Feedback: Please send feedback to "hacking-dict@robertgraham.com".
Each word is marked with a number that describes how "technical" the
word is. The following scale is used:
[1] used by people inside and outside the community
[2] common terms used within the community
[3] rarer terms used in technical discussions
[4] rare terms used by experts; these terms will require extensive
study in order to really grok them.
[5] rare terms used by virtually nobody (i.e. if you are using
this guide to learn the lingo, skip these terms).
Copyright 1998-2000 by Robert Graham (hacking-dict@robertgraham.com). All rights reserved. This document may be reproduced only for non-commercial purposes. All reproductions must contain this exact copyright notice. Reproductions must not contain alterations except by permission.
Key point: The debate over strong encryption is never ending. Within the United States, law enforcement is constantly lobbying to restrict the use of strong encryption. Many resist, pointing out how often law enforcement already abuses wiretap powers (such as against Martin Luther King). At the same time, companies making products constantly lobby for the easing of export restrictions, so that they can sell strong encryption products abroad. Another funny thing is that the U.S. government's intransigence on this issue has actually led to stronger encryption abroad. U.S. export restrictions (and the desire to spy on foreigners) were one of the reasons France relaxed its own law-enforcement bans on encryption use by citizens.
Key point: Specialized hardware can decrypt 40-bit keys in real time. The average new desktop has enough horsepower to decrypt 40-bit messages. Thus, many people now consider 40-bit encryption to be simply obfuscated plaintext.
Key point: 40-bit often refers to the RC4 system within browsers.
Key point: In January of 1999, the EFF built a custom machine (the "Deep Crack") for $250,000 that could decrypt 56-bit DES encrypted messages in hours.
Key point: 56-bit cryptography almost always refers to DES.
Key point: Security conscious users of such systems need to make sure they use a more random mix of characters because they cannot create long passwords.
Key point: Password cracking such systems is a little easier.
Key point: Web-servers often allow access to user's directories this way. An example would be http://www.robertgraham.com/~rob.
Key point: A big hole on the Internet is that people unexpectedly open up information. For example, the file .bash_history is a hidden file in a person's directory that contains the complete text of all commands they've entered into the shell (assuming their shell is "bash", which is the most popular one on Linux).
Key point: When rooting a machine, hackers will often redirect logging to /dev/null. For example, the command
Culture: In the vernacular, means much the same thing as "black hole". Typical usage, "if you don't like what I have to say, please direct your comments to /dev/null".
Key point: If a hacker can read files from this directory, then they can likely use the information to attack the machine.
Key point: The passwords are encrypted, so even though everyone can read the file, it doesn't automatically guarantee access to the system. However, programs like crack are very effective at decrypting the passwords. On any system with many accounts, there is a good chance the hacker will be able to crack some of the accounts if they get hold of this file.
Key point: Modern UNIX systems allow for "shadowed" password files, stored in locations like /etc/shadow that only root has access to. The normal password file still exists, minus the password information. This provides backwards compatibility for programs that still must access the password file for account information, but which have no interest in the passwords themselves.
Key point: The chief goal of most hacks against UNIX systems is to retrieve the password file. Many attacks do not compromise the machine directly, but are able to read files from the machine, such as this file. Typical examples include:
Key point: An Access Control List (ACL) is used to list those accounts that have access to the resource that the list applies to. When talking about firewalls, the ACL implies the list of IP addresses that have access to which ports and systems through the firewall. When talking about WinNT, the ACL implies the list of users that can access a specific file or directory on NTFS.
Contrast: Discretionary Access Control is the ability to have fine grained control over who has access to what resources.
Analogy: A cookbook recipe is an algorithm.
Key point: Different algorithms have different levels of complexity. For example, consider the ancient parable (Babylonian?) about a king and a wise subject who did a favor for him. The subject asked for one piece of grain to be placed on the first square of a chess board, two grains on the second, four grains on the third, and so on, doubling the amount of grain for each successive square.
This problem demonstrates an algorithm of exponential complexity. For the first 10 squares of the chess board, the series is: 1 2 4 8 16 32 64 128 256 512. Thus, for the first 10 squares, roughly a thousand grains must be paid out. However, the series continues (using K=1024): 1k 2k 4k 8k 32k 64k 128k 256k 512k. Thus, for the first 20 squares, roughly a million grains must be paid out. After 30 squares, roughly a billion grains must be paid out. For 40 squares, roughly a trillion grains must be paid out.
This is directly related to such things as key size. A 41-bit key is twice as hard to crack as a 40-bit key. A 50-bit key is a thousand times harder. A 60-bit key is a million times harder. This is why the 128-bit vs. 40-bit encryption debate is so important: 128-bit keys are a trillion trillion times harder to crack (via brute force) than 40-bit keys.
Key point: Most algorithms are public, meaning that somebody trying to decrypt your message knows all the details of the algorithm. Consequently, the message is protected solely by the key. Many people try to add additional protection by making the details of the algorithm secret as well. Experience so far has led to the belief that this actually leads to weaker security for two reasons. First, such secrets always get discovered eventually, so if security depends upon this secret, it will eventually be broken. Secondly, human intelligence is such that someone cannot create a secure algorithm on his/her own. Therefore, only by working with a community of experts over many years can humans create a secure algorithm. To date, only two such communities exist: the entire world of cryptography experts publishing the details of their work and trying to break other people's work, and the tightly knit community of cryptography experts working in secret for the NSA.
Key point: Anonymous e-mail services like Hotmail put the IP address of the person sending the e-mail in the headers (which are normally hidden from view by e-mail clients). Many would-be hackers get caught this way.
Key point: A recurring bug in ASP has allowed hackers to read the script rather than the output of the script. These techniques rely upon changing the name of the script such that the server no longer recognizes it as a script, but as a file instead. Some techniques that have worked in the past have been:
Key point: By sniffing ARP packets off the wire, you can discover a lot of stuff going on. This is especially true of cable-modem and DSL segments. Since ARP packets are broadcasts, you aren't technically breaking your user's agreement by sniffing.
Key point: You can spoof ARP requests and/or responses in order to redirect traffic through your machine.
Example: Some classifications of attacks are:
Example: When you log in with your username and give the password, you are authenticating yourself to the system. You are proving that you are you because, in theory, only you know your password.
Key point: Abstractly, anything that combats forgery is called authentication. For example, IPsec includes an Authentication Header (AH) that proves that a packet hasn't been modified in transit.
Contrast: Remote access trojans (RATs) are NOT examples of back channels, but are instead forward channels. A RAT allows the hacker to contact the system from anywhere in the world, and allows the hacker to hide where he/she is coming from. A back channel, on the other hand, will contact the hacker, who must have a fixed IP address. This clearly fingers who the hacker is.
Key point: Typical back channel protocols are X Windows (xterm) and shells like Telnet. These programs are often built into the victim's system, so many attacks that can't otherwise compromise the system can still trigger a back channel that allows a remote shell.
See also: covert channel
Key point: Back doors are frequently programmed into systems either benignly or maliciously. Most computers shipped today allow BIOS passwords to be set that will prevent the booting of the computer without the administrator first typing the password. However, since many people lose their password, such BIOSes often have back door passwords that allow the real password to be set. Similarly, a lot of remotely manageable network equipment (routers, switches, dialup banks, etc.) has backdoors for remote Telnet or SNMP. The frequency of such back doors is due to the fact that people are stupid, set passwords, forget them, then whine to customer support.
Example: Most backdoors consist of special username/passwords that can be entered in the normal locations where prompted.
Key point: A backdoor can be added to any system. For example, when generating random session keys, a programmer may actually subvert the random number generator. Such subversion would then allow decrypting of the message by those who knew the specifics. This has already been done accidentally; some paranoids believe that some encryption products do this intentionally in order to get export approval of 128-bit products.
Key point: Many banners reveal the exact version of the product. Over time, exploits are found for specific versions of products. Therefore, the intruder can simply lookup the version numbers in a list to find which exploit will work on the system. In the examples below, the version numbers that reveal the service has known exploitable weaknesses are highlighted.
Example: The example below is a RedHat Linux box with most of the default services enabled. The examples below show only the text-based services that show banners upon connection (in some cases, a little bit of input was provided in order to trigger the banners). Note that this is an older version of Linux; exploits exist for most of these services that would allow a hacker to break into this box (most are buffer-overflow exploits).
| Protocol | Port | Banner |
|---|---|---|
| FTP | 21 | 220 rh5.robertgraham.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov 1 03:08:32 EST 1997) ready. |
| Telnet | 23 | Red Hat Linux release 5.0 (Hurricane) Kernel 2.0.31 on an i486 login: |
| SMTP | 25 | 220 rh5.robertgraham.com ESMTP Sendmail 8.8.7/8.8.7; Mon, 29 Nov 1999 23:28:31 -0800 |
| finger | 79 | Login Name Tty Idle Login Time Office Office Phone rob Robert David Graham p0 Nov 29 22:51 (gandalf) root root p1 Nov 29 23:34 (10.17.128.201:0.0) |
| HTTP | 80 | HTTP/1.0 200 OK Date: Tue, 30 Nov 1999 07:34:59 GMT Server: Apache/1.2.4 Last-Modified: Thu, 06 Nov 1997 18:20:06 GMT Accept-Ranges: bytes Content-Length: 1928 Content-Type: text/html |
| POP3 | 110 | +OK POP3 rh5.robertgraham.com v4.39 server ready |
| identd | 113 | 0 , 0 : ERROR : UNKNOWN-ERROR |
| IMAP4 | 143 | * OK rh5.robertgraham.com IMAP4rev1 v10.190 server ready |
| lp | 515 | lpd: lp: Malformed from address |
| uucp | 540 | login: |
Key point: BGP can be subverted in numerous ways. BGP is generally unauthenticated, and rogue ISPs can play havoc.
Key point: The BIOS stores configuration settings in NVRAM (Non-Volatile RAM). Remember that the contents of your normal RAM/memory are lost when you power-off your computer. The contents of NVRAM, in contrast, are retained when power goes off. Most NVRAM consists of CMOS (low-power) chips with a small battery that constantly feeds power to the chips (such batteries last about 5 years). A common trick of hackers and viruses is to corrupt the CMOS settings, causing the computer to fail to boot. Removing the battery connection (usually a jumper on the motherboard) will cause the CMOS settings to be lost and reset back to the default (good) state.
Key point: All of today's BIOSes are stored in programmable ROMs, which allows them to be reprogrammed (usually with bug fixes from the manufacturer). This allows the hacker to reprogram them as well. While in theory the hacker could reprogram his/her own code into the BIOS, in practice this has not been done yet. Instead, hackers can sometimes use this programming feature to corrupt the BIOS code (in much the same way they corrupt the BIOS settings mentioned above). This will usually prevent the system from booting even to a point where a fresh BIOS can be re-programmed into the system. This requires that the system be brought back to the vendor in order to have the BIOS reprogrammed. Note that you can often set a jumper on the motherboard that denies the ability to reprogram the BIOS.
Key point: In many contexts, each additional bit means "twice as much". 8 extra bits means 256 times as much. 16 extra bits means 65536 times as much. Therefore, it takes 65536 times longer to brute force crack a 56-bit key than a 40-bit key.
Key point: DHCP is simply an extension on top of bootp. This is important because without an IP address, clients cannot reach bootp servers that reside across routers. Virtually all routers have an extension for bootp forwarding that fixes this issue. Since DHCP had the same requirements, the designers just stuck it inside bootp packets rather than requiring yet another change to the routing infrastructure.
Example: A cancel-bot is a program that attempts to cancel lots of messages within USENET newsgroups. These are sometimes used by the USENET Death Penalty or rogue cancelers.
Key point: Netscape and Microsoft have not yet produced a browser that is hardened against predation from hostile websites.
Key point: Disabling Java, JavaScript, and ActiveX will lock out virtually all hacks against the browser. However, this will also lock out many websites.
Analogy: If you somehow steal somebody's ATM card, you could try to use it in a bank machine. PIN numbers are only 4 digits, meaning 10,000 possible combinations. If you were patient, you could stand at the cash machine trying all possible 10,000 combinations. (Of course, ATM machines will always eat the cards after a few unsuccessful tries in order to stop this).
Key point: The term brute force often means "the most difficult way". In the above example of the PIN number, you can always find the PIN number after guessing 10,000 combinations. But sometimes there are easier ways. For example, a bank may choose to assign PIN numbers based upon a combination of the issuing date and the user's name. Therefore, the problem is reduced to guessing when a card was issued, which may consist of only a few hundred guesses.
Therefore, any technique that is more difficult than brute force is pointless. Likewise, brute force is very difficult, so hackers continually search for techniques that are less difficult.
Key point: The possibility of doing brute-force key-space searches is often compared to the age of the universe, the number of atoms in the planet earth, and the yearly output of the sun. For example, Bruce Schneier has calculated that, according to what we know of quantum mechanics today, the entire energy output of the sun is insufficient to break a 197-bit key.
Analogy: Consider two popular bathroom sink designs. One design is a simple sink with a single drain. The other design includes a backup drain near the top of the sink. The first design is easy and often looks better, but suffers from the problem that if the drain is plugged and the water is left running, the sink will overflow all over the bathroom. The second design prevents the sink from overflowing, as the water level can never get past the top drain.
Example: In much the same way, programmers often forget to validate input. They (rightly) believe that a legal username is less than 32 characters long, and (wrongly) reserve "more than enough" memory for it, typically 200 characters. However, they frequently forget to check if some malicious hacker enters an illegal username 1000 characters long.
Key point: This is a classic programming bug that afflicts almost all systems. The average system on the Internet is vulnerable to a well known buffer overflow attack. Many Windows NT servers have IIS services vulnerable to a buffer overflow in ".htr" handler, many Solaris servers have vulnerable RPC services like cmsd, ToolTalk, and statd; many Linux boxes have vulnerable IMAP4, POP3, or FTP services.
Key point: Programs written in C are most vulnerable, C++ is somewhat less vulnerable. Programs written in scripting level languages like VisualBasic and Java are generally not vulnerable. The reason is that C requires the programmer to check buffer lengths, but scripting languages generally make these checks whether the programmer wants them or not.
Key point: Buffer overflows are usually a Denial-of-Service in that they will crash/hang a service/system. The most interesting ones, however, can cause the system to execute code provided by the hacker as part of the exploit.
Key point: The language is quirky, difficult for beginners to learn, and really just an accident of history. Despite this, one must grok the language in order to become a true hacker.
Key point: The large number of buffer overflow exploits is directly related to the poor way that C protects programmers from doing the wrong thing. On the other hand, this lack of protection leads directly to its high speed.
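The username case from the buffer overflow entry above, written in C once the way that overflows and once the way that validates input. This is an added example, not code from the lexicon; the function names and the 200/32 limits are made up for illustration.

```c
/* Added example (not from the lexicon): the username case from the
 * "buffer overflow" entry, once the way that overflows and once the way
 * that validates input. All names and limits are made up for illustration. */
#include <stdio.h>
#include <string.h>

#define USERNAME_BUF 200   /* "more than enough" storage for a name */
#define USERNAME_MAX 32    /* the real policy limit for a legal name */

/* Vulnerable form: copies until the NUL terminator, so an input longer
 * than USERNAME_BUF writes past the end of 'dest' (undefined behaviour).
 * Defined here only for contrast; it is never called below. */
void store_username_unchecked(char dest[USERNAME_BUF], const char *input)
{
    strcpy(dest, input);
}

/* Hardened form: measure the input with a bound, reject anything over
 * the policy limit, and only then copy. Returns 1 if stored, 0 if rejected. */
int store_username_checked(char dest[USERNAME_BUF], const char *input)
{
    size_t n = 0;
    while (n <= USERNAME_MAX && input[n] != '\0')   /* never scan past limit+1 */
        n++;
    if (n > USERNAME_MAX) {
        dest[0] = '\0';
        return 0;
    }
    memcpy(dest, input, n);
    dest[n] = '\0';
    return 1;
}

/* Constructed hostile input: 1000 'A' characters, as in the entry above. */
static const char *hostile_name(void)
{
    static char name[1001];
    memset(name, 'A', 1000);
    name[1000] = '\0';
    return name;
}

/* A legal name is stored intact. Returns 1 on success. */
int demo_short_name_accepted(void)
{
    char buf[USERNAME_BUF];
    return store_username_checked(buf, "alice") == 1 && strcmp(buf, "alice") == 0;
}

/* A 1000-character name is refused instead of overflowing 'buf'. Returns 1 on success. */
int demo_long_name_rejected(void)
{
    char buf[USERNAME_BUF];
    return store_username_checked(buf, hostile_name()) == 0 && buf[0] == '\0';
}

int main(void)
{
    printf("short name accepted: %d\n", demo_short_name_accepted());
    printf("long name rejected:  %d\n", demo_long_name_rejected());
    return 0;
}
```

The checked version never relies on the caller having sized the buffer "generously"; it enforces the policy limit that the programmer actually believes in, which is the check the entry says is usually forgotten.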
Key point: Sometimes systems can be exploited through the cache. Examples are:
Key point: Certificates can be revoked. This means that a company who believes that their site has been compromised can put up a server on the Internet that tells everyone else that the certificate is no longer valid.
Key point: The Verisign embedded certificates in older browsers (IE 3.0, Netscape 4.0) have expiration dates of January 1, 2000. This means that anybody using older browsers will get nasty warnings when they visit ecommerce sites or attempt to verify files with authenticode.
Key point: The way it is supposed to work is this: if you have a certificate that claims to be "Microsoft" signed by "Verisign" (a popular CA), then you trust that Verisign has done a reasonable job both of ensuring that Microsoft is who they say they are, and that Microsoft has done a reasonably good job of protecting their private keys from theft.
Contrast: Microsoft could create a "self-signed" certificate, but then anybody else could create a self-signed certificate claiming to be Microsoft. Therefore, you trust a CA-signed certificate more than a self-signed certificate, as long as you trust the CA.
Key point: How do you trust a CA? The answer is marketing. First, a company like Verisign has spent millions of dollars creating a reputable company that would be destroyed if a flaw was found in their process (i.e. thieves were able to steal their private keys). Second, Verisign (and a few other CAs) have managed to embed their public keys within Internet Explorer and Netscape Navigator. This means that any website using SSL must obtain a certificate signed by one of these built-in CAs, or else users get confusing warning messages.
Humor: Microsoft uses certificates signed by Verisign, because it is trusted by many people. The reason so many people trust Verisign these days is because its root keys are included with Microsoft's browsers.
Key point: One of the chief RISKS is the theft of the private key used to sign things. If a hacker/thief is able to steal it, then they can masquerade as someone
Key point: Several important CA certificates (i.e. Verisign) expired on Dec. 31, 1999. Since it is feasible to eventually compromise a certificate, they usually expire at some date. The certificates for trusting root CAs that are built into many browsers (Internet Explorer 4.0 and earlier, Netscape Navigator 4.06 and earlier) were created in 1995, and were made for a 5-year lifespan. One of the creators of these certificates now says he wishes he'd put the expiration date a little off, such as on Dec. 15, in order to avoid the Y2K madness.
Key point: The word "CGI" stands for "Common Gateway Interface", which generally confuses people more than it helps them.
Key point: In most cases the user is prompted for the password, which the client then stores in memory. In the use of smart cards, however, the system may give the user the challenge string, which the user then types into the smart card. The smart card then produces a response, which the user must type back into the system. In this way, the user validates that they have the smart card.
Key point: Challenge-response systems are thought to be more secure because the challenge/response is different every time. This guards against replay attacks as well as making cracking more difficult.
Key point: Favorite because it provides real-time anonymous communication.
Key point: Checksums are not secure against intentional changes by hackers. For that, you need a cryptographic hash.
Key point: A block cipher is one that encrypts a block of data at a time. For example, DES uses a block size of 64 bits. Each input block must correspond to exactly one output block (like a code-book). A block cipher suffers from the fact that the same data repeated in a message would be encoded in the same way. Consider an 8-bit block size encrypting English text; you could then figure out all the letter 'e's in the cipher text because 'e' is the most common letter used. Therefore, block ciphers are often used in a chaining mode so that the same pattern will indeed be encrypted differently.
Contrast: clear-text, plaintext.
Misconception: The word "text" comes from traditional cryptography that meant the text of messages, though these days "text" can refer to binary computer data as well.
Key point: In block-ciphers, the key represents a code-book. In other words, you could use the key to generate a huge book of matching pairs whereby each plaintext block would match to exactly one ciphertext block. Then, you could encrypt messages by looking them up in this table.
Key point: The term ECB or Electronic Code-Book refers to this mode of using a block cipher. However, since it leaks information, many people prefer to chain blocks of ciphertext and plaintext together in order to make sure that the same pattern will be encrypted differently when it appears multiple times in a message.
Key point: Since encrypted data is essentially random data, you cannot compress it. This defeats networking standards designed to automatically compress traffic (such as modems) when the traffic is encrypted. Therefore, data must be compressed before it is encrypted. For this reason, compression is becoming an automatic feature of most encryption products. The most often used compression standard is gzip and its compression library zlib.
Key point: Cookies are not a security hole in themselves. However, they can be combined in interesting ways with other browser features in order to create big security and privacy holes.
Example: The biggest privacy hole is when cookies are combined with the HTTP Referer field. If many sites embed images (like advertisements) from a single site, that single site can use cookies in order to track a user going among those sites. The cookie does not identify who the user is, but can track what the user does. Other information, like web-site logons, can then be combined with this information in order to track who the person is.
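The code-book and chaining entries above, shown in C with a deliberately tiny 8-bit block "cipher" so the effect is visible by eye. This is an added example, not code from the lexicon: the code-book is a toy keyed permutation S(x) = 5x + key mod 256 (not a real cipher), the key, IV and sample sentence are constructed, and the chaining mode is CBC.

```c
/* Added example (not from the lexicon): an 8-bit block "cipher" used as a
 * code-book (ECB) and then chained (CBC), to show why ECB leaks the
 * positions of every 'e' while chaining does not. The permutation, key,
 * IV and sample text are all constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCKS 256          /* an 8-bit block has 256 possible values */

/* Build the key-dependent code-book: a bijection on 8-bit blocks and its
 * inverse. S(x) = 5*x + key (mod 256) is a toy; any odd multiplier gives a
 * permutation, which is all a code-book needs. */
void build_codebook(uint8_t key, uint8_t sbox[BLOCKS], uint8_t inv[BLOCKS])
{
    for (int x = 0; x < BLOCKS; x++) {
        sbox[x] = (uint8_t)(5 * x + key);
        inv[sbox[x]] = (uint8_t)x;
    }
}

/* ECB: every block is looked up independently, so equal plaintext blocks
 * always give equal ciphertext blocks. */
void ecb_encrypt(const uint8_t sbox[BLOCKS], const uint8_t *pt, uint8_t *ct, size_t n)
{
    for (size_t i = 0; i < n; i++)
        ct[i] = sbox[pt[i]];
}

/* CBC: each plaintext block is XORed with the previous ciphertext block
 * (or the IV) before the look-up, so repeats no longer line up. */
void cbc_encrypt(const uint8_t sbox[BLOCKS], uint8_t iv, const uint8_t *pt, uint8_t *ct, size_t n)
{
    uint8_t prev = iv;
    for (size_t i = 0; i < n; i++) {
        ct[i] = sbox[pt[i] ^ prev];
        prev = ct[i];
    }
}

void cbc_decrypt(const uint8_t inv[BLOCKS], uint8_t iv, const uint8_t *ct, uint8_t *pt, size_t n)
{
    uint8_t prev = iv;
    for (size_t i = 0; i < n; i++) {
        pt[i] = inv[ct[i]] ^ prev;
        prev = ct[i];
    }
}

/* Count the distinct ciphertext bytes found at positions where the
 * plaintext holds 'target'. 1 means the pattern leaks completely. */
size_t distinct_ct_for(const uint8_t *pt, const uint8_t *ct, size_t n, uint8_t target)
{
    int seen[BLOCKS] = {0};
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (pt[i] == target && !seen[ct[i]]) { seen[ct[i]] = 1; count++; }
    return count;
}

static const uint8_t SAMPLE[] = "eels see the sea";   /* constructed plaintext */
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)
#define TOY_KEY 0x23
#define TOY_IV  0x00

size_t ecb_distinct_for_e(void)
{
    uint8_t sbox[BLOCKS], inv[BLOCKS], ct[SAMPLE_LEN];
    build_codebook(TOY_KEY, sbox, inv);
    ecb_encrypt(sbox, SAMPLE, ct, SAMPLE_LEN);
    return distinct_ct_for(SAMPLE, ct, SAMPLE_LEN, 'e');
}

size_t cbc_distinct_for_e(void)
{
    uint8_t sbox[BLOCKS], inv[BLOCKS], ct[SAMPLE_LEN];
    build_codebook(TOY_KEY, sbox, inv);
    cbc_encrypt(sbox, TOY_IV, SAMPLE, ct, SAMPLE_LEN);
    return distinct_ct_for(SAMPLE, ct, SAMPLE_LEN, 'e');
}

/* Chaining must still be reversible: decrypt(encrypt(x)) == x. */
int cbc_roundtrip_ok(void)
{
    uint8_t sbox[BLOCKS], inv[BLOCKS], ct[SAMPLE_LEN], back[SAMPLE_LEN];
    build_codebook(TOY_KEY, sbox, inv);
    cbc_encrypt(sbox, TOY_IV, SAMPLE, ct, SAMPLE_LEN);
    cbc_decrypt(inv, TOY_IV, ct, back, SAMPLE_LEN);
    return memcmp(back, SAMPLE, SAMPLE_LEN) == 0;
}

int main(void)
{
    printf("distinct ciphertext bytes for 'e' under ECB: %zu\n", ecb_distinct_for_e());
    printf("distinct ciphertext bytes for 'e' under CBC: %zu\n", cbc_distinct_for_e());
    printf("CBC round trip ok: %d\n", cbc_roundtrip_ok());
    return 0;
}
```

Under ECB every 'e' becomes the same byte, so frequency analysis on the ciphertext works exactly as the entry describes; under CBC the same letter yields different bytes because each block is mixed with the ciphertext before it. The 8-bit block is what makes the leak obvious; a real 64-bit block leaks the same way whenever whole blocks repeat.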
Example: JavaScript has a long history of problems with cookies such that one website can retrieve the cookie information for another website. Since cookie information often contains username/password information, this can compromise the site.
Key point: Turning off cookies is not practical. The best you can hope for is "cookie management" -- choose which sites you want to allow cookies for but deny them to all the rest.
Key point: One rootkit uses ICMP as a covert channel. It creates a virtual TCP-like circuit inside of ping packets.
Key point: Covert channels can become extremely covert. In theory, one can create a covert channel where only the IP identification field (16-bits) carries the data.
Key point: URLs and DNS queries pass through virtually everything (including proxies). Therefore, it is easy to export information from inside a company to the outside using this technique.
History: When the UNIX operating system was first developed, passwords were stored in the file /etc/passwd. This file was made readable by everyone, but the passwords were encrypted so that a user could not figure out what another person's password was. The passwords were encrypted in such a manner that you could test a password to see if it was valid, but you really couldn't decrypt the entry. (Note: not even administrators are able to figure out users' passwords; they can change them, but not decrypt them). However, a program called "crack" was developed that would simply test all the words in the dictionary against the passwords in /etc/passwd. This would find all user accounts whose passwords were chosen from the dictionary. Typical dictionaries also included people's names since a common practice is to choose a spouse's or child's name.
Contrast: A "crack" program is one that takes existing encrypted passwords and attempts to find some that are "weak" and easily discovered. However, it is not a "password guessing" program that tries to login with many passwords; that is known as a grind.
Key point: The sources of encrypted passwords typically include the following:
Key point: The "crack" program is a useful tool for system administrators. By running the program on their own systems, they can quickly find users who have chosen weak passwords. In other words, it is a policy enforcement tool.
Tools: on UNIX, the most commonly used program is called simply "crack". On Windows, a popular program is called "l0phtCrack" from http://www.l0pht.com.
Controversy: See the word hacker for a disagreement about the way that "cracker" is used in the computer enthusiast community vs. the security community.
Culture: Cracking programs is its own little underground 'scene' independent of other hacking activities. Groups and individuals often compete to be the first to break a new copy protection scheme in popular programs. There are many sites that catalogue cracked programs.
Key point: The different kinds of cryptanalysis are:
History: So far, there are four major eras in cryptography.
The best example is the "checksum" vs. "hash".
A checksum verifies that data hasn't been corrupted unintentionally. For example, all IP packets are checksummed in case they are corrupted accidentally between sender and receiver.
A cryptographic hash verifies that data hasn't been corrupted intentionally. Hackers can (and do) alter IP packets between the sender and receiver in order to carry out an attack, since IP's checksum is not cryptographically secure against hackers.
There are two features that are required in order to be cryptographic. The first is that the algorithm be secure against attack. A checksum uses simple addition, while hashes use a complex set of mathematical operations. The second is that the key must be of a sufficient size in order to prevent brute force attacks. The IP checksum is only two bytes long, so that even if the algorithm were secure, it would require only 65536 tries for the hacker to get it right, which can be done in real time.
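The checksum-versus-hash point above, made concrete in C with the actual IP checksum (the RFC 1071 ones'-complement sum). This is an added example, not code from the lexicon; the 8-byte header fragment is constructed. It shows the checksum catching an accidental bit flip and then failing to notice a deliberate rearrangement of the same bytes, which is exactly the "secure against attack" property it lacks and a cryptographic hash has.

```c
/* Added example (not from the lexicon): the IP-style Internet checksum
 * (RFC 1071 ones'-complement sum) over a constructed 8-byte header
 * fragment, showing what it catches and what it does not. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 1071 Internet checksum over 'len' bytes. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)                          /* odd trailing byte is padded with zero */
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)                     /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample: the first 8 bytes of an IPv4 header (version/IHL,
 * TOS, total length, identification, flags/fragment offset). */
static const uint8_t SAMPLE[8] = { 0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x40, 0x00 };

uint16_t sample_checksum(void)
{
    return inet_checksum(SAMPLE, sizeof SAMPLE);
}

/* Accidental corruption: flipping one bit changes the checksum.
 * Returns 1 if the corruption is caught. */
int detects_bit_flip(void)
{
    uint8_t copy[8];
    memcpy(copy, SAMPLE, 8);
    copy[5] ^= 0x01;
    return inet_checksum(copy, 8) != sample_checksum();
}

/* Deliberate change: ones'-complement addition is commutative, so swapping
 * two 16-bit words changes the data but leaves the checksum identical.
 * Returns 1 if the check is fooled, i.e. the altered packet still verifies. */
int misses_word_swap(void)
{
    uint8_t copy[8];
    memcpy(copy, SAMPLE, 8);
    copy[0] = SAMPLE[2]; copy[1] = SAMPLE[3];
    copy[2] = SAMPLE[0]; copy[3] = SAMPLE[1];
    return memcmp(copy, SAMPLE, 8) != 0 && inet_checksum(copy, 8) == sample_checksum();
}

int main(void)
{
    printf("checksum of sample:        0x%04x\n", (unsigned)sample_checksum());
    printf("bit flip detected:         %d\n", detects_bit_flip());
    printf("word swap passes check:    %d\n", misses_word_swap());
    printf("possible checksum values:  %u (one in 65536 guesses)\n", 1u << 16);
    return 0;
}
```

The second function is the whole argument in one line: a checksum is designed so that random noise is unlikely to preserve it, not so that someone who knows the algorithm cannot preserve it on purpose. A cryptographic hash (and, for packets, a keyed MAC) is built so that finding any second input with the same value is infeasible.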
Key point: There are sites, like http://www.attrition.org that catalogue defaced sites and mirror the defaced web-pages.
Key point: Defacing web-pages is an important part of hacker attitude.
Key point: Elite hackers rarely deface web-pages, they instead break in and control the server for other nefarious purposes that yield more profit.
Key point: Web servers are easy to deface because the average OS and web server contains vulnerabilities (defaults and samples) upon installation. It takes extensive effort to harden a server.
Key point: Security irritates customers who prefer products that are easy to use. Therefore, most vendors make the same trade off. They ship their systems with the best "out-of-box" experience, and as a result most boxes are easily hacked in their default state. The more a vendor touts its ease-of-use, the more likely hackers will find that vendor's products easy to hack.
See also: samples
Example: The Ping of Death exploit crashed most machines vintage 1995 by sending illegally fragmented packets at a victim.
Culture: A common word for DoS is "nuke", which was first popularized by the WinNuke program (a simple ping-of-death exploit script). These days, "nukes" are those DoS exploits that script kiddies in chat rooms use against each other.
Key point: It takes only a couple minutes to run through hundreds of thousands of words in a dictionary in order to crack a password. Therefore, never choose a word that might be in a dictionary.
Example: Many programs contain built-in HTTP servers. This allows the program to be remotely managed from any web browser. These servers expect that only the files in their own directory and below will be read. However, hackers can still provide URLs that go up directories, and down into other directories in order to read any file from the system. For example, a hacker might be able to read the UNIX password file by typing in the URL: http://www.robertgraham.com/../../../etc/passwd.
Key point: This bug occurs because programmers frequently forget to double-check input.
Example: This bug is common. The original version of Win95 had this bug, so that if you had access to File and Print Sharing to any subdirectory, you also had access to the entire system. A huge number of HTTP servers and CGI scripts have this bug. Many FTP servers have had this bug.
Key point: Win9x has the quirk that three dots "..." means "two directories up", four dots "...." means "three directories up", and so on. Additionally, whereas on many UNIX systems going up past the top directory automatically generates an error, going above the top directory on Windows leaves you in the top directory. Therefore, filenames like "............/Windows/greg.pwl" are frequently seen: the hacker puts more than enough dots in the path in order to guarantee they reach the root directory.
Key point: Many popular Windows "personal web servers", including several versions shipped from Microsoft, have had either the "../.." or "....." vulnerability. In particular, since the "....." issue is not widely known, it is very common among those products that fix the first variant. FrontPage98 from Microsoft shipped with this bug.
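A server-side check for the directory-traversal entries above, in C, that handles both the UNIX "../.." form and the Win9x "..." / "...." form. This is an added example, not code from the lexicon or any product; the function name and the sample request paths are constructed for illustration.

```c
/* Added example (not from the lexicon): a check that a requested path
 * cannot climb above the document root, covering both the UNIX "../.."
 * form and the Win9x "..." / "...." form described in the entry. The
 * function name and sample paths are made up for this illustration. */
#include <stddef.h>
#include <stdio.h>

static int is_separator(char c) { return c == '/' || c == '\\'; }

/* True if the segment is nothing but dots ("." / ".." / "..." ...). */
static int all_dots(const char *seg, size_t len)
{
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (seg[i] != '.') return 0;
    return 1;
}

/* Walk the path segment by segment, tracking how deep below the root we
 * are. Returns 1 if the path never climbs above the root, 0 if it does.
 * A run of N dots (N >= 2) is treated as going up N-1 levels, which is
 * what Win9x does; on UNIX that is stricter than necessary, but a file
 * named "..." is not something a web server should be serving anyway. */
int path_stays_under_root(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        while (is_separator(*p)) p++;            /* skip one or more separators */
        const char *start = p;
        while (*p && !is_separator(*p)) p++;     /* find the end of this segment */
        size_t len = (size_t)(p - start);
        if (len == 0) break;                     /* trailing separator */
        if (all_dots(start, len)) {
            if (len >= 2) {
                depth -= (int)len - 1;           /* "..": -1, "...": -2, ... */
                if (depth < 0) return 0;         /* tried to leave the root */
            }
            /* a lone "." stays at the same depth */
        } else {
            depth++;                             /* ordinary directory or file name */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample requests, including the two forms from the entry. */
    const char *samples[] = {
        "/index.html",
        "/docs/../index.html",
        "/../../../etc/passwd",
        "............/Windows/greg.pwl",
        "..\\..\\x.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               path_stays_under_root(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

Run this after any percent-decoding of the URL and before the path is joined to the document root; a check applied to the still-encoded string misses the same traversal spelled with escapes. It is deliberately a whitelist on depth rather than a search for the literal string "..", which is the mistake the entry says the "....." products made.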
History: DNS is relatively new. When the Internet was small, every machine simply had a list of all other machines on the Internet (stored in /etc/hosts). Generally, people just had the IP addresses of machines memorized in much the same way that people memorize phone numbers today.
Key point: DNS is not needed for communication. If a DNS server goes down, newbies will think that the entire network is down. Hackers frequently deal with raw IP addresses, and indeed often bypass DNS entirely as it may give off signs of an attack.
Key point: DNS is a "directory service".
Key point: The DNS hierarchy starts from the "top level domains" of .com, .net, .org, .edu, .gov, .mil, and the two-letter country codes (e.g. .us for United States, .jp for Japan).
Misconception: Both IP addresses and domain names use dots: "www.robertgraham.com" vs. "192.0.2.133". This has no significance; the usage of these dots is basically unrelated. Trying to match things up one-to-one is wrong (i.e. ".com" == "192.").
Misconception: Names and addresses are completely independent. Many people think that *.robertgraham.com might map to all the addresses under 192.0.2.*.
Analogy: What is your phone number? If I asked you this, you might give me both your home number and your cell phone number. I can reach you at either one. In much the same way, a domain name like www.yahoo.com can have multiple IP addresses. Every time you visit that site, you might go to a separate IP address. You can test this out yourself. Go to the command-line and type "ping www.yahoo.com". Notice how it comes back with an IP address that it pings. After that runs, try it again. Notice how the second time it is pinging a different IP address.
Key point: Dumpster diving is generally legal, as long as you are not trespassing.
Culture: Wasn't really part of the hacker vernacular until the 1995 movie Hackers.
Culture: This word finds itself mangled in many variations: leet, 1337, 31337, etc.
Statistics: Ira Winkler, former analyst at the NSA and now a writer, estimates that, as of 1999, there are roughly 500 to 1000 "elite" hackers capable of finding new security holes, and roughly 5000 hackers capable of creating exploit scripts. (He further estimates about 100,000 script kiddies).
Key point: Encryption has massive philosophical implications. Widespread use of encryption means that people can hide their data from governments (especially repressive ones) and law enforcement (especially when you are committing a crime).
Contrast: Asymmetric encryption uses different keys for encryption and decryption. Since the most useful form of this is one in which you keep one key private and make the other public, it is better known as public key encryption. In contrast, symmetric encryption uses the same key for both encryption and decryption.
Example: Some algorithms popular in cryptography are: DES, RC4
Example: Some popular applications that use encryption are: PGP
Analogy: For example, one company provides software that another company sells embedded in their hardware. The second company (the OEM) is scared that the first company might go out of business, so it requests that the first company put the source code for the software in escrow. Should the first company go out of business, the second company would still be able to sell their product.
Key point: Law enforcement is constantly pushing for key escrow, where a third party holds back-door keys to all encryption products. Law enforcement would then be able to obtain these keys with a court order in order to decrypt messages or eavesdrop on communications. They first propose a variant of the two-person rule in order to prevent abuse of the system. Note that the general problem is called key recovery (in which law enforcement can recover the key using some means); key escrow is just one way of doing key recovery.
Key point: The need to exchange keys is the reason encryption protocols are not secure. There is an absolutely secure encryption method called a one-time pad. However, in practice, you cannot exchange vast quantities of one-time pads.
Key point: PKI essentially solves the key exchange problem.
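An added example, not from the dictionary, of the one-time pad mentioned above: encryption is a byte-wise XOR with a random pad as long as the message. The block also shows the two properties that make the entry's point. First, any ciphertext can be "decrypted" to any message of the same length by picking the right pad, so the ciphertext alone tells an eavesdropper nothing (this is what "absolutely secure" means). Second, using a pad twice cancels it out and leaks the XOR of the two messages, which is why a pad cannot be stretched and the key-exchange problem cannot be avoided.

```python
import secrets


def new_pad(length: int) -> bytes:
    """A fresh pad of random bytes from the OS CSPRNG. It must be as long as
    the message and must never be used twice."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each message byte with the corresponding pad byte."""
    if len(key) < len(plaintext):
        raise ValueError("pad is shorter than the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR undoes itself, so the same function decrypts.
otp_decrypt = otp_encrypt


def pad_that_yields(ciphertext: bytes, wanted: bytes) -> bytes:
    """For a given ciphertext, every plaintext of the same length is reachable
    with some pad. An eavesdropper holding only the ciphertext therefore
    cannot prefer one candidate message over another."""
    if len(wanted) != len(ciphertext):
        raise ValueError("candidate must have the ciphertext's length")
    return bytes(c ^ w for c, w in zip(ciphertext, wanted))


def pad_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """What goes wrong when one pad covers two messages: XORing the two
    ciphertexts cancels the pad and leaves plaintext1 XOR plaintext2."""
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


if __name__ == "__main__":
    message = b"attack at dawn"          # constructed sample message
    pad = new_pad(len(message))
    ciphertext = otp_encrypt(message, pad)
    print("ciphertext:", ciphertext.hex())
    print("decrypts to:", otp_decrypt(ciphertext, pad))
    other = pad_that_yields(ciphertext, b"attack at dusk")
    print("with a different pad:", otp_decrypt(ciphertext, other))
```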
Example: ActiveX, Java, JavaScript, .exe files, programs.
Culture: Exploits, or "exploitz", are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not.
Controversy: There is no good definition for this word. There is much debate over exactly what is, and is not, an exploit.
Key point: Since people make the same mistakes over and over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory traversal, defaults, samples, Denial of Service
Key point: The problem is that TCP/IP knows no boundaries. When a user tells the system to share files with the rest of the family, the user is not quite aware that this means the files are shared with the rest of the Internet. This means that anybody, anywhere on the Internet can at any time connect to the machine and read/write files. To see if somebody has accidentally shared their hard-disk, right-click on "Network Neighborhood" in Windows, select "Find Computer...", then type in that user's IP address.
Key point: File and Print Sharing uses the SMB protocol over NetBIOS on TCP port 139.
Example: The following shows the output of the command "finger rob@rh5.robertgraham.com":
Login: rob                              Name: Robert David Graham
Directory: /home/rob                    Shell: /bin/bash
On since Fri Dec  3 18:13 (PST) on ttyp0 from gemini
No mail.
No Plan.
Key point: The finger command reveals extensive information. For example, if I were attacking the above machine, I would notice that the user is running bash. Therefore, I might try something like http://rh5.robertgraham.com/~rob/.bash_history against the user, which in about 1% of the cases will give me a history file of recent commands they've entered, which might contain passwords and such.
A firewall acts as a "choke point". Corporations set up firewalls between their internal networks and the Internet. All traffic between the corporation and the Internet flows through the firewall. It acts as a "gate" with virtual guards that examine the traffic and decide whether to allow it or block it.
Misconception: Many people believe that a firewall makes your network immune to hacker penetration. Firewalls have no ability to decide for themselves whether traffic is hostile or benign. Instead, the administrator must program the firewall with rules as to what type of traffic to allow or deny. This is similar to a guard checking badges at a gate: the guard can only detect if the badge is allowed/denied, but cannot detect impersonations or somebody climbing the fence in the back.
Key point: Firewalls are based on the principle of blocking everything by default and only allowing those things that are absolutely necessary.
Key point: Firewall administrators are frequently at odds with their management. Executives are frequently frustrated by things that don't work in the network. They don't understand how difficult it is to secure each new application, or the increased risks involved.
Controversy: A lot of time is wasted on trying to come up with the exact definition of the word "firewall", usually by marketing flaks or nerds with attitude. The term isn't well defined. In my definition above, I chose the language explicitly to highlight the fact that firewalls do not have the ability to determine "right from wrong" (like an intrusion detection system), but instead simply close off most Internet access in the hope that this closes unknown holes in the network.
Misunderstanding: A common question posed is "what is the best firewall?". This question comes from the belief that a firewall is a magical device that you plug into your network in order to stop hackers. Instead, a firewall is a device that isolates your network from the rest of the Internet.
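An added illustration, not from the dictionary, of the "block everything by default" principle as a rule table. Rules are evaluated top to bottom and the first match wins; when nothing matches, the packet is denied. Both rulesets are constructed. The second one is written the other way round (a blacklist of known-bad ports followed by a catch-all allow), and the helper at the end shows why that style leaves unknown holes open.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in" (from the Internet) or "out"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None matches every port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dst_port: Optional[int] = None


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are consulted top to bottom; the first one that fits wins."""
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule
    return None


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Default deny: traffic that no rule explicitly allows is dropped."""
    rule = first_match(rules, pkt)
    return rule.action if rule else "deny"


# Constructed ruleset in the "block everything, allow only the necessary" style.
DEFAULT_DENY = [
    Rule("allow", "in", "tcp", 25, "mail relay"),
    Rule("allow", "in", "tcp", 80, "public web server"),
    Rule("allow", "out", "any", None, "internal hosts may initiate"),
]

# Constructed ruleset in the opposite style: deny a few known-bad ports,
# then let everything else in.
DEFAULT_ALLOW = [
    Rule("deny", "in", "tcp", 139, "NetBIOS file sharing"),
    Rule("allow", "in", "any", None, "everything else"),
    Rule("allow", "out", "any", None),
]


def exposed_ports(rules: List[Rule], ports: range) -> List[int]:
    """Inbound TCP ports in the range that a ruleset lets through; a quick
    audit of whether the firewall really closes the unknown holes."""
    return [p for p in ports if decide(rules, Packet("in", "tcp", p)) == "allow"]


if __name__ == "__main__":
    print("default-deny exposes:", exposed_ports(DEFAULT_DENY, range(1, 1024)))
    print("default-allow exposes:", len(exposed_ports(DEFAULT_ALLOW, range(1, 1024))), "ports")
```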
Example: Ethernet supports a maximum packet size of 1500 bytes. Therefore, in order to send an IP packet of 2000 bytes, the system must first fragment the packet into two pieces before transmission. The other end will then reassemble them back into a single packet.
Contrast: The general concept of fragmentation applies to all layers of the protocol stack. For example, ATM has a maximum frame size of 48 bytes, which is too small and inefficient for any purpose if higher layers had to deal with it. Therefore, the ATM adapter itself handles the fragmentation and presents a "virtual" interface that allows a full 64-kilobyte packet to be sent without IP level fragmentation. Conversely, when reading files from a file server, even a 64-kilobyte packet size is too small, so the file server layer automatically requests smaller parts of the file. In some cases, applications will attempt to calculate the MTU (Maximum Transmission Unit) of the connection in order to optimize operations to avoid any IP fragmentation.
Key point: IP fragmentation is slow, and is better handled either below the IP layer (like ATM) or above it (like in the application layer).
Key point: Fragmentation and reassembly is difficult to program right. Therefore, there are numerous ways to hack this feature. Some attacks are:
Key point: Most network-based intrusion detection systems do not reassemble packets. Therefore, a hacker can use something like fragrouter in order to evade the IDS.
Key point: Fragmentation is almost never needed. Most communication runs over TCP, which does its own "segmentation" which is more efficient. Therefore, if you see any fragmentation on your network, you should examine it closely to see if it indicates an attack.
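An added example, not from the dictionary, that works through the 2000-byte packet over a 1500-byte Ethernet MTU: each fragment carries its own IP header, the Fragment Offset field counts 8-byte units, and every fragment but the last must carry a multiple of 8 data bytes, so the first fragment carries 1480 bytes and the second 500 at offset 185. The reassembler below does the receiving side and also counts overlapping fragments, since a correct sender never produces them and, as the entries above say, fragments on a network deserve a close look.

```python
from typing import List, Tuple

IP_HEADER_LEN = 20      # header without options

# (fragment offset in 8-byte units, data bytes in the fragment, more-fragments flag)
Fragment = Tuple[int, int, bool]


def fragment(total_length: int, mtu: int, header_len: int = IP_HEADER_LEN) -> List[Fragment]:
    """Split an IP packet of total_length bytes into fragments that fit the MTU."""
    data_len = total_length - header_len
    per_fragment = (mtu - header_len) // 8 * 8      # round down to 8-byte units
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any data")
    fragments: List[Fragment] = []
    pos = 0
    while pos < data_len:
        chunk = min(per_fragment, data_len - pos)
        more = pos + chunk < data_len
        fragments.append((pos // 8, chunk, more))
        pos += chunk
    return fragments


class Reassembler:
    """Tracks the byte ranges of one datagram's fragments as they arrive."""

    def __init__(self) -> None:
        self.pieces: List[Tuple[int, int]] = []   # [start, end) byte ranges
        self.total = -1                           # known once the last fragment arrives
        self.overlaps = 0                         # a non-zero count is a red flag

    def add(self, offset_units: int, data_len: int, more: bool) -> None:
        start, end = offset_units * 8, offset_units * 8 + data_len
        if any(start < e and s < end for s, e in self.pieces):
            self.overlaps += 1
        self.pieces.append((start, end))
        if not more:
            self.total = end

    def complete(self) -> bool:
        """True when the fragments seen so far cover every byte up to the end."""
        if self.total < 0:
            return False
        covered = 0
        for start, end in sorted(self.pieces):
            if start > covered:         # a hole: some fragment is still missing
                return False
            covered = max(covered, end)
        return covered >= self.total


if __name__ == "__main__":
    for offset, size, more in fragment(2000, 1500):
        print(f"offset={offset:4} ({offset * 8:5} bytes) data={size:4} MF={int(more)}")
```

The fragmenter is general: it handles any total length and MTU, not only the 2000/1500 case the entry uses, and the reassembler reports a datagram as incomplete for as long as a hole remains, which is the state a reassembly-capable IDS has to keep per datagram.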
Key point: FTP uses an outgoing control connection that only sends commands to the server and receives returned status information. All data is transferred on separate connections (one connection for each file or directory transferred).
Key point: The control connection is text based, so you can use Telnet or netcat as your client (if you understand the protocol).
Key point: Before the web (and graphical browsers) people used command-line versions of FTP. These are still preferred by hackers, because GUIs are often too "noisy" (generating unnecessary commands). Such command-line clients are still included in virtually all UNIX or Windows systems.
Key point: These separate connections are created by sending a PORT command across the control connection. This command accepts both an IP address and a port number that tell the other side where to connect. Example: PORT 192,2,0,201,10,1 is the string sent across the control connection to tell the server that the client has opened a port on the machine with the IP address 192.2.0.201 with port 2561. The server will then open up a TCP connection as instructed. This command is sent invisibly when the client requests a directory listing or file; all the client sees of this happening is a status message to the effect 200 PORT command successful. which is sent back across the control connection. A neat hack is to specify somebody else's IP address in this command. This hack is called a bounce attack, and can be used to port scan computers or subvert trust relationships.
Key point: An outgoing connection is used for control, but the data is sent on an incoming connection. Firewalls block incoming connections. Therefore, a user will see that they can connect to the FTP server, but directory listings and file transfers don't work.
Key point: In order to solve the incoming connection problem, FTP supports a mode called PASV that forces all connections to be outgoing. Web-browsers like IE and Netscape use PASV mode by default. Command-line FTP clients typically don't support PASV; but people try "quote PASV" commands anyway.
Key point: Lots of FTP servers have buffer overflow exploits in them.
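An added example, not from the dictionary or any FTP implementation, that decodes the PORT argument (four address octets, then the port as high byte times 256 plus low byte, so 10,1 is 2561) and applies the server-side policy that defeats the bounce attack: the server only connects back to the host that owns the control connection, and never to a privileged port. The reply strings are constructed in the style of the entry's "200 PORT command successful." message.

```python
import re
from typing import Tuple

# "PORT h1,h2,h3,h4,p1,p2": four address bytes, then the port as two bytes.
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(line: str) -> Tuple[str, int]:
    """Decode the address and port a PORT command asks the server to connect to."""
    match = _PORT_RE.match(line.strip())
    if not match:
        raise ValueError("malformed PORT command")
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    address = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return address, port


def port_is_acceptable(control_peer: str, line: str) -> Tuple[bool, str]:
    """Server-side check before honouring a PORT command.

    control_peer is the address the control connection actually came from.
    Refusing any other address means the server cannot be pointed at a third
    party, and refusing ports below 1024 keeps it away from system services.
    """
    try:
        address, port = parse_port(line)
    except ValueError as exc:
        return False, f"501 {exc}"
    if address != control_peer:
        return False, "500 PORT address does not match control connection"
    if port < 1024:
        return False, "500 PORT to privileged port refused"
    return True, "200 PORT command successful."


if __name__ == "__main__":
    print(parse_port("PORT 192,2,0,201,10,1"))
    print(port_is_acceptable("192.2.0.201", "PORT 192,2,0,201,10,1"))
    print(port_is_acceptable("192.2.0.201", "PORT 192,0,2,7,10,1"))
```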
Analogy: If someone steals your bank card, they cannot sit in front of the cash machine and guess all possible PINs. After a certain number of unsuccessful tries, the bank machine will "eat" the card.
Key point: Secure systems (UNIX, Windows NT) lock out accounts after a certain number of unsuccessful tries. These lock-outs can either be temporary (and restore themselves automatically), or permanent until an administrator intervenes and unlocks the account.
Key point: Non-secure systems (Win9x and many software applications) do not lock out accounts. For example, if you have Win9x "File and Print Sharing" turned on and protected with a password, a hacker can try continuously and invisibly to gain access to your machine. Nothing is logged, nothing is locked out.
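An added example, not from the dictionary, of the lockout logic the entries above describe: consecutive failures are counted per account, the account locks after a threshold, and the lock is either temporary (expires by itself) or permanent (an administrator resets it). Every failure and every attempt against a locked account is logged, which is the other thing the Win9x share password lacked. Timestamps are passed in explicitly so the behaviour can be exercised without waiting. Account names and addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Optional


class LockoutPolicy:
    """Lock an account after max_failures consecutive bad passwords.

    lock_seconds=None gives the permanent variant (someone must call
    admin_unlock); any other value gives a temporary lock that expires.
    """

    def __init__(self, max_failures: int = 5, lock_seconds: Optional[float] = 900.0):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, Optional[float]] = {}   # None = permanent
        self.log: List[str] = []

    def is_locked(self, account: str, now: float) -> bool:
        if account not in self.locked_until:
            return False
        expiry = self.locked_until[account]
        if expiry is None:
            return True
        if now >= expiry:                       # temporary lock has run out
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float, source: str) -> str:
        """Record one login attempt; returns "ok", "failed" or "locked"."""
        if self.is_locked(account, now):
            self.log.append(f"t={now:.0f} {account} from {source}: attempt on locked account")
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        self.log.append(f"t={now:.0f} {account} from {source}: bad password ({self.failures[account]})")
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = (None if self.lock_seconds is None
                                          else now + self.lock_seconds)
            self.log.append(f"t={now:.0f} {account}: locked out")
            return "locked"
        return "failed"

    def admin_unlock(self, account: str) -> None:
        self.locked_until.pop(account, None)
        self.failures[account] = 0


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, lock_seconds=60)
    for t in range(4):
        print(policy.attempt("rob", False, t, "192.0.2.10"))
    print("\n".join(policy.log))
```

Note the trade-off the two variants carry: a permanent lock means anyone who can reach the login prompt can deny service to an account by guessing wrongly a few times, which is why temporary locks with a logged alert are the more common choice.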
History: The word comes from the book Stranger in a Strange Land by Robert Heinlein. This was a popular counter-culture book in the 1960s, and is a popular Science Fiction book today.
Key point: One of the precepts of Zen philosophy is that the important concepts of life cannot be described by words, and therefore there exists no written description of the path to enlightenment. Grokking means to understand something at a level beyond what mere words can express.
Key point: There are three levels of understanding, which can be illustrated by looking at a car's engine. At the first level, people look at all the parts and say to themselves "This is unnecessarily complicated, I'm sure there is a way we can remove many of these parts and make it simpler". Probably 99% of the population approaches life in this manner. The second level is an engineer who understands how the engine works, and how the various parts work together in the ingenious fashion that they do. This engineer understands that this is the simplest way to produce an engine, and that it has reached this stage after years of being perfected by countless engineers. At the third level is the godlike engineer who understands how to remove one part in order to make the engine even simpler. In this analogy, the engine is the computer. Likewise, the Internet is populated by script-kiddies who are constantly searching for ways to learn about hacking without being bothered by all the unnecessary complexity.
Key point: The failure to grok is often due to failure to understand the correct abstractions. Understanding a thing requires understanding the context in which that thing lives. If one cannot step out of a traditional context in order to regard a thing within the proper context, one cannot grok it. For example, many people have trouble grokking the layering of network protocols because they can only see what the protocols do for them, not what the protocols do in general. Therefore, when they look at protocols, all they see is large amounts of inscrutable, unnecessary complexity.
Consider Arthur C. Clarke's Third Law: "Any sufficiently advanced technology is indistinguishable from magic". Since normal people have no clue as to how computers work, they often view hackers with suspicion and awe (as magicians, sorcerers, witches, and warlocks). This suspicion leads to the word "hacker" having the connotation of someone up to no good.
History: The word "hacker" started out in the 14th century to mean somebody who was inexperienced or unskilled at a particular activity (such as a golf hacker).
In the 1970s, the word "hacker" was used by computer enthusiasts to refer to themselves. This reflected the way enthusiasts approach computers: they eschew formal education and play around with the computer until they can get it to work. (In much the same way, a golf hacker keeps hacking at the golf ball until they get it in the hole).
Furthermore, as "experts" learn about the technology, the more they realize how much they don't know (especially about the implications of technology). When experts refer to themselves as "hackers", they are making a Socratic statement that they truly know nothing. For more information on this connotation, see There is still a large community of enthusiasts who use this word with only that connotation, such as in ESR's "Hacker Dictionary".
Key point: Today if you do a quick search of "hacker" in a search engine, you will still find occasional uses of the word in the senses used in the 1400s and 1970s, but the overwhelming usage in the 1990s describes people who break into computers using their sorcerous ways. Likewise, the vast majority of websites with the word "hack" in their title refer to illegitimate entry into computer systems, with notable exceptions like http://www.hacker.com (which refers to golf).
Controversy: The computer-enthusiast community often refers to any malicious hacker as a "cracker". The security community restricts the use of the word "cracker" to someone who breaks encryption and copy-protection schemes.
Consequently, a journalist who writes about cybercriminals cannot use either word without hate mail from the opposing community claiming they are using the word incorrectly. If a journalist writes about hackers breaking into computers, they will receive hate-mail claiming that not all hackers are malicious, and that the correct word is "cracker". Likewise, if they write about crackers breaking into computers, they will receive hate-mail claiming that crackers only break codes, but it's hackers who break into systems. The best choice probably depends upon the audience; for example one should definitely talk about malicious crackers in a computer-enthusiast magazine like "Linux Today".
Example: The program "tripwire" detects intrusions by calculating a hash of all programs. On a regular basis, it recalculates the hash. If a file has changed, then tripwire will detect a change in the hash. Therefore, one of the first things hackers will do when breaking into a system is to search for such processes running. (Simply looking for the md5 program is a dead giveaway).
Key point: A hash is "one-way" or "non-reversible". This means that a hash cannot be used to recover the original data.
Key point: A typical hash creates a 128-bit value. This means that there must exist multiple messages that generate the same hash. However, while this can happen in theory, we pretend it can't happen in practice. This is less likely to happen than an asteroid colliding with the Earth destroying all life within the next 100 years.
Key point: Another word for "hash" is message digest.
Key point: The MD5 (Message Digest 5) is the most popular hashing algorithm at this point.
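An added example, not from the dictionary or from tripwire itself, of the integrity check the tripwire entry describes: every file under a root is hashed into a baseline, the hashes are recomputed later, and any file whose digest differs (or that appeared or vanished) is reported. The demo builds a tiny constructed file tree in a temporary directory, baselines it, tampers with it, and returns the report. It defaults to SHA-256 rather than the MD5 the entry names because collisions for MD5 have since been demonstrated, so it no longer gives the "cannot happen in practice" guarantee the hash entry relies on; the algorithm is a parameter.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, algorithm: str = "sha256") -> Dict[str, str]:
    """Relative path -> digest for every file under root."""
    digests: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = file_digest(full, algorithm)
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort files into changed, added and removed: the integrity report."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed run: a tiny file tree is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        original = {"bin/ls": b"original ls\n", "bin/ps": b"original ps\n",
                    "etc/motd": b"hello\n"}
        for rel, data in original.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        # The "intrusion": one binary replaced, one file added, one removed.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"modified ps\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new file\n")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8}: {paths}")
```

The baseline has to live somewhere the intruder cannot rewrite (read-only media or another machine); a hash database kept on the compromised host is only as trustworthy as the host, which is why the entry notes that the first thing an intruder looks for is the checker itself.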
Example: The following quote describes a social engineering attack:
The Hitchhiker's Guide to the Galaxy has a few things to say on the subject of towels. A towel, it says, is about the most massively useful thing an interstellar hitchhiker can have. Partly it has great practical value. You can wrap it around you for warmth as you bound across the cold moons of Jaglan Beta; you can lie on it on the brilliant marble-sanded beaches of Santraginus V, inhaling the heady sea vapors; you can sleep under it beneath the stars which shine so redly on the desert world of Kakrafoon; use it to sail a miniraft down the slow heavy River Moth; wet it for use in hand-to-hand combat; wrap it round your head to ward off noxious fumes or avoid the gaze of the Ravenous Bugblatter Beast of Traal (a mind-bogglingly stupid animal, it assumes that if you can't see it, it can't see you-daft as a brush, but very very ravenous); you can wave your towel in emergencies as a distress signal, and of course dry yourself off with it if it still seems to be clean enough.
More importantly, a towel has immense psychological value. For some reason, if a strag (strag: nonhitchhiker) discovers that a hitchhiker has his towel with him, he will automatically assume that he is also in possession of a toothbrush, washcloth, soap, tin of biscuits, flask, compass, map, ball of string, gnat spray, wet-weather gear, space suit, etc., etc. Furthermore, the strag will then happily lend the hitchhiker any of these or a dozen other items that the hitchhiker might accidentally have "lost." What the strag will think is that any man who can hitch the length and breadth of the Galaxy, rough it, slum it, struggle against terrible odds, win through and still know where his towel is, is clearly a man to be reckoned with.
Hence a phrase that has passed into hitchhiking slang, as in "Hey, you sass that hoopy Ford Prefect? There's a frood who really knows where his towel is." (Sass: know, be aware of, meet, have sex with; hoopy: really together guy; frood: really amazingly together guy.)
Key point: The answer to life, the universe, and everything is 42.
Example: ISPs generally reassign the IP addresses of dial-up users very quickly after the previous user hangs up. Take for example where Alice dials up the Internet, telnets to a host, then for some reason hangs up without gracefully closing the connection. Now consider Mark, who dials up later and is assigned the same IP address. Let's say that Mark has created his own TCP/IP stack that automatically hijacks any existing connection. The server then sends some response packet back across the connection to Alice (really Mark). At that point, Mark's stack automatically picks up the connection and continues the protocol. At this point, Mark can do anything he wants on Alice's account.
Example: Similar to above, hackers often hijack connections by first nuking one end of the connection, then spoofing that side's IP address.
Example: Spammers scour the Internet looking for open USENET NNTP servers. If they find a server they can post floods of spam through, this is known as "hijacking" the server.
Misconception: A common misconception is that advertising the system or inviting hackers in causes you to lose all rights to prosecute the hacker. Honeypots do not advertise themselves nor invite hackers. They simply sit on the network waiting to be discovered and hacked. If a hacker doesn't search them out, they won't find them. Similarly, honeypots can contain legal notices in their banners telling hackers to go away.
Culture: The term is an outgrowth of the older abbreviation "h/p" (hack/phreak).
Key point: HTTP is text based, so you can use Telnet or netcat as your client (if you understand the protocol). For example, you can telnet www.example.com 80 to connect to a web-service and enter the command GET / HTTP/1.0<cr><cr> in order to download the home page.
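An added example, not from the dictionary, that does by program exactly what the entry describes doing by hand over telnet: open a TCP connection, write the request line followed by the blank line, and read the text that comes back. Because HTTP/1.0 is requested, the server closes the connection after one response, so the client simply reads to end-of-file and then splits the status line, headers and body. To keep it self-contained, the block starts a constructed one-page web service on a loopback port in place of www.example.com.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict


class _HomePage(BaseHTTPRequestHandler):
    """Constructed stand-in for the web service; serves one small page."""

    def do_GET(self) -> None:
        body = b"<html><body>home page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:    # silence request logging
        pass


def raw_get(host: str, port: int, path: str = "/") -> Dict[str, Any]:
    """Fetch a page by speaking the protocol by hand: the request line, then
    an empty line (<cr><lf><cr><lf>), then read until the server closes."""
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = lines[0].split(" ", 2)      # e.g. "HTTP/1.0 200 OK"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def demo() -> Dict[str, Any]:
    """Start the constructed server on a free loopback port, query it, stop it."""
    server = HTTPServer(("127.0.0.1", 0), _HomePage)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return raw_get("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    response = demo()
    print(response["version"], response["status"], response["reason"])
    print(response["headers"])
    print(response["body"].decode())
```

Against a real server, point raw_get at its name and port 80; the same bytes that telnet would send are what the function writes, so whatever the server returns (including its Server header, which is why such hand-typed requests are used for identifying software) is returned as plain text.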
Misconception: Packet filtering firewalls work by filtering source/destination ports in the TCP and UDP transport protocols. However, as a secondary function, they also filter ICMP type and code numbers. They frequently map these to where UDP and TCP have port fields in both the configuration step and the output logs. These concepts are unrelated, however.
Contrast: A host-based IDS monitors system events, logfiles, and so forth. A network-based IDS monitors network traffic, usually promiscuously.
Key point: At the end of 1999, all freshly installed IIS v4.0 servers were vulnerable to the .htr buffer overflow bug and the RDO exploit. Roughly 90% of IIS servers are not sufficiently hardened against these exploits, and are thus vulnerable to being owned or defaced.
Key point: IMAP is important to hackers because many implementations are vulnerable to buffer overflow exploits. In particular, a popular distribution of Linux shipped with a vulnerable IMAP service that was enabled by default. Therefore, even today, security professionals frequently detect scans directed at port 143 looking for vulnerable IMAP servers.
Key point: The following are useful resources to such a team:
The file /etc/inetd.conf configures this service.
See also: buffer overflow, directory traversal
Key point: All data on the Internet is carried by IP packets.
Key point: IP is an unreliable datagram protocol, meaning that routers may sometimes drop packets during congestion. A protocol like TCP must be added to IP in order to track packets and resend them if necessary.
Key point: The ability to manipulate IP headers by programs is limited, so there are few defenses against such techniques. Many hacks rely upon low-level manipulation of headers.
Key point: The IP header is shown below. Since IP is carried across a link between router-router or host-router, link headers like Ethernet, PPP, etc. may come before this header. Likewise, the payload of the IP packet comes after this header.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
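An added example, not from the dictionary, that decodes the header laid out above from raw bytes: version and IHL share the first byte (0x45 is version 4 with a 5-word, 20-byte header, the "0100" the field table mentions), the flags and fragment offset share one 16-bit word, and the checksum is the one's-complement sum of the header's 16-bit words. The parser verifies the checksum, which is also how a monitor notices a header that was altered after it was built. The builder exists only to construct a sample packet for the demonstration; the addresses are documentation-range values chosen here.

```python
import socket
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl: int                  # header length in bytes
    tos: int
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int      # in 8-byte units
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str
    options: bytes


def header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the
    header's 16-bit words. Fed a header whose checksum field is already
    filled in correctly, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> IPv4Header:
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IP header")
    (ver_ihl, tos, total_length, ident,
     flags_frag, ttl, proto, csum) = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    header = packet[:ihl]
    computed = header_checksum(header[:10] + b"\x00\x00" + header[12:])
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),     # bit 1 of the 3 flag bits
        more_fragments=bool(flags_frag & 0x2000),    # bit 2
        fragment_offset=flags_frag & 0x1FFF,         # remaining 13 bits
        ttl=ttl, protocol=proto, checksum=csum, checksum_ok=(computed == csum),
        src=socket.inet_ntoa(packet[12:16]), dst=socket.inet_ntoa(packet[16:20]),
        options=header[20:],
    )


def build_ipv4(src: str, dst: str, payload_len: int, protocol: int = 6,
               ttl: int = 64, ident: int = 0x1234, dont_fragment: bool = True) -> bytes:
    """Constructed 20-byte header (no options) with a correct checksum."""
    flags_frag = 0x4000 if dont_fragment else 0
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", header_checksum(fields)) + fields[12:]


if __name__ == "__main__":
    sample = build_ipv4("192.0.2.1", "192.0.2.133", 100) + b"\x00" * 100
    print(parse_ipv4(sample))
```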
| Version ^ | This 4-bit field always has a value of "0100" (binary) or "4" decimal. Many plan to replace IPv4 with the much more complex IPv6 in order to solve addressing and security issues. |
|---|---|
| IHL (Initial Header Length) ^ | Indicates the length of the IP header. The length of the header is always "20-bytes" unless options are present. |
| Type of Service (ToS) ^ | Not really used, the ToS field gives hints to the router how the packet should be routed. The typical example is a connection between Los Angeles |