type a couple of quick commands. I got the Internet protocol (IP) addresses of the computer that stored that information,” says Winkler.

In another pen test, Mr. Winkler stole $1 billion in sensitive information in just a day and a half after getting himself hired as a temporary employee. The list of cases is long and distinguished.
The Technical Side of Pen Tests
There are only two ways to hack. One is to exploit weaknesses built into operating systems and software. The other is to exploit the human error that shows up in the form of administrator’s or user’s configuration errors. These are things like username and password selections or permissions for who can access which computers or data.
As Ira put it in a presentation, “All software has bugs; some bugs are security related.” Bugs can be exploited to gain privileges on a system. Bugs also come in the form of information leakage, which can be tapped to steal critical information.
Even Unix and Linux systems can be broken (hacked). “The way you take advantage is to go to a website and just download the exploits. Sadly, it’s that easy. Then you try to run them against individual systems or IP address ranges; frequently you’ll get in,” explains Winkler.
Another method is to ping IP addresses in a pingable address range. IP addresses and ranges are numbers in patterns like 255.255.255.104 through 255.255.255.111. Then, if you identify servers in that range, you can look to see if the servers have exported hard drives. For example, an administrator may have used a tool, like NFS Manager, to export a hard drive. If the setting was to export it to the world, then anyone could mount that drive from an Internet connection. It’s even easier if no permissions have been set.
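As an added, defender-side example (not from the article or from Winkler), this Python script audits a constructed /etc/exports file for exactly the misconfiguration described above: a drive exported to the world, or with no client list at all, plus options that remove the usual safeguards. The sample exports, host names and addresses are invented for the demonstration.

```python
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports for this audit; not from any real system
/home        *(rw,no_root_squash)
/data        192.168.10.0/24(ro,root_squash)
/pub
/srv/backup  backup.example.internal(rw,sync)
/scratch     *.example.internal(rw) \\
             10.0.0.5(rw,insecure)
"""

# Client specs that mean "anyone", and options that remove a safeguard.
WORLD_HOSTS = {"*", "0.0.0.0/0"}
RISKY_OPTIONS = {"no_root_squash", "insecure"}

def parse_exports(text):
    """Yield (path, [(client, set(options)), ...]) per export entry."""
    joined = re.sub(r"\\\n", " ", text)  # join backslash continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            host = (m.group(1) if m else spec) or "*"  # "(ro)" alone = everyone
            opts = set(filter(None, (m.group(2) or "").split(","))) if m else set()
            clients.append((host, opts))
        yield path, clients

def audit_exports(text):
    """Return (path, host, reason) findings: world-mountable shares, risky options."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:  # bare path: no client list, so every host may mount
            findings.append((path, "*", "world: no client list, every host may mount"))
            continue
        for host, opts in clients:
            if host in WORLD_HOSTS:
                findings.append((path, host, "world: exported to every host"))
            for opt in sorted(opts & RISKY_OPTIONS):
                findings.append((path, host, f"risky option: {opt}"))
    return findings

if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12} {host:<24} {reason}")
```

Run against a real exports file, every "world" finding is a share any Internet host could mount, which is what the exported-hard-drive case above relies on.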
User ID (UID) and Password (PW) guessing are also easy, due to nonrandom or default UID and PW selections. According to Ira, “most of the time, the administrator password on Windows systems is the same as the password for the administrator accounts. Just type in ‘administrator,’ ‘administrator,’ and you’ll gain access frequently.”
Here’s another example from Ira on password guessing: “I always tell the story where I knew this woman and her user id was ‘Kirk’ and I was just joking around with her that her password was ‘captain.’ She just looked at me in horror, saying, ‘how do you know what my password is?’” People tend to think in associative ways. If you start where they start, you’ll often come up with the same choices.
Other common holes include the default Login/Password (LP) accounts on Unix systems. It’s called LP because the default login is “login” and the default password is “password.” Amazingly enough, these are often not changed. “If people don’t administer their systems properly, it’s really easy to take them over.”
More Examples — Oldies but Goodies
“This is an old one, but I prefer older ones because, hopefully, they are not as vulnerable now,” Winkler elaborates. This one exploits early versions of the Windows 95 operating system. With these older versions, the password was stored in clear text, right out in the open in the Windows […]

With physical access, you only had to wait until someone was away from his or her computer and go into his or her Windows registry file to see his or her password. You could also take a look using the Internet, if the user had shared their hard drive with the world.
Each computer type and operating system has its own vulnerabilities. “For the Virtual Addressing Extended (VAX) computers, the Virtual Memory System (VMS) systems, frequently you could walk over to a VMS computer and type in the user id ‘field’ and the password ‘service’ and that would give you administrative privileges.”
There are many examples of exploiting default accounts. You can get all the systems on a network by using the Unix “hosts” command. With the right attributes, you can type in “hosts” at “company.com” [using
Tips From Ira Winkler for Hardening Your […]

- […] systems should run anti-virus software. Enable the feature to automatically check for updates.
- Check for backups and make your own backups on a regular basis.
- “[Software] firewalls are a must. Some DSL routers include firewall functionality. Some attacks can tunnel through these. Even if you have a DSL router that has firewall functionality, you have to make sure it’s updated regularly. Make sure your personal firewall is on each computer system. Attacks can make it through a firewall. You don’t want to have your firewall as a single point of failure,” cautions Winkler.
- […] a hardware firewall between the Internet connection and your internal […]
- […] away from malicious sites. Stay away from pornography sites because those tend to install back doors and key capture mechanisms. [Try using a hosts file, as at
- Periodically check systems to see that firewalls are up
May 2007 63