Hacking the Internet: "The Internet Auditing Project"
Hacking the Internet? At first glance that seems impossible. But how
does the security of the Internet as a whole stand? A large-scale
attack on the many small security holes could bring the worldwide
network to its knees in one stroke.
This article first appeared at security-focus.com and was shortened
for the Datenschleuder:
The Internet Auditing Project by Liraz Siri <liraz@bigfoot.com>
Wed Aug 11 1999
Today, when too many people think of security on the Internet,
they think of individual hosts and networks. Alone. Got a problem?
Damn! Must be those damn hacker punks. Again. Keep it to yourself.
Call the Feds, call the New York Times. Make sure we don't get it.
Didn't keep your systems patched? Moron. Don't make us sue you.
With the growing irrelevance of security organizations like CERT
and law enforcement on the Internet, an ever growing number of
attacks are handled in isolation.
Hundreds of millions of Internet users around the world have
become accustomed to an Internet beyond boundaries. One site flows to
the next, a jungle of software, protocols, media and people
connecting, signal, noise, mixing, evolving, together.
It seems silly to ignore the security of the system as a whole,
but we still do. A helpful analogy might be to consider the Internet
more a living organism than a neighborhood. A security compromise
can behave more like a disease than a "break-in". It is
often contagious and can spread. Remotely exploitable security
vulnerabilities are like the natural wounds of the skin. They are
relatively rare, sometimes difficult to squirm through, but once
inside, infection can begin. This article describes the efforts of a
small, independent security research group to audit some 36 million
hosts connected to the Internet for commonly known security
vulnerabilities in an unfocused, low-res scan.
Why? Because we're a curious bunch, because we've been speculating
(rather academically) over the results for several years, and of
course, because we can.
Walk forth in dread
So you want to scan the millions of computers on the Internet from
Japan to Egypt to Florida? Reach out and audit the networks of
Internet Service Providers, corporations, universities, government
facilities, banks and sensitive military installations?
First, take another moment to think about it.
Many people get nervous on the receiving end of an uninvited
security audit, and you'll eventually step on quite a few toes. In
some countries, you can even expect unpleasant house-calls from local
law enforcement which will brand you a criminal for your unusual
efforts. Citizens of a large democracy with many three-letter
agencies should be aware that a fully equipped SWAT team is likely to
tag along.
While this may deter, and possibly comfort, law-abiding readers, a
criminally inclined party is not without its options. Resources are
abundant on the Internet, and many suitable, unsuspecting,
high-bandwidth volunteers are not hard to find, with the modest help
of your favorite bulk auditing software.
Not intimidated? That's the spirit!
Quick & Dirty Overview
Let's take a look at some of the basic ingredients we're going to
need:
Some wheels. (BASS, a Bulk Auditing Security Scanner)
A map. (address search space)
Fuel. (resources)
Wheels
The Internet is getting rather big these days, and exploring its
tens of millions of unique hosts is by no means an easy task.
Manually, we could never get the job done. Fortunately, we can let a
computer (or several) do most of the dirty work, allowing us to
concentrate on coordination and management.
Assuming, of course, we have the right software. In this case,
we're going to need a robust bulk security scanner that can
monotonically run for weeks, even months at a time, efficiently
processing millions of addresses, generating gigabytes of traffic and
surviving everything from broken routing to system shutdowns and
unfriendly sysadmins.
After several weeks of on-off programming, the first alpha
version of BASS, the Bulk Auditing Security Scanner, was ready for
its first test run. Israel was the first target in a series of
trials.
At this point (Sep-Oct 98) BASS could only identify 4 common
security vulnerabilities, but adding more later was a simple matter.
The scan finished on schedule. 110,000 addresses in under 4 hours, on
a dual ISDN 128k connection. We selected the United Kingdom, with an
address space of 1.4 million, for our next trial.
Now that the architecture was stable, we proceeded to
familiarizing BASS with the wonders of CGI and RPC, allowing the
scanner to test for up to 18 widely known security vulnerabilities.
The tests were designed to reduce false positives and false negatives
to a minimum, combining passive (the server's version header) and
interactive (the server's response to ill-formed input: a
buffer overflow, sneaky characters) implementation signatures to
determine vulnerability.
A map
Yeah, well, what I really mean is a really long list of "all"
the computers connected to the Internet. Please note the term "all"
is used loosely ("most" or "the majority" would
probably be more accurate).
An Internet Protocol address, or IP for short, is a 32-bit
integer. This means there are 2^32 (4.3 billion) possible unique IPs,
the IP address space. In practice, only a very small fraction of this
space is really used.
Due to the anarchic nature of the Internet, nobody has any exact
figures on usage statistics, but most estimates (circa Jan 1999)
settle around 100 million users worldwide. The number of computers
online is around an order of magnitude lower (15 million).
In our case, we ended up scanning around 36 million IPs, which we
estimate covered 85 percent of the active address space at the time.
Keep in mind, however, that the Internet is growing very quickly,
so these numbers will get bigger by the time you try this out
yourself. Search for "Internet Surveys" on the web, and get
an updated figure.
Fuel
Swarming the Internet with probes requires some resources,
bandwidth mostly. How much of it you need depends on how flexible
your schedule is. Generally speaking, you're likely to find you need
a lot less of it than you might first imagine.
The good news is that scans are easy to parallelize, so you can
divide the load over as many different computers and networks as you
have access to, to either get the scan finished faster, or to consume
fewer resources from each participating scanning node.
A minor detour, introducing IDDN (the International Digital
Defense Network)
All of this brings us to an interesting idea we've been playing
around with that could dramatically influence Internet security for
the good, if / when it is eventually implemented. Frankly, the idea
deserves an article of its own, but since we are so busy, we will
introduce it here.
Inspired by the high response to cryptographic key challenges,
distributed.net and the SETI effort, we envision a non-profit
foundation, which we like to ambitiously call IDDN, the International
Digital Defense Network, working in the public interest to organize
massively distributed scanning efforts which routinely probe the
Internet for security vulnerabilities. 10,000 participants could
finish a scan cycle every 2-3 days. At the end of a cycle, an
automated system could draw the attention of administrators worldwide
to some of their local security problems, and offer whatever
information and solutions (bug-fixes, patches, workarounds) it has on
database (patches, advisories, exploits). In our opinion, such an
effort is highly practical and could contribute more to the stability
and security of the Internet than the traditional (somewhat
pointless?) brute-force crypto key challenges. We believe organizing
an Internet neighborhood-watch of sorts is in everyone's interests,
especially the Internet's commercial industry, which depends on the
Internet to eventually fulfill its potential for global electronic
commerce.
Let the show begin
Tuesday, 1 December 1998.
We've installed BASS on 8 Unix boxes around the world, each with
at least 512kbps bandwidth. 8 geographically distributed
participants in 5 different countries: Israel (1), Mexico (1),
Russia (2), Japan (2) and Brazil (2). Two machines have already proven
their strength during the scanner's painful debugging sessions. Three
more will join them for the first time when we begin. The others are
backups, ready in case anything goes wrong, and frankly, we have some
concerns.
At 02:00 GMT, we flip the switch, so to speak, activating BASS on
the five participating hosts. Since these have all been configured to
automatically recover from any power failure or unexpected system
shutdown, we really don't have much to do now besides keeping a
lazy eye on progress.
First week
There is definitely a response out there to the scan, but it's
much friendlier than we anticipated. Harmless acts of mindless
automata and mutual curiosity, mostly. Pings, traceroutes, telnet
sessions and finger attempts. Four to eight portscans a day. An
occasional TCP/IP stack exercise, an OS fingerprint, a few mostly
polite e-mails asking why our network was "attacking"
theirs, frequently warning us that crackers may be abusing our
systems and suggesting we look into it. Very mild; we are running into
much less hostility than we expected.
People either don't realize the scope of the scan, or don't care.
On an individual basis, one quick security probe isn't usually enough
to get the local sysadmin to notice. Those who do are probably
security conscious enough to keep their networks up to date anyway,
and confident enough to keep their cool when yet another 13-year-old
punk (who else?) bangs on their network walls.
Oh, did we mention the scanner is precisely on schedule? 12
million hosts scanned by the end of the week, covering the US
government's *.gov domain, Canada, Australia, Europe, and a window to
some of the most intriguing corners of the world: hostile
mind-control regimes like China and Iran, for example, which suffocate
their repressed population's access to free ideas and information,
but are still paradoxically connected (albeit very poorly) to the
Internet. Third-world potentials like India (the world's largest
democracy!) and the rapidly developing countries of the Far East. All
of them as close and accessible as if they were right across the
street, and in a certain way even closer. Computer expertise is rare
in many of these countries, security expertise even rarer. Cracking
into a Chinese computer half a world away, for example, is usually
easier, more interesting, and safer (assuming you are not in Chinese
jurisdiction, of course) than cracking into a comparable western
computer.
Second week
We started the week off by scanning US military networks.
Admittedly, we were pretty nervous, and spent much of the day keeping
an eye out for telltale signs of a pissed-off military retaliation
(also known as "InfoWar" and "spooky shit" in
professional terminology).
In just under 24 hours it was all over, and while we did notice a
significant increase in the number of probes we were getting, to say
we were not impressed by the security of the military network is a
big fat major understatement. This might not be a problem, since
according to NCSC (National Computer Security Center) network
security policies, none of the systems on the public *.mil network
could qualify for the storage and handling of classified DoD
(Department of Defense) information. How strictly these policies are
adhered to is another matter. And even if they are (and this is a
_big_ if), the DoD is still (justifiably) concerned that crackers
might glue together classified information from the little pieces of
unclassified information fragments lying around their *.mil network
(in great abundance). So they have plenty of good reasons to keep
their network secure, but are (un)fortunately doing a pretty lousy
job.
"You're gonna rot in jail" - the legal corner
We began receiving e-mails this week from people with a lot less
tolerance for our activities, most in delayed response to last week's
scans. Some of these were written by lawyers who informed us we were
either supporting or perpetrating acts of computer crime against
their clients. They had notified the authorities (CERT and the FBI
were commonly cited) and threatened to take us to court if we did not
offer our full cooperation in immediately identifying the attacking
party. Right...
The Internet, however, is a public network, and the majority of its
services are used anonymously, by users with which there is no
persistent relationship. The computer world is pure code,
instructions and information, none of which are capable of
discrimination. The computer programmer is the god of a perfectly
obedient universe. This means software, like the law, can inherit the
imperfections of its creator. Poorly written computer and legal code
can allow the system to behave in conflict with the original
intentions of the men who wrote it. Legal loopholes and software
bugs, lawyers and hackers: different sides of the same coin. The only
way to really prevent the abuse of the system is to write better
code.
Third week
Last week. Only the mammoth *.com and half of the *.net domain
left and we're done.
Friday, our Japanese participants discover that a computer on
their company network has been cracked into, one very secure Linux
box running only SSH and Apache 1.3.4. Now this would definitely
send a chill up your spine if you knew just how fanatic our friends
are when it comes to network security. Furthermore, they only
detected the intrusion three days after the fact, which is
unbelievable when you consider the insane monitoring levels they've
been keeping since they agreed to participate in the scan. They would
have noticed any funny stuff, and in fact they did, lots of it, but
none of it came close enough to a security breach to raise any
alarms.
Readers should also note that although a key binary on the cracked
machine had been modified, tripwire and an assortment of other booby
traps failed to detect this had happened. Even a close-up manual
inspection (comparing the contents with a trusted backup, playing
with its name) could not detect any odd behavior. This trick, and
others equally spooky, were achieved by clever manipulation of the
OS's kernel code (dynamically, through a module).
The attacker is using a custom-built software penetration agent.
This is only a hypothesis, but it is strongly supported by the fact
that the entire attack only lasted an incredible 8 seconds! During
this time the attacker manages to log on (over an employee's SSH account,
no less), gain root privileges, backdoor the system, remove any
(standard) traces of its activity and log off.
And wow! If there ever was a crack to appreciate for its
elegance, simplicity, and efficiency, this was it. Whoever they were,
they certainly knew what they were doing, and for the most part
seemed very good at it. But being determined, clever, and
sophisticated just doesn't cut it when you do battle with wizardly
foes (that's us) wielding the great powers of the universe at their
command: dumb luck and clinical paranoia.
IAP cheat-sheet
BEGIN TIME: 02:00, Dec 01, 1998 GMT
END TIME: 08:00, Dec 21, 1998 GMT
Scanning nodes: 5
Jobs per minute: 250
Scan time: 20.24 days
Vulnerabilities tested: 18
Domain count: 7 three-letter domains, 214 national domains (jp, us, uk, de, ca, ...)
Host count: 36,431,374
Vulnerability count: 730,213
Vulnerable host count: 450,000
Statistical output (vulnerability count per service, and its
percentage of the total vulnerability count):

  service     hosts counted   percentage
  webdist              5622        0.77%
  wu_imapd           113183        15.5%
  qpopper             90546        12.4%
  innd                 3797        0.52%
  tooltalk           190585        26.1%
  rpcmountd           78863        10.8%
  bind               132168        18.1%
  wwwcount            86165        11.8%
  phf                  6790        0.93%
  ews                  9346        1.28%
  other                 18K        2.42%

("other" covers vulnerabilities which weren't common enough to
generate statistics for.)
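The cheat-sheet figures, the IDDN sizing from the detour above and the per-service statistics can be cross-checked with a little arithmetic. The block below is an added example, not code from the article or from BASS; it assumes that "Jobs per minute: 250" is the rate of each scanning node (that reading reproduces the 20.24-day scan time), and it embeds a constructed copy of the statistics lines.

```python
# Added example, not part of the original article or of BASS: capacity
# arithmetic for the IAP scan and the proposed IDDN scan cycle, plus a
# recomputation of the cheat-sheet's per-service percentages.
# Assumption: "Jobs per minute: 250" is the rate of each scanning node.

IPV4_SPACE = 2 ** 32          # the 32-bit address space sized in "A map"
IAP_HOSTS = 36_431_374        # cheat-sheet host count
IAP_NODES = 5                 # cheat-sheet scanning nodes
IAP_JOBS_PER_MINUTE = 250     # cheat-sheet rate, assumed per node
IAP_VULN_TOTAL = 730_213      # cheat-sheet vulnerability count
MINUTES_PER_DAY = 24 * 60

# Constructed copy of the cheat-sheet's statistics lines.
IAP_STATS = """\
webdist 5622 hosts counted, 0.77%
wu_imapd 113183 hosts counted, 15.5%
qpopper 90546 hosts counted, 12.4%
innd 3797 hosts counted, 0.52%
tooltalk 190585 hosts counted, 26.1%
rpcmountd 78863 hosts counted, 10.8%
bind 132168 hosts counted, 18.1%
wwwcount 86165 hosts counted, 11.8%
phf 6790 hosts counted, 0.93%
ews 9346 hosts counted, 1.28%
"""

def scan_days(hosts, nodes, jobs_per_minute):
    """Wall-clock days for `nodes` scanners to work through `hosts`."""
    return hosts / (nodes * jobs_per_minute) / MINUTES_PER_DAY

def jobs_per_minute_needed(hosts, nodes, days):
    """Per-node rate needed to finish one full cycle in `days` (IDDN)."""
    return hosts / nodes / (days * MINUTES_PER_DAY)

def address_space_fraction(hosts):
    """Share of the whole 32-bit space that `hosts` addresses represent."""
    return hosts / IPV4_SPACE

def parse_stats(text):
    """Map service name -> vulnerability count from cheat-sheet lines."""
    rows = {}
    for line in text.splitlines():
        service, count = line.split()[:2]
        rows[service] = int(count)
    return rows

def percentages(rows, total):
    """Each service's share of `total`, rounded the way the cheat-sheet
    prints it: two decimals below 10%, one decimal at 10% and above."""
    out = {}
    for service, count in rows.items():
        pct = 100 * count / total
        out[service] = round(pct, 2) if pct < 10 else round(pct, 1)
    return out

def unlisted_remainder(rows, total):
    """Vulnerabilities not attributed to any of the listed services."""
    return total - sum(rows.values())
```

At 10,000 participants a 2.5-day cycle works out to roughly one address per minute per node, which is why the IDDN idea needs so little bandwidth from each volunteer.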
Conclusions
A global fury of half a billion packets, digital signals zipping
back and forth across the planet at the speed of light. Above the
Earth, across the land, under the sea, over satellite microwave,
copper wiring, fiber optics, wireless and undersea cable. Probing
cyberspace. Pretty cool, the kind of power information technology
puts in our hands these days.
Seven hundred thousand vulnerabilities, gaping holes, wounds in
the skin of our present and future information infrastructures, our
dream for a free nexus of knowledge, a prosperous digital economy,
where we learn, work, play and live our lives. Easy pickings, at the
fingertips of anyone who follows in our footsteps, friend or foe.
These open points of penetration immediately threaten the security
of their affiliated networks, putting many millions of systems in
commercial, academic, government and military organizations at a high
risk of compromise. We were stunned to find just how many networks you
would expect to be ultra secure were wide open to attack. Banks,
billion-dollar commerce sites, computer security companies, even
nuclear weapon research centers, goddammit!
Looking at the big picture, the problem gets worse. A catastrophe
in the works. So far, we've been pretty lucky.
Consider the power these insecure networks represent together.
Penetrating and controlling millions of hosts? You couldn't do it
manually, but with the right software, you could automate most of the
dirty work. You'd need a careful network worm, stealthy remote
administration software and a self-organizing network nervous system
by which you could propagate control.
Imagine the implications if this sort of capability ever fell into
the wrong hands. A government (China perhaps), a political terrorist
group or organized crime. On bandwidth alone they could shut down any
part (or all) of the Internet in mammoth DoS attacks. A country, a
portal, a news site, or maybe just InterNIC. Leverage and attention,
for fun and profit. They could "build" the world's largest
distributed supercomputer, or construct an intelligence network
rivalled only by the NSA's Echelon.
Of course, who says only one group can play the game? Struggles
for power in the digital domain could very well develop into the
world's first real information war, with the very future of the
Internet as a free, unregulated supernetwork caught in the crossfire.
Unlikely? Far-fetched? We hope so.
The only thing necessary for the triumph of evil is for good men
to do nothing. Wake up fellow countrymen. Let's get to work.
Whoever wants to learn more about the Japan hack, and also about
a DoS attack on the Russian BASS scanner and about how the Domain
Name System works, will find the full-length text on the web. Next to
it is the source code for the BASS scanner.
http://www.security-focus.com/templates/forum_message.html?forum=2&head=32&id=32
Liraz Siri <liraz@bigfoot.com>, Wed Aug 11 1999