Hacking Techniques: Issue #2 - Bouncing Attacks

Written by b0iler for http://b0iler.eyeonsecurity.net/


(covered in issue #1)

1. Getting info
  -vuln scripts
  -vuln services
  -vuln people

1.99 Intro

2. Bouncing Attacks
  -proxies
  -wingates
  -shells

2.5 Conclusion

(covered in future issue)

3. Once They Are In
  -logs
  -IDS
  -Rootkits
  -sniffers
  -DDoS
  -RootShell
  -Deface



Intro
Welcome to the 2nd issue of Hacking Techniques.  If you read the first one I am glad to see you liked it enough to want to read this one.  This issue will focus on how hackers bounce their attacks so that they do not get caught and so they use the power of a *nix shell.  As with the first one this tutorial can both be used by hackers and admins.  Hackers will learn how to mount an attack and use proxies to help stay anonymous.  Admins will learn how to prevent themselves from being used in an attack as a proxy and prevent stress.  If you don't know what a proxy is or how to use a wingate you need to read this tutorial.  People who run wingates, proxies, or give shells out also should go over this tutorial as to scare them into securing it.  I'll go over a few other random things such as using routers as wingates, and using wingates to bounce your irc sessions.


Bouncing Attacks
There are a few ways to bounce your attack.  Sometimes it depends on how you are gonna to do the attack, sometimes it depends on what you got on hand.  I will introduce you to 3 ways to bounce you attack.  I will not go into using routers as proxies since wingates are fairly easy to get.  And I will not go over bouncing your attack off an ftp because all (or very close to all) ftp programs are patched to this by now. Not only should hackers read this next part, but so should admins who want to keep themselves from being used in an attack.  Securing their proxies and wingates can help prevent trouble with hackers abusing it. This can save some time and hassle because you will not need to bother with an admin who trying to track down a hacker who used your network to bounce off of.


Bouncing through proxies
Proxies are the most basic way to stay anonomous while on the web.  They are used with your web browser to rely data that you are downloading.  So when you send data to get a webpage it is first sent to the proxy and then to the webpage.  like this:

    [your computer] -> [proxy] -> [website]

Some kinds of proxies, known as cache'ing proxies, will hold local copies of websites people visit.  This makes browsing much faster since ideally the connection between you and the proxy is very fast.  So instead of having to query the website the proxy will just send out the saved (cache'd) copy and save time and resources.  Although this can be a problem as I have had first hand experience with this.  When running lame industries we put a script up that allowed people to check out other users email addresses, image, website, names, country, etc.. all info was optional.  But the script would check if you were an admin of lame industries and if you were it would display users passwords, cookies, allow you to change the status of users.  Now somehow a nice fellow named MaAaX found a cache'ing proxy that had this page cached.  Not only was it cache'd.. but it was the admin version cache'd.  Some admin of the site must have used that proxy to visit that script, so the proxy saved what he saw.  And MaAaX reported this, but he was tricked into reporting it to someone who was not an admin of the site.  That person then used the proxy to get an admin's password from the cache'd page.  Moral of the story? Don't leave sensitive info out for everyone to see, I would suggest not using a proxy when admining a site through http and also to put all scripts which can be used by an admin in a .htaccess protected directory.

Proxies are very easy to find and very easy to use.  To find them try using a program called Proxy Hunter what this program will do is it will scan large ranges of ips for open proxies.  Then it will report them to you so you can try them and see if they require a username and password or if you can use them without.  Another way is to look on the web for lists of proxies, a few good sites for this are:


Don't expect proxies to stay up forever, if one goes down try another.  It is fairly simple to set up basic security for your proxy server, get a good access list restricting who can use it.  Also, as with all programs, check for known security vulnerabilities in the proxy server itself, and vulnerabilities in your firewall, which you set the access list for the proxy server.

To use proxies you need to set up your browser to bounce off of them.  In internet explorer this is done by going to Tools->Internet Options...->Connections->(highlighting your connection)->Settings...->check "Use a proxy server for this connection"->file in the ip or hostname and the port number then press ok, and ok.

To set up Netscape to use a proxy select edit->preferences->advanced->proxies->"Manual proxy configuration" then fill in the hostname or ip and the port number.

In lynx (or Mosaic) you would do this at the command line:

http_proxy="http://proxy.com:80/"; export http_proxy; exec lynx

or exec Mosaic.

Now to validate that the proxy is working go to a site which displays server environment variables from a perl/php script. One such site is http://www.cyberarmy.com/cgi/whoami.pl

One proxy is good for everyday surfing, but what if you are up to alittle more than just that?  (I see that smile on your face)  You need to use a technique called chaining proxies.  What happends is you rely the data transfer from one proxy, to another, to another, to another ... until it reaches the destination.  It is fairly simple to do this, but some proxies don't support it.  Other problems include one proxy is slow it makes the connection timeout, too many proxies that the connection times out, and it takes awhile to find 4 or 5 good proxies.  This should work in almost every browser, put the proxies in the address bar in this format: http://proxy.com:80/http://proxy2.com:80/http://proxy3.com:8000/http://site.com this should connect you to site.com using those 3 proxies and the one you put in your configuration (options, preferences.. what we just did above).  I've also heard that using http://proxy.com;80-_-http://site.com works, but from my experience it tends to be less supported by proxy servers.

Now when I say proxies can be used to bounce a connection to a webpage - I mean webpage.  You cannot use a normal http proxy on anything besides port 80 (the http port.. for webpages).  If you want to bounce connections on other ports try a wingate.

So what if you are using an exploit to mount an attack and you are too lazy to use wingates to connect to your shell?  You can use something like rain.forrest.puppy's libwhisker, which makes it extremely easy to add proxy support to perl scripts.  You can get libwhisker at: http://www.wiretrip.net/rfp/bins/libwhisker/pr4/libwhisker.pm  I haven't really looked for a C/C++ version of something like this, since it's just as simple to connect to a shell, but if anyone knows one please send info to b0iler@hotmail.com

One last thing I will go over for proxies is chaining them together, hackers use this so they have more cover when hacking into a script avalible over port 80. To do this you can put proxy1-_-proxy2-_-proxy3-_- before the url, or you can use a program called MultiProxy to chain anonymous proxies together. What is an anonymous proxy? It is a proxy that will not forward information about you. The main peice of information hackers want to keep secret is their IP address, when a proxy forwards this to a computer it is known as the X-Forward-For. It is a header in the packet which tells the target what computer the proxy is going to send the info to (the hackers IP). Anonymous proxies will leave the X-Forward-For header blank so that the target has no idea where the attack is comming from. You can check if a proxy is anonymous at http://www.cyberarmy.com/cgi/whoami.pl


Bouncing through wingates
Wingates are a type of proxy that allow you to make a telnet connection.  They are intended to be used to allow computers to access the internet through another one, but since many types of wingates allow anyone to connect without a password this can be exploited by hackers and other people to be used to bounce their connection off of.  Here is how this works:

    [hacker's computer] -> [wingate] -> [destination]

This snazzy ascii shows how your data will go through a wingate and then to it's destination.  So the destination sees it as if the data is coming from the wingate.  If you can't see how hackers can use this to their advantage let me explain...

Hackers want to keep their ip hidden, they don't want their target to know where they are coming from.  This is both so they cannot block the attack as easy and so they do not get in trouble if they do get caught.  Using a wingate means that the target doesn't see the hackers ip, it sees the wingate's ip instead.  Most hackers use over 3 wingates when hacking, just to be safe.  Because if an admin caught the hack attempt and contacted the admin of the wingate logs can be used to find the hackers ip.  So if they bounce off of like 5 wingates that means alot more hassle for the attacked admin to go through to find the hacker and the more chance that logs will not be kept or will be deleted by one of the wingate admins.

Bouncing hacking attacks off of a wingate is not the only reason a hacker would use one.  They are also quite handy when going on some irc servers.  The same basic concept applies, the data is bounced off the wingate and then sent to the destination (irc server).  So the irc server sees the connection as comming from the wingate.  This can allow hackers to get around channel bans, get around glines, hide themselves from others, create clones, etc..  Check your options in irc client to figure out how to use them. (with mirc it's known as a SOCKS 4 firewall in the options.)

Since they are useful on an irc, many people on irc tend to be using wingates.  This is why I ported a simple port scanner to irssi (also works with BitchX and maybe Xchat).  This port scanner is editted to only look for port 23 and 1080 the most commonly used ports for wingates, 23 is telnet, 1080 is SOCKS.  What it does is collects people's ips when they enter a channel and then when you issue the command /scan it will check the list of ips for avalible wingates.  There is also easy to use scripts for mirc that do this, a search on google for mirc wingate scanner produced many links.  You can also use tools that scan wide blocks of ips for wingates using tools like wingate scanners.  Here is a tip: find a cable or dsl isp and scan their subnet for wingates.  Many people on fast connections use wingates for their network to split their bandwidth up and since cable they have a static ip they will not change as often.  So do a '/whois user' on someone who is on cable to get their ip, then check all-nettols.com (use "smartwhois") to get their isp's ip range and I scan that for wingates.

Wingates tend to go up and down hourly, this is because sometimes people only need them for awhile and when someone does put one up they get alot of traffic from hackers using them to bounce off of, so instead of wasting their bandwidth they secure the wingate or take it down.  Because of this you need to scan for wingates all the time.  Another reason why irc works good for looking for wingates, you let other people find them for you. =)

Not many hackers just use 1 wingate when hacking. This is how using 4 wingates would work:

    [hacker's computer] -> [wingate] -> [wingate] -> [wingate] -> [wingate] -> [destination]

Using multiple wingates is required for a hacker, they will not just use one, since it would be easy to track them.  But using too many can make things very slow.  Anything over 4 and under 10 would be normal.

So after you scan (this may take awhile, be patient) and get a few wingates how do you connect to them and use them? This is very simple, but tends to be asked all the time on message boards and chatrooms all over the place.  When you telnet to a wingate you need to have it's ip or hostname and the port the wingate is running on.  Normally the port is 23 or 1080.  Now we can only use wingates which don't require a username and password to use.  So after we get a list of them we will need to test and see which work without a login.  Simply get out telnet and connect to that ip and port, wait for the connection and see if it says something like this:

    Wingate>

If it had a login of some sort then you cannot use it.  This is one way admins of wingates can protect themselves, make sure to password protect the wingate so random hackers cannot use it.  Not only can hackers use your wingate, but spammers often use them aswell.  Having spammers send thousands of emails through your wingate is a surefire way to get your isp to cancel your account.  Besides adding passwords you can also secure your wingate by only allowing computers on your LAN to access it, this is how for GateKeeper:

login as Administrator on GateKeeper
Policies -> Default Policies -> Users can access services -> select everyone
Location -> Specify locations from where this recipient has rights ->
add 127.0.0.1 and 192.168.0.* (or whatever ip range your network uses).

To secure Deerfield's wingate simply upgrade to 3.x home version. The home version of 3.x doesn't let anyone connect at default. It's now configured securely by default :D

There are also other terminal's that will appear, it is not allways "Wingate>".  It could be anything, Wingate> is just default on some.

We got connected, now to use the wingate.  Wingates by default will telnet to any ip port you enter, so try to telnet to a server you know is up:

    Wingate> 204.42.253.18:23

Now if you encounter an error this means somethings ether wrong with the ip:port you entered, the ip:port is down, or the wingate is not working.  Also try to do 'telnet ip:port' since that wingate might not telnet at default.  So we got our list of wingates down to a list of working, none passworded wingate.  Now to link them.  Lets say we have the wingates (note, these are fake):

    203.43.25.104 port 23
    214.133.200.20 port 1080
    180.23.56.93 port 23
    194.51.107.68 port 23


To link these we would telnet into the first one:

    telnet 203.43.25.104 23
    Sparky's server 1.03>

Then enter in the ip:port of the next one on the list.

    Sparky's server 1.03> 214.133.200.20 1080
    CDD Proxy Server>

and link the rest..

    CDD Proxy Server> 180.23.56.93 23
    welcome to 180.23.56.93: 194.51.107.68 23

Now A hacker can telnet into a shell account from the last wingate and launch the attack, or if they know how to do some socket programming they can set up exploits to go through wingates themselves.  For the next section , shells, I'll go over how a hacker can use a shell to make his attack.

I have heard from a few people that routers can be used as a wingate, I myself have never done this since there is always plenty of wingates to use if you just scan for them.  But.. using a router as a wingate is very interesting for a number of reasons.  First, a router gets so much traffic that the admin would probably not know if it was being used to bounce an attack.  Routers don't log by default, and since they get alot of traffic not many admins log everything (or they're logs do not last too long) this means there is less of a chance of the hacker getting tracked down.  Routers are pretty much always up and have a fast connection, so if you got a few routers going as wingates you wouldn't have to scan for new ones as much =)

Now don't go out looking for routers just yet, before you can use a router as a wingate you need to have access to use telnet on it.  Unlike wingates which can sometimes allow anyone to run telnet, routers don't.  You will need to hack into the router to beable to use telnet on it to wingate from it.  Of course the number of routers with default passwords (admin:admin) or simple exploits not patched is pretty high from my experience.  Also to note: it might not be a good idea to telnet directly into a router as your first wingate.. if the admin does find out of your break in (and they log) you will have left your real ip.  Hackers will probably use a regular wingate or two before connecting to a comprimized router.  Needless to say, if you admin a router make sure to keep it locked up tight, not only can hackers screw up your network, sniff passwords, redirect data, and generally cause a muck, but they can also use your router as a launching pad for their next attack.

Another use for wingates is to use them to bounce a connection off of irc.  Most commonly SOCKS (stands for SOCK-et-S), are used for irc, they are very simular to wingates but used mainly at a firewall to allow transparent connections through it.  SOCKS usually run on port 1080.  To bounce your connection to an IRC server with a wingate or SOCKS type the following in your irc client:

/server win.gate.com 23
/quote irc.box.sk 6667
/quote user grendelsucks 123.123.123.123 b0iler :ban evader
/quote nick b0iler2

then use irc like normal, you will have the ip or hostname of the wingate.  I believe if you use mirc you can go to File -> Options -> Connect -> Firewall and then enter in the wingate's IP and port and checking "Use SOCKS Firewall" (correct me if I am wrong).   If you use Xchat try Settings -> Setup -> IRC -> Proxy Server -> Fill in IP and port and select the type as wingate.  You can also use a bnc (stands for BouNCe) to rely your connection to an IRC server.

Same as with proxies, if you don't want people connecting to your wingate set up a strict access list on a firewall.  Also username and passwords are a good idea when it comes to wingates.


Shell Accounts
A shell account is having access to a remote computer.  Users can connect to them and issue commands just like if they were at that computer's keyboard.  This also means that hackers can issue commands, and they often use shell accounts as another way to bounce their attack.

Usually a shell account is used along with wingates and is used by the hacker to launch the attack.  Hackers will not use free shells such as nether.net or hobbiton.org because they do not have the ablity to run programs they need and they cannot delete the log files with a regular user account.  If they were to use one of these shells the admin could easily check the logs and see what they were upto.  So hackers will use what are known as root shells, these are systems the hacker has already comprized and has root on them.  This allows them to delete all nessasary logs of their attack and lets them have full access to *nix tools.  The key tools hackers need are raw packet support, nmap and other auditting programs, a c compiler, a perl interpreter, and exploits.  These come standard on most *nix boxes, so it makes *nix very valuable to hackers.  Although most will have *nix installed on their computer they might still use shells because they have faster connections, and will allow another layer of protection along with the wingates.

This is an example of how a hacker would use 3 wingates with 2 shells:

    [hacker's computer] -> [wingate] -> [wingate] -> [wingate] -> [shell] -> [shell] -> [target]

To login to the shells a hacker can use telnet or they can use ssh, whichever they want.  ssh will allow a more secure connection.  A simple: telnet owned.com:5742 would allow them to get in (if they set up telnetd on port 5742).  To connect with ssh is: ssh owned.com -p 5742. If your system would get comprized it too could be used as a shell for the hackers next attack.

There are free shell accounts for beginner hackers to use, again, I stress that these are closely monitored and you only get a user account, so things are logged and power is limitted. Don't use them to hack! What a hacker wants is a 'rootshell' which is root access. This allows the hacker total control over everything on that computer. Raw sockets is a big thing, access to edit logs is another. If you can edit the logs on a rootshell this means that it is all the more harder for anyone to track you. If you use a free shell or a user account on a box you cannot edit the logs and will be vulnerable to be traced. Always using alot of wingates will help in keeping you out of trouble.

Most shells you will want are on *nix boxes, so you need to learn unix commands. Also knowing what files do what will help you understand how to hide yourself and how to modify the system the way you want. Setting up linux and securing your box will help you better understand how to break in, as well as breaking into linux will help you better understand how to secure it =) To help you learn *nix here is a few really good tutorials:


How can you stop hackers from using your system? Well this is a very indepth question, because you will need to completely secure your box to stop them from gaining access to it.  Read up on Unix security, firewalls, and IDS.  Ofcourse take action before the hacker gets in, secure your box...  use tripwire and snort 'just incase'.  One way to catch them is to install a remote logging box. This will allow you to have logs of everything they do, to do this set up any old box with inetd and syslogd and then change syslog's configuration file to have logs sent to that box.

# /etc/syslog.conf file
*.*                             @213.165.52.61

For more info on setting up a secure remote logger try loki's guide on How to set up a secure remote logger

One thing I would like to stress about using shells from a friends box is that they may be logging everything you do and gathering your username:passwords to your email, hacked accounts, sites, ftp, nickserv, and anything else you transfer.  Same holds true for BNCs and wingates.  It's a trick passed around by many hackers to put a wingate on their box and put it on a hacker website's list and wait for people to log into their hacked accounts with it.  I also read somewhere that governments set up wingates to catch hackers, I don't know how true this is.. but it sure is a good way to discurage hackers.


Conclusion
In this issue of Hacking Techniques I went over how and why hackers use proxies, wingates, and shells when attacking and how admins can stop them from using their networks to bounce attacks from.  I think the next issue will be much longer, it will cover many things hackers do once they comprize a system.  I hope everyone learned atleast something from this paper, and I hope I didn't forget anything =)  I am sorry if you felt it was hard to read this tutorial, I had a hard time writting it, it just felt like my words didn't go together right. It may be awhile till I get around to finishing issue #3, thanks for your patients.

-If I made any mistakes please let me know so I can fix them, b0iler@hotmail.com


[-----]
http://b0iler.eyeonsecurity.net/
- A really good site with tons of orignal tutorials.
[-----]