Computer Networking and Practical Security, Fall 2006

GoodBadTools

This page introduces some tools useful to both administrators and attackers. While it could easily serve as the introduction to the System Attacks section of the course, we place it here to emphasize the inherent neutrality of most network tools. Remember that tools used to gain information or bend protocol rules rarely cause *damage* by themselves; it is the use made of their side effects that does. While a sysadmin would rarely want to compromise the security of their own network, scanning or temporarily disrupting traffic is essential in testing whether a system's defenses actually work. This section assumes knowledge of hash functions, which were described in CryptoTools.

"Hacker Tools"

The Password File and John the Ripper

On Unix and essentially all other modern operating systems, passwords are stored as hashes rather than as plaintext. This makes recovering a password from its hash impossible short of some method of trial and error. Unix usernames and password hashes used both to be kept in the /etc/passwd file. This presented a security risk since the file is readable by anyone, meaning anyone with an account could copy the hashes and crack them at their leisure. The shadow file was introduced to combat this problem: usernames and account details stay in passwd (which is still world-readable, since ordinary programs need it to map user ids to names), while the password hashes are kept in the shadow file, which is readable only by root and the shadow group. The shadow file is /etc/shadow on Linux, but may be located elsewhere on other Unix systems. In Mac OS X, for example, the hashes are stored in per-user files under /var/db/shadow/hash/.
John the Ripper is the most popular Unix password cracker available, and also has versions for cracking Windows hashes[1]. By default it tries three cracking modes in turn: "single crack", "word list" and "incremental". Single crack derives candidate passwords from the account's own login name, full-name (GECOS) field and home directory name, applying a list of "mangling" rules[2]. A mangling rule transforms a candidate into other likely passwords (changing case, reversing it, appending digits, and so on). Word-list mode is self-explanatory: it tries a list of words (the list can be specified) and again applies mangling. Incremental mode is essentially an intelligent brute-force search that will eventually try every password up to a given length. Its guess order is driven by character-frequency statistics rather than by lexical order, so it finds weak passwords much faster (and correspondingly takes much longer on "strong" passwords, even when those are shorter than the weak ones).
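To make the three modes concrete, here is an added example (not code from the course page or from John the Ripper itself): a miniature cracker that parses passwd- and shadow-style records and runs single crack, word list and incremental in that order. Real shadow entries use crypt(3) schemes such as $6$ (sha512crypt); so that it runs offline, the constructed sample records use a hypothetical "$toy$salt$hash" scheme where hash = hex(SHA-256(salt + password)). The hash scheme is an assumption; the search logic is what the paragraph describes.

```python
"""Added example (not from the course page or from John the Ripper): a
miniature cracker that reads passwd/shadow-style records and applies the
three JtR modes in order: single crack, word list, incremental.
ASSUMPTION: the constructed records use a hypothetical "$toy$salt$hash"
scheme, hash = hex(SHA-256(salt + password)), instead of real crypt(3)."""
import hashlib
import itertools
import string


def toy_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def parse_passwd(text: str) -> dict:
    """user -> (gecos, home) from the world-readable passwd lines."""
    info = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            info[f[0]] = (f[4], f[5])
    return info


def parse_shadow(text: str) -> list:
    """(user, salt, digest) per $toy$ entry; locked ('!', '*') entries skipped."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) > 1 and f[1].startswith("$toy$"):
            _, _, salt, digest = f[1].split("$")
            out.append((f[0], salt, digest))
    return out


def mangle(word: str):
    """A handful of JtR-style mangling rules applied to one seed word."""
    yield word
    yield word.lower()
    yield word.upper()
    yield word.capitalize()
    yield word[::-1]
    for suffix in ("1", "123", "!", "2006"):
        yield word + suffix
    yield word.translate(str.maketrans("aeos", "4305"))  # 'leet' substitution


def try_candidates(salt, digest, candidates):
    for cand in candidates:
        if toy_hash(salt, cand) == digest:
            return cand
    return None


def single_crack(user, salt, digest, gecos="", home=""):
    """Single-crack mode: seeds come from the account's own fields."""
    seeds = [user, home.rsplit("/", 1)[-1]] + gecos.split()
    return try_candidates(salt, digest, (c for s in seeds if s for c in mangle(s)))


def wordlist_crack(salt, digest, words):
    """Word-list mode: each dictionary word plus its mangled variants."""
    return try_candidates(salt, digest, (c for w in words for c in mangle(w)))


def incremental_crack(salt, digest, max_len=3,
                      alphabet=string.digits + string.ascii_lowercase):
    """Exhaustive search. JtR orders guesses by trigram statistics; this
    stand-in just tries shortest first over the most common characters."""
    cands = ("".join(t) for n in range(1, max_len + 1)
             for t in itertools.product(alphabet, repeat=n))
    return try_candidates(salt, digest, cands)


def crack_all(passwd_text, shadow_text, words):
    """user -> recovered password, or None when all three modes fail."""
    info = parse_passwd(passwd_text)
    results = {}
    for user, salt, digest in parse_shadow(shadow_text):
        gecos, home = info.get(user, ("", ""))
        results[user] = (single_crack(user, salt, digest, gecos, home)
                         or wordlist_crack(salt, digest, words)
                         or incremental_crack(salt, digest))
    return results


# Constructed sample accounts (not real data).
SAMPLE_PASSWD = """\
alice:x:1001:1001:Alice Liddell:/home/alice:/bin/bash
bob:x:1002:1002:Bob Ross:/home/bob:/bin/bash
carol:x:1003:1003:Carol Danvers:/home/carol:/bin/sh
dave:x:1004:1004:Dave:/home/dave:/bin/sh
eve:x:1005:1005:Eve:/home/eve:/bin/sh
"""


def shadow_record(user, salt, password):
    return f"{user}:$toy${salt}${toy_hash(salt, password)}:13000:0:99999:7:::"


SAMPLE_SHADOW = "\n".join([
    shadow_record("alice", "Qx", "alice2006"),  # login name + year: single crack
    shadow_record("bob", "Zr", "p455w0rd"),     # 'leet' dictionary word: word list
    shadow_record("carol", "9k", "7x3"),        # short and random: incremental
    "dave:!:13000:0:99999:7:::",                # locked account, skipped
    shadow_record("eve", "Mm", "Tr0ub4dor&3"),  # survives all three modes
])
WORDS = ["password", "letmein", "marlboro", "summer"]

if __name__ == "__main__":
    for user, pw in crack_all(SAMPLE_PASSWD, SAMPLE_SHADOW, WORDS).items():
        print(f"{user:6} {pw or '(not cracked)'}")
```

Note how the order of the modes matters: the cheap, account-specific guesses run first, the dictionary next, and the exhaustive search only for what is left, which is exactly why a password built from the login name falls in milliseconds while eve's survives the whole run.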

Netcat

Netcat (nc) is nicknamed the "TCP/IP Swiss Army Knife"[3] due to its many capabilities and applications. It allows you to manually read or write to a socket, and can be used to provide back end networking for your own scripts. For example, using its most trivial operation, we can use it as a two-way chat system. The following line listens for traffic on port 2000:
jim$ nc -l -p 2000
(The -l option puts nc in listening mode and -p specifies the port. Note that the OpenBSD-derived nc shipped with many systems expects the port as a plain argument in listening mode, nc -l 2000, and some versions refuse -l together with -p.) The following line tries to connect to an address on port 2000:
gabe$ nc cs.marlboro.edu 2000
Now both parties are free to type to each other to their hearts' content. By redirecting standard input and output to and from files, we can even use netcat to transfer files across a network with the following two lines (the listener must be started first):
gabe$ nc -l -p 2000 > destination_file
jim$ nc localhost 2000 < original_file
(As written both commands run on the same host; when jim and gabe are on different machines, replace localhost with the listener's hostname.)
It should be noted that transferring files this way is unencrypted and unauthenticated: anyone on the path can read the file, and anyone who can reach the port can send the listener whatever they like, since the listener has no way of knowing who connected. Because it so readily provides unauthenticated access to a machine, netcat is a dangerous tool in the wrong hands, to the point that some antivirus software identifies and deletes it[4].
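The following added example (not code from the course page or from netcat) does the same file transfer over a raw socket, which is what "back end networking for your own scripts" amounts to, and then adds the check the paragraph says nc lacks: the receiver cannot tell who connected, so sender and receiver share a key and the sender appends an HMAC-SHA256 tag; a connection from someone without the key, or bytes altered in transit, is rejected instead of being written out. It assumes loopback only, an OS-chosen port, and constructed file contents; the key and the file are made up for the demonstration.

```python
"""Added example (not from the course page or from netcat): a netcat-style
file transfer over a raw TCP socket, plus a pre-shared-key HMAC check that
lets the receiver reject impostor senders and tampered bytes.
ASSUMPTIONS: loopback only, OS-chosen port, constructed file and key."""
import hashlib
import hmac
import socket
import threading

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def recv_all(conn):
    """Read until the peer closes, as `nc -l` does before exiting."""
    chunks = []
    while True:
        buf = conn.recv(4096)
        if not buf:
            return b"".join(chunks)
        chunks.append(buf)


def nc_send(port, data, key, tamper=False):
    """Like `nc localhost PORT < original_file`, but with a tag appended.
    tamper=True flips a byte after tagging, modelling an on-path modifier."""
    wire = data + hmac.new(key, data, hashlib.sha256).digest()
    if tamper:
        wire = bytes([wire[0] ^ 0x01]) + wire[1:]
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(wire)


def nc_listen(srv, key, result):
    """Like `nc -l -p PORT > destination_file`, but verify before trusting."""
    conn, _ = srv.accept()
    with conn:
        blob = recv_all(conn)
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    result["accepted"] = hmac.compare_digest(tag, expected)  # constant-time compare
    result["data"] = data if result["accepted"] else b""


def transfer(data, sender_key, receiver_key, tamper=False):
    """Run one sender and one receiver on loopback; return the receiver's view.
    Giving the two sides different keys models a sender who lacks the secret."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}
    t = threading.Thread(target=nc_listen, args=(srv, receiver_key, result))
    t.start()
    nc_send(srv.getsockname()[1], data, sender_key, tamper)
    t.join()
    srv.close()
    return result


SAMPLE_FILE = b"cs.marlboro.edu lecture notes (constructed sample)\n"
KEY = b"shared-secret-agreed-out-of-band"

if __name__ == "__main__":
    print(transfer(SAMPLE_FILE, KEY, KEY)["accepted"])                # True
    print(transfer(SAMPLE_FILE, b"guess", KEY)["accepted"])           # False
    print(transfer(SAMPLE_FILE, KEY, KEY, tamper=True)["accepted"])   # False
```

The tag gives integrity and (via the shared key) sender authentication; the bytes themselves still cross the wire in the clear, so confidentiality would need encryption on top, which is why in practice one tunnels such transfers over ssh rather than extending nc.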

Telnet Email Spoofing

We've already used telnet to fetch web pages by hand. Now we're going to send some email with it. You'll probably need to do this from within the Marlboro network, so if you're off-campus, log onto CS first. Within the local network the SMTP server is more than happy to send whatever you pass it, to whoever you want, as whoever you want: it neither authenticates the client nor checks that the sender address is genuine. Observe the following exchange (lines beginning with a three-digit code are the server's replies; everything else was typed):
$ telnet smtp.marlboro.edu 25
Trying 10.1.2.29...
Connected to xyz.marlboro.edu.
Escape character is '^]'.
220 xyz.marlboro.edu ESMTP Postfix
helo SpamMan
250 xyz.marlboro.edu
mail from: bill.gates@microsoft.com
250 Ok
rcpt to: glein@marlboro.edu
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: Special offer for you!

Go buy Vista now!
.
250 Ok: queued as 287BB3AC509
quit
221 Bye
Connection closed by foreign host.
This can be used to do nasty things like automating spam through a script, or social engineering: a message that appears to come from the system administrator carries the administrator's authority ("hmm, the system administrator told me to call this number and give them my password... guess I'd better do what they say").
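Here is the same exchange replayed by a script, as an added example that is not code from the course page or from Postfix: a toy SMTP server (hostname xyz.example and the queue id are made up) mimics the Postfix replies shown above, and a client types the dialog at it and collects the reply codes. The server can run as the open relay the page describes, or with the usual restriction that an unauthenticated client may only deliver mail *to* the server's own domain, answering 554 Relay access denied otherwise. Note what that restriction does not do: MAIL FROM is never checked, so a spoofed sender to a local user still goes through, which is exactly the social-engineering case.

```python
"""Added example (not from the course page or from Postfix): the page's
telnet dialog driven from a script against a toy SMTP server that imitates
Postfix replies, runnable offline. ASSUMPTIONS: hostname xyz.example and
the queue id are invented; loopback only; no TLS or authentication."""
import socket
import threading


def toy_smtp_server(srv, local_domain, open_relay, mailbox):
    """Serve one session. MAIL FROM is accepted unchecked, like the real thing;
    only RCPT TO is restricted when open_relay is False."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as rf:
        def reply(text):
            conn.sendall((text + "\r\n").encode())
        reply("220 xyz.example ESMTP Postfix")
        sender, rcpts = None, []
        while True:
            raw = rf.readline()
            if not raw:
                break
            verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                reply("250 xyz.example")
            elif verb == "MAIL":
                sender = arg.split(":", 1)[1].strip().strip("<>")
                reply("250 Ok")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[1].strip().strip("<>")
                if open_relay or addr.lower().endswith("@" + local_domain):
                    rcpts.append(addr)
                    reply("250 Ok")
                else:
                    reply(f"554 5.7.1 <{addr}>: Relay access denied")
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                lines = []
                while True:
                    raw = rf.readline()
                    line = raw.decode().rstrip("\r\n")
                    if not raw or line == ".":
                        break
                    lines.append(line[1:] if line.startswith(".") else line)
                mailbox.append({"from": sender, "to": list(rcpts),
                                "data": "\n".join(lines)})
                reply("250 Ok: queued as 0123456789AB")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("500 Error: command not recognized")


def send_spoofed(port, helo, mail_from, rcpt_to, message):
    """Type the page's dialog at the server; return the reply codes in order."""
    codes = []
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rb") as rf:
        def cmd(line):
            s.sendall((line + "\r\n").encode())
            codes.append(int(rf.readline().decode()[:3]))
            return codes[-1]
        rf.readline()                       # 220 banner
        cmd("helo " + helo)
        cmd("mail from: " + mail_from)      # any sender address goes
        if cmd("rcpt to: " + rcpt_to) == 250:
            cmd("data")
            body = "\r\n".join("." + l if l.startswith(".") else l
                               for l in message.split("\n"))  # dot-stuffing
            s.sendall(body.encode() + b"\r\n.\r\n")
            codes.append(int(rf.readline().decode()[:3]))
        cmd("quit")
    return codes


def run_session(open_relay, rcpt_to, local_domain="marlboro.edu"):
    """Start a toy server on loopback, run one spoofed session, return
    (reply codes, what the server queued)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    mailbox = []
    t = threading.Thread(target=toy_smtp_server,
                         args=(srv, local_domain, open_relay, mailbox))
    t.start()
    codes = send_spoofed(srv.getsockname()[1], "SpamMan",
                         "bill.gates@microsoft.com", rcpt_to,
                         "subject: Special offer for you!\n\nGo buy Vista now!")
    t.join()
    srv.close()
    return codes, mailbox


if __name__ == "__main__":
    print(run_session(True, "glein@marlboro.edu"))     # open relay: queued
    print(run_session(False, "victim@example.com"))    # restricted: 554, nothing queued
    print(run_session(False, "glein@marlboro.edu"))    # restricted but local: still spoofed
```

The third run is the one to remember: relay restrictions stop the server being used to spam the world, but do nothing about forged senders aimed at its own users. That is what SMTP authentication and sender-verification schemes exist to address, and why a "from" header alone should never be trusted.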

Sources and Further Reading

1) http://en.wikipedia.org/wiki/John_the_Ripper
2) http://www.openwall.com/john/
3) http://en.wikipedia.org/wiki/Netcat
4) http://www.symantec.com/security_response/writeup.jsp?docid=2005-120115-5633-99