Hacking and the Enterprise

In early January, Stephen Northcutt, the head of intrusion detection at the Naval Surface Warfare Center (www.nswc.navy.mil) participated in an Internet broadcast sponsored by the SANS Institute (www.sans.org) to discuss what hackers know about enterprise sites and how IT managers can best protect their sites against unwanted intrusion.

Northcutt opened the discussion by keying upon the need for vigilance, especially in the area of network monitoring.

"Very often, before an attack occurs, there’s a period of time where recon probes occur and the person who’s trying to attack a network will spend time and effort to gather information about the target," Northcutt observes.

According to Northcutt, higher numbers of Internet Control Message Protocol (ICMP) requests or Packet Internet Groper (PING) broadcasts can help tip off IT managers that something may be amiss. These traditional methods of mapping potential or existing enterprise targets are still used today. "The primary thing that we still see coming across the Internet are people using ICMP broadcasts [or] PING in a broadcast mode to see what kind of replies they can get," he explains.

But many hackers have added to their repertoire, and Northcutt highlighted several new probing techniques that can prompt the disclosure of private information about enterprise networks.

Through one new probing technique, hackers send to a site an ICMP broadcast that consists of a sequence, such as Northcutt explains that the zero, "is an archaic broadcast that was used in the Berkeley TCP stack." Many Unix machines and routers are derivatives of the Berkeley code and will still answer to a zero prompt. "This particular broadcast, if done slow enough, will allow the person doing the probe to distinguish between what might be Unix computers or routers and NT computers, because [NT computers] don’t answer to the zero."

Another mapping technique sends a large number of "Reset" packets to a particular site. When some routers receive reset packets addressed to a site or node that doesn’t exist, they reply and indicate that the subnet is unreachable or that the host machine itself is unreachable. This is dangerous, Northcutt says, because hackers can begin to map the contents of enterprise networks, even those ostensibly behind firewalls.

"By sending in an exorbitant number of reset packets, the attacker is able to create a map of all of the places that do not exist on a target network," Northcutt indicates. "All that they have to then do is take the converse of that map to figure out the places that do exist."

According to Northcutt, more hackers are beginning to target NetBIOS on Windows computers. NetBIOS provides communication between Windows-based computers and is situated on ports 135 to 139. In most cases, hackers target User Datagram Protocol (UDP) port 137, which must provide information about a Windows computer when queried. If a UDP request to port 137 on a Windows-based machine makes it through a corporate firewall, Northcutt cautions, that machine must respond to the request.

"I would strongly recommend that if your site can block incoming NetBIOS 135 through 139, TCP and UDP, it would be a really good idea," Northcutt adds.
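The three reconnaissance patterns Northcutt describes above (ICMP echo requests aimed at zero or all-ones broadcast addresses, sweeps of bare TCP "Reset" packets used to map which hosts do not exist, and NetBIOS queries reaching UDP/TCP 135-139 from outside) can all be spotted in border firewall or sensor logs. The following script is an added example written for this page, not code from the SANS broadcast or from Northcutt; the log-line format, the defended address ranges, the sample traffic and the alert thresholds are all constructed assumptions.

```python
"""Flag the recon patterns described in the article over constructed log lines."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of firewall/sensor log lines (not real traffic). The
# line format is an assumption made for this example:
#   <time> <proto> <src> -> <dst>[:<dport>] [type=<icmp type>] [flags=<tcp flags>]
SAMPLE_LOG = """\
00:00:01 ICMP 203.0.113.9 -> 192.0.2.255 type=8
00:00:02 ICMP 203.0.113.9 -> 192.0.2.0 type=8
00:00:03 ICMP 203.0.113.9 -> 198.51.100.0 type=8
00:00:04 ICMP 203.0.113.9 -> 198.51.100.255 type=8
00:00:05 ICMP 198.51.100.7 -> 192.0.2.10 type=8
00:00:06 TCP 203.0.113.44 -> 192.0.2.17:80 flags=R
00:00:06 TCP 203.0.113.44 -> 192.0.2.18:80 flags=R
00:00:06 TCP 203.0.113.44 -> 192.0.2.19:80 flags=R
00:00:06 TCP 203.0.113.44 -> 192.0.2.20:80 flags=R
00:00:07 TCP 203.0.113.44 -> 192.0.2.21:80 flags=R
00:00:07 TCP 203.0.113.44 -> 192.0.2.22:80 flags=R
00:00:07 TCP 203.0.113.44 -> 192.0.2.23:80 flags=R
00:00:07 TCP 203.0.113.44 -> 192.0.2.24:80 flags=R
00:00:08 TCP 198.51.100.7 -> 192.0.2.10:443 flags=RA
00:00:09 UDP 203.0.113.80 -> 192.0.2.33:137
00:00:10 UDP 203.0.113.80 -> 192.0.2.34:137
00:00:11 UDP 198.51.100.7 -> 192.0.2.33:137
00:00:12 TCP 203.0.113.80 -> 192.0.2.33:139 flags=S
"""

# Address space we defend (constructed for the example).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]

# NetBIOS ports named in the article: 135 through 139, TCP and UDP.
NETBIOS_PORTS = range(135, 140)

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>ICMP|TCP|UDP)\s+(?P<src>[0-9.]+)\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?(?:\s+type=(?P<itype>\d+))?"
    r"(?:\s+flags=(?P<flags>[A-Z]+))?\s*$")


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["itype"] = int(rec["itype"]) if rec["itype"] else None
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def is_broadcast_style(addr):
    """Last octet 0 (the old Berkeley zero broadcast) or 255 (all-ones broadcast)."""
    return addr.packed[-1] in (0, 255)


def detect(lines, bcast_threshold=3, rst_threshold=5):
    """Return a list of (alert kind, external source, detail) tuples.

    Thresholds are assumptions for the example: a source that pings at least
    bcast_threshold broadcast-style addresses, or sends bare RSTs to at least
    rst_threshold distinct hosts, is reported; every external packet to a
    NetBIOS port is reported individually because it should never arrive.
    """
    bcast = defaultdict(set)        # src -> broadcast-style addresses pinged
    rst_targets = defaultdict(set)  # src -> distinct hosts sent a bare RST
    netbios = []
    for raw in lines:
        rec = parse(raw)
        if rec is None or is_internal(rec["src"]):
            continue  # ignore unparsable lines and traffic from inside
        if rec["proto"] == "ICMP" and rec["itype"] == 8 and is_broadcast_style(rec["dst"]):
            bcast[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "TCP" and rec["flags"] == "R":
            rst_targets[rec["src"]].add(rec["dst"])
        if rec["proto"] in ("TCP", "UDP") and rec["dport"] in NETBIOS_PORTS:
            netbios.append((rec["src"], rec["proto"], rec["dport"], rec["dst"]))

    alerts = []
    for src, dsts in bcast.items():
        if len(dsts) >= bcast_threshold:
            alerts.append(("icmp-broadcast-sweep", str(src), len(dsts)))
    for src, dsts in rst_targets.items():
        if len(dsts) >= rst_threshold:
            alerts.append(("rst-mapping", str(src), len(dsts)))
    for src, proto, port, dst in netbios:
        alerts.append(("netbios-probe", str(src), f"{proto}/{port} -> {dst}"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {src:16} {detail}")
```

Internal sources are skipped on purpose: NetBIOS name queries between Windows hosts on the inside are normal, and only the ones arriving from outside indicate that the border is not blocking 135-139 as recommended. The RST rule keys on packets carrying the Reset flag alone, since a legitimate connection teardown normally carries RST together with ACK.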

Despite the new attack and probing methodologies, and although hackers remain as enterprising as ever, Northcutt remains optimistic for 1999.

"The good news is, of everything that I’ve seen in 1998 and 1999 so far, there is nothing that really presents a danger to a well-configured, proxy-based firewall site," he contends. "Almost every technique that I’ve seen in use will not pass through that firewall -- now you do have to watch your back doors -- but that’s really good news."


In a SANS Institute event, Stephen Northcutt, head of intrusion detection at the Naval Surface Warfare Center, pointed out two new hacking techniques:

  • The first method is sending an ICMP broadcast to a particular site consisting of a sequence, such as Since many Unix machines and routers still answer to a zero prompt, and Windows NT systems do not, hackers can tell what kind of system they are trying to get into.
  • The second method sends a large number of "Reset" packets to a particular site. When some routers receive reset packets addressed to a site or node that doesn’t exist, they reply that the subnet of the host machine is unreachable. This approach enables hackers to map networks, even those behind firewalls.