The Tools and Methodologies of the Script Kiddie
Know Your Enemy
Lance Spitzner
My commander used to tell me that to secure yourself against the enemy,
you have to first know who your enemy is. This military doctrine readily
applies to the world of network security. Just like the military, you have
resources that you are trying to protect. To help protect these resources,
you need to know who your threat is and how they are going to attack. This
article, the first of a three part series, does just that, it discusses
the tools and methodology used by one of the most common and universal
threats, the Script Kiddie. The second
paper focuses on how you can detect these attempts, identify what
tools they are using and what vulnerabilities they are looking for.
The third paper focuses on what happens once
they gain root. Specifically, how they cover their tracks and what
they do next.
Who is the Script Kiddie
The script kiddie is someone looking for the easy kill.
They are not out for specific information or targeting a
specific company. Their goal is to gain root the easiest
way possible. They do this by focusing on a small number
of exploits, and then searching the entire Internet for
that exploit. Sooner or later they find someone vulnerable.
Some of them are advance users who develop their own tools
and leave behind sophisticated backdoors. Others have no
idea what they are doing and only know how to type "go"
at the command prompt. Regardless of the their skill level,
they all share a common strategy, randomly search for a
specific weakness, then exploit that weakness.
The Threat
It is this random selection of targets that make the script
kiddie such a dangerous threat. Sooner or later your systems
and networks will be probed, you cannot hide from them.
I know of admins who were amazed to have their systems scanned
when they had been up for only two days, and no one knew
about them. There is nothing amazing here. Most likely,
their systems were scanned by a script kiddie who happened
to be sweeping that network block.
If this was limited to several individual scans, statistics
would be in your favor. With millions of systems on the
Internet, odds are that no one would find you. However,
this is not the case. Most of these tools are easy to use
and widely distributed, anyone can use them. A rapidly growing
number of people are obtaining these tools at an alarming
rate. As the Internet knows no geographic bounds, this threat
has quickly spread throughout the world. Suddenly, the law
of numbers is turning against us. With so many users on
the Internet using these tools, it is no longer a question
of if, but when you will be probed.
This is an excellent example of why security through obscurity
can fail you. You may believe that if no one knows about
your systems, you are secure. Others believe that their
systems are of no value, so why would anyone probe them?
It is these very systems that the script kiddies are searching
for, the unprotected system that is easy to exploit, the
easy kill.
The Methodology
The script kiddie methodology is a simple one. Scan the
Internet for a specific weakness, when you find it, exploit
it. Most of the tools they use are automated, requiring
little interaction. You launch the tool, then come back
several days later to get your results. No two tools
are alike, just as no two exploits are alike. However, most
of the tools use the same strategy. First, develop a database
of IPs that can be scanned. Then, scan those IPs for a specific
vulnerability.
For example, lets say a user had a tool that could exploit
imap on Linux systems, such as imapd_exploit.c.
First, they would develop a database of IP addresses that
they could scan (i.e., systems that are up and reachable).
Once this database of IP addresses is built, the user would
want to determine which systems were running Linux. Many
scanners today can easily determine this by sending bad
packets to a system and seeing how they respond, such as
Fyodor's nmap.
Then, tools would be used to determine what Linux systems
were running imap. All that is left now is to exploit those
vulnerable systems.
You would think that all this scanning would be extremely
noisy, attracting a great deal of attention. However, many
people are not monitoring there systems, and do not realize
they are being scanned. Also, many script kiddies quietly
look for a single system they can exploit. Once they have
exploited a system, they now use this systems as a launching
pad. They can boldly scan the entire Internet without fear
of retribution. If their scans are detected, the system
admin and not the black-hat will be held liable.
Also, these scan results are often archived or shared among
other users, then used at a later date. For example,
a user develops a database of what ports are open on reachable
Linux systems. The user built this database to exploit
the current imap vulnerability. However, lets say
that a month from now a new Linux exploit is identified
on a different port. Instead of having to build a
new database (which is the most time consuming part), the
user can quickly review his archived database and compromise
the vulnerable systems. As an alternative, script
kiddies share or even buy databases of vulnerable systems
from each other. The script kiddie can then exploit
your system without even scanning it. Just because
your systems have not been scanned recently does not mean
you are secure.
The more sophisticated black-hats implement trojans and
backdoors once they compromise a system. Backdoors allow
easy and unnoticed access to the system whenever the user
wants. The trojans make the intruder undetectable. He would
not show up in any of the logs, systems processes, or file
structure. He builds a comfortable and safe home where he
can blatantly scan the Internet. For more information
on this, check out Know
Your Enemy: III.
These attacks are not limited to a certain time of the
day. Many admins search their log entries for probes that
happen late at night, believing this is when black-hats
attack. Script kiddies attack at any time. As they are scanning
24hrs a day, you have no idea when the probe will happen.
Also, these attacks are launched throughout the world. Just
as the Internet knows no geographical bounds, it knows no
time zones. It may be midnight where the black-hat is, but
it is 1pm for you.
The Tools
The tools used are extremely simple in use. Most are limited
to a single purpose with few options. First come the tools
used to build an IP database. These tools are truly random,
as they indiscriminently scan the Internet. For example,
one tool has a single option, A, B, or C. The letter you
select determines the size of the network to be scanned.
The tool then randomly selects which IP network to scan.
Another tool uses a domain name (z0ne is an excellent example
of this). The tools builds an IP database by conducting
zone transfers of the domain name and all sub-domains. User's
have built databases with over 2 million IPs by scanning
the entire .com or .edu domain.
Once discovered, the IPs are then scanned by tools to determine
vulnerabilities, such as the version of named, operating
system, or services running on the system Once the vulnerable
systems have been identified, the black-hat strikes. Several
tools exist that combine all these features together, simplifying
the process even greater, such as sscan
by jsbach or cracker.pl
. For a better understanding of how these tools are
used, check out Know
Your Enemy: II.
How to Protect Against This Threat
There are steps you can take to protect yourself against
this threat. First, the script kiddie is going for the easy
kill, they are looking for common exploits. Make sure your
systems and networks are not vulnerable to these exploits.
Both http://www.cert.org
and http://www.ciac.org
are excellent sources on what a common exploit is. Also,
the listserv bugtraq
is one of the best sources of information.
Another way to protect yourself is run only the services
you need. If you do not need a service, turn it off. If
you do need a service, make sure it is the latest version.
For examples on how to do this, check out Armoring
Solaris , Armoring
Linux or Armoring
NT.
As you learned from the tools section, DNS servers are
often used to develop a database of systems that can be
probed. Limit the systems that can conduct zone transfers
from your Name Servers. Log any unauthorized zone transfers
and follow up on them. I highly recommend upgrading to the
latest version of BIND (software used for Domain Name Service),
which you can find at http://www.isc.org/bind.html.
Last, watch for your systems being probed. Once identified,
you can track these probes and gain a better understanding
of the threats to your network and react to these threats.
Conclusion
The script kiddie poses a threat to all systems. They show
no bias and scan all systems, regardless of location and
value. Sooner or later, your system will be probed. By understanding
their motives and methods, you can better protect your systems
against this threat.
NOTE: Thanks to Brad Powell at Sun's Security Team for his
help on this article
|