With the spread of hackers and hacking incidents, the time has come when not only the system administrators of big companies' servers, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their systems. It makes little difference whether you have a static IP or a dynamic one: if your system is connected to the Internet, then there is every chance of it being attacked.

This manual discusses methods of system security analysis and sheds light on how to secure your standalone system (or a system connected to a LAN).
Open Ports: A Threat to Security?
The '-a' option of netstat displays all open connections on the local machine. It also shows the remote system to which we are connected, the port numbers in use on the remote system and on the local machine, and the protocol and state of each connection with the remote system.
For example:

C:\windows>netstat -a

Active Connections

  Proto  Local Address          Foreign Address             State
  TCP    ankit:1031             dwarf.box.sk:ftp            ESTABLISHED
  TCP    ankit:1036             dwarf.box.sk:ftp-data       TIME_WAIT
  TCP    ankit:1043             banners.egroups.com:80      FIN_WAIT_2
  TCP    ankit:1045             mail2.mtnl.net.in:pop3      TIME_WAIT
  TCP    ankit:1052             zztop.boxnetwork.net:80     ESTABLISHED
  TCP    ankit:1053             mail2.mtnl.net.in:pop3      TIME_WAIT
  UDP    ankit:1025             *:*
  UDP    ankit:nbdatagram       *:*
Now, let us take a single line from the above output and see what it stands for:

  Proto  Local Address          Foreign Address             State
  TCP    ankit:1031             dwarf.box.sk:ftp            ESTABLISHED
The above can be broken down as follows:

Protocol: TCP (This can be TCP, the Transmission Control Protocol; UDP, the User Datagram Protocol; or sometimes even IP, the Internet Protocol.)
Local System Name: ankit (This is the name of the local system, set during Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the address of the system to which we are connected.)
Remote Port: ftp (This is the port of the remote system dwarf.box.sk to which we are connected, shown by its service name; ftp is port 21.)
State of Connection: ESTABLISHED
'Netstat' with the '-a' argument is normally used to get a list of open ports on your own system, i.e. on the local system. This can be particularly useful to check whether your system has a Trojan installed or not. Yes, most good antiviral software is able to detect the presence of Trojans, but we are hackers, and do not need software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the 'Scan' button and let some software do it.
The following is a list of Trojans and the port numbers which they use. If you netstat yourself and find any of the following open, then you can be pretty sure that you are infected:

Port 12345 (TCP)    Netbus
Port 31337 (UDP)    Back Orifice
----
The above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? How can I close these open ports? How do I know whether an open port is a threat to my system's security or not? Well, the answers to all these questions will become clear once you read the following paragraphs.
The thing to understand here is that port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023. This range of ports is bound to the services running on them; by this I mean that each port usually has a specific service running on it. There is an internationally accepted mapping of port numbers to services, which specifies on what port number a particular service runs. For example, by default FTP runs on port 21, so if you find that port 21 is open on a particular system, it usually means that that system uses the FTP protocol to transfer files. However, please note that some smart system administrators deliberately run fake services on popular ports, i.e. to fool lamers. For example, a system might be running a fake FTP daemon on port 21: although you get the same interface as the real FTP daemon (banner, response numbers etc.), it might actually be software logging your presence and sometimes even tracing you!!!

The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Networking utilities like your browser, email client or FTP software open a random port within this range and start a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email. If you give the netstat -a command and find that a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that your software applications can do what you want them to do; they are opened temporarily by various applications to perform tasks, and act as a buffer transferring packets (data) received to the application and vice versa. Once you close the application, you find that these ports are closed automatically. For example, when you type www.hotmail.com in your browser, your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.

The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans; however, some applications do tend to use such high port numbers. For example, Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that netstat shows a couple of open ports on your system:

1. Check the Trojan Port List and see if the open port matches any of the popular ones. If it does, then get a trojan remover and remove the trojan.
2. If it doesn't, or if the trojan remover says "No trojan found", then see if the open port lies in the Registered Ports range. If yes, then you have nothing to worry about, so forget about it.
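The following is an added example, not code from the original tutorial, that automates the reading of netstat -a output described above and the two-step check just given. It parses the text layout of the listing, names the range each local port falls in, and looks the port up in the tutorial's trojan list. It tightens step 2 slightly: a port in the Registered range is only waved through when it belongs to an outgoing connection, because a port that is LISTENING in that range still deserves a look. The sample listing, the service-name table and the two extra trojan lines in it are constructed for the demo.

```python
# Added example (not from the original tutorial): parse the text output of
# "netstat -a" on Windows, name the range each local port falls into, and
# apply the tutorial's two checks (trojan list first, then port range).
import re

# The trojan port list exactly as the tutorial gives it.
TROJAN_PORTS = {("TCP", 12345): "Netbus", ("UDP", 31337): "Back Orifice"}

# netstat prints service names for some ports; these are the ones the sample
# below uses (values taken from the standard services file).
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "pop3": 110, "nbdatagram": 138}

# Constructed sample in the layout of the tutorial's listing, with two extra
# lines (a listener on TCP 12345 and a UDP socket on 31337) added for the demo.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ankit:1031             dwarf.box.sk:ftp       ESTABLISHED
  TCP    ankit:1036             dwarf.box.sk:ftp-data  TIME_WAIT
  TCP    ankit:12345            0.0.0.0:0              LISTENING
  UDP    ankit:31337            *:*
  UDP    ankit:nbdatagram       *:*
"""

# proto, local host:port, foreign host:port, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S+)?\s*$")

def port_range(port):
    """IANA range name for a port: 0-1023, 1024-49151, 49152-65535."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def to_port(text):
    """'1031' -> 1031, 'ftp' -> 21, anything unknown -> None."""
    return int(text) if text.isdigit() else SERVICE_PORTS.get(text)

def parse_netstat(output):
    """One dict per connection line; the banner and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lhost, lport, rhost, rport, state = m.groups()
            rows.append({"proto": proto, "local_host": lhost, "local_port": to_port(lport),
                         "remote": f"{rhost}:{rport}", "state": state or ""})
    return rows

def triage_netstat(output):
    """Return (proto, port, range, state, verdict) for every local port found."""
    findings = []
    for c in parse_netstat(output):
        port = c["local_port"]
        if port is None:
            continue
        trojan = TROJAN_PORTS.get((c["proto"], port))
        if trojan:
            verdict = f"trojan port ({trojan}): remove it"
        elif port_range(port) == "registered" and c["state"] not in ("LISTENING", ""):
            verdict = "outgoing client connection: nothing to worry about"
        else:
            verdict = "something is listening here: review it"
        findings.append((c["proto"], port, port_range(port), c["state"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage_netstat(SAMPLE_NETSTAT):
        print(finding)
```

Run it as-is to see the five verdicts, or pipe real netstat -a output into triage_netstat; only the service names in SERVICE_PORTS are translated, so extend that table for your own listing.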
***********************
HACKING TRUTH: A common technique employed by a number of system administrators is remapping ports. For example, the default port for HTTP is normally 80. However, the system administrator could also remap it to port 8080. If that is the case, then the homepage hosted at that server would be at:

http://domain.com:8080 instead of http://domain.com:80

The idea behind port remapping is that instead of running a service on a well known port, where it can easily be exploited, it is better to run it on a not so well known port, as the hacker would find it more difficult to find that service. He would have to port scan a high range of numbers to discover the remapping.

The ports used for remapping are usually pretty easy to remember. They are chosen keeping in mind the default port number at which the service being remapped would normally run. For example, POP by default runs on port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc. Some sysadmins also like to choose port numbers in the following manner: 1234, 2345, 3456, 4567 and so on... Yet another reason why port remapping is done is that on a Unix system, to be able to listen on a port under 1024, you must have root privileges.
************************
Firewalls

Use of firewalls is no longer confined to servers, websites or commercial companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?

Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted, non-reliable systems connected to the Internet. It is software which listens on all ports of your system for any attempt to open a connection and, when it detects such an attempt, reacts according to a predefined set of rules. So basically, a firewall is something that protects the network (or system) from the Internet. The name is derived from the firewalls used in vehicles, which are barriers made of fire-resistant material protecting the vehicle in case of fire.

Now, for a better 'according to the bible' definition of a firewall: A firewall is best described as a software, hardware, or combined hardware and software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guards a trusted network (the internal private network) from an untrusted network (the Internet).

NOTE: This was a very brief description of what a firewall is; I will not be going into the details of their working in this manual.

Anyway, the term 'Firewalls' (which were generally used by companies for commercial purposes) has evolved into a new term, 'Personal Firewalls'. This term is used to refer to firewalls installed on a standalone system which may or may not be networked, i.e. it usually just connects to an ISP. In other words, a personal firewall is a firewall used for personal use.

Now that you have a basic description of what a firewall is, let us move on to why exactly you need to install a firewall. Or, how can not installing a firewall pose a threat to the security of your system?
You see, when you are connected to the Internet, there are millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.

Finding out someone's IP address is not very difficult. Anybody can find out your IP through various chat services, instant messengers (ICQ, MSN, AOL etc.), through a common ISP and numerous other ways. In fact, finding out the IP address of a specific person is not always the priority of some hackers. What I mean by that is that there are a number of scripts and utilities available which scan all IP addresses in a certain range for predefined common vulnerabilities, for example systems with file sharing enabled, or a system running an OS which is vulnerable to the Ping of Death attack, etc. As soon as a vulnerable system is found, they use its IP to carry out the attacks.

The most common scanners look for systems with RATs, or Remote Administration Tools, installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept is quite wide, and one can easily find a vulnerable system in a matter of minutes or even seconds.

Trojan horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: the back door provides future remote access, while the sniffer may reveal important information about you like your other passwords, bank details, credit card numbers, social security number etc. If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you have probably given the attacker the same level of access to your internal network as you have. This would also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.

You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes, that is true, but not completely true. Yes, it does make access to your system when you reconnect more difficult, as you have a dynamic Internet Protocol address. But although this provides a faint hope of protection, routine scanning of the range of IPs in which your IP lies will more often than not reveal your current dynamic IP, and the back door will provide access to your system.
*******************
HACKING TRUTH: Microsoft says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transport, making any connected system visible to scanners—and attackers.
*******************
So how do I protect myself from such scans and unsolicited attacks? Well, this is where Personal Firewalls come in. Just like their name suggests, they protect you from unsolicited connection probes, scans and attacks.

They listen on all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like your browser, email client etc.). As soon as such an instance is recorded, the firewall pops up a warning asking you whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and the port number to which it is trying to connect, i.e. the port to which the packet was sent. It also protects your system from port scans, DoS attacks, vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.

Most personal firewalls have extensive logging facilities which allow you to track down the attackers. Some popular firewalls are:

1. BlackICE Defender: An IDS for PCs. It's available at http://www.networkice.com.
2. ZoneAlarm: The easiest firewall to set up and manage. Get it for free at: www.zonelabs.com
Once you have installed a firewall on your system, you will often get a number of warnings which might seem as if someone is trying to break into your system; however, they are actually bogus messages, caused either by your OS itself or by the process called allocation of dynamic IPs. For a detailed description of these two, read on.

Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing port X. What causes these? Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to whom the IP was assigned earlier was using ICQ or chat programs, was connected to a game server, or simply turned off his modem before his communication with remote servers was complete.

You might even get a message like: such and such IP is trying to initiate a NetBIOS session on port X. This again is extremely common. The following is an explanation of why it happens, which I picked up a couple of days ago:

NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to that IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.
What causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual: it doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:

  DNS in-addr.arpa PTR queries sent to the DNS server
  NetBIOS NodeStatus queries sent to the IP address
  lookups in the /etc/hosts file
  AppleTalk over IP name query sent to the IP address
  RPC query sent to the UNIX NIS server
  NetBIOS lookup sent to the WINS server

Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novell IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed on to the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer. (Side note: Users sometimes complain that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must time out first before the real protocol stack is queried for the server name.)

The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.
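To put the last few paragraphs to work, here is an added example (not code from the tutorial or from any firewall product) that sorts personal-firewall warnings into the explanations given above: NetBIOS name queries to UDP 137 are background noise, non-SYN TCP segments arriving from a server port shortly after dial-in are the tail of the previous holder's session, a SYN to one of the tutorial's trojan ports is a RAT scanner, and anything else is a probe to review. The alert line layout, the dial-in time, the five-minute "stale" window and every address are constructed assumptions; real firewalls each log in their own format, so parse_alert is the part you would adapt.

```python
# Added example (not from the original tutorial): triage the kinds of
# firewall warnings the text describes, using a constructed alert format
# "DATE TIME PROTO SRC:SPORT -> DST:DPORT [FLAGS]" (assumed; real products
# each log in their own layout).
from collections import Counter
from datetime import datetime, timedelta

# Constructed alerts; 198.51.100.23 plays the dial-up host that just connected.
SAMPLE_ALERTS = """\
2001-03-10 21:02:11 UDP 203.0.113.7:137 -> 198.51.100.23:137
2001-03-10 21:02:14 TCP 192.0.2.55:80 -> 198.51.100.23:1043 ACK
2001-03-10 21:02:20 TCP 192.0.2.55:80 -> 198.51.100.23:1043 ACK
2001-03-10 21:05:40 TCP 203.0.113.99:4321 -> 198.51.100.23:12345 SYN
2001-03-10 21:05:41 TCP 203.0.113.99:4322 -> 198.51.100.23:31337 SYN
2001-03-10 21:20:02 TCP 203.0.113.12:2222 -> 198.51.100.23:139 SYN
"""

DIAL_IN_TIME = datetime(2001, 3, 10, 21, 2, 0)   # constructed: when we got the IP
STALE_WINDOW = timedelta(minutes=5)              # assumed: leftovers show up soon after
TROJAN_PORTS = {12345: "Netbus", 31337: "Back Orifice"}  # the tutorial's list

def parse_alert(line):
    """Split one constructed alert line into its fields."""
    date, clock, proto, src, _, dst, *flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto, "src": sip, "sport": int(sport),
        "dst": dip, "dport": int(dport), "flags": set(flags),
    }

def classify(alert, dial_in=DIAL_IN_TIME):
    """Label one alert with the explanation the tutorial gives for it."""
    # Windows name resolution sends NetBIOS NodeStatus queries to UDP/137: noise.
    if alert["proto"] == "UDP" and alert["dport"] == 137:
        return "netbios name query (background noise)"
    # A non-SYN TCP segment from a server port shortly after dial-in is the tail
    # of the previous IP holder's session, not a new connection attempt.
    is_new_conn = alert["proto"] == "TCP" and "SYN" in alert["flags"]
    recent = timedelta(0) <= alert["time"] - dial_in <= STALE_WINDOW
    if alert["proto"] == "TCP" and not is_new_conn and recent and alert["sport"] < 1024:
        return "leftover of previous IP holder's session"
    # A real connection attempt to a known trojan port is a RAT scanner at work.
    if is_new_conn and alert["dport"] in TROJAN_PORTS:
        return f"trojan scan ({TROJAN_PORTS[alert['dport']]})"
    return "connection probe (review)"

def triage_alerts(log, dial_in=DIAL_IN_TIME):
    """Return (label per line, count per label) for a block of alert lines."""
    labels = [classify(parse_alert(l), dial_in) for l in log.splitlines() if l.strip()]
    return labels, Counter(labels)

if __name__ == "__main__":
    labels, counts = triage_alerts(SAMPLE_ALERTS)
    for label in labels:
        print(label)
    print(dict(counts))
```

The counts are what a practitioner would look at first: a log that is mostly "background noise" and "leftover" entries needs no action, while any "trojan scan" entries tell you someone is sweeping your address range for RATs, which is the moment to run the netstat check from earlier in this manual.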
Breaking Through Firewalls

Although firewalls are meant to provide you complete protection from port scan probes etc., there are several holes in popular firewalls waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm versions 2.1.10 to 2.0.26 which allows the attacker to port scan the target system (although normally it should stop such scans).

If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there, IF one uses port 67 as the source port on the packets.
Exploit:

UDP Scan: You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

(Notice the -g67 which specifies the source port.)

TCP Scan: You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

(Notice the -g67 which specifies the source port.)
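To see what the firewall described in the Firewalls section is supposed to do, and why the source-port hole above defeats it, here is an added example: a toy stateful packet filter. It is not code from the tutorial and not ZoneAlarm's implementation. The weak rule set, which waves through anything with source port 67 as if it were a DHCP server reply, is a hypothetical cause assumed here purely for illustration, since the text does not say why ZoneAlarm behaved this way; the hardened rule set shows the fix a defender would apply, matching protocol, source port and destination port together and relying on connection state for replies. All addresses are constructed.

```python
# Added example (not from the original tutorial, and not ZoneAlarm's code): a
# toy stateful packet filter that models the firewall behaviour described in
# the text, with a rule set that trusts a source port beside one that does not.
from dataclasses import dataclass
from typing import Optional

LOCAL = "198.51.100.23"   # constructed address of the protected host

@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None means "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.proto, pkt.proto), (self.sport, pkt.sport), (self.dport, pkt.dport)))

class PersonalFirewall:
    """Allow replies to connections the host opened; otherwise consult the rules;
    otherwise deny and record the probe (the warning the tutorial describes)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.opened = set()   # (proto, remote ip, remote port, local port) we initiated
        self.warnings = []

    def outbound(self, pkt: Packet) -> None:
        """Remember a connection the local host opened so its replies get back in."""
        self.opened.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))

    def inbound(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.opened:
            return "allow"                      # reply to something we started
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "deny":
                    self.warnings.append(f"{pkt.src}:{pkt.sport} -> {pkt.dport}/{pkt.proto}")
                return rule.action
        self.warnings.append(f"{pkt.src}:{pkt.sport} -> {pkt.dport}/{pkt.proto}")
        return "deny"                           # default policy: deny and warn

# Weak (hypothetical, assumed only for illustration): "anything from source
# port 67 is my DHCP server", so the source port alone decides.
WEAK_RULES = [Rule("allow", sport=67, note="trusts the source port alone")]
# Hardened: DHCP server replies are UDP, from port 67, to the DHCP client port 68.
STRICT_RULES = [Rule("allow", proto="UDP", sport=67, dport=68, note="DHCP offer/ack only")]

def exercise(rules):
    """Feed the same three packets to a filter built from `rules`; return verdicts and warnings."""
    fw = PersonalFirewall(rules)
    # 1. Reply to a web request the host itself made (state, not rules, allows it).
    fw.outbound(Packet("TCP", LOCAL, 1043, "192.0.2.55", 80))
    web_reply = fw.inbound(Packet("TCP", "192.0.2.55", 80, LOCAL, 1043))
    # 2. A genuine DHCP server reply.
    dhcp = fw.inbound(Packet("UDP", "198.51.100.1", 67, LOCAL, 68))
    # 3. An unsolicited TCP connection attempt to port 135 whose source port is 67.
    probe = fw.inbound(Packet("TCP", "203.0.113.9", 67, LOCAL, 135))
    return {"web_reply": web_reply, "dhcp": dhcp, "probe": probe, "warnings": fw.warnings}

if __name__ == "__main__":
    print("weak:  ", exercise(WEAK_RULES))
    print("strict:", exercise(STRICT_RULES))
```

Under WEAK_RULES the probe is allowed and, just as the text says of ZoneAlarm, no warning is recorded; under STRICT_RULES the same packet is denied and logged, while the legitimate DHCP reply and the web reply still get through. The lesson for anyone writing or reviewing firewall rules is that a source port is chosen by the sender and proves nothing; an allow rule needs the protocol, the destination port and, for replies, the connection state.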