Network Security Auditing with aHack

Simon J. Gerraty
QUICK.COM.AU

ABSTRACT

This paper describes aHack, a re-implementation (with permission) of Alec Muffet's AutoHack tool. Like AutoHack, aHack is a tool for performing wide scale network security audits. It is aimed at testing the host security of general UNIX systems, not firewall bastions. The tool is described briefly and the tests currently implemented are detailed.

1. Introduction

Alec Muffet's AutoHack [Muffet1995a] is an engine for implementing wide scale security auditing of hosts attached to a network. It is designed in such a way as to be easy to introduce and integrate new tests and, more importantly, when probing large networks, to do so in an efficient manner. AutoHack is used by Sun Microsystems to regularly check the security of hosts on their corporate network.

Since AutoHack is not available outside of Sun Microsystems, the author decided to implement a similar tool. With Alec Muffet's permission and his description of AutoHack, the aHack engine was soon ready. Providing it with attack and exploit code is an on-going exercise. The aHack engine allows for new exploits to be implemented and run against a network without necessarily re-running previous tests.

2. The aHack implementation

aHack implements the final structure described in Muffet's paper. It is written in a mixture of C, perl, expect/tcl and shell scripts. Most of the tool is simply an engine to drive the attack and exploit code in the directory hack.d and to store the results in a directory per host. The storage tree is broken up at each octet of a host's IP address so that no directory contains more than 255 entries. The engine is not described in detail as it closely matches that described by Muffet.

The aHack engine is actually at the end of a pipe-line of commands.

genaddr.pl
    Produces on its standard output all the IP addresses described by its command line arguments.

avoidaddr.pl
    Allows certain IP addresses to not be tested.

mux.sh
    Is a multiplexer. It runs multiple copies of the command line given as an argument and feeds each one a slice of its input.

testaddr
    Checks whether IP addresses read from stdin are valid by sending either (or both) an ICMP echo packet or a packet to the UDP echo port. Valid addresses are copied to stdout.

sortaddr.sh
    Sorts the input from the multiple testaddr processes back into a coherent stream.

engine.sh
    Again run via mux.sh, this is where the real work begins. Each module in hack.d is tried against each IP address read from stdin.

2.1. Engine

For each IP address read from stdin, aHack creates a directory named for the IP address (by replacing the "."s with "/") and then runs all the modules in hack.d that match the criteria given (default is all).

The basic model is that the output from a module such as A30.sendmail is stored in a file called sendmail. If no output is produced, the empty file is removed. Otherwise, if there is a script named exploit.sendmail then it will be invoked.

3. Attack modules.

This section describes the attack modules currently implemented as part of aHack. Most of these modules are based on vulnerabilities described by Alec Muffet [Muffet1995a], Dan Farmer and Wietse Venema [Farmer1992a] and others.

Presently aHack implements the following types of modules.

o Probe only modules. These simply gather information.

o Attack modules. These attack network services known to be potentially vulnerable.

o Exploit modules. These modules exploit data gathered by the other modules.

The purpose of the modules is to gather data that would facilitate an attack or directly attack known vulnerabilities. Obtaining the content of the /etc/passwd file for offline password cracking is a common goal.

3.1. Information probes.

The following checks are made against all hosts.

o A TCP port scan.

o Check for rpc services advertised.

o Check for NFS file-systems exported.

o Check for HTTP daemons.

o Check for SNMP read community of "public".

Most of the attack modules check the results of the above probes to see whether an attack is feasible.

3.2. FTP

Many sites still set up anonymous FTP so as to allow anyone to retrieve the real /etc/passwd or create/modify ~ftp/.rhosts and hence rlogin to the system. We list the content of ~ftp so that this can be checked. There are a number of bugs in various FTP servers that allow normal authentication to be bypassed. The common site exec and bad password holes are checked.

3.3. Finger

Many sites provide a wealth of useful data via the finger daemon.

3.4. Sendmail attacks

Sendmail is a large, complex program and a favorite of system attackers. The first steps taken attempt to identify the sendmail binary. The greeting from the SMTP daemon is logged as a source of useful information. The following tests are then performed.

3.4.1. Debug and wizard

Two commands that should never be enabled in production sendmail binaries. The debug command allowed the Morris [Eichina] worm to break into a large number of Sun systems.

3.4.2. EXPN

A list of dangerous aliases is tested for support. A name that should not succeed is also tested, as SMTP daemons such as smap from the TIS fwtk fake the answers to EXPN queries. If smap is detected most subsequent tests are skipped.

3.4.3. Sendmail security hole #1

This hole is flagged if sendmail does not complain about mail addressed to programs. Some SMTP daemons do not complain and silently drop the mail.

If access is gained to the system via rcmd, then the tag file left by this test is checked for and, if present, the sendmail hole is flagged as confirmed.

3.4.4. Sendmail security hole #2

Some sendmails check for mail addressed to programs, but do not make similar checks on the return address. Thus mail addressed to an invalid user with a return address that is a program will often succeed where the more direct attack fails.

Again we attempt to confirm the bug by looking for the presence of a tag file on the target system.

3.5. rexd

This service is so hopeless that we merely look for its presence and do not even bother attacking it.

3.6. tftp

Many sites offer their /etc/passwd file via TFTP.

3.7. X11

Any host that runs an X11 display that allows us to connect to it allows us to control the display. We simply check if the display can be opened.

3.8. ypserv

Many sites with old or poorly set up yp servers will gladly hand out their passwd files to anyone who asks. We use the ypx tool and some reasonable guesses at the YP (NIS) domain name to attempt to retrieve the passwd map.

3.9. NFS

Exporting file-systems that contain home directories to the world means that anyone that can mount the file-system can login to the host - unless rcmd/rlogin is disabled.

Even if file-systems are not exported, many NFS servers use predictable file handles which, if given to the server in a request, will be honored.

3.10. telnet - bad user passwords

This test checks a number of common user ids such as root, nobody, games, guest, play and any obtained via fingerd, to see whether any have blank or trivial passwords. The success rate is generally high!

3.11. rcmd

The same list of users tested via telnet, plus some others, are tested for rcmd access. A modified rcmd client (in perl) obviates the need to have matching accounts on the attacking system.

3.12. Buffer overrun.

These tests are not yet implemented due to their very specific nature and thus the effort required. However, many network programs are vulnerable. Any sendmail binary prior to sendmail-8.6.10 is vulnerable. The Morris worm used a buffer overrun attack against fingerd on VMS.

As stated above, these attacks are tedious to set up initially, but are virtually guaranteed to succeed on all but the most modern systems.

There are also many buffer overrun exploits that can be used once access to the system has been obtained and are much simpler to implement. Given a small amount of appropriate machine code, and a willing architecture (i386, sparc and most others), a root shell can be guaranteed.

4. Report

After running all the tests, a report script is run to summarize the results. Each comment in the report is tagged with 1-5 "*". A single "*" indicates information only, while 5 means the host is directly and readily vulnerable - usually as root. Some examples are shown in Appendix A.

5. Availability

Unlike many security checking tools, aHack actually exploits the vulnerabilities it finds. While aHack does this in benign ways, it can be easily modified to be quite unfriendly. For this reason, aHack is not publicly available.

References

Muffet1995a.
    Alec Muffet, "WAN-hacking with AutoHack - Auditing security behind the firewall," Proceedings of The 5th USENIX UNIX Security Symposium, Network Security Group - Sun Microsystems (June 1995).

Farmer1992a.
    Dan Farmer and Wietse Venema, Improving the security of your UNIX system by breaking into it (1992).

Eichina.
    Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988.

Appendix A

A secure host may show a result like (only the addresses have been changed):

host 192.168.12.4 not
date Fri Sep 29 17:27:24 EST 1995
192.168.10.4 * version='Sendmail 8.6.12/8.6.9'
192.168.10.4 * sendmail='sendmail-8'
192.168.10.4 * sendmail protected. smap?
192.168.10.4 * info: last probed Thu Sep 28 23:33:54 EST 1995
192.168.10.4 * hostname='not'

while an insecure host may show a result more like:

host 192.168.10.2 rex
date Fri Sep 29 17:27:20 EST 1995
192.168.10.2 ***** sendmail security hole #1
192.168.10.2 ***** direct access as root
192.168.10.2 ***** confirm sendmail security hole #2
192.168.10.2 ***** confirm sendmail security hole #1
192.168.10.2 **** passwd file available via tftp
192.168.10.2 **** passwd file available via rcmd
192.168.10.2 **** might have sendmail security hole #2
192.168.10.2 **** got 12 passwd entries to crack
192.168.10.2 **** direct access as uucp
192.168.10.2 **** direct access as sys
192.168.10.2 **** direct access as sjg
192.168.10.2 **** direct access as operator
192.168.10.2 **** direct access as nobody
192.168.10.2 **** direct access as games
192.168.10.2 **** direct access as ftp
192.168.10.2 **** direct access as daemon
192.168.10.2 **** direct access as bin
192.168.10.2 **** direct access as adm
192.168.10.2 **** access via telnet as games with NO passwd
192.168.10.2 * version='Sendmail 4.0/SMI-4.0'
192.168.10.2 * uname: SunOS rex 4.0 sun
192.168.10.2 * sendmail='sendmail-5'
192.168.10.2 * info: last probed Thu Sep 28 23:00:20 EST 1995
192.168.10.2 * hostname='rex'

Copyright (C) 1995, Quick Consulting    December 10, 1995
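An added illustration of the engine conventions from section 2 and 2.1 (per-octet result directories, A30.sendmail output stored as "sendmail", empty output removed, exploit.<name> run only when output was kept). This is example code, not aHack's own engine, which is not public; the AH_HACKD and AH_RESULTS variables and the calling convention (a module takes the target IP as its argument, exploit.<name> gets the IP and the result file) are assumptions made here.

```shell
# Added example (not aHack's own code): a minimal engine.sh-style dispatcher
# following the storage and module conventions the paper describes. Assumed:
# modules live in $AH_HACKD, results under $AH_RESULTS, a module takes the
# target IP as its argument, exploit.<name> gets the IP and the result file.
: "${AH_HACKD:=hack.d}"
: "${AH_RESULTS:=results}"

# 192.168.10.2 -> 192/168/10/2: one level per octet, at most 255 entries each.
ip_to_dir() {
    echo "$1" | tr '.' '/'
}

# Result file name for a module: A30.sendmail -> sendmail.
module_result_name() {
    basename "$1" | sed 's/^[A-Za-z][0-9]*\.//'
}

# Run one module against one host: keep non-empty output under the module's
# name, remove empty output, and invoke exploit.<name> when output was kept.
run_module() {
    mod="$1"; ip="$2"
    name=$(module_result_name "$mod")
    dir="$AH_RESULTS/$(ip_to_dir "$ip")"
    mkdir -p "$dir"
    out="$dir/$name"
    "$mod" "$ip" > "$out" 2>/dev/null
    if [ ! -s "$out" ]; then
        rm -f "$out"
        return 1
    fi
    if [ -x "$AH_HACKD/exploit.$name" ]; then
        "$AH_HACKD/exploit.$name" "$ip" "$out" > "$dir/exploit.$name" 2>/dev/null
    fi
    echo "$out"
}

# Engine loop: one IP per line on stdin (the genaddr/testaddr/sortaddr output),
# every module tried against each host, in lexical order as the A30.-style
# prefix intends. exploit.* scripts are only ever run from run_module.
engine() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        for mod in "$AH_HACKD"/*; do
            case "$(basename "$mod")" in exploit.*) continue ;; esac
            [ -x "$mod" ] || continue
            run_module "$mod" "$ip" > /dev/null || true
        done
    done
}
```

Run as `sortaddr.sh | engine` (or under mux.sh) after sourcing the functions; the result tree under $AH_RESULTS is what a report script would then read.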
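An added example, not part of the paper, of triaging output in the Appendix A format described in section 4: each finding line is "<ip> <stars> <comment>" with 1 to 5 "*" as the severity, and "host"/"date" lines are headers. The functions rank hosts by their highest star rating and count findings per level; the sample report is constructed here from the Appendix A lines with the same synthetic addresses.

```shell
# Added example (not aHack's report script): triage helpers for the report
# format shown in Appendix A. The sample below is constructed for this example.
sample_report() {
    cat <<'EOF'
host 192.168.10.4 not
date Fri Sep 29 17:27:24 EST 1995
192.168.10.4 * version='Sendmail 8.6.12/8.6.9'
192.168.10.4 * sendmail protected. smap?
host 192.168.10.2 rex
date Fri Sep 29 17:27:20 EST 1995
192.168.10.2 ***** sendmail security hole #1
192.168.10.2 **** passwd file available via tftp
192.168.10.2 **** got 12 passwd entries to crack
192.168.10.2 * hostname='rex'
EOF
}

# Print "<ip> <max_stars>" for every host in the report on stdin, highest
# first, so hosts rated 5 (directly vulnerable, usually as root) come out on
# top. Header lines are skipped and only 1..5 stars count as a rating.
rank_hosts() {
    awk '
        $1 == "host" || $1 == "date" { next }
        $2 ~ /^\*+$/ && length($2) <= 5 {
            n = length($2)
            if (n > max[$1]) max[$1] = n
        }
        END { for (ip in max) print ip, max[ip] }
    ' | sort -k2,2nr -k1,1
}

# Number of findings at exactly the given severity (1-5) for one host.
count_at() {
    ip="$1"; stars="$2"
    awk -v ip="$ip" -v n="$stars" '
        $1 == ip && $2 ~ /^\*+$/ && length($2) == n { c++ }
        END { print c + 0 }
    '
}
```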