b0g!#@! Magazine

[home] [<-back] [index] [next->]



 ____________________________________________________________________
 
[ 7:. - [ Hacking Techniques: bouncing the attack ]      [b0iler] :. ]
                                                 [b0iler@b0g.org] :. ]
 ____________________________________________________________________


Intro
 Bouncing Attacks
  -proxies
  -wingates
  -shells
Conclusion



-Intro-

Welcome to the 2nd issue of Hacking Techniques.  If you read the first one I am
glad to see you liked it enough to want to read this one.  This issue will
focus on how hackers bounce their attacks so that they do not get caught and so
they use the power of a *nix shell.  As with the first one this tutorial can
both be used by hackers and admins.  Hackers will learn how to mount an attack
and use proxies to help stay anonymous.  Admins will learn how to prevent
themselves from being used in an attack as a proxy and prevent stress.  If you
don't know what a proxy is or how to use a wingate you need to read this
tutorial.  People who run wingates, proxies, or give shells out also should go
over this tutorial as to scare them into securing it.  I'll go over a few other
random things such as using routers as wingates, and using wingates to bounce
your irc sessions.



-Bouncing Attacks-

There are a few ways to bounce your attack.  Sometimes it depends on how you
are gonna to do the attack, sometimes it depends on what you got on hand.  I
will introduce you to 3 ways to bounce you attack.  I will not go into using
routers as proxies since wingates are fairly easy to get.  And I will not go
over bouncing your attack off an ftp because all (or very close to all) ftp
programs are patched to this by now. Not only should hackers read this next
part, but so should admins who want to keep themselves from being used in an
attack.  Securing their proxies and wingates can help prevent trouble with
hackers abusing it. This can save some time and hassle because you will not
need to bother with an admin who trying to track down a hacker who used your
network to bounce off of.


    * Bouncing through proxies

    * Bouncing through wingates

    * Bouncing with shells


Bouncing through proxies
Proxies are the most basic way to stay anonymous while on the web.  They are
used with your web browser to rely data that you are downloading.  So when you
send data to get a webpage it is first sent to the proxy and then to the
webpage.  like this:


    [your computer] -> [proxy] -> [website]


Some kinds of proxies, known as cache'ing proxies, will hold local copies of
websites people visit.  This makes browsing much faster since ideally the
connection between you and the proxy is very fast.  So instead of having to
query the website the proxy will just send out the saved (cache'd) copy and
save time and resources.  Although this can be a problem as I have had first
hand experience with this.  When running lame industries we put a script up
that allowed people to check out other users email addresses, image, website,
names, country, etc.. all info was optional.  But the script would check if
you were an admin of lame industries and if you were it would display users
passwords, cookies, allow you to change the status of users.  Now somehow a
nice fellow named MaAaX found a cache'ing proxy that had this page cached.
Not only was it cache'd.. but it was the admin version cache'd.  Some admin of
the site must have used that proxy to visit that script, so the proxy saved
what he saw.  And MaAaX reported this, but he was tricked into reporting it to
someone who was not an admin of the site.  That person then used the proxy to
get an admin's password from the cache'd page.  Moral of the story? Don't leave
sensitive info out for everyone to see, I would suggest not using a proxy when
admining a site through and also to put all scripts which can be used by
an admin in a .htaccess protected directory.


Proxies are very easy to find and very easy to use.  To find them try using a
program called Proxy Hunter [ http://go8.163.com/windzh/indexe.htm ] what this
program will do is it will scan large ranges of ips for open proxies.  Then it
will report them to you so you can try them and see if they require a username
and password or if you can use them without.  Another way is to look on the
web for lists of proxies, a few good sites for this are:


    * cyberarmy's proxy list - ttp://www.cyberarmy.com/lists/proxy/index.shtml

    * roswell's proxy list - http://tools.rosinstrument.com/proxy/


Don't expect proxies to stay up forever, if one goes down try another.  It is
fairly simple to set up basic security for your proxy server, get a good access
list restricting who can use it.  Also, as with all programs, check for known
security vulnerabilities in the proxy server itself, and vulnerabilities in
your firewall, which you set the access list for the proxy server.


To use proxies you need to set up your browser to bounce off of them.  In
internet explorer this is done by going to Tools->Internet Options...->
Connections->(highlighting your connection)->Settings...->check "Use a proxy
server for this connection"->file in the ip or hostname and the port number
then press ok, and ok.


To set up Netscape to use a proxy select edit->preferences->advanced->proxies
->"Manual proxy configuration" then fill in the hostname or ip and the port
number.


In lynx (or Mosaic) you would do this at the command line:

http_proxy="http://proxy.com:80/"; export http_proxy; exec lynx

or exec Mosaic.


Now to validate that the proxy is working go to a site which displays server
environment variables from a perl/php script. One such site is
http://www.cyberarmy.com/cgi/whoami.pl


One proxy is good for everyday surfing, but what if you are up to alittle more
than just that?  (I see that smile on your face)  You need to use a technique
called chaining proxies.  What happends is you rely the data transfer from one
proxy, to another, to another, to another ... until it reaches the destination.
It is fairly simple to do this, but some proxies don't support it.  Other
problems include one proxy is slow it makes the connection timeout, too many
proxies that the connection times out, and it takes awhile to find 4 or 5 good
proxies.  This should work in almost every browser, put the proxies in the
address bar in this format:
http://proxy1.com:80/http://proxy2.com:80/http://proxy3.com:8000/http://site.com
this should connect you to site.com using those 3 proxies and the one you put in
your configuration (options, preferences.. what we just did above).  I've also
heard that using http://proxy.com;80-_-http://site.com works, but from my
experience it tends to be less supported by proxy servers.  Of course if you are
having problems getting this to work it may be that the proxy doesn't allow
chaining.


Now when I say proxies can be used to bounce a connection to a webpage - I mean
webpage.  You cannot use a normal http proxy on anything besides port 80 (the
http port.. for webpages).  If you want to bounce connections on other ports try
a wingate.


So what if you are using an exploit to mount an attack and you are too lazy to
use wingates to connect to your shell?  You can use something like
rain.forrest.puppy's libwhisker, which makes it extremely easy to add proxy
support to perl scripts.  You can get libwhisker at:
http://www.wiretrip.net/rfp/bins/libwhisker/pr4/libwhisker.pm  I haven't really
looked for a C/C++ version of something like this, since it's just as simple to
connect to a shell.


One last thing I will go over for proxies is chaining them together, hackers use
this so they have more cover when hacking into a script avalible over port 80.
To do this you can put proxy1-_-proxy2-_-proxy3-_- before the url, or you can
use a program called MultiProxy [ www.multiproxy.org ] to chain anonymous
proxies together. What is an anonymous proxy? It is a proxy that will not
forward information about you. The main peice of information hackers want to
keep secret is their IP address, when a proxy forwards this to a computer it is
known as the X-Forward-For.  It is a header in the packet which tells the target
what computer the proxy is going to send the info to (the hackers IP). Anonymous
proxies will leave the REMOTE_ADDR, HTTP_X_FORWARDED_FOR or HTTP_VIA headers
blank so that the target has no idea where the attack is comming from.  You can
check if a proxy is anonymous at http://www.cyberarmy.com/cgi/whoami.pl



-Bouncing through wingates-

Wingates are a type of proxy that allow you to make a telnet connection.  They
are intended to be used to allow computers to access the internet through
another one, but since many types of wingates allow anyone to connect without
a password this can be exploited by hackers and other people to be used to
bounce their connection off of.  Here is how this works:


    [hacker's computer] -> [wingate] -> [destination]


This snazzy ascii shows how your data will go through a wingate and then to
it's destination.  So the destination sees it as if the data is coming from
the wingate.  If you can't see how hackers can use this to their advantage
let me explain...


Hackers want to keep their ip hidden, they don't want their target to know where
they are coming from.  This is both so they cannot block the attack as easy and
so they do not get in trouble if they do get caught.  Using a wingate means
that the target doesn't see the hackers ip, it sees the wingate's ip instead.
Most hackers use over 3 wingates when hacking, just to be safe.  Because if an
admin caught the hack attempt and contacted the admin of the wingate logs can be
used to find the hackers ip.  So if they bounce off of like 5 wingates that
means alot more hassle for the attacked admin to go through to find the hacker
and the more chance that logs will not be kept or will be deleted by one of the
wingate admins.


Bouncing hacking attacks off of a wingate is not the only reason a hacker would
use one.  They are also quite handy when going on some irc servers.  The same
basic concept applies, the data is bounced off the wingate and then sent to the
destination (irc server).  So the irc server sees the connection as coming
from the wingate.  This can allow hackers to get around channel bans, get around
glines, hide themselves from others, create clones, etc..  Check your options in
irc client to figure out how to use them. (with mirc it's known as a SOCKS 4
firewall in the options.)


Since they are useful on an irc, many people on irc tend to be using wingates.
This is why I ported a simple port scanner to irssi (also works with BitchX
and maybe Xchat).  This port scanner is edited to only look for port 23 and
1080 the most commonly used ports for wingates, 23 is telnet, 1080 is SOCKS.
What it does is collects people's ips when they enter a channel and then when
you issue the command /scan it will check the list of ips for avalible wingates.
There is also easy to use scripts for mirc that do this, a search on google
for mirc wingate scanner produced many links.  You can also use tools that scan
wide blocks of ips for wingates using tools like wingate scanners
[ http://packetstormsecurity.org/wingate-scanner/ ].  Here is a tip: find a
cable or dsl isp and scan their subnet for wingates.  Many people on fast
connections use wingates for their network to split their bandwidth up and
since cable they have a static ip they will not change as often.  So do a
'/whois user' on someone who is on cable to get their ip, then check
all-nettols.com (use "smartwhois") to get their isp's ip range and I scan that
for wingates.


Wingates tend to go up and down hourly, this is because sometimes people only
need them for awhile and when someone does put one up they get alot of traffic
from hackers using them to bounce off of, so instead of wasting their bandwidth
they secure the wingate or take it down.  Because of this you need to scan for
wingates all the time.  Another reason why irc works good for looking for
wingates, you let other people find them for you. =)


Not many hackers just use 1 wingate when hacking. This is how using 4 wingates
would work (wg = wingate:


    [hacker] -> [wg] -> [wg] -> [wg] -> [wg] -> [destination]


Using multiple wingates is required for a hacker, they will not just use one,
since it would be easy to track them.  But using too many can make things very
slow.  Anything over 4 and under 10 would be normal.


So after you scan (this may take awhile, be patient) and get a few wingates how
do you connect to them and use them? This is very simple, but tends to be asked
all the time on message boards and chatrooms all over the place.  When you
telnet to a wingate you need to have it's ip or hostname and the port the
wingate is running on.  Normally the port is 23 or 1080.  Now we can only use
wingates which don't require a username and password to use.  So after we get
a list of them we will need to test and see which work without a login.  Simply
get out telnet and connect to that ip and port, wait for the connection and see
if it says something like this:


    Wingate>


If it had a login of some sort then you cannot use it.  This is one way admins
of wingates can protect themselves, make sure to password protect the wingate
so random hackers cannot use it.  Not only can hackers use your wingate, but
spammers often use them as well.  Having spammers send thousands of emails
through your wingate is a surefire way to get your isp to cancel your account.
Besides adding passwords you can also secure your wingate by only allowing
computers on your LAN to access it, this is how for GateKeeper
[ http://www.infopulse.net/store/index.html ]


login as Administrator on GateKeeper
Policies -> Default Policies -> Users can access services -> select everyone
Location -> Specify locations from where this recipient has rights -> add
127.0.0.1 and 192.168.0.* (or whatever ip range your network uses).


To secure Deerfield's wingate [ http://wingate.deerfield.com ] simply upgrade
to 3.x home version. The home version of 3.x doesn't let anyone connect at
default. It's now configured securely by default :D


There are also other terminal's that will appear, it is not allways "Wingate>".
It could be anything, Wingate> is just default on some.


We got connected, now to use the wingate.  Wingates by default will telnet to
any ip port you enter, so try to telnet to a server you
know is up:


    Wingate> 204.42.253.18:23


Now if you encounter an error this means something’s either wrong with the ip:port
you entered, the ip:port is down, or the wingate is not working.  Also try to
do 'telnet ip:port' since that wingate might not telnet at default.  So we got
our list of wingates down to a list of working, none passworded wingate.  Now
to link them.  Lets say we have the wingates (note, these are fake):


    203.43.25.104 port 23
    214.133.200.20 port 1080
    180.23.56.93 port 23
    194.51.107.68 port 23


To link these we would telnet into the first one:


    telnet 203.43.25.104 23
    Sparky's server 1.03>


Then enter in the ip:port of the next one on the list.


    Sparky's server 1.03> 214.133.200.20 1080
    CDD Proxy Server>


and link the rest..


    CDD Proxy Server> 180.23.56.93 23
    welcome to 180.23.56.93: 194.51.107.68 23


Now A hacker can telnet into a shell account from the last wingate and launch
the attack, or if they know how to do some socket programming they can set up
exploits to go through wingates themselves.  For the next section , shells,
I'll go over how a hacker can use a shell to make his attack.


I have heard from a few people that routers can be used as a wingate, I myself
have never done this since there is always plenty of wingates to use if you
just scan for them.  But.. using a router as a wingate is very interesting for
a number of reasons.  First, a router gets so much traffic that the admin
would probably not know if it was being used to bounce an attack.  Routers
don't log by default, and since they get a lot of traffic not many admins log
everything (or they're logs do not last too long) this means there is less of
a chance of the hacker getting tracked down.  Routers are pretty much always up
and have a fast connection, so if you got a few routers going as wingates you
wouldn't have to scan for new ones as much =)


Now don't go out looking for routers just yet, before you can use a router as
a wingate you need to have access to use telnet on it.  Unlike wingates which
can sometimes allow anyone to run telnet, routers don't.  You will need to
hack into the router to be able to use telnet on it to wingate from it.  Of
course the number of routers with default passwords (admin:admin) or simple
exploits not patched is pretty high from my experience.  Also to note: it might
not be a good idea to telnet directly into a router as your first wingate.. if
the admin does find out of your break in (and they log) you will have left your
real ip.  Hackers will probably use a regular wingate or two before connecting
to a compromised router.  Needless to say, if you admin a router make sure to
keep it locked up tight, not only can hackers screw up your network, sniff
passwords, redirect data, and generally cause a muck, but they can also use
your router as a launching pad for their next attack.


Another use for wingates is to use them to bounce a connection off of irc.
Most commonly SOCKS (stands for SOCK-et-S), are used for irc, they are very
simular to wingates but used mainly at a firewall to allow transparent
connections through it.  SOCKS usually run on port 1080.  To bounce your
connection to an IRC server with a wingate or SOCKS type the following in your
irc client:


/server win.gate.com 23
/quote irc.box.sk 6667
/quote user grendelsucks 123.123.123.123 b0iler :ban evader
/quote nick b0iler2


Then use irc like normal, you will have the ip or hostname of the wingate.
I believe if you use mirc you can go to File -> Options -> Connect -> Firewall
and then enter in the wingate's IP and port and checking "Use SOCKS Firewall"
(correct me if I am wrong).   If you use Xchat try Settings -> Setup -> IRC
-> Proxy Server -> Fill in IP and port and select the type as wingate.  You
can also use a bnc (stands for BouNCe) to rely your connection to an IRC server.


Same as with proxies, if you don't want people connecting to your wingate set
up a strict access list on a firewall.  Also username and passwords are a good
idea when it comes to wingates.



-Shell Accounts-

A shell account is having access to a remote computer.  Users can connect to
them and issue commands just like if they were at that computer's keyboard.
This also means that hackers can issue commands, and they often use shell
accounts as another way to bounce their attack.


Usually a shell account is used along with wingates and is used by the hacker
to launch the attack.  Hackers will not use free shells such as nether.net or
hobbiton.org because they do not have the ability to run programs they need and
they cannot delete the log files with a regular user account.  If they were to
use one of these shells the admin could easily check the logs and see what
they were upto.  So hackers will use what are known as root shells, these are
systems the hacker has already comprised and has root on them.  This allows them
to delete all necessary logs of their attack and lets them have full access to
*nix tools.  The key tools hackers need are raw packet support, nmap and other
auditing programs, a c compiler, a perl interpreter, and exploits.  These come
standard on most *nix boxes, so it makes *nix very valuable to hackers.
Although most will have *nix installed on their computer they might still use
shells because they have faster connections, and will allow another layer of
protection along with the wingates.


This is an example of how a hacker would use 3 wingates with 2 shells
(wg = wingate):


  [hacker] -> [wg] -> [wg] -> [wg] -> [shell] -> [shell] -> [target]


To login to the shells a hacker can use telnet or they can use ssh
[ http://www.openssh.org ], whichever they want.  ssh will allow a more secure
connection.  A simple: telnet owned.com:5742 would allow them to get in (if
they set up telnetd on port 5742).  To connect with ssh is: ssh owned.com -p
5742. If your system would get comprised it too could be used as a shell for
the hackers next attack.


There are free shell accounts for beginner hackers to use, again, I stress
that these are closely monitored and you only get a user account, so things
are logged and power is limited. Don't use them to hack! What a hacker wants
is a 'rootshell' which is root access.  This allows the hacker total control
over everything on that computer.  Please don't ever, ever, ever ask anyone
for a root shell, and don't ask "which free shell is the best" - because all
free shells pretty much stink.  Raw sockets is a big thing, access to edit
logs is another.  If you can edit the logs on a rootshell this means that it
is all the more harder for anyone to track you. If you use a free shell or a
user account on a box you cannot edit the logs and will be vulnerable to be
traced. Always using a lot of wingates will help in keeping you out of trouble.


Most shells you will want are on *nix boxes, so you need to learn unix commands.
Also knowing what files do what will help you understand how to hide yourself
and how to modify the system the way you want. Setting up linux and securing
your box will help you better understand how to break in, as well as breaking
into linux will help you better understand how to secure it =) To help you
learn *nix here is a few really good tutorials:


    * http://unixhelp.ed.ac.uk - A very easy and detailed step by step
      guide to getting started with Unix, with examples, solution to
      problems, and some cool facts.

    * http://www.mines.utah.edu/~wmgg/ - A short and sweet Unix
      tutorial to help with the basic commands.

    * http://www.belgarath.demon.co.uk/guide/ - A very nice guide
      that takes things slow and uses helpful pictures to explain
      things.

    * http://www.linuxnewbie.org - A very helpful stop for anyone new
      to linux, it has many helpful files.

    * And of course the best one of all:  man

	How can you stop hackers from using your system? Well this is a very in-depth question, because you will need to completely secure your box to stop them from gaining access to it.  Read up on Unix security, firewalls, and IDS. Of course take action before the hacker gets in, secure your box...  use tripwire and snort 'just incase'.  One way to catch them is to install a remote logging box. This will allow you to have logs of everything they do, to do this set up any old box with inetd and syslogd and then change syslog's configuration file to have logs sent to that box. # /etc/syslog.conf file *.*                             @213.165.52.61 For more info on setting up a secure remote logger try loki's guide on How to set up a secure remote logger - [ http://www.linuxsecurity.com/feature_stories/remote_logserver-1.html ] One thing I would like to stress about using shells from a friends box is that they may be logging everything you do and gathering your username:passwords to your email, hacked accounts, sites, ftp, nickserv, and anything else you transfer.  Same holds true for BNCs and wingates.  It's a trick passed around by many hackers to put a wingate on their box and put it on a hacker website's list and wait for people to log into their hacked accounts with it.  I also read somewhere that governments set up wingates to catch hackers, I don't know how true this is.. but it sure is a good way to discourage hackers. -Conclusion- In this paper of Hacking Techniques I went over how and why hackers use proxies, wingates, and shells when attacking and how admins can stop them from using their networks to bounce attacks from.  I think the next issue will be much longer, it will cover many things hackers do once they comprize a system.  I hope everyone learned atleast something from this issue, and I hope I didn't forget anything =)  I am sorry if you felt it was hard to read this tutorial, I had a hard time writing it, it just felt like my words didn't go together right.  It may be awhile till I get around to finishing issue #3, thanks for your patients. b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! DARWIN AWARD CANDIDATES 1. In September in Detroit, a 41-year-old man got stuck and drowned in two feet of water after squeezing head first through an 18-inch-wide sewer grate to retrieve his car keys. 2. In October, a 49-year-old San Francisco stockbroker, who "totally zoned when he ran," according to his wife, accidentally jogged off a 200-foot-high cliff on his daily run. 3. Buxton, NC: A man died on a beach when an 8-foot-deep hole he had dug into the sand caved in as he sat inside it. Beachgoers said Daniel Jones, 21, dug the hole for fun, or protection from the wind, and had been sitting in a beach chair at the bottom Thursday afternoon when it collapsed, burying him beneath 5 feet of sand. People on the beach, on the outer banks, used their hands and shovels, trying to claw their way to Jones, a resident of Woodbridge, VA, but could not reach him. It took rescue workers using heavy equipment almost an hour to free him while about 200 people looked on. Jones was pronounced dead at a hospital. 4. In February, Santiago Alvarado, 24, was killed in Lompoc, CA, as he fell face-first through the ceiling of a bicycle shop he was burglarizing. Death was caused when the long flashlight he had placed in his mouth (to keep his hands free) rammed into the base of his skull as he hit the floor. 5. According to police in Dahlonega, GA, ROTC cadet Nick Berrena, 20, was stabbed to death in January by fellow cadet Jeffrey Hoffman, 23, who was trying to prove that a knife could not penetrate the flak vest Berrena was wearing. 6. Sylvester Briddell, JR , 26, was killed in February in Selbyville, Del, as he won a bet with friends who said he would not put a revolver loaded with four bullets into his mouth and pull the trigger. 7. In February, according to police in Windsor, Ontario, Daniel Kolta, 27, and Randy Taylor, 33, died in a head-on collision, thus earning a tie in the game of chicken they were playing with their snowmobiles. DARWIN AWARD HONORABLE MENTIONS 1. In Guthrie, Okla , in October, Jason Heck tried to kill a millipede with a shot from his 22-caliber rifle, but the bullet ricocheted off a rock near the hole and hit pal Antonio Martinez in the head, fracturing his skull. 2. In Elyria, Ohio, in October, Martyn Eskins, attempting to clean out cobwebs in his basement, declined to use a broom in favor of a propane torch and caused a fire that burned the first and second floors of his house. 3. Paul Stiller, 47, was hospitalized in Andover Township, NJ, in September, and his wife Bonnie was also injured, by a quarter-stick of dynamite that blew up in their car. While driving around at 2AM, the bored couple lit the dynamite and tried to toss it out the window to see what would happen, but they apparently failed to notice that the window was closed. 4. Taking "Amateur Night" Too Far: In Betulia, Colombia, an annual festival in November includes five days of amateur bullfighting. This year, no bull was killed, but dozens of matadors were injured, including one gored in the head and one Bobbittized. Said one participant, "It's just one bull against [a town of] a thousand Morons." AND THE WINNER.... PADERBORN, GERMANY - Overzealous zoo keeper Friedrich Riesfeldt fed his constipated elephant, Stefan, 22 doses of animal laxative and more than a bushel of berries, figs and prunes before the plugged-up pachyderm finally let fly - and suffocated the keeper under 200 pounds of poop! Investigators say ill-fated Friedrich, 46, was attempting to give the ailing elephant an olive-oil enema when the relieved beast unloaded on him like a dump truck full of mud. "The sheer force of the elephant's unexpected defecation knocked Mr. Riesfeldt to the ground, where he struck his head on a rock and lay unconscious as the elephant continued to evacuate his bowels on top of him," said flabbergasted Paderborn police detective Erik Dern. "With no one there to help him, he lay under all that dung for at least an hour before a watchman came along, and during that time he suffocated. It seems to be just one of those freak accidents." b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@! b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!b0g!#@!
[^-top] [next->]