Know Your Enemy
The Attack of the Script Kiddie
Lance Spitzner
My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy is. This military doctrine readily applies to the world of network security. Just like the military, you have resources that you are trying to protect. To help protect these resources, you need to know who your threat is and how they are going to attack. This article does just that: it discusses the methodology and tools used by one of the most common and universal threats, the Script Kiddie.
Who is the Script Kiddie
The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company. Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Sooner or later they find someone vulnerable.
Some of them are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to type "go" at the command prompt. Regardless of their skill level, they all share a common strategy: randomly search for a specific weakness, then exploit that weakness.
The Threat
It is this random selection of targets that makes the script kiddie such a dangerous threat. Sooner or later your systems and networks will be probed; you cannot hide from them. I know of admins who were amazed to have their systems scanned when they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a script kiddie who happened to be sweeping that network block.
If this were limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed; anyone can use them. A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed.
This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very systems that the script kiddies are searching for: the unprotected system that is easy to exploit, the easy kill.
The Methodology
The script kiddie methodology is a simple one: scan the Internet for a specific weakness; when you find it, exploit it. Most of the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First, develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability.
For example, let's say a user had a tool that could exploit imap on Linux systems. First, they would develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP addresses is built, the user would want to determine which systems were running Linux. Many scanners today can easily determine this by sending bad packets to a system and seeing how it responds. Then, tools would be used to determine which Linux systems were running imap. All that is left now is to exploit those vulnerable systems.
You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are not monitoring their systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have exploited a system, they use this system as a launching pad. They can boldly scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the hacker will be held liable.
Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current imap vulnerability. However, let's say that a month from now a new Linux exploit is identified on a different port. Instead of having to build a new database (which is the most time consuming part), the user can quickly review his archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean you are secure.
The more sophisticated hackers implement trojans and backdoors once they compromise a system. Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show up in any of the logs, system processes, or file structure. He builds a comfortable and safe home from which he can blatantly scan the Internet.
These attacks are not limited to a certain time of the day. Many admins search their log entries for probes that happen late at night, believing this is when hackers attack. Script kiddies attack at any time. As they are scanning 24 hours a day, you have no idea when the probe will happen. Also, these attacks are launched from throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the hacker is, but it is 1pm for you.
The Tools
The tools used are extremely simple to use. Most are limited to a single purpose with few options. First come the tools used to build an IP database. These tools are truly random, as they indiscriminately scan the Internet. For example, one tool has a single option: A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects which IP network to scan. Another tool uses a domain name. The tool builds an IP database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million IPs by scanning the entire .com or .edu domain.
Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, the operating system, or the services running on the system. Once the vulnerable systems have been identified, the hacker strikes. Several tools exist that combine all these features together, simplifying the process even further.
How to Protect Against This Threat
There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill: they are looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq is one of the best sources of information.
Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a service, make sure it is the latest version. For examples on how to do this, check out my article Armoring Solaris.
As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on them. I highly recommend upgrading to the latest version of BIND, which you can find at http://www.isc.org/bind.html.
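One way to act on the "log any unauthorized zone transfers" advice is to run a small checker over the name server's query log. The script below is an added example, not part of the original article or of BIND; the log lines are constructed to loosely follow the BIND 9 query-log layout, and the allowed-secondary list is an assumed stand-in for the hosts you would name in allow-transfer.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely following the BIND 9 query-log format
# (assumption: a "queries" logging channel is enabled in named.conf).
SAMPLE_LOG = """\
15-Jan-2000 02:13:07.116 client 192.0.2.53#43210 (example.com): query: example.com IN AXFR -E (203.0.113.5)
15-Jan-2000 02:13:09.220 client 198.51.100.7#51522 (www.example.com): query: www.example.com IN A -E (203.0.113.5)
15-Jan-2000 02:14:41.991 client 198.51.100.7#51523 (example.com): query: example.com IN AXFR -E (203.0.113.5)
15-Jan-2000 02:14:42.004 client 198.51.100.7#51524 (sub.example.com): query: sub.example.com IN AXFR -E (203.0.113.5)
15-Jan-2000 03:01:15.330 client 198.51.100.7#51530 (example.com): query: example.com IN IXFR -E (203.0.113.5)
"""

# Hosts legitimately allowed to pull the zone (constructed: the same
# addresses you would list in the allow-transfer option of named.conf).
ALLOWED_SECONDARIES = {"192.0.2.53"}

# Pull timestamp, client address, zone and query type out of one log line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>[A-Z]+)"
)


def unauthorized_transfers(log_text, allowed):
    """Return {source_ip: [zones]} for AXFR/IXFR requests from hosts not in allowed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on odd entries
        if m["qtype"] in ("AXFR", "IXFR") and m["src"] not in allowed:
            hits[m["src"]].append(m["zone"])
    return dict(hits)


if __name__ == "__main__":
    for src, zones in unauthorized_transfers(SAMPLE_LOG, ALLOWED_SECONDARIES).items():
        print(f"unauthorized zone transfer attempt from {src}: {', '.join(zones)}")
```

A full transfer followed by an incremental one from the same unknown host, as in the sample, is the pattern worth following up on, since that host is building exactly the IP database the Tools section describes.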
Last, watch for your systems being probed. Once identified, you can track these probes and gain a better understanding of the threats to your network and react to these threats.
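Watching for probes means recognising the two shapes the Methodology section describes: one source sweeping a network block for a single service (the imap example), and one source walking the ports of a single host. The checker below is an added example, not from the original article or any particular tool; the log lines are constructed in a generic packet-filter syslog style, and the thresholds are assumptions to tune for your network.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic "firewall drop" syslog style
# (assumption: your packet filter logs SRC=, DST= and DPT= fields).
SAMPLE_LOG = """\
Jan 15 13:02:11 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=143
Jan 15 13:02:11 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=143
Jan 15 13:02:12 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=143
Jan 15 13:02:12 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP DPT=143
Jan 15 13:02:13 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP DPT=143
Jan 15 13:05:40 gw kernel: DROP SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=25
Jan 15 13:05:41 gw kernel: DROP SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=143
Jan 15 13:05:42 gw kernel: DROP SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=110
Jan 15 02:30:00 gw kernel: DROP SRC=192.0.2.99 DST=203.0.113.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=\w+ DPT=(?P<dpt>\d+)")


def find_scans(log_text, sweep_hosts=5, probe_ports=3):
    """Flag horizontal sweeps (one source, one port, many hosts) and
    vertical probes (one source, one host, many ports).  Time of day is
    deliberately ignored: the article's point is that probes come at any hour."""
    by_src_port = defaultdict(set)   # (src, dport) -> {dst}
    by_src_dst = defaultdict(set)    # (src, dst)   -> {dport}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without the expected fields are skipped
        by_src_port[(m["src"], int(m["dpt"]))].add(m["dst"])
        by_src_dst[(m["src"], m["dst"])].add(int(m["dpt"]))
    sweeps = sorted((src, port, len(dsts))
                    for (src, port), dsts in by_src_port.items() if len(dsts) >= sweep_hosts)
    probes = sorted((src, dst, len(ports))
                    for (src, dst), ports in by_src_dst.items() if len(ports) >= probe_ports)
    return {"sweeps": sweeps, "probes": probes}


if __name__ == "__main__":
    result = find_scans(SAMPLE_LOG)
    for src, port, n in result["sweeps"]:
        print(f"sweep: {src} hit {n} hosts on port {port}")
    for src, dst, n in result["probes"]:
        print(f"probe: {src} hit {n} ports on {dst}")
```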
Conclusion
The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value. Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems against this threat.
NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article.
Author's bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.