Misc Basic Info
---------------

 3.1  What are backdoors?

Backdoors are ways into a system that typically bypass a system's security to allow
for quicker, easier, and/or "silent" access. There are several different types of
backdoors, and we'll cover each one.

The first type, which is the one everyone is probably most familiar with, is the type
of backdoor installed by an intruder. After an intruder has gained access to a system
and has managed to achieve administrative authority, the intruder will often install
a quicker or simpler method of entering the system. This type of backdoor can take the
form of a "trojaned" login program (one that still allows regular users to log in,
but gives the intruder instant administrative access without logging the access),
or can be in the form of a daemon or process that listens for the intruder's connection
and gives them full system control once connected. It can be in the form of an extra
user ID with elevated privileges, or even a regular user account that can run a
special program that silently elevates privileges. There are dozens of different
backdoors like this -- some that are standalone backdoors and some that interact with
additional processes and programs to help hide their presence. It can even
be a legitimate existing account, such as a system account, that has increased levels
of access (for example a "guest" account that normally would be ignored by the
administrator but has admin privileges).

A second type of backdoor is the type left by a legitimate administrator of the system.
This is often the "oh crap" backdoor -- when something happens and the administrator
needs a secondary way back into the system. This can be everything from an additional
user that has been added to the system by the administrator with elevated privileges,
to some of the same techniques used by the intruder to create a backdoor. Often this is
done by an administrator that has put together a system for a client or department that
she/he will not have direct control over, but the administrator anticipates being called
upon to fix a problem, and wants to make sure they have a way back in (especially if the
problem is a forgotten administrative password).

A third type of backdoor is one put into a program or operating system component by the
person or persons who wrote the program or operating system. Some of these barely
qualify as a backdoor (they serve a different purpose or are there to support an app or
legacy function), but some are actual backdoors.

There are examples of backdoors in most major operating systems, such as Unix, Netware,
and Windows NT; and additional backdoors that can exist in applications that require
user IDs and passwords, such as web applications. In each operating system section we 
will cover examples of such backdoors.

 3.2  Why should I care about auditing, logging, and accounting?

Any system that creates a trail that can help an administrator determine what has 
occurred previously on a system is something that every intruder needs to be aware of.
Most modern systems are capable of logging and tracing individual user actions, and
these can help an admin determine if an intruder has invaded the system, and perhaps
even where the intruder invaded the system from. There are two main reasons why an
intruder gets caught -- telling someone else about the intrusion, and being caught by
logging and monitoring. Most inexperienced intruders end up doing both, making it
quite easy to be detected and tracked down.

There are two techniques an intruder should use -- eliminate as many traces as possible,
and minimize the traces that cannot be eliminated. If an intruder knows the system that
they are targeting, they can take steps before even accessing the system to minimize
the chances of being caught.

As you will see as we discuss the major operating systems, a lot of systems are not
logging all that they can, and many have little to no logging, auditing, and 
accounting turned on by default.

 3.3  Why should I not just delete the log files?

There are several reasons why an intruder should not delete the log files. For one,
log files typically do not just "disappear". It is possible that a system process or
program might fail if certain log files do not exist. Even simple log files such as
a shell history file should not simply be deleted if it is normal for the file to
exist.

It is usually better to modify the log files to either remove the traces of the
intrusion, or even modify them to show "normal" behavior. It is even possible to
"frame" other people by making the log files look like another person's actions.

A good and experienced intruder will make the logs look like the intruder was never
even there. The logs should only be deleted if there is no other option (and you
feel discovery of your point of origin will occur) or if you are never going to return
to that system.

 3.4  What's a buffer overflow and why do I care?

A buffer overflow is when a programmer has set aside a buffer for data within a program,
and input into that buffer is greater than the size of the buffer. This usually causes
program crashes because typically the "stack" is overwritten. The stack is a holder of
pointers and other data related to running programs in the system. By altering the 
contents of the stack, the flow of processing is changed. Since a common item stored on
the stack is an address, an overrun of a buffer can sometimes rewrite those addresses.

Buffer overflows exist on every system and with a lot of applications. They are 
important to intruders because if the actual contents of the overflow are carefully
crafted, the system can be made to actually execute code. Depending on the system
privileges of the code that contains the overflow (or the privileges associated with
the code), an intruder could use an overflow to elevate privileges.
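To make the "input greater than the size of the buffer" point concrete, here is an
added example (not code from the FAQ) showing the unchecked copy that causes the
problem next to a checked copy that refuses oversized input instead of writing past
the end of the buffer. The buffer size, the function names, and the sample inputs are
all made up for the illustration.

```c
/* Added example: an unchecked buffer copy beside a bounds-checked one.
 * Illustrative code, not from the FAQ; NAME_LEN and the inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the programmer "set aside" 16 bytes for a name */

/* Unsafe: strcpy copies until the NUL in src, so any input longer than
 * NAME_LEN-1 bytes runs past 'name' into whatever sits next to it on the
 * stack (other locals, saved registers, the return address). It is shown
 * only to make the defect visible; nothing below calls it. */
void copy_name_unsafe(char *name, const char *src)
{
    strcpy(name, src);          /* no length check at all */
}

/* Checked: refuse input that does not fit, rather than truncating silently
 * or overflowing. Returns 0 on success, -1 if src is too long for name. */
int copy_name_checked(char *name, size_t name_len, const char *src)
{
    size_t n = strlen(src);
    if (name_len == 0 || n >= name_len)   /* must leave room for the NUL */
        return -1;
    memcpy(name, src, n + 1);             /* n bytes plus the terminator */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    const char *short_in = "alice";
    /* constructed oversized input: 40 bytes, far more than NAME_LEN */
    const char *long_in = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (copy_name_checked(name, sizeof name, short_in) == 0)
        printf("accepted: %s\n", name);
    if (copy_name_checked(name, sizeof name, long_in) != 0)
        printf("rejected: %zu bytes do not fit in a %zu-byte buffer\n",
               strlen(long_in), sizeof name);
    /* copy_name_unsafe(name, long_in) at this point would overwrite the stack */
    return 0;
}
```

The check compares the input length against the buffer size before any byte is
written; that single comparison is what the vulnerable programs in the references
below are missing.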

A couple of great resources on buffer overflows do exist:

    "Smashing The Stack For Fun And Profit" by Aleph1
    http://phrack.infonexus.com/search.phtml?view&article=p49-14

    "The Tao of Windows Buffer Overflow" by DilDog
    http://www.cultdeadcow.com/cDc_files/cDc-351/

 3.5  What is spoofing? And hijacking?

Spoofing is a method of fooling a system into believing that it is a different person
or program, and using that impersonation to gain access to or elevate privileges on
a system. The most commonly thought-of method of spoofing is address spoofing. By
pretending your actions are those of another address, you can possibly bypass security
measures that are tied to a specific address. For example, if IP address 192.168.1.2 is
a trusted address on a target machine, spoofing your address so that you look like you
are coming from that address may gain you access to that target system. Another method
that uses spoofing techniques is hijacking, where an existing channel of
communication is taken over using spoofing techniques, and the hijacked channel is
used to gain access or elevate privileges.

Spoofing can also take place on the system itself. It is possible that certain processes
or system calls assume that by supplying certain parameters you can perform certain 
actions. This is probably more common on the Windows NT platform than others, and it
can be quite complex, but it makes for some of the most interesting hacks. Being able to
perform tasks that even a system administrator cannot perform (such as retrieving
passwords or password hashes) is a typical example of this type of "spoof".

 3.6 What is enumeration?

Enumeration comes in two basic flavors - network and object. Network enumeration is
just what it sounds like, the enumeration, or discovery, of hosts on the network.
Object enumeration (for lack of a better term) is the enumeration of items associated
with a host itself, such as account names and user groups.

 3.7 How do I do network enumeration?

This question has an extremely long answer. Be patient. BTW I used a real live site
for this section (names and addresses changed to protect the lame).

There are several approaches to network enumeration. The traditional method involves
building up a map of the network, by examining WHOIS records, getting the DNS servers,
and starting your queries. Here are the steps:

First we do a whois on the domain name:

  [thegnome@blackhole thegnome]$ whois lametarget.com
  [rs.internic.net]

  Whois Server Version 1.1

  Domain names in the .com, .net, and .org domains can now be registered
  with many different competing registrars. Go to http://www.internic.net
  for detailed information.

     Domain Name: LAMETARGET.COM
     Registrar: NETWORK SOLUTIONS, INC.
     Whois Server: whois.networksolutions.com
     Referral URL: www.networksolutions.com
     Name Server: NS1.LAMETARGET.COM
     Name Server: NS2.LAMETARGET.COM
     Updated Date: 06-dec-1999


  >>> Last update of whois database: Fri, 2 Jun 00 05:45:57 EDT <<<

  The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
  Registrars.

Note the two name servers. We'll attach to one of those to learn about
the lametarget.com domain. Type in nslookup, and at the > prompt, type in
the command to attach to one of the name servers, followed by the command
to do a zone dump:

  [thegnome@blackhole thegnome]$ nslookup
  Default Server:  YourLameISP.net
  Address:  123.456.789.0

  > server NS1.LAMETARGET.COM
  Default Server:  NS1.LAMETARGET.COM
  Address:  xxx.xxx.9.1

  > ls -a LAMETARGET.COM > dump-lametarget.com.txt
  [NS1.LAMETARGET.COM]
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  #########################################
  Received 42093 answers (2047 records).
  >

Wow, look at all those pound signs! We just dumped a ton of records into the
dump-lametarget.com.txt file. The site had a couple of class B's and a bunch of
private addresses. Cool. Let's look at what we got:

  > ls -a LAMETARGET.COM 
  [NS1.LAMETARGET.COM]
  $ORIGIN LAMETARGET.COM.
  dfw-4thflr-l4n          15M IN CNAME    dfw-4thflr-lj4n
  x1                      15M IN CNAME    sb-atha22
  dfw-6thflr-l5si         15M IN CNAME    dfw-6thflr-laser5si
  chi-23rdflr-l5si        15M IN CNAME    chi-23rdflr-laser5si
  washdc                  15M IN CNAME    washdc-02n-l45
  ns                      15M IN CNAME    ns1
  aix                     15M IN CNAME    bkupaix
  ntwks001                15M IN CNAME    ntwk001
  ntwks002                15M IN CNAME    ntwk002
  ntwks003                15M IN CNAME    ntwk003
  ntwks004                15M IN CNAME    ntwk004
  ntwks005                15M IN CNAME    ntwk005
  dfwntpdc001             15M IN CNAME    dfwntpdc001
  dfwntbdc001             15M IN CNAME    dfwntbdc001
  dfwntdev001             15M IN CNAME    dfwntdev001
  ftp                     15M IN CNAME    www
  wwwdev                  15M IN CNAME    www2
  ..

Both the first column and the last column hold host names. If they
match, you have the exact name. If they don't, the first column is an alias
for the "real" host name in the last column. We can tell a number of interesting
things from this list. The dfw-*-* listings are in fact printers. We can see
the site has printers in Dallas/Ft.Worth and Chicago, and something in 
Washington, D.C. The ntwks* names are apparently NT workstations, and we have
the names of NT Primary and Backup Domain Controllers in the Dallas/Ft.Worth
area. We have AIX systems. Also note that there is a www server, with an
alias of ftp, which means that the web server doubles as an ftp server. And
the www2 box is considered the "web development" server.

You can do lookups on each one of the addresses in the right column and get
the IP addresses. This can be tedious with our list of 2047 devices, so it is
best to automate the process with a little scripting. The advantage is that
you can often determine what is what and where it is located, as in our
example. In fact, in this particular example we found four other domains and
all of the private addresses, and mapped the entire company!
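The "little scripting" mentioned above, as an added example that is not part of the
FAQ: a small C program that parses CNAME lines in the format nslookup printed above
into alias/canonical pairs, follows alias chains to the real host name, flags the
entries where alias and target are identical (the "exact name" case), and counts
hosts by a naming prefix such as "dfw". The embedded dump is a constructed subset of
the listing above; the function names are my own. An administrator can run the same
program over a transfer of their own zone to see exactly what an outsider would learn
from it.

```c
/* Added example: summarize CNAME records from a zone dump. Not from the FAQ;
 * SAMPLE_DUMP is constructed from the listing above and the names are made up. */
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 64
#define NAME_MAX    64

struct cname_record {
    char alias[NAME_MAX];
    char target[NAME_MAX];
    int  self_ref;          /* alias == target: the "exact name" case */
};

/* Constructed subset of the dump shown in the text. */
static const char SAMPLE_DUMP[] =
    "[NS1.LAMETARGET.COM]\n"
    "$ORIGIN LAMETARGET.COM.\n"
    "dfw-4thflr-l4n          15M IN CNAME    dfw-4thflr-lj4n\n"
    "x1                      15M IN CNAME    sb-atha22\n"
    "washdc                  15M IN CNAME    washdc-02n-l45\n"
    "ns                      15M IN CNAME    ns1\n"
    "aix                     15M IN CNAME    bkupaix\n"
    "ntwks001                15M IN CNAME    ntwk001\n"
    "dfwntpdc001             15M IN CNAME    dfwntpdc001\n"
    "ftp                     15M IN CNAME    www\n"
    "wwwdev                  15M IN CNAME    www2\n"
    "..\n";

/* Parse one line of the form "owner TTL IN CNAME target".
 * Returns 1 and fills rec for a CNAME line, 0 for anything else. */
int parse_cname_line(const char *line, struct cname_record *rec)
{
    char owner[NAME_MAX], ttl[16], cls[8], type[16], target[NAME_MAX];
    if (sscanf(line, "%63s %15s %7s %15s %63s", owner, ttl, cls, type, target) != 5)
        return 0;
    if (strcmp(type, "CNAME") != 0)
        return 0;
    snprintf(rec->alias, sizeof rec->alias, "%s", owner);
    snprintf(rec->target, sizeof rec->target, "%s", target);
    rec->self_ref = (strcmp(owner, target) == 0);
    return 1;
}

/* Walk a newline-separated dump; returns the number of CNAME records stored. */
int parse_zone_dump(const char *dump, struct cname_record *out, int max)
{
    int n = 0;
    const char *p = dump;
    while (*p && n < max) {
        char line[256];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;   /* bounded copy */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_cname_line(line, &out[n])) n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Follow alias -> target hops until a name that is not itself an alias.
 * Self-referencing records are not followed; the hop limit guards against loops. */
const char *canonical_name(const struct cname_record *recs, int n, const char *name)
{
    const char *cur = name;
    for (int hop = 0; hop < 8; hop++) {
        int found = 0;
        for (int i = 0; i < n; i++) {
            if (!recs[i].self_ref && strcmp(recs[i].alias, cur) == 0) {
                cur = recs[i].target;
                found = 1;
                break;
            }
        }
        if (!found) break;
    }
    return cur;
}

/* Records whose alias differs from the target (real aliases). */
int count_true_aliases(const struct cname_record *recs, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++) if (!recs[i].self_ref) c++;
    return c;
}

/* Targets whose name starts with prefix, e.g. "dfw" for the Dallas/Ft.Worth hosts. */
int count_targets_with_prefix(const struct cname_record *recs, int n, const char *prefix)
{
    int c = 0;
    size_t plen = strlen(prefix);
    for (int i = 0; i < n; i++)
        if (strncmp(recs[i].target, prefix, plen) == 0) c++;
    return c;
}

int main(void)
{
    struct cname_record recs[MAX_RECORDS];
    int n = parse_zone_dump(SAMPLE_DUMP, recs, MAX_RECORDS);
    for (int i = 0; i < n; i++)
        printf("%-20s -> %s%s\n", recs[i].alias, canonical_name(recs, n, recs[i].alias),
               recs[i].self_ref ? "  (exact name)" : "");
    printf("%d CNAME records, %d real aliases, %d targets starting with dfw\n",
           n, count_true_aliases(recs, n), count_targets_with_prefix(recs, n, "dfw"));
    return 0;
}
```

Feeding it the full dump-lametarget.com.txt instead of the embedded sample gives the
host inventory the text describes; the prefix count is where the location and role
groupings (dfw, chi, ntwks, dfwnt) fall out.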

What if you get nothing, or very little? This means that the site admins have
either prevented zone dumping from the outside, or have split off the "public"
addresses into the public DNS server, and have an internal DNS server with the
private addresses. Don't despair. After cracking that first public system you
