Lesson A.1: Advanced Cracking: Internet Cracking (Unix)

     With each new company that connects to the "Information
Superhighway" new frontiers are created for crackers to explore.
Site administrators (Siteads) have implemented various security
measures to protect their internal networks. One of these is
xinetd, covered later. A more general solution is to construct
a guarded gateway, called a [Firewall], that sits between a
site's internal network and the wild and woolly Internet where
we roam. In fact only one third of all Internet connected
machines are already behind firewalls. Most information services
have to deal with the same problem we have: getting OUT through
a local firewall or GETTING INTO a service through their
Firewall. There lays also the crack_solution.
------------>         What is a Firewall?
     The main purpose of a Firewall is to prevent unauthorized
access between networks. Generally this means protecting a site's
inner network from the Internet. If a site has a firewall,
decisions have been made as to what is allowed and disallowed
across the firewall. These decisions are always different and
always incomplete, given the multiplicity of Internet, there are
always loopholes where a cracker can capitalize on.
     A firewall basically works by examining the IP packets that
travel between the server and the client. This provides a way to
control the information flow for each service by IP address, by
port and in each direction.
     A firewall embodies a "stance". The stance of a firewall
describes the trade-off between security and ease-of-use. A
stance of the form "that which is not expressly permitted is
prohibited" requires that each new service be enabled
individually and is seldom used, coz very slow and annoying.
Conversely, the stance "that which is not expressly prohibited
is permitted" has traded a level of security for convenience. It
will be useful to guess the stance of the firewall you are
cracking when making probe decisions.
     A firewall has some general responsibilities:
*    First and foremost if a particular action is not allowed by
the policy of the site, the firewall must make sure that all
attempts to perform the action will fail.
*    The firewall should log suspicious events
*    The firewall should alert internal administration of all
cracking attempts
*    Some firewall provide usage statistics as well.

------------>          Types of Firewall
     In order to avoid head-scratching, it's a good idea to know
the TOPOLOGY of "your" firewall -and its limitations- before
attempting to get through it. Discussed below are two popular
firewall topologies. Although other types exist, the two below
represent the basic forms; most other firewalls employ the same
concepts and thus have -luckily- the same limitations.
                   1) THE DUAL-HOMED GATEWAY
     A dual-homed Gateway is a firewall composed of a single
system with at least two network interfaces. This system is
normally configured such that packets are not directly routed
from one network (the Internet) to the other (the internal net
you want to crack). Machines on the Internet can talk to the
gateway, as can machines on the internal network, but direct
traffic between nets is blocked.
     In discussing firewalls, it's generally accepted that you
should think of the inner network as a medieval castle. The
"bastions" of a castle are the critical points where defence is
concentrated. In a dual-homed gateway topology, the dual-homed
host itself is called the [BASTION HOST].
     The main disadvantage of a dual-homed gateway, from the
viewpoints of the users of the network and us crackers alike, is
the fact that it blocks direct IP traffic in both directions. Any
programs running on the inner network that require a routed path
to external machines will not function in this environment. The
services on the internal network don't have a routed path to the
clients outside. To resolve these difficulties, dual-homed
gateways run programs called [PROXIES] to forward application
packets between nets. A proxy controls the conversation between
client and server processes in a firewalled environment. Rather
than communicating directly, the client and the server both talk
to the proxy, which is usually running on the bastion host
itself. Normally the proxy is transparent to the users.
     A proxy on the bastion host does not just allow free rein
for certain services. Most proxy software can be configured to
allow or deny forwarding based on source or destination addresses
or ports. Proxies may also require authentication of the
requester using encryption- or password-based systems.
     The use of proxy software on the bastion host means that the
firewall administrator has to provide replacements for the
standard networking clients, a nightmare in heterogeneous
environments (sites with many different operating systems
platforms, PC, Sun, IBM, DEC, HP...) and a great burden for
administrator and users alike. 
                 2) THE SCREENED HOST GATEWAY
     A screened host gateway is a firewall consisting of at least
one router and a bastion host with a single network interface.
The router is typically configured to block (screen) all traffic
to the internal net such that the bastion host is the only
machine that can be reached from the outside. Unlike the dual-
homed gateway, a screened host gateway does not necessarily force
all traffic through the bastion host; through configuration of
the screening router, it's possible to open "holes" in the
firewall to the other machines on the internal net you want to
get into.
     The bastion host in a screened host firewall is protected
from the outside net by the screening router. The router is
generally configured to only allow traffic FROM SPECIFIC PORTS
on the bastion host. Further, it may allow that traffic only FROM
SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet
news traffic to reach the bastion host ONLY if the traffic
originated from the site's news provider. This filtering can be

easily cracked: it is relying on the IP address of a remote
machine, which can be forged.
     Most sites configure their router such that any connection
(or a set of allowed connections) initiated from the inside net
is allowed to pass. This is done by examining the SYN and ACK
bits of TCP packets. The "start of connection" packet will have
both bits set. If this packets source address is internal... or
seems to be internal :=) the packet is allowed to pass. This
allows users on the internal net to communicate with the internet
without a proxy service.
     As mentioned, this design also allows "holes" to be opened
in the firewall for machines on the internal net. In this case
you can crack not only the bastion host, but also the inner
machine offering the service. Mostly this or these machine/s will
be far less secure than the bastion host.
     New services, for instance recent WEB services, contain a
lot of back doors and bugs, that you'll find in the appropriate
usenet discussion groups, and that you could use at freedom to
crack inner machines with firewall holes. Sendmail is a good
example of how you could crack in this way, read the whole
related history... very instructive. The rule of thumb is "big
is good": the bigger the software package, the more chance that
we can find some security related bugs... and all packages are
huge nowadays, 'coz the lazy bunch of programmers uses
overbloated, buggy and fatty languages like Visual Basic or
Finally, remember that the logs are 'mostly) not on the bastion
host! Most administrators collect them on an internal machine not
accessible from the Internet. An automated process scan the logs
regularly and reports suspicious information.
The dual-homed gateway and the screened host are probably the
most popular, but by no mean the only firewall topologies. Other
configurations include the simple screening router (no bastion
host), the screened subnet (two screening routers and a bastion
host) as well as many commercial vendor solutions.

------------>   Which software should we study?
Three popular unix software solutions allow clients inside a
firewall to communicate with server outside: CERN Web server in
proxy mode, SOCKS and the TIS Firewall toolkit. 

1)   The CERN Web server handles not only HTTP but also the other
protocols that Web clients use and makes the remote connections,
passing the information back to the client transparently. X-based
Mosaic can be configured for proxy mode simply by setting a few
environment variables.
2)   The SOCKS package (available free for anonymous ftp from in the file
includes a proxy server that runs on the bastion host of a
firewall. The package includes replacements for standard IP
socket calls such as connect(), getsockname(), bind(), accept(),
listen() and select(). In the package there is a library which
can be used to SOCKSify your crack probes.
3)   The Firewall Toolkit
The toolkit contains many useful tools for cracking firewall and
proxy server. netacl can be used in inetd.conf to conceal

incoming requests against an access table before spawning ftpd,
httpd or other inetd-capable daemons. Mail will be stored in a
chroot()ed area of the bastion for processing (mostly by
The Firewall toolkit is available for free, in anonymous ftp from in the file
The popular PC firewall solution is the "PC Socks Pack", for MS-
Windows, available from It includes a winsock.dll


     The cracking attempts should concentrate on ftpd, normally
located on the bastion host. It's a huge application, necessary
to allow anonymous ftp on and from the inner net, and full of
bugs and back doors. Normally, on the bastion host, ftpd is
located in a chroot()ed area and runs as nonprivileged user. If
the protection is run from an internal machine (as opposing the
bastion host), you could take advantage of the special inner-net
privileges in hostp.equiv or .rhosts. If the internal machine
"trusts" the server machine, you'll be in pretty easily.
     Another good method, that really works, is to locate your
PC physically somewhere along the route between network and
archie server and "spoof" the firewall into believing that you
are the archie server. You'll need the help of a fellow hacker
for this, though.
     Remember that if you gain supervisor privileges on a machine
you can send packets from port 20, and that in a screened host
environment, unless FTP is being used in proxy mode, the access
filters allow often connections from any external host if the
source port is 20 and the destination port is greater than 1023!
     remember that NCSA Mosaic uses several protocols, each on
a different port, and that -if on the firewall no proxy Web
server is operating- each protocol must be dealt with
individually, what lazy administrators seldom do.
     Be careful for TRAPS: networking clients like telnet and ftp
are often viciously replaced with programs that APPEAR to execute
like their namesake, but actually email an administrator. A
fellow cracker was almost intercepted, once, by a command that
simulated network delays and spat out random error messages in
order to keep me interested long enough to catch me. Read the
(fictions) horror story from Bill Cheswick: "An evening with
Berferd in which a cracked is lured, endured and studied",
available from in
As usual, all kind of traps can be located and uncovered by
correct zen-cracking: you must *FEEL* that some code (or that
some software behaviour) is not "genuine". Hope you believe me
and learn it before attempting this kind of cracks. 

------------>      How do I crack Firewalls?
     Some suggestions have been given above, but teaching you how
to crack firewalls would take at least six complete tutorial
lessons for a relatively unimportant cracking sector, and you
would almost surely get snatched immediately, 'coz you would
believe you can crack it without knowing nothing at all. So, for
your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT
(quite a fascinating difference): First Text, then the software
above. For text, start with Marcus Ranum's paper "Thinking about
Firewalls", available from in the file/pub/firewalls/
and do an archie search for newer literature.
Join the firewall discussion list sending a message to, you'll get a message with
instructions, as usual, lurk only... never show yourself to the
     You can find for free on the web quite a lot of early
versions of proxy software. Study it, study it and then study it
again. The cracking efforts on your copies, and your machines,
before attempting anything serious, are MANDATORY if you do not
want to be immediately busted on the Internet. When you feel
ready to try serious cracking, you must OBLIGATORY start with a
small BBS which uses a firewall version you already studied very
well (sysops are not firewall administrators, and many of them
do not know nothing about the software they use). As soon as you
gain access to the bastion host, remember to subvert entirely the
firewall itself before entering the inner net.  
If you feel ready and everything went well so far, if your zen-
cracking abilities are working well... then take a moment for
yourself... prepare yourself a good Martini-Wodka (you should
only use Moskovskaia), take a deep breath and by all means go
ahead! You will then be able to try your luck on the Cyberspace
and get quickly busted (if you did not follow my admonitions and
if you cannot zen-crack) or, may be, fish quite a lot of
jewels... :=) 

------------->     INTERNET CRACKING: XINETD
     [Xinetd] a freely available enhanced replacement for the
internet service daemon inetd, allows just those particular users
to have FTP or Telnet access, without opening up access to the
world. Xinetd can only protect the system from intrusion by
controlling INITIAL access to most system services and by logging
activities so that you can detect break-in attempts. However,
once a connection has been allowed to a service, xinetd is out
of the picture. It cannot protect against a server program that
has security problems internally. For example, the finger server
had a bug several years ago that allowed a particularly clever
person to overwrite part of its memory. This was used to gain
access to many systems. Even placing finger under the control of
xinetd wouldn't have helped.
     Think of the secured firewall system as a fortress wall:
each service that is enabled for incoming connections can be
viewed as a door or window in the walls. Not all these doors have
secure and reliable locks. The more openings are available, the
more opportunities are open for us.
------------->         What xinetd does

Xinetd listens to all enabled service ports and permits only
those incoming connection request that meet authorization
-    Accept connections from only certain IP addresses
-    Accept connections only from authorized users

-    Reject connections outside of aithorized hours
-    Log selected service when connections are accepted or
     rejected, capturing following informations: 
     * Remote Host Address
     * User ID of remote user (in some cases)
     * Entry and Exit time
     * Terminal type 
     Support login, shell, exec and finger

------------->        SERVICES TO CRACK &
In this order the easy services:
     FTP  TELNET    LOGIN (rlogin) SHELL (rcmd)   EXEC
In this order the more difficult ones:
     MOUNT     TFT  FINGER    NFS(Network File System) 
     DNS(Domain Name Service)
Remember that sendmail (SMTP), by default, accepts a message from
any incoming connection. The "sender" of such a message can
appear to have originated anywhere, therefore your claim of
identity will be accepted! Thus you can forge a message's
originator. Most of the recipients inside the protected
(firewalled) net will take your claim at face value and send you
(to the "return address" you provide) all the sensitive
information you need to crack the system. Finding unwitting
inside complices is most of the time pretty easy.
     By far the best method, for entering xinetd, is to get the
real version from, modify the system files
in order to have some backdoors, and then distribute them to the
mirror servers on the WEB. Each time a new administrator will
download "your" version of xinetd, you'll have an easy access to
the "protected" system.
     On the Nets, it's important to conceal your identity (they
will find you out pretty quickly if you do not). The best method
is to obtain the IP address of a legitimate workstation during
normal hours. Then, late at night, when the workstation is known
to be powered-off or disconnected from a dialup PPP link, a
different node on the network can be configured to use the
counterfeit IP address. To everyone on the network, it will
appear that the "legitimate" user is active. If you follow this
strategy, you may want to crack somehow more negligently... the
search for the cracker will go on -later- in the false confidence
that a sloppy novice (the legitimate user) is at work, this will
muddle the waters a little more.

Well, that's it for this lesson, reader. Not all lessons of my
tutorial are on the Web.

     You 'll obtain the missing lessons IF AND ONLY IF you mail
me back (via with some tricks of the trade I may
not know that YOU discovered. Mostly I'll actually know them
already, but if they are really new you'll be given full credit,
and even if they are not, should I judge that you "rediscovered"
them with your work, or that you actually did good work on them,
I'll send you the remaining lessons nevertheless. Your
suggestions and critics on the whole crap I wrote are also

E-mail +ORC