SEMINARS

HACKING

1. INTRODUCTION TO HACKING

The term "hacking" in the 1980's became a buzzword in the media which was taken to be derogatory and which by misuse and overuse was attached to any form of socially non-acceptable computing activity outside of polite society. Within this context "hackers" were assumed to be the fringe society of the computing fraternity, mainly characterized as "youngsters" who did not know any better and who had obtained access to a technology with which they terrorized the world of communications and computing. To be tagged as a "hacker" was to portray a person as member of a less than acceptable group of near criminals whose activities were not be to be undertaken by the upright citizenry. These connotations are in contrast to the use of the term in the 1950's and 1960's when hackers were at least to be tolerated for their potential, though not necessarily displayed in public.

In many ways the early use of the term held a connotation similar to that of a "boffin" during World War II who was characterized as a backroom activist who when left to their own devices could produce some wonderful inventions. Scientists such as Edison (electric light bulb, phonograph, etc.), Fleming (penicillin), Barnes-Wallis (the bouncing bomb and swept wing aircraft), Watson-Watt (radar) and possibly even Babbage (the difference and analytical engines), may have been honored to be identified as hackers. Only in more recent times has there been confusion between the terms "hacker", "petty criminal" and possibly "nerd".

1.1 What is hacking?

The process of attempting to gain, or successfully gaining, unauthorized access to computer resources for the purpose of mischievous or malicious use, modification, destruction or disclosure of those resources. The concept of hacking as a methodology to achieve some particular goal has the allusion of working at something by experimentation or empirical means, learning about the process under review or development by ad hoc mechanisms. This may have had an origin from the use of the term "v.t. to chop or cut roughly. v.i. to make rough cuts" as in the process of empirical development where numerous different routes are explored in a search for the most effective approach to a solution, but without necessarily having planned a prearranged ordering of search or necessarily a methodology for evaluation. To chance upon a solution through "hacking through a problem" is often as educational as structured learning, and thus it is not unreasonable to approach a problem in a field which is devoid of structure and methodology by "hacking".

1.2 The history of hacking and how it has grown over time

1966, Robert Morris Sr., the future NSA chief scientist, decides to mutate these early hacker wars into the first "safe hacking" environment. He and the two friends who code it call their game "Darwin." Later "Darwin" becomes "Core War," a free-form computer game played to this day by some of the berets of uberhackers.

1969 turns out to be the most portent-filled year yet for hacking. In that year the Defense Department's Advanced Research Projects Agency funds a second project to hook up four mainframe computers so researchers can share their resources. This system doesn't boast the vector graphics of the Plato system. Its terminals just show ASCII characters: letters and numbers.

1969 John Goltz teams up with a money man to found CompuServe using the new packet switched technology being pioneered by ARPAnet. Also in 1969 we see a remarkable birth at Bell Labs as Ken Thompson invents a new operating system: UNIX. It is to become the gold standard of hacking and the Internet, the operating system with the power to form miracles of computer legerdemain.

1978, Ward Christenson and Randy Suess create the first personal computer bulletin board system. Soon, linked by nothing more than the long distance telephone network and these bulletin board nodes, hackers create a new, private cyberspace. Phreaking becomes more important than ever to connect to distant BBSs.

1984 Emmanuel Goldstein launches 2600: The Hacker Quarterly and the Legion of Doom hacker gang forms. Congress passes the Comprehensive Crime Control Act giving the US Secret Service jurisdiction over computer fraud. Fred Cohen, at Carnegie Mellon University, writes his PhD thesis on the brand new, never heard of thing called computer viruses.

June 1990 Mitch Kapor and John Perry Barlow react to the excesses of all these raids to found the Electronic Frontier Foundation. Its initial purpose is to protect hackers. They succeed in getting law enforcement to back off the hacker community.

In 1993, Marc Andreessen and Eric Bina of the National Center for Supercomputing Applications release Mosaic, the first WWW browser that can show graphics. Finally, after the fade out of the Plato of twenty years past, we have decent graphics! This time, however, these graphics are here to stay. Soon the Web becomes the number one way that hackers boast and spread the codes for their exploits. Bulletin boards, with their tightly held secrets, fade from the scene.

In 1998, an anti-hacker ad runs during Super Bowl XXXII. The Network Associates ad, costing $1.3 million for 30 seconds, shows two Russian missile silo crewmen worrying that a computer order to launch missiles may have come from a hacker. They decide to blow up the world anyway. In January, the federal Bureau of Labor Statistics is inundated for days with hundreds of thousands of fake information requests, a hacker attack called "spamming." Hackers break into the United Nations Children's Fund Web site, threatening a "holocaust" if Kevin Mitnick is not freed.

1.3 Hacker

A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Most often, hackers are programmers. As such, hackers obtain advanced knowledge of operating systems and programming languages. They may know of holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data.

1.4 Cracker

A cracker is a person who breaks into or otherwise violates the system integrity of remote machines, with malicious intent. Crackers, having gained unauthorized access, destroy vital data, deny legitimate users service, or basically cause problems for their targets. Crackers can easily be identified because their actions are malicious.

1.5 Why do crackers exist?

Crackers exist because they must. Human nature is just so, frequently driven by a desire to destroy instead of create. No more complex explanation need be given. The only issue here is what type of cracker we are talking about. Some crackers crack for profit. These may land on the battlefield, squarely between two competing companies. Perhaps Company A wants to disable the site of Company B. There are crackers for hire. They will break into almost any type of system you like, for a price. Some of these crackers get involved with criminal schemes, such as retrieving lists of TRW profiles. These are then used to apply for credit cards under the names of those on the list. Other common pursuits are cell-phone cloning, piracy schemes, and garden-variety fraud. Other crackers are kids who demonstrate an extraordinary ability to assimilate highly technical computer knowledge. They may just be getting their kicks at the expense of their targets.

1.6 Difference between hacker and cracker.

Modern hackers, however, reach deeper still. They probe the system, often at a microcosmic level, finding holes in software and snags in logic. They write programs to check the integrity of other programs. Thus, when a hacker creates a program that can automatically check the security structure of a remote machine, this represents a desire to better what now exists. It is creation and improvement through the process of analysis.

In contrast, crackers rarely write their own programs. Instead, they beg, borrow, or steal tools from others. They use these tools not to improve Internet security, but to subvert it. They have technique, perhaps, but seldom possess programming skills or imagination. They learn all the holes and may be exceptionally talented at practicing their dark arts, but they remain limited. A true cracker creates nothing and destroys much. His chief pleasure comes from disrupting or otherwise adversely affecting the computer services of others.

This is the division of hacker and cracker. Both are powerful forces on the Internet, and both will remain permanently. And, as you have probably guessed by now, some individuals may qualify for both categories. The very existence of such individuals assists in further clouding the division between these two odd groups of people. Now, I know that real hackers reading this are saying to themselves, "There is no such thing as this creature you are talking about. One is either a hacker or a cracker and there's no more to it."

1.7 Which operating systems do crackers use?

Operating systems used by crackers vary. Macintosh is the least likely platform for a cracker; there simply aren't enough tools available for MacOS, and the tools needed are too much trouble to port. UNIX is the most likely platform and of that class, probably FreeBSD or Linux.

The most obvious reason for this is cost. For the price of a $39 book on Linux (with the accompanying CD-ROM), a cracker gets everything he could ever need in the way of tools: C, C++, Smalltalk, Perl, TCP/IP, and much more. Moreover, he gets the full source code to his operating system.

This cost issue is not trivial. Even older workstations can be expensive. Your money will buy more computing power if you stay with an IBM compatible. Today, you can get a 100MHz PC with 8MB of RAM for $300. You can put either FreeBSD or Linux on that machine and suddenly, you have a powerful workstation. Conversely, that same $300 might buy you a 25MHz SPARCstation 1 with a disk, monitor, and keyboard kit. Or perhaps an ELC with an external disk and 16MB of RAM. Compounding this is the problem of software. If you get an old Sun, chances are that you will also be receiving SunOS 4.1.x. If so, a C compiler (cc) comes stock. However, if you buy an RS/6000 with AIX 4.1.x, you get a better deal on the machine but you are forced to get a C compiler. This will probably entail getting GCC from the Internet. As you might guess, a C compiler is imperative. Without it, you cannot build the majority of tools distributed from the void. This is a big consideration and one reason that Linux is becoming much more popular.

I should mention that professional crackers (those who get paid for their work) can probably afford any system. You can bet that those forces in American intelligence investigating cyber war are using some extreme computing power. For these individuals, licensing and cost are not issues.

- SUN

It is fairly common to see crackers using either SolarisX86 or SCO as a platform. This is because even though these products are license ware, they can easily be obtained. Typically, crackers using these platforms know students or are students. They can therefore take advantage of the enormous discounts offered to educational institutions and students in general. There is a radical difference between the price paid by a student and the price paid by the average man on the street. The identical product's price could differ by hundreds of dollars. Again, because these operating systems run on PC architecture, they are still more economical alternatives. (SolarisX86 2.4 became enormously popular after support was added for standard IDE drives and CD-ROM devices. Prior to the 2.4 driver update, the system supported only SCSI drives: a slightly more expensive proposition.) And of course, one can always order demo disks from Sun and simply keep the distribution, even though you are in violation of the license.

- UNIX

UNIX platforms are popular because they generally require a low overhead. A machine with Windows 95 and all the trimmings requires a lot of RAM; in contrast, you can run Linux or FreeBSD on a paltry 386 and gain good performance (provided, of course, that you do not use X). This is reasonable, too, because even tools that have been written for use in the X environment usually have a command-line interface as well (for example, you can run SATAN in CLI).

- MICROSOFT

The Microsoft platform supports many legitimate security tools that can be used to attack remote hosts. Of that class, more and more crackers are using Windows NT. It outperforms 95 by a wide margin and has advanced tools for networking as well. Also, Windows NT is a more serious platform in terms of security. It has access control as well, so crackers can safely offer remote services to their buddies. If those "friends" log in and attempt to trash the system, they will be faced with the same controls as they would on a non-cracker-friendly box.

Moreover, NT is becoming more popular because crackers know they must learn this platform. As NT becomes a more popular platform for Internet servers (and it will, with the recent commitments between DEC and Microsoft), crackers will need to know how to crack these machines. Moreover, security professionals will also develop tools to test internal NT security. Thus, you will see a dramatic rise in the use of NT as a cracking platform.

1.8 Why do people hack?

There is an on-going debate about the definition of the word hacker. A hacker can be anyone with a deep interest in computer-based technology; it does not necessarily define someone who wants to do harm. The term attacker can be used to describe a malicious hacker. Another term for an attacker is a black hat. Security analysts are often called white hats, and white-hat analysis is the use of hacking for defensive purposes.

Attackers' motivations vary greatly. Some of the most notorious hackers are high school kids in their basements planted in front of their computers looking for ways to exploit computer systems. Other attackers are disgruntled employees seeking revenge on a company. And still other attacks are motivated by the sheer challenge of penetrating a well-secured system.

- Just for fun

- Show off

- Hack other systems secretly

- Spread their views to many people

- Steal important information

- Destroy the enemy's computer network during a war.

- Spite--Plainly stated, the cracker may dislike you. Perhaps he is a disgruntled employee from your company. Perhaps you flamed him in a Usenet group. One common scenario is for a cracker to crack an ISP with which he once had an account. Perhaps the ISP discovered the cracker was cracking other networks or storing warez on its box. For whatever reason, the ISP terminated the cracker's account, and now the cracker is out for revenge.

- Sport--Perhaps you have been bragging about the security of your system, telling people it's impenetrable. Or worse, you own a brand-spanking-new system that the cracker has never dealt with before. These are challenges a cracker cannot resist.

- Profit--Someone pays a cracker to bring you down or to get your proprietary data.

- Stupidity--Many crackers want to impress their friends, so they purposefully undertake acts that will bring the FBI to their door. These are mostly kids.

- Curiosity--Many crack purely for the sake of curiosity, simple enjoyment of the process, or out of boredom.

- Politics--A small (but significant) percentage of crackers crack for political reasons. That is, they seek press coverage to highlight a particular issue. This could be animal rights, arms control, free speech, and so forth. This phenomenon is much more common in Europe than in the U.S. Americans fall victim to pride or avarice far more often than they do to ideology.

2. HACKING TOOLS AND HOW THEY ARE USED.

2.1 Scanners

In Internet security, no hacking tool is more celebrated than the scanner. It is said that a good TCP port scanner is worth a thousand user passwords. Before I treat the subject of scanners in depth, I want to familiarize you with the basics.

- What is a Scanner?

A scanner is a program that automatically detects security weaknesses in a remote or local host. By deploying a scanner, a user in Los Angeles can uncover security weaknesses on a server in Japan without ever leaving his or her living room.

- How Do Scanners Work?

True scanners are TCP port scanners, which are programs that attack TCP/IP ports and services (Telnet or FTP, for example) and record the response from the target. In this way, they glean valuable information about the target host (for instance, Can an anonymous user log in?).

Other so-called scanners are merely UNIX network utilities. These are commonly used to discern whether certain services are working correctly on a remote machine. These are not true scanners, but might also be used to collect information about a target host. (Good examples of such utilities are the rusers and host commands, common to UNIX platforms.)
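The defender's counterpart to the scanner just described is noticing one: a port sweep leaves a trail of connection attempts from a single source to many ports in a short time. The following is an added example (not code from this seminar) that runs that check over a constructed, iptables-style SYN log using RFC 5737 documentation addresses; the log format, the 60-second window and the ten-target threshold are assumptions.

```python
"""Port-sweep detection over constructed firewall-style SYN log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 touches ten ports in ten seconds (a sweep);
# 192.0.2.9 is an ordinary web client. One non-matching line shows that noise is skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.5 DST=198.51.100.7 DPT=21 PROTO=TCP SYN
2024-05-01T10:00:01 SRC=203.0.113.5 DST=198.51.100.7 DPT=22 PROTO=TCP SYN
2024-05-01T10:00:02 SRC=203.0.113.5 DST=198.51.100.7 DPT=23 PROTO=TCP SYN
2024-05-01T10:00:03 SRC=203.0.113.5 DST=198.51.100.7 DPT=25 PROTO=TCP SYN
2024-05-01T10:00:04 SRC=203.0.113.5 DST=198.51.100.7 DPT=53 PROTO=TCP SYN
2024-05-01T10:00:05 SRC=192.0.2.9 DST=198.51.100.7 DPT=443 PROTO=TCP SYN
2024-05-01T10:00:05 SRC=203.0.113.5 DST=198.51.100.7 DPT=80 PROTO=TCP SYN
2024-05-01T10:00:06 SRC=192.0.2.9 DST=198.51.100.7 DPT=443 PROTO=TCP SYN
2024-05-01T10:00:06 SRC=203.0.113.5 DST=198.51.100.7 DPT=110 PROTO=TCP SYN
2024-05-01T10:00:07 SRC=203.0.113.5 DST=198.51.100.7 DPT=111 PROTO=TCP SYN
2024-05-01T10:00:07 SRC=192.0.2.9 DST=198.51.100.7 DPT=80 PROTO=TCP SYN
2024-05-01T10:00:08 kernel: link up on eth0
2024-05-01T10:00:08 SRC=203.0.113.5 DST=198.51.100.7 DPT=143 PROTO=TCP SYN
2024-05-01T10:00:09 SRC=203.0.113.5 DST=198.51.100.7 DPT=443 PROTO=TCP SYN
"""

# Assumed line layout; adjust the pattern to whatever your firewall actually logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) PROTO=TCP SYN$"
)


def parse_events(text):
    """Return (timestamp, src, dst, dport) tuples, oldest first; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    events.sort(key=lambda e: e[0])
    return events


def detect_port_sweeps(events, window_seconds=60, port_threshold=10):
    """Flag sources that hit at least port_threshold distinct (dst, port) targets
    within any window_seconds span. Returns {src: (first_ts, last_ts, targets)}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport)) still inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, (dst, dport)))
        while ts - q[0][0] > window:  # slide the window forward, dropping old attempts
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= port_threshold and src not in alerts:
            alerts[src] = (q[0][0], ts, sorted(targets))
    return alerts


if __name__ == "__main__":
    for src, (first, last, targets) in detect_port_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(targets)} targets between {first} and {last}")
```

A slow sweep spread over minutes or hours stays under this window, which is why the same counting is usually also done per day and across a whole subnet rather than per source only.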

- On What Platforms Are Scanners Available?

Although they are commonly written for execution on UNIX workstations, scanners are now written for use on almost any operating system. Non-UNIX scanning tools are becoming more popular now that the rest of the world has turned to the Internet. There is a special push into the Microsoft Windows NT market, because NT is now becoming more popular as an Internet server platform.

- How to get the IP address

There are different ways of getting an IP address:

1) The only way I know to do that is to send the contact a file while he is online: send him/her a photo or something else. Doing that, a peer-to-peer connection opens while your friend receives the file/photo, no matter what it is. Make sure that you have a DOS Prompt open (located at: start > programs > MS-DOS Prompt) and type the command netstat while sending them the file. You will see a list in the DOS Prompt of all the connections your computer has at that time; one of them must be your friend who is receiving the file. If I hear about another easier way to get it without sending files, be sure I will post it here.

2) Find an IP through mIRC chat channels

There is the /dns nickname command in IRC, but some people use proxies or shells and you can't see their real address. How do you know if the user uses a web-shell or a proxy? Well... guess that yourself while looking at the IP you got from the /dns nickname command. Make sure you check out IRC Scanner v1.0 by RG in our programming section and in the IP scanners section; it's the best and fastest way to scan the users in IRC channels.

3) Get your friend's IP address by sending them to your page
Build a simple site on GeoCities or anywhere else, then go to http://www.stats4all.com and create an account; they provide free website statistics. Add their code to your site and tell your friend to check out a cool page you just made. When he visits the page, his IP will be logged at stats4all.com, so after your friend visits your page, check your stats at stats4all.com and you will find the last 5 visitors at the left of the stats page, your friend's IP included.

2.2 Password cracker

The term password cracker can be misinterpreted, so I want to define it here. A password cracker is any program that can decrypt passwords or otherwise disable password protection. A password cracker need not decrypt anything. In fact, most of them don't. Real encrypted passwords, as you will shortly learn, cannot be reverse-decrypted.

A more precise way to explain this is as follows: encrypted passwords cannot be decrypted. Most modern, technical encryption processes are now one-way (that is, there is no process to be executed in reverse that will reveal the password in plain text).

Instead, simulation tools are used, utilizing the same algorithm as the original password program. Through a comparative analysis, these tools try to match encrypted versions of the password to the original (this is explained a bit later in this chapter). Many so-called password crackers are nothing but brute-force engines--programs that try word after word, often at high speeds. These rely on the theory that eventually, you will encounter the right word or phrase. This theory has been proven to be sound, primarily due to the factor of human laziness. Humans simply do not take care to create strong passwords. However, this is not always the user's fault:

- How Encryption Works

The concept behind encryption is quite simple: make the data illegible to everyone except those specified. This is done using cryptography, the study of sending 'messages' in a secret form so that only those authorized to receive the 'message' are able to read it.

The easy part of encryption is applying a mathematical function to the plaintext and converting it to an encrypted cipher. The harder part is to ensure that the people who are supposed to decipher this message can do so with ease, yet only those authorized are able to decipher it. We of course also have to establish the legitimacy of the mathematical function used to make sure that it is sufficiently complex and mathematically sound to give us a high degree of safety.

The essential concept underlying all automated and computer security applications is cryptography. The two ways of going about this process are conventional (or symmetric) encryption and public key (or asymmetric) encryption.

- CRYPTOGRAPHY

This definition is wide, and I want to narrow it. The etymological root of the word cryptography can help in this regard. Crypto stems from the Greek word kryptos. Kryptos was used to describe anything that was hidden, obscured, veiled, secret, or mysterious. Graph is derived from graphia, which means writing. Thus, cryptography is the art of secret writing. An excellent and concise description of cryptography is given by Yaman Akdeniz in his paper Cryptography & Encryption:

Cryptography, defined as "the science and study of secret writing," concerns the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception, using codes, ciphers, and other methods, so that only certain people can see the real message.
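To make the comparative analysis from 2.2 concrete, here is an added example (not part of the seminar) that audits stored password digests against a constructed common-password list. It first uses an unsalted one-way hash, where one precomputed table answers for every user at once, and then a per-user salt with an iterated key derivation (PBKDF2-HMAC-SHA256 here), where each user and each candidate word costs a fresh, deliberately slow computation. The user names, passwords, wordlist and iteration count are all constructed.

```python
"""Password-hash audit: unsalted fast hash versus salted, iterated KDF (added example)."""
import hashlib
import hmac
import os

# Constructed stand-in for a cracker's wordlist; real lists run to millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon", "welcome1"]


def fast_hash(password):
    """Unsalted one-way hash: it cannot be reversed, but equal inputs give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash every word once; the table then serves against any number of stored digests."""
    return {fast_hash(w): w for w in words}


def audit_unsalted(stored, table):
    """stored: {user: digest}. One dictionary lookup per user, no hashing at audit time."""
    return {user: table[d] for user, d in stored.items() if d in table}


def slow_hash(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: the same one-way idea, made deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_record(password, iterations=50_000):
    """Store a fresh random salt next to the digest; the iteration count is a constructed setting."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "digest": slow_hash(password, salt, iterations)}


def audit_salted(records, words):
    """records: {user: record}. Returns (matches, kdf_calls). No table can be shared:
    every (user, word) pair costs a fresh KDF run because each salt differs."""
    matches, kdf_calls = {}, 0
    for user, rec in records.items():
        for w in words:
            kdf_calls += 1
            if hmac.compare_digest(slow_hash(w, rec["salt"], rec["iterations"]), rec["digest"]):
                matches[user] = w
                break
    return matches, kdf_calls


# Constructed user base: two weak passwords, one strong passphrase, one duplicate.
USER_PASSWORDS = {
    "alice": "hunter2",
    "bob": "correct horse battery staple",
    "carol": "qwerty",
    "dave": "hunter2",
}


def unsalted_store():
    return {u: fast_hash(p) for u, p in USER_PASSWORDS.items()}


def salted_store():
    return {u: make_salted_record(p) for u, p in USER_PASSWORDS.items()}


if __name__ == "__main__":
    print("unsalted:", audit_unsalted(unsalted_store(), build_lookup_table(WORDLIST)))
    found, calls = audit_salted(salted_store(), WORDLIST)
    print("salted:", found, "after", calls, "KDF runs of 50000 iterations each")
```

Weak passwords are found either way; what the salt and iteration count buy is that the cost scales with users times candidate words, which is exactly the "human laziness" factor a strong hashing scheme is meant to absorb.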

2.3 E-Mail bombs & list linking

E-mail bombing is nothing more than nuisance material. The cure is generally a kill file or an exclusionary scheme. An exclusionary scheme is where you bar entry of packets received from the source address.

If you maintain a site and malicious users from the void start bombing you, contact their postmaster. This is usually quite effective; the user will be counseled that this behavior is unnecessary and that it will not be tolerated. In most cases, this proves to be a sufficient deterrent. (Some providers are even harsh enough to terminate the account then and there.) However, if you are faced with a more difficult situation (for example, the ISP couldn't care less if its users bombed the Internet collectively), you might have to take more aggressive measures.

One such measure is to block traffic from the originating network at the router level. (There are various packet-filtering techniques that you can apply.) However, if this doesn't suit your needs (or your temperament), there are other, more proactive solutions. One fine technique that's guaranteed to work is this: Fashion a script that catches the offending e-mail address each time it connects to your mail server. For each such connection request, terminate the connection and autorespond with a polite, 10-page advisory on how such attacks violate acceptable use policies and that, under certain circumstances, they may violate the law. After the offending party has received 1,000 or so returns of this nature, his previously unconcerned provider will bring the offender onto the carpet and promptly chop off his fingers.

2.4 Flash bombs & war scripts

Flash utilities (also referred to as flash bombs) belong to a class of munitions that are used on Internet Relay Chat (IRC). IRC is the last free frontier because it is spontaneous and uncontrollable. It consists of people chatting endlessly, from virtual channel to virtual channel. There is no time for advertisements, really, and even if you tried to push your product there, you would likely be blown off the channel before you had a chance to say much of anything.

In this respect, IRC is different from any other networked service on the Internet. IRC is grass roots and revolutionary Internet at its best (and worst), and with all likelihood, it will remain that way forever.

IRC was developed in Finland in the late 1980s. Some suggest that its purpose was to replace other networking tools of a similar ilk (for example, the talk service in UNIX). Talk is a system whereby two individuals can communicate on text-based terminals. The screens of both users split into two parts, one for received text and one for sent text. In this respect, talk operates a lot like a direct link between machines using any of the popular communications packages available on the market (Qmodem and ProComm Plus are good examples). The major difference is that talk occurs over the Internet; the connection is bound by e-mail address. For example, to converse with another party via talk, you issue a command as follows:

talk person@provider.com

This causes the local talk program to contact the remote talk daemon. If the person is available (and hasn't disabled incoming connections via talk), the screen soon splits and the conversation begins.

IRC differs from talk in that many people can converse at the same time. This was a major innovation, and IRC chatting has become one of the most popular methods of communication on the Net.

3. ATTACKS

3.1 Definition

An attack is any unauthorized action undertaken with the intent of hindering, damaging, incapacitating, or breaching the security of your server. Such an attack might range from a denial of service to complete compromise and destruction of your server. The level of attack that is successful against your network depends on the security you employ.

3.2 Developing an attack strategy

The days of roaming around the Internet, cracking this and that server are basically over. Years ago, compromising the security of a system was viewed as a minor transgression as long as no damage was done. Today, the situation is different. Today, the value of data is becoming an increasingly talked-about issue. Therefore, the modern cracker would be wise not to crack without a reason. Similarly, he would be wise to set forth cracking a server only with a particular plan.

The only instance in which this does not apply is where the cracker is either located in a foreign state that has no specific law against computer intrusion (Berferd again) or one that provides no extradition procedure for that particular offense (for example, the NASA case involving a student in Argentina). All other crackers would be wise to tread very cautiously.

Your attack strategy may depend on what you want to accomplish. We will assume, however, that the task at hand is basically nothing more than compromise of system security. If this is your plan, you need to lay out how the attack will be accomplished. The longer the scan takes (and the more machines that are included within it), the more likely it is that it will be immediately discovered. Also, the more scan data that you have to sift through, the longer it will take to implement an attack based upon that data. The time that elapses between the scan and the actual attack, as I've mentioned, should be short.

Some things are therefore obvious (or should be). If you determine from all of your data collection that certain portions of the network are segmented by routers, switches, bridges, or other devices, you should probably exclude those from your scan. After all, compromising those systems will likely produce little benefit. Suppose you gained root on one such box in a segment. How far do you think you could get? Do you think that you could easily cross a bridge, router, or switch? Probably not. Therefore, sniffing will only render relevant information about the other machines in the segment, and spoofing will likewise work (reliably) only against those machines within the segment. Because what you are looking for is root on the main box (or at least, within the largest network segment available), it is unlikely that a scan on smaller, more secure segments would prove to be of great benefit.

3.3 Types of attacks

- REMOTE ATTACKS

- SPOOFING ATTACKS

- TELNET-BASED ATTACKS

3.3.1 Remote attacks

A remote attack is any attack that is initiated against a machine that the attacker does not currently have control over; that is, it is an attack against any machine other than the attacker's own (whether that machine is on the attacker's subnet or 10,000 miles away). The best way to define a remote machine is this:

A remote machine is any machine--other than the one you are now on--that can be reached through some protocol over the Internet or any other network or medium.

STEPS FOR REMOTE ATTACKS

The first steps, oddly enough, do not involve much contact with the target. (That is, they won't if the cracker is smart.) The cracker's first problem (after identifying the type of network, the target machines, and so on) is to determine with whom he is dealing. Much of this information can be acquired without disturbing the target. (We will assume for now that the target does not run a firewall. Most networks do not. Not yet, anyway.) Some of this information is gathered through the following techniques:

- Running a host query.

Here, the cracker gathers as much information as is currently held on the target in domain servers. Such a query may produce volumes of information or may reveal very little. Much depends on the size and the construct of the network.

For example, under optimal circumstances of examining a large and well-established target, this will map out the machines and IPs within the domain in a very comprehensive fashion. The names of these machines may give the cracker a clue as to what names are being used in NIS (if applicable). Equally, the target may turn out to be a small outfit, with only two machines; in that case, the information will naturally be sparse. It will identify the name server and the IPs of the two boxes (little more than one could get from a WHOIS query). One interesting note is that the type of operating system can often be discerned from such a query.

- A WHOIS query.

This will identify the technical contacts. Such information may seem innocuous. It isn't. The technical contact is generally the person at least partially responsible for the day-to-day administration of the target. That person's e-mail address will have some value. (Also, between this and the host query, you can determine whether the target is a real box, a leaf node, a virtual domain hosted by another service, and so on.)

- Running some Usenet and Web searches.

There are a number of searches the cracker might want to conduct before actually coming into contact with the target. One is to run the technical contact's name through a search engine (using a forced, case-sensitive, this-string-only conditional search). The cracker is looking to see if the administrators and technical contacts sport much traffic in Usenet. Similarly, this address (or addresses) should be run through searchable archives of all applicable security mailing lists.

3.3.2 Spoofing attacks

A spoofing attack involves nothing more than forging one's source address. It is the act of using one machine to impersonate another. To understand how this occurs, you must know a bit about authentication.

Every user has encountered some form of authentication. This encounter most often occurs while connecting to a network. That network could be located in the user's home, his office, or, as in this case, the Internet. The better portions of authentication routines known to the average user occur at the application level. That is, these methods of authentication are entirely visible to the user. The typical example is when a user is confronted with a password prompt on FTP or Telnet. The user enters a username and a password; these are authenticated, and the user gains access to the resource.

On the Internet, application-level authentication routines are the minority. Each second, authentication routines that are totally invisible to the user occur. The difference between these routines and application-level authentication routines is fundamental. In application-level authentication, a machine challenges the user; a machine requests that the user identify himself. In contrast, non-application-level authentication routines occur between machines. One machine demands some form of identification from another. Until this identification is produced and validated, no transactions occur between the machines engaged in the challenge-response dialog.

Such machine-to-machine dialogs always occur automatically (that is, they occur without human intervention). In the IP spoofing attack, the cracker attempts to capitalize on the automated nature of the dialog between machines. Thus, the IP spoofing attack is an extraordinary method of gaining access because in it, the cracker never uses a username or password.

Who Can Be Spoofed?

The IP spoofing attack is unique in that it can only be implemented against a certain class of machines running true TCP/IP. True TCP/IP is any fully fledged implementation of TCP/IP, or one that--in its out-of-the-box state--encompasses all available ports and services within the TCP/IP suite. By this, I am referring almost exclusively to those machines running certain versions of UNIX (only a handful is easily spoofed). PC machines running DOS, Windows, or Windows 95 are not included in this group. Neither are Macintoshes running MacOS. (It is theoretically possible that Macs running A/UX and PCs running Linux could be vulnerable, given the right circumstances.)

I cannot guarantee that other configurations or services will not later be proven vulnerable to IP spoofing, but for the moment the list of vulnerable services is short indeed:

Ø Any configuration using Sun RPC calls

Ø Any network service that utilizes IP address authentication

Ø The X Window System from MIT

Ø The R services

How Spoofing Attacks Work

Spoofing attacks differ from random scanning and other techniques used to ascertain holes in the system. Spoofing attacks occur only after a particular machine has been identified as vulnerable. By the time the cracker is ready to conduct a spoofing attack, he or she knows the target network is vulnerable and which machine is to be attacked.

Hardware address spoofing is, to a certain extent, also dependent upon the card. Cards that do not allow for software-driven settings of the hardware address are generally useless in this regard. You might be able to report an address, but in most instances, the technique does not actually work. Older cards support software-driven alteration of the address, usually with a jumper setting. (This is done by shorting out the jumper pins on the card.) A good example is the old Western Digital Ethernet card. Newer cards are more likely to automatically allow software-driven changes, whereas IRQ settings may still be a jumper issue. It is likely, however, that in the near future, Ethernet cards may not have jumpers at all due to the fact that plug-and-play technology has emerged.

This type of spoofing works because each machine on a given network segment trusts its pals on that same segment. Barring the installation of a hub that hardwire-routes packets to each machine, at least a few trust relationships between machines will exist within a segment. Most commonly, those machines know each other because their addresses are listed within some database on each machine. In IP-based networks, this is done using the IP address--I hope--or with the hostname. (Using hostnames is a potential security problem in itself. Whenever possible, hard numeric addresses should be used.)

Machines within a network segment that are aware of the addresses of their pals are referred to as machines that trust each other. When such a trust relationship exists, these machines may remotely execute commands for each other with no more authentication than is required to identify the source address.

Crackers can determine trust relationships between machines using a wide range of commands or, more commonly, using scanners. One can, for example, scan a host and easily determine whether the R services are running. Whatever method is used, the cracker will attempt to map the trust relationships within the target network.

What Can Be Done to Prevent IP Spoofing Attacks?

IP spoofing attacks can be thwarted by configuring your network to reject packets from the Net that claim to originate from a local address (that is, reject packets that purport to have an address of a workstation on your internal network). This is most commonly done with a router.

Routers work by applying filters on incoming packets; for example, they can block particular types of packets from reaching your network.
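The router rule described above, written out as a small ingress/egress filter so the check is explicit. This is an added example, not code from the original text or from any particular router product; the interface names ("outside", "inside"), the internal and reserved prefixes, and the sample packets are all constructed for the illustration.

```python
"""Ingress/egress anti-spoofing filter, added here to illustrate the router
rule described above. Interface names, prefixes and sample packets are
constructed for this example and are not from the original text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: our own hosts live in these prefixes behind the
# "inside" interface; the "outside" interface faces the Internet.
INTERNAL_NETS = [ip_network("192.168.10.0/24"), ip_network("10.20.0.0/16")]
# Private and loopback space that should never be the source of a packet
# arriving from the Internet (ingress filtering in the spirit of BCP 38).
RESERVED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on: "outside" or "inside"
    src: str         # source IP as written in the packet header
    dst: str         # destination IP


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt):
    """Return ("drop" | "accept", reason) for one packet."""
    src = ip_address(pkt.src)
    if pkt.ingress_if == "outside":
        # A packet from the Internet must not claim to come from one of our
        # own workstations; that is exactly the spoof the text describes.
        if _in_any(src, INTERNAL_NETS):
            return "drop", "external packet claims an internal source address"
        if _in_any(src, RESERVED_NETS):
            return "drop", "external packet carries a private/reserved source"
        return "accept", "public source address on the outside interface"
    if pkt.ingress_if == "inside":
        # Egress side of the same rule: our hosts may only send as themselves,
        # so this site cannot be used to spoof somebody else.
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "internal host is sending with a foreign source address"
        return "accept", "internal source address on the inside interface"
    return "drop", f"unknown interface {pkt.ingress_if!r}"


# Constructed sample traffic: legitimate and spoofed packets on both sides.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.9", "192.168.10.7"),    # normal Internet client
    Packet("outside", "192.168.10.5", "192.168.10.7"),   # spoofed: claims to be local
    Packet("outside", "10.1.2.3", "192.168.10.7"),       # spoofed: private source
    Packet("inside", "192.168.10.5", "198.51.100.1"),    # normal outbound
    Packet("inside", "198.51.100.77", "203.0.113.1"),    # local host spoofing a third party
]


def apply_rules(packets=SAMPLE_PACKETS):
    """Run every packet through the filter and return the decisions in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, why = filter_packet(p)
        print(f"{p.ingress_if:7} {p.src:>14} -> {p.dst:<14} {action:6} ({why})")
```

The egress branch is the part most sites forget: dropping outbound packets whose source is not one of your own prefixes means your network cannot be the launch point for spoofing someone else, which is the complement of the inbound rule the text describes.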

3.3.3 Telnet-based attacks

The purpose of the Telnet protocol is to provide a fairly general, bi-directional, eight-bit byte oriented communications facility. Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. It is envisioned that the protocol may also be used for terminal-terminal communication ("linking") and process-process communication (distributed computation).

Telnet is unique in its design, with the notable exception of rlogin, which is similar. Telnet is designed to allow a user to log in to a foreign machine and execute commands there. Telnet (like rlogin) works as though you are at the console of the remote machine, as if you physically approached the remote machine, turned it on, and began working.

Telnet can also be used in a variety of ways to attack or otherwise cull information from a remote host. By the time this book is released, many more Telnet attack techniques will have surfaced. If you run a network and intend to supply your users with Telnet access, beware. This is especially so on new Telnet servers. These new servers may have bugs that have not yet been revealed. And, because Telnet is so interactive and offers the user so much power to execute commands on remote machines, any hole in a Telnet distribution is a critical one. It stands in the same category as FTP or HTTP in this respect (or is perhaps even worse).

Telnet is an interesting protocol. As explained earlier, one can learn many things using Telnet. For example, you can cull what version of the operating system is being run. Most distributions of UNIX will report this information on connection. It is reported by at least one authoritative source that various scanners use the issue information shown at connect to identify the type of system (SATAN being one such scanner). The operating system can generally be determined by connecting to any of these ports and reading the banner:

Ø Port 21: FTP

Ø Port 23: Telnet (Default)

Ø Port 25: Mail

Ø Port 70: Gopher

Ø Port 80: HTTP

In their now-famous paper, "Improving the Security of Your Site by Breaking into It," Dan Farmer and Wietse Venema point out ports that can be attacked. Specifically, they address the issue of port 6000:

X windows is usually on port 6000...If not protected properly (via the magic cookie or xhost mechanisms), window displays can be captured or watched, user keystrokes may be stolen, programs executed remotely, etc. Also, if the target is running X and accepts a Telnet to port 6000 that can be used for a denial of service attack, as the target's windowing system will often "freeze up" for a short period of time.

X Terminals are generally diskless clients. These are machines that have the bare minimum of hardware and software to connect to an X server. These are most commonly used in universities and consist of a 17" or 19" screen, a base, a keyboard and a mouse. The terminal usually supports a minimum of 4 megabytes of RAM, but some will hold as much as 128 megabytes. X terminals also have client software that allows them to connect to the server. Typically, the connection is via fast Ethernet, hardwired to the back of the terminal. X Terminals provide high-speed connectivity to X servers, coupled with high-powered graphics. These machines are sold on the Internet and make great "additional" terminals for use at home. (They are especially good for training.)

Another interesting thing that Telnet can be used for is to instantly determine whether the target is a real or virtual domain (this can be done through other methods, but none perform this function quite as quickly). This can assist a cracker in determining exactly which machine he or she must crack to reach your resources or, more precisely, exactly which machine he or she is engaged in cracking.

Under normal circumstances, a real domain is a domain that has been registered with InterNIC and also has its own dedicated server. Somewhere in the void is a box with a permanent IP address, and that box is attached permanently to the Internet via 28.8Kbps modem, ISDN, 56Kbps modem, frame relay, T1, T3, ATM, or perhaps, if the owner spares no expense, SONET. As such, when you Telnet to such a real site, you are reaching that machine and no other.

Virtual domains, however, are simply directories on a real server, aliased to a particular domain name. That is, you pay some ISP to register your domain name and create a directory on its disk where your virtual domain exists. This technique allows your_company.com to masquerade as a real server. Thus, when users point their browsers to www.your_company.com, they are reaching the ISP's server. The ISP's server redirects the connection request to your directory on the server. This virtual domain scheme is popular for several reasons, including cost. It saves your company the trouble of establishing a real server and therefore eliminates some of these expenses:

Ø Hardware

Ø Software

Ø 24-hour maintenance

Ø Tech support

Basically, you pay a one-time fee (and monthly fees thereafter) and the ISP handles everything. To crackers, this might be important. For example, if crackers are about to crack your domain--without determining whether your machine is truly a server--they may get into trouble. They think they are cracking some little machine within your internal offices when in fact, they are about to attack a large, well-known network provider.

Telnet instantly reveals the state of your server. When a cracker initiates a Telnet connection to your_company.com (and on connect, sees the name of the machine as a node on some other, large network), he or she immediately knows that your address is a virtual domain.

Moreover, Telnet can be used for other nefarious purposes. One is the ever-popular brute-force attack. I am not sure why brute-force attacks are so popular among young crackers; almost all servers do some form of logging these days. Nevertheless, the technique has survived into the 1990s. These attacks are most commonly initiated using Telnet clients that have their own scripting language built in. Tera Term is one such application.

Tera Term sports a language that allows you to automate Telnet sessions. This language can be used to construct scripts that can determine valid usernames on a system that refuses to cough up information on finger or sendmail-expn queries. Versions of Telnet reveal this information in a variety of ways. For example, if a bogus username is given, the connection will be cut. However, if a valid username is given, a new login: prompt is reissued.
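From the defender's side, both the brute-force attack and the username-probing behaviour described above leave a distinctive pattern in login logs: many failures from one source in a short window, or many different usernames failed once each. The script below runs that detection over a few constructed log lines. It is an added example, not code from the original text; the one-line-per-attempt log format ("telnetd-login: FAILED LOGIN FROM ... FOR ...") is a simplified, constructed format rather than the exact syntax of any real telnetd or login program, and the thresholds are assumptions to be tuned per site.

```python
"""Detection of Telnet brute-force and username-enumeration bursts over
login log lines. Added example, not from the original text; the log format
below is a constructed, simplified one-line-per-attempt format, not the
exact syntax of any particular telnetd or login(1)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.9 hammers one account and eventually gets
# in; 198.51.100.7 tries many different names once each (enumeration);
# 192.0.2.5 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-05T10:00:00 gw telnetd-login: FAILED LOGIN FROM 203.0.113.9 FOR root
2024-01-05T10:00:05 gw telnetd-login: FAILED LOGIN FROM 203.0.113.9 FOR root
2024-01-05T10:00:10 gw telnetd-login: FAILED LOGIN FROM 203.0.113.9 FOR root
2024-01-05T10:00:15 gw telnetd-login: FAILED LOGIN FROM 203.0.113.9 FOR root
2024-01-05T10:00:20 gw telnetd-login: FAILED LOGIN FROM 203.0.113.9 FOR root
2024-01-05T10:00:25 gw telnetd-login: ACCEPTED LOGIN FROM 203.0.113.9 FOR root
2024-01-05T10:05:00 gw telnetd-login: FAILED LOGIN FROM 198.51.100.7 FOR alice
2024-01-05T10:05:03 gw telnetd-login: FAILED LOGIN FROM 198.51.100.7 FOR bob
2024-01-05T10:05:06 gw telnetd-login: FAILED LOGIN FROM 198.51.100.7 FOR carol
2024-01-05T10:05:09 gw telnetd-login: FAILED LOGIN FROM 198.51.100.7 FOR dave
2024-01-05T10:10:00 gw telnetd-login: FAILED LOGIN FROM 192.0.2.5 FOR eve
2024-01-05T10:10:12 gw telnetd-login: ACCEPTED LOGIN FROM 192.0.2.5 FOR eve
2024-01-05T10:11:00 gw telnetd-login: session closed
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd-login: "
    r"(?P<result>FAILED|ACCEPTED) LOGIN FROM (?P<src>\S+) FOR (?P<user>\S+)$"
)


def analyze(lines, window_seconds=60, fail_threshold=5, user_threshold=4):
    """Return {source_ip: set_of_alert_names} for the given log lines.

    brute_force:         >= fail_threshold failures from one source in the window
    user_enumeration:    >= user_threshold distinct usernames failed in the window
    success_after_burst: a successful login while a brute-force burst is active
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, username) failures
    alerts = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines we do not understand are skipped, not guessed at
        ts = datetime.fromisoformat(m["ts"])
        src, user = m["src"], m["user"]
        q = recent[src]
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if m["result"] == "FAILED":
            q.append((ts, user))
            if len(q) >= fail_threshold:
                alerts[src].add("brute_force")
            if len({u for _, u in q}) >= user_threshold:
                alerts[src].add("user_enumeration")
        elif len(q) >= fail_threshold:
            # The attempt that finally worked is the one that matters most.
            alerts[src].add("success_after_burst")
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src:15} {', '.join(sorted(kinds))}")
```

The two signatures are deliberately separate: a password guesser produces many failures against few names, while a username prober produces few failures against many names and never trips a plain failure-count rule. A successful login immediately after a burst is the event worth paging on.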

Moreover, Telnet is a great tool for quickly determining whether a particular port is open or whether a server is running a particular service. Telnet can also be used as a weapon in denial-of-service attacks. For example, sending garbage to certain ports on an NT Web server under IIS can cause the targeted processor to jump to 100 percent utilization. Initiating a Telnet session to other ports on an NT Web server can cause the machine to hang or crash. This is particularly so when issuing a Telnet connection request to port 135.

One can also crash Microsoft's Internet Information Server by Telnetting to port 80 and issuing a GET.../... request. Reportedly, however, that problem was remedied with the Microsoft Windows NT Service Pack 2 for Windows NT 4.0. If you do not have that patch/service pack, get it. A good treatment of this and other problems can be found in the Denial of Service Info post, posted by Chris Klaus of Internet Security Systems.

Finally, Telnet is often used to generate fake mail and fake news. Spammers often use this option instead of using regular means of posting Usenet messages. There are certain options that can be set this way that permit spammers to avoid at least some of the screens created by spam-killing robots on the Usenet network.

4. NEED FOR SECURITY

4.1 Types of security

4.1.1. Trojan

The trojan horse, or trojan: no other device is more likely to lead to total compromise of a system, and no other device is more difficult to detect.

Ø What Is a Trojan?

Before I start, I want to offer a definition of what a trojan is, because these devices are often confused with other malicious code. A trojan horse is any of the following:

Ø An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.

Ø A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.

Ø Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and probably unwanted) by the user.

The unauthorized functions that the trojan performs may sometimes qualify it as another type of malicious device as well. For example, certain viruses fit into this category. Such a virus can be concealed within an otherwise useful program. When this occurs, the program can be correctly referred to as both a trojan and a virus. The file that harbors such a trojan/virus has effectively been trojaned. Thus, the term trojan is sometimes used as a verb, as in "He is about to trojan that file."

Classic Internet security documents define the term in various ways. Perhaps the most well known (and oddly, the most liberal) is the definition given in RFC 1244, the Site Security Handbook:

A trojan horse program can be a program that does something useful, or merely something interesting. It always does something unexpected, like steal passwords or copy files without your knowledge.

Another definition that seems quite suitable is that given by Dr. Alan Solomon, an internationally renowned virus specialist, in his work titled All about Viruses:

A trojan is a program that does something more than the user was expecting, and that extra function is damaging. This leads to a problem in detecting trojans. Suppose I wrote a program that could infallibly detect whether another program formatted the hard disk. Then, can it say that this program is a trojan? Obviously not; if the other program was supposed to format the hard disk (like Format does, for example), then it is not a trojan. But if the user was not expecting the format, then it is a trojan. The problem is to compare what the program does with the user's expectations. You cannot determine the user's expectations for a program.

Ø Where Do Trojans Come From?

Trojans are created strictly by programmers. One does not get a Trojan through any means other than by accepting a trojaned file that was prepared by a programmer. True, it might be possible for a thousand monkeys typing 24 hours a day to ultimately create a trojan, but the statistical probability of this is negligible. Thus, a trojan begins with human intent or mens rea. Somewhere on this planet, a programmer is creating a trojan right now. That programmer knows exactly what he or she is doing, and his or her intentions are malefic (or at least, not altruistic).

The trojan author has an agenda. That agenda could be almost anything, but in the context of Internet security, a trojan will do one of two things:

Ø Perform some function that either reveals to the programmer vital and privileged information about a system or compromises that system.

Ø Conceal some function that either reveals to the programmer vital and privileged information about a system or compromises that system.

Some trojans do both. Additionally, there is another class of trojan that causes damage to the target (for example, one that encrypts or reformats your hard disk drive). So trojans may perform various intelligence tasks (penetrative or collective) or tasks that amount to sabotage.

One example that satisfies the sabotage-tool criteria is the PC CYBORG trojan horse. As explained in a December 19, 1989 CIAC bulletin ("Information about the PC CYBORG (AIDS) Trojan Horse"):

There recently has been considerable attention in the news media about a new trojan horse which advertises that it provides information on the AIDS virus to users of IBM PC computers and PC clones. Once it enters a system, the Trojan horse replaces AUTOEXEC.BAT, and may count the number of times the infected system has booted until a criterion number (90) is reached. At this point PC CYBORG hides directories, and scrambles (encrypts) the names of all files on drive C:. There exists more than one version of this trojan horse, and at least one version does not wait to damage drive C:, but will hide directories and scramble file names on the first boot after the trojan horse is installed.

Ø What Level of Risk Do Trojans Represent?

Trojans represent a very high level of risk, mainly for reasons already stated:

Ø Trojans are difficult to detect. In most cases, trojans are found in binaries, which remain largely in non-human-readable form.

Ø Trojans can affect many machines. Trojans are a perfect example of the type of attack that is fatal to the system administrator who has only a very fleeting knowledge of security. In such a climate, a Trojan can lead to total compromise of the system. The Trojan may be in place for weeks or even months before it is discovered. In that time, a cracker with root privileges could alter the entire system to suit his or her needs. Thus, even when the trojan is discovered, new holes may exist of which the system administrator is completely unaware.

Ø How Does One Detect a Trojan?

Detecting trojans is less difficult than it initially seems. But strong knowledge of your operating system is needed; also, some knowledge of encryption can help.

If your environment is such that sensitive data resides on your server (which is never a good idea), you will want to take advanced measures. Conversely, if no such information exists on your server, you might feel comfortable employing less stringent methods. The choice breaks down to need, time, and interest. The first two of these elements represent cost. Time always costs money, and that cost will rise depending on how long it has been since your operating system was installed. This is so because in that length of time, many applications that complicate the reconciliation process have probably been installed. For example, consider updates and upgrades. Sometimes, libraries (or DLL files) are altered or overwritten with newer versions. If you were using a file-integrity checker, these files would be identified as changed. If you were not the person who performed the upgrade or update, and the program is sufficiently obscure, you might end up chasing a phantom trojan. These situations are rare, true, but they do occur.

Most forms of protection against (and prevention of) trojans are based on a technique sometimes referred to as object reconciliation. Although the term might sound intimidating, it isn't. It is a fancy way of asking "Are things still just the way I left them?" Here is how it works: Objects are either files or directories. Reconciliation is the process of comparing those objects against themselves at some earlier (or later) date. For example, take a backup tape and compare the file PS as it existed in November 1995 to the PS that now resides on your drive. If the two differ, and no change has been made to the operating system, something is amiss. This technique is invariably applied to system files that are installed as part of the basic operating
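Object reconciliation as described above, carried through in code: take a baseline of every file's hash, size and permission bits, then compare a later snapshot and report what appeared, vanished or changed. This is an added example, not the original text's or any particular integrity checker's code; the "system" it examines is a constructed temporary directory with stand-in files named ps and ls, so it runs stand-alone.

```python
"""Object reconciliation: record a baseline of every file's cryptographic hash,
size and mode, then compare a later snapshot against it. Added example, not
from the original text; the directory tree and file contents are constructed
in a temporary directory so the script runs stand-alone."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every regular
    file under root. Symlinks are skipped: hashing their target would let an
    attacker-controlled link point at whatever content passes the check."""
    root = Path(root)
    objects = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            objects[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # permission bits incl. setuid
            }
    return objects


def reconcile(baseline, current):
    """Ask "are things still just the way I left them?" and answer in three
    lists: files that appeared, files that vanished, files whose hash, size
    or mode differs from the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in base_keys & cur_keys
                          if baseline[k] != current[k]),
    }


def demo():
    """Build a tiny constructed 'system', baseline it, tamper, and reconcile."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"constructed stand-in for the ps binary")
        (root / "bin" / "ls").write_bytes(b"constructed stand-in for the ls binary")
        baseline = snapshot(root)       # in practice, store this off-host

        # Simulated tampering: ps gets extra code appended (a trojaned binary
        # of identical name), ls is deleted, and an unexpected file appears.
        with open(root / "bin" / "ps", "ab") as f:
            f.write(b" + hidden extra code")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "extra").write_bytes(b"constructed unknown binary")

        return reconcile(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8}: {paths}")
```

Two practical points follow from the text's caveats. The baseline must live somewhere the trojan's author cannot reach (read-only media or another host), because a cracker with root privileges can otherwise rewrite it along with the binaries. And every vendor update will show up in the "changed" list, so the baseline has to be re-taken after each legitimate upgrade, which is the phantom-trojan situation described above.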

4.1.2. Firewall

What Is a Firewall?

A firewall is any device used to prevent outsiders from gaining access to your network. This device is usually a combination of software and hardware. Firewalls commonly implement exclusionary schemes or rules that sort out wanted and unwanted addresses. To understand how firewalls work, consider some of the subjects discussed earlier in this book. First, most simple authentication procedures use the IP address as an index. The IP address is the most universal identification index on the Internet. This address can be either a static or dynamic address:

A static IP address is permanent; it is the address of a machine that is always connected to the Internet. There are many classes of static IP addresses. One class can be discovered by issuing a whois query; this class consists primarily of top-level machines in a network, such as domain name servers, Web servers, and root-level machines. These actually have registered hostnames within the whois database at InterNIC.

Other classes of static IP addresses are addresses assigned to second- and third-level machines within networks dominated by domain name servers, root servers, Web servers, and so on. These also have permanent physical addresses. However, these machines might or might not possess a registered hostname. In any event, their addresses are registered as well.

A dynamic IP address is one that is arbitrarily assigned to a different node each time it connects to a network. Dynamic IP is often used by ISPs for dial-up access--each time a node dials up, it is assigned a different IP address.

Whether your address is static or dynamic, it is used in all network traffic that you conduct. A Web server records your IP address when you request a Web page. This is not to intrude on your privacy; it is done so that the server knows how to send you the requested data. In a similar fashion, all network services capture your IP (either temporarily or permanently) so they can return data to your address. In essence, it works much like the postal service: Imagine if every letter mailed had a return address. On the Internet, things are just so. The IP is the return address.

TYPES OF FIREWALLS

There are four types of firewalls.

Ø The remote server or Proxy Server: It is essentially a computer which checks the packets of information being sent over the network to be certain they are safe. It blocks unsafe packets and allows those to pass that are safe.

Ø Screening routers: These, which connect two or more computers together to make a network, are the most basic type of firewall. Your Internet connection is attached to the router and you access the Internet through your internal network. Two or more computers can share the Internet connection and be protected by the firewall, which is built into the router, at the same time.

Ø High security network level firewalls: These firewalls compare the bit patterns of data packets being sent over the network to data packets that are listed as being "trusted" or safe. These firewalls are used to help stop DOS (denial of service) attacks. They also use dynamic packet filtering to automatically control the flow of data through the ports, to minimize the number of open ports at any given time to help stop hackers from gaining access to the network.

Ø The software firewall: It is probably the most common type. It is a software program running on your computer that allows the data to pass through it, if you have programmed the software to allow it. You simply select which of your applications, like web browsers, email client, mIRC, etc. you want the "firewall" to allow to access the Internet. These firewalls are mainly designed to protect the single computer that is running the software.
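The "dynamic packet filtering" mentioned for the network-level firewall above is easier to see in code than in prose: the filter remembers which connections inside hosts opened and admits inbound traffic only when it answers one of those (or hits a port deliberately published), forgetting idle flows so that no port stays reachable longer than needed. The class below is an added example of that connection-tracking idea, not code from the original text or from any firewall product; the addresses, ports, timings and timeout value are constructed.

```python
"""Dynamic (stateful) packet filtering: inbound packets are admitted only if
they answer a connection an inside host opened, or hit a port explicitly
published; everything else is dropped. Added example, not from the original
text. Addresses, ports and timings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str   # "out": inside host -> Internet, "in": Internet -> inside host
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float         # arrival time in seconds


class StatefulFilter:
    def __init__(self, published_ports=(), idle_timeout=120.0):
        # Ports we deliberately expose to the Internet (e.g. our own mail server).
        self.published_ports = set(published_ports)
        self.idle_timeout = idle_timeout
        # Connection table: 5-tuple of an outbound flow -> time last seen.
        self.table = {}

    def _expire(self, now):
        """Forget idle flows so a 'hole' opened by one request does not stay
        open indefinitely; this is how the number of reachable ports is kept
        to a minimum at any moment."""
        stale = [k for k, last in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def decide(self, pkt):
        self._expire(pkt.t)
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            self.table[flow] = pkt.t         # remember that we asked for this
            return "accept"
        # Inbound: does it answer an outbound flow? The reply swaps src and dst.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            self.table[reverse] = pkt.t      # refresh the idle timer
            return "accept"
        if pkt.dport in self.published_ports:
            return "accept"                  # an intentionally public service
        return "drop"                        # unsolicited, e.g. a probe of port 23


def run_demo():
    """Constructed traffic: a web request and its reply, an unsolicited Telnet
    probe, mail to a published port, and a late reply after the flow expired."""
    fw = StatefulFilter(published_ports={25}, idle_timeout=120.0)
    traffic = [
        Pkt("out", "tcp", "192.168.10.5", 40001, "203.0.113.10", 80, t=0.0),
        Pkt("in",  "tcp", "203.0.113.10", 80, "192.168.10.5", 40001, t=1.0),
        Pkt("in",  "tcp", "198.51.100.7", 5555, "192.168.10.5", 23, t=2.0),
        Pkt("in",  "tcp", "198.51.100.7", 5556, "192.168.10.9", 25, t=3.0),
        Pkt("in",  "tcp", "203.0.113.10", 80, "192.168.10.5", 40001, t=200.0),
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Compare this with a screening router's static rule list: a static filter that lets replies in must leave the whole range of client ports open permanently, whereas the stateful table opens exactly one reverse path per request and closes it again when the flow goes idle.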


5. SEVEN WAYS TO PROTECT SYSTEMS FROM HACKING

Here are seven simple, effective steps that network administrators can take to protect their systems.

Ø Implement a firewall -- A firewall is a barrier that keeps hackers and viruses out of computer networks. Firewalls intercept network traffic and allow only authorized data to pass through.

Ø Develop a corporate security policy -- Establish a corporate security policy that details practices to secure the network. The policy should direct employees to choose unique passwords that are a combination of letters and numbers. Passwords should be changed every 90 days to limit hackers’ ability to gain possession of a functioning password. When someone leaves the company, immediately delete the user name and password. The corporate policy should outline consequences for network tampering and unauthorized entry.

Ø Install anti-virus software -- All computers should run the most recent version of an anti-virus protection subscription. Ideally a server should be configured to push virus updates out periodically to all client systems. Employees should be educated about viruses and discouraged from opening e-mail attachments or e-mail from unknown senders.

Ø Keep operating systems up to date -- Upgrade operating systems frequently and regularly install the latest patches or versions of software, which are often free over the Web.

Ø Don’t run unnecessary network services -- When installing systems, any non-essential features should be disabled. If a feature is installed but not actively used, it is less likely to be updated regularly, presenting a larger security threat. Also, allow only the software employees need to do their job effectively.

Ø Conduct a vulnerability test -- Conducting a vulnerability test is a cost-effective way to evaluate the current security program. This test highlights flaws and limitations in the program, and experts can offer suggestions for improvement. The best method for conducting a vulnerability test is to contact a computer consulting company and provide access to your system for a day or two. This will provide ample time for network appraisal and follow-up discussion and planning.

Ø Keep informed about network security -- Numerous books, magazines and online resources offer information about effective security tools and “lessons learned.” Also, the Web provides ample and very current information about security – type in the key words “network security.”

6. THE BENEFITS OF HACKING

A benefit to the computer community is the free-wheeling exploration of systems by the benign hacker. Freedom and control may be incompatible attributes of such an environment, but it is clear that the tasks of program or system usage in a productive setting are not amenable to the recognition and acceptance of bugs and errors. On the other hand the challenge of testing may be a logical outlet for hacking inclinations in the make-up of a programmer. In several cases systems have been purposely exposed to hackers to test their security and their robustness.

In 1989 LeeMah DataCom Security Corporation challenged hackers to retrieve a secret message hidden in a computer in Atlanta. After giving the potential intruders a phone number and password, they were asked to retrieve a hidden message in the system. The prize was to be an eight-day, seven-night, all-expenses-paid trip for two to St. Moritz or Tahiti! In a seven-day period, with the rate of calls starting at 100 calls per hour on the first day, 7,476 attempts to access the critical message were made. Not one attempt succeeded! The company claimed to have "proven that a system ... will effectively meet the needs of dial-up access systems" and users "need not accept arduous, user-hostile telecommunications security plans". The challenge was repeated in 1990 with two sites, with the same basic start-up information, but with the challenge period extended to two weeks. Once again the system resisted intrusion. John Tuomy stated "the problem with all the coverage of successful hacker break-ins is that some people might get the impression that these hackers are invincible, or that the FBI arrests of some of them will act as a deterrent. The fact is that the government couldn't possibly arrest all the hackers out there, and certainly not guarantee the safety of the nation's computers. We believe strongly that computer crime can be prevented, but that businesses have to do it themselves".


7. THE PSYCHOLOGY OF HACKING & PROGRAMMING

There is a certain allure to computing which is difficult to replicate in other environments. In many respects computing is always "real" rather than merely an example or model, though there is equally always the hope for more power and greater facilities to do bigger and better hacks. Whereas in other endeavors the development of a project such as a hot-rod car or a trip to Hawaii costs real dollars, computing costs nothing - it is a utility. Driving a hot-rod on a dirt strip is also fraught with real physical danger, while hot-rodding a computer is safe. The computer does not hit back even when the worst of effects are programmed.

Even the non-hacker and the non-programmer are affected by the computer. With the advent of e-mail systems, one can easily recognize the change in personality which comes from a non-evasive form of communication. Persons who are puppy dogs in face-to-face communication become wolves when they do not have to look into the eyes of the receiver and are not threatened physically by their textual combatant.

Ø Access to Computers - and anything which might teach you something about the way the world works - should be unlimited and total. Always yield to the Hands-On Imperative!

Ø All information should be free.

Ø Mistrust Authority - Promote Decentralization.

Ø Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.

Ø You can create art and beauty on a computer.

Ø Computers can change your life for the better.

Hacking, whether it is benign or felonious, is associated with learning and exploration. While there are elder hackers, they grew up from the hacking covens of youngsters interested in exploring and exploiting the new ethereal world of electronic tripping. But like so many other new technologies, the growth of the amateur capabilities and the sharing of findings soon outgrows the normal and the useful; to find an area in which to make a mark requires an excursion into the not so acceptable domains.

8. WHAT HACKERS CAN STEAL FROM YOUR COMPUTER

Personal information, names, addresses, financial information, even the account information for your ISP and passwords: in short, anything stored on your computer can be obtained by the hacker. The Trojan may even be able to record each and every keystroke you make, save the info to a hidden file and then, when you go online, upload the file to the hacker's computer. This means that even if you don't keep personal info or passwords on your computer, the hacker can still obtain them from the keystroke log he uploaded.

I just have one computer for my personal use, why would a hacker bother with me?

There are a number of reasons why a hacker would want to "look" at your computer. He may find your credit card number stored there from buying online, or use the information gleaned from your computer to use your ISP account for illegal activity, like distributing child pornography. One of the most recent uses of Trojans is to cause DDoS (distributed denial of service) attacks. In a DDoS attack, the client commands all of the "servers" located on individual PCs to attack a single website. Thousands of individual PCs can be commanded to access a website like eBay or Yahoo at the same time, clogging the site's bandwidth and causing an interruption of service.


9. CONCLUSION

Hacking is a very broad discipline, which covers a wide range of topics. The complexity of hacking allows us only to scratch the surface of it.

With increases in computer technology, as well as increases in integration of computers into everyday life, it is evident that there is a place for hackers in the future but finding where they will stand is something that only time can tell.

Hacking caused an international problem when the United States government thought about using it as a weapon to derail Yugoslav war forces. No international solution can be proposed because the nations of the world do not have the same ideas, laws and punishments governing hacking. Hacking has the potential to disrupt the economy, create international tension and ruin the lives of ordinary citizens worldwide.

The very technology that brought the world together (the computer), is now the central focus in a plague tearing the world apart.
