_ __
(_)_ __ / _| ___ ___ _ _ _ __ __ _ ___
| | '_ \\\\| |_ / _ \\\\/ __| | | | '__/ _` |/ _ \\\\
| | | | | _| (_) \\\\__ \\\\ |_| | | | (_| | __/
|_|_| |_|_| \\\\___/|___/\\\\__,_|_| \\\\__, |\\\\___|
|___/
.------------- ----------------.
: Official Irc Channel -> #phreak/AustNET (au.austnet.org) :
: Official Web Site -> http://infosurge.wewt.net :
: Official Submissions -> infosurge@wewt.net :
: :
: issue #2: 01/02/2000 :
.__________________________________________________________.
............................[ Table Of Contents ]...........................
[Intro ............................................................... phase5]
[Editorial ........................................................... phase5]
[News ................................................................ nobody]
[Getting Payphone Numbers cont.d ....................................... sour]
[Intro to php3 ....................................................... jestar]
[Firewalling your Linux Box .......................................... phase5]
[Address Resolution Protocol ........................................ ghengis]
[Introduction to SS7 ................................................. phase5]
[Basic Linux Security ................................................ phase5]
[Basic Perl .......................................................... bsdave]
[Outro ............................................................. phase5]
[Total ................................................. infosurge (78.4kb)]
.................................[ shouts ].................................
[ Shard ^jestar sour secroth ghengis lymco insane hanz3r wewted ]
[ Mista Eckz assass|n mage Red^Blade Excalibur ^OpTiX^ bsdave ]
[ wrath Niffum TheCzar Nailbomb saboteur tux galapogos01 x-circuit ]
[ void_ karn VortexV Digit_Illogic Phrost Byte Deicidal Rendrag ]
........[ Editorial ].................................[ phase5 ]............
Who would have thought a second issue would actually be published. Not many I
would wager but I believe it or not infosurge is back. Were slowly cutting
down on the number of scans and increasing our level of information. Not alot
has happened since number 1. We have moved the site around a fair bit as our
old distro kept going down. We also have a new email addy. Thanks to wewted
for letting us use wewt.net and Rendrag for providing hosting. Another issue
is definately planned after this one however some for submissions and feedback
would be appreciated. I don't know how many times I saw this.
[phase5@melchior ~] mail
No mail for phase5
Heh. I wouldn't complain if someone sent in a good ascii logo. i have recieved
a cool ansi one which is at the bottom of the zine. Well, that's enough from
me. Enjoy the zine.
........[ News ]......................................[ nobody ]............
Seems once again there is no news. Now, there were some developments since
the last issue, ie telstras reaction to the straw technique. However, it seems
nobody actually managed to put it here. This section will probably be gone
next issue if no news is sent even. Even a simple url will do.
........[ Getting Payphone Numbers cont.d ].............[ sour ]............
There is a bit of info left out from artical one that I think that should be
stated out. When inserting the cash into the so called "PAY" phone, then
dialing out 0016 000 000 or any others that you may receive the 3 digit code,
the women may say "one O zero", what she is trying to tell us is that the
letter O should stay zero, and zero should be one. If you dont know what im on
about then read the first issue dammit.
When Brute forcing your way into those two numbers, and you come across an
engaged tone, it does not mean that its the actual number, to test it either
jump to the phone next to you if there is one, or mobile or what ever and punch
in those digits and verify it, if its still engaged then continue scanning your
way threw what ever you may have left.
If theres some knob that lines up to use that phone that your on and you dont
want them round then just hangup then pick up, and hold the hash key for a
few secs (works with all payfones with LCD screen and I think that you can
do it with any other buttons on the numpad) this will give you an Out Of
Service once you hangup and then tell the knob "Look mr knob. This payphone is
like Out Of Your Service Im in line first and I want to use this phone for a
long time so go off and find your own phone knob". Once thats over with, just
pick up and continue your business.
Quick shouts to people from the StarBBS ages, phase5 for getting the mad scene
backup, lets hope it will be as successful as the phrack zines, and the folks
from #phreak (xcept p053553d ofcourse).
sour ...
........[ intro to php3 ].............................[ jestar ]............
________________________________
What is it?
PHP is a newish server side scripting language for generating
dynamic internet pages. It also contains built in support for
a variety of different database servers, so your pages can be
generated from information stored in a database.
The main upside with it being server side is that the clients dont
need to download any additional plugins/programs to view the sites
created with php, to the end user they appear as standard html pages
just with the .php3 extension rather than the .html one.
The scripts are written in a format very similar to perl scripts, which
originally had their format borrowed (read: stolen) from c programming
so if you are familiar with any of these php will seem like second
nature before long.
But thats enough of me crapping on in the intro, its time to get down
and dirty with the classic "hello world" program!
_______________________________
Hello world, i'm php, pleased to meet you!
The staple inital example of ever programming language ever made is the
hello world example, and this is going to be no different. But first you
are going to need a few things as follow:
- A server with php support (either your own or someone elses)
- A text editor
- A brain (although, optional for this example)
Ok first things first. When you are creating your .php3 files they can
be a hybrid of regular html and php scripting. The php sections in your
code are enclosed in tags, or alternatively tags. Either
should work, but is the easiest, and the one i use. If you find your
code interfering with other server technologies you will have to use
. Ok now that thats out of the way here is the code for the hello
world example
Hello world in php3
Ok, as you can probably tell from that code, the file is a hybrid of
normal regular html and the php script. The only php thing there is the
echo command, and it should be pretty obvious what the syntax is.
The echo() function places what ever you pass to it into the html file
when the php script is run. You can put anything you wish into the echo
function but there are a few things to remember. If you want to use
the " character within your echo function you will need to escape it
first with the \\\\ character. This probably sounds a bit confusing so I
will try to explain. Say you wanted to use php to put an image on your
page. The code you would expect to use is
"); ?> but if you were to run this script
you would get a massive glaring errors. The reason for this is that it is
reading the first " inside the img tag as the end of the echo tag. This
is where the escape character \\\\ comes into play. It tells php that the
following character is not part of the command. So remembering that you
can probably work out that the correct line would be
"); ?>. There are other lines you can use
to help format the html, the most often used one will be \\\\n which has
the same effect as pressing enter when writing code (note, that only effects
the generated code if you wanted a newline on the page you would need
to inlude a
in the echo command). I guess thats about it for the
first example. Sorry if its a bit hard to follow, but if you read it
through a few times and try out the example you should be alright. Next
on the list is the if statement, and simple variables.
_______________________________________
Variables for me and you
In php there are 2 types of variable (well, two which you need to worry
about this early on in the piece) and they are the variables generated
by php, and the variables which you create and fill yourself.
Lets start with the ones you create. In php, all variables are prefixed
with the $ character followed by the name of the variable. So lets say
you want to make a variable to hold a counter (there are a variety of
reasons you may want to do this) you would initialise it like this:
$counter = 0;
Now, this MUST be inside php tags, so the code for this is gonna be a
bit beefier than the single line stuff youve seen so far. As it stands,
just for setting up the variable to code would look like this:
Simple ey? Oh well then, because that was so simple I think we will
expand this article to include the if function. Its the exact same syntax
as c and perl, so if you know that this will be second nature to you.
This is for the benefit of those who are completely new to it.
The basic format of the if function is as follows:
if (some test)
{
*this gets done if the test was true*
}
So basically, it is a way of only having something happen if a certain
test turns out to be true. The other part of the if statement is the else,
which is added to the end as follows:
if (some test)
{
*if its true do this*
}
else
{
*otherwise do this*
}
Time for a simple real world example of this. What will happen in this
code is that a counter variable will be initialised to either true or
false (you choose) and then a line will be printed depending on what
the variable is. Here is the code:
and thats all it takes.
_____________________________________
Outtro
Thats enough for this simple introduction, have a play around with this
and if you have the urge to learn further ( and you should) check out
the documentation at www.php.net and also the abundance of example and
downloadable scripts both there and in the links sections.
Have fun
Jestar
(c)2000
........[ Firewalling your Linux Box ]................[ phase5 ]............
In this text I will go over the basics of setting up a small firewall to
protect your box. This will not go into things such as IP Masquerading or
other advanced firewalling stuff. I will assume your using ipchains as your
firewalling software. This will come with your linux distribution. However,
if you have a kernel 2.0.* or 2.1.* you will have ipfwadm instead. I will
include commands for this as well but i recommend upgrading your kernel as
ipfwadm is outdated and upgrading your kernel will provide other benefits
other than ipchains. (note: ipchains itself is on the way out with the latest
2.3.* kernels using Network Packet Filtering). Since i'm not in the
mood to write alot and I doubt you want to read alot I will explain things
mostly using examples. ipfwadm stuff will be at the very end when we put all
this shit together.
For this article we will have the interfaces lo, ppp0 and ppp1. lo is the local
interface and ppp0 + ppp1 will be your dialup net connection (2 dialup lines).
Now, the basic syntax of ipchains is:
ipchains -A type -j policy options
For the purposes of this text type can be: input, output and forward while
policy can be: accept, deny and reject.
For those who don't know I will go over what each one of those is.
Input refers to packets entering your machine.
Output refers to packets leaving your machine.
Foward refers to packets with a destination other than your box.
Accept means let the packet through.
Deny means drop the packet.
Reject means drop the packet but send an icmp packet back telling the source
the packet was dropped.
First thing to do is to clear out any existing rules. This ensures you have
a clean firewall ruleset to work with. Clearing the ruleset is done as such.
ipchains -F input
ipchains -F output
ipchains -F forward
The option -F means Flush. This will flush the rules for input, output and
forward.
Next step would be to allow yourself access.
ipchains -A input -j ACCEPT -s 0/0 -d 0/0 -i lo
Ok. Simply what that does is append a new rule to the ruleset which allows
all traffic from any source to any destination which originates from the
interface lo. lo of course, is you. The -i options allows you to specify an
interface for the incoming packets.
From this you should get the basic idea of using ipchains. Now, lets block
off some stuff. The next rule will stop people spoofing your address to get
past your firewalls and generally do some nasty stuff.
ipchains -A input -j DENY -s 127.0/8 -d 0/0 -i ppp+ -l
Basically any packets coming from an outside interface (ppp+ means anything
starting with ppp, such as ppp0, ppp1,etc) with a source address of the local
subnet is denied. The -l option at the end means turn on packet logging. This
will write an entry to /var/log/messages with various information about the
packet, such as source and destination ips.
Next up is to stop icmp traffic.
ipchains -A input -p icmp -j DENY -s 0/0 8 -d 0/0 -l
Ok, several new options here. -p specifies protocol. It can be tcp,udp,icmp
or all. The 8 after -s 0/0 means icmp type 8 (hmm).
Now you may wish to block and log some trouble ports. These are ports that
may indictate someone is attempting to DoS you or scan/penetrate your system.
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 21 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 23 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 25 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 79 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 139 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 143 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 1080 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 6000 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 12345 -l
ipchains -A input -p icmp -j DENY -s 0/0 -d 0/0 31337 -l
That's some basic stuff to be blocked. These rules will block: ftp, telnet,
smtp, finger, netbios, imap, socks, X11, netbus and Back Orfice. It will
also create a syslog entry as logging (-l) has been enabled. You can add or
remove ports as you want.
One last thing you might want to do is this:
ipchains -A input -j DENY -s 0/0 -d 0/0 -y
This will deny everything. However the -y option still allows you to establish
connections.
Now you've got a basic understanding of ipchains, the next step is to put
all these rules together into a .sh file and have it exectued at bootime.
Remember that rules wil be looked at in order of entry and as soon as a
matching rule is found it will stop so rule placement order is important.
Here is the shell script:
#!/bin/bash
#
# Firewall Ruleset
#
# Allow local interface
ipchains -A input -j ACCEPT -s 0/0 -d 0/0 -i lo
# Block and log spoofed packets
ipchains -A input -j DENY -s 127.0/8 -d 0/0 -i ppp+ -l
# Block ICMP
ipchains -A input -p icmp -j DENY -s 0/0 8 -d 0/0 -l
# Block and log ports (ftp,telnet,smtp,finger,netbios,imap,X11,netbus,BO)
ipchains -A input -j DENY -s 0/0 -d 0/0 21 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 23 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 25 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 79 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 139 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 143 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 1080 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 6000 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 12345 -l
ipchains -A input -j DENY -s 0/0 -d 0/0 31337 -l
# Block ALL
ipchains -A input -j DENY -s 0/0 -d 0/0 -y
# eof
and the ipfwadm version
#!/bin/bash
#
# Firewall Ruleset
#
# Allow local interface
ipfwadm -I -a ACCEPT -S 0/0 -D 0/0 -W lo
# Block and log spoofed packets
ipfwadm -I -a DENY -S 127.0/8 -D 0/0 -W ppp+ -o
# Block ICMP
ipfwadm -I -P icmp -a DENY -S 0/0 8 -D 0/0 -o
# Block and log ports (ftp,telnet,smtp,finger,netbios,imap,X11,netbus,BO)
ipfwadm -I -a DENY -s 0/0 -D 0/0 21 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 23 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 25 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 79 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 139 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 143 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 1080 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 6000 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 12345 -o
ipfwadm -I -a DENY -S 0/0 -D 0/0 31337 -o
# Block ALL
ipfwadm -I -a DENY -S 0/0 -D 0/0
# eof
Save it and make it executable. Now add a line to your /etc/rc.d/rc.local to
call it. This will ensure it is started every boot.
That ends this basic article. For further information on ipchains and
firewalling read the following manpages, ipchains(8) and ipfw(4).
.eof.
........[ Address Resolution Protocol ]..............[ ghengis ]............
****************************************************************
* [topic;] *
* [author;] *
* [web;] *
****************************************************************
This document is meant to be an introduction to the ARP protocol. It assumes
that you are somewhat familiar with TCP/IP networking.
On the Link Layer of the 7-Layer OSI Network Model, you'll find ARP, standing
by itself off in a corner. This seemingly out-of-the-way protocol is actually
essential for most network communication to take place, as it translates
logical addresses (in this case, IP) to Hardware Addresses.
ARP stands for Address Resolution Protocol, and for this document, we'll speak
of ARP as it applies to a standard IPv4 TCP/IP network.
ARP is responsible for resolving the 48-bit ethernet address associated with
your 32-bit IP address. Your ethernet card doesn't care, nor does it even know
what its IP address is. It just has a 48-bit address assigned to it, most
often hard coded into the firmware. Your IP address however, can change any
time, while your ethernet address stays the same. Hence, your IP-based network
needs to know how to find which machine to send its IP packets to. ARP is the
way.
Let's say for this document your ethernet card has a hardware address
of 00:00:2b:04:a9:11 and your IP address is 198.162.1.1, and you are on
a class C network.
When a machine on the network wants to initiate an IP-based connection, it
first needs to find out the hardware address of the remote machine. ARP steps
in and sends an ARP REQUEST, asking the network who has the IP address it's
looking for. Let's say you are trying to connect to 192.168.1.2.
Running tcpdump you might see this:
00:00:2b:04:a9:11 ff:ff:ff:ff:ff:ff arp 60:
arp who-has 192.168.1.2 tell 192.168.1.1
Let's look at this packet.
The first section is our hardware address.
The second section is the broadcast hardware address of the network. This
packet is sent to every machine listening asking each where this IP is.
The third identifies the packet as being an ARP packet.
The fourth is the size of the ethernet frame, padded to its minimum 60 bytes.
The rest is fairly straightforward, asking "Which machine on this network has
192.168.1.2 assigned to them? Please tell 192.168.1.1 your hardware address."
Now let's look at what this packet looks like on the network.
Ethernet Header
.-------------------------------.
|Ethernet Dst|Ethernet Src|Frame|
| Address | Address |Type |
| | | |
`-------------------------------'
6 bytes 6 bytes 2 bytes
.--------------------------------------------------------------.
| Hard|Prot|Hard|Prot|Op|Sender Eth|Sender|Target Eth|Target IP|
| Type|Type|Size|Size| | Address | IP | Address | Address |
| | | | | | | | | |
`--------------------------------------------------------------'
2 2 1 1 2 6 4 6 4
The numbers below the fields represent the number of bytes in the field. This
ARP request is 28 bytes in length.
The Ethernet header contains the 48-bit ethernet address of the sender and
the recipient, in this case, the recipient being the broadcast address. The
2-byte Frame Type field specifies that this is an ARP request or reply with
the value 0x0806.
The Hardware Type and Protocol Type fields specify the type of hardware
address and type of protocol address, respectively. This would be a 1 for
ethernet in this case, and an 0x0800 for for IP addresses, again respectively.
Hard Size and Prot Size are related information, containing the size of the
hardware address and protocol address contained in the following fields. In
this case we have a 48-bit ethernet address (6 bytes) and a 32-bit IP address
(4 bytes).
The OP field specifies what type of service this packet is. It can be any of
the following:
1 - ARP Request
2 - ARP Reply
3 - RARP Request (Reverse ARP, not covered in this article)
4 - RARP Reply
For now assume Reverse ARP is a machine asking other machines for it's own IP.
Since this field is a request, the target ethernet address is not included, as
that is the information we are looking for.
When the remote host recieved the broadcast request, it recognizes the IP as
being its own, and replies:
00:00:4b:2a:01:04 00:00:2b:04:a9:11 arp 60:
arp reply 192.168.1.2 is-at 00:00:4b:2a:01:04
When the machine requesting the information gets this packet, it can now open
the connection to the remote machine. This entire process on a 10Mbit network
may take about 3ms.
The packet sent back is formatted as the first packet, with different values
in the fields.
1. The Ethernet header is formed with its own information.
2. The OP type is changed to 2, ARP reply.
3. The source and destination fields are completed with the information as
expected, i.e. its own IP and hardware addresses.
4. The packet contains the hardware address of the machine with the IP address
originally asked for in the request.
But what about machines on other networks accessed through gateways? Well, ARP
requests will not be made for machines not located on the local network.
Instead, packets will be forwarded to a next-hop router (gateway) for delivery
to another network.
I hope you learned something reading this article. Next issue, we should be
talking about RARP, ProxyARP, ARP caching, and Gratuitous ARP. If you are
interested in learning more about ARP or any protocols in the TCP/IP family,
I highly recommend W. Richard Stevens' TCP/IP Illustrated Volume 1. This book
covers many topics of TCP/IP networking in great detail, belongs next to the
bed at night, and was used for reference while writing this article.
Also I recommend running tcpdump on your network often and watch what's going
on. This is a good way to get a preliminary look into what's really going on
when that light on the hub is blinking.
****************************************************************
* [topic;] *
* [author;] *
* [web;] *
****************************************************************
For this article, let's use the following network map (I suck at ascii
drawings). Assume the machines on the top are using a Class C netmask of
255.255.255.0, and that the machines on the bottom are on an 8-IP subnet in
the same class C network, using a netmask of 255.255.255.248.
10.10.10.1 10.10.10.2 10.10.10.3
____________ ____________ _____________
| | | | | |
| illusion | | oblivion | | abyss |
|__________| |__________| |___________|
| | | ethernet
---------------------------------------------------------------------------
|
________|________
| Cisco 2514 |
| cube |
| 10.10.10.253 |
|_______________|
|
| <-- serial dial-up
| has ip 10.10.10.250
______|______
| |
| cirrus |
|___________|
10.10.10.201
ethernet |
---------------------------------------------------------------------------
______|_____
| |
| pulsar | 10.10.10.202
|__________|
I) Proxy ARP
Proxy ARP is an implementation of ARP on a machine that allows it to answer
ARP requests on one network for machines on another one of it's networks.
We'll start off like this. Wayne wants to dial in to his corporate network and
have access to all of the machines. Wayne has a few machines at home, so he
sets himself up an 8-IP netblock (10.10.10.200-208) at work, then goes home
and dials into work. The modem at work picks up and establishes a connection,
giving an IP address to his machine, we'll say 10.10.10.250.
The router at work has been configured to route requests for Wayne's network
to Wayne via his dial-up interface. But the other machines on the network
don't know that his machine isn't on the local network. As far as the other
machines are concerned, his subnet is still covered by their netmask, hence on
their local network.
So if Illusion needs to send a packet to Pulsar, Illusion is going to look at
Pulsar's IP address and consider Pulsar to be on the local network, and make
an ARP request.
Pulsar doesn't get that ARP request. This is where Proxy ARP comes in. The
Cisco router (Cube) is going to get that ARP request, and notice that the IP
in question is an IP connected to one of its serial ports. Cube is going to
respond and say that Pulsar is located at its own hardware address. Illusion
will then start sending packets to Cube, and Cube will forward them to Pulsar.
This operation is totally transparent to Illusion. As far as its concerned,
Pulsar is sitting next to it on the wire talking back and forth.
Gory details? No problem.
Illusion sends an ARP request looking for Pulsar.
0:0:b4:03:F2:02 FF:FF:FF:FF:FF:FF ARP 60:
arp who-has 10.10.10.202 tell 10.10.10.1
Cube gets the ARP request and responds with its own HW address.
0:0:0c:3b:a3:4e 0:0:b4:03:F2:02 ARP 60:
arp reply 10.10.10.202 is-at 0:0:0c:3b:a3:4e
Then Illusion starts sending packets to Cube, and Cube forwards them to
Pulsar.
If you were to then view the ARP table on illusion, you would find that Pulsar
and Cube both share the same hardware address.
2) Gratuitous Arp
A very important feature of ARP is Gratuitous ARP. Seemingly minor, Gratuitous
ARP is essential for several reasons.
It happens when a machine asks the network for its own IP address, hence:
0:0:B4:03:F2:02 FF:FF:FF:FF:FF:FF ARP 60:
arp who-has 10.10.10.1 tell 10.10.10.1
This accomplishes several things. One being that if there is another machine
on the network that has the same IP, it will respond back saying so, and alert
the user that there is a duplicate IP on the network.
There is another situation. One feature of ARP is that it will automatically
update its ARP cache if it recieves a broadcast ARP request from a machine
that already has an entry in it's ARP table. More specifically, say you down
one interface on a machine, put your ethernet cable into another card, and up
that interface. When that interface comes up, the first ARP broadcast it sends
will automatically update the arp caches of the machines on the local network
with its new hardware address. Same IP, different Hardware address, because
it's a different ethernet card. Now, the rest of the machines will start
sending data to that hardware address instead of the previous one.
That's kind of neat, now isn't it? If you send an ARP request with an IP
attached to it in the "tell" field, the rest of the machines on the network
will automatically assume you are that IP and send you packets. But of course
they will! That's what ARP does! Resolves IP addresses to hardware addresses.
Now we get to the part where ARP starts to cause trouble.
How you ask? Well, the last paragraph back there should give you some ideas.
Here's some questions:
* What would happen if you wrote a program that replied to every ARP broadcast
with its own hardware address?
A few things. If you wrote a program that replied to every ARP broadcast with
your IP, you'd have machines on the network (especially Windows machines, whoo
boy) confused about who's the Real McCoy. If your entry was the latest in a
machine's ARP cache, you would get packets destined for machine whose identity
you have assumed. Considering this is local ethernet, you'd get the packets
anyway, but they'd have the other machine's IP plastered onto your ethernet
address. This would cause all sorts of problems as the machines fought about
who's who. This is one style of a Denial of Service attack, however it's not
very efficient.
* How can I use ARP to hijack someone's TCP/IP session?
Say Illusion was talking to Abyss with a telnet session, and you wanted to
assume Illusion's place in the conversation. You are currently using Oblivion.
You could write a program to hijack the connection by somehow (network
congestion, crashing Illusion somehow, unplugging it, whatever) getting
Illusion off of the network, and assuming its identity by using ARP to tell
Abyss that Illusion's IP is now located on Oblivion's hardware address. Abyss
can pick up right where it left off and send the next waiting packet, which
your program has already been ready to recieve. You are now talking to Abyss
via telnet, and the upper-layer protocols never missed a beat.
This is not a very technical description of session hijacking. I'm aiming this
article at people that aren't extremely familiar with the concept.
* How can I use ARP as a Denial of Service attack?
One way to use ARP as a DoS attack is to respond to gratuitous ARP requests
with any hardware address. Since gratuitous ARP is often sent at bootstrap
time, attacking this can cause a variety of problems. Windows NT machines have
been known to pop up a dialog box saying "Windows has detected a duplicate IP
address at HW address: #:#:#:#:#:#. The interface has been disabled.". NT then
proceeds to down the interface until it is brought back up by hand, and the
interface sometimes can not be brought back up as long as there is another
machine on the network with the same IP. This has happened to me personally
before, however since it was years ago I'm not sure what version of NT besides
that it was 4.0 that this occured on (Service Packs, etc). Try giving your
UNIX machine an IP that's the same as your NT machine, boot your NT machine
and check what happens.
* How secure is ARP?
ARP is about as secure as crotchless underwear on a glass floor. There is no
security involved with ARP directly besides ethernet switching (or "Smart
Hubs"), which helps prevent sniffing and other problems by knowing what
hardware address is coming in on what port on the switch. If you have access
to broadcast ARP, you can cause damage to your local ethernet.
ARP wasn't designed to be secure. It's a trusted protocol, stateless in
design. There is no connected status, it's just broadcast packets and
one-packet replies. There's no authentication involved.
This is just an introduction to ARP. ARP is a fundamental protocol on networks
today. Mapping logical addresses to physical addresses is essential with the
protocols we use. As more and more people get onto the internet, and we start
to lean towards IPv6, we should be seeing some changes come along in major
protocols, ARP included.
Steps have been taken to keep ARP in check, such as switching. These steps are
nescessary to keep co-locations facilities, ISPs, and businesses'
communications a bit more secure. If everyone at a co-location facility was on
a big hub, colissions, sniffing and IP spoofing would be a bigger problem.
Plugging everyone into a different interface on a router would get expensive,
so switching is the way to go.
****************************************************************
* [topic;] *
* [author;] *
* [web;] *
****************************************************************
***************************
(Note: For all these examples, there are no switches, smart hubs, etc.,
implemented on the network in question.)
(Note 2: If you wish to actually do some of what you see here, I suggest
grabbing a copy of send_arp, an ARP forging application that's been floating
around the net, and I've modified it a bit. It should be on www.sysfail.org
soon after this article is published. If not, e-mail me.)
Situation 1: You are on a ethernet at a small office. Another employee has
picked up a copy of 2600 from the local Barnes and Noble. After spending
3 days OCRing code out of the book, he has managed to compile a copy of
teardrop on the only Linux box at the office (the dial-up server, "RAS").
He thinks it's really funny to crash the unpatched print server all day
whenever you need to queue up some invoices. Knowing that he's telnetting into
the machine and logging in as root, and also knowing that his machine is the
only machine in the office that has access to do that, you figure it would be
just keen to somehow trick the server into thinking that you are coming from
Joe's machine.
Situation 1 Low-Down: We need to spoof a connection from "joe" to "server",
and we are on "tom". We need to not take "joe" off the network or cause any
funny messages to pop up on the screen.
Here's our network layout:
Full Class C: 192.168.0.x
Netmask: 255.255.255.0
------------------------------------------------------------------------------
| | | |
| | | |
* * * *
Printer Server Tom Joe
192.168.0.5 192.168.0.1 192.168.0.2 192.168.0.3
(Linux) (Linux) (Windows)
(0:0:0:0:0:01) (0:0:0:0:0:02) (0:0:0:0:0:03)
You have made the intelligent choice to install Linux on your other drive on
"tom". Your network is working fine, and you can communicate with all your
other machines.
Somehow, you need to make "server" think that you are telnetting to it from
"joe". You've already sniffed the unencrypted root password "hork" from the
local ethernet.
Let's take a look at what happens when joe telnets to server.
****
0:0:0:0:0:03 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.1 tell
192.168.0.3
0:0:0:0:0:01 0:0:0:0:0:03 0806 60 arp reply 192.168.0.1 is-at 0:0:0:0:0:01
0:0:0:0:0:03 0:0:0:0:0:01 0800 62: 192.168.0.3.1029 > 192.168.0.1.23: S
21441998:21441998(0) win 8192
(DF) (ttl 128, id 32010)
0:0:0:0:0:01 0:0:0:0:0:03 0800 58: 192.168.0.1.23 > 192.168.0.3.1029: S
2811556923:2811556923(0) ack 2144199 win 32736 (ttl 64, id 175)
***
What we have here are four separate packets initializing a telnet session.
First packet: ARP request: get HW address of IP to connect to
Second packet: ARP reply: Here's the hardware address requested from "server"
Third packet: I want to telnet to you, you listening?
Fourth packet: Sure thing bro, acking your port 23 request, let's go.
We're not concerned about the latter two packets, just the first two. The ARP
request/reply pair. If we can somehow convince server that it wants to send
packets destined for "joe" to "tom", we're in business.
Sounds easy enough, and in a way that's true. But there are several obstacles
to overcome. You might say, "let's just assume the IP address of joe." That
won't work. You'll have two machines responding to the same IP address, you
really don't want that. You don't want a message on either box complaining
that there's duplicate IPs on the network either.
When your machine sees a packet go by, it checks the hardware address stamped
on the ethernet packet header. If it's not a match, the packet isn't for us,
and we don't care about it. More specifically, the device driver never looks
at the destination IP, just the HW address (of course, there are exceptions
where some drivers dig more into the packet for various purposes). This can be
taken advantage of in numerous ways, and for ARP attacks, it can really come
in handy.
If we ifconfig up an interface on "tom" with the IP address of "joe", and
tell "server" that "joe"'s IP address is located at "tom"'s Hardware address,
then server should send packets destined for "joe" to "tom", and it will also
accept packets from "tom" thinking that it's "joe", bypassing the IP-based
security implemented on "server".
Ok. Read that again.
* We tell SERVER that the IP address of JOE is really located at the HARDWARE
ADDRESS of TOM.
Function: Packets from SERVER to JOE will be encapsulated on the ethernet with
headers sending it to TOM instead of JOE (instead of the header including the
ethernet address of JOE, it will have TOM'S address instead. This means JOE
will ignore the packet while TOM will recieve it. SERVER will not know that
TOM isn't JOE, because TOM is talking with JOE's IP).
How: We send a hand-crafted ARP packet (reply specifically, it can be a
request, but we'll get into that another time. The packet would look like
this on the wire:
0:0:0:0:0:02 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:02
TOM SERVER ARPREPLY IP OF JOE HWA OF TOM
Now, if you try to telnet to SERVER from TOM, you should be able to connect,
and it will allow you to log in as root.
But wait! We lit up a message on the Windows box on Joe's desk saying that
there's an IP address conflict on the network! Busted!
There are several things you must take into account:
1) You need to "ifconfig -arp eth:" and set up static ARP entries and
routes when you do this. You don't want that interface speaking ARP to anyone
unless you make it but you need it to know where to send packets.
2) Doing this *during* an existing session between JOE and SERVER will cause
that connection to drop, unless you work fast.
3) You need to be constantly sending poison ARP to SERVER *and* JOE during
your attack. As long as you keep telling both machines where to find (er,
where you WANT them to find) each other, they won't *ask*. And the less they
ask, the better.
Situation 2: I want to hijack joe's session to server.
How can this be done using ARP as a tool? First off, remember what we said
about accidently cutting off Joe's session earlier? Well now that's exactly
what we want to do.
During a conversation between JOE and SERVER, you inject poison ARP, telling
SERVER that you're JOE, and telling JOE that SERVER is the printer or
something. Then, you proceed to send a flood of spoofed ACKs to the SERVER,
pushing the sequence numbers out of JOE's acceptable window, and by the time
JOE finds out what happened, you've already got his end of the connection, and
SERVER hasn't even noticed anything funny (I'm not going to cover the insides
of TCP sequence numbers today, that's another article. :) ).
How this happens:
* JOE is talking to SERVER
* TOM assumes JOE's IP address.
* TOM sends out an ARP reply unicast to JOE saying SERVER is-at 0:3:1:3:3:7
or something, then immediately send a packet to SERVER saying that JOE is-at
0:0:0:0:0:2 (tom's real HW address)
* To be on the safe side, you push the sequence numbers of the session way out
of JOE's acceptable range.
* JOE is a Windows box and doesn't know what the hell is going on. He's just
sending packets looking for SERVER and probably grinding the hard drive or
showing a little animated paperclip that says "Click here to learn more about
session hijacking" which just points to a broken link on microsoft.com.
* Meanwhile, TOM is re-synching the connection to SERVER, and as far as SERVER
is concerned, the connection was just broken for a moment, and now is better,
and will gladly talk to TOM in the place of JOE, considering that the IP is
right and that TOM's HW address maps to that IP in the arp table on SERVER.
* JOE is still a Windows box and at this point Windows telnet will bring up
a message like "Lost Connection" and probably lock up telnet because it's so
poorly coded and has no emulation and... anyway....
* TOM has full control over the connection and SERVER couldn't be happier
about it. JOE just sits there and plays a neat screen saver and grinds the
hard drive every couple minutes.
I will probably be writing an article specifically on this topic, as I'm not
going to cover this more specifically in the scope of this article.
Situation 3: I just picked up 2600 at Barnes and Noble. I want to be a hacker.
My 6th grade computer teacher is a real dork and I want to
make the network not work right n stuff. I tried mashed
potatos in the power outlets but I got in trouble. What can
I do?
Well, good news for you. ARP can cause all sorts of problems on a network.
If you haven't figured out how this is possible yet, I'm not sure what to tell
you, read the article again and maybe you'll think of a way you could make
computers on a network not able to talk to each other using ARP.
I hope you enjoyed, and should you have any questions, email me.
References:
I. "TCP/IP Illustrated, Volume 1: The Protocols" W. Richard Stevens, January
1994. (Addison-Wesley Professional Computing Series). ISBN:0201633469
II. "Playing redir games with ARP and ICMP" MESSAGE THREAD: document sections
reviewed were authored by Yuri Yolobuev
........[ Introduction to SS7 ].......................[ phase5 ]............
. Intro
. What is Signaling
. What is SS7
. Basic Signaling with SS7
. Associated Signaling
. North American Signaling
. SS7 signaling links
. An example phone call over SS7
. Layers of the SS7 Protocol
. Acronyms Summary
. Outro
Intro
-------
In this article I will go over the basics of SS7. Due to the lack of technical
phreaking information being written I will keep this simple and hopefully
encourage other phreaks to go learn about the PSTN. This article will only be
in relation to the PSTN and so if definitions or concepts appear limited in
skope it is because they only refer to components of the PSTN.
What is Signaling
-------------------
Signaling is the exchange of information between components of the pstn
needed to provide and maintain service. There are two types of signaling,
in-band and out-of-band. In-band signaling is sent over the same line as is
used for the call, ie the voice circuit. For example, getting a dialtone,
dialing digits, etc are all in-band signaling. In-band signaling is done
through the use of MF tones. This is what allowed the bluebox to work,
emulating the phone companies MF tones and sending them down the phone line,
as the voice line was also used for signaling. Out-of-band signaling is when
signaling information is sent over a seperate line. All signaling information
is sent over this line, which is called a signaling link. Out-of-band has
various advantages to in-band signaling including faster transmission speeds
(56kps), allowing signaling anytime during a call, and other features.
What is SS7
------------
SS7 stands for Signaling System 7. It is a signaling system that utilises
out-of-band signaling and high speed packet data. SS7 is a packet-switched
system as opposed to a circuit switched system. Packet switching is far more
efficient than circuit switching. Circuit switching is 50% efficient. When
one person talk and the other listens, the line is only 50% in use. In packet
switching the packets are stored until a certain amount is reached and then
sent. This makes it 100% efficient.
Basic Signaling with SS7
-------------------------
There are two types of signaling networks with SS7. These are known as
Associated Signaling and North American Signaling.
Associated Signaling
--------------------
For a basic SS7 setup, the signaling network would look similar to this.
.-----. -------------------- .-----.
| | -------------------- | |
| A | -------------------- | B |
._____. .................... ._____.
In this ascii diagram A and B represent two switches. The dashed lines are
voice lines while the dotted line shows the signaling link. For call setup and
maintenance this setup is fairly efficient. All signaling requirements between
switch A and B would use this signaling link. This form of signaling is still
used in many places.
North American Signaling
------------------------
The Americans decided that they wanted to be complex. They wanted a signaling
system where any switch could signal to any other switch without a direct
signaling link. Thus, the North American Signaling Architecture was born. This
network is comprised of the basic components.
signal switching points (SSPs) - These are the lowest class switch. They have
SS7 capable software and start, end, and
switch calls.
signal transfer points (STPs) - These are the packet switches. They route
incoming signals to the correct destination
and other advanced routing functions.
signal control points (SCPs) - These are databases used in advanced call
processing.
These signaling components are crucial for calls to take place. Any call in
which the called party is served by another switch than the calling party
needs the above components to be functioning for the call to be processed. To
avoid problems though, this network has been made highly redundant which
allows it to bypass most network failures. The STP's and SCP's are most often
placed in pairs, with both doing the same task. This prevents a small error in
one STP from stopping signaling. I will draw a pseudo-ascii text diagram to
explain what this network looks like.
SCP1 SCP2---. .---SCP3 SCP4
| | | | | | |
| |____|___STP1....STP3___|____|
| | / : : \\\\ | |
| /.---STP2....STP4---. |
|____/____/_.| |._\\\\____\\\\__|
/ / \\\\ \\\\
/ / \\\\ \\\\
SSP1 SSP2
# # # # # # #
That may be the worst ascii diagram in existence. Never the less, I will try
and explain it and hopefully you will see what it represents. #'s shows
subscribers connected to their local switch(SSP1 and SSP2). SSP1 and SSP2 are
both connected to a pair of STPs. The two STP pairs are connected to each
other. They also have links to SCPs for advanced call processing. Study that
poorly made ascii and this explaination for a bit and it should come to you.
SS7 signaling links
-----------------------------
SS7 signaling links are all the same. They are classed however, on there use
in the signaling network. There are 5 link types, A-F.
A Link - These links connect an STP to either an SSP or an SCP.
C Link - These links interconnect pairs of STPs. These are what reduce
network failure by making multiple signaling links available.
B, D and B/D Link - These links interconnect a pair of STPs to another pair of
STPs. These links are either called B,D or B/D but they
all refer to the same link type.
E Link - These links are another link type used only to enhance reliability.
An SSP will be connected to an STP pair through A links. These E links
are the same but link to a secondary, or backup pair of STPs. In case
the main STPs cannot be reached then the second pair will be used.
F Link - These links are used in Associated Signaling only. They do not use
STPs and link directly between two SSPs.
An example phone call over SS7
-------------------------------
I will briefly explain what goes on during a phone call. To help visualise
this I will draw an ascii, but as I suck at ascii diagrams this will probably
confuse you instead.
[asKi diagram]
STP1 ---------- STP2
/ \\\\ / \\\\
/ \\\\ _______/ \\\\
SSP1_______/ \\\\_______________SSP2
| |
Mr. X ...................... Mrs. Y
Voice .
Signaling - or \\\\
Subscriber |
Right now your probably thinking, wtf is that shit. Yes, strangely enough
ascii is not the best graphics format in the world. Basically Mr. X and Mrs. Y
are both connected to their respective switches (SSP). Both switches have two
signaling links, connecting both to STP1 and STP2 (STP Pair). They do not have
a signaling link to each other. I will show this step by step as when i first
wrote this in one big chunk it looked confusing.
1. Now, Mr. X is getting lonely and decides to call Mrs. Y. He picks up the
phone and dials her number. His switch gets the message, and realises it
needs to get to SSP2. SSP1 will select and idle trunk between itself and
SSP2. It sends a message along one of it's signaling links (SSP1-STP1 or
SSP1-STP2). It can use either link, it makes no difference.
2. The STP gets the message and sees the destination is SSP2. It routes the
message along down a signaling link to SSP2.
3. SSP2 receives the message. It checks the line status of Mrs. Y. If the line
is clear it sends a message back saying the line is clear. This message
goes back to the STP. It also completes the call path and sends a ringing
tone over the trunk to SSP1 and rings the line of Mrs. Y.
4. The STP receives the message, checks the destination and routes it to SSP1.
5. SSP1 gets the message. It's at this point that Mr.X is connected to the
trunk and heres the ringing tone.
6. Mrs. Y picks up the phone. SSP2 sends a message over the signaling link
saying the call is answered.
7. The STP check the destination and routes the message to SSP1.
8. SSP1 gets the message. It makes sure that Mr. X is connected and that a
2-way conversation can take place.
9. Mr. X hears his wife coming home. He quickly zips up and hangs up the phone.
Now, SSP1 gets the hangup. It sends a message indicated the call is over.
10. Once again, STP receives and routes message. This should be no suprise by
now.
11. SSP2 gets the message. It checks the message to see which trunk the call
was on. It sets the trunk to idle and sends a message back.
12. STP gets and routes message.
13. SSP1 gets the message. It checks to see which trunk the call was on and
idles it.
Thats a basic phone call.
Layers of the SS7 Protocol
---------------------------
The SS7 protocol is like most other protocols of the day and is layered. These
are the eight layers of SS7.
Physical Layer - Defines the physical and electrical characteristics of the
signaling links. Signaling links carry raw data at 56kps and
utilise DS-0 channels
Message Transfer Part-Level 2 - This provides link-layer functionality. It
makes sure that two end points of a signaling
link can reliably exchange signaling messages.
It incorporates error checking, flow control
and sequence checking.
Message Transfer Part-Level 3 - This extends on MTP-2 to provide network
layer functionality. It ensures that messages
can be delivered between signaling points
regardless of whether there is a direct
signaling link. It has such features as node
addressing, routing, alternate routing and
congestion control.
The MTP-Level 2 and MTP-Level 3 layers together are referred to as the MTP.
Signaling Connection Control Part - This adds to major functions that the MTP
lack. One is the capability to address
applications within a signaling point. The
MTP can only send a receive messages from
a node as a whole, it does not deal with
software applications within a node. While
MTP call-setup messages and
network-management messages are addressed
to a node as a whole, other messages are
used by seperate applications(subsystems).
For example, 1800 call processing. SCCP
allows these subsystem to be explicitly
addressed.
Global Title Translation - The second function performed by SCCP is the
ability to perform incremental routing through the
use of Global Title Translation (GTT). With GTT a
SSP does not need to know every destination point
it may need to route to. It can send a message to
the STP along with a GTT query. The STP will then
find the destination and route the message
appropriately. An example of GTT would be calling
a national number which would connect your to the
closest office. The switch sends the message to the
STP along with a GTT query. The STP checks its
database and routes the call to the correct
destination. The STP may also route to another STP
further down the line which will find the final
destination. GTT can also be used to share load
among paired SCPs. The STP can chose from redundant
SCPs to share the load accross availabe SCPs.
ISDN User Part - This defines the messages and protocol used in the
establishment and tear down of voice and data calls. It is
also used to manage the trunk network which they use. ISUP is
used for both ISDN and non-ISDN calls.
Transaction Capabilities Application Part - TCAP defines messages and protocols
used to communicate between
subsystems in a node. They use SCCP
for transport.
Operations, Maintenance and Administration Part - OMAP defines messages and
protocol to be used to
administrate the SS7 network.
Some of these features are
validating network routing
tables and diagnosing link
troubles. OMAP uses both MTP
and SCCP for routing.
Acronyms Summary
-----------------
I will provide a summary of the acronyms used in this text for ease of
reference.
A Link - Access Link
B Link - Bridge Link
C Link - Cross Link
D Link - Diagonal Link
GTT - Global Title Translation
ISUP - ISDN User Part
MF - Multi Frequency
MTP - Message Transfer Part
OMAP - Operations, Maintenance Administration Part
PSTN - Public Switched Telephone Network
SCCP - Signal Connection Control Part
SCP - Signal Control Point
SS7 - Signaling System 7
SSP - Signal Switched Point
STP - Signal Transfer Point
TCAP - Transaction Capabilities Application Part
Outro
------
This ends this article. This file may quite possibly contain a few errors. The
majority was typed up from memory, and memory is flawed(or at least mine is).
I have purposely not gone into details such as the actual message types sent
during calls. I have also not gone into packet structure on SS7. These things
will be covered in another article. Hopefully, you have a basic idea of how
signaling works after reading this and will see phreaking in a different sense.
.eof.
........[ Basic Linux Security ]......................[ phase5 ]............
. intro
. security policy
. OS installation
. password security
. services and daemons
. tcp wrappers
. logging
. watching your logs
. firewalling
. scan and probe detection
. local access
. outro
. references
[intro]
Basic Linux security texts. There a dime-a-dozen. It seems every person writes
one of these, so heres mine. This is designed for the average home user, who
just uses linux as a desktop OS. It is also aimed at those who maybe offer a
few shell accounts and therefore need to think about local security a bit
more. This is definitely not aimed at those offering many shells, for free or
for profit, or running a server of some kind as alot more securing would need
to be done for those setups.
note: commands will be surrounded by single quotes for readability. these
commands should be typed without the quotes.
[security policy]
First of all you must consider a security policy. Identify your needs,
security over usability. If this is your home box and you don't plan on
letting anyone else telnet, ftp, etc.. into your box then your going to really
lock down on remote access and detection. If you maybe give out a couple of
shells to friends you know then your going to have to relax a little on remote
access and concentrate more on local security. And in either scenario your
going to carefully monitor probes, scans and attacks.
[OS installation]
This is were security beings. Don't just install everything or whatever sounds
cool. Since this is your personal box you don't need (m)any server daemons.
Just install what you need. Know everything your installing. If you keep the
install minimal to your needs this will cut down on both maintenance and
security risks, as the less installed the less chance of a vulnerability. Once
you've installed your system and everything is working your going to want to
update your packages. Look on the web site of the distro you installed and see
if any vulnerabilities have been found for your version. Download and install
all necessary patches. For the paranoid among you, using a different box or a
windows os on the same box should be used to download these patches. This
prevents the newly installed system being vulnerable in this time frame. Once
again, only for the paranoid.
Now, most people would recommend getting the very latest version of your
particular version. The theory is the older versions have many vulnerabilities
and therefore are insecure. However, the latest version is new. It's unknown
and untested. By using the very latest version you are vulnerable to the latest
exploits which may not be publically released or a patch may not yet exist.
However, an older distribution, while having several published exploits, will
also have patches. Obtaining an older version and patching and upgrading it to
fix all known vulnerabilities will lead to a box equal or more secure than the
latest version. This does not mean using a version many years old. A version
one or two release prior to the latest or about one year before the latest
would be a good choice. This is personal preference however and many among
you will undoubtably choose to use the latest. You will have to keep a very
close eye on security mailing lists to make sure you remain vulnerability
free though. (this does not mean using an older version means you don't look
out for new exploits). I will note however i don't follow my own advice and
run a fairly recent distribution.
[password security]
Ok, let's start with the basics. Shadow passwords. Shadow passwords is where
your accounts passwords, normally located in /etc/passwd is moved to another
file, only accessible to root. /etc/passwd must be world-readable as many
things need them for checking uid's & guid's. By using shadow passwords the
passwords are moved to a safe location but the other information is still
accessible. Now, shadow passwords should be turned on during the install. If
not then once you have logged onto your system for the first time run the
command 'pwconv' as root. If that command doesn't exist you are probably
running a very old distro in which case you will need to install a shadow suite
yourself. I can't really be bothered finding one and giving you the url. Use
the net for something other than pr0n and find one.
Another thing which you may wish to implement is PAM[1]. PAM stands for
Pluggable Authentication Module. Basically, it allows you to choose how you
want various applications to authentication users. Most of the latest distro's
come with PAM. As an example of PAM, we will enable md5 hashes for your
passwords. This makes passwords harder to crack. PAM stores it's files in
/etc/pam.d. This directory stores various files for different applications.
Now.. this is what a line will look like before md5 hashes.
password required /lib/security/pam_pwdb.so use_authtok nullok shadow
Note the shadow at the end. This indicates were using shadow passwords. Simply
change this line to the use of md5. The line line looks like this.
password required /lib/security/pam_pwdb.so use_authtok nullok shadow md5
You will need to edit most if not all of the files in this directory. As you
can see PAM easily allows you to change authentication methods without doing
a whole heap of recompiles and configurations.
Just before I finish on passwords, it's best to look through your passwd file
and remove default accounts. Most of them will be disabled anyway (invalid
password field such as an * or X instead of the encrypted password) but they
still shouldn't be there. Such accounts such as nobody, games, etc should be
removed. Also accounts that perform functions such as halt, shutdown, etc.
There will also be accounts things such as mail, news, etc. This are generally
not needed and can be removed.
[services and daemons]
The average linux distro will come with many open ports and services. What
your going to want to do is shut those off. Open up the file /etc/inetd.conf
and comment out (prefix the line with a #) any services you don't need. This
should be all of them except maybe telnet or ftp. Also, you may wish to leave
auth open. Shutting this off shouldn't generally cause any problems though
some servers, such as certain ftp or irc servers may not allow you access.
If your giving out shells or running a small ftp server or what have u then
leave whatever you need uncommented. Don't leave things like telnet open just
for the hell of it, or you want your friends to see your el1te banner and
fjear you. After making the changes to /etc/inetd.conf your will need to
restart the inetd daemon. Either 'killall -HUP inetd' or 'ps aux | grep inetd'
take note of the PID of inetd, then 'kill -HUP PID_OF_INETD'.
When you install linux, most likely a wide variety of daemons and programs
will be loaded at startup. Some of these are useful such as gpm, others are
downright dangerous. Next thing to do is to shut off some of those daemons.
These daemons get loaded every boot. In linux the startup files are found in
/etc/rc.d/rc3.d. To change what's started either
a) run '/usr/sbin/setup' and select System Services
b) run 'chkconfig' this program will list each startup service and display
whether it is off or on for runlevels 0-6. Services can be added and
deleted.
c) enter the directory /etc/rc.d/rc3.d. For services that are active, the
filename will begin will a capital S. For those that are not, the filename
will begin with a capital K or lowercase s. Simply rename files as needed.
[tcp wrappers]
Any decent system these days should be running tcp wrappers. What this is is a
wrapper over a normal daemon. It checks the users host against it's list and
performs actions depending on what is configured. It can allow access and run
the real daemon, deny access, run a program, etc. It should be already
installed and configured. TCP Wrappers uses the files /etc/hosts.allow and
/etc/hosts.deny. Quite obviously, they are lists of who to allow and who to
deny respectively. The format of an entry in these files is service:host:action
First let's configure the hosts.allow file. You will want to allow localhost
access. Do this by entering the following line into the hosts.allow file.
ALL: 127.0.0.1
Note that no action was specified. The default is to allow access. Now, move on
to hosts.deny. The most basic setup would be
ALL:ALL
This will deny access to all hosts on all services. However, you may want a
little more feedback. Perhaps when someone connects to certain ports root is
mailed or a line is added to a special log file. Perhaps you want to keep track
of .gov or .mil address's. You should be logging and monitoring your normal
syslogd logs anyway but maybe you want a seperate, clean log. In this case you
may want to do something like this.
ALL: .gov, .mil: spawn /usr/bin/finger @%h | /bin/mail -s "Gov/Mil Access Attempt from %h using %s" root &
in.telnetd: ALL: spawn /usr/bin/finger @%h | /bin/mail -s "Telnet attempt from %h" root &
In that example whenever a .gov or .mil address attempts to any port then a
mail is sent to root with the address, system and finger info. Also, if
anybody attempts to telnet in then a mail is sent to root with their host and
finger info. btw.. %h and %s stand for host and service respectively. You can
find out the full list through 'man hosts.deny'
You can do anything you want really. Generally, the ALL:ALL deny should be
fine. Note that if you have a service commented out in /etc/inetd.conf then
your wont get a connection log. Hence therefore it is useful to run a simple
script that adds a line to the log of your choice with the service and host.
You may prefer however to do connection logging with a third party logger such
as tcplogd.
[logging]
Logging is a vital part of system security. Without an audit trail, there can
be no hope of finding the intruder or even seeing what happened to your system
For our purposes, logging shall be done via the syslog daemon. This daemon is
started at boot time and should not be turned off. The problem with logs is
that if a intruder manages to obtain root, logs are useless. The solution to
this is to setup a secondary host as a logbox. This means it is just a system
that stores logs. For the home user, this may just be a 386 box connected to
the main box. This logging box should not be running ANY services and should be
completely firewalled off(except for the main box which is sending the logs).
You will also need to implement a third party logging tool for logging
connections. There are plenty of these around. I use tcplogd, which is part
of the snplogd[2] package. This will log basic tcp connects. Your main log
to watch will be /var/log/messages. The majority of logging information will
end up here. Also /var/log/secure will log things such as logins, su's, etc.
[watching your logs]
As we all know, logs grow quickly. It gets hard to keep an eye on them all the
time. This is were log filtering programs come in. These go through your logs,
find bits of interest and do various things from there. One example is
Swatch[3], which will tail a logfile, a when it finds certain user-definable
patterns in the logfile can echo them to screen, beep, run a command, etc.
This can be a way of keeping a xterm or console open watching the log without
superfluous information being displayed, only things of interest.
[scan and probe detection]
Having a secure box is one thing, but that's only one part. You should also
have a good detection system, so you can spot an attack before it happens. A
good utility for this is portsentry[4], which is part of the abacus project.
Basically portsentry will monitor a set of ports, either by binding to them
in basic tcp mode or by watching packets as they come in and checking the
destination in the advanced modes. You set a limit of how many connects to
different ports are allowed before it is considered a portscan. Once a
portscan is detected portsentry takes appropriate action such as adding them
to your /etc/hosts.deny or blocking them with a local packet filter such as
ipchains. Portsentry will also detect the majority of the "stealth" scan types
such as SYN, FIN, XMAS and NULL.
Now, different people argue over whether to automatically block the scanning
person via a local packet filter. Some claim that it's a good option and the
odds of a DoS attack being used against you are very slim. Others say its
stupid and people can make you block things you don't want to block. This is
due to the fact these "stealth" scans are very easily spoofed. I will leave
this decision up to you. However, if you have a decent understanding of your
packet filter you should change the blocking rule so that the even though the
host is blocked you can still open connections to that host, while they cannot
establish a connection to you.
[local access]
Now we've dealt with remote access we now have to deal with the local system.
Assuming an attacker managed to get onto your system or that you let people
have shells on your box, we have to limit the damage that they can do. Before
starting it's best to create a group for priviledged commands. I will use
the group wheel in this example. Add people who need priviledged access to
this group.
Suid Root
Suid stands for Set User ID. Basically, when the program executes it runs as
the UID of the owner. Suid root programs obviously run as uid 0 and as such
can be a source of system weakness's. If you can't figure out why they pose
a potential problem then you need to think a bit harder. Anyway, you should
locate all suid root programs on your system and decide individualy whether
they should stay suid root. These lines will find all suid root programs on
your system.
find / -perm 4777 >> suid.txt
find / -perm 4770 >> suid.txt
find / -perm 4755 >> suid.txt
find / -perm 4750 >> suid.txt
find / -perm 4751 >> suid.txt
find / -perm 4500 >> suid.txt
find / -perm 4555 >> suid.txt
find / -perm 4550 >> suid.txt
find / -perm 4551 >> suid.txt
Check each file and decide if it needs to stay suid. You should. If it doesn't
then a simple 'chmod o-x file' and 'chgrp wheel file' will fix it. Things such
as su should be changed to privlidged group access only.
Remote Root
This is something you don't want. Root should never be able to remotely login.
To remove this ability edit the file /etc/securetty and make sure only local
tty's are listed.
[outro]
I'm too tired to continue so that will wrap up this file. This should give you
a BASIC idea of linux security. If you want more advanced information then I
suggest you go out and learn more about your system. Theres a lot more I
could have added, especially to the local access section but I find it better
if you actually go out and figure out how to do things yourself.
[references]
[1] PAM - Pluggable Authentication Module
ftp://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
[2] snplogd - 3 part of the logging package (tcp,udp,icmp)
http://www.franken.de/users/gauss/snplog/
[3] Swatch, log watcher
ftp://ftp.stanford.edu/general/security-tools/swatch.
[4] portsentry - part of the abacus sentry project
http://www.psionic.com
.eof.
........[ Basic Perl ]................................[ bsdave ]............
So... you want to learn perl, why? because all the 133t h4x0r's know
perl, like bsdave and lymco. Well contrary to popular belief perl is
really simple (not really but its comforting to think so). Read on
and find out...
To use this tutorial you will need a recent'ish linux/bsd because most
come with perl pre-installed. Or if your desperate and waaaay to lame to
install a free unix on your computer you could always go to www.perl.com
and download a version for win32 BUT. Alot of the example programs here
won't work under Win32 because they rely on other programs which are BSD
and linux only, like grep and traceroute etc... So if this is the case you
should probably get a shell account or not be a total fetus-head and learn
about free unix's which is what perl is designed for.
Chapter one, information about Perl:
First off, perl is an interpreted language, which means you don't compile
it and then have a binary of your program. You just pipe it to the perl
interpretar and it follows the commands. Almost like a bash script.
Perl has 2 basic types of variables. All variables begin with a $ sign.
eg $myvariablename. This is so it isn't confused with Perl's command words
like print, and if...
Variables : This is a character or string that holds a defined value.
for example $x = 1, so if you were to print x to the screen you would see
1. In perl you can create empty variables with "my" or "local" but you'll
learn about this later.
Arrays : This is a character or string that holds multiple variables.
for example @X = (1,2,3,4,5) and you could print any of those values to the
screen with $X[variable position -1]. eg $X[2] would print 3 in this instance
because 3 is in the 2nd position. this may seem slightly consfusing but it
really isn't after a while.
Loops: These are the heart of programming,without these every program would
just do the same thing everytime with no input.
if (this happens) {
do this;
}
see?, here's a more real world example,
if ($x=5) {
print "X was five!\\\\n";
}
while (this is happening) {
do this;
}
while ($x<10) {
print "HEEELP! I'm stuck in a loop! press Ctrl+C To stop me!\\\\n";
}
Your first script:
Ok... so now you know some basics we're gunna right a simple script and
deconstruct it, This small program generates a block of IP's for you. you'd
start it with: perl ipmake.pl ip.ip.ip and it'd generate the last octet.
#Title:ipmake.pl - These are comments left for anyone viewing the source.
#Author:bsdave - Anything with a # in front won't be run by perl so you
#================================== - can leave things in here explaining what you script does.
if (length($ARGV[0])==0) { -This here says if there is nothing in perls
print "Usage is: perl ipmake.pl [three octet IP with no trailing .]\\\\n"; -array $ARGV[0] print to the screen that stuff.
} -the "\\\\n" means for perl to press enter.
else { -This says if the if statement isn't right, do this instead.
$ip=$ARGV[0]; -This assigns a value to $ip
$testip=0; -This assigns a value to $testip
while ($testip<255) { -This says that while the number being held by $testip is less then 255
$testip=$testip + 1; -add 1 to it
print $ip . ".$testip\\\\n"; -and print it to the screen like $ip + $testip
} -This ends the 'while' loop.
} -This ends off the 'else' loop that the 'while' loop is in.
Ok that seems simple enough, right? BTW. I should of told you that $ARGV[x] is
an in-built perl array that stands for "Argument Vector" which is basically any
command line input. eg perl myscript.pl $ARGV[0] $ARGV[1] $ARGV[2] etc.
So. you've successfully read your first perl script? do you feel 133ter
already? :). Well here's a challenge and some tips, try to make a script that
counts to a specified number from looking at the script above. The answer
you'll need is in the while loop, you'll need to make your own while loop to do
this but nothing else really. When you've done one scroll down some more and
check out the at the end. :). If its not the same as mine don't worry, mine is
just how I did it, two people never write a script exactly the same. As long as
it looks clean and works its A-OK and correct.
***Answer to this issues challenge number 1: The script that counts to a
specified number.
#Title:count.pl
#Author:bsdave
#==================================
$number = 0;
$finish = $ARGV[0];
while ($number<$finish) {
$number++;
print "$number\\\\n";
}
NB: $number++ tells perl to add one to $number. its common to do this to save
space in a script.
Well thats it for this issue. bye from bsdave. check us out at
http://charisma.rendrag.net or come on over to #charisma on au.austnet.org...
next issue is about opening and handling files. seeya then.
- Bsdave
........[ Outro ].....................................[ phase5 ]............
That's all folks.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³³²ÛÛßÛß ³²ÛÛÛÜÛßß²ÛÛÛÛÛ ³²ÛÛßÛßßß²ÛÛÛÛ³²ÛÛßÛßßß²ÛÛÛÛ ³
³³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛ³²ÛÛÛÛÛ ³²ÛÛÛÛ ³
³³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛß ³²ÛÛÛÛÛ ³²ÛÛÛÛ ³
³³²ÛÛÛÛÛܳ²ÛÛÛÛÛ ³²ÛÛÛÛÛܳ²ÛÛÛÛÛ ³²ÛÛÛÛÛÜܲÛÛÛÛܳ
ÚÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄ¿
³³²ÛÛÛÛÛßß ß ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛßß²ÛÛÛÛ ³²ÛÛßÛßßß²ÛÛÛÛ ³²ÛÛßÛßßß²ÛÛÛÛ ³
³ ßßßßßßß²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛßß²ÛÛÛÜ ³²ÛÛÛÛÛ ³ ³²ÛÛÛÛÛ ³²ÛÛÛÛ ³
³³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛÛ ³²ÛÛÛÛ ³²ÛÛÛÛÛ ³ßÛÛÛÛ ³²ÛÛÛÛÛßßßßßßß ³
³³²ÛÛÜÛÜÜܲÛÛÛÛÛܳ²ÛÛÜÛÜÜܲÛÛÛÛÛܳ²ÛÛÛÛÛ ³²ÛÛÛÛܳ²ÛÛÛÛÛÜܲÛÛÛÛܳ²ÛÛÛÛÛÜܲÛÛÛÛܳ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
v64!MSN^PCS
. EOF .