WARNING: All information in this document is purely for educational purposes only. Anybody using any of this information for illegal or offensive purposes may be brought up on criminal charges and is risking prosecution.
hacker, noun (colloquial): a computer enthusiast; a person who gains unauthorized access to a computer network.
Hackers are everywhere. You see them at home, you see them in offices, you see them in colleges, you even see them in schools. Sipping coffee, and without a care in the world, the tattooed hacker prepares for his next hit. Another unfortunate network begs helplessly for mercy in the hands of this cold-blooded criminal. Of course, you can always blame it on the systems administrator for not taking enough preventive measures. Or has he just done the best he can?
Real hackers are more than reckless youths out on electronic joyrides just looking for some fun. They are computing professionals who know the ins and outs of networks, communications and operating systems. They’re up to date on the latest security issues and keep up with advancing technology. They can gracefully glide into an unsuspecting system, get what they want and leave without a trace. These are the smarter ones, who hack for a purpose. Then there's the destructive kind: the bored hacker who breaks into systems, destroys whatever he sees and moves on to his next victim. These guys don't quit. They don't care. And they can do really bad things.
So, what're you going to do about it?
This document serves as a starting point to UN*X users who are unaware
of computer security measures, but want to know more. I’ll start with a
few tips on how you can maintain computer security on your UN*X system
and then go on to using a security auditing tool called SATAN. I have also
included some Linux specific instructions on installing SATAN, since the
version available on the web does not compile with the new distributions
of Linux. These instructions include fixes to some minor bugs in the code
which are not available anywhere else.
Starting point:
Watch out for those hackers
· READ THE LOGS!! The logs are usually kept in /var/logs or /var/spool/logs. Read them. See if they remain consistent. Look out for unfamiliar events. Install tcpd (TCP Wrappers). It helps in logging incoming telnet, FTP, ping, finger and other such requests, requests which could reveal a lot of information about your system and network.
· Limit the number of SUID programs on your system. There is no need to have SUID programs unnecessarily lying around all over the place. A buggy or damaged SUID program could mean instant root access.
· Encrypt your packets. Network sniffing is one of the best, if not the best way to acquire passwords. A packet sniffer installed on a hijacked machine can yield hundreds of passwords effortlessly.
· Don’t use stupid passwords. Stupid passwords = easy access. Passwords like "password" and (your name here) are a disaster waiting to happen. Don’t use your name, don’t use your number, don’t use your mother’s name, don’t even use your dog’s name. If a hacker is desperate enough, he’ll try it all. To make matters worse, these passwords can be cracked easily by public domain programs like Crack. Crack works with wordlists. It tries every word in the wordlist, which can consist of names, places, keyboard patterns ("qzwxecrv") etc.
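A shell script for the SUID tip above, added here as an example and not part of the original article: it lists the SUID/SGID programs on the system and reports any that are not in a baseline you recorded on a known-good installation. The baseline file name /var/lib/suid.baseline is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): enumerate SUID/SGID files
# under a directory and flag any that are not in an approved baseline list.
# The baseline path used in the comments below is an assumption.

# Print every setuid or setgid regular file below $1, one per line, sorted.
# -xdev keeps find on one filesystem so NFS mounts are not walked.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare the SUID/SGID files below $1 with baseline file $2 (one path per line).
# Prints each file that is NOT in the baseline; returns 1 if any were found,
# 0 if the tree still matches the baseline exactly.
suid_audit() {
    root=$1
    baseline=$2
    # -x: whole-line match, -F: fixed strings, -v: keep the unlisted ones
    unexpected=$(list_suid "$root" | grep -v -x -F -f "$baseline" || :)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Typical use: record the baseline once on a freshly installed, trusted system:
#   list_suid / > /var/lib/suid.baseline
# then run the audit from cron and read its output like any other log:
#   suid_audit / /var/lib/suid.baseline
```

A new entry in the output means either a package you installed on purpose (add it to the baseline) or something you need to look at right away.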
What is SATAN?
SATAN (Security Administrator Tool for Analyzing Networks) is a powerful tool for probing networks for security vulnerabilities, written by Dan Farmer and Wietse Venema. It runs on most UNIX computers including Linux.
SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.
For each type of problem found, SATAN offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means to restrict access, or simply disable the service.
What can SATAN do?
SATAN can probe hosts at various levels of intensity. The scanning level is controlled with the configuration file, but can be overruled with command-line switches or via the graphical user interface.
These are well-known problems. They have been the subject of CERT, CIAC, or other advisories, or are described extensively in practical security handbooks. The problems have been exploited by the intruder community for a long time.
SATAN collects information that is available to everyone with access to the network. With a properly configured firewall in place, that should be near-zero information for outsiders.
From here on I will continue with Linux specific instructions on installing SATAN.
Where do I get SATAN?
Linux Users:
ftp://sunsite.unc.edu/pub/Linux/system/network/admin/satan-1.1.1.linux.fixed2.tgz (Note: this is the patched version)
Other Systems:
ftp://ftp.win.tue.nl/pub/security
The official mirror sites, which may have less of a load, are:
ftp://ftp.orst.edu/pub/mirrors/ftp.win.tue.nl
ftp://ftp.mcs.anl.gov/pub/security
ftp://coast.cs.purdue.edu/pub/tools/unix/satan
ftp://vixen.cso.uiuc.edu/security
The file is approximately 300k. Precompiled versions are available but not recommended. A malicious or accidental bug in the program can cause extensive damage. There has already been one instance of a trojan inserted in a Linux SATAN binary.
What do I need to run SATAN?
· At least a 486 with 16MB RAM (for Intel distributions).
· Linux itself along with root access.
· SATAN itself
· A set of BSD-4.4 compatible include files.
· A forms-compatible web browser. Choose one of: Chimera, Arena, Netscape, Mosaic.
· Perl version 5. Get a recent copy (5.003 plus security patches, or better) for other reasons; SATAN itself isn't picky.
Okay, what now?
Untar the sources in your /usr directory. The sources will be copied to /usr/satan-1.1.1. The command used to unpack the files is:
# tar -zxvf satan-1.1.1.linux.fixed2.tgz
Now that the files have been installed, you can get around to compiling them.
# cd /usr/satan-1.1.1
# reconfig (this command checks to see if you have the necessary prerequisites like perl 5 and a compatible browser)
# make linux (compiles SATAN)
Note that the new distributions of Linux will not compile this code. A few modifications have to be made before you can get it up and running. This information is not included anywhere on the web or in other sources, which is a real pain for beginning Linux users.
· In the file satan-1.1.1/include/netinet/tcp.h remove the line #include <linux/socket.h>.
· In the file satan-1.1.1/src/fping/fping.c
- Remove the line #include "../../include/netinet/ip_icmp.h"
- Add the following lines:
#define ICMP_ECHOREPLY 0
#define ICMP_ECHO 8
After this is done, the code compiles with no errors.
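The same two edits as a shell script, added here as an example (it is not from the article or the SATAN distribution) so they can be re-applied after a fresh untar. It takes the SATAN source directory as its argument and keeps a .orig copy of each file it touches.

```shell
#!/bin/sh
# Added example (not from the original article or the SATAN distribution):
# apply the two source edits described above from the shell. Argument: the
# SATAN source directory (/usr/satan-1.1.1 after the install step above).
# Each file is first copied to <file>.orig so the change can be undone.

# 1. include/netinet/tcp.h: delete the '#include <linux/socket.h>' line.
fix_tcp_h() {
    f=$1/include/netinet/tcp.h
    cp "$f" "$f.orig" || return 1
    sed '/^[[:space:]]*#include[[:space:]]*<linux\/socket\.h>/d' "$f.orig" > "$f"
}

# 2. src/fping/fping.c: replace the '#include "../../include/netinet/ip_icmp.h"'
#    line with the two ICMP type definitions fping needs.
fix_fping_c() {
    f=$1/src/fping/fping.c
    cp "$f" "$f.orig" || return 1
    awk '/^[[:space:]]*#include[[:space:]]*"\.\.\/\.\.\/include\/netinet\/ip_icmp\.h"/ {
             print "#define ICMP_ECHOREPLY 0"
             print "#define ICMP_ECHO 8"
             next
         }
         { print }' "$f.orig" > "$f"
}

# Returns 0 when both files carry the fixes: the offending includes are gone
# and both defines are present.
check_fixes() {
    d=$1
    ! grep -q '<linux/socket\.h>' "$d/include/netinet/tcp.h" &&
    ! grep -q 'netinet/ip_icmp\.h' "$d/src/fping/fping.c" &&
    grep -q '^#define ICMP_ECHOREPLY 0' "$d/src/fping/fping.c" &&
    grep -q '^#define ICMP_ECHO 8' "$d/src/fping/fping.c"
}

# Apply both edits, then verify; run this before 'make linux'.
fix_satan_sources() {
    fix_tcp_h "$1" && fix_fping_c "$1" && check_fixes "$1"
}
```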
· If you’re using Netscape Navigator as your browser, you’ll have to add "pl" to the extensions associated with HTML files. This can be found under "Edit/Preferences/Navigator/Applications" on the menu bar.
· If you access the web through a proxy server, remember to disable it.
· Remember, to run SATAN, you have to be running as root.
Using SATAN
Now, we can finally get down to some action. If you’re using a browser that runs under X Windows, you’ll have to start X up and open an X terminal. Then type:
# cd /usr/satan-1.1.1
# ./satan
This starts up the browser and takes you to the SATAN control panel.
What now?
· Click SATAN Data Management.
· Create the new database and name it.
· Go back to the Control Panel and click SATAN Target Selection.
· Enter the hostname of your target (your network host) and the scan level. (Note: do not enter hostnames of computers you don’t have permission to scan.)
· Click Start the Scan.
SATAN now starts probing the target host (and other hosts in the network, if you opted for it) at the level you selected (light, medium or heavy). The time it takes depends entirely on your selections and the size of the network.
After the scan, click on Continue with reporting and data-analysis. SATAN then generates a report of the vulnerabilities of the target host.
And that’s it. If you find any vulnerabilities on your system (which you most probably will), there is a tutorial explaining what the problem is and how it can be fixed.
Analyzing SATAN results
Learning to interpret SATAN results is not an easy task. This is partly because (as the documentation says) there is no "correct" security level. "Good" security is very much dependent on the policies or concerns of the site or system involved.
From the SATAN documentation:
From the control panel in the HTML interface, select SATAN Reporting & Data Analysis. You will then be prompted with a wealth of choices; when first learning to use the tool, the Vulnerabilities section will probably be the one of the most immediate interest. In that section, the By Approximate Danger Level link is a good place to start. If you find no warnings there, congratulations! Note that this does NOT mean that your host is secure - it simply means that SATAN could not find any problems. You might try scanning your targets at a higher level and check this again; in any case, you should investigate the other categories (Hosts and Trust) in the reporting page.
The best way to learn what SATAN can do for you is by using it - scanning networks and examining the results with the Report and Analysis tools can reveal interesting things about your network.
Remember, anyone has access to this information, so act accordingly!
A little bit about SATAN
SATAN is a remote security auditing tool. This means that you don’t need an account or privileges on the targets you are probing. This makes SATAN a good security auditing tool. But, in the wrong hands, this tool could prove extremely dangerous. A hacker could easily add this tool to his hacking tool-chest and use it very effectively. In fact, SATAN would make life much easier for him.
SATAN is a tool which was designed to help improve network security. Don’t put its authors’ work to shame.
For more information on SATAN, follow these links: SATAN, Advisories.
The workaround
Fine. Now you’re worried. "What if someone is running SATAN on my machine?"
The solution to this is: BEAT HIM TO IT!
Run SATAN on your own machine. Fix your problems. Make life harder for him. Make him suffer. Make him sweat. Let him know that you're no stranger to the ways of the world.
There is an alternative to this: use SATAN detectors, software which will keep a watch for network probing by programs like SATAN. One such SATAN detector, called Gabriel, can be found at http://www.lat.com/gabe.htm. Gabriel can be configured to send a pager message, dial a number, shut down the system or just display a warning message on screen when an intruder is detected.
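A small detector in the same spirit, added here as an example (it is not Gabriel and not from the original article): it reads the tcpd (TCP Wrappers) log lines recommended earlier and flags any client that touched several different wrapped services within a few seconds, which is what a SATAN sweep looks like from the target's side. The threshold, window and sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article, and not Gabriel): a small
# detector run over tcpd (TCP Wrappers) syslog lines. A SATAN-style sweep
# shows up as one client hitting many different wrapped services within
# seconds; ordinary users touch one or two. Assumed log format is tcpd's own:
#   '<month> <day> <HH:MM:SS> <host> <daemon>[pid]: [refused ]connect from <client>'
# Timestamps are compared within one day; a sweep across midnight is not joined.

# probe_hunt <logfile> [min_services] [window_seconds]
# Prints one line per suspect client: client, number of distinct services,
# span in seconds, and the service list. Defaults: 3 services within 60 s.
probe_hunt() {
    awk -v min="${2:-3}" -v win="${3:-60}" '
        $0 ~ /connect from/ {
            client = $NF                      # last field: client host/address
            svc = $5; sub(/\[.*$/, "", svc)   # "in.telnetd[412]:" -> "in.telnetd"
            split($3, t, ":")                 # HH:MM:SS -> seconds since midnight
            now = t[1] * 3600 + t[2] * 60 + t[3]
            if (!(client in first)) first[client] = now
            last[client] = now
            if (!((client, svc) in seen)) {   # count each service once per client
                seen[client, svc] = 1
                count[client]++
                list[client] = list[client] (list[client] ? "," : "") svc
            }
        }
        END {
            for (c in count)
                if (count[c] >= min && last[c] - first[c] <= win)
                    print c, count[c], last[c] - first[c], list[c]
        }' "$1"
}
```

Run it against the file tcpd logs to (or pipe the log into it) and treat every line of output as a host to block or investigate.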
Putting it all together
In the end, it all boils down to one thing: trust. A systems administrator would trust a junior with the root password. A host would similarly allow trusted hosts to log in without passwords. Then there’s breach of trust. The junior sells the password to the enemy. And the trusted hosts turn out to be untrustworthy.
The bottom line is, if you’re a systems administrator, don’t trust anybody (unless you really have to).