A Guide to Internet Security: Becoming an Uebercracker
and Becoming an UeberAdmin to stop Uebercrackers.

Author: Christopher Klaus <cklaus@shadow.net>
Date: December 5th, 1993.
Version: 1.1

This paper will be broken into two parts, one showing 15 easy steps
to becoming a uebercracker and the next part showing how to become a
ueberadmin and how to stop a uebercracker. A uebercracker is a term coined
by Dan Farmer to refer to some elite (cr/h)acker that is practically
impossible to keep out of the networks.

Here are the steps to becoming a uebercracker.

Step 1. Relax and remain calm. Remember YOU are a Uebercracker.

Step 2. If you know a little Unix, you are way ahead of the crowd and can
skip past step 3.

Step 3. You may want to buy a Unix manual or book to let you know what
ls, cd, and cat do.

Step 4. Read Usenet for the following groups: alt.irc, alt.security,
comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background
in uebercracker culture.

Step 5. Ask on alt.irc how to get and compile the latest IRC client and
connect to IRC.

Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way
there!)

Step 7. Now, sit on #hack and send messages to everyone in the channel
saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks
questions like "Why can't I join #warez?"

Step 8. (Important Step) Send private messages to everyone asking for new
bugs or holes. Here's a good pointer: look around your system for binary
programs that are suid root (look in the Unix manual from step 3 if
confused). After finding a suid root binary (i.e. su, chfn, syslog), tell
people you have a new bug in that program and you wrote a script for it. If
they ask how it works, tell them they are "layme". Remember, YOU are a
UeberCracker. Ask them to trade for their get-root scripts.

Step 9. Make them send you some scripts before you send some garbage file
(i.e. a big core file). Tell them it is encrypted or it was messed up and
you need to upload your script again.

Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be
obnoxious on #hack, otherwise people will look down on you and not give you
anything.)

Step 11. Hopefully you will now have at least one or two scripts that get
you root on most Unixes. Grab root on your local machines, read your
admin's mail, or even other users' mail, even rm log files and whatever
tempts you. (Look in the Unix manual from step 3 if confused.)

Step 12. A good test for true uebercrackerness is to be able to fake mail.
Ask other uebercrackers how to fake mail (because they have had to pass the
same test). Email your admin how "layme" he is and how you got root and how
you erased his files, and have it appear to come from satan@evil.com.

Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag
about your exploits on #hack to everyone. (Make up stuff. Remember, YOU are
a uebercracker.)

Step 14. Wait a few months and have all your notes, etc. ready in your room
for when the FBI, Secret Service, and other law enforcement agencies
confiscate your equipment. Call eff.org to complain how you were innocent
and how you accidentally got someone else's account and only looked
because you were curious. (Whatever else may help, throw at them.)

Step 15. Now for the true final supreme eliteness of all uebercrackers, you
go back to #hack and brag about how you were busted. YOU are finally a
true Uebercracker.


Now the next part of the paper is top secret. Please only pass to trusted
administrators and friends and even some trusted mailing lists, Usenet
groups, etc. (Make sure no one who is NOT in the inner circle of security
gets this.)

This is broken down into How to Become an UeberAdmin (otherwise known as a
security expert) and How to Stop Uebercrackers.

Step 1. Read the Unix manual (a good idea for admins).

Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install
sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers
now. Rdist scripts are among the favorites for getting root by
uebercrackers.

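A defender's check of the two permission fixes in this step, as an added example that is not from Klaus's paper: it verifies the exact modes, lists setuid binaries for review, and runs against a constructed temporary tree so it can be tried offline. The path /usr/bin/rdist is an assumed location.

```shell
#!/bin/sh
# Added example (not from Klaus's paper): POSIX sh audit of the admin
# Step 2 fixes (rdist mode 700, /etc/utmp mode 644) plus a listing of
# setuid binaries to review. /usr/bin/rdist is an assumed location.

# check_mode FILE MODE: succeed only if FILE's permission bits are exactly
# MODE (octal, as in `chmod 700 rdist`); print a one-line verdict.
check_mode() {
    file=$1; want=$2
    [ -e "$file" ] || { printf 'MISSING %s\n' "$file"; return 2; }
    # POSIX find: -perm without a leading '-' is an exact match, so a
    # setuid rdist (4755) is reported as needing the fix.
    if [ -n "$(find "$file" -prune -perm "$want" -print)" ]; then
        printf 'OK      %s is mode %s\n' "$file" "$want"
        return 0
    fi
    printf 'FIX     %s is not mode %s (run: chmod %s %s)\n' \
        "$file" "$want" "$want" "$file"
    return 1
}

# list_setuid DIR [OWNER]: print regular files under DIR with the setuid
# bit, optionally restricted to one owner (use "root" on a live host).
list_setuid() {
    if [ -n "$2" ]; then
        find "$1" -type f -perm -4000 -user "$2" -print
    else
        find "$1" -type f -perm -4000 -print
    fi
}

# audit_host PREFIX: run the Step 2 checks under PREFIX ("" for the real /).
audit_host() {
    prefix=$1; rc=0
    check_mode "$prefix/usr/bin/rdist" 700 || rc=1
    check_mode "$prefix/etc/utmp" 644 || rc=1
    printf 'setuid binaries under %s/usr/bin (review each one):\n' "$prefix"
    list_setuid "$prefix/usr/bin" | sed 's/^/  /'
    return $rc
}

# Constructed demo tree (owned by the caller, so no OWNER filter): rdist
# as shipped, setuid and world-executable; utmp already correct.
demo_tree() {
    t=$(mktemp -d); mkdir -p "$t/usr/bin" "$t/etc"
    : > "$t/usr/bin/rdist"; chmod 4755 "$t/usr/bin/rdist"
    : > "$t/etc/utmp";      chmod 644 "$t/etc/utmp"
    printf '%s\n' "$t"
}

audit_host "$(demo_tree)" || printf 'audit found items to fix\n'
```

On a real host, run `audit_host ""` as root and pass `root` as the second argument to list_setuid so only root-owned setuid files are listed.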
Step 3. Okay, maybe you want to actually secure your machine from the
elite Uebercrackers who can break into any site on the Internet.

Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing
packets. (This only applies to advanced admins who have control of the
router, but this will stop 90% of all uebercrackers from attempting your
site.)

Step 5. Apply all CERT and vendor patches to all of your machines. You have
just now killed 95% of all uebercrackers.

Step 6. Run a good password cracker to find open accounts and close them.
Run tripwire after making sure your binaries are untouched. Run tcp_wrapper
to find if a uebercracker is knocking on your machines. Run ISS to make
sure that all your machines are reasonably secure as far as remote
configuration (i.e. your NFS exports and anon FTP site).

Step 7. If you have done all of the above, you will have stopped 99%
of all uebercrackers. Congrats! (Remember, You are the admin.)

Step 8. Now there is one percent of uebercrackers that have gained
knowledge from reading some security expert's mail (probably gained access
to his mail via NFS exports or the guest account. You know how it is, like
the mechanic that always has a broken car, or the plumber that has the
broken sink, the security expert usually has an open machine.)

Step 9. Here is the hard part: to try to convince these security experts
that they are not so far above the average citizen and that by now giving
out their unknown (except to the uebercrackers) security bugs, it would be
a service to the Internet. They do not have to post it on Usenet, but share
it among many other trusted people, and hopefully fixes will come about and
new pressure will be applied to vendors to come out with patches.

Step 10. If you have gained the confidence of enough security experts,
you will now be looked up to as an elite security administrator that is
able to stop most uebercrackers. The final true test for being a ueberadmin
is to compile an IRC client, go onto #hack and log all the bragging and
help catch the uebercrackers. If a uebercracker does get into your system,
and he has used a new method you have never seen, you can probably tell
your other security admins and get half of the replies like - "That bug has
been known for years, there just aren't any patches for it yet. Here's my
fix." and the other half of the replies will be like - "Wow. That is very
impressive. You have just moved up a big notch in my security circle."
VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups
mention anything about that security hole, flame him for discussing it
since it could bring down the Internet and all Uebercrackers will now have
it, and the million other reasons to keep everything secret about security.


Well, this paper has shown the finer details of security on the Internet.
It has shown both sides of the coin. Three points I would like to make that
would probably clean up most of the security problems on the Internet are
the following:

1. Vendors need to make security a little higher than zero in priority.
If most vendors shipped their Unixes already secure, with most known bugs
that have been floating around since the Internet Worm (6 years ago) fixed
and patched, then most uebercrackers would be stuck as new machines get
added to the Internet. (I believe Uebercracker is German for "lame copy-cat
that can get root with 3 year old bugs.") An interesting note is that
if you check the mail alias for "security@vendor.com", you will probably
find it points to /dev/null. Maybe with enough mail, it will overfill
/dev/null. (Look in manual if confused.)

2. Security experts need to give up the attitude that they are above the
normal Internet user and try to give out information that could lead to
pressure by other admins on vendors to come out with fixes and patches.
Most security experts probably don't realize how far their information has
already spread.

3. And probably one of the more important points is just following the
steps I have outlined for Stopping a Uebercracker.


Resources for Security:

Many security advisories are available from anonymous ftp cert.org.
Ask archie to find tcp_wrapper, security programs. For more information
about ISS (Internet Security Scanner), email cklaus@shadow.net.


Acknowledgements:

Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott
Miles, Scott Yelich, and Henri De Valois.


Copyright:

This paper is Copyright 1993, 1994. Please distribute to only trusted
people. If you modify, alter, disassemble, reassemble, re-engineer or have
any suggestions or comments, please send them to:

cklaus@shadow.net