TUCoPS :: Cyber Culture :: know_y1.htm

Know Your Enemy: The Attack of the Script Kiddie
Hacker Scene


                                             Know Your Enemy
                                     The Attack of the Script Kiddie
                                                     
                                              Lance Spitzner
                                                     
    My commander used to tell me that to secure yourself against the enemy, you have to first know who
    your enemy is. This military doctrine readily applies to the world of network security. Just like
    the military, you have resources that you are trying to protect. To help protect these resources,
    you need to know who your threat is and how they are going to attack. This article does just that,
     it discusses the methodology and tools used by one of the most common and universal threats, the
                                              Script Kiddie.
                                                     
                                         Who is the Script Kiddie
                                                     
   The script kiddie is someone looking for the easy kill. They are not out for specific information or
    targeting a specific company. Their goal is to gain root the easiest way possible. They do this by
     focusing on a small number of exploits, and then searching the entire Internet for that exploit.
                              Sooner or later they find someone vulnerable.
                                                     
   Some of them are advance users who develop their own tools and leave behind sophisticated backdoors.
      Others have no idea what they are doing and only know how to type "go" at the command prompt.
       Regardless of the their skill level, they all share a common strategy, randomly search for a
                              specific weakness, then exploit that weakness.
                                                     
                                                The Threat
                                                     
    It is this random selection of targets that make the script kiddie such a dangerous threat. Sooner
    or later your systems and networks will be probed, you cannot hide from them. I know of admins who
    were amazed to have their systems scanned when they had been up for only two days, and no one knew
      about them. There is nothing amazing here. Most likely, their systems were scanned by a script
                          kiddie who happened to be sweeping that network block.
                                                     
   If this was limited to several individual scans, statistics would be in your favor. With millions of
   systems on the Internet, odds are that no one would find you. However, this is not the case. Most of
   these tools are easy to use and widely distributed, anyone can use them. A rapidly growing number of
    people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds,
   this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against
   us. With so many users on the Internet using these tools, it is no longer a question of if, but when
                                           you will be probed.
                                                     
   This is an excellent example of why security through obscurity can fail you. You may believe that if
   no one knows about your systems, you are secure. Others believe that their systems are of no value,
   so why would anyone probe them? It is these very systems that the script kiddies are searching for,
                      the unprotected system that is easy to exploit, the easy kill.
                                                     
                                             The Methodology
                                                     
    The script kiddie methodology is a simple one. Scan the Internet for a specific weakness, when you
     find it, exploit it. Most of the tools they use are automated, requiring little interaction. You
     launch the tool, then come back several days later to get your results.  No two tools are alike,
   just as no two exploits are alike. However, most of the tools use the same strategy. First, develop
        a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability.
                                                     
   For example, lets say a user had a tool that could exploit imap on Linux systems. First, they would
    develop a database of IP addresses that they could scan (i.e., systems that are up and reachable).
     Once this database of IP addresses is built, the user would want to determine which systems were
   running Linux. Many scanners today can easily determine this by sending bad packets to a system and
     seeing how they respond. Then, tools would be used to determine what Linux systems were running
                    imap. All that is left now is to exploit those vulnerable systems.
                                                     
       You would think that all this scanning would be extremely noisy, attracting a great deal of
   attention. However, many people are not monitoring there systems, and do not realize they are being
   scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have
    exploited a system, they now use this systems as a launching pad. They can boldly scan the entire
     Internet without fear of retribution. If their scans are detected, the system admin and not the
                                       hacker will be held liable.
                                                     
   Also, these scan results are often archived or shared among other users, then used at a later date.
   For example, a user develops a database of what ports are open on reachable Linux systems.  The user
   built this database to exploit the current imap vulnerability.  However, lets say that a month from
       now a new Linux exploit is identified on a different port.  Instead of having to build a new
   database (which is the most time consuming part), the user can quickly review his archived database
       and compromise the vulnerable systems.  As an alternative, script kiddies share or even buy
     databases of vulnerable systems from each other.  The script kiddie can then exploit your system
    without even scanning it.  Just because your systems have not been scanned recently does not mean
                                             you are secure.
                                                     
      The more sophisticated hackers implement trojans and backdoors once they compromise a system.
    Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make
      the intruder undetectable. He would not show up in any of the logs, systems processes, or file
        structure. He builds a comfortable and safe home where he can blatantly scan the Internet.
                                                     
   These attacks are not limited to a certain time of the day. Many admins search their log entries for
    probes that happen late at night, believing this is when hackers attack. Script kiddies attack at
   any time. As they are scanning 24hrs a day, you have no idea when the probe will happen. Also, these
     attacks are launched throughout the world. Just as the Internet knows no geographical bounds, it
           knows no time zones. It may be midnight where the hacker is, but it is 1pm for you.
                                                     
                                                The Tools
                                                     
    The tools used are extremely simple in use. Most are limited to a single purpose with few options.
         First come the tools used to build an IP database. These tools are truly random, as they
      indiscriminently scan the Internet. For example, one tool has a single option, A, B, or C. The
    letter you select determines the size of the network to be scanned. The tool then randomly selects
      which IP network to scan. Another tool uses a domain name. The tools builds an IP database by
   conducting zone transfers of the domain name and all sub-domains. User'9s have built databases with
                      over 2 million IPs by scanning the entire .com or .edu domain.
                                                     
   Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version
   of named, operating system, or services running on the system Once the vulnerable systems have been
      identified, the hacker strikes. Several tools exist that combine all these features together,
                                  simplifying the process even greater.
                                                     
                                    How to Protect Against This Threat
                                                     
    There are steps you can take to protect yourself against this threat. First, the script kiddie is
    going for the easy kill, they are looking for common exploits. Make sure your systems and networks
   are not vulnerable to these exploits. Both http://www.cert.org and http://www.ciac.org are excellent
      sources on what a common exploit is. Also, the listserv bugtraq is one of the best sources of
                                               information.
                                                     
     Another way to protect yourself is run only the services you need. If you do not need a service,
    turn it off. If you do need a service, make sure it is the latest version.  For examples on how to
                             do this, check out my article Armoring Solaris.
                                                     
    As you learned from the tools section, DNS servers are often used to develop a database of systems
    that can be probed. Limit the systems that can conduct zone transfers from your Name Servers. Log
    any unauthorized zone transfers and follow up on them. I highly recommend upgrading to the latest
                   version of BIND, which you can find at http://www.isc.org/bind.html.
                                                     
    Last, watch for your systems being probed. Once identified, you can track these probes and gain a
             better understanding of the threats to your network and react to these threats.
                                                     
                                                Conclusion
                                                     
   The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless
    of location and value. Sooner or later, your system will be probed. By understanding their motives
                  and methods, you can better protect your systems against this threat.
                                                     
             NOTE:  Thanks to Brad Powell at Sun's Security Team for his help on this article
                                                     
                                              Author'9s bio
      Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an
   Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach
                                       him at lance@spitzner.net .
                                                     

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH