How to Hack Your ISP

by Krellis  (krellis@the-pentagon.com)

After seeing the security procedures at my local ISP, both physical and on their servers, I felt I had to inform others of these pathetically lax procedures.  If even a few local ISPs are as bad as mine, huge gaping holes exist that must be fixed.  I hope to provide enough information here to allow the ISP security services to fix their problems.

Throughout this article, I will refrain from using the real name of my ISP.  This is simply because they wouldn't like me much if they saw how I'd tested their security, and I don't want a bunch of malicious little idiots who think they're cool going into my ISP and hacking the shit out of it.  I've already spread this information too much, and because of that, the ISP took some new security measures (detailed later) that screwed up any clean, wholesome fun that myself and others could have had.

When I started with this ISP, I had little to no UNIX experience.  I now write this as someone who administers his own UNIX system (FreeBSD 2.2.5-RELEASE on a custom kernel).  When I started, I couldn't even get my webpage set up right.  Let me give you an overview of the services provided by my nameless ISP.  For US$ 19.95 per month, you get a PPP dial-up account, giving access to WWW, FTP, and all other normal Internet services.  You also receive a shell account on their (Linux 2.0.30 based) main server with 5 MB included storage space.  This server serves mail, FTP, WWW, and Telnet for the users of the ISP.  Three PPP dial-up access numbers provide access to this server through about five gateways total.  The DNS server for this ISP runs on an Intel-based machine at 188 MHz.

Now I will go on to the security holes.  One of their biggest mistakes has to be the fact that the /etc/passwd file was (and still is at the time of writing) not shadowed.  Any user who has a valid login and password can Telnet or FTP in and download this file.  A run through a UNIX brute-force password file cracker with a 700k or so dictionary file returned some 1300 passwords (not including that of this author).  Mind you, this took a long time, even on my Intel Pentium II 266 MHz with 64 megs of RAM.  But it worked.  As a safety precaution, I have spread a few copies of this password list to secured directories on a number of Internet servers, in case I need to have a copy.  No, I won't tell you where it is.  Sorry.

Another major error on the part of the security team at my ISP was related to password selection by users.  A large number of users had ridiculously easy-to-guess passwords.  I mean, as in 12345 and abcdefg.  At least 100 users (I don't remember the exact number) used their username as their password!  Any decent ISP security staff should know not to allow that, and also should disallow the common passwords such as those mentioned above.
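The two defects described above (a readable, unshadowed /etc/passwd, and users allowed to pick their username or a trivial string as a password) are both things an ISP's staff can check for mechanically.  The following is an added example, not code from the article or from the author's ISP: a small audit script that flags accounts whose hash sits in /etc/passwd rather than in /etc/shadow, and a password-policy check of the kind the article says the ISP should have enforced.  The /etc/passwd sample, the user names, the hashes, and the short common-password list are all constructed for the example; the sequential-run check is a generalisation of the "12345" / "abcdefg" cases the article mentions.

```python
# Added example: audit an unshadowed /etc/passwd and enforce a basic
# password policy. Sample data below is constructed, not real.

# Constructed /etc/passwd in the style of a 1990s Linux system. A properly
# shadowed system shows "x" in field 2; "*" or "!" mark locked accounts.
# Here root and bob expose a (fake) hash, and carol has no password at all.
SAMPLE_PASSWD = """\
root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEH/:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:Jk8sLm1pQzXyW:1002:100:Bob:/home/bob:/bin/bash
carol::1003:100:Carol:/home/carol:/bin/bash
"""

# Minimal blocklist built from the article's examples; a real deployment
# would use a much larger list.
COMMON_PASSWORDS = {"12345", "abcdefg", "password", "qwerty"}

SHADOWED_MARKERS = ("x", "*", "!")


def unshadowed_accounts(passwd_text):
    """Return (username, reason) pairs for entries that expose a hash
    or have no password at all.

    Field 2 of a shadowed /etc/passwd is "x"; "*" and "!" denote locked
    accounts. Any other non-empty value is a hash readable by every user
    on the box, which is exactly what made offline cracking possible.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; do not guess at its meaning
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            findings.append((user, "empty password field"))
        elif pw_field not in SHADOWED_MARKERS:
            findings.append((user, "hash exposed in /etc/passwd"))
    return findings


def _is_sequential_run(s, min_len=4):
    """True for strings like '12345' or 'abcdefg' where every character
    is exactly one code point after the previous one."""
    if len(s) < min_len:
        return False
    return all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def password_policy_violations(username, password):
    """Return a list of reasons to reject a proposed password.

    An empty list means the password passes this policy. The rules mirror
    the article's complaints: no username-as-password, no passwords from
    the common list, no trivial sequences, plus a minimum length.
    """
    reasons = []
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("password is on the common-password list")
    if _is_sequential_run(password.lower()):
        reasons.append("password is a sequential run of characters")
    if len(password) < 8:
        reasons.append("password is shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    for user, reason in unshadowed_accounts(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
    for user, pw in [("jsmith", "jsmith"), ("alice", "12345"),
                     ("bob", "abcdefg"), ("carol", "Tr0ub4dor&3")]:
        print(f"{user}/{pw!r}: {password_policy_violations(user, pw) or 'ok'}")
```

The audit function is the check an administrator would run against a live system before the attacker does; the policy function is what a password-change tool should call before accepting a new password.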

One thing I must applaud my ISP for is their Sendmail setup.  They have configured Sendmail not to allow outside, unknown users to send mail through their system.  Another system I know of (which has a large user base) allows mail to be sent simply by Telnetting (anonymously) into the SMTP port and does not IP stamp!

Another problem my ISP has now rectified (due to the circumstances above, I believe) was that they allowed Telnet connections from IP addresses outside their network.  I (stupidly) told a "friend" the location of the password list, and he promptly accessed a few accounts and wreaked havoc with web pages.  This "hacker" (hah!  Not really!) screwed up web pages (not saving backups of people's files) and turned them into porno sites, just for personal laughs.  Frankly, that is not funny!  Do not do it!  If you come into privileged information, handle it wisely.  Don't do what I did, and stupidly give it to people who will be malicious with it.  All you are doing when you do that is tipping your hand and ruining it if you ever need to use the information.

Well, that's about it as far as my ISP's security is concerned.  There may be more, and I invite anyone else from my area who knows me to send in some more information.  I hope this has inspired some ISP security staff to improve the procedures in place on their systems!
