1993-FarmerVenema-comp.security.unix-Improving-the-Security-of-Your-Site-by-Breaking-Into-It2.pdf

(98 KB) Pobierz
Improving the Security of Your Site by Breaking Into it
Improving the Security of Your Site by Breaking
Into it
Dan Farmer
Sun Microsystems
zen@sun.com
Wietse Venema
Eindhoven University of Technology
wietse@wzv.win.tue.nl
Introduction
Every day, all over the world, computer networks and hosts are being broken into. The level of
sophistication of these attacks varies widely; while it is generally believed that most break-ins succeed
due to weak passwords, there are still a large number of intrusions that use more advanced techniques to
break in. Less is known about the latter types of break-ins, because by their very nature they are much
harder to detect.
CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. You name it, we've
seen it broken into. Anything that is on the Internet (and many that isn't) seems to be fairly easy game.
Are these targets unusual? What happened?
Fade to...
A young boy, with greasy blonde hair, sitting in a dark room. The room is illuminated only by the
luminescense of the C64's 40 character screen. Taking another long drag from his Benson and Hedges
cigarette, the weary system cracker telnets to the next faceless ".mil" site on his hit list. "guest -- guest",
"root -- root", and "system -- manager" all fail. No matter. He has all night... he pencils the host off of
his list, and tiredly types in the next potential victim...
This seems to be the popular image of a system cracker. Young, inexperienced, and possessing vast
quantities of time to waste, to get into just one more system. However, there is a far more dangerous
type of system cracker out there. One who knows the ins and outs of the latest security auditing and
cracking tools, who can modify them for specific attacks, and who can write his/her own programs. One
who not only reads about the latest security holes, but also personally discovers bugs and vulnerabilities.
A deadly creature that can both strike poisonously and hide its tracks without a whisper or hint of a trail.
The uebercracker is here.
Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's uebermensch, or, literally
http://www.deter.com/unix/papers/improve_by_breakin.html (1 of 22)2004-07-03 Æ$È 11:21:37
Improving the Security of Your Site by Breaking Into it
translated into English, "over man." Nietzsche used the term not to refer to a comic book superman, but
instead a man who had gone beyond the incompetence, pettiness, and weakness of the everyday man.
The uebercracker is therefore the system cracker who has gone beyond simple cookbook methods of
breaking into systems. An uebercracker is not usually motivated to perform random acts of violence.
Targets are not arbitrary -- there is a purpose, whether it be personal monetary gain, a hit and run raid for
information, or a challenge to strike a major or prestigious site or net.personality. An uebercracker is
hard to detect, harder to stop, and hardest to keep out of your site for good.
Overview
In this paper we will take an unusual approach to system security. Instead of merely saying that
something is a problem, we will look through the eyes of a potential intruder, and show _why_ it is one.
We will illustrate that even seemingly harmless network services can become valuable tools in the
search for weak points of a system, even when these services are operating exactly as they are intended
to.
In an effort to shed some light on how more advanced intrusions occur, this paper outlines various
mechanisms that crackers have actually used to obtain access to systems and, in addition, some
techniques we either suspect intruders of using, or that we have used ourselves in tests or in friendly/
authorized environments.
Our motivation for writing this paper is that system administrators are often unaware of the dangers
presented by anything beyond the most trivial attacks. While it is widely known that the proper level of
protection depends on what has to be protected, many sites appear to lack the resources to assess what
level of host and network security is adequate. By showing what intruders can do to gain access to a
remote site, we are trying to help system administrators to make _informed_ decisions on how to secure
their site -- or not. We will limit the discussion to techniques that can give a remote intruder access to a
(possibly non-interactive) shell process on a UNIX host. Once this is achieved, the details of obtaining
root privilege are beyond the scope of this work -- we consider them too site-dependent and, in many
cases, too trivial to merit much discussion.
We want to stress that we will not merely run down a list of bugs or security holes -- there will always
be new ones for a potential attacker to exploit. The purpose of this paper is to try to get the reader to
look at her or his system in a new way -- one that will hopefully afford him or her the opportunity to
_understand_ how their system can be compromised, and how.
We would also like to reiterate to the reader that the purpose of this paper is to show you how to test the
security of your own site, not how to break into other people's systems. The intrusion techniques we
illustrate here will often leave traces in your system auditing logs -- it might be constructive to examine
them after trying some of these attacks out, to see what a real attack might look like. Certainly other sites
and system administrators will take a very dim view of your activities if you decide to use their hosts for
security testing without advance authorization; indeed, it is quite possible that legal action may be
http://www.deter.com/unix/papers/improve_by_breakin.html (2 of 22)2004-07-03 Æ$È 11:21:39
Improving the Security of Your Site by Breaking Into it
pursued against you if they perceive it as an attack.
There are four main parts to the paper. The first part is the introduction and overview. The second part
attempts to give the reader a feel for what it is like to be an intruder and how to go from knowing
nothing about a system to compromising its security. This section goes over actual techniques to gain
information and entrance and covers basic strategies such as exploiting trust and abusing improperly
configured basic network services (ftp, mail, tftp, etc.) It also discusses slightly more advanced topics,
such as NIS and NFS, as well as various common bugs and configuration problems that are somewhat
more OS or system specific. Defensive strategies against each of the various attacks are also covered
here.
The third section deals with trust: how the security of one system depends on the integrity of other
systems. Trust is the most complex subject in this paper, and for the sake of brevity we will limit the
discussion to clients in disguise.
The fourth section covers the basic steps that a system administrator may take to protect her or his
system. Most of the methods presented here are merely common sense, but they are often ignored in
practice -- one of our goals is to show just how dangerous it can be to ignore basic security practices.
Case studies, pointers to security-related information, and software are described in the appendices at the
end of the paper.
While exploring the methods and strategies discussed in this paper we we wrote SATAN (Security
Analysis Tool for Auditing Networks.) Written in shell, perl, expect and C, it examines a remote host or
set of hosts and gathers as much information as possible by remotely probing NIS, finger, NFS, ftp and
tftp, rexd, and other services. This information includes the presence of various network information
services as well as potential security flaws -- usually in the form of incorrectly setup or configured
network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It
then can either report on this data or use an expert system to further investigate any potential security
problems. While SATAN doesn't use all of the methods that we discuss in the paper, it has succeeded
with ominous regularity in finding serious holes in the security of Internet sites. It will be posted and
made available via anonymous ftp when completed; Appendix A covers its salient features.
Note that it isn't possible to cover all possible methods of breaking into systems in a single paper.
Indeed, we won't cover two of the most effective methods of breaking into hosts: social engineering and
password cracking. The latter method is so effective, however, that several of the strategies presented
here are geared towards acquiring password files. In addition, while windowing systems (X,
OpenWindows, etc.) can provide a fertile ground for exploitation, we simply don't know many methods
that are used to break into remote systems. Many system crackers use non-bitmapped terminals which
can prevent them from using some of the more interesting methods to exploit windowing systems
effectively (although being able to monitor the victim's keyboard is often sufficient to capture
passwords). Finally, while worms, viruses, trojan horses, and other malware are very interesting, they
http://www.deter.com/unix/papers/improve_by_breakin.html (3 of 22)2004-07-03 Æ$È 11:21:39
Improving the Security of Your Site by Breaking Into it
are not common (on UNIX systems) and probably will use similar techniques to the ones we describe in
this paper as individual parts to their attack strategy.
Gaining Information
Let us assume that you are the head system administrator of Victim Incorporated's network of UNIX
workstations. In an effort to secure your machines, you ask a friendly system administrator from a
nearby site (evil.com) to give you an account on one of her machines so that you can look at your own
system's security from the outside.
What should you do? First, try to gather information about your (target) host. There is a wealth of
network services to look at: finger, showmount, and rpcinfo are good starting points. But don't stop there
-- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp, and as many other services as you can
find. There are so many methods and techniques that space precludes us from showing all of them, but
we will try to show a cross-section of the most common and/or dangerous strategies that we have seen or
have thought of. Ideally, you would gather such information about all hosts on the subnet or area of
attack --- information is power -- but for now we'll examine only our intended target.
To start out, you look at what the ubiquitous finger command shows you (assume it is 6pm, Nov 6,
1993):
victim % finger @victim.com
[victim.com]
Login
Name
zen
Dr. Fubar
TTY Idle
co
1d
When
Wed 08:00
Where
death.com
Good! A single idle user -- it is likely that no one will notice if you actually manage to break in.
Now you try more tactics. As every finger devotee knows, fingering "@", "0", and "", as well as
common names, such as root, bin, ftp, system, guest, demo, manager, etc., can reveal interesting
information. What that information is depends on the version of finger that your target is running, but
the most notable are account names, along with their home directories and the host that they last logged
in from.
To add to this information, you can use rusers (in particular with the -l flag) to get useful information on
logged-in users.
Trying these commands on victim.com reveals the following information, presented in a compressed
tabular form to save space:
Login
Home-dir
Shell
Last login, from where
http://www.deter.com/unix/papers/improve_by_breakin.html (4 of 22)2004-07-03 Æ$È 11:21:39
Improving the Security of Your Site by Breaking Into it
-----
--------
root
/
victim.com
bin
/bin
nobody /
victim.co
daemon /
victim.com
sync
/
victim.com
zen
/home/zen
death.com
sam
/home/sam
com
guest
/export/foo
ftp
/home/ftp
-----
/bin/sh
----------------------
Fri Nov 5 07:42 on ttyp1 from big.
Never logged in
Tue Jun 15 08:57 on ttyp2 from server.
Tue Mar 23 12:14 on ttyp0 from big.
/bin/sync
/bin/bash
/bin/csh
/bin/sh
Tue Mar 23 12:14 on ttyp0 from big.
On since Wed Nov
Wed Nov
6 on ttyp3 from
5 05:33 on ttyp3 from evil.
Never logged in
Never logged in
Both our experiments with SATAN and watching system crackers at work have proved to us that finger
is one of the most dangerous services, because it is so useful for investigating a potential target.
However, much of this information is useful only when used in conjunction with other data.
For instance, running showmount on your target reveals:
evil % showmount -e victim.com
export list for victim.com:
/export
/var
/usr
/export/exec/kvm/sun4c.sunos.4.1.3
/export/root/easy
/export/swap/easy
(everyone)
(everyone)
easy
easy
easy
easy
Note that /export/foo is exported to the world; also note that this is user guest's home directory. Time for
your first break-in! In this case, you'll mount the home directory of user "guest." Since you don't have a
corresponding account on the local machine and since root cannot modify files on an NFS mounted
filesystem, you create a "guest" account in your local password file. As user guest you can put an .rhosts
entry in the remote guest home directory, which will allow you to login to the target machine without
having to supply a password.
evil # mount victim.com:/export/foo /foo
evil # cd /foo
evil # ls -lag
http://www.deter.com/unix/papers/improve_by_breakin.html (5 of 22)2004-07-03 Æ$È 11:21:39

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika:

Zgłoś jeśli naruszono regulamin