Advertisement: Support SunWorld, click here! Hacker's toolchest Techniques and tools for penetration testing Summary There are hackers capable of penetrating almost any system. The good ones get paid for it. The bad ones pay for it. What is a hacker's approach to penetration testing? What tools do they use? In this column, Carole Fennelly asks noted security specialists Brian Martin, Mark Abene, and Rain Forest Puppy for their perspective. (3,000 words) ----------------------- recently heard of yet another penetration test in which the vendor charged $150,000 for two days of testing. It seemed pretty expensive to me, but I assumed that the testers must have brought in some major security gurus who ran uber-elite secret exploits against the systems. In fact, they ran ISS Scanner. Don't get me wrong; ISS Scanner is a useful tool that tests for all known vulnerabilities. (I'm not picking on ISS; there are other tools like this as well.) It's just that for $150,000, I want Robert Redford testing my system. (Ok, who hasn't seen Sneakers? Go rent it!) It also occurred to me that there are hackers capable of penetrating almost any system. The good ones get paid for it. What is a hacker's approach to penetration testing? What tools do hackers use? I decided to find out. Hacker phobia The term hacker has been abused by the media and by hacker wannabes to the extent that many people think all hackers are criminals. This is simply not true. For the purposes of this column, I'll define a hacker as "an expert with informal training." While it's true that there are hackers who have violated laws and/or cannot be trusted, the same can be said for people who avoid the hacker label. We've all heard of insiders who, using their computers, rob a company blind. To make a hiring decision based solely on the label a person uses to describe him or herself is a copout. In the following Q&A, I asked three well-known security specialists about their background and approach to penetration testing. The players include: Brian Martin, a.k.a. Jericho: Founder of Attrition.org, a popular hacker site with an eclectic mix of computer security tools, humor, rants, and the ever-popular Attrition Defacement Mirror. Brian presently works as a computer security consultant responsible for leading a security audit and penetration assessment team. In recent months, Brian's articles focusing on security issues have been widely circulated in corporate newsletters, in print magazines, and on the Internet. Mark Abene, a.k.a. Phiber Optik: Cofounder and president of Crossbar Security. Mark's teenage curiosity with phone networks prompted a federal judge to sentence him to a year in jail. While the experience deterred Mark from illegal hacking, time has proved that it wasn't much of a deterrence to others. Rain Forest Puppy, a.k.a. RFP: The bane of Microsoft. Best known for releasing the Microsoft IIS RDS exploit used by thousands of script kiddies. RFP is the author of the Web-scanning tool whisker, which can defeat intrusion detection systems. RFP is credited for recently revealing a backdoor inserted by Microsoft engineers that stated that "Netscape engineers are weenies!" RFP prefers to keep his professional identify anonymous. Q: How long have you been doing penetration testing? Brian: Professionally, for five years. Mark: Professionally for over five years, but I first started penetrating systems when I was about 12. RFP: Professionally with a company for about eight months, although individually as needed for about two years. Q: Do you work for a company or independently? Brian: I presently work for a company, although I've done both in the past. Mark: Both. Currently, I'm the president of my own firm, Crossbar Security, Inc. RFP: Company. Q: Do your perceive yourself as a hacker-type or a computer security professional? Brian: A bit of both. I try to be a well-balanced hybrid of the two. Mark: One's experiences as a hacker-type are what make one a truly great computer security professional -- which is to say [that] it's one thing to be book smart or school taught and quite another to have years of hands-on experience defeating security systems. RFP: I'm a hacker-type, but I'm billed as a computer security professional because my clients are scared by the former. (Laughs) Q: Do you see any problems with how penetration tests are typically performed? If so, what? Brian: Yes. Most companies are charging an arm and a leg for canned security scanner output. While these scanners test for most vulnerabilities, they're always behind the curve in the latest exploits. The whole reason for having a penetration test is to test for everything, especially the latest vulnerabilities. If they can't do that, the client should just purchase their own copies of the scanners. Mark: Typical penetrations are hardly thorough. They often rely on untrained auditors that use canned tools, which are only as good as their updates. They produce canned reports, devoid of actual useful information and hard facts. We go in after some large audit firm has done their thing, leaving the client with reason for doubt, and we totally penetrate their most sensitive systems. A truly valuable penetration study is a strategic operation, from start to finish. RFP: Auditors who walk in and exclusively run ISS or CyberCop aren't doing a thorough job. The majority of the time, the auditors don't understand the security vulnerabilities that the scanners are finding. Q: How can auditors prove that they've done a good job if they've been unable to find anything wrong in the allotted time? Brian: By writing a comprehensive and well-written report that covers what was tested. I also believe that every network can be improved, so if they didn't find a single point of concern, no matter how trivial, they missed something. Mark: If an auditor hasn't found anything, by de facto he's done a poor job. Any sufficiently large corporation is going to have security problems. Bureaucracy often unintentionally creates an environment where good security practices are overlooked. The larger the corporation, the more likely it is that holes are lurking. Disorganization and breakdowns in management breed security problems. RFP: Auditors should document the list of vulnerabilities they checked and say something like, "I didn't find any problems, given the time frame and this list of checks." If the list of checks was small, an explanation of why those checks were picked would probably be sufficient. Obviously, more critical problems and popular vulnerabilities should take precedence. Q: Do your clients ask you to sign a nondisclosure agreement? Brian: Yes. And we require them to sign one as well. Mark: Yes. RFP: For the most part, yes. Q: How do you and your clients reach an agreement on the scope of the audit? Do you have a written Statement of Work before you proceed? Brian: We always come to agreement and are very clear on what is within the scope. 99 percent of the time there's a written Statement of Work. Mark: We always try to sell our clients on the largest scope possible, because we believe that a penetration greatly diminishes in value the more restrictions and off-limits areas are declared. Obviously, we both have to agree to something on paper, and we author our Statement of Work based on preliminary meetings with clients. Also, we treat each client separately, so our simulation will best suit their individual needs. RFP: Typically, yes. However, the best interest is with the client, so if they wish to have extra systems audited, and time permits, we'd be happy to check them. This works well if you work with your client beforehand to firmly establish what they should and need to have done. Some companies have a sales guy/gal roll through, sell some service, and when the actual assessment team shows up, it turns out what was sold is not really what should be done. Q: Do you write a report for the client yourself, or does your company write up your findings? Do you get final approval on the report? Brian: For the most part, I write the entire report myself. After that, the rest of the team gives input, our managers give it a thorough review, and I get the final say. Mark: One of the luxuries of running your own company is that you get to write your own reports. That way, nothing gets edited out that should be left in, and there are no misunderstandings. RFP: I have personally done both; it depends on the particulars of that client. Q: Do you tell your clients which tools you use? Brian: If they ask. While it's no secret, we try not to list every single step and tool, because to do so would create a lot more work for us. Mark: Always. We don't believe in crystal balls or sleight-of-hand, and we don't want our clients to either. Part of our final report is detailing exactly what tools and exploits were used, even demonstrating them after the fact for technical staff. We believe we're all on the same team, and teaching security awareness is the most valuable tool of all. RFP: If they ask, we do tell, and, time permitting, offer to demonstrate and even teach them how to use ones that are available to them. Page 1 of 2, continued... Page 1. Page 2. The toolchest Printer-friendly (all-in-one) version Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique and readers are cautioned to investigate with their companies the feasibility of using the information and software in the article. No warranties, implied or actual, are granted for any use of the information and software in this article, and neither author nor publisher is responsible for any damages, either consequential or incidental, with respect to the use of the information and software contained herein. Hacker's toolchest Page 2 of 2 The toolchest While many hackers have their favorite homegrown tools and scripts, some open source tools are freely available and quite useful. Which tool is most appropriate depends on what you're auditing. Brian Martin describes a few of these below. This is by no means a complete list (see Resources for more) and I hope to explore other tools in the future. Of course, these tools should only be used on a network that you're authorized to audit. Just as you might question the wisdom of trusting hackers, you might question the wisdom of trusting hacker tools as well. The tools are open source and painstakingly reviewed by other hackers, often for egotistical reasons. If there's a back door or Trojan horse in the code, there will be a mad rush to be the first to post it on Bugtraq. From my experience, the hackers who write these tools are more concerned with maintaining a respectable technical reputation than in getting into systems that they couldn't care less about. That said, of course you shouldn't trust them, any more than you should trust code you get from a vendor. Review the code, verify the PGP signatures and checksum information, and test it on an isolated system. Do this for anything you get from a vendor as well. * binfo.c -- bind version checker. binfo is a quick little script to pull back the version of named running on a remote nameserver. This is handy for comparing it to a list of known vulnerable versions of named/bind. Previous to this it, took a few commands to extract out the version. binfo.c is available here: http://www.attrition.org/tools/other/binfo.c Example: forced# binfo ns1.inficad.com ns1.inficad.com's named that errors on iquery is version: 8.1.2 forced# binfo ns2.wkeys.com ns2.wkeys.com's named that errors on iquery is version: 8.1.2 forced# binfo ns1.ecompany.net 216.32.144.7's named that supports iquery does not respond to version.bind. forced# * ghba.c -- A handy tool for extracting all the machine names and IPs of a given class B or C subnet. This is handy for scanning a wide range of IPs looking for sites affiliated with a specific company. ghba.c is also a handy tool that allows administrators to determine who they share IP space with, which in turn helps them determine if those other sites may be targeted, and if their site might get caught in the crossfire. For a penetration test, it's a good idea to run ghba.c to ensure that you're not inadvertently probing a network you're not authorized to probe. ghba.c is available here: http://www.attrition.org/tools/other/ghba.c Example: forced# ghba 208.225.201.0 Scanning Class C network 208.225.201... 208.225.201.1 => rt1.tuc.inficad.com 208.225.201.2 => laptop1.tuc.inficad.com [snip..] 208.225.201.198 => etworld.com 208.225.201.199 => ip12.eai-healthcare.com 208.225.201.200 => forced.attrition.org 208.225.201.201 => img.rowlandnet.com 208.225.201.202 => self-paced.phoenixacademies.org 208.225.201.203 => servicexchange.org 208.225.201.205 => ourladyofsorrows.org 208.225.201.206 => casualgolf.com 208.225.201.207 => arizona.com 208.225.201.208 => solar.atenveldt.org [snip..] * whisker -- whisker is a comprehensive utility for checking a Website for vulnerable CGI scripts. It is intuitive and checks for CGIs based on the remote operating system. It also offers various levels of decoys to fool intrusion detection systems, looks for more than vulnerable scripts, and checks for different packages (such as webalizer) that give valuable information about a site and its visitors. whisker is developed and maintained by Rain Forest Puppy (rfp@wiretrip.net), who is well known for his history of finding vulnerabilities in CGI scripts and Microsoft products. whisker available here: http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2 Example: forced # ./whisker.pl -v -h www.attrition.org -- whisker / v1.3.0a / rain forest puppy / ADM / wiretrip -- - Loaded script database of 1691 lines = - = - = - = - = - = = Host: www.attrition.org = Server: Temple-of-Hate/12.3.1.BetaThug (PathOS) + 404 Not Found: GET /cfdocs/ + 404 Not Found: GET /cfide/Administrator/startstop.html + 404 Not Found: GET /cfappman/index.cfm + 404 Not Found: GET /cgi-bin/ + 404 Not Found: HEAD /mall_log_files/order.log + 404 Not Found: HEAD /PDG_Cart/ + 404 Not Found: HEAD /quikstore.cfg + 404 Not Found: HEAD /Admin_files/order.log [snip..] forced # ./whisker.pl -v -h www.somerandomNTbox.com -- whisker / v1.3.0a / rain forest puppy / ADM / wiretrip -- - Loaded script database of 1691 lines = - = - = - = - = - = = Host: www.somerandomNTbox.com - Cookie: ASPSESSIONIDGQQGQSCD=NPCDILLDCJHJCOHDJIMGOMNH; path=/ + 302 Object moved: HEAD / = Server: Microsoft-IIS/4.0 + 404 Object Not Found: GET /cfdocs/ + 404 Object Not Found: GET /cgi-bin/ + 404 Object Not Found: HEAD /scripts/ + 404 Object Not Found: HEAD /cgi-win/ + 404 Object Not Found: HEAD /PDG_Cart/ [snip..] * nmap -- Perhaps the most versatile and widely-used tool for penetration testing today. Offering a wide range of port-scanning techniques, this utility will report which ports are open, who owns each process, which service is typically assigned to the port, the probability of a TCP sequence prediction attack, and more. Another useful feature of nmap is its ability to remotely "fingerprint" a machine's operating system. This utility has become the penetration tester's Swiss Army Knife. Available at: http://www.insecure.org/nmap/index.html Example: forced# nmap -O ns2.wkeys.com Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Interesting ports on ns2.wkeys.com (208.201.137.10): Port State Protocol Service 25 open tcp smtp 49 open tcp tacacs 53 open tcp domain 110 open tcp pop-3 149 open tcp aed-512 TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!) Remote operating system guess: Linux 2.0.35-37 * John the Ripper (JtR) -- Similar to Alec Muffett's popular Crack program, John the Ripper is a Unix password cracker written by Solar Designer. It is faster and more efficient than Crack, and will run on multiple platforms, including Windows, most flavors of Unix, OS/2, and more. However, Alec Muffett notes: JtR is a jolly good piece of software, and if it works faster or seems better for [you, the systems administrator], then feel free to use it. I will not weep. I will not cry for the blow to my ego. What I will worry for is that by caring which password cracker you are using, you too are propagating a myth -- that password crackers are a right and just tool for a systems administrator -- when in reality the right tool would be a secure password system, employing shadowing and cracking-resistant hash algorithms with long-input capability, or, better yet, one-time technologies. So -- if you're using a password cracker, and getting any results out of it whatsoever, go beat up your vendor as loudly as possible and demand something better. Crack is available here: http://www.crypto.dircon.co.uk/ JtR is available here: http://www.openwall.com/john/ Dug Song has S/Key and Kerberos patches for John the Ripper here: http://www.monkey.org/~dugsong/ Example: [root@lughnasad run]# ./john /etc/shadow Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32]) guesses: 0 time: 0:00:00:04 20% (1) c/s: 595 trying: R99999> guesses: 0 time: 0:00:00:05 23% (1) c/s: 573 trying: RROOT8 r00t (root) Summary So, do you hire a hacker to test your systems, or do you stick with the Big Five auditors? That's up to you to decide -- you run the risk of being owned either way. The alternative is to do it yourself. Then someday you may be considered a hacker. Just be sure to cover your assets. Acknowledgments: Much appreciation to Brian Martin for writing the descriptions of the tools and for providing examples. My thanks also go out to Mark Abene and Rain Forest Puppy for their participation and contributions. I've learned a lot from this. Finally, I'd like to thank Lew Koch and Adam Penenberg for their review and suggestions. [Image] Page 1. Page 2. The toolchest Printer-friendly (all-in-one) version Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique and readers are cautioned to investigate with their companies the feasibility of using the information and software in the article. No warranties, implied or actual, are granted for any use of the information and software in this article, and neither author nor publisher is responsible for any damages, either consequential or incidental, with respect to the use of the information and software contained herein. About the author Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been [Image]a Unix system administrator for more than 15 years on various platforms and has particularly focused on sendmail configurations of late. Carole provides security consultation to several financial institutions in the New York City area. Home | Mail this Story | Printer-Friendly Version | Comment on this Story | Resources and Related Links Advertisement: Support SunWorld, click here! [Image]Resources and Related Links Resources mentioned in this article * Brian Martin: http://www.attrition.org/~jericho * Mark Abene: http://www.crossbar.com * Rain Forest Puppy: http://www.wiretrip.net/rfp * Nomad Mobile Research Centre: http://nmrc.org/files/snt/index.html * NMRC's useful page on password-cracking programs: http://www.nmrc.org/files/sunix/index.html#password * Murphy's Law and computer security: http://www.fish.com/security/murphy.html * An older security FAQ; has some good background: http://csrc.nist.gov/secpubs/faq-sec.txt * Compass Security FAQ (one company's approach to penetration tests): http://www.csnc.ch/company/faq_e.html * Links to security resources: http://www.spirit.com/Resources/links.html * University of Florida's page on hacker tools and techniques: http://logjam.nerdc.ufl.edu/~security/hacker.html Useful sites * Technotronic: http://www.technotronic.com/ * Packet Storm: http://packetstorm.securify.com/ * The Openwall Project: http://www.openwall.com/ * The L0pht: http://www.l0pht.com Articles * "Want To Prevent Break-Ins? Just Ask a Hacker," Laura DiDio (Computerworld, March 1998): http://www2.computerworld.com/home/print.nsf/All/9803022E52 * "Space Rogue," Adam L. Penenberg (Forbes, February 2000) -- interview with Space Rogue: http://www.forbes.com/columnists/penenberg/2000/0207.htm Additional SunWorld resources * The SunWorld Topical Index -- a comprehensive listing of all SunWorld articles by subject: http://www.sunworld.com/common/swol-siteindex.html * Visit sunWHERE -- launchpad to hundreds of online resources for Sun users: http://www.sunworld.com/sunwhere.html * Explore back issues of SunWorld: http://www.sunworld.com/common/swol-backissues.html * IDG.net, your one-stop IT resource: http://www.idg.net [Image] Tell Us What You Thought of This Story -Very worth reading -Too long -Too technical -Worth reading -Just right -Just right -Not worth reading -Too short -Not technical enough [(c) Copyright 2000 Web Publishing Inc., and IDG Communication company] If you have technical problems with this magazine, contact webmaster@sunworld.com URL: http://www.sunworld.com/swol-05-2000/swol-05-security-2.html Last modified: Monday, May 08, 2000