HAPPY PLANET- INTELLIGENCE
"Deep in the sea are riches beyond compare.
But if you seek safety, it is on the shore."

Hacking Lexicon

This document explains what people may mean by words. This does not attempt to define how words should be used.

Disclaimer: This document has many omissions and contains much that is apocryphal, or at least wildly inaccurate. This document does not define terms, but only explains what many people mean when they use these terms in the context of information security.

0-day (zero-day)
The term 0-day exploit describes an exploit that is not publicly known. It describes tools written by elite hackers who have discovered a new bug and shared it only with close friends. It also describes some new exploit for compromising popular services (the usual suspects: BIND, FTP services, Linux distros, Microsoft IIS, Solaris servers). Many 0-day exploits are discovered by the victims when hackers use them, or by honeypots.
The term "0-day" describes the fact that the value of an exploit drops quickly as soon as it is announced. The next day it is half as valuable. The second day it is a 1/4 as valuable. Ten days later it is about 1/1000 as valuable as on day 0. This is because script-kiddies quickly use the exploit on computers throughout the Internet, compromising systems before anybody else can get to them.

Contrast: The term 0-day exploit describes the hard-to-use exploits by the discoverer himself (or close friends), in contrast to the easy-to-use scripts employed by script kiddies. For example, a buffer-overflow script will go through many phases as people try to find the right offsets for the target platforms, but will eventually end up as a broad-spectrum aim-and-shoot script that anybody could use.

Key point: One of the dangers of 0-day exploits is BUGTRAQ camping. A hacker discovers all the services running on the target victim and waits for day-0 when the exploit is announced. At that time, the hacker attacks the systems with the new exploit.

Key point: The term "0-day" describes any bit of information in the community, whether it is serial numbers, lists of proxies, or passwords to porn sites. As soon as such information becomes well-known and exploited by large numbers of people, it is then fixed by the victim. Information has a "half-life": the older it is, the less value it has.


128-bit
Generally describes strong encryption, meaning a key too long to be recovered by brute-force search. Web browsers contain an option for 40-bit vs. 128-bit encryption. The United States only allows export of the weaker version in order to allow the government to spy on foreigners, especially during times of war (Author's note: my grandfather worked with the code-breakers in WWII -- it had a major impact indeed on winning the war). However, the U.S. export restrictions can easily be bypassed, allowing many foreigners access to products with 128-bit encryption (example: https://www.ccc.de). Likewise, the restrictions have stifled development within the United States of products that need encryption, such as IEEE 802.11 wireless Ethernet.

Key point: The debate over strong encryption is never ending. Within the United States, law enforcement is constantly lobbying to restrict the use of strong encryption. Many resist, pointing out how often law enforcement already abuses wiretap powers (such as against Martin Luther King). At the same time, companies making products constantly lobby for the easing of export restrictions, so that they can sell strong encryption products abroad. Another funny thing is that the U.S. government's intransigence on this issue has actually led to stronger encryption abroad. U.S. export restrictions (and desire to spy on foreigners) was one of the reasons France relaxed its own law-enforcement bans on encryption use by citizens.

Key point: The random number generators within systems are often weaker than the key itself. For example, when you connect via SSL from your browser to a web server, the two sides choose a key for that session, and that key is chosen with a random number generator. One estimate was that the average 128-bit session key contained only 47 bits of randomness. Other browsers have had even weaker generators, allowing the session key to be recovered in only a few minutes. A 128-bit key is only as strong as the entropy that went into generating it.


2600
2600 Hz is the frequency of the whistle that was provided in Captain Crunch cereal boxes. It also happens to be the in-band signalling tone that older phone systems used to mark a trunk as idle, so whistling it into the line reset the trunk and gave the caller operator-level control of the call.
Culture: This number is often used within the hacking culture. It is the name of a magazine (http://www.2600.com) as well as of a newsgroup (news:alt.2600).


40-bit
The term "40-bit encryption" describes the U.S. encryption export laws (note: in January 2000, the U.S. raised the maximum exportable key size to 64 bits). The U.S. restricts the export of strong encryption technology. Products that include 40-bit encryption or less can freely be exported. Therefore, products like web browsers, wireless communications, DVD keys, etc. all use 40-bit encryption.
Key point: Specialized hardware can decrypt 40-bit keys in real time. The average new desktop has enough horsepower to decrypt 40-bit messages. Thus, many people now consider 40-bit encryption to be simply obfuscated plaintext.

Key point: The term 40-bit often means the RC4 system within browsers.


56-bit
56-bit encryption contains 16-more bits than 40-bit encryption, and is therefore 65536 times more difficult to crack. On the other hand, it is likewise 256 times easier to crack than 64-bit encryption.

Key point: In 1998 the EFF built a custom machine ("Deep Crack") for about $250,000 that could recover a 56-bit DES key in a few days; in January 1999, working together with distributed.net, it recovered a DES key in about 22 hours.

Key point: 56-bit cryptography almost always means DES.


64-bit
In January of 2000, the U.S. government eased its export regulations on encryption from 40-bit to 64-bit keys. Presumably, the government would only do so if the NSA had the capability of decrypting 64-bit encrypted messages. It is interesting to note that distributed.net's RC5-64 challenge cracking team of 100,000 computers working for about 2.5 years had managed only to check about 18% of the keyspace. This implies that the NSA has extremely hefty cracking hardware.

802.11 (IEEE 802.11 Wireless)
The IEEE 802.11 standard is for wireless, Ethernet-like LANs. The insecurities in this protocol have popularized the concept of war driving: driving around town looking for all the wireless networks you can sniff or connect to (named after war-dialing).
Status: At the current time (year 2001), 802.11 is completely broken as far as security is concerned. There exist no solutions at this time that companies can use to create secure networks. However, within a couple of years, it is likely that secure standards will be created.

Key point: The following techniques are used in an attempt to secure a wireless network:

SSID (Service Set Identifier)
The SSID provides a basic sort of VLAN: different SSIDs may be active at the same time on the same wireless equipment. In theory, the SSID acts as a sort of password because a user must know it before connecting to the LAN. However, SSIDs are easily sniffed, which means they really provide no additional security.

MAC address filtering
Most access points have the ability to only accept an access control list of specific MAC addresses. This means that only owners of the allowed cards may access the network. However, this provides no additional defense against packet sniffing. Moreover, once MAC addresses have been sniffed, an intruder can reconfigure the MAC address of their own hardware to match an allowed addresses, thereby gaining access to the network.

WEP (Wired Equivalent Privacy)
WEP is the scheme used to encrypt data. At the current time (year 2001), many ways are known to break this scheme.

spread-spectrum radio
Rather than operating at a fixed frequency, 802.11 spreads its signal across a range of frequencies. However, this is done only to increase reliability, and is not intended for security.

802.1X
An update to the standard, IEEE 802.1X (port-based network access control), is being designed to allow standard authentication methods to secure the network. These are likely to include support for PKI, RADIUS, and Kerberos. This should fix most currently known problems.

Key point: An employee leaving the company is likely to know all necessary SSIDs, MAC addresses, and WEP keys in order to get back on the network. This means that they can sit in the parking lot and gain access to the network and/or sniff traffic. Unless better key-management techniques are standardized, 802.11 cannot be securely used in corporate environments.

Key point: Other 802.11 terms:

AP (Access Point)
An 802.11 "access point" is the bridge between a wireless network and the real network. While it is typically built from the same hardware as client machines, it has radically different software.

Point: IEEE 802.11b transmits in the 2.4 GHz radio band (the same as microwave ovens, so it is recommended to keep it away from your body). This band is unlicensed in the United States, which makes it a desirable technology for creating ad-hoc networks. For example, satellite dishes can be used with 802.11 to connect networks up to 30 kilometers apart -- without government licenses.


8-character password
Some systems, like Win9x and Solaris, limit the user to 8 characters in the password.
Key point: Security-conscious users of such systems need to make sure they use a more random mix of characters, because they cannot compensate with long passwords.

Key point: Password cracking such systems is a little easier.

~user
On UNIX, a user's home directory can be referenced by a tilde (~) followed by the login name. For example, "ls ~rob" on my computer lists all the files in "/home/rob".
Key point: Web-servers often allow access to user's directories this way. An example would be http://www.robertgraham.com/~rob.

Key point: A big hole on the Internet is that people unintentionally expose information. For example, the file .bash_history is a hidden file in a person's home directory that contains the text of the commands they've entered into the shell (assuming their shell is bash, the most popular one on Linux). If the home directory is published via ~user, that history may be readable by the whole world.


.forward
On UNIX, a user can place an e-mail address in his ".forward" file. This will cause all e-mail sent to his account to be forwarded to that e-mail address.
This file is a prime target of attackers. If they can overwrite (or create) this file, they can subtly start capturing the user's e-mail. This is especially dangerous if the account in question is the root account. Note that the user doesn't have to know anything about this file or have one on his system: the mere creation of the file by the intruder activates the feature. Furthermore, since the file name starts with a dot, it is normally hidden from the user, so they won't even be aware that the feature exists. A .forward entry can also be a "|program" line that pipes incoming mail into a command, which is one more reason to watch this file.


/dev/null
On UNIX, this is a virtual file that can be written to. Data written to it is discarded. It is similar to the file called NUL on Windows machines.
Key point: When rooting a machine, intruders will often redirect logging to /dev/null. For example, the command ln -s /dev/null .bash_history in the home directory causes bash to write its command history into the void, so no record of the intruder's commands is kept.

Culture: In the vernacular, means much the same thing as black hole. Typical usage: if you don't like what I have to say, please direct your comments to /dev/null.


/etc
The directory on UNIX where the majority of the configuration information is kept. It is roughly analogous to the Windows registry. Of particular interest is the /etc/passwd file, which stores the account list and, on older systems, the password hashes (modern systems move the hashes to /etc/shadow).
Key point: If an intruder can read files from this directory, then they can likely use the information to attack the machine.


/etc/hosts
The file that contains a list of hostname-to-IP-address mappings. In the early days of the Internet, this is how machines found each other: a master hosts file was maintained centrally and downloaded to machines on a regular basis. Then DNS came along, and the hosts file remains like a vestigial appendix, although most resolvers still consult it before DNS. On Windows, this file is stored in %SystemRoot%\system32\drivers\etc.
Hack: If you can write files to a user's machine, you can add entries to the hosts file that point a name at your own machine. For example, add an entry mapping www.microsoft.com to your machine, then proxy all the connections for the user. This allows you to perform a man-in-the-middle attack.


/etc/hosts.equiv
On UNIX, the "hosts.equiv" file lists other hosts that can be thought of as "equivalent" to this one. This machine will therefore "trust" these other machines. Users connecting to this machine from the listed machines will not have to present a password, it is assumed that these other machines have already verified the password.
Analogy: The European Union (EU) doesn't have passport control between countries. You only have to present your passport when entering the first European country, then you can roam freely once inside the union. The "hosts.equiv" file creates a similar union of machines.

Hack: Hackers will target this file. If their target is machine A, they may instead find that A trusts B, and B may be easier to break into first. At that point, the hacker can hop back to A using an account on B. Likewise, if a hacker can write to this file, they can tell the system to trust any other system on the network (including the hackers own machine).

Hack: Older software would do a reverse DNS lookup on a connecting IP address and compare the resulting name against the list. If the hacker controlled the DNS server for that address, s/he could return a trusted domain name and therefore be let into the system. Another older hack is the default "+" entry: a line consisting of just "+" is a wildcard that trusts every host (and "+ +" in a .rhosts file trusts every user from every host).

See also: .rhosts
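Example: The following script, added here and not part of the original lexicon, audits a filesystem tree (for instance a mounted disk image) for the dot-file backdoors described under .forward, /dev/null and hosts.equiv: .forward entries that pipe mail into a command or forward it off-site, "+" wildcard entries in hosts.equiv and .rhosts, and a .bash_history symlinked to /dev/null. The directory tree it scans is constructed in a temporary directory for the demonstration, and example.com as the "local" mail domain is an assumption.

```python
"""Audit a UNIX tree for the dot-file backdoors described above.

Added example, not code from the original lexicon. It looks for:
  * .forward entries that pipe mail into a program or forward it off-site
  * '+' wildcard entries in /etc/hosts.equiv and ~/.rhosts
  * ~/.bash_history symlinked to /dev/null
The sample tree is constructed in a temp directory; "example.com" as the
local mail domain is an assumption for the demo.
"""
import os
import tempfile
from pathlib import Path
from typing import List

LOCAL_DOMAINS = ("example.com",)  # assumption: mail staying here is benign


def audit_forward(path: Path) -> List[str]:
    """Flag .forward entries that run a command or leave the local domain."""
    findings = []
    for line in path.read_text().splitlines():
        entry = line.strip().strip('"')
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("|"):
            findings.append(f"{path}: pipes mail into a command: {entry}")
        elif "@" in entry and entry.rsplit("@", 1)[1] not in LOCAL_DOMAINS:
            findings.append(f"{path}: forwards mail off-site to {entry}")
    return findings


def audit_trust_file(path: Path) -> List[str]:
    """Flag hosts.equiv/.rhosts lines where host or user is the '+' wildcard."""
    findings = []
    for line in path.read_text().splitlines():
        fields = line.split()
        if "+" in fields:  # '+' as host trusts every host; as user, every user
            findings.append(f"{path}: wildcard trust entry: {line.strip()}")
    return findings


def audit_history(path: Path) -> List[str]:
    """Flag a shell history file that has been pointed at /dev/null."""
    if path.is_symlink() and os.readlink(path) == "/dev/null":
        return [f"{path}: history discarded via symlink to /dev/null"]
    return []


def audit_tree(root: Path) -> List[str]:
    """Walk a root (e.g. a mounted image) and collect all findings."""
    findings = []
    equiv = root / "etc" / "hosts.equiv"
    if equiv.is_file():
        findings += audit_trust_file(equiv)
    homes = root / "home"
    for home in sorted(homes.iterdir()) if homes.is_dir() else []:
        if (home / ".forward").is_file():
            findings += audit_forward(home / ".forward")
        if (home / ".rhosts").is_file():
            findings += audit_trust_file(home / ".rhosts")
        findings += audit_history(home / ".bash_history")
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean user (alice) and one backdoored (bob)."""
    (root / "etc").mkdir()
    (root / "etc" / "hosts.equiv").write_text("buildbox.example.com\n+\n")
    alice = root / "home" / "alice"
    alice.mkdir(parents=True)
    (alice / ".forward").write_text("alice@example.com\n")
    (alice / ".bash_history").write_text("ls -la\n")
    bob = root / "home" / "bob"
    bob.mkdir()
    (bob / ".forward").write_text("attacker@mail.example.net\n")
    (bob / ".rhosts").write_text("+ +\n")
    os.symlink("/dev/null", bob / ".bash_history")


def run_demo() -> List[str]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real image, point audit_tree() at the mount point; the checks deliberately run on file contents and symlink targets only, so they work on an offline copy without executing anything from the suspect system.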


/etc/passwd
The UNIX file that contains the account information, such as username, password hash, login directory, and default shell. All normal users on the system can read this file.
Key point: The passwords are stored as one-way hashes, so even though everyone can read the file, it doesn't automatically grant access to the system. However, programs like crack are very effective at recovering weak passwords: they hash guesses (dictionary words and variations) and compare the results against the stored hashes. On any system with many accounts, there is a good chance the hacker will be able to crack some of the accounts if they get hold of this file.

Key point: Modern UNIX systems allow for shadowed password files, stored in locations like /etc/shadow that only root has access to. The normal password file still exists, minus the password information. This provides backwards compatibility for programs that still must access the password file for account information, but which have no interest in the passwords themselves.

Key point: The chief goal of most hacks against UNIX systems is to retrieve the password file. Many attacks do not compromise the machine directly, but are able to read files from the machine, such as this file. Typical examples include:

TFTP
Typical exploit asks for the filename "/etc/passwd". Some systems are misconfigured so that this works.
FTP
Similar to TFTP above, simply asking for the file can get it. Backtracking sometimes works. Sometimes a shell can be exploited to reveal the file.
HTTP
Many custom web-servers (such as built-in ones used for remote management) contain backtrack bugs that can be used to retrieve the file. Example: http://www.robertgraham.com/../../../etc/passwd.
/cgi-bin
A huge number of CGI scripts contain bugs that can be exploited to read files from the system. These include backtracking vulnerabilities, shell vulnerabilities, as well as other stupid mistakes.
Key point: /etc/passwd is a simple text file, with one line per account. The line is broken down into seven columns:

account
The username. Note that a lot of systems ship with well-known names in their default passwd file.
password
A hashed form of the user's password. Because the hashes are not directly reversible, it was once considered acceptable for anybody with access to the system to view them. However, since users often choose weak passwords, hackers run crack programs that guess and hash candidate passwords until a hash matches. For this reason, administrators create a shadow password file that holds the real hashes, in which case this field simply contains "x" or "*".
UID
The user identifier, a unique number like "500" that identifies the user. Internally the system refers to users by number rather than by name. One way to put a backdoor into the system is to place a string like "x500" rather than "500" in this field: a program that reads the file with a lenient atoi()-style conversion parses it as the number "0", which is the UID for root. (A strict parser rejects such a line instead, so the trick only works against sloppy tools, and any non-numeric UID should be treated as a red flag.)
GID
A primary group the user belongs to. The user can belong to secondary groups as configured in /etc/group.
GECOS
Some additional information about the account. For real users, this is often their full human readable name. For other pseudo-accounts, this may be some parameters.
directory
The user's home directory.
shell
The login shell that will be given to the user when they logon.
See also: shadowed passwords
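Example: The following script, added here and not part of the original lexicon, parses the seven-column format described above and reports the patterns an auditor cares about: an empty password field, a second UID 0 account, and the non-numeric "x500" trick, showing what a lenient C atoi()-style parser makes of that field versus a strict parser. The passwd lines it reads are a constructed sample; the account names other than root and daemon are made up for the demonstration.

```python
"""Parse /etc/passwd and flag the backdoor patterns described above.

Added example, not code from the lexicon. The PASSWD text is a constructed
sample; account names other than root/daemon are made up for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rob:x:500:500:Rob:/home/rob:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
helper:x:x500:500:helpdesk:/tmp:/bin/sh
guest::501:501:guest account:/home/guest:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    password: str   # hash, "x"/"*" (shadowed or locked) or "" (no password)
    uid_raw: str    # kept as text so lenient and strict parses can be compared
    gid_raw: str
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-comment line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(PasswdEntry(*fields))
    return entries


def atoi(s: str) -> int:
    """Mimic C atoi(): parse leading digits, return 0 when there are none."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def strict_uid(raw: str) -> Optional[int]:
    """Strict parse: only an unsigned decimal string is a valid UID."""
    return int(raw) if raw.isdigit() else None


def audit(entries: List[PasswdEntry]) -> List[str]:
    """Report empty passwords, extra UID-0 accounts and malformed UIDs."""
    findings = []
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field, no password required")
        uid = strict_uid(e.uid_raw)
        if uid is None:
            findings.append(
                f"{e.name}: non-numeric UID {e.uid_raw!r}; "
                f"a lenient atoi()-style parser reads it as {atoi(e.uid_raw)}")
        elif uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(PASSWD)):
        print(finding)
```

To run it against a real system, replace PASSWD with the contents of /etc/passwd (the file is world-readable, so no privileges are needed); the same seven-field parser applies unchanged to /etc/shadow-less legacy files and to modern ones where the second field is just "x".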


/etc/services
On UNIX, the configuration file /etc/services maps port numbers to named services.
Key point: Its role in life is so that programs can do a getservbyname() sockets call to find out what port they should use. For example, a POP3 email daemon would do getservbyname("pop3", "tcp") in order to retrieve the number 110 that POP3 runs on. The idea is that if all POP3 daemons use getservbyname(), then no matter which POP3 daemon you run, you can always reconfigure its port number by editing /etc/services.

Misunderstanding: This file is a poor way to figure out what port numbers mean: it only maps names to numbers for programs that ask, and says nothing about what is actually listening. If you want to find out what ports programs are using, run lsof (or netstat) to see exactly which ports are bound to which processes. If running lsof is not appropriate, then look the ports up in a more generic reference.

- Robert Graham

Copyright © Happy Planet. All rights reserved.