Attack and Defense practices: hackers are here.

Source: Internet
Author: User

Not long ago, eleven colleagues and I broke into a Windows NT system, the crown jewel of Microsoft, and copied its passwords to our hard disks.
Fred Norwood, information technology manager at El Paso Energy, once asked us: "What do you know about the word 'ply'?" I think the word is "fun".

In a short course recently held in Houston, my companions and I fully enjoyed this "fun". The companies that sent participants, for example Motorola, Electronic Data Systems and a national farm insurance company, wanted their network engineers, auditors and security experts to gain some experience in dealing with hackers like these.

John McGraw, a security technical expert at a large computer service company, said: "This activity gave me a new understanding of the intelligence and capabilities of these attackers. We have a lot of knowledge about network defects, but sometimes new problems and vulnerabilities are hard to prevent."

What follows is an account of the three-day exercise.

Day 1: Finding the Target

On the first day we tried, as our coach Stuart McClure put it, to "find something". First, we searched for public information on the Internet. The Securities and Exchange Commission (SEC) website was our first choice: from it you can obtain basic information about a company, including its subsidiaries and laboratories. It is then easy to start from the subsidiaries and work toward the parent company, because subsidiaries are often the weak point of the security system.

But to save time, we skipped the SEC and went directly to the InterNIC registrar, the domain name registry. After entering a simple "whois" command, we had our target: all the IP addresses of the target web servers, the company's aliases, and the addresses of the secondary domain name servers of its subsidiaries and laboratories. We even learned the type of the server and the name and phone number of the server administrator.

For the IP addresses we had collected, we used some common troubleshooting tools (such as a zone transfer, which is used to copy DNS data from the primary server to a backup server). In this way we obtained a list of the domain names and IP addresses of all machines connected to the target network.

Next, we used a traceroute program to observe the network layout and to find potential access control devices, such as routers, so that we could avoid tripping over them.

Using administrative tools and downloadable hacking tools, we found the open ports and the services offered on them. McClure calls this process "port scanning".

I was mainly responsible for Nmap, a practical network mapper that can be used to find open ports and the network protocols and application services behind them. For example, at the top of our list we saw "port 7 is open; Protocol: TCP; Service: Telnet". In this case, the machine had 10 open ports.

We were excited by this achievement, but it was chilling to think that countless underground hackers could attack a website as easily as we had.

Day 2: "Dancing" at the Root of NT

On this day we met Eric Schultze, 31 years old, known to his friends as the "vacuum cleaner" because he can completely empty out the "insides" of a target. Schultze's performance proved that he lives up to the name.

First we selected the target and tested which servers lacked strict password control and monitoring. We decided to start with the backup domain controller. This type of server stores user names, and its security is low.

Against the target server we created a null session (that is, a connection made without identifying a user). It felt like being a ghost quietly slipping in: I could see everything, the network service password files, user records, even payroll. But I could not touch any of it, because a null session only serves inter-process communication.

We were eager to reach the root access phase (the deepest level of access). But first we had to log out and log back in as a valid user to obtain the encrypted passwords and load them into our password cracking tool.

We tried logging on again with the username "backup", and the machine displayed "The command completed successfully."

I asked Schultze whether network intrusions were making administrators more vigilant and spending more time on passwords, but his answer was no. He said most network administrators still use very easy-to-crack passwords.

In just a few minutes, we had obtained 70% of the simple passwords.

The Microsoft LAN Manager password was the weakest point of the target. LAN Manager divides the password into two halves and encrypts each half separately. Our cracking tools are designed for exactly this situation, so they crack such passwords much faster than UNIX passwords. If LAN Manager were removed, NT systems could not communicate with Windows 95 and Windows 98 systems, so the consequences are hard to imagine.
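The halving that makes LAN Manager passwords so quick to crack can be shown directly. The Go program below is an added example, not code from the article or from the course it describes: it computes the LM hash (upper-case the password, pad to 14 bytes, use each 7-byte half as an independent DES key on the fixed string "KGS!@#$%") and adds an audit check that tells an administrator, from a stored hash alone, whether an LM hash is present and whether the password had 7 characters or fewer. The sample passwords are constructed.

```go
package main
import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// EmptyHalf is "KGS!@#$%" DES-encrypted under an all-zero key: the second half
// of every LM hash whose password has 7 characters or fewer.
const EmptyHalf = "aad3b435b51404ee"

// desKey7to8 spreads 56 key bits over the top 7 bits of 8 bytes; DES ignores
// each byte's low parity bit, so no parity fix-up is needed.
func desKey7to8(k []byte) []byte {
	return []byte{
		k[0] & 0xFE, k[0]<<7 | (k[1]>>1)&0x7E,
		k[1]<<6 | (k[2]>>2)&0x3E, k[2]<<5 | (k[3]>>3)&0x1E,
		k[3]<<4 | (k[4]>>4)&0x0E, k[4]<<3 | (k[5]>>5)&0x06,
		k[5]<<2 | (k[6]>>6)&0x02, k[6] << 1,
	}
}

// LMHash returns the LAN Manager hash of an ASCII password as 32 hex digits.
// Each half depends only on its own 7 characters, so the halves crack independently.
func LMHash(password string) string {
	buf := make([]byte, 14) // upper-cased, zero-padded, truncated to 14 bytes
	copy(buf, strings.ToUpper(password))
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, _ := des.NewCipher(desKey7to8(buf[i*7 : i*7+7])) // key is always 8 bytes
		block.Encrypt(out[i*8:i*8+8], []byte("KGS!@#$%"))      // fixed LM plaintext
	}
	return hex.EncodeToString(out)
}

// AuditLMHash tells an administrator what a stored LM hash gives away.
func AuditLMHash(lm string) string {
	switch lm = strings.ToLower(lm); {
	case lm == EmptyHalf+EmptyHalf:
		return "no LM hash stored (LM disabled or empty password)"
	case len(lm) == 32 && lm[16:] == EmptyHalf:
		return "LM hash stored; password is 7 characters or fewer"
	}
	return "LM hash stored; both halves crackable independently"
}

func main() { // constructed sample password, not taken from any real system
	fmt.Println(LMHash("secret"), AuditLMHash(LMHash("secret")))
}
```

An administrator who sees the second half equal to aad3b435b51404ee in a dump knows the password was at most 7 characters before any cracking starts; the only real fix is to stop storing LM hashes at all.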

With the newly discovered passwords as our weapon, we finally achieved root-level control of the machine.

Coach Ron Nguyen said: "What is the first thing you do when you reach the root level? You just dance there."

Our final step was to hide the hacker toolkit in the readme.txt file on the target server. Schultze said you can completely hide a 10 MB hacker toolkit in such a text file without changing the file's apparent size. The only way for network administrators to catch this is to set up an audit log that alerts them when disk space changes significantly.

Day 3: Taking the UNIX System

"Breaking in at the root level is deep enough." From the third day we were in this phase, and UNIX systems were our targets.

Another coach, Chris Prosise, did not disappoint us either.

At first we got into UNIX with the same techniques we had used on the NT system, but Prosise wanted something a bit more exciting. He taught us how to corrupt the DNS server so that it redirected lookups to an IP address on an "evil.com" server.

He also demonstrated how to attack ordinary HTTP (Hypertext Transfer Protocol) servers. We installed a "Trojan horse" (a remotely executable program) on the machine and communicated with it through a Telnet session; with it we could return to the system without authentication or a password.

Next we started trying it out on four UNIX systems. This time, I thought, it would take a long time.

We learned a great deal from the three-day exercise.

Network and security managers still have a lot to do. The so-called all-encompassing network security system is undoubtedly a one-sided idea. More or less, we all have a little hacker in us, but by studying hacking techniques, information security experts will certainly become better at fighting hackers.
