Demonstration of Hacker Techniques


Cynthia Cullen, Senior Consultant
Bell Communications Research

This demonstration will include several tools that are commonly used by hackers. Tools exist for attacking most network protocols (e.g., TCP/IP, IPX, etc.) The tools I will demonstrate are used against TCP/IP networks; it is by no means a comprehensive list of tools available. Some existing applications and management tools are used as hacking tools. For example, simple network management protocol (SNMP) applications such as cmu-snmp are used to obtain information via SNMP. SNMP has default community strings (passwords) that are often not changed; also the community string is passed as clear text across the network making it vulnerable to be eavesdropping.

Three hacker tools will be demonstrated: rootkit, ttywatcher, and ypgrab. Each of these programs has been around in the hacker community for an extended period of time. These tools were chosen because they can be used to go from no authorized access to totally compromising the ee network.

The general idea is to use ypgrab to gain access to a system. Then, obtain root (administrative) access and install rootkit on the compromised system. Finally, use ttywatcher to compromise systems that attach via ttys to the compromised system.

Ypgrab is used to obtain NIS (Network Information System) tables. The main target (also the default) is the password table. In order to download NIS tables only the domain name is required. Often this is easy to guess. NIS password files often contain hundreds of entries. Once obtained, the passwords are run through a password cracker program. If even one of the passwords is cracked (successfully guessed), access is gained to all systems in that NIS domain. One of a multitude of security weaknesses is then used to obtain root on the NIS servers, slaves or any of the clients.

Once root access is obtained rootkit is installed. Rootkit is used to maintain control of a compromised system and to hide the existence of the hacker.

Rootkit initially was only available to an elite group of hackers. It is a comprehensive set of programs that includes a makefile and documentation. It is used to hide the existence of the hacker on a UNIX system. Initially a hacker must obtain root on the system, then install rootkit making it very difficult to be detected. The program:

Once one system is compromised, ttywatcher is used to compromise other systems that are connected to the compromised system via ttys. Ttywatcher provides a GUI interface that shows all active ttys. The tty connections can be monitored and data can be inserted into the existing connections. Note that all inserted data is displayed to the screen of the connection originator.

These three tools, ypgrab, rootkit, and ttywatcher, are examples of how an intruder who has access to your network can go from no authorized access to total control of the network.

Other tools may be demonstrated as time permits.

rootkit release 1.

After spending tons of time having to do all of this by myself, I finally decided to write a simple makefile to do it for me. Call me a script cracker, but I'm lazy as hell. You don't want to use it, you don't have to. Keep in mind it takes me a max of 40 seconds on a 4/65 to compile and install every program here. Can you beat that by hand? :-) Here is how it works: execute the command: ` make all install ' The following programs will be installed suid root in DESTDIR:

z2: removes entries from utmp, wtmp, and lastlog. es: rokstar's ethernet sniffer for sun4 based kernels. fix: try to fake checksums, install with same dates/perms/u/g.

note: if you do not want these files installed suid (the administrator has a cron to check for suid files, or the like), then type make cleansuid and the suid bits will be removed.

The following programs will be patched and an attempt at spoofing the checksums of the files will be made. Also, these files will be installed with the same dates, permissions, owners, and groups of the originals.

Here are some notes on the patch for `ps`: Here are some notes on the patch for `netstat`: Here are some notes on the patch for `ls` && `du` && `du5` && `ls5`: