Black Hats Prefer Linux
Jon Lasser, 2001-11-28

Nine out of ten digital desperados choose a Unix flavor for their attack boxes. You don't have to wear a black hat to understand why

Let's face it, black hat hackers don't run Windows.

When insecure.org did a survey of their "top fifty" security tools, it turned out that fewer than ten of those tools run on Windows, with half of those being commercial products. Not one Windows tool made their top five.

And if you've ever been to a hacker convention or a 2600 meeting, you know that Windows laptops are not a fashionable tote among hardcore hackers.

There's a reason for this. Imagine for a moment that you wear a black hat: you spend your day breaking into other people's computers, searching their files for cool data, and then using their systems as launch pads for further attacks. What do you look for in an operating system?

The security of your own system would be paramount: after all, anyone who attacks other systems (and, more often than not, feuds with other black hats) becomes an obvious target for attack in turn. In order to protect yourself, you would need to be able to discover everything running on your system and have the ability to turn off every service you don't use. Flexible packet filtering would be a must, so as to block both probes and full-fledged attacks from other sites.

Reliability would be your second consideration: a system that could not perform its tasks unattended would be unsuitable. If you were scanning huge blocks of Internet address space in search of hapless victims, having to reboot the system and restart the software even once or twice a week would be a nightmare. You would want to set it and forget it, and not have anything to do with the system until its nefarious work was complete.

Ease of development would be crucial. After all, there are few off-the-shelf products that can actually penetrate remote systems. While there are commercial systems that scan for vulnerabilities, they are often slower to respond and more difficult to customize than their open-source competitors.

Moreover, when a new WU-FTPD exploit is announced, you don't want to wait until everyone else has had a crack at it: you want to be able to rapidly develop your own exploit using standard tools and a large body of publicly-available example code as your base.

Ease of use would be a final consideration. But we're not talking about ease of use in the traditional sense of "climb the learning curve as quickly as you can by pointing and clicking." Instead, "ease of use" means the ability to automate tasks without a great deal of effort: once you've scanned seventy-two million hosts for the new security hole, you want to be able to exploit the hole on sixteen thousand systems without having to type in the commands sixteen thousand times, right?

For all these reasons, black hats choose Linux.

They also choose OpenBSD, FreeBSD, and other open source Unix flavors. Why? Because Unix provides the security, reliability, ease of development, and ease of automation required for monumental tasks managed by a minimum number of people.

The Black Hat's Tool Box
It's not unusual for one script kiddie to control hundreds or thousands of denial of service zombies, and it's certainly not unusual for one script kiddie to crack thousands of systems with a single automated exploit.

The funny thing is, if you look at the above list of requirements, they likely do not differ substantially from your own. The four stumbling blocks to corporate adoption of Linux are desktop ease of use, document interoperability, an existing reliance on non-standard protocols and file formats, and support concerns. If you do not have these concerns, as black hats do not, you would likely make the same choice that they do. Many shops choose Linux for exactly these reasons.

(It should be noted that newer releases of KDE approach, and possibly surpass, Windows' ease of use for many operations, and that StarOffice provides the ability to read and write Microsoft file formats. Furthermore, relying on protocols and file formats that are not open puts your business in the hands of your vendor.)

So what open source Unix tools do black hats use? Three strong tools, which also have white hat applications, are nmap, nessus, and whisker. (It should be noted that the fact that black hats use these tools does not imply that their authors are themselves criminals or vandals. Many are white hats, or at the least, grey hats.)

nmap is the port scanner par excellence: it can scan some or all TCP and UDP ports on one or a block of systems, and can report output in human or machine-readable forms. It also has "stealth" scans that, in the past, could be used to evade some intrusion detection systems. I use nmap when configuring a new system in order to verify that I've shut down all services I don't intend to run. I've also used nmap to scan blocks of IP space under my control to search for compromised systems with back doors installed on a particular port. nmap is available at http://www.insecure.org/nmap/

Nessus is a vulnerability scanner with a plug-in architecture: while nmap tells you what is open, Nessus discovers which exploits are likely to be effective against a particular system. Nessus assesses the degree of risk associated with each discovered vulnerability, and often includes information on resolving the problem. Running Nessus against a system is a good way to check whether servers are reasonably up-to-date. It is available from http://www.nessus.org/

Whisker is a CGI scanner that scans for particular CGI scripts and entire classes of exploits against such scripts. It has the ability to read in nmap's machine-readable output and scan all systems discovered to have their Web server port open, and is an incredibly flexible and programmable CGI scanner. While nefarious individuals might use it to search for holes on other people's systems, it can be used by sites to check their own scripts and systems. Whisker is available from Rain Forest Puppy's Web site at http://www.wiretrip.net/rfp/
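The defensive uses described above for nmap (confirming that a freshly built system exposes only the services you meant to run, and sweeping your own address space for a back door listening on an unexpected port) and whisker's habit of consuming nmap's machine-readable output both come down to parsing that output and comparing it against a policy. The following is an added example, not code from the column or from the nmap or whisker projects: a small Python parser for nmap's grepable output (one "Host:" line per host, with a tab-separated "Ports:" field of port/state/protocol/owner/service/rpc/version entries, as the format is generally documented) that reports any host whose open ports differ from an administrator's allowlist. The scan lines, host addresses, hostnames and the allowlist are all constructed for the example; the 31337/tcp entry simply stands in for "a port the policy never allowed."

```python
"""Compare nmap grepable output against an allowlist of intended services.

Added example (not from the article or the nmap project). The scan text
below is constructed to look like nmap's grepable format; it is not real
scan output.
"""
import re
from typing import Dict, Set, Tuple

PortKey = Tuple[int, str]  # (port number, protocol)

# Constructed sample of grepable output: three scanned hosts plus one
# host line that carries only a Status field and no Ports field.
SAMPLE_SCAN = (
    "# Nmap run (constructed sample)\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 (mail.example.test)\tPorts: 22/open/tcp//ssh///, "
    "25/open/tcp//smtp///, 31337/open/tcp//unknown///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.12 (db.example.test)\tPorts: 22/open/tcp//ssh///, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (998)\n"
    "Host: 192.0.2.13 ()\tStatus: Up\n"
)

# The administrator's own policy: what each host is supposed to expose.
# Hosts absent from this table are expected to expose nothing.
EXPECTED_OPEN: Dict[str, Set[PortKey]] = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.11": {(22, "tcp"), (25, "tcp")},
    "192.0.2.12": {(22, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, Set[PortKey]]:
    """Return {ip: {(port, proto), ...}} for every port reported as open."""
    result: Dict[str, Set[PortKey]] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines, blank lines, anything that is not a host
        ip = match.group(1)
        open_ports: Set[PortKey] = set()
        # Fields on a host line are tab-separated; only "Ports:" matters here.
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue  # empty or malformed entry
                port, state, proto = parts[0], parts[1], parts[2]
                # filtered/closed ports are not listening; keep only "open"
                if state == "open" and port.isdigit():
                    open_ports.add((int(port), proto))
        # A host line without a Ports field (e.g. "Status: Up") records no open ports.
        result[ip] = open_ports
    return result


def find_deviations(
    scan: Dict[str, Set[PortKey]], expected: Dict[str, Set[PortKey]]
) -> Dict[str, Dict[str, Set[PortKey]]]:
    """Return, per deviating host, ports open but not allowed ("unexpected")
    and ports allowed but not seen open ("missing"). A host in the policy
    that never appeared in the scan shows all its ports as missing, which
    is worth a look too (down, or silently firewalled)."""
    deviations: Dict[str, Dict[str, Set[PortKey]]] = {}
    for ip in sorted(set(scan) | set(expected)):
        observed = scan.get(ip, set())
        policy = expected.get(ip, set())
        unexpected = observed - policy
        missing = policy - observed
        if unexpected or missing:
            deviations[ip] = {"unexpected": unexpected, "missing": missing}
    return deviations


def report(text: str = SAMPLE_SCAN) -> Dict[str, Dict[str, Set[PortKey]]]:
    """Parse a scan and return its deviations from EXPECTED_OPEN."""
    return find_deviations(parse_grepable(text), EXPECTED_OPEN)


if __name__ == "__main__":
    for host, delta in report().items():
        for kind, ports in delta.items():
            for port, proto in sorted(ports):
                print(f"{host}: {kind} {port}/{proto}")
```

Run against the constructed sample, the only finding is 192.0.2.11 with 31337/tcp open but not in the policy; the filtered 3306/tcp on the database host is not counted as open, and the host with no Ports field simply contributes an empty set. To use it on real data, feed it the grepable output of a scan of address space you administer and replace EXPECTED_OPEN with your own build policy.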

Why worry about what black hats use? Because if black hat hackers use a tool, it's likely to be flexible, robust, extensible, and secure. And you don't have to be bad to want good tools.



SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.