In the previous entry for hacking, I covered how to investigate local network connection information right this moment using netstat.
The first thing we’re going to do is determine information about these foreign connections to your machine. Such as – who are they, where are they, and what machine configuration are they running.
Now if you’re a hacker, this information can be used to obtain information on how you can ‘hack’ into these machines.
But as a security analyst, an arguably harder and less financially rewarding position than a hacker, your reward is outwitting the hackers by thinking out of the box with a HUGE question like:
“As a network or system administrator, I wish I could wipe every computer of installed software I don’t like and micromanage my domain’s software and hardware installations. But I understand this is a heart attack in the making, and is clearly flawed logic, so how do I protect my domain against attacks when the software vendors themselves can’t keep up with the vulnerabilities?”
I just washed my hands of a network administrator like this in Costa Rica. Carlos Moreira in Costa Rica, you’re a heart attack in the making. If anyone knows the guy. Steer clear. These kind of guys are a nightmare to work with, and typically you won’t get anything done other than spinning in circles.
But the answer to the question is surprisingly easy.
And gives credit to mother nature herself.
Employee education, allow and encourage personalization, and build in redundancy to the DNA of your Company’s software, hardware, and network architecture.
This is the essence of white hat hacking.
Sure, there WILL be bad apples. But when you’re paranoid and constantly on guard protecting your assets, you’ll limit productivity and be the least liked person in the organization.
Reinforcing an evolutionary structure makes so much more..
… cents (har har)
Everyone on the internet loves to hate the company that invented internet security, the NSA themselves.
Here’s a look at the NSA’s web site:But let’s say you want to find more out about their ‘public presence’ that most people don’t. There’s a tool called ‘whois’ which is available on many web sites (and most Unix based machines) where you can obtain this information.
www.iana.org obtained the whois results below:
Now keep in mind that a good majority of hacking is social networking. So when you’re targeting an organization (or protecting one), this is the absolute START of determining vulnerabilities.
With this, we’ve just obtained the name of one “Lee Ellis” who is the program manager for the nsa.gov domain.
While this is valuable information, the next step is to determine physical location of the hardware containing the web site http://www.nsa.gov. You can do this by obtaining the IP for it using nslookup at the command line (described in previous session)..
Next, we take the IP provided (220.127.116.11), and we check it’s location using two separate methods (redundancy).
The first method, an invaluable little site called Geobytes, provides this information:
That’s interesting, GEOBYTES indicates the NSA’s web site resides in Scotland.
… don’t take this as evidence that the United States government is not controlled by our own people. There’s a full on cyber war going on right now, has been for some time now, so just take this as evidence to question the information you’re given on the internet – take absolutely nothing you read on the internet as fact!
You don’t need me to tell you that though, do you?
Using tracert.org, we find the results we’re looking for:
Now what can be gleaned from this tracert?
- The web server seems to be hidden behind routers and firewalls in or around Dallas, Texas (which is a hub for the great majority of United States intelligence activities). As our trace inches closer to it’s destination, we see in the trace above that at step 3 we’re going through a location in Houston, then it jumps over to Dallas in step 6 through 9. Even companies and government organizations do business with service providers like you would with your cable provider, who also sublets their lines from a much larger provider and so on, so that’s all we’re seeing here, is a backtrace through a larger provider to a smaller one until it ultimately reaches it’s destination. The asterisks ‘*’ indicate this is where the network’s protected from ‘PING’ commands, which is an attack that’s called a SYN Flood, which administrators learned a long time ago how to protect against.
So what have we learned so far?
1) We have contact information, a project manager by the name of Lee Ellis in Virginia.
2) The physical hardware is quite likely located in Dallas, Texas, but is well protected (as expected) by a few layers of routers
With this information, a social attack is probably much easier than a physical hardware attack, which more or less means investigating Mr Ellis’s information (if he even exists), and then targeting him rather than the organization since he has administrative access. But that all depends on what kind of information we’re trying to obtain.
This information is important because it sets our expectations for what we’re going to receive via our scanning attempts, and lets us put our energy and attention in the right areas first.
NMAP – the preferred scanning tool for PORT SCANNING
What we’re going to do next is a PORT Scan of the NSA’s web site.
A little backgrounder on PORTS:
Every (standardized) networked computer sends and receives information via something called TCP/IP and UDP. TCP stands for Transmission Control Protocol/ Internet Protocol, a guaranteed method of transmission, and UDP stands for User Datagram Protocol, an UNGUARANTEED method of transmission – and both acronym you don’t need to remember.
An easy way to think about TCP and UDP is this: Imagine writing a letter to a friend, and placing it in an envelope. If you send the ‘envelope’ using standard post office rates, chances are your friend will receive your message. But it’s not guaranteed. That’s UDP, an easy way to remember this is the U stands for unguaranteed receipt.
Now imagine sending that same envelope via FEDEX. You get a tracking number, and you know when it’s been received. That’s TCP.
Now the CONTENTS of the message are unique based on the application sending it, and the recipient. That’s where ports come in handy. Specific ports being used helps us predict what ‘language’ or in computer terms – protocol – is going to be used to exchange information between systems.
Most ports are standardized and/or reserved for specific applications or application types (such as email or file transfers), and are published publicly here: http://www.rfc-editor.org/rfc/rfc1700.txt.
What this all means is that I – or you – or Sridhar Kristhmancupaleanweirdnamefromindia has created a program – an application – that does something on a computer which communicates with or is communicated with by programs on other systems. As programmers, we’re only as good as the information we’re given and what we have endured through prior experience – which means – it’s quite likely we’re gonna screw something up when we set up communications for the programs we create.
We don’t know everything, give us a break, willya!
Why is this important? Vulnerabilities, baybee. When specific vulnerabilities are detected in an application a developer(s) create on a remote computer system, these vulnerabilities are circulated in the hacker communities and are things you can leverage to ‘crack open’ a machine and gain full access to it – doing anything you want with it once this has been achieved.
How this is done – through the port that application receives it’s commands on, where you can then execute something called an ‘exploit’ to gain control of that foreign system.
Once you have access to one important system administratively, you then leverage that system to gain access to the rest of the network. Or just that machine. Depending on your own goals.
I will get into that next time though. For now, we’re just determining what’s exposed.
Now bring up NMap. The first screen you should see is this:
NMap itself is a command line utility. ZENMap is the Windows Front end application that makes the commands easy to ‘select’ (rather than having to memorize them all).
Now I take the IP obtained for the NSA’s web site, 18.104.22.168, and plug it into the ‘target’ machine. Intense Scan is fine to start off with, then select ‘Scan’.
… Wait for it…
My nMap scan of NSA.Gov results in 3 pages of information.
Here’s Page 1 of the NMap scan:
In the above dump, take a look at where it says “Discovered open port’
This is VERY important information, as what we’ve just found is somewhat expected, port 80 is open, port 443 is open, and port 53.
Now port 80 is the HTTP Protocol, in a nutshell this is what constitutes the vast majority of UNENCRYPTED internet conversations. When we go to the http://www.nsa.gov web site in our web browser, that ‘conversation’ is carried through this ‘channel’.
Port 443 is SECURED HTTP, which says there’s parts of this site that require a logon or are delivered through secured media. This is good news, which means some people might log on through this server, which means if we crack this machine, we might be able to gather passwords directly on this machine. Very good news indeed.
Finally, there’s port 53. Referring to the RFC 1700 document, port 53 is reserved for Domain Name Serving, meaning this system is used for commands like nslookup.
Going to page 2 of the nMap results:
Page 2 doesn’t give us too much interesting information, other than the security ‘certification’ is held by the NSA (ssl-cert). No surprise there, for more information on security certificates read up on RSA certificates and RSA Encryption on the internet.
What’s important to consider about this is: Sometimes the certificate held may NOT be by the registered owner of the company. With this, you may be able to gain access to the network you’re looking for by looking at who ‘owns’ the certificate’.
Now here’s Page 3 of the nMap Scan:
Now what’s important about this final page is the Operating System identified: we’re running Linux version 2.6 on the web server.
THAT or the router queried is running that operating system.
Always question the information you’re given via these scans is the moral to that story.
Now having run NMap, here’s what we now have as potential ammunition against the NSA’s Web server:
- We have Mr Ellis as a potential ‘social hacking’ contact (known)
- The physical hardware is likely in Dallas (known)
- Port 80 is exposed publicly (known by access via web)
- Port 443 is exposed publicly – this is new, and we now have SSL and RSA exploits we can perform against the company to gain access to their system
- Port 53 is open (this is a GREAT one) – and we now have DNS attacks we can perform against the system…
- The target system seems to be running some flavor of Linux version 2.6. Quite likely Redhat. This adds to our ‘arsenal’ Unix based exploits.
Now I know for a fact there are DNS overflow attacks which can potentially gain administrative access to the system. I don’t doubt they’ve protected themselves against these attacks. But you never know.
The purpose of the port scan and the preliminary footwork is for intel gathering purposes. You don’t bring a knife to a gun fight, and similarly with this, you don’t waste your time trying out Oracle exploits against a machine which simply does not appear to have Oracle installed on it.
The port scan helps you determine what you as a hacker need to concentrate on, and you as an administrator need to defend yourself against.
Now brute force hacking like this believe it or not accounts for only 40% of successful hacks, which is why it’s so incredibly important to understand the hierarchy of the organization you’re attacking, and as much of the social structure as possible.
So in addition to the physical asset information we just obtained, we have at least one potentially technical point of contact to… shall we say.. befriend.
Coming up next time:
The easiest way to hack systems is to sit on it’s network and watch the traffic go by.
I will detail a network investigation technique called ‘sniffing’ which provides more insight into how the intercommunication works between systems and to potentially gather unencrypted user names and passwords which ultimately will give you control over foreign systems.
For that, download Wireshark from http://www.wireshark.org/download.html and play with that for a bit until I detail it..