HOW TO CRACK, by +ORC, A TUTORIAL


Lesson A.1: Advanced Cracking: Internet Cracking (Unix)


------------->   INTERNET CRACKING: FIREWALLS

     With each new company that connects to the "Information

Superhighway" new frontiers are created for crackers to explore.

Site administrators (Siteads) have implemented various security

measures to protect their internal networks. One of these is

xinetd, covered later. A more general solution is to construct

a guarded gateway, called a [Firewall], that sits between a

site's internal network and the wild and woolly Internet where

we roam. In fact only one third of all Internet connected

machines are already behind firewalls. Most information services

have to deal with the same problem we have: getting OUT through

a local firewall or GETTING INTO a service through their

Firewall. There lays also the crack_solution.

------------>         What is a Firewall?

     The main purpose of a Firewall is to prevent unauthorized

access between networks. Generally this means protecting a site's

inner network from the Internet. If a site has a firewall,

decisions have been made as to what is allowed and disallowed

across the firewall. These decisions are always different and

always incomplete, given the multiplicity of Internet, there are

always loopholes where a cracker can capitalize on.

     A firewall basically works by examining the IP packets that

travel between the server and the client. This provides a way to

control the information flow for each service by IP address, by

port and in each direction.

     A firewall embodies a "stance". The stance of a firewall

describes the trade-off between security and ease-of-use. A

stance of the form "that which is not expressly permitted is

prohibited" requires that each new service be enabled

individually and is seldom used, coz very slow and annoying.

Conversely, the stance "that which is not expressly prohibited

is permitted" has traded a level of security for convenience. It

will be useful to guess the stance of the firewall you are

cracking when making probe decisions.

     A firewall has some general responsibilities:

*    First and foremost if a particular action is not allowed by

the policy of the site, the firewall must make sure that all

attempts to perform the action will fail.

*    The firewall should log suspicious events

*    The firewall should alert internal administration of all

cracking attempts

*    Some firewall provide usage statistics as well.



------------>          Types of Firewall

     In order to avoid head-scratching, it's a good idea to know

the TOPOLOGY of "your" firewall -and its limitations- before

attempting to get through it. Discussed below are two popular

firewall topologies. Although other types exist, the two below

represent the basic forms; most other firewalls employ the same

concepts and thus have -luckily- the same limitations.

                   1) THE DUAL-HOMED GATEWAY

     A dual-homed Gateway is a firewall composed of a single

system with at least two network interfaces. This system is

normally configured such that packets are not directly routed

from one network (the Internet) to the other (the internal net

you want to crack). Machines on the Internet can talk to the

gateway, as can machines on the internal network, but direct

traffic between nets is blocked.

     In discussing firewalls, it's generally accepted that you

should think of the inner network as a medieval castle. The

"bastions" of a castle are the critical points where defence is

concentrated. In a dual-homed gateway topology, the dual-homed

host itself is called the [BASTION HOST].

     The main disadvantage of a dual-homed gateway, from the

viewpoints of the users of the network and us crackers alike, is

the fact that it blocks direct IP traffic in both directions. Any

programs running on the inner network that require a routed path

to external machines will not function in this environment. The

services on the internal network don't have a routed path to the

clients outside. To resolve these difficulties, dual-homed

gateways run programs called [PROXIES] to forward application

packets between nets. A proxy controls the conversation between

client and server processes in a firewalled environment. Rather

than communicating directly, the client and the server both talk

to the proxy, which is usually running on the bastion host

itself. Normally the proxy is transparent to the users.

     A proxy on the bastion host does not just allow free rein

for certain services. Most proxy software can be configured to

allow or deny forwarding based on source or destination addresses

or ports. Proxies may also require authentication of the

requester using encryption- or password-based systems.

     The use of proxy software on the bastion host means that the

firewall administrator has to provide replacements for the

standard networking clients, a nightmare in heterogeneous

environments (sites with many different operating systems

platforms, PC, Sun, IBM, DEC, HP...) and a great burden for

administrator and users alike. 

                 2) THE SCREENED HOST GATEWAY

     A screened host gateway is a firewall consisting of at least

one router and a bastion host with a single network interface.

The router is typically configured to block (screen) all traffic

to the internal net such that the bastion host is the only

machine that can be reached from the outside. Unlike the dual-

homed gateway, a screened host gateway does not necessarily force

all traffic through the bastion host; through configuration of

the screening router, it's possible to open "holes" in the

firewall to the other machines on the internal net you want to

get into.

     The bastion host in a screened host firewall is protected

from the outside net by the screening router. The router is

generally configured to only allow traffic FROM SPECIFIC PORTS

on the bastion host. Further, it may allow that traffic only FROM

SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet

news traffic to reach the bastion host ONLY if the traffic

originated from the site's news provider. This filtering can be



easily cracked: it is relying on the IP address of a remote

machine, which can be forged.

     Most sites configure their router such that any connection

(or a set of allowed connections) initiated from the inside net

is allowed to pass. This is done by examining the SYN and ACK

bits of TCP packets. The "start of connection" packet will have

both bits set. If this packets source address is internal... or

seems to be internal :=) the packet is allowed to pass. This

allows users on the internal net to communicate with the internet

without a proxy service.

     As mentioned, this design also allows "holes" to be opened

in the firewall for machines on the internal net. In this case

you can crack not only the bastion host, but also the inner

machine offering the service. Mostly this or these machine/s will

be far less secure than the bastion host.

     New services, for instance recent WEB services, contain a

lot of back doors and bugs, that you'll find in the appropriate

usenet discussion groups, and that you could use at freedom to

crack inner machines with firewall holes. Sendmail is a good

example of how you could crack in this way, read the whole

related history... very instructive. The rule of thumb is "big

is good": the bigger the software package, the more chance that

we can find some security related bugs... and all packages are

huge nowadays, 'coz the lazy bunch of programmers uses

overbloated, buggy and fatty languages like Visual Basic or

Delphy!

Finally, remember that the logs are 'mostly) not on the bastion

host! Most administrators collect them on an internal machine not

accessible from the Internet. An automated process scan the logs

regularly and reports suspicious information.

                               

                 3) OTHER FIREWALL TOPOLOGIES

The dual-homed gateway and the screened host are probably the

most popular, but by no mean the only firewall topologies. Other

configurations include the simple screening router (no bastion

host), the screened subnet (two screening routers and a bastion

host) as well as many commercial vendor solutions.



------------>   Which software should we study?

Three popular unix software solutions allow clients inside a

firewall to communicate with server outside: CERN Web server in

proxy mode, SOCKS and the TIS Firewall toolkit. 



1)   The CERN Web server handles not only HTTP but also the other

protocols that Web clients use and makes the remote connections,

passing the information back to the client transparently. X-based

Mosaic can be configured for proxy mode simply by setting a few

environment variables.

2)   The SOCKS package (available free for anonymous ftp from

ftp.nec.com in the file

        /pub/security/socks.cstc/socks.cstc.4.2.tar.gz

includes a proxy server that runs on the bastion host of a

firewall. The package includes replacements for standard IP

socket calls such as connect(), getsockname(), bind(), accept(),

listen() and select(). In the package there is a library which

can be used to SOCKSify your crack probes.

3)   The Firewall Toolkit

The toolkit contains many useful tools for cracking firewall and

proxy server. netacl can be used in inetd.conf to conceal



incoming requests against an access table before spawning ftpd,

httpd or other inetd-capable daemons. Mail will be stored in a

chroot()ed area of the bastion for processing (mostly by

sendmail).

The Firewall toolkit is available for free, in anonymous ftp from

ftp.tis.com in the file

               /pub/firewalls/toolkit/fwtk.tar.Z

The popular PC firewall solution is the "PC Socks Pack", for MS-

Windows, available from ftp.nec.com It includes a winsock.dll



file. 



     The cracking attempts should concentrate on ftpd, normally

located on the bastion host. It's a huge application, necessary

to allow anonymous ftp on and from the inner net, and full of

bugs and back doors. Normally, on the bastion host, ftpd is

located in a chroot()ed area and runs as nonprivileged user. If

the protection is run from an internal machine (as opposing the

bastion host), you could take advantage of the special inner-net

privileges in hostp.equiv or .rhosts. If the internal machine

"trusts" the server machine, you'll be in pretty easily.

     Another good method, that really works, is to locate your

PC physically somewhere along the route between network and

archie server and "spoof" the firewall into believing that you

are the archie server. You'll need the help of a fellow hacker

for this, though.

     Remember that if you gain supervisor privileges on a machine

you can send packets from port 20, and that in a screened host

environment, unless FTP is being used in proxy mode, the access

filters allow often connections from any external host if the

source port is 20 and the destination port is greater than 1023!

     remember that NCSA Mosaic uses several protocols, each on

a different port, and that -if on the firewall no proxy Web

server is operating- each protocol must be dealt with

individually, what lazy administrators seldom do.

     Be careful for TRAPS: networking clients like telnet and ftp

are often viciously replaced with programs that APPEAR to execute

like their namesake, but actually email an administrator. A

fellow cracker was almost intercepted, once, by a command that

simulated network delays and spat out random error messages in

order to keep me interested long enough to catch me. Read the

(fictions) horror story from Bill Cheswick: "An evening with

Berferd in which a cracked is lured, endured and studied",

available from ftp.research.att.com in

              /dist/internet_security/berferd.ps

As usual, all kind of traps can be located and uncovered by

correct zen-cracking: you must *FEEL* that some code (or that

some software behaviour) is not "genuine". Hope you believe me

and learn it before attempting this kind of cracks. 



------------>      How do I crack Firewalls?

     Some suggestions have been given above, but teaching you how

to crack firewalls would take at least six complete tutorial

lessons for a relatively unimportant cracking sector, and you

would almost surely get snatched immediately, 'coz you would

believe you can crack it without knowing nothing at all. So, for

your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT

(quite a fascinating difference): First Text, then the software

above. For text, start with Marcus Ranum's paper "Thinking about

Firewalls", available from ftp.tis.com in the file/pub/firewalls/firewalls.ps.Z

and do an archie search for newer literature.

Join the firewall discussion list sending a message to

majordomo@greatcircle.com, you'll get a message with

instructions, as usual, lurk only... never show yourself to the

others.

     You can find for free on the web quite a lot of early

versions of proxy software. Study it, study it and then study it

again. The cracking efforts on your copies, and your machines,

before attempting anything serious, are MANDATORY if you do not

want to be immediately busted on the Internet. When you feel

ready to try serious cracking, you must OBLIGATORY start with a

small BBS which uses a firewall version you already studied very

well (sysops are not firewall administrators, and many of them

do not know nothing about the software they use). As soon as you

gain access to the bastion host, remember to subvert entirely the

firewall itself before entering the inner net.  

If you feel ready and everything went well so far, if your zen-

cracking abilities are working well... then take a moment for

yourself... prepare yourself a good Martini-Wodka (you should

only use Moskovskaia), take a deep breath and by all means go

ahead! You will then be able to try your luck on the Cyberspace

and get quickly busted (if you did not follow my admonitions and

if you cannot zen-crack) or, may be, fish quite a lot of

jewels... :=) 



------------->     INTERNET CRACKING: XINETD

     [Xinetd] a freely available enhanced replacement for the

internet service daemon inetd, allows just those particular users

to have FTP or Telnet access, without opening up access to the

world. Xinetd can only protect the system from intrusion by

controlling INITIAL access to most system services and by logging

activities so that you can detect break-in attempts. However,

once a connection has been allowed to a service, xinetd is out

of the picture. It cannot protect against a server program that

has security problems internally. For example, the finger server

had a bug several years ago that allowed a particularly clever

person to overwrite part of its memory. This was used to gain

access to many systems. Even placing finger under the control of

xinetd wouldn't have helped.

     Think of the secured firewall system as a fortress wall:

each service that is enabled for incoming connections can be

viewed as a door or window in the walls. Not all these doors have

secure and reliable locks. The more openings are available, the

more opportunities are open for us.

------------->         What xinetd does



Xinetd listens to all enabled service ports and permits only

those incoming connection request that meet authorization

criteria.

-    Accept connections from only certain IP addresses

-    Accept connections only from authorized users



-    Reject connections outside of aithorized hours

-    Log selected service when connections are accepted or

     rejected, capturing following informations: 

     * Remote Host Address

     * User ID of remote user (in some cases)

     * Entry and Exit time

     * Terminal type 

     Support login, shell, exec and finger



------------->        SERVICES TO CRACK &

                  UNWITTING INSIDE COMPLICES

In this order the easy services:

     FTP  TELNET    LOGIN (rlogin) SHELL (rcmd)   EXEC

In this order the more difficult ones:

     MOUNT     TFT  FINGER    NFS(Network File System) 

     DNS(Domain Name Service)

Remember that sendmail (SMTP), by default, accepts a message from

any incoming connection. The "sender" of such a message can

appear to have originated anywhere, therefore your claim of

identity will be accepted! Thus you can forge a message's

originator. Most of the recipients inside the protected

(firewalled) net will take your claim at face value and send you

(to the "return address" you provide) all the sensitive

information you need to crack the system. Finding unwitting

inside complices is most of the time pretty easy.

     By far the best method, for entering xinetd, is to get the

real version from panos@cs.colorado.edu, modify the system files

in order to have some backdoors, and then distribute them to the

mirror servers on the WEB. Each time a new administrator will

download "your" version of xinetd, you'll have an easy access to

the "protected" system.

     On the Nets, it's important to conceal your identity (they

will find you out pretty quickly if you do not). The best method

is to obtain the IP address of a legitimate workstation during

normal hours. Then, late at night, when the workstation is known

to be powered-off or disconnected from a dialup PPP link, a

different node on the network can be configured to use the

counterfeit IP address. To everyone on the network, it will

appear that the "legitimate" user is active. If you follow this

strategy, you may want to crack somehow more negligently... the

search for the cracker will go on -later- in the false confidence

that a sloppy novice (the legitimate user) is at work, this will

muddle the waters a little more.



Well, that's it for this lesson, reader. Not all lessons of my

tutorial are on the Web.



     You 'll obtain the missing lessons IF AND ONLY IF you mail

me back (via anon.penet.fi) with some tricks of the trade I may

not know that YOU discovered. Mostly I'll actually know them

already, but if they are really new you'll be given full credit,

and even if they are not, should I judge that you "rediscovered"

them with your work, or that you actually did good work on them,

I'll send you the remaining lessons nevertheless. Your

suggestions and critics on the whole crap I wrote are also

welcomed.


E-mail +ORC

+ORC an526164@anon.penet.fi