FTP security archives, such as Wietse Venema's ftp.win.tue.nl and CERT's ftp.cert.org, are very useful sources for new programs and papers. A list of various FTP archives is included in Appendix B, Internet Security References.
Watch for Linux source code changes on ftp.sunsite.unc or your favorite mirror, because Linux is usually at the cutting edge of technology for many Internet services.
Finally, you should look for updates to SATAN itself, because scans for newly discovered vulnerabilities are added to the base distribution.
Sometimes, the best way to learn about new holes is to think like an intruder and analyze a system from that standpoint. The first phase of a network attack consists of gaining information about security holes. The previous sections have shown some sample security holes as well as how to learn about new ones. The next part of this phase is gaining information about the target systems. This is best taught by a demonstration, albeit a naive and primitive one.
The creators of SATAN gained notoriety a few years before SATAN's release when they published a paper entitled Improving the Security of Your Site by Breaking Into It (Farmer & Venema, 1993). The novel idea was not popular with some system administrators, because the paper provided a training manual of sorts for new hackers. Work on the paper led the authors to create SATAN, so it is appropriate to follow the same approach in learning about SATAN. This approach can be useful in creating policies and configurations that improve the security of an organization.
Instead of using a real organization, the example follows a hacker who attempts to gain access to an imaginary company called NotReal Corporation. The hacker's goal is to break into the company's computer systems and gain as much control over them as possible. The assumption is that the hacker has access to a system on the Internet and will mount the attack from that location, with no additional access over any other network. The example steps through the general procedure that a non-automated attack would use, so that the automated approach used by SATAN is clearer.
What the hacker would like to do is create a map of all the systems in the company, along with version numbers of the OS, lists of the usernames, and a list of the network services that are being run on those systems.
Getting Hostnames and IP Addresses
By running whois notreal.com, the hacker can get back either a list of hosts on the notreal.com network or a message about the notreal.com network. The whois program contacts the Internic and finds matches of names (administrator names, hostnames, network addresses, and so on) from the DNS records kept by the Internic. Sometimes, the whois output contains a prepared message that includes a nicely formatted list of the domain servers along with system admin names.
(The new whois++ standards in RFC 1834 and RFC 1835 improve the information available from the Network Information Center that stores the whois database.)
For example, here is what the hacker might see as a result of doing a whois notreal:
# whois notreal
Notreal Corporation (NOTREAL-DOM)                   NOTREAL.COM
Notreal - Bldg 11 (NET-NSOFT-1)     NSOFT-1        123.45.67.89
Notreal (NRWORD-DOM)                                NRWORD.COM
Notreal Corporation (NOB3-DOM)                      NOB.COM
Now run nslookup:
# nslookup
> set type=any
> notreal.com
Name Server:  mylocal.hackersystem.com
Address:  1.2.3.4

Non-authoritative answer:
notreal.com     nameserver = dns1.notreal.COM
notreal.com     nameserver = dns.somebodyelse.COM
notreal.com     preference = 10, mail exchanger = mail.notreal.com
notreal.com     preference = 20, mail exchanger = m2.notreal.com

Authoritative answers can be found from:
notreal.com     nameserver = dns1.notreal.COM
notreal.com     nameserver = dns.somebodyelse.COM
DNS1.NOTREAL.COM        internet address = 12.34.56.78
DNS.SOMEBODYELSE.COM    internet address = 23.45.67.89
mail.notreal.com        internet address = 123.45.67.89
m2.notreal.com          internet address = 123.456.78.9
>
The hacker already has a few hosts from whois and nslookup. The next trick is to pull down the entire notreal.com map from the DNS server (named) running on the dns1.notreal.com system.
DNS secondary name servers regularly transfer the named database files by requesting them from the primary name server, and any system can usually make the same request. (Although the newer BIND 4.9.x name servers can be configured to restrict the source addresses of requesting systems, few sites use this option.) The hacker uses the program named-xfer to do exactly that:
% named-xfer -d notreal.com -f db.notreal 12.34.56.78
% head db.notreal
$ORIGIN notreal.com.
notreal IN      SOA     dns1.notreal.com. root.dns1.notreal.com. (
                        2213 10800 3600 604800 86400 )
        IN      NS      dns1.notreal.com.
$ORIGIN dns1.notreal.com.
The hacker is now getting a much better picture of the hosts in the notreal.com domain. He or she would like to find out how many of these hosts are directly connected to the Internet and how many are behind a firewall. He or she could do this by trying to ping each host; however, it is better to create a script to do this than to do it by hand. Even better, the fping command does this most efficiently and is shipped with SATAN. The hacker can extract a list of all the hosts in the notreal.com domain from the db.notreal file and then have fping try to contact each. This gives the hacker a list of systems directly on the Internet:
% cat notreal.hostlist
dns1.notreal.com
sys1.notreal.com
sys2.notreal.com
mail.notreal.com
m2.notreal.com
...
% fping < notreal.hostlist
dns1.notreal.com is alive
sys1.notreal.com is unreachable
sys2.notreal.com is unreachable
mail.notreal.com is alive
m2.notreal.com is alive
...
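The zone transfer above works against any site that has not restricted who may request it. A defender-side check for that point, added here as an example and not taken from the book or from SATAN: it scans name-server log lines for zone transfers and flags any full transfer served to a host that is not a listed secondary. The log format is assumed to be BIND 9 syslog style, and the sample lines and the secondary address are constructed.

```python
import re

# Constructed sample log lines in BIND 9 syslog style (assumed format, not from the page).
# Whether the named build in use logs transfers this way must be confirmed on the server.
SAMPLE_LOG = """\
Mar  3 02:14:07 dns1 named[412]: client 23.45.67.89#2049: transfer of 'notreal.com/IN': AXFR started
Mar  3 02:14:08 dns1 named[412]: client 23.45.67.89#2049: transfer of 'notreal.com/IN': AXFR ended
Mar  3 03:20:55 dns1 named[412]: client 1.2.3.4#3911: transfer of 'notreal.com/IN': AXFR started
Mar  3 03:20:56 dns1 named[412]: client 1.2.3.4#3911: transfer of 'notreal.com/IN': AXFR ended
Mar  3 04:01:12 dns1 named[412]: client 5.6.7.8#1052: zone transfer 'notreal.com/IN' denied
"""

# Addresses of the secondaries entitled to pull the zone (constructed; in practice take them
# from the zone's NS records or from the name server's own transfer restriction list).
AUTHORIZED_SECONDARIES = {"23.45.67.89"}

STARTED = re.compile(r"client (?P<ip>[\d.]+)#\d+: transfer of '(?P<zone>[^/']+)/IN': AXFR started")
DENIED = re.compile(r"client (?P<ip>[\d.]+)#\d+: zone transfer '(?P<zone>[^/']+)/IN' denied")


def audit_zone_transfers(log_text, authorized):
    """Classify every AXFR request found in the log.

    Returns a list of (ip, zone, verdict) in log order, where verdict is one of:
      'secondary'  transfer served to a listed secondary (expected)
      'leaked'     full zone served to a host that is not a secondary, meaning the
                   server is not restricting transfers at all
      'denied'     transfer refused (the restriction is in place and working)
    """
    findings = []
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m:
            verdict = "secondary" if m["ip"] in authorized else "leaked"
            findings.append((m["ip"], m["zone"], verdict))
            continue
        m = DENIED.search(line)
        if m:
            findings.append((m["ip"], m["zone"], "denied"))
    return findings


def leaked_zones(findings):
    """Set of (ip, zone) pairs that obtained a copy of a zone without authorization."""
    return {(ip, zone) for ip, zone, verdict in findings if verdict == "leaked"}


if __name__ == "__main__":
    for ip, zone, verdict in audit_zone_transfers(SAMPLE_LOG, AUTHORIZED_SECONDARIES):
        print(f"{verdict:10} {zone:15} {ip}")
```

A non-empty result from leaked_zones means the zone's full host map has already left the site and the transfer restriction still needs to be configured.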
The hacker now starts looking at the systems that are connected to the Internet. Ideally, the hacker would like to know the OS type and brand of each system, so that he or she can identify problems that may exist on those systems.