____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING

Beginners' Series Number 7

The Exploit Files
____________________________________________________________

by keydet89@yahoo.com and Carolyn Meinel

How many times have you read hacker newsgroups or email lists and seen posts
that begged "teach me to hack," or asked "how do I hack this"? It often
looks as though the person asking the question just doesn't understand the
basics of vulnerabilities and their exploits. The purpose of this Guide is
to explain what vulnerabilities and exploits are, and how they relate to
computer security.

Let's start with an example. Suppose that you are trying to sell something
by phone. So you start by calling phone numbers, and you keep calling until
you get someone to answer, not an answering machine, but a real live person.
Then if the person who answers the phone speaks the same language as you and
can understand you, you try to sell your product.  Lots of people will hang
up on you, but eventually, someone will buy something...bang!  You've scored!

*****************************************************************
In this Guide you will learn:

* What is a vulnerability
* What is an exploit
* How to look for vulnerabilities
*****************************************************************

So what does this have to do with 'hacking'?  Look at your dialing of phone
numbers as port scanning IP (Internet protocol) addresses on the Internet.
Some Internet host computers won't answer. Maybe a firewall is blocking the
ports that you're scanning.  Some hosts will answer, and at that point
maybe, just maybe, you've found a vulnerable computer.

********************************************************************
Newbie note: What are these 'ports' we are talking about?  This kind of
'port' is a number (0 through 65535) used to identify a service on an
Internet host.  For this reason they are often called 'TCP/IP' (Transmission
Control Protocol/Internet Protocol) ports, to distinguish them from other
kinds of computer ports such as modems, ports to printers, etc.  (UDP, the
other common Internet transport, has its own separate set of port numbers.)
Each host computer connected to the Internet is identified by an IP address,
four numbers such as 198.51.100.5, and usually also by a host name such as
'victim.fooisp.com' that the Domain Name System translates into that
address.  Since each host may have many services running, each service uses
a different port.  To contact any of these services across the Internet, you
use the host's IP address and port number -- it's kind of like dialing a
phone number and then an extension.
********************************************************************

Now maybe you have connected to telnet, port 23.  You get a login prompt,
but you don't know any valid username/password combinations.  So the host
"hangs up" on you.  After many hours of trying, you connect to a host on the
right port, and Shazam!! You're greeted with a login prompt, and you quickly
guess a valid username and password combination.  The next thing you know,
you have a command prompt. You have discovered a vulnerability -- an easily
guessed password! So being the 'white hat hacker' that you are, you send an
email to the sysadmin of the site and leave quietly.

*****************************************************************
Newbie note: A 'host'  is a computer connected to the Internet. A 'service'
is a program that is running on a port of an Internet host. Each service is
a program that will respond to certain commands. If you give it the right
command, you will get it to do something for you.

The simplest example of a service is 'chargen', or character generator (port
19). If you make a telnet connection on the chargen port to a server running
the chargen service, this program will react to this connection by sending a
string of characters which you will see being repeated across your telnet
screen.  All you need to do is connect to the service.

Another example of a service is finger (port 79).  If you run a finger
program to request information on a particular user from a specific host,
and the finger service (or 'fingerd') is running, and if the user has not
instructed the finger service to ignore requests about him or her, you will
get back information on that user.
*****************************************************************
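As an added example (not code from the original Guide), here is the phone-dialing analogy in Python: a 'connect' scan that completes the TCP handshake to each port, reads whatever the service says first, and reports each port as open, closed (the host answered with a reset) or filtered (no answer at all, typically a firewall dropping the packets).  Since you should only scan machines you have permission to scan, it comes with a constructed stand-in for the chargen service that it starts on your own machine; the port numbers it uses are assigned by the operating system at run time.

```python
# Added example (not from the original Guide): a minimal TCP 'connect' scan
# with a banner grab, run against a constructed chargen-style service that
# this program starts on localhost.
import socket
import socketserver
import threading

CHARGEN_LINE = (b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"[\\]^_`abcdefg\r\n")


class FakeChargen(socketserver.BaseRequestHandler):
    """Constructed stand-in for chargen (port 19): a real one streams lines
    until you disconnect; this one sends a single line and hangs up."""

    def handle(self):
        self.request.sendall(CHARGEN_LINE)


def start_fake_chargen():
    """Start the stand-in on 127.0.0.1 on an OS-chosen free port.
    Returns (server, port); call server.shutdown() when done."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeChargen)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def scan_port(host, port, timeout=1.0):
    """Try a full TCP connection to host:port, the way telnet would.

    Returns (state, banner):
      'open'      the handshake completed; banner holds whatever the service
                  sent on its own within the timeout (may be b'')
      'closed'    the host answered with a reset: nothing is listening there
      'filtered'  no answer at all, the usual sign of a firewall dropping
                  the packets
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:      # must come before the OSError catch-all
        sock.close()
        return "closed", b""
    except (socket.timeout, OSError):
        sock.close()
        return "filtered", b""
    try:
        banner = sock.recv(256)
    except (socket.timeout, OSError):
        banner = b""
    finally:
        sock.close()
    return "open", banner


def scan(host, ports, timeout=1.0):
    """Scan several ports in turn; returns {port: (state, banner)}."""
    return {port: scan_port(host, port, timeout) for port in ports}


def pick_closed_port():
    """Bind to port 0 to learn a free port, then release it, so the demo has
    a port on localhost that is known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, open_port = start_fake_chargen()
    results = scan("127.0.0.1", [open_port, pick_closed_port()])
    for port, (state, banner) in results.items():
        print(f"{port:5d}  {state:8s}  {banner[:24]!r}")
    server.shutdown()
    server.server_close()
```

The banner is the important part: the port number only tells you what is usually there, while the first bytes the service sends tell you what is actually there (and often which version).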

What services are run from these ports, and how can we learn more about
them? Ports numbered from 0 to 1023 are called the 'well-known' ports.
These were listed in RFC 1700 (see
http://www.internetnorth.com.au/keith/networking/rfc.html); the list is now
maintained by the IANA.  Many of the well-known ports are also listed in a
file on your computer called 'services'.  On Win95, it's
c:\windows\services; on NT, it's c:\winnt\system32\drivers\etc\services; on
many Unix type computers (your shell account) it's /etc/services.

These ports are called 'well-known' because they are commonly used by
certain services. For example, the well-known port for sending email is the
SMTP port, or port 25.  Because it is 'well-known', any mail server can
deliver email to any other mail server without first being told which port
to use.  Because port 110 is the well-known port for checking email, all
email clients know that they have to connect to a POP server on port 110 in
order to retrieve email.

Keep in mind that the 'services' file is only a lookup table.  It tells you
what normally runs on a port, not what actually does: a sysadmin (or an
intruder) can run any program on any port, so a scanner that reports 'smtp'
for port 25 has only matched a number against that table.  To know what is
really there you have to connect and look at what the service says.

An excellent FAQ (frequently asked questions) on TCP/IP ports can be found
at http://www.technotronic.com/tcpudp.html

*************************************************************
You can get punched in the nose warning:  There are many port scanning
tools, and wannabe hackers use them ... a lot.  But for what purpose? In
most cases all that happens is that a sysadmin or firewall administrator
goes through the logs that computer keeps of who has tried to hack that
site. He or she then decides whether to ignore your scan or call the
sysadmin of the site that your scan came from. Even though (in the US at
least) port scanning is legal, it makes systems administrators really mad at
you! To avoid getting kicked off your Internet provider, get permission to
scan first!
*************************************************************

What Is a Vulnerability?

A 'vulnerability' is anything about a computer system that will allow
someone to either keep it from operating correctly, or that will let
unauthorized people take it over.  There are many types of vulnerabilities.
They may be a misconfiguration in the setup of a service, or a flaw in the
programming of the service.

An example of a setup misconfiguration is leaving the 'wiz' or 'debug'
commands operational in older versions of sendmail, or incorrectly setting
directory permissions on your FTP server so people can download the password
file.  In these cases, the vulnerability is not how the program was written,
but with how the program is configured. Allowing file sharing on your
Windows 95 or 98 computer when it is not necessary, or failing to put a
password on file sharing, is another example.

Examples of errors in the programming of services are the large number of
buffer overflow vulnerabilities in the programs that run services on the
ports of Internet host computers.  Many of these buffer overflow problems
allow people to use the Internet to break into and take control of host
computers (check out "Smashing the Stack", by Aleph One, at:
http://www.happyhacker.org/docs/smash.txt).

What Is an Exploit?

An 'exploit' is a program or technique that takes advantage of a
vulnerability.  For example, the FTP bounce vulnerability occurs when an FTP
server (used to allow people to upload and download files) will open a data
connection to any address a client names.  In the FTP protocol the client
tells the server where to deliver a file listing or a download with the PORT
command, and the original design let that address be any host at all, not
just the client's own.  There really is no good reason to allow this
feature.  It has become a vulnerability because this 'bounce' feature allows
someone to use it to port scan other computers on the same local area
network (LAN) as that FTP server: the attacker names the victim's address
and a port in the PORT command, asks for a file listing, and the server's
reply tells whether it could connect (the port is open) or could not (the
port is closed).  So even though a firewall may be keeping port scanners
from directly scanning other computers on this LAN, the FTP server would
bounce a scan past the firewall.  The fix is for the server to refuse a PORT
command whose address is not the client's own.
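The exchange described above, as an added example that is not part of the original Guide: the PORT argument encoding from RFC 959, a stand-in FTP server (constructed for this example; it models only the PORT and LIST commands and does not open real connections) that can be run either the old way, accepting any address, or the fixed way, accepting only the client's own address on a non-privileged port, and the scanner logic that turns the server's replies into open/closed.  The addresses and the set of 'open' victim ports are made up.

```python
# Added example (not from the original Guide): the FTP bounce exchange with
# both sides modelled in one process. Nothing here touches the network.


def encode_port_arg(host, port):
    """Build the PORT argument (RFC 959): h1,h2,h3,h4,p1,p2, port = p1*256+p2."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {host!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_port_arg(arg):
    """Inverse of encode_port_arg; raises ValueError on malformed input."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad PORT argument: {arg!r}")
    return ".".join(parts[:4]), (int(parts[4]) << 8) | int(parts[5])


class StandInFtpServer:
    """Constructed FTP server that understands only PORT and LIST.

    open_ports maps a host address to the set of ports something listens on
    there; it stands in for the server really trying to connect.
    With restrict_port=True it behaves like a fixed server: the data address
    must be the control connection's peer and the port must not be reserved.
    """

    def __init__(self, open_ports, restrict_port):
        self.open_ports = open_ports
        self.restrict_port = restrict_port
        self.data_target = None

    def command(self, client_ip, line):
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            try:
                host, port = decode_port_arg(arg)
            except ValueError:
                return "501 Syntax error in parameters or arguments"
            if self.restrict_port and (host != client_ip or port < 1024):
                return "500 Illegal PORT command"
            self.data_target = (host, port)
            return "200 PORT command successful"
        if verb == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first"
            host, port = self.data_target
            if port in self.open_ports.get(host, set()):
                return "150 Opening ASCII mode data connection for file list"
            return "425 Can't build data connection"
        return "502 Command not implemented"


def bounce_scan(server, attacker_ip, victim_ip, ports):
    """Probe each victim port through the server. Returns {port: result}
    where result is 'open', 'closed' or 'refused' (server will not bounce)."""
    results = {}
    for port in ports:
        reply = server.command(attacker_ip, "PORT " + encode_port_arg(victim_ip, port))
        if not reply.startswith("200"):
            results[port] = "refused"
            continue
        reply = server.command(attacker_ip, "LIST")
        results[port] = "open" if reply.startswith("150") else "closed"
    return results


if __name__ == "__main__":
    victim = {"10.0.0.7": {22, 80}}          # constructed: what is open there
    for restrict in (False, True):
        srv = StandInFtpServer(victim, restrict_port=restrict)
        print("fixed server:" if restrict else "old server:  ",
              bounce_scan(srv, "203.0.113.9", "10.0.0.7", [22, 23, 80]))
```

The scanner never talks to the victim; the only thing the firewall sees is the FTP server, a host it already trusts, connecting to its neighbour.  That is why the check belongs in the server: it has to compare the PORT address with the peer of its own control connection, and real servers that were fixed for this (wu-ftpd among them) do exactly that, most also refusing ports below 1024.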

So really an exploit is any technique that takes advantage of a
vulnerability to enable you to carry out your own schemes, despite the
wishes of the sysadmin of your target. Exploits depend on operating systems
and their configurations, the configurations of programs running on computer
systems, and of the LAN they are on.

Operating systems such as NT, VMS and Unix are very different, and the
various versions of Unix have their differences, as well.  (Examples of Unix
operating systems include BSD, AIX, SCO, Irix, Sun OS, Solaris, and Linux).
Even the various versions of the Linux form of Unix are different.

This means exploits that will work against NT systems will probably not work
against Unix systems, and exploits for Unix systems will probably not work
against NT. NT services are run by different programs from what you may find
on Unix type computers. Further, different versions of the same service
running on any particular operating system will probably not be vulnerable
to the same exploit,  because each version of a service is run by a
different program.  Sometimes this different program may have the same name
and differ only in its version number. For example sendmail 8.9.1a is
different from 8.8.2.  One of the main differences is that 8.9.1a has been
fixed so that none of the old sendmail exploit programs will work on it.

For example, the "Leshka" exploit explained in the GTMHH on advanced shell
programming clearly explains that it only works on versions 8.7-8.8.2 of the
SMTP service program called 'sendmail.'  We observed a number of people who
were playing the hacker wargame trying to run the Leshka exploit against a
later, fixed version of sendmail.

So remember, an exploit for one operating system or service is unlikely to
work against another operating system.  This isn't to say that it definitely
won't...it's just not likely.  However, you are pretty much guaranteed that
any Win95 or NT exploit will not work against any kind of Unix.

How to Look for Vulnerabilities

Now let's start someplace where you are unlikely to get punched in the nose
by looking at some ports on your own computer.  You can do this by typing
'netstat -a' at the command prompt.

You should see something such as:

Active Connections

Proto  Local Address        Foreign Address      State
TCP    localhost:1027       0.0.0.0:0            LISTENING
TCP    localhost:135        0.0.0.0:0            LISTENING
TCP    localhost:135        0.0.0.0:0            LISTENING
TCP    localhost:1026       0.0.0.0:0            LISTENING
TCP    localhost:1026       localhost:1027       ESTABLISHED
TCP    localhost:1027       localhost:1026       ESTABLISHED
TCP    localhost:137        0.0.0.0:0            LISTENING
TCP    localhost:138        0.0.0.0:0            LISTENING
TCP    localhost:nbsession  0.0.0.0:0            LISTENING
UDP    localhost:135        *:*
UDP    localhost:nbname     *:*
UDP    localhost:nbdatagram *:*

Hhhmm...nothing much going on here.  The 'Local Address' (ie, my local
machine) seems to be listening on ports 135, 137, 138, and 'nbsession' (which
translates to port 139...type 'netstat -an' to see just the port numbers,
not the names of the ports; netstat looks the names up in the 'services'
file described above). This is okay...those ports are part of Microsoft
networking, and need to be active on the LAN my machine is connected to.
Notice, though, that netstat shows what is listening, not who can reach it:
if this same machine were dialed straight into the Internet, ports 137
through 139 would be reachable by anyone, and that is exactly the file
sharing exposure mentioned under vulnerabilities above.

Now we connect our Web browser to http://www.happyhacker.org and at the same
time run Windows telnet and connect to a shell account at example.com.
Let's see what happens.  Here's the output of the 'netstat -a' command,
slightly abbreviated:

Active Connections

Proto  Local Address      Foreign Address      State
TCP    localhost:1027     0.0.0.0:0            LISTENING
TCP    localhost:135      0.0.0.0:0            LISTENING
TCP    localhost:135      0.0.0.0:0            LISTENING
TCP    localhost:2508     0.0.0.0:0            LISTENING
TCP    localhost:2509     0.0.0.0:0            LISTENING
TCP    localhost:2510     0.0.0.0:0            LISTENING
TCP    localhost:2511     0.0.0.0:0            LISTENING
TCP    localhost:2514     0.0.0.0:0            LISTENING
TCP    localhost:1026     0.0.0.0:0            LISTENING
TCP    localhost:1026     localhost:1027       ESTABLISHED
TCP    localhost:1027     localhost:1026       ESTABLISHED
TCP    localhost:137      0.0.0.0:0            LISTENING
TCP    localhost:138      0.0.0.0:0            LISTENING
TCP    localhost:139   0.0.0.0:0            LISTENING
TCP    localhost:2508     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2509     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2510     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2511     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2514     example.com:telnet   ESTABLISHED

So what do we see now?  Well, there are the ports listening for Microsoft
networking, just like in the first example.  And there also are some new
ports listed. Four are connected to 'zlliks.505.org' on port 80, and one to
'example.com' on the telnet port.  These correspond to the client
connections that I set up.  See, this way you know the name of the computer
that was running the happy Hacker Web site at this time.

But what is with the really high port numbers?  Well, remember the
'well-known' ports that we talked about above?  Client applications, such as
browsers and telnet clients (clients are programs that connect to servers)
need a port of their own to receive data on, so the operating system hands
them one from outside the 'well-known' range...above 1023 (these are often
called 'ephemeral' ports, because they are in use only for the life of the
connection).  In this case, my browser has opened up four ports...2508
through 2511, one for each connection it made to the Web server.
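Both the 'services' file described earlier and the netstat output above are just text, so here, as an added example that is not part of the original Guide, is a short Python program that reads a services table in the /etc/services format and uses it to label 'netstat -an' output the way netstat's own name lookup does (139 -> nbsession).  It separates the ports this machine offers (listeners, and among them the ones bound to every interface rather than to loopback only) from the ephemeral ports it is merely using for its own client connections.  The services excerpt, the netstat lines and the addresses in them are constructed for the example.

```python
# Added example (not from the original Guide): label 'netstat -an' output
# with names from a services table in /etc/services format.
import re
from collections import namedtuple

# Constructed excerpt in the /etc/services layout: name, port/proto, aliases.
SERVICES_TEXT = """\
# name        port/proto   aliases
chargen       19/tcp       ttytst source
telnet        23/tcp
smtp          25/tcp       mail
finger        79/tcp
http          80/tcp       www
pop3          110/tcp      pop-3
epmap         135/tcp      loc-srv
netbios-ns    137/udp      nbname
netbios-dgm   138/udp      nbdatagram
netbios-ssn   139/tcp      nbsession
"""

# Constructed 'netstat -an' output; addresses are from the documentation ranges.
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    198.51.100.20:2508     192.0.2.10:80          ESTABLISHED
  TCP    198.51.100.20:2514     192.0.2.44:23          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

Conn = namedtuple("Conn", "proto local_addr local_port remote state")
# proto, local address:port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_services(text):
    """Return {(port, proto): name}; comments, blanks and odd lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.lower())] = fields[0]
    return table


def parse_netstat(text):
    """Return a Conn per socket line; header and blank lines do not match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, remote, state = m.groups()
            conns.append(Conn(proto.lower(), addr, int(port), remote, state))
    return conns


def listeners(conns, services):
    """Ports this machine offers: TCP sockets in LISTENING and UDP sockets
    with no peer. Returns {(port, proto): (bound_address, name_or_None)}."""
    out = {}
    for c in conns:
        if (c.proto == "tcp" and c.state == "LISTENING") or \
           (c.proto == "udp" and c.remote == "*:*"):
            key = (c.local_port, c.proto)
            out[key] = (c.local_addr, services.get(key))
    return out


def exposed(listener_map):
    """Listeners bound to 0.0.0.0 answer on every interface, so they are the
    ones a scan from the network would find; loopback-only ones are not."""
    return sorted(k for k, (addr, _) in listener_map.items() if addr == "0.0.0.0")


def client_connections(conns, services):
    """ESTABLISHED TCP connections from an ephemeral (>1023) local port: what
    this machine is using, not offering. Returns [(remote_host, port, name)]."""
    out = []
    for c in conns:
        if c.proto == "tcp" and c.state == "ESTABLISHED" and c.local_port > 1023:
            host, _, port = c.remote.rpartition(":")
            out.append((host, int(port), services.get((int(port), "tcp"), "unknown")))
    return out


if __name__ == "__main__":
    svc = parse_services(SERVICES_TEXT)
    conns = parse_netstat(NETSTAT_TEXT)
    lst = listeners(conns, svc)
    for (port, proto), (addr, name) in sorted(lst.items()):
        print(f"listening {proto} {addr}:{port:<5} {name or '?'}")
    print("reachable from the network:", exposed(lst))
    for host, port, name in client_connections(conns, svc):
        print(f"client -> {host}:{port} ({name})")
```

A listener the table cannot name (here the loopback-only port 1026) is the kind of thing worth a second look; on NT a high LISTENING port is often just an RPC endpoint, but netstat alone cannot tell you that.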

Now suppose you want to scan your friend's ports.  This is the best way to
scan, as you won't have to worry about your friend getting you kicked off
your ISP for suspicion of trying to break into computers. How do you know
what your friend's IP address is?  Ask him or her to run the command (from
the DOS prompt) 'netstat -r'.  This shows something like this:

C:\WINDOWS>netstat -r

Route Table

Active Routes:

Network Address  Netmask        Gateway Address  Interface       Metric
0.0.0.0         0.0.0.0         198.59.999.200   198.59.999.200       1
127.0.0.0       255.0.0.0       127.0.0.1        127.0.0.1            1
198.59.999.0    255.255.255.0   198.59.999.200   198.59.999.200       1
198.59.999.200  255.255.255.255 127.0.0.1        127.0.0.1            1
198.59.999.255  255.255.255.255 198.59.999.200   198.59.999.200       1
224.0.0.0       224.0.0.0       198.59.999.200   198.59.999.200       1
255.255.255.255 255.255.255.255 198.59.999.200   0.0.0.0              1

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    lovely-lady:1093       mack.foo66.com:smtp     ESTABLISHED

The 'Interface' column on the first line (the default route, network
address 0.0.0.0) gives the current IP address of your computer.  On a
dial-up connection the 'Gateway Address' on that line is usually the same
number, as in the example above.  If you are on a LAN, the gateway will be
your router's address, not your own computer's.  If you or your friend are
on a LAN, however, you should think twice before port scanning each other,
or the LAN's sysadmin may notice your activity.  Warning, sysadmins have
quite an arsenal of larts to use on suspicious-acting users.

************************************************************
Newbie note: Lart?  What the heck is a lart?  It is a "luser attitude
readjustment tool."  This is a generic class of techniques used by sysadmins
to punish lusers.  What is a luser? A wayward user. To get a sampling of
popular larts, see http://mrjolly.cc.waikato.ac.nz. You want your sysadmins
to be your FRIENDS, right?  Never forget this!
************************************************************

What are some of the vulnerabilities to win95 and NT, you ask? Check
previous GTMHHs for this information. Perhaps the most important thing to
remember about Windows is that any user can run a program that uses any
port it wants, even a well-known port.  On Unix only root may open a port
below 1024; Windows 95 and NT have no such restriction, so for this purpose
an ordinary Windows user is equal to root in Unix, and anyone who can run a
program on the machine can set up a fake service on a trusted port.  This
is easy to demonstrate with 'netcat', written by Hobbit and ported to
Windows by Weld Pond of L0pht fame.  The program can be obtained from:

http://www.l0pht.com/~weld/netcat

Read the documentation that ships with the program, or the Guides on (a)
win95 and telnet from:

http://www.happyhacker.org/gtmhh.shtml

or (b) NT security from:

http://www.infowar.com/hacker/hacker.html-ssi

...for information on uses of netcat.
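As an added example (not from the original Guide, and not netcat's code), this Python check shows whether the platform you are on enforces the Unix rule that only root may open a port below 1024.  Run as an ordinary user on Linux, BSD or Solaris it normally reports 'permission-denied' for port 25; on Windows 95 or NT it reports 'bound' (or 'in-use' if a mail server is already there).  Port 0 asks the operating system for any free ephemeral port, which works everywhere and shows the other branch.

```python
# Added example (not from the original Guide): does this OS reserve the
# well-known ports for a privileged user? The socket is released immediately.
import errno
import socket


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a TCP socket to host:port and release it at once.

    Returns one of:
      ("bound", actual_port)        bind succeeded (port 0 = OS picks one)
      ("permission-denied", port)   EACCES: the OS reserves this port for root
      ("in-use", port)              EADDRINUSE: something already has it
    Any other error is unexpected and is re-raised.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except PermissionError:
            return ("permission-denied", port)
        except OSError as e:
            in_use = (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE))
            if e.errno in in_use:
                return ("in-use", port)
            raise
        return ("bound", s.getsockname()[1])


def privileged_ports_enforced():
    """True if an ordinary bind to port 25 is refused for lack of privilege.
    Run this as a non-root user, otherwise it only tells you that you are root."""
    return try_bind(25)[0] == "permission-denied"


if __name__ == "__main__":
    for port in (0, 25, 80):
        print(port, try_bind(port))
    print("well-known ports reserved for root:", privileged_ports_enforced())
```

A 'bound' for port 25 or 80 is what the text above is warning about: on such a system any logged-in user can stand up an impostor mail or Web server, and the only defence is controlling who may run programs on the machine at all.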

Of course, various Windows applications, such as Internet Explorer, have
their own vulnerabilities.

By now, you're probably wondering where you can learn more about various
vulnerabilities and exploits for just about any computer you might find on
the Internet.  Here is a list of sites:

ISS X-Force
http://www.iss.net/xforce

RootShell
http://www.rootshell.com

TechnoTronic
http://www.technotronic.com

Packet Storm Security Site
http://www.Genocide2600.com/~tattooman/index.shtml

Bugtraq archives:
http://www.netspace.org/lsv-archive/bugtraq.html

NTBugTraq
http://www.ntbugtraq.com

Aelita Software
http://www.ntsecurity.com
**This site has the RedButton program, which demonstrates the capability to
connect to an NT machine via a null session and retrieve registry
information.  This is a relatively simple problem to fix...see the NT
security Guides at: http://www.infowar.com/hacker/hacker.html-ssi

NTSecurity
http://www.ntsecurity.net

Active Matrix's HideAway
http://www.hideaway.net/exploits.html

CERT
http://www.cert.org

________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. But we hate computer crime.  So don't email us about any crimes
you may have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message.
Copyright 1998 keydet89 and Carolyn Meinel.  You may forward, print out or
post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you
leave this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com