The tools used are complex to develop but extremely simple to use. Developing the tools requires an intimate knowledge of low-level coding, such as assembler, and the inner workings of operating systems and application development. Only a small percentage of the blackhat community has such skills. Developing tools/techniques is not exclusively a blackhat activity; many whitehat or corporate products are abused and used for malicious purposes. However, the tools are often developed or modified so anyone can use them, with little or no knowledge of how they work. The result is a far larger number of individuals having access to extremely powerful tools that are extremely complex to develop but that are simple to use. Most tools are limited to a single purpose with few options, in part because limited functionality is faster and easier to code and to use. Some tools, however, are also starting to increase functionality, so instead of having to run five programs to perform a task, one program can be used.
First come the tools used to build an IP database. These tools are truly random, as they indiscriminantly scan the Internet. For example, many tools have a single option: A, B, or C. The letter selected determines the size of the network to be scanned. These tools then randomly select which IP network to scan. Other tools use a domain name (z0ne is an excellent example of this). The tools build an IP database by conducting zone transfers of the domain name and all subdomains. Blackhats have built databases with more than 2 million IP addresses by scanning the entire .com or .edu domain. Once discovered, these addresses are then scanned by tools to determine vulnerabilities, such as the version of named operating system or services running on the system. These tools often probe for a single service, then determine the version of that service. Once the vulnerable systems have been identified, the blackhat strikes.
Tools have been developed to automate this entire process. The steps of probing, identifying, and attacking systems are all built into a single package. Once launched, these automated tools spend hours doing the work for the blackhat. For example, one of our UNIX honeypots was compromised via the rpc.statd vulnerability. The blackhats then attempted to use the honeypot as a platform to scan and to exploit other systems on the Internet with the same vulnerability. Their weapon of choice was an autorooter, a tool that automated the entire process, sequentially scanning, probing, and exploiting thousands of systems. This tool even automated the process of downloading and installing a rootkit, ensuring ownership of the compromised system. In a four-hour period, we logged the tool attempting to scan more than 500,000 systems. All these attempts were blocked; however, these numbers indicate just how aggressive and truly random these tools can be. Following are the captured keystrokes of one such attempt. Here, we see the automated tool luckgo being called on to sequentially scan and compromise entire class B networks. If left unchecked, such activity can damage thousands of systems. This tool has also been included with the book's CD-ROM for you to analyze.
Feb 18 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR Feb 18 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot Feb 18 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210 Feb 18 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120 Feb 18 18:51:43 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 120 Feb 18 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200 Feb 18 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200 Feb 18 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120 Feb 18 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1 Feb 18 18:56:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 10 Feb 18 19:06:04 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 120 Feb 18 19:07:03 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 1 Feb 18 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1 Feb 18 19:09:41 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 194 1 Feb 18 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1 Feb 18 19:12:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 128
The blackhat community has developed advanced means of distributing these tools and teaching others how to use them. Two extremely common methods are Web sites and IRC channels. Blackhats set up Web sites to distribute these tools, so anyone on the Internet can easily access them. These underground Web sites are often set up on compromised systems. Little do administrators know it, but often their compromised systems are being used to distribute gigabytes of data to the blackhat community. Publicly released tools can also be found on such sites as Bugtraq (http://www.securityfocus.com). To use the tools, often very simple and detailed HOWTOs are published, explaining to even the most novice users how to exploit vulnerable systems. One example is the Named NXT HOWTO distributed by the blackhat community (see Appendix C). These HOWTOs are commonly distributed with the tools themselves. Another means of communication is IRC, or Internet relay chat. IRC gives the blackhat community realtime communication. This is where the more experienced blackhats teach the beginners how to use the tools or the accounts of compromised systems. IRC also allows the transfer of files in realtime. Blackhats can quickly communicate and share the latest vulnerabilities and exploits. Chapter 11 provides examples of how blackhats use IRC to exchange tools and tactics. Another means of communication and distribution are publications. Electronic publications, such as "Phrack" (http://www.phrack.com), detail cutting-edge technologies. Some of these publications are also released in print, such as 2600 (http://www.2600.com) magazine.