From...
Computerworld

The hacker in all of us

October 12, 1999
Web posted at: 11:13 a.m. EDT (1513 GMT)

by Deborah Radcliff

(IDG) -- "How do you spell pillage?" asks Fred Norwood, manager of information infrastructure technology at El Paso Energy Corp. in Houston.

Twelve of us had just hacked Microsoft Corp.'s crown jewel -- a Windows NT box -- and were copying passwords to our hard drives.

From across the room, a quick-witted Sam Gerard, data security manager at Motorola Inc., spells out the answer for us: "F-U-N!"

Thus goes Day 2 of Extreme Hacking, a course taught by security whiz kids at Ernst and Young LLP's towering Houston offices.

For four days, network managers, auditors and security specialists from companies such as Motorola, Electronic Data Systems Corp. and State Farm Insurance switched to the dark side. In so doing, they learned just what they're up against in their fight to keep crackers out of their networks.

The truth is, hacking is easy. And, well, fun. We pushed open server doors and helped ourselves to whatever data we wanted -- all without any feeling of culpability.

"This course gives me a lot more insight into the mentality and capability of attackers," says John McGraw, a security technology planner at a large computing services company. "We know all these vulnerabilities, but there are probably so many more that no one knows about."

So fun was it that I was sorry to leave the capture-the-flag game at the end of Day 3. But my cab to the airport was waiting 20 floors below. By then, I had leapfrogged to the fourth and final victim Unix server and was closing in on that flag. But I had a plane to catch.

Day 1: Finding the goods

On Day 1, we case out our victim. Our instructor, Stuart McClure, prefers the more sanitized term "discovery."

We begin discovery by finding publicly available information on the Internet. McClure talks about searching the Securities and Exchange Commission (SEC) Web site to get a thumbnail sketch of a company and its affiliates, laboratories and acquisitions. We could use this information to break in to a company by hacking its acquisitions or subsidiaries because those subnetworks aren't usually as well monitored or secure as networks at the home office.

But for expediency's sake we bypass the SEC and go straight to the InterNic Registrar, the service that assigns domain names. By querying InterNic with a simple "whois" command, we get all the IP addresses of our victim's Web servers -- along with company nicknames -- and auxiliary domain name servers (DNS) in affiliates and laboratories. We even find out what type of servers they are (the main DNS is a Sun-3/180 running Unix), along with the names and phone numbers of the server administrators.

I flash to the infamous cracker, Kevin Mitnick, who loved this little InterNic feature. He'd call those network administrators and try to "social engineer" (sweet-talk) them out of network information.

"It's amazing the amount of information you can get from the Internet. You don't realize you're hanging out there as exposed as you are," says El Paso Energy's Norwood.

We deploy a few common network troubleshooting tools (like zone transfers, normally used to synchronize data between the primary and backup name servers, and nslookup, the Name Service lookup utility used to find the IP address of a name like www.microsoft.com) against some of the IP addresses we've just gleaned. We soon have a list of domain names and IP addresses of all the machines connected to our victim network.

Next, we use traceroute (another administrative tool, which traces the route between a source and destination) to view the network topology and identify potential access control devices like routers and firewalls, which we'll steer clear of.

Time to rattle some doors and look in some windows. McClure calls this "port-scanning" -- using administration and downloadable hacking tools to find out what ports are open and what services are running on those ports.

I'm particularly taken with the stealthy Nmap, a utility for network mapping available for free off the Web. We deploy Nmap against our primary target to get a road map of open ports, along with the network protocols and application services they support.

At the top of our list, for example, we see: "Port 7: Open; protocol TCP; service Telnet." And so it goes for 10 other open ports on that machine alone.
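The port scan described above has a defender-side counterpart: a detector that flags one source touching many distinct ports on one host within a short window. The following is an added example, not code from the article or from the Ernst & Young course; the log line format, the addresses, the port list and the threshold are constructed for illustration.

```python
"""Added example: flag port-scan behaviour in a constructed connection log.

Each log line has the constructed format
    <ISO timestamp> <src ip> -> <dst ip>:<dst port> <proto> <result>
The detector groups events by (source, destination) and raises an alert
when a source touches at least `threshold` distinct ports on one host
inside any `window`-long span of time.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) (\w+)$")

# Constructed probe list: echo, ftp, ssh, telnet, smtp, dns, finger, http, pop3, portmap, epmap, netbios.
SCAN_PORTS = [7, 21, 22, 23, 25, 53, 79, 80, 110, 111, 135, 139]
BASE = datetime(1999, 10, 12, 11, 0, 0)


def _line(ts, src, dst, port, result="open"):
    """Build one constructed log line."""
    return f"{ts.isoformat()} {src} -> {dst}:{port} tcp {result}"


# Constructed sample log (not real traffic):
#  - 10.1.1.50 probes 12 ports on 10.1.1.7 within 22 seconds (a fast scan)
#  - 10.1.1.20 is ordinary web traffic to the same host
#  - 10.1.1.99 touches the same 12 ports, but one every ten minutes (a slow scan)
SAMPLE_LOG = (
    [_line(BASE + timedelta(seconds=2 * i), "10.1.1.50", "10.1.1.7", p)
     for i, p in enumerate(SCAN_PORTS)]
    + [_line(BASE + timedelta(seconds=5), "10.1.1.20", "10.1.1.7", 80),
       _line(BASE + timedelta(seconds=9), "10.1.1.20", "10.1.1.7", 443),
       _line(BASE + timedelta(seconds=40), "10.1.1.20", "10.1.1.7", 80)]
    + [_line(BASE + timedelta(minutes=10 * i), "10.1.1.99", "10.1.1.7", p)
       for i, p in enumerate(SCAN_PORTS)]
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, result = m.groups()
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "result": result}


def detect_scans(lines, window=timedelta(seconds=60), threshold=8):
    """Return {(src, dst): sorted ports} for pairs that look like a port scan.

    A sliding window over each pair's time-sorted events keeps only events
    within `window` of the newest one; when that window holds `threshold`
    or more distinct ports, the pair is flagged and every port seen in any
    qualifying window is recorded.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["time"], ev["port"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(key, set()).update(ports)
    return {key: sorted(ports) for key, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, ports {ports}")
```

With the defaults, only the fast scanner is flagged; the slow prober in the sample stays under the radar because no 60-second window ever holds eight of its probes. Widening the window (or counting distinct ports per source per day) catches it, at the cost of more noise from legitimate management hosts, which is the usual tuning trade-off for this kind of rule.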

The classroom buzzes with excitement.

I realize how removed I feel from the victim. It's chilling to think that there are hundreds, nay thousands, of other crackers from underground groups such as Global Hell who probably feel the same way.

Day 2: The NT root dance

We're introduced to Eric Schultze, affectionately called a "Hoover" by his cronies. A Hoover can really suck the guts out of a victim machine, and Schultze, 31, proves he's worthy of his name.

We start by picking our target. Test servers are notorious for lax password controls and monitoring. Or we could sniff the mail server for user names and passwords. We decide to go for the backup domain controller -- a separate physical server -- where user names are stored and security is often forgotten because it's a backup.

We establish a null session (a Microsoft mechanism that lets services communicate with one another without a user identification) with the victim server.

I feel like a ghost inside someone else's house. I can see everything -- network services, password files, user accounts, even payroll. But I can't touch anything because null is only designed for interprocess communication.

For the victim, "the sad thing about Microsoft is it doesn't log any of this," Schultze explains.

We're itching to gain root access (the most privileged level of access). But first, we must log off and then back on as legitimate users in order to grab the password hashes (encoded passwords) and submit them to our ace password-cracking tools.

We get back in under the user name "backup" by guessing the password (which is also "backup"). "Command completed successfully," the machine responds.

I ask Schultze whether raised awareness has pushed administrators to better monitor passwords. No, he says. Most networks are still chock-full of such easy-to-guess passwords.

Once in, we copy user files and encrypted password hashes onto our hard drive. We log off and hit the hashes with L0phtcrack and the even faster John the Ripper. Available on the Web, both tools test passwords against a dictionary of common passwords until they break open.

The tougher passwords may take a day, though, as they must be cracked one character at a time.

Within minutes, we've got more than 70% of plain-text passwords in our greasy little paws.

Microsoft's LAN Manager hashes are the worst from a victim standpoint because LAN Manager splits passwords into seven-character halves and uses a known constant to encrypt each half, says Schultze. Our cracking tools are programmed for this, so they kick out passwords much faster than they would in Unix.

And if the administrator disables LAN Manager, the NT box won't talk to any Windows 95 or 98 boxes, so it's a tough problem to solve.
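The LAN Manager weakness Schultze describes leaves a fingerprint an administrator can audit for: because each seven-character half is hashed separately, a password of seven characters or fewer produces a second half equal to the well-known hash of an empty half, and a blank password produces a well-known NT hash. The following is an added example, not code from the article or the course; it runs over a constructed pwdump-style dump whose non-constant hex values are made up and do not correspond to any real password.

```python
"""Added example: audit a pwdump-style dump for the LAN Manager weakness.

Record format (constructed, pwdump style):  user:rid:lmhash:nthash:::
The two constants below are the well-known values for an empty LM half
and an empty NT password; everything else in SAMPLE_DUMP is made up.
"""
import re

LM_EMPTY_HALF = "AAD3B435B51404EE"              # LM hash of an empty 7-byte half
LM_EMPTY = LM_EMPTY_HALF * 2                    # stored when no LM hash exists or the password is blank
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty password

# Constructed sample dump (the non-constant hex values are invented).
SAMPLE_DUMP = """\
Administrator:500:11223344556677889900AABBCCDDEEFF:0F0E0D0C0B0A09080706050403020100:::
backup:1003:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
svc_nolm:1004:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
this line is not a pwdump record
"""


def classify_lm(lm_hex):
    """Classify an LM hash by what its two halves reveal about the password."""
    lm = lm_hex.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", lm):
        return "invalid"
    first, second = lm[:16], lm[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no-lm-hash"   # LM storage disabled, or a blank password (check the NT hash)
    if second == LM_EMPTY_HALF:
        return "lm-short"     # at most 7 characters: only one half needs to be attacked
    return "lm-long"          # 8 to 14 characters, but still two independent 7-character halves


def parse_record(line):
    """Split one pwdump-style line; return None for anything that is not a record."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    return {"user": parts[0], "rid": parts[1],
            "lm": parts[2].upper(), "nt": parts[3].upper()}


def audit(dump_text):
    """Return one finding per account: LM status and whether the NT hash is blank."""
    findings = []
    for line in dump_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        status = classify_lm(rec["lm"])
        findings.append({
            "user": rec["user"],
            "lm": status,
            "blank_password": rec["nt"] == NT_EMPTY,
            # Any stored LM hash, short or long, is crackable one half at a time.
            "exposed_to_lm_cracking": status in ("lm-short", "lm-long"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"{f['user']:<14} lm={f['lm']:<11} blank={f['blank_password']} "
              f"lm-exposed={f['exposed_to_lm_cracking']}")
```

The "lm-long" accounts deserve the same attention as the "lm-short" ones: as the article notes, the cracking tools work the two halves independently, so a 14-character password costs little more to recover than two 7-character ones. The check needs a dump the administrator already holds; it computes no hashes and guesses no passwords.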

Armed with our newfound passwords, we finally reach our goal for the day: we hack back into the machine at administrator level and take root control of it.

"What's the first thing you do when you gain root? You do the root dance," explains Ron Nguyen, another instructor. Push one arm up, jiggle your hips, put the other arm up, jiggle your hips and repeat until you get it out of your system.

For our reward, Nguyen hands out a red wallet card titled "20 Things to Do After You've Hacked Admin." But for the final slap to our victims' faces, we hide our hacking tools in an alternate data stream behind a readme.txt file on the victim server. You could easily hide 10M bytes of hacker tools behind such a file without changing the file size, according to Schultze. The only way administrators can catch this is to set up audit logs that would alert them when disk space changes significantly.

Day 3: Capturing the Unix flag

"Hacking root is a state of mind." Thus begins our syllabus for Day 3. And we really are getting into this "state." We arrive at the class rubbing our hands in anticipation of breaking the venerable Unix.

Our instructor, former Air Force geek Chris Prosise, doesn't let us down.

We begin by repeating discovery and gaining entry in much the same way we did on NT. But Prosise wants to have a little fun. He's showing us how to corrupt the DNS server to reroute traffic to a phony IP address on an "evil.com" server where he can: a) grab information or b) reroute the message into oblivion.

He also shows us how to conduct common HTTP attacks like the test-cgi (Common Gateway Interface) exploit, which forces the victim to give up files and directories with a simple "get" command, and how to execute remote commands that would disable access controls. We install Trojan horses (executable code to do our bidding remotely) and punch open back doors so we can get back in using a Telnet terminal session without needing identifications or passwords.

Then we play capture the flag by leapfrogging among four Unix boxes. And this, I'm afraid, is where I was so rudely interrupted by my awaiting taxi.

Suffice it to say, we learned our lessons.

Network and security managers have a tough row to hoe. Bullet-proof security is a misnomer. And managing security risk is the best anyone can hope for.

We also learned that there's a little bit of hacker in all of us. And by cultivating this hacker within, information security professionals can better fight the cracker without.

