Hackers and Scanners
Antti Palokangas

Hackers & scanners
• Most scanners are easy to use and widely distributed
• It is no longer a question of if, but when you will be probed
• You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? But such unprotected systems are easy to exploit, for example as platforms for DDoS attacks

What is a ”script kiddie”?
• Script kiddies can be advanced users or just kids who have found a handy tool and some bugs on the Internet
• Script kiddies look for an easy kill
• They do this by focusing on a small number of exploits and then searching the entire Internet at random for systems exposed to those exploits
• Scanners are important tools for finding exploitable systems

Example of script kiddie using scanners
• Step 1: The script kiddie finds a bug nobody else knows about, or uses a common exploit from e.g. www.cert.org or bugtraq (archived at www.securityfocus.com), hoping that the administrator of a system hasn’t fixed the bug
• Step 2: Uses tools (e.g. z0ne) to scan random networks for IP addresses. The tool builds an IP database which can also be used later (databases may contain over 2 million addresses)

Example of script kiddie using scanners
• Step 3: Scans the IP addresses for information: e.g. operating system type, running services, system architecture (x86, Alpha, Sparc)
• Step 4: Breaks into exploitable systems where the bug hasn’t been fixed

Usefulness of a scanner for a hacker
• It’s important to fix bugs immediately to prevent the above-mentioned attacks, and to run only the services that are needed
• The way bug fixes are distributed now means that a hacker who tries to take advantage of a known bug before it is fixed has only a small time margin, from an unpredictable time when the bug is found to an uncertain time when it is fixed
• This type of attack may not be suitable for a hacker who wants to break into a certain well-administered system.
But there is always somewhere a system that hasn’t been updated

Usefulness of a scanner for a hacker
• We may say that finding holes with a publicly known vulnerability scanner is probably most useful if the goal of the hacker is
 – just to break in somewhere
 – terrorist action or vandalism
 – to commit a computer crime anywhere
• If the target is a specific system which is known to have high security, the hacker should:
 – find new holes, not the ones on the bulletin boards,
 – or plant holes using viruses or other distribution methods
• A scanner can be useful, but it should not be easily detected. Therefore it may not be necessary for the attacker to gather all the information he could get. After all, he may have rather few new holes that can be used.

Reverse engineering security patches
• Currently security patches in software releases are reverse engineered, their security implications are worked out, and similar holes are then looked for in other pieces of software.
• This is relatively slow work (though not very slow: reverse engineering a security patch may be done in a day), but it will find new holes.
• Being too certain of security after having successfully scanned a system without finding any vulnerabilities is quite wrong. A security scanner can be compared to an anti-virus program: it only checks for known holes and must be updated to remain useful

Detecting scanning
• It may be possible to monitor the network for odd behaviour and detect scanning
• One way is to find scanning patterns in our log files after a scan has occurred (manually, or automatically by Intrusion Detection Systems)

Detecting a scanner
• There are programs which detect a scanner: Courtney, Gabriel, scan_detector, TCP Wrapper, scanlogd, Argus.
• Some of them use a sniffer, like tcpdump, and look for a rapid sequence of short connection attempts to TCP and UDP ports. Some use proxies and keep logs
• There has not been any rise in the number of attacks made with SATAN or other scanners.
• We may assume this is because real attackers modify the scanners so that scanning goes undetected. It is for instance possible to slow scanning down below the level at which a scanner detector alarms.

Detecting a scanner
• There are also stealth scanners which do not leave traces of the scan. Jakal and Nmap are stealth scanners using a half scan (start the SYN/ACK handshake but never complete it).
• ”Half scanning” won’t fool e.g. PortSentry, tcplogd or Intrusion Detection Systems (IDS), but it prevents applications from logging suspiciously closed connections

Detecting scanning
• Courtney detects whether the system has been scanned by SATAN, or any other similar port scanner, and notifies the administrator. Courtney is a short Perl script which uses the tcpdump sniffer.
• tcpdump is a sniffer which puts a LAN interface into promiscuous mode so that all IP packets can be read by the sniffer. tcpdump is also one of the more popular programs for traffic measurement. The Courtney program notices port scanning from a rapid sequence of connection attempts to many UDP and TCP ports.
• Gabriel is similar to Courtney, but it is a binary created from C and does not use tcpdump. It only runs on Sun.
• Neither of these is very useful nowadays

Other ways to improve security
• Scanning a system and finding no bad holes (most systems cannot protect against DoS attacks, so that vulnerability is always there) may give a false feeling of security. There are bugs even though they are not found.
• What one can do is to replace the services with simpler ones which hopefully have much fewer bugs or none at all (if they are very simple, this is possible)
• Usually services are not replaceable; they can only be patched and updated
• TCP ports need not have the real daemon listening on them (or have the inetd daemon start the service, which is another common way). One can also make a proxy service using the TCP Wrappers developed by Wietse Venema.
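The detection rules described in the slides above (the rapid-sequence rule that Courtney and scanlogd apply, the half-scan case that applications never log, and the slow-scan evasion that stays under a rate threshold), as an added example in Python. This is not code from the slides or from any of the tools they name; the log format, thresholds and addresses are constructed for the example, and a real detector would take its packets from a sniffer such as tcpdump rather than from text.

```python
"""Toy port-scan detector in the spirit of scanlogd / Courtney.

Added example, not code from the slides or from the tools they name.
Input format is constructed for this example: one packet per line,
"<unix_ts> <src_ip> <dst_port> <flag>", flag = S (client SYN),
A (client ACK completing the handshake) or R (reset).
"""
from collections import defaultdict, deque

RAPID_PORTS = 7      # distinct ports hit by one source...
RAPID_WINDOW = 3.0   # ...within this many seconds -> "rapid sequence" alarm
SLOW_PORTS = 20      # distinct ports over the whole log -> slow-scan alarm


def parse_events(text):
    """Parse the constructed log format into sorted (ts, src, port, flag) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dport, flag = line.split()
        events.append((float(ts), src, int(dport), flag))
    events.sort()
    return events


def detect_rapid_scans(events, max_ports=RAPID_PORTS, window=RAPID_WINDOW):
    """Courtney-style rule: flag a source whose SYNs reach >= max_ports distinct
    ports within `window` seconds. A scanner pacing its probes slower than this
    stays under the threshold, which is the evasion the slides mention."""
    recent = defaultdict(deque)   # src -> deque of (ts, port) for recent SYNs
    flagged = set()
    for ts, src, port, flag in events:
        if flag != "S":
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= max_ports:
            flagged.add(src)
    return flagged


def detect_half_open(events):
    """(src, port) pairs that saw a SYN but never the completing ACK. A half-open
    scan never finishes the handshake, so the application logs nothing; only
    packet-level monitoring sees these probes."""
    synned, completed = set(), set()
    for _, src, port, flag in events:
        if flag == "S":
            synned.add((src, port))
        elif flag == "A":
            completed.add((src, port))
    return synned - completed


def detect_slow_scans(events, min_ports=SLOW_PORTS):
    """Rate-independent rule: count distinct ports per source over the whole log,
    which catches a scanner that spaced its probes out to dodge the rapid rule."""
    ports_by_src = defaultdict(set)
    for _, src, port, flag in events:
        if flag == "S":
            ports_by_src[src].add(port)
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def analyze(text):
    """Run all three rules and return the sources each one flags."""
    events = parse_events(text)
    return {
        "rapid": detect_rapid_scans(events),
        "slow": detect_slow_scans(events),
        "half_open_sources": {src for src, _ in detect_half_open(events)},
    }


def build_sample_log():
    """Constructed sample traffic (not a real capture) for three hosts."""
    lines, t0 = [], 1_000_000.0
    # 10.0.0.7: ordinary client, full handshakes to three services over a minute
    for i, port in enumerate((22, 80, 443)):
        t = t0 + 20.0 * i
        lines.append(f"{t:.3f} 10.0.0.7 {port} S")
        lines.append(f"{t + 0.010:.3f} 10.0.0.7 {port} A")
    # 10.0.0.99: fast half-open scan, SYN then RST to ten ports within one second
    for i, port in enumerate(range(1, 11)):
        t = t0 + 0.1 * i
        lines.append(f"{t:.3f} 10.0.0.99 {port} S")
        lines.append(f"{t + 0.001:.3f} 10.0.0.99 {port} R")
    # 10.0.0.42: slow half-open scan, one port per minute, 25 ports in total
    for i, port in enumerate(range(1000, 1025)):
        t = t0 + 60.0 * i
        lines.append(f"{t:.3f} 10.0.0.42 {port} S")
        lines.append(f"{t + 0.001:.3f} 10.0.0.42 {port} R")
    return "\n".join(lines)


if __name__ == "__main__":
    for rule, sources in analyze(build_sample_log()).items():
        print(f"{rule}: {sorted(sources)}")
```

On the sample, the rapid rule flags only the fast scanner, the slow rule flags only the paced one, and the half-open rule flags both, while the ordinary client, which completes every handshake, trips nothing. The point for a defender is that a rate threshold alone is exactly what a patient scanner tunes against, so the distinct-port count over a long window is the rule that should back it up.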
Other ways to improve security
• SOCKS is a proxy technique which is used to build circuit-level firewalls. Socksifying all ports is one way to stop an intruder from using them.
• There are tools (IP Personality, Fingerprint Fucker, Stealth patch, IPlog) to fake your operating system’s fingerprint so that Nmap is fooled and guesses wrong.
• Exploits are often OS-specific, so faking the fingerprint makes hacking more difficult

Other ways to improve security
• The defender could offer some traps to see if the attacker tries them
• These traps are called honeypots
• Honeypots should be implemented so that the attacker can’t do anything harmful, but the honeypot administrator gains valuable information on the attacker’s methods
• More on honeypots: http://project.honeynet.org/

How to test your own vulnerabilities?
• If you have only one computer, you could use an Internet service to scan for your vulnerabilities. Several sites do it for free, usually after registering.
• How much do you trust these kinds of services?
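The honeypot property the slides ask for (the attacker can do nothing harmful, the administrator still learns who probed and what they sent), as an added example in Python. This is not code from the slides or from project.honeynet.org; the listening address, the fake banner and the record format are assumptions made for the example. It is a low-interaction trap: whatever arrives is recorded and never parsed, executed or forwarded.

```python
"""Minimal low-interaction TCP honeypot.

Added example; not code from the slides or from project.honeynet.org.
The trap listens, records who connected and what they sent, answers with a
static fake banner and closes. Nothing received is ever executed, parsed or
forwarded. Host, port and banner are assumptions made for the example.
"""
import socket
import threading
import time

FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"   # constructed; advertises nothing real


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, max_bytes=256):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 -> the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.max_bytes = max_bytes
        self.records = []                     # (timestamp, peer_ip, peer_port, payload)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self.sock.accept()
            except socket.timeout:
                continue
            payload = b""
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(FAKE_BANNER)
                    payload = conn.recv(self.max_bytes)   # first bytes only; never acted upon
                except OSError:
                    # A connect-and-close probe (a plain TCP connect scan) lands here;
                    # the connection itself is still worth recording.
                    pass
            self.records.append((time.time(), ip, port, payload))

    def wait_for(self, count, timeout=2.0):
        """Block until `count` records exist or the timeout expires; return a copy."""
        deadline = time.time() + timeout
        while len(self.records) < count and time.time() < deadline:
            time.sleep(0.02)
        return list(self.records)

    def sources(self):
        """Distinct peer addresses seen: the first thing an administrator wants to know."""
        return sorted({ip for _, ip, _, _ in self.records})


def probe(port, data, host="127.0.0.1"):
    """Stand-in client for the demo: connect, send `data`, return the banner."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(data)
        return c.recv(128)


if __name__ == "__main__":
    hp = Honeypot().start()
    print("banner seen by client:", probe(hp.port, b"HELO scanner.invalid\r\n"))
    for ts, ip, port, payload in hp.wait_for(1):
        print(f"{ts:.0f} {ip}:{port} sent {payload!r}")
    hp.stop()
```

The design choice that makes this safe to expose is that the server side has no command handling at all: the record is the only output, and the banner is the only input-independent response. A connection that is closed before sending anything (a plain connect scan) is still recorded with an empty payload, which is the case the slides' half-scan discussion says application logs usually miss.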