Computer Security Class - Notes 2

30 November -0001

Overview of Computer Security - Week 2

Class notes from class on Tuesday, 28 October, 2003 at Byte Back.

The first class was mainly an introduction to the terminology and landscape of computer security. From here on out we're going to explore network security specifically, and approach security from the perspective of a system cracker. By understanding some of the typical methods used to break into systems, you can become better equipped to spot potential problems, or effectively handle break ins.

As an note, the examples below are all made using reserved IP addresses (not real ones) and all the names are fictitious. Following these examples directly won't get you any real information. In class we used system names and IP addresses that we were authorized to explore. Be warned that using any of the methods or techniques described in any of these class notes on networks where you aren't specifically authorized could get you into trouble.

Also note that as of the time of this writing DummyCompanyFoo.com and Dummy Company Foo were not registered trademarks, actual companies or websites, the name is used solely for demonstrative purposes in this writing.

For our purposes we're going to use the following six step model for a break-in. Be aware, however, that this is simply a typical pattern. It isn't by any means comprehensive and is offered only as example. The six step model that we will examine is as follows:

  1. Information gathering
  2. Finding a route in
  3. Break in
  4. Elevating privileges
  5. Erasing tracks
  6. Insure re-entry

Step one, information gathering, consists of finding out as much as possible about the target before attempting any exploit. This step is crucial if the system cracker has a specific network or target in mind (an organization or specific website). Information gathering is a passive process whereby the system cracker attempts to gather publicly available information about the system. This is often useful to help map the landscape of the target systems and to plan a route of attack that will attract little suspicion.

Many system crackers won't attempt this step as they are simply looking for zombies or an easy break-in and only search for systems with services or vulnerabilities that they know they can exploit. Often, personal firewall users will notice random scans on isolated ports on their machine (port 21 for FTP for example). These types of scans are usually remote users simply searching for a vulnerable machine (in the this case someone running an FTP server). These types of system crackers are skipping directly to step 3 in the above outline because the target system is irrelevant to them as long as it is vulnerable.

Information gathering usually begins will connecting IP addresses to URL names or vice versa. For instance, if a system cracker were to attempt to break into the systems of dummycompanyfoo.com then it is necessary to figure out what IP addresses are assigned to dummycompanyfoo.com. The first step in gathering this information is usually to find a web site or other URL associated with the target. With this information we can begin to query public DNS (Domain Name Server) information.

Network Solutions has one of the most comprehensive DNS 'whois' lookups available online. At their website www.neworksolutions.com there is a link to the whois database at the top. Clicking this link will present the user with a form field to fill out of the target system's domain. Submitting this form will give users some very valuable information that includes not only email addresses for the domain registrant, but also contact information to include phone numbers, names, and addresses. The following is some sample output from a Network Solutions whois lookup:

Organization:
Dummy Company Foo
John Doe
420 Maple Ave
New York, NY 20878
US
Phone: 212-555-5555
Email: jdoe@dummycompanyfoo.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: dummycompanyfoo.com

Created on..............: Thu, Dec 14, 2001
Expires on..............: Wed, Dec 14, 2005
Record last updated on..: Wed, Aug 27, 2003

Administrative Contact:
Dummy Company Foo
John Admin
420 Maple Ave
New York, NY 20878
US
Phone: 212-565-5554
Email: admin@dummycompanyfoo.com

Technical Contact:
Dummy Company Foo
John Tech
420 Maple Ave
New York, NY 20878
US
Phone: 212-555-5556
Email: tech@dummycompanyfoo.com

Zone Contact:
Dummy Company Foo
John Tech
420 Maple Ave
New York, NY 20878
US
Phone: 212-555-5556
Email: tech@dummycompanyfoo.com
Domain servers in listed order:

DNS.dummycompanyfoo.com 127.0.0.1
DNS2.dummycompanyfoo.com 127.0.0.2

Notice now that we've got a few names and phone numbers. This can be extremely handy in performing a social engineering attack against DummyCompany. We also have address information in case we choose to raid Dummy Company Foo's garbage to see if we can find any juicy tidbits while 'dumpster diving.'

The Domain server information is also very useful. If we want to find out a little bit about what IP addresses we might be able to find for dummycompanyfoo.com we can use the program 'nslookup' that is included in Windows 2000 and Windows XP. This program is used to find DNS information. By default nslookup will use the Primary DNS specified either by your DHCP server or under the properties of your network connection. The actual program is located in C:\windows\system32\nslookup.exe, but you should be able to access it from any location in a command prompt (Start->Run->command). Fire up a command prompt and type in 'nslookup'. Your prompt will change from the default 'C:>' or 'c:\' to a simple greater than sign ('>'). Once the program is up and running you can check your server settings by looking at the banners that list after you typed in 'nslookup', it should look something like:

Default Server:  dns.yourdomain.tld
Address:  xxx.xxx.xxx.xxx

Where the 'Address:' IP address is the actual IP address of your DNS server (and not a series of x's). You can change this server, which will be handy for our purposes, by typing in 'server yournewserver.com' using either the server name or an IP address. If you change the server to one of the DNS servers of the target (dummycompanyfoo.com) then you can directly query the target DNS server. What we want to do is list all the hosts for dummycompanyfoo.com using the 'ls' command inside nslookup. Only dummycompanyfoo.com's DNS servers will give us the complete output that we're looking for (which is why we have to change our server settings inside nslookup). If we do this we should get something that looks like this:

>server dns.dummycompanyfoo.com
Server:  dns.dummycompanyfoo.com
Address:  127.0.0.1

> ls dummycompnay.com
[dns. dummycompnay.com]
dummycompnay.com.      NS    server = dns. dummycompnay.com
mail                                  A     127.0.0.2
www                                A     127.0.0.4
fileserver                          A     127.0.0.6

What we've managed to retrieve is some IP addresses and machine names (the IP's for mail.dummycompanyfoo.com, www.dummycompanyfoo.com, and fileserver.dummycompanyfoo.com). This information will be vital when we actually begin actively exploring dummycompanyfoo.com's network (we now know three machines that we might be able to break into). You can exit out of nslookup by typing in 'exit'.

To verify the network block of dummycompanyfoo.com or to find out who their ISP is we can turn to another online lookup tool: ARIN. ARIN is the American Registry for Internet Numbers. They have a lookup tool similar to Network Solutions, which instead searches on IP addresses. If we enter the IP address of www.dummycompanyfoo.com (127.0.0.4) then we get a list of whom the IP address actually belongs to. Sometimes this information is directly relevant to the target, other times it is simply the listing for the ISP of the IP address we're investigating. In either case, the information can be valuable and is often recorded. Sometimes we can figure out the specific IP range for a target with a search result that looks like this:

Dummy Company Foo DUMMYCOMPANY-5 (NET-127-0-0-0-1)
                                  127.0.0.0 - 127.0.0.255

This output tells us that Dummy Company Foo actually owns all the IP addresses from 127.0.0.1 to 127.0.0.254, and although we didn't get host listings for each of these addresses using nslookup, it is a good bet that there are computers attached to some of these IP's that aren't listed in DNS.

You can also look for ISP information using the network diagnostic tool 'tracert' (pronounced trace route). It is another command line tool provided by Windows 2000 and Windows XP. Tracert sends packets to the target and charts their path, from your network to the target. You can use tracert by typing in 'tracert www.dummycompanyfoo.com' and watching the system names at the end of each line. You should see transmission leaving your network and traversing the backbones of the internet toward the target. It's a good be that the next to last system your tracert crosses is the ISP of the target. Knowing the ISP of the target can be handy for social engineering attacks.

It almost goes without saying that often the best source of information about a target is the target's own website. Scouring a website and viewing a site's source code can reveal a plethora of information. Often noticing links, corporate partners, or even specific information about an organizations network or systems used, can prove valuable when exploiting a target system. Web developers and organizations should be especially careful and sanitize any information provided on their website. Noting names on a website and in the above queries can also lead to interesting results. Searching the web and newsgroups for names of people in an information could lead to all sorts of peripheral information. For instance, if you discover the name and email address of one of the network technicians at an organization you might be able to find a posting on a remote web board asking for help in configuring a system used on the company network, thus providing clues as to the type of systems being used by the target.

These are just a few of the easy ways that system crackers can gain information in an attempt to map the resources of a target. There are other tools online and downloadable, but these are the basics. The next step is to actually begin to actively explore the target. The advantage and safety in this stage, however, is that there is little, if any, interaction with the target system, and thus no log files or permanent traces that can be used to discover that an intruder is looking at the system. In addition, all of this information gathering is perfectly legal, and very difficult to detect.