Tutorial: Wargames: Part 2 -- LONG

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Tutorial: Wargames: Part 2

    Wargames: Steps to an attack

    If you missed Part 1, it can be found here

    While I do like hands on, there is occasionally a need for some theory. One of the important theories to get across to students is the methodology that is used to commit attacks. If you understand the process (which is relatively straightforward) then the rest would continue (assuming enough time). Not all of this can be done in class but if you build your own wargames setup, make sure to include a DNS server and create a "fake" company. One I use regularly for this course is "Hackers R Us". Students create the appropriate MX, A, etc. records as would be to fill the needs of the DNS. This is used in both the Intro Course (4 weeks of war games) and Advanced course (4 months of wargames --- Although I call it "auditing" with the advanced students).

    One caveat: In no way should you use this in an illegal manner. Do not attack your ISP, company or others without written consent from the proper authorities/management. If you choose to attack someone without their permission you may run the risk of being charged with a felony (dependent upon the laws of your nation). I DO NOT ADVOCATE THIS, ENCOURAGE THIS NOR SUGGEST YOU DO THIS.

    For this tutorial, I will look at the methodology involved in the "dark side" of things. The steps are as follows:
    Code:
    1. Pick a target. 
    
    2. Case the Joint
    	a) footprinting
    	b) scanning
    	c) enumeration
    
    3. Robbing the Place
    	a) launch DoS/DDoS/DRDoS
    
    	OR
    
    	b) gain access to the network
    		- social engineering
    		- brute force, old accounts, default passwords
    
    	c) escalating privilege and pilfering data
    
    4. Going Stealth
    	a) erasing/altering logs
    	b) putting a back door in

    1. Picking a target

    This one always starts with the Why. The reasons for breaking in vary. For our purposes it's a learning experience to understand things but out there -- in that "Real World" -- the reasons are varied:

    - money: The book The Cuckoo's Egg talks about the "hacker" that was paid with cocaine via the KGB. We are seeing more and more industrial espionage happening.

    - fame: everyone is a "media whore" at one point or another. Some just want to see their name on the front of CNN and on the lips of every script kiddie.

    - revenge: "I'LL SHOW YOU!!!!!! I'M L337!!!!" (... and apparently have a stuck caps key)

    - statement (Hacktivism): either political reason or non-political. I remember after the India earthquake in 2001 some defacers chose NASA.gov as their launch point to encourage people to donate to the Red Cross and bring attention to their plight (there wasn't much attention being given due to the 9/11 attacks that happened around the same time)

    - fun: Hey.. it's like a roller coaster. You get to see someone else squirm. And "ain't it neat what I can do!"

    - status (self-esteem): @Large certainly highlighted this. The stereotype of the "hacker" being someone who doesn't socialize, is an outcast in the real world and very shy but in cyberspace, they rule because they know..

    - to gain access: The idea of "I want to see what they are doing".

    - just because (Mount Everest Reason): What the hell, eh? It's there. Why shouldn't I do this?
    I think there is also the mentality of looking for vulnerable machines and "let's see what this exploitz I found does" (I spell better than them... imagine it's in "leet"). This might explain the influx of DoS attacks attributed in the 2003 CSI/FBI Computer Crime Report.

    2. Casing the Joint

    Much like the thieves in that Home Alone series of movies, good attackers will learn about their "victims" before attempting to break in. They will do ... *gasp* .. research. "We must do reeee-search", says Uncle from the Jackie Chan Cartoon. How right you are, sensei. The importance of research cannot be stressed enough. And it is that fact, IMHO, that separates the real ones from the frauds. Frauds aren't interested in taking the time to research, they just want to break in. So what kind of research?

    Footprinting, scanning and enumeration

    Generally, we'll start with footprinting. That is, we want to get an idea or shape of the network. We won't use scanning tools just yet as they can be noisy and give away our position. As an attacker, this is much like a strategy game. Putting all my cards on the table too soon tells my opponent what I'm going to do. As an attacker I'd probably start with simple Whois searches. These can be done through websites like samspade.org or networksolutions.com, etc. If I do a simple search using Network Solutions on that giant multinational MsMittens.com I get the following:

    Code:
    msmittens.com  	 
    
    Registrant:
    Inc., MsMittens (MSMITTENS-DOM)
    80 Pembroke Street
    Swuite 6
    Toronto, Ontario M5A 2N8
    CA
    
    Domain Name: MSMITTENS.COM
    
    Administrative Contact:
    Inc., MsMittens (27849169I) msmittens@msmittens.com
    1234 Main Street
    Toronto, Ontario A1A 2B2
    CA
    999-999-9999 fax: 999 999 9999
    Technical Contact:
    Inc., MsMittens (27849169I) msmittens@msmittens.com
    MsMittens Company
    1234 Main Street
    Toronto, Ontario A1A 2B2
    CA
    999-999-9999 fax: 999 999 9999
    
    Record expires on 22-Sep-2005.
    Record created on 23-Sep-1996.
    Database last updated on 5-Dec-2003 17:06:46 EST.
    
    Domain servers in listed order:
    
    AUTH01.NS.ISP.NET 1.1.1.1
    AUTH02.NS.ISP.NET 1.2.3.4

    From this I've learned a few things: Contact info (apparently the admin at this site is called MsMittens Inc... weirdo name) and I can see the phone and fax. Now in my domain I've put in false phone information (amazing how the phones to get me better long distance have dropped now) but sometimes attackers will look at phone and fax to determine whether a company has a range of phone numbers. If they figure out that the company has purchased then there is an opportunity to do some wardialing to find some machine that a user might have left on connected to their personal ISP because it was "so important they download personal email" (and didn't tell the admin of course).

    I also now know the address and could use that for a potential social engineering opportunity (more on that later). Lastly I have the domain information. Using tools like dig and nslookup I can find out more information. With the right options I can find out things like server listings. I can then compare them with the DNS. This might tell me whether they host their servers locally or whether they host them elsewhere. Potentially, I might even find out what OS or server type it is. In one audit I did for a company I used to work for a little nslookup revealed "mx.toronto.nt4sp6.company.com". Geez. Don't make it too hard for me.

    As I mentioned I have that wacko admin name. I can use this in a few ways. I can do searches through forums and newsgroups to see if the admin has requested help anywhere about their servers. It might tell me OS, patches, etc. if I find the right help area. If that doesn't turn up anything I might eventually use it for social engineering using the role(s) of a sales person trying to sell a firewall product or some other such device. People are inherently helpful. It is pounded into us that the "Customer is King". And since we don't know who our next customer may be, we tend to help and be nice to everyone (except for the BOFHs on this board.).

    If I do social engineering at this stage, it's merely to get information about the network layout. As the attacker I need to know what machines are where, what runs on them and what the attitude is towards giving out information. I might use this later so I'll keep it handy.

    Now that I've got some research done and have recorded that information, I can look towards getting more information. I may or may not have gotten accurate indications of what OSes are being used, services/daemons being run, patch levels, etc. So I'll probably need to use a scanner. Rather, I'd need to use multiple scanners. While many scanners are good at getting information, sometimes they aren't always accurate. And sometimes a scan from one location gives different results from other locations. Here at the school, students are allowed to abuse a server called "Hoser". "Hoser" gives different responses depending on whether you scan from outside the school network versus if you scan internally. And some scanners work better against certain OSes. The following isn't a definitive list but should be a good place to start:

    Nmap: by far, this remains the "King of Scanners". Kudos to Fyodor on creating a worthwhile product. Works good against most OSes (Mac OS is still a problem one I find).

    Retina: from eEye, this is the premier Windows target scanner. It's a $$ product but you can play with it for a couple of weeks. It's quite powerful and pulls a fair amount of information.

    Nessus: Open Source project that is good for testing not just vulnerabilities but also stability (will the server withstand an onslaught).

    Saint: was Open Source but has gone $$ unfortunately. Based on SATAN

    SARA: Open Source and based on SATAN

    SATAN: The original. Not up to date.

    As an attacker I will need to scan these machines but when to do it? One of the biggest fallacies is that scanning should be done when no one is in. Actually, when you think about it, you'd want to do scanning during high volume times. Why? As an attacker, I can hide my scans with the traffic. With luck, the IDS will be overwhelmed by a variety of packets and perhaps not give a full report. I'd also slow down the scanner(s) request so that it's not immediately picked up. To go further I might even see if there is a wireless network (war walking) and try an "internal" scan if they haven't locked down their network.

    This will flush out my diagram of the network and give me a better idea of how things work. I should be able to tell if it's a MS shop, *nix shop, mixed, etc. More critically, I'll be able to find the vulnerabilities. *smack*

    "Uncle says... re-search! We must do reeeeeeeeeeee-search!"

    Research the vulnerabilities to understand what causes the problem. If you understand how the flaw works, then you'll know how "noisy" it will be to attack that flaw. I might go searching for exploits. But remember that when searching for exploits it is a) better to build your own b) if you have to use others' exploits, "buyer beware" so check first c) not all exploits out there work (you may need to "fix" them). You may even need to modify the exploit to perhaps cause something else to happen. Take time to do "reeeeeeeeeee-search".

    The last step for this is to do enumeration, or basically, find out what accounts exist. This can be done through some social engineering, a quick Open Relay SMTP email, SMTP check, etc. You could even get the username from information retrieved in the footprinting section. In this period of time, you should have a few pages of information about your target. An attacker might also do some dumpster diving here to get memo info, old emails, etc. Anything that can help give an idea as to how the internal network works.

    Know yourself, know your enemy; your victory will be certain. Know Heaven, know Earth; your victory will be complete.

    3. Robbing the Place

    Depending on the goal, the next steps will either be the last or middle of the whole thing. If the next step is a DoS (revenge/anger/fun motive usually), then after the DoS is run for extensive period nothing further may come of it. Then again, an attacker could use the DoS to hide the actual activity (draw attention of admin so he comes in the "backdoor" as it were). DoS attacks are simple. They come in a variety of forms but the most common is a network bandwidth issue.

    If I'm going beyond this, then my next step is to get an account into the network. One way I might do this is through some social engineering. A phone call to the admin pretending to be a lost, new worker asking for help and having a new huge project to do .. and oh ya.. the boss is away in some big CEO meeting/retreat and can't get the paperwork.. oh could you help me? PLUUUUUUUUUUUUUUUUUUEEEEEEEEEEEEEEZZZZZZZZZZZZZZZEEEEEEEEEEEEEEEE... annoyance/lamer factor can be helpful here. Most admins avoid dealing with "lusers" and the less time on the phone and more time on the CS server, the better.

    Other methods might require a little more time and finesse. Finding out who does the 2am cleaning routine and seeing if they are hiring is another way. "Sticky gardens/farms" are often found on monitors, under keyboards, top drawer, under desk mats, garbage cans, etc. By being able to be there after hours and having a good memory (or perhaps a little camera), user names, passwords, etc. can be found.

    Desperate attackers might resort to brute force attacks. At the request of a senior admin, I did a full onslaught brute force attack against a junior admin's FTP server. The senior admin was concerned about the security of it (well should he be). After 4 days of brute forcing I came to visit and asked the junior admin how the FTP server was doing. He said fine. I asked him if there were any security concerns. He said none but then he had never checked. I did eventually get the password -- letmein -- and the junior never realized or noticed the brute force attack.

    In my initial check of the network, I probably found some devices. I'd also check to see if default passwords exist. Heck, I might even try default passwords on voice mail boxes and use them as planning locations with "friends". Decent research will find the infamous 2600 network device lists of default user/pass.

    Once an account is obtained then it's a matter of time to then run a root granting exploit. For the last few semesters, ptrace() exploits were really popular with the students. (Granted they aren't programmers but they do understand buffer overflows). A bit of a caveat reminder: be careful about what you use. Sometimes it won't do what you expect. One of my favourites that I run into at least once every semester is an "exploit" that is called "SuperDude". SuperDude looks like a dud after compiling but students sometimes don't check around to see if it left any files. When you run SuperDude, it creates a SUID file in /tmp. I often take over students' accounts through this and change the .bash_profile to:

    Code:
    echo "MWAHAHAHAHAHAHAHAHAHA"
    echo "I OWNZ YOU"
    echo " rm -rf *"
    sleep 60
    exit

    Ain't I evil?

    The important part of this step is gaining root or administrator access. Once the power account is done, get the data. For the wargames, retrieval of the shadow file or other important but unique file is an indication of "victory". I've collected the shadow file 3 times personally from our "Hoser" box. Kinda fun.

    4. Going Stealth

    Of course, now that you've gotten in once, you want to go back again and again and again... First, you need to hide that you were there. This means cleaning and/or deleting logs. In some of the wargames students were successful at deleting some logs but forgot others like syslog or .bash_history. Heck, in one case, the up-arrow seemed to keep values other than .history and students could figure out they had been compromised and how.

    Also, need a way back in. Creating a hidden account is helpful. Sometimes even hiding it in plain sight can be fun too. One student said his machine was acting weird and I suspected that he had been compromised. So I did a quick glance over his passwd file. Lo and behold I saw a user called mial. I suggested to the student to review his logs. Ideally, you'd want more than one account. Defenders can create thousands of dummy accounts. The more variety the better. Remember that it is a learning experience so the more realistic it is, the greater the impact. If need be, use the phone book as a way to put in names for "dumdum" accounts.

    Now through all of this, as the attacker, you would have kept records on everything. In addition, you would have made recommendations as to fixes for the holes/flaws/vulnerabilities you found in the system. These include computers, network devices and individuals. We become so focussed on technology we forget sometimes the effect that people have.




    For those who asked if I did seminars, well.. this is it. This particular tut incorporates how I start off teaching Introduction to Network Security.

    This particular Tut ended up being longer than anticipated so I think it will keep everyone amused for a bit. I probably won't continue until mid next week. I'm fighting a bit of a cold right now (making me a bit light headed so if there are major gaffes, that's why) as well as heavy marking (end of semester reports and exams).

    And if there are questions, ask away.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
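
From the defender's side of the FTP brute-force story in the post above, where the junior admin never noticed four days of guessing: an added example, not part of the original post, that reads login records and flags both a fast burst and a slow run of failures that ends in a successful login. The log lines are constructed in vsftpd's log style (the post does not name the FTP server), and the thresholds and function names are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in vsftpd log style; addresses are documentation ranges.
SAMPLE_LOG = """\
Mon Dec  1 08:58:12 2003 [pid 301] [jsmith] FAIL LOGIN: Client "192.0.2.10"
Mon Dec  1 08:58:30 2003 [pid 301] [jsmith] OK LOGIN: Client "192.0.2.10"
Mon Dec  1 09:00:00 2003 [pid 310] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Dec  1 21:00:00 2003 [pid 322] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue Dec  2 03:15:01 2003 [pid 330] [root] FAIL LOGIN: Client "203.0.113.9"
Tue Dec  2 03:15:02 2003 [pid 331] [root] FAIL LOGIN: Client "203.0.113.9"
Tue Dec  2 03:15:03 2003 [pid 332] [root] FAIL LOGIN: Client "203.0.113.9"
Tue Dec  2 03:15:04 2003 [pid 333] [root] FAIL LOGIN: Client "203.0.113.9"
Tue Dec  2 03:15:05 2003 [pid 334] [root] FAIL LOGIN: Client "203.0.113.9"
Tue Dec  2 09:00:00 2003 [pid 340] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue Dec  2 21:00:00 2003 [pid 351] [admin] FAIL LOGIN: Client "198.51.100.7"
Wed Dec  3 09:00:00 2003 [pid 360] [admin] FAIL LOGIN: Client "198.51.100.7"
Wed Dec  3 21:00:00 2003 [pid 371] [admin] FAIL LOGIN: Client "198.51.100.7"
Thu Dec  4 09:00:00 2003 [pid 380] [admin] OK LOGIN: Client "198.51.100.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse(line):
    """Return (timestamp, user, result, client) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]

def detect(lines, burst_threshold=5, window=timedelta(minutes=10),
           slow_threshold=5):
    recent = defaultdict(list)  # client -> failure times still inside window
    total = defaultdict(int)    # client -> failures since its last success
    burst_flagged = set()
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if result == "FAIL":
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= burst_threshold and ip not in burst_flagged:
                burst_flagged.add(ip)
                findings.append(("burst", ip, len(recent[ip])))
        else:
            # A success after many failures is the case a rate limit misses:
            # one guess every few hours never fills the short window.
            if total[ip] >= slow_threshold:
                findings.append(("success_after_failures", ip, user, total[ip]))
            total[ip] = 0
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The second rule is the one that matters for the case in the post: the slow client never trips the ten-minute window, but its eventual successful login is reported together with the failure count that preceded it.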
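
The two leftovers the post describes, the "mial" account hiding in plain sight in the passwd file and the SUID file dropped in /tmp, are both things a defender can check for mechanically. This is an added example, not part of the original post: the sample passwd content is constructed, and the list of system names, the distance rule and the function names are assumptions made for the illustration.

```python
import os
import stat

# Short illustrative list of well-known system account names (not exhaustive).
SYSTEM_NAMES = {"root", "daemon", "bin", "sys", "mail", "news", "uucp",
                "operator", "nobody", "ftp", "sshd", "lp"}

# Constructed sample passwd content.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:/sbin/nologin
student1:x:500:500::/home/student1:/bin/bash
mial:x:501:501::/home/mial:/bin/bash
sysadm:x:0:0::/root:/bin/bash
"""

def osa_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def audit_passwd(text):
    """Flag extra UID 0 accounts and names one edit away from a system name."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            findings.append(("uid0", name))
        if name in SYSTEM_NAMES:
            continue
        for known in sorted(SYSTEM_NAMES):
            # Skip very short names: "bin" vs "ben" would be noise.
            if len(known) >= 4 and osa_distance(name, known) == 1:
                findings.append(("lookalike", name, known))
    return findings

def find_setuid(root):
    """List regular files under root that carry the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; keep walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    print(find_setuid("/tmp"))
```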

  2. #2
    Banned
    Join Date
    Sep 2002
    Posts
    222
    MsMittens, these are absolutely excellent. Are you allowing people to post these to other sites/forums, or would you rather it be kept here on AO?

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'd rather they'd be here (that silly copyright thingy on the bottom of the site) but by all means promote and encourage people to visit.

  4. #4
    That is awesome. Where do you teach? I am looking at colleges, although I would like MIT, I do not have the grades (I don't think grades show anything, but hey...). I may apply to Rensselaer, but I would like to at least take a look at your school.

    -Cheers-


    [Edit] I am trying to learn security and black hat techniques on my own network (well not mine, but the network at home). I would really like to be an Intrusion Specialist, or whatever most White Hats are; not quite in the research field, but it could be fun. Learning this, even failing, is much more fun than school (except wrestling practice)

  5. #5
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    I'm about to copy/paste all these tuts for references in my library/collection ...thank you so much mittens.

  6. #6
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Who said the early bird gets the worm?
    This night owl has got something here that will keep him awake till well past his get up call. This is a LOT of info; for the experienced out there, it is just a stroll in the park, but as a newbie to both this site AND to 'heavy duty' IT, it is a little bit disconcerting to realise that to get to the good stuff you really do need to remember a LOT of other stuff.
    First up I'm going to follow the advice of some of the senior members on site, and that is to read until my eyes bleed !!! I fully intend to use this site as the extensive training tool it is.

    I am hoping to become a Sys Admin type of guy, and if this is what it takes, then so be it.
    Sorry for the rambling, but it really is late, and there is no sign of those pills working.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  7. #7
    Banned
    Join Date
    Sep 2002
    Posts
    222
    PM8228: Good luck getting into RPI. I'll be applying there as well.

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Where do you teach?
    Somewhere in the first wargames tut thread I mentioned it: Seneca College in Toronto. Unlike US colleges, we offer diplomas -- for now. We are getting closer to degree. Perhaps next spring I'll be making that announcement.

  9. #9
    I apologize for missing that. So I would not really want to apply there yet, jobwise? This college thing is pissing me off.
    [Off Topic Rant] Grades show nothing, not even responsibility. It is a meaningless way of ineffectively evaluating students. *Four letter words for a few minutes* [/Off Topic Rant]

    At worst I will end up at OSU with my best friends and every time I feel bad I can look out the window and see a bar just within walking distance.... No campus has more bars within sight of it. But that's not why we go to college, right... Good luck to you as well Jenny.

    Is it officially "Intrusion Detection Specialist" or "Network Auditing Specialist"? Or something completely different?

    -Cheers-


    PS: All those old ass tutorials that I used to read, from like the 1960's say you need to be able to program to hack, but the fact is that all I have seen is you need to be able to understand a few things, but mostly be innovative and know how to abuse services Har HAr

  10. #10
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    As per Cybr1d, I am going to copy and paste this tut. As for PM8228, I have worries about his preference for 'wrestling practise' or I could be in the wrong thread.
    I'm definitely feeling the pills starting. I'm on Doctors orders, but he doesn't prescribe Guinness... one to be taken plenty of times a day.
