Hacking Techniques: Issue #2 - Bouncing Attacks
Written by b0iler for http://b0iler.eyeonsecurity.net
(covered in issue #1)
1. Getting info
   - vuln scripts
   - vuln services
   - vuln people
1.99 Intro
2. Bouncing Attacks
   - proxies
   - wingates
   - shells
2.5 Conclusion
(covered in a future issue)
3. Once They Are In
   - logs
   - IDS
   - Rootkits
   - sniffers
   - DDoS
   - RootShell
   - Deface

Intro
Welcome to the 2nd issue of Hacking Techniques. If you read the first
one I am glad to see you liked it enough to want to read this one.
This issue will focus on how hackers bounce their attacks so that
they do not get caught, and on how they use the power of a *nix
shell. As with the first one, this tutorial can be used both by
hackers and by admins. Hackers will learn how to mount an attack and
use proxies to help stay anonymous. Admins will learn how to prevent
themselves from being used as a proxy in an attack, and save
themselves some stress. If you don't know what a proxy is or how to
use a wingate you need to read this tutorial. People who run
wingates or proxies, or give shells out, should also go over this
tutorial, if only to scare them into securing it. I'll go over a few
other random things such as using routers as wingates, and using
wingates to bounce your irc sessions.

Bouncing Attacks
There are a few ways to bounce your attack. Sometimes it depends on
how you are going to do the attack, sometimes it depends on what you
have on hand. I will introduce you to 3 ways to bounce your attack.
I will not go into using routers as proxies since wingates are
fairly easy to get. And I will not go over bouncing your attack off
an ftp server, because all (or very close to all) ftp programs are
patched against this by now. Not only should hackers read this next
part, but so should admins who want to keep themselves from being
used in an attack. Securing their proxies and wingates can help
prevent trouble with hackers abusing them. This can save some time
and hassle, because you will not need to bother with an admin who is
trying to track down a hacker who used your network to bounce off
of.
- Bouncing through proxies
- Bouncing through wingates
- Bouncing and compiling the attack with shells
Bouncing through proxies

Proxies are the most basic way to stay anonymous while on the web.
They are used with your web browser to relay the data that you are
downloading. So when you send a request for a webpage it is first
sent to the proxy and then to the website, like this:

[your computer] -> [proxy] -> [website]

Some kinds of proxies, known as caching proxies, will hold local
copies of websites people visit. This makes browsing much faster,
since ideally the connection between you and the proxy is very fast.
So instead of having to query the website, the proxy will just send
out the saved (cached) copy and save time and resources. This can be
a problem though, as I have had first hand experience with it. When
running lame industries we put up a script that allowed people to
check out other users' email addresses, image, website, name,
country, etc.; all info was optional. But the script would check if
you were an admin of lame industries, and if you were it would
display users' passwords and cookies and allow you to change the
status of users. Now somehow a nice fellow named MaAaX found a
caching proxy that had this page cached. Not only was it cached, but
it was the admin version that was cached. Some admin of the site
must have used that proxy to visit that script, so the proxy saved
what he saw. MaAaX reported this, but he was tricked into reporting
it to someone who was not an admin of the site. That person then
used the proxy to get an admin's password from the cached page.
Moral of the story? Don't leave sensitive info out for everyone to
see. I would suggest not using a proxy when administering a site
over http, and also putting all scripts which can be used by an
admin in a .htaccess protected directory.
Proxies are very easy to find and very easy to use. To find them try
using a program called Proxy Hunter. What this program does is scan
large ranges of ips for open proxies. Then it reports them to you so
you can try them and see if they require a username and password or
if you can use them without. Another way is to look on the web for
lists of proxies, a few good sites for this are:

Don't expect proxies to stay up forever; if one goes down try
another. It is fairly simple to set up basic security for your proxy
server: get a good access list restricting who can use it. Also, as
with all programs, check for known security vulnerabilities in the
proxy server itself, and for vulnerabilities in your firewall, which
is where you set the access list for the proxy server.
To use proxies you need to set up your browser to bounce off of
them. In Internet Explorer this is done by going to Tools ->
Internet Options... -> Connections -> (highlight your connection) ->
Settings... -> check "Use a proxy server for this connection" ->
fill in the ip or hostname and the port number, then press OK, and
OK.

To set up Netscape to use a proxy select Edit -> Preferences ->
Advanced -> Proxies -> "Manual proxy configuration", then fill in
the hostname or ip and the port number.

In lynx (or Mosaic) you would do this at the command line:

http_proxy="http://proxy.com:80/"; export http_proxy; exec lynx

or exec Mosaic.

Now to validate that the proxy is working go to a site which
displays server environment variables from a perl/php script. One
such site is http://www.cyberarmy.com/cgi/whoami.pl
One proxy is good for everyday surfing, but what if you are up to a
little more than just that? (I see that smile on your face.) You
need to use a technique called chaining proxies. What happens is you
relay the data transfer from one proxy, to another, to another, to
another ... until it reaches the destination. It is fairly simple to
do this, but some proxies don't support it. Other problems include:
one slow proxy makes the connection time out, too many proxies and
the connection times out, and it takes a while to find 4 or 5 good
proxies. This should work in almost every browser; put the proxies
in the address bar in this format:

http://proxy.com:80/http://proxy2.com:80/http://proxy3.com:8000/http://site.com

This should connect you to site.com using those 3 proxies and the
one you put in your configuration (options, preferences.. what we
just did above). I've also heard that using
http://proxy.com;80-_-http://site.com works, but from my experience
it tends to be less supported by proxy servers.
Now when I say proxies can be used to bounce a connection to a
webpage, I mean a webpage. You cannot use a normal http proxy on
anything besides port 80 (the http port, for webpages). If you want
to bounce connections on other ports try a wingate.
So what if you are using an exploit to mount an attack and you are
too lazy to use wingates to connect to your shell? You can use
something like rain.forrest.puppy's libwhisker, which makes it
extremely easy to add proxy support to perl scripts. You can get
libwhisker at:
http://www.wiretrip.net/rfp/bins/libwhisker/pr4/libwhisker.pm
I haven't really looked for a C/C++ version of something like this,
since it's just as simple to connect to a shell, but if anyone knows
of one please send info to b0iler@hotmail.com
One last thing I will go over for proxies is chaining them together.
Hackers use this so they have more cover when hacking into a script
available over port 80. To do this you can put
proxy1-_-proxy2-_-proxy3-_- before the url, or you can use a program
called MultiProxy to chain anonymous proxies together. What is an
anonymous proxy? It is a proxy that will not forward information
about you. The main piece of information hackers want to keep secret
is their IP address; when a proxy forwards this to a computer it is
known as the X-Forwarded-For header. It is a header in the request
which tells the target which computer the proxy is relaying for (the
hacker's IP). Anonymous proxies will leave the X-Forwarded-For
header blank, so that the target has no idea where the attack is
coming from. You can check if a proxy is anonymous at
http://www.cyberarmy.com/cgi/whoami.pl
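As an added example (my own Python, not part of the original tutorial and not the cyberarmy script), here is a small server-side check that does what the whoami page above does from the admin's side: it looks at the request headers and reports whether the visitor came direct, through a transparent proxy that leaks the origin in X-Forwarded-For, or through an "anonymous" proxy that announces itself in Via but sends no X-Forwarded-For. It also splits a chained X-Forwarded-For into its hops, since each transparent proxy in a chain appends one more address. The handler class, function names and sample addresses are my own choices.

```python
"""Server-side proxy check in the spirit of a whoami.pl page.
Added example, not code from the original tutorial."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json


def parse_forwarded_for(value):
    """Split an X-Forwarded-For value into its hop list, oldest first.

    Each transparent proxy in a chain appends the address it received the
    request from, so the first entry is the original client (unless someone
    spoofed the header) and the last is the proxy nearest to the server.
    """
    if value is None:
        return []
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def classify_request(remote_addr, headers):
    """Classify how a request reached the server.

    remote_addr: the TCP peer address as the server saw it.
    headers: mapping of header name -> value (looked up case-insensitively).
    Returns a dict with the verdict and every address the server learned.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = parse_forwarded_for(lowered.get("x-forwarded-for"))
    via = lowered.get("via")

    if hops:
        # The proxy told us who it relayed for: the origin address leaked.
        verdict = "transparent proxy"
        origin = hops[0]
    elif via:
        # The proxy announced itself but hid the client behind it.
        verdict = "anonymous proxy"
        origin = None
    else:
        # No proxy headers at all: either a direct client or a proxy that
        # sends nothing, which the server cannot tell apart.
        verdict = "direct"
        origin = remote_addr

    return {"verdict": verdict, "peer": remote_addr, "origin": origin,
            "chain": hops, "via": via}


class WhoAmIHandler(BaseHTTPRequestHandler):
    """Minimal whoami CGI equivalent: echoes what the proxy revealed."""

    def do_GET(self):
        report = classify_request(self.client_address[0], dict(self.headers))
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed sample: a request that passed through two transparent proxies.
    sample = {"X-Forwarded-For": "10.1.1.5, 192.0.2.7",
              "Via": "1.1 proxy1, 1.1 proxy2"}
    print(json.dumps(classify_request("198.51.100.9", sample), indent=2))
    # Uncomment to serve the check on http://localhost:8080/
    # HTTPServer(("", 8080), WhoAmIHandler).serve_forever()
```

Run it and point a browser through the proxy you want to test at port 8080; the JSON tells you exactly which of your addresses the proxy gave away. Note the "direct" verdict is only as good as the headers: a proxy that strips everything looks identical to a direct client, which is the whole point of an anonymous proxy.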
Bouncing through wingates

Wingates are a type of proxy that allow you to make a telnet
connection. They are intended to allow computers to access the
internet through another one, but since many types of wingates allow
anyone to connect without a password, hackers and other people can
exploit this to bounce their connection off of them. Here is how
this works:

[hacker's computer] -> [wingate] -> [destination]

This snazzy ascii shows how your data will go through a wingate and
then to its destination. So the destination sees it as if the data
is coming from the wingate. If you can't see how hackers can use
this to their advantage let me explain...
Hackers want to keep their ip hidden; they don't want their target
to know where they are coming from. This is both so the attack
cannot be blocked as easily and so they do not get in trouble if
they do get caught. Using a wingate means that the target doesn't
see the hacker's ip, it sees the wingate's ip instead. Most hackers
use over 3 wingates when hacking, just to be safe, because if an
admin caught the hack attempt and contacted the admin of the
wingate, the wingate's logs could be used to find the hacker's ip.
So if they bounce off of 5 or so wingates that means a lot more
hassle for the attacked admin to go through to find the hacker, and
more chance that logs will not be kept or will be deleted by one of
the wingate admins.
Bouncing hacking attacks off of a wingate is not the only reason a
hacker would use one. They are also quite handy when going on some
irc servers. The same basic concept applies: the data is bounced off
the wingate and then sent to the destination (the irc server). So
the irc server sees the connection as coming from the wingate. This
can allow hackers to get around channel bans, get around glines,
hide themselves from others, create clones, etc. Check the options
in your irc client to figure out how to use them (with mirc it's
known as a SOCKS 4 firewall in the options).
Since they are useful on irc, many people on irc tend to be using
wingates. This is why I ported a simple port scanner to irssi (it
also works with BitchX and maybe Xchat). This port scanner is edited
to only look for ports 23 and 1080, the most commonly used ports for
wingates: 23 is telnet, 1080 is SOCKS. What it does is collect
people's ips when they enter a channel, and then when you issue the
command /scan it will check the list of ips for available wingates.
There are also easy to use scripts for mirc that do this; a search
on google for mirc wingate scanner produced many links. You can also
use tools that scan wide blocks of ips for wingates, such as wingate
scanners. Here is a tip: find a cable or dsl isp and scan their
subnet for wingates. Many people on fast connections use wingates
for their network to split their bandwidth up, and since cable users
have a static ip it will not change as often. So do a '/whois user'
on someone who is on cable to get their ip, then check
all-nettols.com (use "smartwhois") to get their isp's ip range and
scan that for wingates.
Wingates tend to go up and down hourly. This is because sometimes
people only need them for a while, and when someone does put one up
they get a lot of traffic from hackers using them to bounce off of,
so instead of wasting their bandwidth they secure the wingate or
take it down. Because of this you need to scan for wingates all the
time. Another reason why irc works well for looking for wingates:
you let other people find them for you. =)
Not many hackers just use 1 wingate when hacking. This is how using
4 wingates would work:

[hacker's computer] -> [wingate] -> [wingate] -> [wingate] -> [wingate] -> [destination]

Using multiple wingates is required for a hacker; they will not just
use one, since it would be easy to track them. But using too many
can make things very slow. Anything over 4 and under 10 would be
normal.
So after you scan (this may take a while, be patient) and get a few
wingates, how do you connect to them and use them? This is very
simple, but tends to be asked all the time on message boards and
chatrooms all over the place. When you telnet to a wingate you need
to have its ip or hostname and the port the wingate is running on.
Normally the port is 23 or 1080. Now we can only use wingates which
don't require a username and password, so after we get a list of
them we will need to test and see which work without a login. Simply
get out telnet, connect to that ip and port, wait for the connection
and see if it says something like this:

Wingate>

If it has a login of some sort then you cannot use it. This is one
way admins of wingates can protect themselves: make sure to password
protect the wingate so random hackers cannot use it. Not only can
hackers use your wingate, but spammers often use them as well.
Having spammers send thousands of emails through your wingate is a
surefire way to get your isp to cancel your account. Besides adding
passwords you can also secure your wingate by only allowing
computers on your LAN to access it. This is how for GateKeeper:

login as Administrator on GateKeeper
Policies -> Default Policies -> Users can access services -> select everyone
Location -> Specify locations from where this recipient has rights ->
add 127.0.0.1 and 192.168.0.* (or whatever ip range your network uses).

To secure Deerfield's wingate simply upgrade to the 3.x home
version. The home version of 3.x doesn't let anyone connect at
default. It's now configured securely by default :D

There are also other prompts that will appear; it is not always
"Wingate>". It could be anything, Wingate> is just the default on
some.
We got connected, now to use the wingate. Wingates by default will
telnet to any ip and port you enter, so try to telnet to a server
you know is up:

Wingate> 204.42.253.18:23

Now if you encounter an error this means something's either wrong
with the ip:port you entered, the ip:port is down, or the wingate is
not working. Also try 'telnet ip:port' since that wingate might not
telnet by default.

So we got our list of wingates down to a list of working,
non-passworded wingates. Now to link them. Let's say we have the
wingates (note, these are fake):

203.43.25.104 port 23
214.133.200.20 port 1080
180.23.56.93 port 23
194.51.107.68 port 23

To link these we would telnet into the first one:

telnet 203.43.25.104 23
Sparky's server 1.03>

Then enter in the ip:port of the next one on the list:

Sparky's server 1.03> 214.133.200.20 1080
CDD Proxy Server>

and link the rest..

CDD Proxy Server> 180.23.56.93 23
welcome to 180.23.56.93: 194.51.107.68 23

Now a hacker can telnet into a shell account from the last wingate
and launch the attack, or if they know how to do some socket
programming they can set up exploits to go through wingates
themselves. For the next section, shells, I'll go over how a hacker
can use a shell to make his attack.
I have heard from a few people that routers can be used as a
wingate. I myself have never done this, since there are always
plenty of wingates to use if you just scan for them. But using a
router as a wingate is very interesting for a number of reasons.
First, a router gets so much traffic that the admin would probably
not know if it was being used to bounce an attack. Routers don't log
by default, and since they get a lot of traffic not many admins log
everything (or their logs do not last too long); this means there is
less of a chance of the hacker getting tracked down. Routers are
pretty much always up and have a fast connection, so if you got a
few routers going as wingates you wouldn't have to scan for new ones
as much =)

Now don't go out looking for routers just yet; before you can use a
router as a wingate you need to have access to use telnet on it.
Unlike wingates, which can sometimes allow anyone to run telnet,
routers don't. You will need to hack into the router to be able to
use telnet on it to wingate from it. Of course the number of routers
with default passwords (admin:admin) or simple unpatched exploits is
pretty high from my experience. Also to note: it might not be a good
idea to telnet directly into a router as your first wingate.. if the
admin does find out about your break in (and they log) you will have
left your real ip. Hackers will probably use a regular wingate or
two before connecting to a compromised router. Needless to say, if
you admin a router make sure to keep it locked up tight; not only
can hackers screw up your network, sniff passwords, redirect data,
and generally muck things up, but they can also use your router as a
launching pad for their next attack.
Another use for wingates is to bounce a connection to irc off of
them. Most commonly SOCKS (stands for SOCK-et-S) proxies are used
for irc; they are very similar to wingates but used mainly at a
firewall to allow transparent connections through it. SOCKS usually
runs on port 1080. To bounce your connection to an IRC server with a
wingate or SOCKS proxy type the following in your irc client:

/server win.gate.com 23
/quote irc.box.sk 6667
/quote user grendelsucks 123.123.123.123 b0iler :ban evader
/quote nick b0iler2

then use irc like normal; you will have the ip or hostname of the
wingate. I believe if you use mirc you can go to File -> Options ->
Connect -> Firewall and then enter in the wingate's IP and port and
check "Use SOCKS Firewall" (correct me if I am wrong). If you use
Xchat try Settings -> Setup -> IRC -> Proxy Server -> fill in IP and
port and select the type as wingate. You can also use a bnc (stands
for BouNCe) to relay your connection to an IRC server.
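For the admin side of the SOCKS on port 1080 just mentioned, here is an added example (my own Python, not code from the tutorial) that decodes the SOCKS4 request and reply as they appear on the wire, so someone looking at a capture from a box that was never meant to relay can see what was asked for: a CONNECT (or BIND) to some host and port with a user id (usually empty on an open relay), and whether the server granted it. The byte strings are constructed samples and the function names are my own; the layout follows the published SOCKS4 protocol.

```python
"""SOCKS4 request/reply decoder for reading captures from port 1080.
Added example, not code from the original tutorial."""
import struct
import ipaddress

SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}
SOCKS4_REPLIES = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "rejected: cannot reach identd on client",
    0x5D: "rejected: identd user id mismatch",
}


def parse_socks4_request(data):
    """Parse a SOCKS4 client request.

    Layout: VN(1)=4 | CD(1) | DSTPORT(2, big-endian) | DSTIP(4) | USERID... | NUL
    Returns a dict, or raises ValueError if the bytes are not a SOCKS4 request.
    """
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise ValueError("not SOCKS4 (version byte %d)" % version)
    if command not in SOCKS4_COMMANDS:
        raise ValueError("unknown SOCKS4 command %d" % command)
    dst_ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    user_id = data[8:nul].decode("latin-1")
    result = {"command": SOCKS4_COMMANDS[command], "dst_ip": dst_ip,
              "dst_port": port, "user_id": user_id}
    # SOCKS4a extension: DSTIP of 0.0.0.x (x != 0) means a hostname follows
    # the USERID, also NUL-terminated; the relay resolves it itself.
    if dst_ip.startswith("0.0.0.") and dst_ip != "0.0.0.0":
        end = data.find(b"\x00", nul + 1)
        if end != -1:
            result["dst_host"] = data[nul + 1:end].decode("latin-1")
    return result


def parse_socks4_reply(data):
    """Parse the 8-byte server reply: VN(1)=0 | CD(1) | DSTPORT(2) | DSTIP(4)."""
    if len(data) < 8:
        raise ValueError("too short for a SOCKS4 reply")
    version, code, port = struct.unpack("!BBH", data[:4])
    if version != 0:
        raise ValueError("bad reply version byte %d" % version)
    return {"granted": code == 0x5A,
            "status": SOCKS4_REPLIES.get(code, "unknown code 0x%02x" % code),
            "port": port,
            "ip": str(ipaddress.IPv4Address(data[4:8]))}


# Constructed sample exchange: a client asks the relay to CONNECT to
# 192.0.2.10:6667 (an irc port) with an empty user id; the relay grants it.
SAMPLE_REQUEST = (bytes([4, 1]) + struct.pack("!H", 6667)
                  + bytes([192, 0, 2, 10]) + b"\x00")
SAMPLE_REPLY = bytes([0, 0x5A]) + struct.pack("!H", 6667) + bytes([192, 0, 2, 10])

if __name__ == "__main__":
    print(parse_socks4_request(SAMPLE_REQUEST))
    print(parse_socks4_reply(SAMPLE_REPLY))
```

A granted CONNECT with an empty user id arriving from outside your own LAN is exactly the open-relay case the text warns about; the same two functions work on any bytes pulled out of a packet capture, and an access list or password on the relay is what makes the reply 0x5B instead of 0x5A.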
Same as with proxies, if you don't want people connecting to your
wingate set up a strict access list on a firewall. Also usernames
and passwords are a good idea when it comes to wingates.

Shell Accounts
A shell account is having access to a remote computer. Users can
connect to them and issue commands just as if they were at that
computer's keyboard. This also means that hackers can issue
commands, and they often use shell accounts as another way to bounce
their attack.

Usually a shell account is used along with wingates and is used by
the hacker to launch the attack. Hackers will not use free shells
such as nether.net or hobbiton.org because they do not have the
ability to run the programs they need and they cannot delete the log
files with a regular user account. If they were to use one of these
shells the admin could easily check the logs and see what they were
up to. So hackers will use what are known as root shells; these are
systems the hacker has already compromised and has root on. This
allows them to delete all necessary logs of their attack and lets
them have full access to *nix tools. The key tools hackers need are
raw packet support, nmap and other auditing programs, a c compiler,
a perl interpreter, and exploits. These come standard on most *nix
boxes, so it makes *nix very valuable to hackers. Although most will
have *nix installed on their computer they might still use shells
because they have faster connections, and they add another layer of
protection along with the wingates.
This is an example of how a hacker would use 3 wingates with 2
shells:

[hacker's computer] -> [wingate] -> [wingate] -> [wingate] -> [shell] -> [shell] -> [target]

To login to the shells a hacker can use telnet or they can use ssh,
whichever they want. ssh will allow a more secure connection. A
simple 'telnet owned.com 5742' would allow them to get in (if they
set up telnetd on port 5742). To connect with ssh: 'ssh owned.com -p
5742'. If your system gets compromised it too could be used as a
shell for the hacker's next attack.
There are free shell accounts for beginner hackers to use; again, I
stress that these are closely monitored and you only get a user
account, so things are logged and power is limited. Don't use them
to hack! What a hacker wants is a 'rootshell', which is root access.
This allows the hacker total control over everything on that
computer. Raw sockets is a big thing; access to edit logs is
another. If you can edit the logs on a rootshell this makes it all
the harder for anyone to track you. If you use a free shell or a
user account on a box you cannot edit the logs and will be
vulnerable to being traced. Always using a lot of wingates will help
in keeping you out of trouble.
Most shells you will want are on *nix boxes, so you need to learn
unix commands. Also knowing what files do what will help you
understand how to hide yourself and how to modify the system the way
you want. Setting up linux and securing your box will help you
better understand how to break in, just as breaking into linux will
help you better understand how to secure it =) To help you learn
*nix here are a few really good tutorials:
How can you stop hackers from using your system? Well, this is a
very in-depth question, because you will need to completely secure
your box to stop them from gaining access to it. Read up on Unix
security, firewalls, and IDS. Of course take action before the
hacker gets in: secure your box... use tripwire and snort 'just in
case'. One way to catch them is to install a remote logging box.
This will allow you to have logs of everything they do; to do this
set up any old box with inetd and syslogd and then change syslog's
configuration file to have logs sent to that box:

# /etc/syslog.conf file
*.* @213.165.52.61

For more info on setting up a secure remote logger try loki's guide
on How to set up a secure remote logger.
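An added example (my own Python, not from the tutorial or from loki's guide) of the receiving end of that "*.* @host" line: a UDP listener on port 514 that decodes the classic BSD syslog datagram syslogd sends (the <PRI> prefix is facility * 8 + severity) and appends each line, together with the sender's address taken from the datagram rather than the forgeable hostname inside it, to a file on the logging box that the root shell on the compromised host cannot reach. The sample line, file name and function names are constructed for the example.

```python
"""Remote logging box: receive BSD syslog over UDP 514 and append it.
Added example, not code from the original tutorial."""
import re
import socket
from datetime import datetime, timezone

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (classic BSD / RFC 3164 shape)
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_syslog_line(line):
    """Decode one BSD syslog datagram into its parts.

    PRI = facility * 8 + severity. Lines that do not match the classic shape
    are still kept (facility/severity None) so nothing is silently dropped.
    """
    m = BSD_LINE.match(line)
    if not m:
        return {"facility": None, "severity": None, "timestamp": None,
                "host": None, "tag": None, "pid": None, "message": line}
    facility, severity = divmod(int(m.group("pri")), 8)
    return {
        "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def format_record(sender_ip, rec):
    """One append-only line: when we got it, who sent it, what it said."""
    received = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if rec["facility"] is None:
        return "%s %s raw: %s" % (received, sender_ip, rec["message"])
    pid = "[%d]" % rec["pid"] if rec["pid"] is not None else ""
    return "%s %s %s.%s %s %s%s: %s" % (
        received, sender_ip, rec["facility"], rec["severity"],
        rec["host"], rec["tag"], pid, rec["message"])


def serve(bind_addr="0.0.0.0", port=514, logfile="remote.log"):
    """Receive datagrams forever and append them. Port 514 needs root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a", buffering=1) as out:
        while True:
            data, (sender_ip, _) = sock.recvfrom(8192)
            rec = parse_syslog_line(data.decode("latin-1").rstrip("\r\n\x00"))
            out.write(format_record(sender_ip, rec) + "\n")


# Constructed sample: the kind of line the owner of a root shell would delete.
SAMPLE = ("<38>Oct 11 22:14:15 owned sshd[3101]: "
          "Accepted password for root from 10.0.0.5 port 5742 ssh2")

if __name__ == "__main__":
    print(parse_syslog_line(SAMPLE))
    # serve()  # run on the logging box and point the other hosts' syslog.conf at it
```

Because the file lives on a separate box and the listener only ever appends, wiping /var/log on the compromised host no longer removes the record; restricting UDP 514 on the logging box to your own hosts with a firewall rule keeps strangers from filling it with noise.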
One thing I would like to stress about using shells from a friend's
box is that they may be logging everything you do and gathering your
username:passwords to your email, hacked accounts, sites, ftp,
nickserv, and anything else you transfer. The same holds true for
BNCs and wingates. It's a trick passed around by many hackers to put
a wingate on their box, put it on a hacker website's list and wait
for people to log into their hacked accounts with it. I also read
somewhere that governments set up wingates to catch hackers. I don't
know how true this is.. but it sure is a good way to discourage
hackers.
Conclusion

In this issue of Hacking Techniques I went over how and why hackers
use proxies, wingates, and shells when attacking, and how admins can
stop them from using their networks to bounce attacks from. I think
the next issue will be much longer; it will cover many things
hackers do once they compromise a system. I hope everyone learned at
least something from this paper, and I hope I didn't forget anything
=) I am sorry if you felt it was hard to read this tutorial. I had a
hard time writing it; it just felt like my words didn't go together
right. It may be a while till I get around to finishing issue #3,
thanks for your patience.

- If I made any mistakes please let me know so I can fix them,
b0iler@hotmail.com
http://b0iler.eyeonsecurity.net - A really good site with tons of original tutorials.