“How do you spell pillage?” asked Fred Norwood, manager of information infrastructure technology at El Paso Energy Corp. in Houston.
Twelve of us had just hacked Microsoft Corp.’s crown jewel – a Windows NT box – and were copying passwords to our hard drives.
From across the room, a quick-witted Sam Gerard, data security manager at Motorola Inc., spelled out the answer for us: “F-U-N!”
Thus went Day 2 of Extreme Hacking, a course taught by security whiz kids at Ernst and Young LLP’s towering Houston offices.
For four days, network managers, auditors and security specialists from companies such as Motorola, Electronic Data Systems Corp. and State Farm Insurance switched to the dark side. In so doing, they learned just what they’re up against in their fight to keep crackers out of their networks.
The truth is, hacking is easy. And, well, fun. We pushed open server doors and helped ourselves to whatever data we wanted – all without any feeling of culpability.
“This course gives me a lot more insight into the mentality and capability of attackers,” said John McGraw, a security technology planner at a large computing services company. “We know all these vulnerabilities, but there are probably so many more that no one knows about.”
So fun was it that I was sorry to leave the capture-the-flag game at the end of Day 3. But my cab to the airport was waiting 20 floors below. By then, I had leap-frogged to the fourth and final victim Unix server and was closing in on that flag. But I had a plane to catch.
Day 1: Finding The Goods
On Day 1, we cased out our victim. Our instructor, Stuart McClure, prefers the more sanitized term “discovery.”
We began discovery by finding publicly available information on the Internet. McClure talked about searching the Securities and Exchange Commission (SEC) Web site to get a thumbnail sketch of a company and its affiliates, laboratories and acquisitions. We could use this information to break in to a company by hacking its acquisitions or subsidiaries because those subnetworks aren’t usually as well monitored or secure as networks at the home office.
But for expediency’s sake we bypassed the SEC and went straight to the InterNIC registrar, the service that assigns domain names. By querying InterNIC with a simple “whois” command, we got all the IP addresses of our victim’s Web servers – along with company nicknames – and auxiliary domain name servers (DNS) in affiliates and laboratories. We even found out what type of servers they are (the main DNS is a Sun-3/180 running Unix), along with the names and phone numbers of the server administrators.
I flash to the infamous cracker, Kevin Mitnick, who loved this little InterNIC feature. He’d call those network administrators and try to “social engineer” (sweet-talk) them out of network information.
“It’s amazing the amount of information you can get from the Internet. You don’t realize you’re hanging out there as exposed as you are,” said El Paso Energy’s Norwood.
We deployed a few common network troubleshooting tools (such as zone transfers – normally used to correlate data between the backup and primary servers, and Name Service lookup – a utility used to look up the IP address of a name like www.microsoft.com) against some of the IP addresses we’d just gleaned. We soon had a list of domain names and IP addresses of all the machines connected to our victim network.
Next, we used traceroute (another administrative tool, which traces the route between a source and destination) to view the network topology and identify potential access control devices such as routers and firewalls, which we planned to steer clear of.
Then it was time to rattle some doors and look in some windows. McClure called this “port-scanning” – using administration and down-loadable hacking tools to find out what ports are open and what services are running on those ports.
I was particularly taken with the stealthy Nmap, a utility for network mapping available for free off the Web. We deployed Nmap against our primary target to get a road map of open ports, along with the network protocols and application services they support.
At the top of our list, for example, we saw: “Port 7: Open; protocol TCP; service Telnet.” And so it went for 10 other open ports on that machine alone.
The classroom buzzed with excitement.
I realized how removed I feel from the victim. It’s chilling to think that there are hundreds, nay thousands, of other crackers from underground groups such as Global Hell who probably feel the same way.
Day 2: The NT Root Dance
We were introduced to Eric Schultze, affectionately called a “Hoover” by his cronies. A Hoover can really suck the guts out of a victim machine, and Schultze, 31, proved he’s worthy of his name.
We started by picking our target. Test servers are notorious for lax password controls and monitoring. Or we could sniff the mail server for user names and passwords. We decided to go for the backup domain controller – a separate physical server – where user names are stored and security is often forgotten because it’s a backup.
We established a null session (a Microsoft utility that allows services to communicate with one another without a user identification) with the victim server.
I felt like a ghost inside someone else’s house. I could see everything – network services, password files, user accounts, even payroll. But I couldn’t touch anything because a null session is only designed for interprocess communication.
For the victim, “the sad thing about Microsoft is it doesn’t log any of this,” Schultze explained.
We were itching to gain root access (the most privileged level of access). But first, we had to log off and then back on as legitimate users in order to grab the password hashes (encoded passwords) and submit them to our ace password-cracking tools.
We got back in under the user name “backup” by guessing the password (which is also “backup”). “Command completed successfully,” the machine responded.
I asked Schultze whether raised awareness has pushed administrators to better monitor passwords. No, he said. Most networks are still chock-full of such easy-to-guess passwords.
Once in, we copied user files and encrypted password hashes onto our hard drive. We logged off and hit the hashes with L0phtcrack and the even faster John the Ripper. Available on the Web, both tools test passwords against a dictionary of common passwords until they break open.
The tougher passwords may take a day, though, as they must be cracked one character at a time.
Within minutes, we had more than 70 per cent of the plain-text passwords in our greasy little paws.
Microsoft’s LAN Manager hashes are the worst from a victim standpoint because LAN Manager splits passwords into seven-character halves and uses a known constant to encrypt each half, explained Schultze. Our cracking tools are programmed for this, so they kicked out passwords much faster than they would in Unix.
And if the administrator disables LAN Manager, the NT box won’t talk to any Windows 95 or 98 boxes, so it’s a tough problem to solve.
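The seven-character split described above gives a defender a cheap audit. The following Python is an added example, not course material or code from the article: it shows how LAN Manager preprocesses a password into two independent halves, and it scans a pwdump-style dump (the line format is assumed; the hex values are constructed, not real hashes of any password) for accounts whose LM hash reveals a password shorter than eight characters, which are the first ones to force a change on, or to retire LM storage for.

```python
import re

# Known constant: LM hash of an all-null 7-byte half (DES of "KGS!@#$%" under a zero key).
# If the second half of an account's LM hash equals it, the password has fewer than 8 characters.
EMPTY_HALF = "AAD3B435B51404EE"

# pwdump-style line: user:RID:LM hash:NT hash:::  (format assumed for this example)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):")

def lm_halves(password):
    """LM preprocessing: uppercase, truncate/pad to 14 bytes, split 7/7.
    Each half is hashed on its own, so a 14-character password is two 7-character problems."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]

def classify_lm(lm_hex):
    """Classify one 32-hex-digit LM hash: 'none', 'short' (<8 chars) or 'full' (8-14 chars)."""
    lm = lm_hex.upper()
    if lm == EMPTY_HALF * 2:
        return "none"       # empty password, longer than 14 characters, or LM storage disabled
    if lm[16:] == EMPTY_HALF:
        return "short"      # second half empty: at most 7 characters stand between a guess and a hit
    return "full"

def audit_dump(dump):
    """Return [(user, verdict)] for every well-formed line in a pwdump-style text."""
    results = []
    for line in dump.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            results.append((m.group(1), classify_lm(m.group(3))))
    return results

# Constructed sample dump; the hex values are made up and are not hashes of any real password.
SAMPLE_DUMP = """\
Administrator:500:5E1E2C9B71B77E0C0F5A6B7C8D9E0F10:00112233445566778899AABBCCDDEEFF:::
backup:1002:0123456789ABCDEFAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:::
svc_nolm:1003:AAD3B435B51404EEAAD3B435B51404EE:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::
"""

if __name__ == "__main__":
    print(lm_halves("Password123"))          # (b'PASSWOR', b'D123\x00\x00\x00')
    for user, verdict in audit_dump(SAMPLE_DUMP):
        print(f"{user:15} {verdict}")
```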
Armed with our new-found passwords, we finally reached our goal for the day and hacked back into the machine at administrator level and got root control of our machine.
“What’s the first thing you do when you gain root? You do the root dance,” explained Ron Nguyen, another instructor. Push one arm up, jiggle your hips, put the other arm up, jiggle your hips and repeat until you get it out of your system.
For our reward, Nguyen handed out a red wallet card titled “20 Things to Do After You’ve Hacked Admin.” But for the final slap to our victims’ faces, we hid our hacking tools in an alternate data stream behind a readme.txt file on the victim server. You can easily hide 10MB of hacker tools behind such a file without changing the file size, according to Schultze. The only way administrators can catch this is to set up audit logs that would alert them when disk space changes significantly.
Day 3: Capturing The Unix Flag
“Hacking root is a state of mind.” Thus began our syllabus for Day 3. And we really are getting into this “state.” We arrived at the class rubbing our hands in anticipation of breaking the venerable Unix.
Our instructor, former Air Force geek Chris Prosise, didn’t let us down.
We began by repeating discovery and gaining entry in much the same way we did on NT. But Prosise wanted to have a little fun. He showed us how to corrupt the DNS server to reroute traffic to a phony IP address on an “evil.com” server where he can: a) grab information or b) reroute the message into oblivion.
He also showed us how to conduct common HTTP attacks such as test-cgi (a sample Common Gateway Interface script), which forces the victim to give up files and directories with a simple “get” command, and how to execute remote commands that would disable access controls. We installed Trojan horses (executable code to do our bidding remotely) and punched open back doors so we could get back in using a Telnet terminal session without needing identifications or passwords.
Then we played capture the flag by leap-frogging among four Unix boxes. And this, I’m afraid, is where I was so rudely interrupted by my awaiting taxi.
Suffice it to say, we learned our lessons.
Network and security managers have a tough row to hoe. Bullet-proof security is a misnomer. And managing security risk is the best anyone can hope for.
We also learned that there’s a little bit of hacker in all of us. And by cultivating this hacker within, information security professionals can better fight the cracker without.
20 Things to Do After You’ve Hacked Admin*
1. Disable auditing
2. Grab the password file
3. Create an “adminkit” (hacker tools)
4. Enumerate server information
5. Enumerate secrets of LSA (Windows NT’s Local Security Authority in the registry where password hashes are kept)
6. Dump registry info
7. Use Nltest (a tool that queries NT servers remotely)
8. Pilfer the box
9. Add an administrator account
10. Grab a remote command shell
11. Hijack the graphical user interface
12. Disable Passprop (NT’s password policy settings)
13. Install a back door
14. Install Trojan horses and sniffers
16. Hide the adminkit (so you can use the machine as a launch point to attack others)
17. Enable auditing
18. Eat a nice meal
*There are really only 18
Source: Ernst & Young LLP, Houston
Radcliff is a freelance writer in Santa Rosa, Calif.