Network Virus Protection

Date post: 21-Jul-2016
Page 1: Network Virus Protection

Internetworking Basics And Standard Vulnerabilities

Page 2: Network Virus Protection

Bill Burns, Professional Hacker

Corporate Electronic Security, Netscape Communications Corp.

[email protected]

Internetworking Basics And Standard Vulnerabilities

Page 3: Network Virus Protection

Agenda

• PC networking basics
• Internet basics, email
• Q&A
• Attacking what we’ve learned
• Resources
• Thank you!

Page 4: Network Virus Protection

Overview, Part I

• PC Networking Basics
  – How a PC connects to a network
  – Types of networks and what they are
  – Pieces of the network

Page 5: Network Virus Protection

Overview, Part II

• Services available on the Internet
• Attacking Internet services
• Email, “spoofing”, and abuse
• Tracking what bad actors are doing or did

Page 6: Network Virus Protection

Overview, Part III

• Networking Security Exploits
  – Sniffing
  – Scanning and mapping
  – Breaking (not “into”)
  – Breaking into network hosts
• Network-based Trojan Horses and viruses
• References
• Q&A / Wrap-Up

Page 7: Network Virus Protection

Networking Basics: The PC

• How can you connect to a network?
• Wires, waves, glass
• Ethernet is very common now; Token Ring not as much anymore
• NICs

Page 8: Network Virus Protection

Networking Basics: A Simple Network

• Network: more than one machine connected to another
• A simple bus-layout network:

[Diagram: Alice, Bob and a server attached to one shared bus]

Page 9: Network Virus Protection

Networking Basics: It’s more than computers!

• Bridges (repeaters)—make longer networks, to a limit.
• Routers—connect networks together
  – Contain “broadcast domains”
• Switches—make networks larger
  – Keep PCs from seeing most others’ traffic
• Servers, hosts, and “other” devices
  – printers, HVAC systems, even pop machines! :)

Page 10: Network Virus Protection

Networking Basics: Small LANs

• LANs vs. WANs
• Machines connected together (i.e. an office)
• Usually a mix of routers and switches
• Intranet = marketing term for “LAN”

Page 11: Network Virus Protection

Networking Basics: Larger networks

• Connecting different LANs together
• Network traffic usually goes over “public” networks
  – Frame Relay, leased lines, maybe even over the Internet (VPNs)!
  – The telco promises to keep your traffic separate from other companies’ traffic also using their network
• A mix of routers and switches

Page 12: Network Virus Protection

Larger networks: sample

Smaller networks attached via (multiple) routers to other networks, and their routers

Page 13: Network Virus Protection

Internet Basics

• Connections:
  – Routers
  – Firewalls
• Internet connections (ISPs)
• Some services you can use on the Internet

Page 14: Network Virus Protection

Internet Basics: Connections

• Internet: A collection of networks
• A typical corporate Internet connection:
  – Usually a mix of router(s) & firewall(s)

[Diagram: Internet, firewall, routers]

Page 15: Network Virus Protection

Internet Services (Or: What to do on the Internet!)

• WWW (“The Web”)
• E-Mail—correspondence
• FTP—“getting stuff”
• Telnet—remotely logging into machines
• “other” services
  – ICQ—chat
  – AOL Instant Messenger—chat
  – IRC—on-line chat

Page 16: Network Virus Protection

Email: The Basics

• What an email address looks like / what it means
• How Internet email works
• Tracking email through the Internet
• Tools you can use
  – Domain name/address lookups
  – Traceroute

Page 17: Network Virus Protection

E-Mail addresses

• Can be trivially spoofed (just telnet to port 25)
• No one actually checks the validity of the information (“On the Internet, no one knows you’re a dog” -- Snoopy)
• Only the dumb spammers use their own or a real email address
• It’s the email headers that can help you track someone

Page 18: Network Virus Protection

Email address formats: A “proper” email address

[email protected]

(User ID before the “@”, Domain after it)

Page 19: Network Virus Protection

Email: A “properly” formatted message

From: [email protected]
Date: 1:55 pm
Subject: Your order 104315-HM323 (received 10/20/98)
To: [email protected] (WILLIAM D. BURNS)

Dear Mr. Burns,
Thank you for your order. We thought you'd like to know that the following items have been shipped to you:
...

Notes: Expected email, recognizable address, To: field properly formatted, etc.

Page 20: Network Virus Protection

Email abuse

• Spam—What is it? Why is it called that?
  – “the same article (or essentially the same article) posted an unacceptably high number of times to one or more newsgroups.”
  – ‘Spam’ doesn't mean ‘ads’. It doesn't mean “posts whose content I object to”.
• UCE—Unsolicited Commercial Email (ads)
  – What most people call “spam” now
• Harassing/threatening email

Page 21: Network Virus Protection

Email: A “bogus” email

From: [email protected]
Date: 05/05/1998 12:16 pm
Subject: Hurry, no time to loss!!
To: [email protected]

It's your dreams that will save you from life of living paycheck to paycheck. If you've ever dreamed of becoming your own boss and running your own life, you need to stop dreamiong and become a DOER!
. . .

Notice: “get rich quick” scheme, no one you’ve heard of before, spelling errors (kept as in the original message), possibly fake email address.

Page 22: Network Virus Protection

Email “spoofing”

• Used to obscure the real identity of the sender
• Almost never a legitimate offer (consider this like unsolicited phone offers)
• Where do spammers get their email lists?

Page 23: Network Virus Protection

Email analysis: what to do?

• Tip: Get the email FORWARDED to you, not pasted in a message to you. (headers)
• Tip: Work from the bottom UP to track the trace of email servers involved.
• Tip: It’s hard to get the help of other companies during your investigation.
• Tip: “abuse@…” is usually helpful.
• Realtime Blackhole Lists -- very effective! :)

Page 24: Network Virus Protection

Email header analysis

• The first (bottom-most) Received: header is where the message started
• The last (top-most) Received: header is the final receiving server
• Many companies and ISPs used along the way are “intermediaries” and may not even realize it
• (You need to help them fix their mail servers!)

Page 25: Network Virus Protection

A sample spam email

From: <[email protected]>
Date: 12/03/1998 4:34 am
Subject: Ad: Advertising Your Business
To: [email protected]
BCC: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Online Entreprenuer, Advertising your business has never been easier or cost effective. You will reach millions for a fraction of any other form of advertising. If you have a product or service that you know is marketable then you simply cannot fail to make huge profits on the internet. Now is the time to get on board while this internet marketplace still remains in the growing stages.

(Notice the general email addresses, and the claim to make huge profits)

Page 26: Network Virus Protection

Analysis of the spam

[3] Received: from ferret.slip.net [207.171.193.6] by mx01 via mtad (2.6) with ESMTP id 029cLcmIE0018M01; Thu, 03 Dec 1998 12:34:30 GMT
[2] Received: from mail.larkom.net ([208.216.216.68]) by ferret.slip.net with esmtp (Exim 2.02 #1) id 0zlXxg-0001n1-00 for [email protected]; Thu, 3 Dec 1998 04:34:24 -0800
[1] Received: from alpha ([153.35.218.194]) by mail.larkom.net (Post.Office MTA v3.1.2 release (PO205-101c) ID# 0-43162U2500L250S0) with SMTP id ABB68; Thu, 3 Dec 1998 03:29:30 -0800
To: [email protected]
BCC: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
From: <[email protected]>
Subject: Ad: Advertising Your Business
Message-ID: <[email protected]>
Date: Thu, 3 Dec 1998 04:34:24 -0800

(The bracketed numbers 1 to 3 are the hop labels used on the next slide; 1 is the bottom-most Received: header.)

Page 27: Network Virus Protection

Header Analysis

• Remember: work from the bottom up
• Message started from “1” (alpha, 153.35.218.194)
  – #1 sent the email to server “2” (larkom.net)
  – #2 sent the email to the next server “3” (ferret.slip.net)
  – #3: it arrived to the user!
• So, who owns “153.35.218.194”? :)

Page 28: Network Virus Protection

Who is the spammer?

• Using ARIN, we look up the IP address:
  – UUNET Technologies, Inc. (NET-UUNETCUSTB35)
  – 3060 Williams Drive Fairfax, VA 22031 US
  – Netname: UUNETCUSTB35  Netnumber: 153.35.0.0
  – Coordinator: Uunet, AlterNet - Technical Support (OA12-ARIN) [email protected] +1 (800) 900-0241
  – Domain System inverse mapping provided by:
  – DIALDNS1.UU.NET 153.39.194.10
  – DIALDNS2.UU.NET 153.39.194.26
  – Record last updated on 18-Nov-98.
  – Database last updated on 12-Mar-99 16:13:07 EDT.
• So, the email originated from a UUNET member or a UUNET affiliate.
• (UUNET is a large ISP)

Page 29: Network Virus Protection

More analysis

• What about “larkom.net”? Lookup at InterNIC:
  – Larkom.net
  – Registrant:
  – Extreme Marketing (LARKOM-DOM)
  – 920 Calle Negocio #C
  – San Clemente, CA 92673
  – Domain Name: LARKOM.NET
  – Administrative Contact, Technical Contact, Zone Contact:
  – Hostmaster (NO45-ORG) [email protected]
  – 714-492.2938
• Larkom might be the sender or a poor server in the middle being used by spammers.

Page 30: Network Virus Protection

Email recap

• Most people try to obscure their tracks
  – This case used “[email protected]” as their email address instead of their real address.
• Forward this email to [email protected] and maybe [email protected]
• Call the administrators if there is a serious problem

Page 31: Network Virus Protection

Email recap

• Each server passes the email along and adds its “header” to the top.
• Mail servers usually log mail headers, but they don’t always keep logs around for long.
• Time stamps are invaluable, but not always accurate; watch out for time drift between servers.
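As an added example (not code from the original talk), the script below does the bottom-up walk of the Received: chain described on the "Header Analysis" slide and applies the time-stamp caution above: it lists the hops origin-first, then compares each server's stamp with the next one to flag a negative gap (clocks disagree) or an unusually long one. The three Received: lines are reconstructed from the sample spam on the earlier slides; the addresses are placeholders because the slides mask them, and the 600-second drift threshold is an assumption.

```python
"""Walk a message's Received: chain bottom-up and check for time drift."""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed raw message: the three Received: headers are copied from the
# sample spam on the earlier slides; addresses are placeholders because the
# slides mask them.
SAMPLE_MESSAGE = """\
Received: from ferret.slip.net [207.171.193.6] by mx01 via mtad (2.6)
    with ESMTP id 029cLcmIE0018M01; Thu, 03 Dec 1998 12:34:30 GMT
Received: from mail.larkom.net ([208.216.216.68]) by ferret.slip.net
    with esmtp (Exim 2.02 #1) id 0zlXxg-0001n1-00
    for recipient@placeholder.invalid; Thu, 3 Dec 1998 04:34:24 -0800
Received: from alpha ([153.35.218.194]) by mail.larkom.net
    (Post.Office MTA v3.1.2 release (PO205-101c) ID# 0-43162U2500L250S0)
    with SMTP id ABB68; Thu, 3 Dec 1998 03:29:30 -0800
From: <sender@placeholder.invalid>
Subject: Ad: Advertising Your Business
Date: Thu, 3 Dec 1998 04:34:24 -0800

Online Entreprenuer, Advertising your business has never been easier...
"""

# "from <helo> ([ip]) ... by <server>": the bracketed IP is what the receiving
# server observed; the HELO name is only what the sender claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?)?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)

@dataclass
class Hop:
    helo: str                 # name the sending host announced
    ip: Optional[str]         # address recorded by the receiving server
    by: str                   # server that added this Received: line
    when: Optional[datetime]  # that server's clock, None if unusable

def _stamp(value: str) -> Optional[datetime]:
    """Parse the date after the last ';'; None if missing or zone unknown."""
    stamp = value.rpartition(";")[2].strip()
    try:
        when = parsedate_to_datetime(stamp) if stamp else None
    except (ValueError, TypeError):
        return None
    # A naive result means "-0000" (zone unknown): not safe to compare.
    return when if when is not None and when.tzinfo is not None else None

def parse_hops(raw_message: str) -> List[Hop]:
    """Hops in transit order, origin first: the bottom-most header is hop 0."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:  # skip lines we cannot parse rather than guess at them
            hops.append(Hop(m["helo"], m["ip"], m["by"], _stamp(value)))
    return hops

def hop_delays(hops: List[Hop]) -> List[Optional[int]]:
    """Seconds from each hop's stamp to the next; None if a stamp is missing."""
    return [int((b.when - a.when).total_seconds())
            if a.when and b.when else None
            for a, b in zip(hops, hops[1:])]

def suspicious_gaps(hops: List[Hop], max_seconds: int = 600) -> List[int]:
    """Indexes of hops whose gap to the next server is negative (clocks
    disagree) or longer than max_seconds (queueing, or a clock badly off)."""
    return [i for i, d in enumerate(hop_delays(hops))
            if d is not None and (d < 0 or d > max_seconds)]
```

On the sample chain the origin is alpha (153.35.218.194), and the stamp added by mail.larkom.net is about 65 minutes behind the one added by ferret.slip.net, which is exactly the kind of gap the slide warns not to take at face value.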

Page 32: Network Virus Protection

Tracking Internet domains

• People and domains:
  – InterNIC (company domain name owners)
    • http://www.internic.net
  – ARIN (numerical addresses to hostnames)
    • http://www.arin.net/whois/arinwhois.html
  – MILNET (military networks)
    • http://nic.ddn.mil/cgi-bin/whois
• Paths through the network: traceroute
  – Microsoft OS’s: tracert (comes with OS)
  – UNIX: traceroute (comes with OS)
  – website: http://www.merit.edu/ipma/tools/trace.html

Page 33: Network Virus Protection

Q&A for Part I

Network components, email tracking, more...

Page 34: Network Virus Protection

Networking Security Exploits: Sniffing

• “Sniffing” = eavesdropping on traffic
• PC traffic can be seen by other PCs
• Users can easily “sniff” or “snoop” each other’s traffic
• Can easily capture usernames, passwords, email content and other sensitive data

Page 35: Network Virus Protection

Network Sniffing (cont’d)

• There’s no way to tell if users are doing this!
• Sniffers come standard on UNIX machines!
• Utilities on the Internet are available for other OS’s as well.
• Switches help with this, but may not eliminate it.

Page 36: Network Virus Protection

Sniffing/Snooping

[Diagram: Alice, Bob and a server on the same shared network]

• While Alice is logging into the server (with her username and password)...
• ...Bob is watching and recording her every keystroke!

Page 37: Network Virus Protection

Types of Internet “attacks”

• Denial of Service (DoS)—flooding
• Breaking in as someone else—imposters
• Breaking things—vandalism
• Stealing things—theft
• Stepping stones—hiding your tracks

Page 38: Network Virus Protection

Network-based Trojan Horses

• Trojan Horse:
  – Definition: One thing disguised as another.
• What makes them different from regular “Trojan Horses”?
  – Specifically designed to use networks to send information back to the “mother ship” or attack other networks
  – NOTE: most trojan horse warnings are hoaxes!!!

Page 39: Network Virus Protection

Trojan Horses: Examples

• Have been around since computers
• Recent examples:
  – Netbus and Back Orifice (toolkits)
    • Once installed, can copy files from the machine, take screen shots, crash the machine. Hard to detect.
    • Use UDP and Internet connections to talk to the “mother ship”.
    • Once running, can be spotted on the network but not with most “anti virus” programs.
  – ISP execs and keyboard sniffers (screensavers)

Page 40: Network Virus Protection

Network-based Viruses and Worms

• Virus:
  – Definition: infect other systems, usually do damage, spawn themselves
  – Recent examples: Numerous MS-Word macro viruses
• Worm:
  – Definition: Sole purpose is to re-create, grow larger, consume more resources.
  – Recent example: Happy99.exe (nasty!)

Page 41: Network Virus Protection

A “Network Virus?”

• Refers to the distribution method
• A Network Virus heavily depends on a network to clone and transport itself
• Because networks move data quickly, squashing them is difficult.
• It also means that any information it gathers moves at the speed of light.
• Email attachments -- watch them!

Page 42: Network Virus Protection

Viruses: resources

• Before panicking, check for a hoax:
  – (Symantec) http://www.symantec.com/avcenter
  – (Computer Incident Advisory Capability: DOE) http://ciac.llnl.gov
• Never open attachments (especially programs) from untrusted sources
• Install and use anti-virus software all the time

Page 43: Network Virus Protection

Tracking what bad actors are doing or did

• Intrusion detection programs (perimeter)
• Logs, Logs, Logs! (especially on servers)
• PCs leave clues behind
  – Netscape.hst (history of where they’ve browsed; maybe broken into?)
  – MS Office ‘98 files may have the author’s ethernet card address in them
  – Email “sent” folders
  – Date and time stamps on files

Page 44: Network Virus Protection

Resources

• Email header analysis:
  – http://help.mindspring.com/features/emailheaders/index.htm
• Hacker sites:
  – www.rootshell.com (source code for exploits)
  – www.l0pht.com (news, source code)
• Spam:
  – www.cybernothing.org/faqs/net-abuse-faq.html (spam info)

Page 45: Network Virus Protection

More Resources

• www.SANS.org (resources, research, alerts)
• www.CERT.org (resources, news, alerts)

Page 46: Network Virus Protection

Wrap-up, Q&A

Thank you!

Bill Burns, [email protected]

http://people.netscape.com/shadow

