--------------------------------------------------------------------------- Lesson A.1: Advanced Cracking: Internet Cracking (Unix) --------------------------------------------------------------------------- -------------> INTERNET CRACKING: FIREWALLS With each new company that connects to the "Information Superhighway" new frontiers are created for crackers to explore. Site administrators (Siteads) have implemented various security measures to protect their internal networks. One of these is xinetd, covered later. A more general solution is to construct a guarded gateway, called a [Firewall], that sits between a site's internal network and the wild and woolly Internet where we roam. In fact only one third of all Internet connected machines are already behind firewalls. Most information services have to deal with the same problem we have: getting OUT through a local firewall or GETTING INTO a service through their Firewall. There lays also the crack_solution. ------------> What is a Firewall? The main purpose of a Firewall is to prevent unauthorized access between networks. Generally this means protecting a site's inner network from the Internet. If a site has a firewall, decisions have been made as to what is allowed and disallowed across the firewall. These decisions are always different and always incomplete, given the multiplicity of Internet, there are always loopholes where a cracker can capitalize on. A firewall basically works by examining the IP packets that travel between the server and the client. This provides a way to control the information flow for each service by IP address, by port and in each direction. A firewall embodies a "stance". The stance of a firewall describes the trade-off between security and ease-of-use. A stance of the form "that which is not expressly permitted is prohibited" requires that each new service be enabled individually and is seldom used, coz very slow and annoying. Conversely, the stance "that which is not expressly prohibited is permitted" has traded a level of security for convenience. It will be useful to guess the stance of the firewall you are cracking when making probe decisions. A firewall has some general responsibilities: * First and foremost if a particular action is not allowed by the policy of the site, the firewall must make sure that all attempts to perform the action will fail. * The firewall should log suspicious events * The firewall should alert internal administration of all cracking attempts * Some firewall provide usage statistics as well. ------------> Types of Firewall In order to avoid head-scratching, it's a good idea to know the TOPOLOGY of "your" firewall -and its limitations- before attempting to get through it. Discussed below are two popular firewall topologies. Although other types exist, the two below represent the basic forms; most other firewalls employ the same concepts and thus have -luckily- the same limitations. 1) THE DUAL-HOMED GATEWAY A dual-homed Gateway is a firewall composed of a single system with at least two network interfaces. This system is normally configured such that packets are not directly routed from one network (the Internet) to the other (the internal net you want to crack). Machines on the Internet can talk to the gateway, as can machines on the internal network, but direct traffic between nets is blocked. In discussing firewalls, it's generally accepted that you should think of the inner network as a medieval castle. The "bastions" of a castle are the critical points where defence is concentrated. In a dual-homed gateway topology, the dual-homed host itself is called the [BASTION HOST]. The main disadvantage of a dual-homed gateway, from the viewpoints of the users of the network and us crackers alike, is the fact that it blocks direct IP traffic in both directions. Any programs running on the inner network that require a routed path to external machines will not function in this environment. The services on the internal network don't have a routed path to the clients outside. To resolve these difficulties, dual-homed gateways run programs called [PROXIES] to forward application packets between nets. A proxy controls the conversation between client and server processes in a firewalled environment. Rather than communicating directly, the client and the server both talk to the proxy, which is usually running on the bastion host itself. Normally the proxy is transparent to the users. A proxy on the bastion host does not just allow free rein for certain services. Most proxy software can be configured to allow or deny forwarding based on source or destination addresses or ports. Proxies may also require authentication of the requester using encryption- or password-based systems. The use of proxy software on the bastion host means that the firewall administrator has to provide replacements for the standard networking clients, a nightmare in heterogeneous environments (sites with many different operating systems platforms, PC, Sun, IBM, DEC, HP...) and a great burden for administrator and users alike. 2) THE SCREENED HOST GATEWAY A screened host gateway is a firewall consisting of at least one router and a bastion host with a single network interface. The router is typically configured to block (screen) all traffic to the internal net such that the bastion host is the only machine that can be reached from the outside. Unlike the dual- homed gateway, a screened host gateway does not necessarily force all traffic through the bastion host; through configuration of the screening router, it's possible to open "holes" in the firewall to the other machines on the internal net you want to get into. The bastion host in a screened host firewall is protected from the outside net by the screening router. The router is generally configured to only allow traffic FROM SPECIFIC PORTS on the bastion host. Further, it may allow that traffic only FROM SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet news traffic to reach the bastion host ONLY if the traffic originated from the site's news provider. This filtering can be easily cracked: it is relying on the IP address of a remote machine, which can be forged. Most sites configure their router such that any connection (or a set of allowed connections) initiated from the inside net is allowed to pass. This is done by examining the SYN and ACK bits of TCP packets. The "start of connection" packet will have both bits set. If this packets source address is internal... or seems to be internal :=) the packet is allowed to pass. This allows users on the internal net to communicate with the internet without a proxy service. As mentioned, this design also allows "holes" to be opened in the firewall for machines on the internal net. In this case you can crack not only the bastion host, but also the inner machine offering the service. Mostly this or these machine/s will be far less secure than the bastion host. New services, for instance recent WEB services, contain a lot of back doors and bugs, that you'll find in the appropriate usenet discussion groups, and that you could use at freedom to crack inner machines with firewall holes. Sendmail is a good example of how you could crack in this way, read the whole related history... very instructive. The rule of thumb is "big is good": the bigger the software package, the more chance that we can find some security related bugs... and all packages are huge nowadays, 'coz the lazy bunch of programmers uses overbloated, buggy and fatty languages like Visual Basic or Delphy! Finally, remember that the logs are 'mostly) not on the bastion host! Most administrators collect them on an internal machine not accessible from the Internet. An automated process scan the logs regularly and reports suspicious information. 3) OTHER FIREWALL TOPOLOGIES The dual-homed gateway and the screened host are probably the most popular, but by no mean the only firewall topologies. Other configurations include the simple screening router (no bastion host), the screened subnet (two screening routers and a bastion host) as well as many commercial vendor solutions. ------------> Which software should we study? Three popular unix software solutions allow clients inside a firewall to communicate with server outside: CERN Web server in proxy mode, SOCKS and the TIS Firewall toolkit. 1) The CERN Web server handles not only HTTP but also the other protocols that Web clients use and makes the remote connections, passing the information back to the client transparently. X-based Mosaic can be configured for proxy mode simply by setting a few environment variables. 2) The SOCKS package (available free for anonymous ftp from ftp.nec.com in the file /pub/security/socks.cstc/socks.cstc.4.2.tar.gz includes a proxy server that runs on the bastion host of a firewall. The package includes replacements for standard IP socket calls such as connect(), getsockname(), bind(), accept(), listen() and select(). In the package there is a library which can be used to SOCKSify your crack probes. 3) The Firewall Toolkit The toolkit contains many useful tools for cracking firewall and proxy server. netacl can be used in inetd.conf to conceal incoming requests against an access table before spawning ftpd, httpd or other inetd-capable daemons. Mail will be stored in a chroot()ed area of the bastion for processing (mostly by sendmail). The Firewall toolkit is available for free, in anonymous ftp from ftp.tis.com in the file /pub/firewalls/toolkit/fwtk.tar.Z The popular PC firewall solution is the "PC Socks Pack", for MS- Windows, available from ftp.nec.com It includes a winsock.dll file. The cracking attempts should concentrate on ftpd, normally located on the bastion host. It's a huge application, necessary to allow anonymous ftp on and from the inner net, and full of bugs and back doors. Normally, on the bastion host, ftpd is located in a chroot()ed area and runs as nonprivileged user. If the protection is run from an internal machine (as opposing the bastion host), you could take advantage of the special inner-net privileges in hostp.equiv or .rhosts. If the internal machine "trusts" the server machine, you'll be in pretty easily. Another good method, that really works, is to locate your PC physically somewhere along the route between network and archie server and "spoof" the firewall into believing that you are the archie server. You'll need the help of a fellow hacker for this, though. Remember that if you gain supervisor privileges on a machine you can send packets from port 20, and that in a screened host environment, unless FTP is being used in proxy mode, the access filters allow often connections from any external host if the source port is 20 and the destination port is greater than 1023! remember that NCSA Mosaic uses several protocols, each on a different port, and that -if on the firewall no proxy Web server is operating- each protocol must be dealt with individually, what lazy administrators seldom do. Be careful for TRAPS: networking clients like telnet and ftp are often viciously replaced with programs that APPEAR to execute like their namesake, but actually email an administrator. A fellow cracker was almost intercepted, once, by a command that simulated network delays and spat out random error messages in order to keep me interested long enough to catch me. Read the (fictions) horror story from Bill Cheswick: "An evening with Berferd in which a cracked is lured, endured and studied", available from ftp.research.att.com in /dist/internet_security/berferd.ps As usual, all kind of traps can be located and uncovered by correct zen-cracking: you must *FEEL* that some code (or that some software behaviour) is not "genuine". Hope you believe me and learn it before attempting this kind of cracks. ------------> How do I crack Firewalls? Some suggestions have been given above, but teaching you how to crack firewalls would take at least six complete tutorial lessons for a relatively unimportant cracking sector, and you would almost surely get snatched immediately, 'coz you would believe you can crack it without knowing nothing at all. So, for your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT (quite a fascinating difference): First Text, then the software above. For text, start with Marcus Ranum's paper "Thinking about Firewalls", available from ftp.tis.com in the file/pub/firewalls/firewalls.ps.Z and do an archie search for newer literature. Join the firewall discussion list sending a message to majordomo@greatcircle.com, you'll get a message with instructions, as usual, lurk only... never show yourself to the others. You can find for free on the web quite a lot of early versions of proxy software. Study it, study it and then study it again. The cracking efforts on your copies, and your machines, before attempting anything serious, are MANDATORY if you do not want to be immediately busted on the Internet. When you feel ready to try serious cracking, you must OBLIGATORY start with a small BBS which uses a firewall version you already studied very well (sysops are not firewall administrators, and many of them do not know nothing about the software they use). As soon as you gain access to the bastion host, remember to subvert entirely the firewall itself before entering the inner net. If you feel ready and everything went well so far, if your zen- cracking abilities are working well... then take a moment for yourself... prepare yourself a good Martini-Wodka (you should only use Moskovskaia), take a deep breath and by all means go ahead! You will then be able to try your luck on the Cyberspace and get quickly busted (if you did not follow my admonitions and if you cannot zen-crack) or, may be, fish quite a lot of jewels... :=) -------------> INTERNET CRACKING: XINETD [Xinetd] a freely available enhanced replacement for the internet service daemon inetd, allows just those particular users to have FTP or Telnet access, without opening up access to the world. Xinetd can only protect the system from intrusion by controlling INITIAL access to most system services and by logging activities so that you can detect break-in attempts. However, once a connection has been allowed to a service, xinetd is out of the picture. It cannot protect against a server program that has security problems internally. For example, the finger server had a bug several years ago that allowed a particularly clever person to overwrite part of its memory. This was used to gain access to many systems. Even placing finger under the control of xinetd wouldn't have helped. Think of the secured firewall system as a fortress wall: each service that is enabled for incoming connections can be viewed as a door or window in the walls. Not all these doors have secure and reliable locks. The more openings are available, the more opportunities are open for us. -------------> What xinetd does Xinetd listens to all enabled service ports and permits only those incoming connection request that meet authorization criteria. - Accept connections from only certain IP addresses - Accept connections only from authorized users - Reject connections outside of aithorized hours - Log selected service when connections are accepted or rejected, capturing following informations: * Remote Host Address * User ID of remote user (in some cases) * Entry and Exit time * Terminal type Support login, shell, exec and finger -------------> SERVICES TO CRACK & UNWITTING INSIDE COMPLICES In this order the easy services: FTP TELNET LOGIN (rlogin) SHELL (rcmd) EXEC In this order the more difficult ones: MOUNT TFT FINGER NFS(Network File System) DNS(Domain Name Service) Remember that sendmail (SMTP), by default, accepts a message from any incoming connection. The "sender" of such a message can appear to have originated anywhere, therefore your claim of identity will be accepted! Thus you can forge a message's originator. Most of the recipients inside the protected (firewalled) net will take your claim at face value and send you (to the "return address" you provide) all the sensitive information you need to crack the system. Finding unwitting inside complices is most of the time pretty easy. By far the best method, for entering xinetd, is to get the real version from panos@cs.colorado.edu, modify the system files in order to have some backdoors, and then distribute them to the mirror servers on the WEB. Each time a new administrator will download "your" version of xinetd, you'll have an easy access to the "protected" system. On the Nets, it's important to conceal your identity (they will find you out pretty quickly if you do not). The best method is to obtain the IP address of a legitimate workstation during normal hours. Then, late at night, when the workstation is known to be powered-off or disconnected from a dialup PPP link, a different node on the network can be configured to use the counterfeit IP address. To everyone on the network, it will appear that the "legitimate" user is active. If you follow this strategy, you may want to crack somehow more negligently... the search for the cracker will go on -later- in the false confidence that a sloppy novice (the legitimate user) is at work, this will muddle the waters a little more. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. -=-=-=-=-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-