Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon


A great many hacker attacks can be blocked simply by following best security practices and exercising a standard of due care. But the dangers of accidentally deploying an open proxy are too often overlooked and represent a major vulnerability in a great number of organizations. Enough said?

THE BOTTOM LINE

In whatever field you find them, people of an original turn of mind, people who are deep thinkers and see the world (or at least parts of it) more clearly than those around them are people worth encouraging.

And, for those like Adrian Lamo, people worth steering along a constructive path. Adrian has the ability to make significant contributions. I will follow his progress with fascination.

NOTES

1. See the press release from the U.S. Government at www.usdoj.gov/criminal/cybercrime/lamoCharge.htm.
2. See www.usdoj.gov/criminal/cybercrime/lamoCharge.htm.
3. For more information on this, see www.crime-research.org/library/Kevin2.htm.
4. See www.infoworld.com/article/04/07/16/HNlamohome_1.html.
5. For more information on this, see www.corpit.ru/mjt/proxycheck.html.

Chapter 6

The Wisdom and Folly of Penetration Testing

The adage is true that the security systems have to win every time, the attacker only has to win once.

-- Dustin Dykes

Think of a prison warden who hires an expert to study his institution's security procedures, concerned about any gaps that could allow an inmate to slip out. A company follows that same line of thinking when it brings in a security firm to test the sanctity of its Web site and computer networks against intrusion by seeing whether hired attackers can find a way to access sensitive data, enter restricted parts of the office space, or otherwise find gaps in the security that could put the company at risk.

To people in the security field, these are penetration tests -- or, in the lingo, "pen tests." The security firms that conduct these drills are frequently staffed by (surprise, surprise) former hackers. In fact, the founders of these firms are themselves frequently people who have extensive hacker credentials that they prefer their clients never find out about. It makes sense that security professionals tend to come from the hacker community, since a typical hacker is well educated in the common and not so common doorways that companies inadvertently leave open into their inner sanctums. Many of these former hackers have known since they were teens that "security" is, in a great many cases, a serious misnomer.

Any company that orders a pen test and expects the results to confirm that their security is intact and flawless is likely setting themselves up for a rude awakening. Professionals in the business of conducting security assessments frequently find the same old mistakes -- companies are simply not exercising enough diligence in protecting their proprietary information and computer systems.

The reason businesses and government agencies conduct security assessments is to identify their security posture at a point in time. Moreover, they could measure progress after remediating any vulnerabilities that were identified. Granted, a penetration test is analogous to an EKG. The next day, a hacker can break in using a zero-day exploit, even though the business or agency passed their security assessment with flying colors.

So, calling for a pen test in the expectation that it will confirm the organization is doing a bang-up job of protecting its sensitive information is folly. The results are likely to prove exactly the opposite, as demonstrated by the following stories -- one for a consulting company, the other with a biotech firm.

ONE COLD WINTER

Not long ago, several managers and executives of a large New England IT consulting firm gathered in their lobby conference room to meet with a pair of consultants. I can imagine the company technology people at the table must have been curious about one of the consultants, Pieter Zatko, an ex-hacker widely known as "Mudge."

Back in the early 1990s, Mudge and an associate brought together an assortment of like-minded guys to work together in cramped space in a Boston warehouse; the group would become a highly respected computer security outfit called l0pht or, tongue firmly in cheek, l0pht Heavy Industries. (The name is spelled with a small "L," a zero instead of an "o," and, in hacker style, "ph" for the sound of "f"; it's pronounced "loft.") As the operation grew more successful and his reputation spread, Mudge was invited to share his knowledge. He has lectured at places like the U.S. Army's strategy school in Monterey on the subject of "information warfare" -- how to get into an enemy's computers and disrupt services without being detected, as well as on data destruction techniques and the like.

One of the most popular tools for computer hackers (and sometimes for security people as well) is the software package called l0phtCrack. The magic this program performs is taken for granted by those who use it, and I suspect thoroughly hated by a great many others. The l0pht group garnered media attention because they wrote a tool (called l0phtCrack) that quickly cracked password hashes. Mudge coauthored l0phtCrack and cofounded the online site that made the program available to hackers and anybody else interested, at first free, later as a moneymaking operation.

Initial Meeting

The call that L0pht had received from the consulting firm (we'll call them "Newton") came after the firm decided they needed to expand the services they offered their clients by adding the capability to conduct pen tests. Instead of hiring new staff people and building a department gradually, they were shopping for an existing organization they could buy and bring in-house. At the start of the meeting, one of the company people laid the idea on the table: "We want to buy you and make you part of our company." Mudge remembers the reaction:

We were like, "Well, er, um, you don't even know much about us." We knew they were really interested largely from the media frenzy that l0phtCrack was creating.

Partly to buy time while he got used to the idea of selling the company, partly because he didn't want to rush into negotiations, Mudge came up with a delaying tactic.

I said, "Look, you don't really know what you'd be getting. How about this -- how about for $15,000 we will do an exhaustive pen test on your organization?"

At the time, the l0pht wasn't even a pen test company. But I told them, "You don't know what our skills are, you're basically going off of our publicity. You'll pay us $15,000. If you don't like what you get, then you don't have to buy us and it will still have been worth the time because you'll get a good pen test report and we'll have $15,000 in the bank.

"And, of course, if you like it and you're impressed by it, which we expect you will, then you'll buy us."

They said, "Sure, this is great."

And I'm thinking, "What idiots!"

To Mudge's way of thinking, they were "idiots" because they were going to authorize the l0pht team to break into their files and correspondence at the same time they were negotiating a deal to buy his company. He fully expected to be able to peer over their shoulders.

Ground Rules

Security consultants running a pen test have something in common with the undercover vice cops buying drugs: If some uniformed precinct cop spots the transaction and pulls his gun, the vice squad guy just shows his badge. No worries about going to jail. The security consultant hired to test the defenses of a company wants the same protection. Instead of a badge, each member of the pen-test team gets a letter signed by a company executive saying, in effect, "This guy has been hired to do a project for us, and if you catch him doing something that looks improper, it's okay. No sweat. Let him go about his work and send me a message with the details."

In the security community, this letter is known by all as a "get-out-of-jail-free card." Pen testers tend to be very conscientious about making sure they always have a copy of the letter with them when they're on or anywhere near the premises of the client company, in case they get stopped by a security guard who decides to flex some muscle and impress the higher-ups with his gumshoe instincts, or challenged by a conscientious employee who spots something suspicious and has enough gumption to confront the pen tester.

In another standard step before a test is launched, the client specifies the ground rules -- what parts of their operation they want included in the test and what parts are off-limits. Is this just a technical attack, to see if the testers can obtain sensitive information by finding unprotected systems or getting past the firewall? Is it an application assessment of the publicly facing Web site only, or the internal computer network, or the whole works? Will social engineering attacks be included -- attempting to dupe employees into giving out unauthorized information? How about physical attacks, in which the testers attempt to infiltrate the building, circumventing the guard force or slipping in through employee-only entrances? And how about trying to obtain information by dumpster diving -- looking through the company trash for discarded paperwork with passwords or other data of value? All this needs to be spelled out in advance.

Often the company wants only a limited test. One member of the l0pht group, Carlos, sees this as unrealistic, pointing out that "hackers don't work that way." He favors a more aggressive approach, one where the gloves are off and there are no restrictions. This kind of test is not only more revealing and valuable for the client but more pleasing to the testers as well. It is, Carlos says, "a lot more fun and interesting." On this one, Carlos got his wish: Newton agreed to a no-holds-barred attack.

Security is primarily based on trust. The hiring firm must trust the security company entrusted to perform the security assessment. Furthermore, most businesses and government agencies require a nondisclosure agreement (NDA) to legally protect proprietary business information from unauthorized disclosure.

It's common for pen testers to sign an NDA, since they may come upon sensitive information. (Of course, the NDA seems almost superfluous: Any company that made use of any client information would likely never manage to get another client. Discretion is essentially a prerequisite.) Frequently, pen testers are also required to sign a rider stating that the firm will do its best not to impact the company's daily business operations.

The l0pht crew for the Newton test consisted of seven individuals, who would work alone or in pairs, each person or team responsible for focusing on a different aspect of the company's operations.

Attack!

With their get-out-of-jail-free cards, the l0pht team members could be as aggressive as they wanted, even "noisy" -- meaning carrying out activities that could call attention to themselves, something a pen tester usually avoids. But they still hoped to remain invisible. "It's cooler to get all this information and then at the end know they hadn't detected you. You're always trying for that," says Carlos.

Newton's Web server was running the popular server software called Apache. The first vulnerability that Mudge found was that the target company's Checkpoint Firewall-1 had a hidden default configuration rule allowing in packets with a source UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port of 53 to almost all the high ports above 1023. His first thought was to attempt to mount their exported file systems using NFS (Network File System), but he quickly realized that the firewall had a rule blocking access to the NFS daemon (port 2049).

Although the common system services were blocked, Mudge knew of an undocumented feature of the Solaris operating system that bound rpcbind (the portmapper) to a port above 32770. The portmapper assigns dynamic port numbers for certain programs. Through the portmapper, he was able to find the dynamic port that was assigned to the mount daemon (mountd) service. Depending on the format of the request, Mudge says, "the mount daemon will also field Network File System requests because it uses the same code. I got the mount daemon from the portmapper, then I went up to the mount daemon with my NFS request." Using a program called nfsshell, he was able to remotely mount the target system's file system. Mudge said, "We quickly got the dial-up list numbers. We just download their entire exported file systems. We had total control of the system."

Mudge also found that the target server was vulnerable to the ubiquitous PHF hole (see Chapter 2, "When Terrorists Come Calling"). He was able to trick the PHF CGI script to execute arbitrary commands by passing the Unicode string for a newline character followed by the shell command to run. Looking around the system using PHF, he realized that the Apache server process was running under the "nobody" account. Mudge was pleased to see that the systems administrators had "locked down the box" -- that is, secured the computer system -- which is exactly what should be done if the server is connected to an untrusted network like the Internet. He searched for files and directories, hoping to find one that was writable. Upon further examination, he noticed that the Apache configuration file (httpd.conf) was also owned by the "nobody" account. This mistake meant that he had the ability to overwrite the contents of the httpd.conf file.

His strategy was to change the Apache configuration file so the next time Apache was restarted, the server would run with the privileges of the root account. But he needed a way to edit the configuration so he could change what user Apache would run under.

Working together with a man whose handle is Hobbit, the two figured out a way to use the netcat program, along with a few shell tricks, to get the closest thing to an interactive shell. Because the system administrator had apparently changed the ownership of the files in the "conf" directory to "nobody," Mudge was able to use the "sed" command to edit httpd.conf, so the next time Apache was started, it would run as root. (This vulnerability in the then-current version of Apache has since been corrected.)

Because his changes would not go into effect until the next time Apache was restarted, he had to sit back and wait. Once the server rebooted, Mudge was able to execute commands as root through the same PHF vulnerability; while those commands had previously been executed under the context of the "nobody" account, now Apache was running as root. With the ability to execute commands as root, it was easy to gain full control of the system.
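The defect at the heart of this escalation, httpd.conf owned by the very account Apache runs as, is something an administrator can check for mechanically. The following Python audit is an added example, not code from the book or from the l0pht team: it reads the User directive, follows Include lines, and flags any configuration path that the runtime uid owns or could write; the caller is assumed to supply that uid, and the config tree built in demo() is constructed purely for the demonstration.

```python
import os
import re
import tempfile

# Apache directives this audit cares about (assumed standard syntax).
USER_RE = re.compile(r"^\s*User\s+(\S+)", re.MULTILINE)
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.MULTILINE)

def runtime_user(conf_path):
    """Return the value of the User directive, or None if it is absent."""
    with open(conf_path) as fh:
        match = USER_RE.search(fh.read())
    return match.group(1) if match else None

def config_files(conf_path):
    """Yield the main config plus files it Includes (relative to its dir)."""
    base = os.path.dirname(conf_path)
    yield conf_path
    with open(conf_path) as fh:
        for inc in INCLUDE_RE.findall(fh.read()):
            path = inc if os.path.isabs(inc) else os.path.join(base, inc)
            if os.path.isfile(path):
                yield path

def audit(conf_path, runtime_uid):
    """List config paths the web server's uid owns or could write (0o022 =
    group/other write bits). The conf directory counts too: write access
    there lets the file be replaced rather than edited."""
    findings = []
    for path in list(config_files(conf_path)) + [os.path.dirname(conf_path)]:
        st = os.stat(path)
        if st.st_uid == runtime_uid:
            findings.append(f"{path}: owned by the web server's uid")
        if st.st_mode & 0o022:
            findings.append(f"{path}: group/other writable")
    return findings

def demo():
    """Constructed conf tree, audited as if Apache ran as its owner (the
    Newton mistake) and then as if it ran under a different account."""
    conf_dir = os.path.join(tempfile.mkdtemp(), "conf")
    os.mkdir(conf_dir, 0o755)
    conf = os.path.join(conf_dir, "httpd.conf")
    extra = os.path.join(conf_dir, "extra.conf")
    with open(extra, "w") as fh:
        fh.write("# constructed include\nServerName demo.invalid\n")
    with open(conf, "w") as fh:
        fh.write("ServerRoot /srv/www\nUser nobody\nInclude extra.conf\n")
    for path in (conf, extra):
        os.chmod(path, 0o644)
    weak = audit(conf, os.getuid())        # files owned by Apache's own uid
    fixed = audit(conf, os.getuid() + 1)   # owned by some other account
    return runtime_user(conf), weak, fixed
```

On a real host, pass the uid of the account named by the User directive (for example from the pwd module) and expect an empty list back; every finding is a path the web server could rewrite to change its own privileges at the next restart.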

Meanwhile, the l0pht attacks were progressing on other fronts. What most of us in hacking and security call dumpster diving, Mudge has a more formal term for it: physical analysis.

We sent people over to do physical analysis. One employee [of the client company] I guess had recently been fired and instead of just throwing out his paperwork, they had trashed his entire desk. [Our guys found] his desk set out with the trash. The drawers were full of old airline tickets, manuals, and all kinds of internal documents.
