Common System Intrusion Methods

I've done a large amount of system auditing and network attack tool programming in the past, and here is what I consider the most common methods for gaining access to a target host. Most will notice that the attacks are not very high-tech. Well, they don't have to be; they just need to work, and if you can perform all of these attacks I can almost guarantee a 10-20% success rate in system cracking. That may not sound great, but if you consider that for a network of 10 systems you will break into one, then it becomes clear that your success rate is really approaching 100%. I have always found that once one host falls the rest of the network is doomed, especially if you can set up a good password sniffer or ride transitive trusts between hosts.

This list is not exhaustive, and I know this. These attacks, though, are what I see most hackers using, and if you take care of these problems you will be very well off. I will not detail how to execute any of these attacks. They are very simple if you do the research.

The List (in no particular order)

* Default Accounts/Null Passwords - Login using common accounts as shipped with many UNIX hosts. Although many modern systems do not succumb to this, many older ones do. Sometimes administrators will re-enable the default accounts even on new hosts as well.

* Username/Password Same - Logging in by trying a known username and using the username as the password as well.

* rsh - I hate all the r-services. I think they should not be shipped with any product and that they should be rm'd from all UNIX source trees with extreme prejudice. They use a poor authentication mechanism that is easily abused, and I find that the majority of people who use them are just too lazy to type in a password between hosts.
A very large number of sites I've audited in the past use transitive trusts between hosts (.rhosts files), and this leads to rapid system compromise if even a single host is hacked. Some vendors ship with an /etc/hosts.equiv file containing a "+" that allows any host full access to your system remotely. In addition to this, many of the rsh daemons perform no auditing of any commands! You should shut off the rsh service and rm it from your binary directory to ensure it is never turned on. If you need the remote execution feature and transitive trust feature for automated tasks, you should try SSH instead.

* rlogin - See the rsh section. If you are going to use rlogin you should get a version that allows you to shut off support for .rhosts files, and forbid your users from using .rhosts. There should be no exceptions to this. Make sure your /etc/hosts.equiv does not contain a "+" as well.

* rexecd - This service uses username/password style authentication but does not audit failed login attempts. This allows an attacker to beat up on a host with a large password list, unknown to the administrator.

* rexd - Not to be confused with the above, rexd is an RPC service that allows any remote host to run commands on the target system as any user they want (sometimes you may not be able to run as root, though). This service is actually shipped with some UNIX versions turned on. It is important to note that all of the rexd security is at the client, not the server. As the attacker can impersonate any user they wish, you can plainly see that this service is BOHICA material waiting to happen.

* Anonymous FTP mis-configured - Don't run an anonymous FTP server unless you need the service. FTP sites are easily mis-configured, and one OS manufacturer's man page has details on how to set up the anonymous site that are incorrect and grossly insecure.
Many FTP daemons also have a variety of problems that can lead to system compromise even if anonymous FTP is not enabled. If you do run an anonymous FTP site you need to watch it like a hawk and follow the AUSCERT guidelines for setting it up correctly. Attackers can use a mis-configured site to exchange pirated software, corrupt downloadable files, gain remote access, bypass firewall and packet filter security, and a variety of other misuses.

* Finger - The finger service can be used to grab valid account names for the target host. Some versions allow you to issue commands that will "walk" the user list, thereby allowing an attacker to list out every account on your host. Some versions will also walk the local utmp file, allowing attackers to view where users are logging in from and when! Yet still, there are versions that allow attackers to execute commands remotely or to set up .plan files that mail out privileged system information.

* Generic Recon Mechanisms - Services such as systat, netstat, rusersd, etc. can be used to gather user names, network statistics, process accounting and other information. All of these help an attacker to learn about the target host and network.

* NIS (formerly YP) - This service has a large number of problems allowing attackers to remotely grab passwd files and in some cases remotely execute commands.

* RPC Portmapper - Some versions allow attackers to perform "proxy" attacks that bypass local security restrictions by making the RPC call appear to come from the localhost. This service can also be used to dump all available RPC services, which may aid an attacker in discovering vulnerable services. You should shut down all RPC services if you don't use them, or use Wietse Venema's portmapper replacement.

* NFS - NFS is a notorious problem. Attackers use this to read/write files and to gain access through any number of methods.
First, be sure you are running the latest version of the daemon for your OS, as this will fix many common problems. Be sure you are not exporting directories to the world. Be sure you are only exporting directories to hosts that need them and that you are not exporting more than necessary (why are you exporting "/" when users really only need "/usr/local/tools"?). Be sure you are running fsirand or a similar utility to ensure your filehandles are random. Export read-only when you can, and if you export read-write, be sure you do not allow root privs to cross the export mount.

* WWW Server - If you don't need to run a WWW server you should shut it off. Many attackers can abuse the default cgi-bin files shipped with these servers to remotely exploit hosts. If you are running a WWW server, you should go into the cgi-bin directory and execute an "rm *", then fill it in with your own CGI scripts. Almost all example CGI scripts shipped with WWW servers have had a hole, or currently have a hole of some type, and should be deleted.

* SMTP - Make sure your SMTP server is running the latest version of the daemon!! Sendmail, smail, and others have all had problems in the past ranging from denial of service to full remote access exploits. If your host does not process mail you should shut off local SMTP services!

* SNMP - Many SNMP daemons and services are set up with easily guessable public and private community strings. This allows an attacker to re-configure key network devices, gain reconnaissance information, and cause general mayhem. Disable SNMP on your network, or if you need to use it make sure you are using at least SNMPv2 and have unguessable community names.

* TFTP - Trivial File Transfer Protocol. I think the name says it all: this service often allows an attacker to grab key system files such as /etc/passwd. Since it requires no authentication, any person can connect and read whatever they want.
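The default-account, rsh/rlogin and NFS items above all come down to trust granted in a handful of local files, so they can be checked with one script. The following is an added example, not code from the original page or from Psionic; it flags empty password fields in a passwd (or shadow) file, "+" wildcards in hosts.equiv and users' .rhosts files, and NFS exports that go to the world, export "/", or let client root act as root. It assumes the "directory host(options)" exports format used by Linux and the BSDs (not the SunOS "-access=" style), reads the files from a root directory you name rather than /etc so it can run over the constructed sample tree it builds itself, and prints one finding per line.

```shell
#!/bin/sh
# Added example, not from the original page: audit the local trust files the
# default-account, rsh/rlogin and NFS items above warn about. Reports empty
# password fields (passwd or shadow), "+" wildcards in hosts.equiv and .rhosts,
# and exports open to the world, of "/", or with no_root_squash. Assumes the
# "directory host(options)" exports format of Linux and the BSDs. Files are
# read under a root directory (ROOT/passwd, ROOT/hosts.equiv,
# ROOT/home/*/.rhosts, ROOT/exports) so it can run on the constructed sample.

# An empty password field means the account logs in with no password at all.
check_null_passwords() {
    awk -F: '$2 == "" { printf "HIGH %s: account \"%s\" has no password\n", FILENAME, $1 }' "$1"
}

# A "+" in the host column trusts every host on the network, "+ +" trusts
# every host and user, "host +" trusts every user coming from that host.
check_rhosts_file() {
    awk -v f="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "+" {
            msg = ($2 == "+") ? "all hosts and all users" : "all hosts"
            printf "HIGH %s: line %d trusts %s (%s)\n", f, NR, msg, $0
            next
        }
        $2 == "+" { printf "HIGH %s: line %d trusts all users from %s\n", f, NR, $1 }
    ' "$1"
}

# A directory with no host list, a bare "*", or "(options)" without a host is
# exported to the world; no_root_squash lets client root be root on the share.
check_exports() {
    awk -v f="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            dir = $1
            if (NF == 1) printf "HIGH %s: %s exported to the world (no host list)\n", f, dir
            if (dir == "/") printf "MED  %s: whole filesystem / is exported\n", f
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\*$/ || $i ~ /^\*\(/ || $i ~ /^\(/)
                    printf "HIGH %s: %s exported to the world via \"%s\"\n", f, dir, $i
                if ($i ~ /no_root_squash/)
                    printf "HIGH %s: %s lets client root act as root (%s)\n", f, dir, $i
            }
        }
    ' "$1"
}

# Run every check over the files present under ROOT.
run_audit() {
    root=$1
    [ -f "$root/passwd" ] && check_null_passwords "$root/passwd"
    [ -f "$root/hosts.equiv" ] && check_rhosts_file "$root/hosts.equiv"
    for rh in "$root"/home/*/.rhosts; do
        [ -f "$rh" ] && check_rhosts_file "$rh"
    done
    [ -f "$root/exports" ] && check_exports "$root/exports"
    return 0
}

count_high() {
    run_audit "$1" | awk '/^HIGH/ { n++ } END { print n + 0 }'
}

# Constructed sample tree (not data from any real host); prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice"
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
sync::1:1:sync:/:/bin/sync
guest::200:200:guest:/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    cat > "$d/hosts.equiv" <<'EOF'
build.example.com
+
EOF
    cat > "$d/home/alice/.rhosts" <<'EOF'
desk.example.com alice
+ +
EOF
    cat > "$d/exports" <<'EOF'
/usr/local/tools build1.example.com(ro) build2.example.com(ro)
/home *(rw,no_root_squash)
/ admin.example.com(rw)
/pub (ro)
EOF
    printf '%s\n' "$d"
}

if [ "$#" -ge 1 ]; then
    run_audit "$1"
else
    sample=$(make_sample_tree)
    run_audit "$sample"
    echo "HIGH findings: $(count_high "$sample")"
    rm -rf "$sample"
fi
```

Run it with no argument to see the findings on the constructed tree (the restricted /usr/local/tools export produces nothing, the rest produce seven HIGH findings and one MED), or point it at a directory holding copies of a real host's passwd, hosts.equiv, exports and home tree. On a shadowed system run check_null_passwords over the shadow file as well, since that is where an empty field would sit.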
* X-Windows - Attackers can use open X-Windows clients to read keyboard input, dump screen shots, execute commands as the logged-in user and generally cause mischief. Make sure all your X related devices are SECURED with either the xhost or xauth security mechanisms.

* Generic RPC services - Many RPC services have problems that can be exploited to one degree or another. If you don't use the service you should shut it off.

* DNS - Make sure you are using the latest version of DNS on your name servers to prevent cache poisoning and buffer overrun attacks. Make sure you prohibit zone transfers to sites that are not a secondary to you, as this allows attackers to view your entire namespace to find targets (not foolproof, but good enough to stop most).

* IMAP/POP - This is a very common exploit method for attackers, as some versions contain a serious and easily exploited buffer overrun that allows remote execution of commands as root. Update your daemon or shut this service off if you do not use it.

* Samba - This is a popular exploit for Linux systems, as many distributions ship with this service enabled by default. Aside from administrators exporting shares with global permission, exporting too much, etc., it also has a serious buffer overrun that allows attackers to execute commands as root. Shut off this service or obtain an update.

* Password Sniffing - I feel this to be one of the most powerful attacks available. This is not because it is sophisticated, but rather because it allows an attacker to gain access quickly to hundreds of hosts if they have a sniffer set up in a high-traffic location. Once the passwords are obtained it is difficult to spot the attacker because they appear as a normal user. The only defense against this is to not allow an attacker to obtain access to a host, and to use encrypted sessions between all hosts with a tool such as SSH instead.
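Most of the services in the list above (rsh, rlogin, rexecd, finger, systat, netstat, tftp) are started from inetd, so the quickest way to take them off a host is to comment them out of inetd.conf and send inetd a HUP. The script below is an added example, not code from the original page or from Psionic: it lists what an inetd.conf still has enabled and writes a copy with a given set of services disabled. The inetd.conf it works on is a constructed sample, and the service names shell, login and exec are inetd's names for rsh, rlogin and rexecd.

```shell
#!/bin/sh
# Added example, not from the original page: the minimalist approach applied
# to inetd. Lists the services an inetd.conf still starts and writes a copy
# with a chosen set of them commented out. Review the copy, move it into
# place and send inetd a HUP to apply it on a real host.

# Services from the list above that inetd normally starts, by their
# inetd.conf names: shell = rsh, login = rlogin, exec = rexecd.
RISKY_SERVICES="shell login exec finger systat netstat tftp"

# Service name of every enabled line. An inetd.conf entry has at least six
# fields (service socktype proto wait user server); shorter or commented
# lines are ignored.
list_enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

count_enabled() {
    list_enabled_services "$1" | awk 'END { print NR }'
}

# disable_services CONF OUT "svc1 svc2 ...": copy CONF to OUT, commenting out
# each enabled line whose service name is in the list. Every other line,
# including existing comments, passes through unchanged.
disable_services() {
    awk -v list="$3" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in risky) { print "#disabled# " $0; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample inetd.conf (not a real host's file).
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
#talk   dgram   udp  wait    nobody  /usr/sbin/tcpd  in.talkd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
systat  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
tftp    dgram   udp  wait    nobody  /usr/sbin/tcpd  in.tftpd /tftpboot
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
EOF
}

# Work on the file given on the command line, or on the sample.
conf=${1:-}
if [ -z "$conf" ]; then
    tmp=$(mktemp -d)
    conf=$tmp/inetd.conf
    write_sample_inetd_conf "$conf"
fi
echo "enabled before: $(list_enabled_services "$conf" | tr '\n' ' ')"
disable_services "$conf" "$conf.hardened" "$RISKY_SERVICES"
echo "enabled after:  $(list_enabled_services "$conf.hardened" | tr '\n' ' ')"
if [ -n "${tmp:-}" ]; then rm -rf "$tmp"; fi
```

On the sample the hardened copy still starts ftp, telnet and ssh; each of those then needs justifying on its own (the page's advice on telnet is the SSH recommendation in the password sniffing item), and anything you cannot justify joins the list passed to disable_services.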
* "Temporary" Changes - These are changes that you set up "temporarily" to let someone onto your box but later forget to disable. It always seems that hackers find these little nuggets at one point or another, no matter how well hidden you think they are.

Final Words

The best advice is to filter out all of these services for incoming connections at your router. Remember: just because you have the latest version of every program does not mean it doesn't have a problem or mis-configuration waiting to be exploited. Take the minimalist approach: if it isn't needed, shut it off.

Other Sources

Here are some other sources you should look into; they offer more descriptive advice than what this page provides. If you follow the advice given in these two sources and this web page you will be safe from most hackers, and all of the ankle-biters.

* AUSCERT Security Guidelines - Good, simple, and accurate advice.

* Improving the Security of Your Site by Breaking Into It - A good primer for admins on what hackers look for. Written by Dan Farmer and Wietse Venema.

--------------------------------------
All Material Copyright ©1996, 1997 Craig H. Rowland and Psionic Software Systems