Hackers and Scanners

Antti Palokangas

Transcript of a PowerPoint presentation

1
Hackers and Scanners
  • Antti Palokangas

2
Hackers & scanners
  • Most scanners are easy to use and widely
    distributed
  • It is no longer a question of if, but when you
    will be probed
  • You may believe that if no one knows about your
    systems, you are secure. Others believe that
    their systems are of no value, so why would
    anyone probe them? But such unprotected systems
    are easy to take over and use, for example, as
    hosts for DDoS attacks

3
What is a script kiddie?
  • Script kiddies can be advanced users or just kids
    who have found a handy tool and some published
    bugs on the Internet
  • Script kiddies look for an easy kill
  • They do this by focusing on a small number of
    exploits and then searching the entire Internet
    at random for systems vulnerable to them
  • Scanners are the key tool for finding exploitable
    systems

4
Example of script kiddie using scanners
  • Step 1: Script kiddie finds a bug nobody else
    knows about, or takes a common exploit from e.g.
    www.cert.org or bugtraq (archived at
    www.securityfocus.com), hoping that the
    administrator of a system hasn't fixed the bug
  • Step 2: Uses tools (e.g. z0ne) to scan random
    networks for live IP addresses. The tool builds
    an IP database which can also be reused later
    (databases may contain over 2 million addresses)

5
Example of script kiddie using scanners
  • Step 3: Scans the IP addresses for information,
    e.g. operating system type, running services,
    system architecture (x86, Alpha, Sparc)
  • Step 4: Breaks into the exploitable systems where
    the bug hasn't been fixed

6
Usefulness of a scanner for a hacker
  • It's important to fix bugs immediately to prevent
    the attacks described above, and to run only the
    services that are needed
  • With the way bug fixes are distributed today, an
    attacker who tries to exploit a known bug before
    it is fixed has only a small time margin: from
    the unpredictable moment the bug becomes known to
    the uncertain moment the administrator installs
    the fix
  • This type of attack may not suit a hacker who
    wants to break into a particular well-administered
    system. But somewhere there is always a system
    that hasn't been updated

7
Usefulness of a scanner for a hacker
  • Finding holes with a publicly known vulnerability
    scanner is probably most useful if the hacker's
    goal is
    - just to break in somewhere
    - terrorist action or vandalism
    - to commit a computer crime anywhere
  • If the target is a specific system known to have
    high security, the hacker should instead
    - find new holes, not the ones already published
      in advisories and bulletin boards, or
    - plant holes using viruses or other distribution
      methods
  • A scanner can still be useful, but it must not be
    easy to detect. The attacker therefore need not
    collect all the information a scanner could
    gather; after all, he may have only a few new
    holes to use, and only needs to know whether
    those are present.

8
Reverse engineering security patches
  • Security patches in software releases are
    routinely reverse engineered: the vulnerability
    they fix is worked out, and similar holes are
    then looked for in other pieces of software.
  • This is relatively slow work (though not very
    slow: reverse engineering a security patch may
    be done in a day), but it does find new holes.
  • Being too confident of security after a scan
    has found no vulnerabilities is quite wrong. A
    security scanner is comparable to an anti-virus
    program: it only checks for known holes and it
    must be kept up to date to remain useful

9
Detecting scanning
  • It may be possible to monitor the network for
    odd behaviour and detect scanning
  • One way is to look for scanning patterns in the
    log files after a scan has occurred (manually or
    automatically, by Intrusion Detection Systems)

10
Detecting a scanner
  • There are programs which detect a scanner:
    Courtney, Gabriel, scan_detector, TCP Wrapper,
    scanlogd, Argus.
  • Some of them use a sniffer, like tcpdump, and
    look for a rapid sequence of short connection
    attempts to many TCP and UDP ports. Others sit
    in front of the services as proxies and log the
    attempts
  • There has been no rise in the number of attacks
    made with SATAN or other scanners.
  • We may assume this is because real attackers
    modify the scanners so that scanning goes
    undetected. It is for instance possible to slow
    down the scan below the rate at which a scan
    detector raises an alarm.

11
Detecting a scanner
  • There are also stealth scanners which leave fewer
    traces of the scan. Jakal and Nmap are stealth
    scanners using a half-open scan: the scanner
    sends a SYN, records the SYN/ACK (open) or RST
    (closed) reply, and never completes the
    handshake.
  • Half-open scanning won't fool e.g. PortSentry,
    tcplogd or Intrusion Detection Systems (IDS),
    which see the SYN on the wire, but it does keep
    the application itself from logging a suspicious
    connection, because the connection never
    completes and is never handed to the application

12
Detecting scanning
  • Courtney detects whether the system has been
    scanned by SATAN or any other similar port
    scanner and notifies the administrator. Courtney
    is a short Perl script which uses the tcpdump
    sniffer.
  • tcpdump is a sniffer which puts a LAN interface
    into promiscuous mode so that all IP packets on
    the segment can be read. tcpdump is also one of
    the more popular programs for traffic
    measurement. Courtney recognises port scanning
    from a rapid sequence of connection attempts to
    many UDP and TCP ports.
  • Gabriel is similar to Courtney, but it is a
    binary written in C and does not use tcpdump. It
    only runs on Sun.
  • Neither of these is very useful nowadays
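The rate-based heuristic that Courtney, scanlogd and similar tools apply (slides 10 and 12), the slow-scan evasion noted on slide 10, and the half-open scan of slide 11, as an added Python example that is not part of the original presentation. The thresholds, the packet record layout and the sample traffic are constructed for illustration; the real tools read packets from tcpdump or a raw socket and use their own tuning.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Heuristic from the slides: a rapid sequence of connection attempts to
# many different ports from one source.  Both thresholds are assumptions.
PORT_THRESHOLD = 7      # distinct destination ports ...
WINDOW_SECONDS = 3.0    # ... seen from one source within this many seconds


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str         # source address
    dport: int       # destination port
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags as tcpdump prints them: "S", "SA", "A", "R"


def is_probe(pkt: Packet) -> bool:
    """Decide whether an inbound packet counts as a connection attempt.

    UDP datagrams count directly.  For TCP only a bare SYN counts, so a
    half-open (SYN-only) scan scores exactly like a full connect() scan:
    the detector works at packet level, below the application that would
    only have logged a completed connection.
    """
    if pkt.proto == "udp":
        return True
    return pkt.proto == "tcp" and pkt.flags == "S"


def detect_scans(packets):
    """Return one (src, first_ts, ports) alert per scanning source."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    alerted = set()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not is_probe(pkt):
            continue
        q = recent[pkt.src]
        q.append((pkt.ts, pkt.dport))
        # Drop probes that have fallen out of the sliding window.  This is
        # exactly what a slow scan exploits: spaced-out probes never pile up.
        while q and pkt.ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= PORT_THRESHOLD and pkt.src not in alerted:
            alerted.add(pkt.src)
            alerts.append((pkt.src, q[0][0], sorted(ports)))
    return alerts


def probes(src, start, interval, proto="tcp", flags="S", ports=range(20, 32)):
    """Constructed traffic: one probe per port, `interval` seconds apart."""
    return [Packet(start + i * interval, src, port, proto, flags)
            for i, port in enumerate(ports)]


# Constructed sample traffic (not captured data):
#   10.0.0.5: fast half-open SYN scan, 12 ports in about a second -> alarm
#   10.0.0.6: the same scan slowed to one probe every 5 s -> evades the window
#   10.0.0.7: one ordinary connection (SYN, then ACK) -> not a scan
SAMPLE = (
    probes("10.0.0.5", 100.0, 0.1)
    + probes("10.0.0.6", 100.0, 5.0)
    + [Packet(100.0, "10.0.0.7", 80, "tcp", "S"),
       Packet(100.01, "10.0.0.7", 80, "tcp", "A")]
)


def scanning_sources(packets=SAMPLE):
    """Addresses the heuristic flags as scanners."""
    return [src for src, _, _ in detect_scans(packets)]


if __name__ == "__main__":
    for src, first, ports in detect_scans(SAMPLE):
        print(f"scan from {src} starting at t={first}: ports {ports}")
```

Running it reports only 10.0.0.5; the slowed scan from 10.0.0.6 touches the same twelve ports but never has seven of them inside one three-second window, which is the evasion the slide describes. Catching it means lengthening the window or keeping per-source state across hours, at the cost of more false alarms from legitimate bursty clients.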

13
Other ways to improve security
  • Scanning a system and finding no bad holes (most
    systems cannot protect against DoS attacks, so
    that vulnerability is always there) may give a
    false feeling of security. There are bugs even
    though they are not found.
  • What one can do is replace the services with
    simpler ones which hopefully have far fewer bugs
    or none at all (if they are very simple, this is
    possible)
  • Usually services are not replaceable; they can
    only be patched and updated
  • A TCP port need not have the real daemon
    listening on it (or inetd starting the service on
    demand, which is another common way). One can
    also wrap the service with the TCP Wrappers
    (tcpd) developed by Wietse Venema, which check
    the client address and log the connection before
    handing it to the real daemon.
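How the tcpd wrapping mentioned above is set up, as an added configuration example that is not part of the original presentation. The service names and the 192.168.1.0/24 network are assumptions; the file formats are those of inetd and the TCP Wrappers package.

```text
# /etc/inetd.conf: inetd starts tcpd instead of the real daemon; tcpd checks
# the client and then executes the daemon named in its argument
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

# /etc/hosts.deny: default for everything not matched in hosts.allow is to
# refuse, and to log the refused probe (%d = daemon, %c = client)
ALL: ALL: spawn (/usr/bin/logger -p auth.notice "tcpd refused %d from %c") &

# /etc/hosts.allow: consulted first; only the local network reaches these
in.ftpd, in.telnetd: 192.168.1.0/255.255.255.0
```

A scanner from outside the listed network still sees the port as open, because inetd accepts the connection, but the real daemon is never started and every attempt is logged; the `spawn` option needs a tcpd built with the extended options language (hosts_options(5)).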

14
Other ways to improve security
  • SOCKS is a proxy technique which is used to build
    circuit-level firewalls. Socksifying all ports is
    one way to stop an intruder from using them
    directly.
  • There are tools (IP Personality, Fingerprint
    Fucker, Stealth Patch, IPlog) which alter your
    operating system's TCP/IP behaviour so that
    Nmap's OS detection is fooled and guesses wrong.
  • Exploits are often OS-specific, so faking the
    fingerprint makes hacking more difficult

15
Other ways to improve security
  • The defender could also set out traps to see if
    the attacker tries them
  • These traps are called honeypots
  • Honeypots should be implemented so that the
    attacker can't do anything harmful, while the
    honeypot administrator gains valuable information
    on the attacker's methods
  • More on honeypots: http://project.honeynet.org/

16
How to test your own vulnerabilities?
  • If you have only one computer, you could use an
    Internet service to scan it for vulnerabilities.
    Several sites do it for free, usually after
    registering.
  • How much do you trust this kind of service?