NWC     Internet   Site Map
   Click Here to Visit APC!
Getting StartedTechnology GuideDepartmentsresearch CenterSales & Marketing
FAQs Site Map Staff Article Index Current Issue

  W O R K S H O P

Tools From the Underground

May 29, 2000
By Greg Shipley

The term "computer underground" is as mysterious as it is misleading. It carries with it various connotations. To some, the term references a source of deceit or trickery--a world ruled by an underlying theme of mischief. To others, it suggests a raw, unbiased approach to information security techniques--a dark world that exists under a twisted light of purity.

However, regardless of the stance one takes on the hacker underground, one cannot debate the talent that it harbors and the power behind the tools of its trade.

Before providing a brief tour of a very select group of tools we've found useful over the years, a few disclaimers: First, this is not meant to be an all-encompassing overview of "hacking tools." Second, the tools mentioned here are not necessarily written by members of the "underground"--some are simply used by that community. Finally, many of these tools are old news to some. However, for others, this introduction may provide some insight into methods being used on networks and systems today and present some options that might not have been thought of otherwise.

The first stage of most network assessments and intrusion attempts is usually network reconnaissance. By far the most popular tool on the scene for simple port mapping is Fyodor's Nmap. Running only on Unix-based platforms, Nmap started off as a basic port scanner like strobe and grew into one of the more powerful tools today.

Nmap Goes Beyond

While it still serves quite well for identifying listening services on targeted hosts, Nmap also has an impressive set of features that includes OS detection, TCP/IP sequence predictability, UDP (User Datagram Protocol) scanning (for services like TFTP and SNMP) and "stealth" scanning using SYN, FIN or RST packets. Nmap can be used to map and scan massive networks (thousands of hosts) in a relatively short time--with surprising accuracy.

Its ability to identify both host types and listening services, combined with a flexible assortment of timing and syntax options, makes Nmap ideal for taking "snapshots" of any network. For example, executing "Nmap O p1-1024 oM" will scan all the hosts found on the class B network for all listening ports ranging from 1 to 1,024. It will then attempt to detect the OS type of every host and send the output to a comma-delimited file called "10.

1.0.0.Nmap." Once the initial sweep of a network is completed, you can begin to identify, lock down or disable unneeded services and ports. However, Nmap is not a vulnerability assessment tool in the same category as Cisco NetSonar, ISS Internet Scanner and Network Associates Cybercop Scanner. Traditional vulnerability-assessment scanning tools not only do port/service mapping but also have back-end engines that look for sets of known vulnerabilities. Note that Nmap has an assortment of more devious features such as packet forging (for decoy scans) and some nifty timing options to bypass threshold settings on IDSes (intrusion-detection systems)--among other things.

In contrast, RFP's Whisker is a more targeted tool that does contain an internal database of known vulnerabilities. Whisker was designed specifically to scan Web servers for known CGI vulnerabilities. Unlike Nmap, Whisker is very specific--as it is useful for scanning only Web servers. Poorly coded CGI programs and sample scripts have been among the primary methods used for gaining unauthorized access to firewall-protected Web servers. Often, vulnerable sample programs are missed and left on production Web servers by mistake. This is usually because of the jurisdictional chaos surrounding Web masters, application developers and system administrators in many organizations. While problems with older versions of Allaire Corp.'s ColdFusion and Microsoft's IIS (Internet Information Server) RDS/MDAC package plagued thousands of Web servers last year, many of these sites could have caught the offending files had their administrators been using a tool such as Whisker to scan their Web servers. Let's hope RFP keeps this tool up to date.

Whisker runs only on Unix-based platforms and requires Perl to operate (it is written in Perl). What raises Whisker above every other CGI-based scanner is both its intelligence and the total number of Web-based vulnerabilities for which it looks. Whisker first queries the targeted Web server to determine the version of the server. Whisker won't, for example, look for the presence of msadc.dll (an IIS-specific DLL--Dynamic Link Library--that can cause problems) on non-Microsoft Web servers. Combine this feature with the surprising fact that Whisker's internal list of known Web-based vulnerabilities exceeds that of commercial products such as ISS Internet Scanner and Cybercop Scanner (Whisker looks for more than 200 mischievous CGI programs), and its usefulness should become glaringly obvious.

On the craftier side, Whisker has some stealth options that let it hide its activity. For example, it can obfuscate its queries using the "-I" switch so that a probe looking for the presence of victim/cfdocs/ will appear as "GET /%63%66%64%6f%63%73/" in the logs. Whisker also has some other neat anti-IDS tricks that will get past most IDSes. Regardless of how Whisker's used, whether you are running one Web server or an entire farm, the decision to turn Whisker loose to double-check for common CGI nasties should be a no-brainer.

While Hobbit's netcat has been around for quite some time, when L0pht member Weld Pond ported the native Unix utility to NT, new life was breathed into an old friend (see www.l0pht.com/~weld/netcat/"). Netcat has a number of useful features, but it is best known for its ability to port scan and bind/redirect network-based processes to any TCP or UDP port in an inetd- (Internet daemon) type fashion. Netcat can serve as a fabulous network troubleshooting tool because of its simplicity, but it can also be used for some interesting demonstrations. For example, if you ever wanted to see how useful stateful inspection is against Web-based attacks, try this on an NT server: Shut down IIS on your target server and use netcat to bind cmd.exe to port 80--that is, issue the command "nc l p 80 e cmd.exe." Then from outside your firewall, telnet to your Web server at port 80 ("telnet 80"). The folks over at eEye Digital Security built their iishack exploit to use this very trick.

While netcat can be used in all sorts of shady situations, it can also double as a port scanner and general troubleshooting tool. You can use it to test network-based applications, test connectivity when building router and firewall ACLs (access-control lists), and figure out protocols. For example, using it as a client, you can pull raw HTTP pages by issuing "nc 80" and manually issuing HTTP GET requests. While this might not appear to be any great breakthrough (you can also use telnet to do this), netcat is "raw" and doesn't complicate things with control characters and sequences. Even if you don't see an immediate need for it, chances are you'll use netcat once you familiarize yourself with it.

Another useful utility is winfingerprint, a command-line program that was developed by Vacuum and runs on Microsoft Windows NT (see www.technotronic.com/winfingerprint). Winfingerprint has some interesting features, but its primary strength lies in its enumeration abilities. It can query NT machines for user lists, share lists, group lists and services, and output its findings directly to an HTML file. One of the unique features of winfingerprint is its ability to "walk" the Microsoft Network Neighborhood. You can turn winfingerprint loose on a single machine, direct it at the Network Neighborhood and have it document a good portion of your NT infrastructure without further hassle.

Winfingerprint is capable of querying/enumerating information without any logon credentials via the Windows null session. Essentially, the null session is an unauthenticated connection to an NT machine used for anonymous information gathering (user lists, for example). While the availability of null sessions eases some administrative burden by providing services to tools like Explorer, null sessions are akin to the Unix "finger" service. They are an intruder's dream: access to users, shares and other potentially useful information, remotely and anonymously. While null sessions can be disabled using a registry hack (see "Locking Down Windows NT Server"), most organizations have not made these changes.

Another tool that demonstrates the usefulness or danger of the null session is winfo.exe, by Arne Vidstrom (see ntsecurity.nu/toolbox/"ntsecurity.nu/toolbox/). Winfo will create a null session and effectively dump the user accounts of any NT machine to standard out. In addition to users, shares and trust relationships are also listed--very helpful for probing machines for inventory purposes.

Another useful tidbit concerning null sessions is the debate surrounding the renaming of the administrator account. Although renaming the administrator account and creating a dummy or fake account can serve as a diversionary tactic, it will slow down only the most novice attacker. A basic way to demonstrate this is to use two NT command-line utilities written by Evgenii Rudnyi called user2sid and sid2user (see packetstorm.securify.com).

For example, because the administrator account always has a RID (relative ID) of 500, if you issue "user2sid \\ administrator" and get anything back other than 500, you know the account is not genuine. If an organization has renamed an admin account, you can use the guest account as a seed (the guest RID is always 501) to find the real admin account. If you use "user2sid" to get the entire SID (system ID) and then use "sid2user" with the admin RID (500), you'll be handed the admin user. Or, for the less adventurous, simply run "winfo -n"--it will flag the admin account as part of its standard report.

WinMag.com/TechShopper Contest!
Printer Print Full Article
Printer Print This Page
E-Mail E-mail this URL
Related Links
arrow  Web Server: Security Lockdown
September 15, 1996

arrow  Villains in the Vault
January 15, 1997

arrow  Intrusion Detection, Take Two
November 15, 1999

arrow  Hammering Out a Secure Framework
January 24, 2000

arrow  Best Practices in Network Security
March 20, 2000

arrow  Security Alert Consensus, from the editors of Network Computing and the SANS Institute, lets you customize content on security holes, exploits and patches.
Sign up now !

Other articles
arrow  Buyer's Guide: Spending Wisely on FRADs

arrow  Events
arrow  IT Training
arrow  Company Directory
arrow  Reader Service


<< They're Free! >>

Tech Library!
Tired of trolling Web sites in search of technical and vendor data, and research reports to support your IT purchase decisions? Now you can search through thousands of categorized white papers and reports right here!

UnixWorld | Network Design Manual | Interactive Buyer's Guide | WANsites | Real-World Labs | Learn IT | Careers | Article Index |

Home | Technology Guides | Site Map | FAQ | Subscriptions | Contacts | Sales & Marketing | 2000 Edit Calendar |

Network Computing

Byte.com |  Bank Systems & Technology |  CMPmetrics |  eBusiness Expo |  File Mine |  InformationWeek |  Insurance & Technology | 
InternetWeek |  PC Expo |  Planet IT |  TechCalendar |  TechEncyclopedia |  TechLearning | 
TechShopper |  TechWeb News |  TechWeb Today |  Wall Street & Technology |  WebTools |  Winmag.com | 

Click Here!

TechWeb is brought to you by CMP Media, Inc., Copyright © 2000 - Privacy Statement