Intrusion Detection Provides A Pound Of Prevention

We also check the hosts.equiv file for systemwide trusted hosts, and users' home directories for .rhosts files, which yield individual trusted logins. Often, machines are configured to reciprocate this trust, opening up a whole can of worms. We peruse the wtmp log with the last command to see where legitimate users are logging in from. With this information, we can fuel our attack.
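A defender-side audit of the trust files described above, added here as an example and not code from the original article. It parses the hosts.equiv/.rhosts line format ('[+|-]host [user]'), flags the wildcard forms that hand out password-less logins, and, given the hosts.equiv contents of several machines, reports the reciprocal trust pairs the paragraph warns about; the three host names and file contents are constructed.

```python
from collections import namedtuple

# host: name, "+" (any host) or "@netgroup"; user: name, "+" (any user) or None
# (same-named user only); negated: a leading "-" on the host field denies trust.
TrustEntry = namedtuple("TrustEntry", "host user negated")

def parse_trust_file(text: str) -> list:
    """Parse hosts.equiv / .rhosts lines; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        negated = host.startswith("-") and len(host) > 1
        entries.append(TrustEntry(host[1:] if negated else host, user, negated))
    return entries

def risky_entries(entries) -> list:
    """Flag wildcard entries that grant login without a password to whole populations."""
    warnings = []
    for e in entries:
        if e.negated:
            continue
        if e.host == "+" and e.user == "+":
            warnings.append("any user on any host trusted ('+ +')")
        elif e.host == "+":
            warnings.append("every host trusted for same-named users ('+')")
        elif e.user == "+":
            warnings.append(f"every user on {e.host} trusted")
    return warnings

def reciprocal_trusts(trust_files: dict) -> list:
    """Given {host: hosts.equiv text}, return sorted pairs of hosts that trust each other."""
    trusted = {h: {e.host for e in parse_trust_file(t) if not e.negated}
               for h, t in trust_files.items()}
    pairs = set()
    for a, hosts in trusted.items():
        for b in trusted:
            # "+" means a host trusts everyone, so it satisfies either direction
            if a != b and ("+" in hosts or b in hosts) \
                    and ("+" in trusted[b] or a in trusted[b]):
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)

# Constructed hosts.equiv contents for three hypothetical hosts (not from the article).
SAMPLE_FILES = {"alpha": "beta\ngamma\n",
                "beta": "alpha\n+ +   # anyone, from anywhere\n",
                "gamma": "-alpha\nbeta\n"}
```

Run over real files, the mutual pairs are the ones to break first, since compromising either member of a pair yields the other.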

Then, we proceed to strobe any internal machines that can be reached from this vantage point. We attempt to connect directly to machines behind the firewall, hoping that the firewall has been misconfigured in some way--many times it is. In all cases, we look for old versions of common system services that can be exploited, such as sendmail or Yellow Pages (the older name for Network Information Service, NIS). Using the trusted host information we previously gleaned, we often obtain instant access to many more machines using rsh, rlogin and other Unix programs. We also look for any unusual services running on these machines and attempt to exploit security holes that may be present. We may even have a go at gaining access to the firewall machine itself.

Once on the internal network, we proceed to search for notoriously insecure system services that we can use to get a firm foothold inside the network proper. The more territory we can secure for ourselves early on, the harder it will be to lock us out. This usually takes just 10 to 30 minutes because most organizations are not expecting an attack on their internal network.

Fortifying Our Keep

After we've gained access, our next goal is to secure multiple access points into the network in case our initial intrusion is detected. We usually have two main priorities: ascertaining other firewalls on the inside (in the case of a large organization) and identifying any dial-up terminal servers or workstations/servers with directly connected modems. In the course of this search, we keep an eye out for any systems designated as network administration servers.

Typically, network administration machines run some commercial network management software, such as Computer Associates International's CA-Unicenter, Hewlett-Packard Co.'s HP OpenView or IBM Corp.'s NetView. Network administration machines often have trust relationships with other key machines on the network and, more important, boot images and configuration files for routers and terminal servers. These configuration files invariably contain clear-text passwords for routers that are network boot clients.

Most router and terminal server vendors support password encryption, which would make an attack more difficult. However, it seems many administrators are unaware of this feature: Most of them do not enable it.

After securing at least one other Internet gateway for our use, we concentrate on the terminal servers. Dial-up access through a terminal server ensures that we will not be locked out of the network if the organization discovers it is under attack and decides to shut off all Internet access. Dial-up lines are almost always overlooked by network security administrators or are managed by a separate group with minimal communication between the two groups. As an added bonus, most organizations rely on remote dial-up access, rather than Internet connections, as part of their core business and will not shut it down--even in the event of an attack. And it is very difficult to change all dial-up passwords and notify the users in a short period of time. It is also rare for an organization to have any significant monitoring capability for dial-up usage. This gives us a stealthy and almost guaranteed way into the network.

The only remaining challenge is to determine the phone numbers assigned to the now-compromised terminal servers. We usually start by looking in both the network administration machines and terminal servers for notes or comments about dial-up telephone numbers. At the same time, we attempt to dial out using the terminal servers' modems to a phone equipped with Caller ID. Failing this, we will run a "war dialer" program that scans phone exchanges looking for modem carriers, and try calling the helpdesk to "social engineer" the dial-up numbers. At least one of these methods always works.

We make assumptions about what exchanges to "war dial" based on phone numbers listed for the organization in the InterNIC, and from files perused on the machines on which we've gained access. We commonly find a helpdesk phone number in the post-login banner of the machines we've compromised.

Once we're sure that we can't easily be locked out, we proceed to map out the internal topology of the network in great detail. We embark on a campaign to get as much "real estate" (compromised machines) as possible. On each new machine, we search for files containing information about our ultimate target machines--those machines the organization considers most sensitive. We note the names of machines that sound interesting, popular applications running on the network and valid user name/password combinations. Using a combination of this information and assorted technical attacks, we attack our target machines, usually mainframe systems or high-performance Unix servers.

Updated August 8, 1997