Hacking Methodologies: An overview of historical hacking approaches. Johnny Long, http://johnny.ihackstuff.com, johnny@ihackstuff.com

  • Varied Approaches

    Old School: Slow, careful, precise, invasive

    Pros: Fast, careful, precise, sometimes invasive

    Skript Kiddies: Slow, reckless, imprecise, invasive

    Defacers: Fast, reckless, precise, mildly invasive

  • Old school

    For years, information security pundits have followed and believed in a hacking methodology which described the steps a hacker classically followed when performing an attack.

    That methodology followed the following basic steps:

    Information Gathering → Probe → Attack → Advancement → Entrenchment → Infiltration/Extraction

  • Old School: Information Gathering

    Decide and discover which targets to attack

    Often begin with a specific network or a specific company

    Whois, nslookup queries; samspade.org; search engines (googlescanning)

  • Old School: Probe

    Scan specific targets for vulnerabilities

    Search sweeping ranges of ports with a portscan (nmap)

    Grab details such as service versions from the discovered ports, aka banner grabbing (netcat)

    NT: Connect to and enumerate information from NETBios (enum)

    Search the Internet for vulnerabilities based on versions of software found on targets

  • Old School: Probe

    NMAP (http://www.insecure.org/nmap)

    Superscan (http://www.webattack.com/get/superscan.shtml)

    Nessus (http://www.nessus.org)

    Whisker (http://sourceforge.net/projects/whisker/)

    Netcat (http://www.atstake.com/research/tools/)

    Enum (http://razor.bindview.com/tools/index.shtml)

    THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d=probe-4.1.tar.gz)

  • Old School: Probe

    Nmap is used to scan the ports of the target system. Using the -O option would also report the operating system of the target.

  • Old School: Probe

    Nmap's guess at the operating system type

  • Old School: Probe

    Some services listen behind RPC. rpcinfo can give us this info.

  • Old School: Attack

    Gather compatible exploits

    Compile exploits (if required)

    Launch exploits against targets

    Modify parameters, re-launch exploits (if required)

  • Old School: Attack

    There are many different types of attacks which can be broken down into several classifications.

    The attacks are performed from one of two perspectives:

    Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target

    Remote: The attacker exploits the target box without first gaining access to a command shell

  • Attacks: Buffer Overflow

    Aka the Boundary Condition Error: Stuff more data into a buffer than it can handle. The resulting overflowed data falls into a precise location and is executed by the system

    Local overflows are executed while logged into the target system

    Remote overflows are executed by processes running on the target that the attacker connects to

    Result: Commands are executed at the privilege level of the overflowed program

    Example: SNMPXDMID overflow (Solaris 6-8) http://www.securityfocus.com/bid/2417

  • Attacks: Input Validation

    A process does not strip input before processing it, i.e. special shell characters such as semicolon and pipe symbols

    An attacker provides data in unexpected fields, i.e. SQL database parameters
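
Both halves of this slide (shell metacharacters reaching a command line, and attacker data reaching an SQL statement) come down to the same defect: input is treated as code. The following is an added example written for this page, not code from the deck or from any tool it names; it places the weak pattern beside the hardened one for each case. The hostname allowlist and the in-memory `users` table are constructed for the illustration.

```python
import re
import shlex
import sqlite3
import subprocess

# Constructed allowlist for this example: a hostname is letters, digits, dots
# and hyphens, nothing else. A ';' or '|' can never pass it.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def naive_command(host: str) -> str:
    """The weak pattern from the slide: input is glued into a command line that
    a shell will parse. Returned as a string (never executed here) so the reader
    can see that ';' and '|' survive intact."""
    return "ping -c 1 " + host


def is_accepted(host: str) -> bool:
    """True if the allowlist accepts this input."""
    return HOSTNAME_RE.match(host) is not None


def build_command(host: str) -> list:
    """Hardened form: validate against the allowlist, then build an argv list.
    No shell is involved, so metacharacters have no meaning at all."""
    if not is_accepted(host):
        raise ValueError("rejected input: " + shlex.quote(host))
    return ["ping", "-c", "1", host]


def run_safely(host: str) -> int:
    """Execute the validated argv list without a shell (not exercised by tests)."""
    return subprocess.run(build_command(host), capture_output=True, text=True).returncode


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the SQL half of the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Weak pattern: the value is spliced into the SQL text, so a quote inside
    the value changes the shape of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds the value; it is data, never SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)
```

Running `lookup_concatenated(demo_db(), "x' OR '1'='1")` returns every user, while the parameterized version returns nothing for the same string; likewise `build_command("host; id")` raises instead of producing a command line. The point for a reviewer is that stripping characters is the fragile fix; passing arguments through an interface that never re-parses them is the robust one.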

  • Attacks: Input Validation

    Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)

    A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.

  • Attacks: Race Conditions

    An attacker forces an action during a sensitive time window between two operations

    A program checks to make sure output file /tmp/temp_output does not exist

    The program wanders off and does other stuff

    An attacker quickly creates a symlink from /tmp/temp_output to /etc/shadow

    The program writes to /tmp/temp_output, which clobbers /etc/shadow

    Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
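
The sequence above is a time-of-check-to-time-of-use race, and the fix is to remove the separate check rather than to shorten the window. The following is an added example written for this page (not code from the deck or from the diskcheck program); it reproduces the slide's sequence against a constructed victim file in a scratch directory standing in for /etc/shadow, with a `during_window` callback standing in for the attacker acting between check and use, and shows the hardened form using `O_CREAT | O_EXCL | O_NOFOLLOW`, which makes creation and opening a single atomic step that refuses to follow a planted link.

```python
import os
import tempfile


def unsafe_create(path: str, during_window=None) -> None:
    """The check-then-use pattern from the slide: test for existence, do other
    work (here: call during_window, which stands in for the attacker's window),
    then open the path for writing. open() follows symlinks, so a link planted
    in the window redirects the write to whatever the link points at."""
    if os.path.exists(path):
        raise FileExistsError(path)
    if during_window is not None:
        during_window()
    with open(path, "w") as f:
        f.write("program output\n")


def safe_create(path: str, during_window=None) -> None:
    """Hardened: create and open atomically. O_EXCL makes open() fail if anything
    already exists at the path (a symlink counts), and O_NOFOLLOW refuses to
    follow a link. There is no separate check left to race."""
    if during_window is not None:
        during_window()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("program output\n")


def demo(create) -> str:
    """Run one variant with an attacker that plants a symlink from the output
    path to a constructed victim file; return the victim's content afterwards."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        output = os.path.join(d, "temp_output")
        with open(victim, "w") as f:
            f.write("original victim content\n")
        try:
            create(output, during_window=lambda: os.symlink(victim, output))
        except FileExistsError:
            pass  # the hardened variant refuses rather than follow the link
        with open(victim) as f:
            return f.read()


def safe_create_without_attacker() -> str:
    """Sanity check: with nobody racing, the hardened variant creates a normal file."""
    with tempfile.TemporaryDirectory() as d:
        output = os.path.join(d, "temp_output")
        safe_create(output)
        with open(output) as f:
            return f.read()
```

`demo(unsafe_create)` returns the program's output string, because the victim was clobbered; `demo(safe_create)` returns the victim's original content, because `os.open` raised `FileExistsError` on the planted link. The same principle applies to any program writing into a world-writable directory: use a private directory or `tempfile.mkstemp`, and never trust a path you checked a moment ago.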

  • Attacks: Environment Errors

    An attacker makes a change to a program's environment that was not expected

    For example, a program relies on the UNIX environment variable $USER to determine who is running the program

    An attacker changes this value to root before executing the program
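
The $USER example generalizes: anything inherited from the caller's environment is caller-controlled. The following is an added example written for this page, not code from the deck; it shows the fragile identity check beside one that asks the kernel, and goes a little beyond the slide with an audit of other commonly abused variables (loader variables, IFS, relative PATH entries) and a sanitized environment a privileged program could run with. The variable list and the pinned PATH are constructed choices for the illustration.

```python
import os
import pwd

# Variables a privileged program should never inherit from its caller.
# Constructed illustration, not an exhaustive list.
UNTRUSTED_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "IFS")


def user_from_env(env) -> str:
    """The fragile pattern from the slide: trust $USER, which the caller sets."""
    return env.get("USER", "")


def user_from_kernel() -> str:
    """Hardened: derive identity from the real uid, which the caller cannot
    change without already holding the privilege being checked."""
    return pwd.getpwuid(os.getuid()).pw_name


def is_admin_by_env(env) -> bool:
    """Anyone can satisfy this by exporting USER=root before running us."""
    return user_from_env(env) == "root"


def is_admin_real() -> bool:
    """Only a process whose effective uid is 0 satisfies this."""
    return os.geteuid() == 0


def audit_environment(env) -> list:
    """Report environment settings a privileged program should refuse to trust:
    loader-controlling variables, a changed IFS, and relative PATH entries."""
    findings = []
    for var in UNTRUSTED_VARS:
        if var in env:
            findings.append("%s is set" % var)
    for entry in env.get("PATH", "").split(":"):
        if not entry.startswith("/"):
            findings.append("PATH contains relative entry %r" % entry)
    return findings


def sanitized_environment(env) -> dict:
    """Build the environment a privileged program should actually run with:
    drop loader variables, pin PATH, and set USER from the kernel's answer."""
    clean = {k: v for k, v in env.items() if k not in UNTRUSTED_VARS}
    clean["PATH"] = "/usr/bin:/bin"
    clean["USER"] = user_from_kernel()
    return clean
```

`is_admin_by_env({"USER": "root"})` is True for any caller; `is_admin_real()` is not. The audit and sanitize functions are the habit that setuid and daemon code should have: decide what the environment must be, then build it, rather than inspecting what was handed over.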

  • Attacks: Weak Passwords

    Accounts with weak passwords are guessed by a remote attacker

    Accounts with weak passwords are cracked by attacker with access to a password database

    THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)
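
Two of the activities in this deck are loud on the wire: the Probe phase's port sweeps and the remote password guessing described on this slide. Both leave the same shape in logs, one source touching many distinct things in a short time, so one detector serves both. The following is an added example written for this page, not code from the deck or from any of the tools it names; the firewall and sshd log lines are constructed samples using documentation address ranges, and the window sizes and thresholds are illustrative choices to tune for a real network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. FIREWALL_LOG: one source walks five ports in two
# seconds; another host just uses the web server normally.
FIREWALL_LOG = """\
2002-08-09T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2002-08-09T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2002-08-09T10:00:02 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
2002-08-09T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2002-08-09T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2002-08-09T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2002-08-09T10:00:09 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# AUTH_LOG: one source tries four different usernames in under a minute;
# another host has a single mistyped password.
AUTH_LOG = """\
2002-08-09T10:05:00 sshd[4242]: Failed password for root from 203.0.113.9 port 40000 ssh2
2002-08-09T10:05:07 sshd[4243]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2002-08-09T10:05:10 sshd[4244]: Failed password for alice from 198.51.100.4 port 51000 ssh2
2002-08-09T10:05:15 sshd[4245]: Failed password for invalid user test from 203.0.113.9 port 40002 ssh2
2002-08-09T10:05:21 sshd[4246]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2
"""

FW_RE = re.compile(r"^(\S+) \w+ SRC=(\S+) DST=\S+ PROTO=\S+ DPT=(\d+)$")
SSH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_firewall(text):
    """Yield (timestamp, source, 'port:N') for each firewall line."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), "port:" + m.group(3)


def parse_ssh(text):
    """Yield (timestamp, source, 'user:NAME') for each failed-password line."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(3), "user:" + m.group(2)


def sliding_window_alerts(events, window_seconds, threshold):
    """Generic detector: alert the first time a source touches at least
    `threshold` distinct keys inside a trailing window of `window_seconds`.
    Returns {source: sorted distinct keys at the moment of the alert}."""
    history = defaultdict(list)  # source -> [(timestamp, key), ...] inside window
    alerts = {}
    for ts, src, key in sorted(events):
        cutoff = ts - timedelta(seconds=window_seconds)
        history[src] = [(t, k) for t, k in history[src] if t >= cutoff]
        history[src].append((ts, key))
        distinct = {k for _, k in history[src]}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = sorted(distinct)
    return alerts


def detect_port_sweeps(text, window_seconds=10, threshold=5):
    """Probe phase: many distinct destination ports from one source."""
    return sliding_window_alerts(parse_firewall(text), window_seconds, threshold)


def detect_password_guessing(text, window_seconds=60, threshold=4):
    """Weak passwords: many distinct usernames failing from one source."""
    return sliding_window_alerts(parse_ssh(text), window_seconds, threshold)
```

On the sample data `detect_port_sweeps` flags 203.0.113.7 and ignores the host that only spoke to ports 80 and 443, and `detect_password_guessing` flags 203.0.113.9 while ignoring the single failure from 198.51.100.4. Counting distinct keys rather than raw events is what keeps a busy but legitimate client below the line.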

  • Attack: Exploit Sites

    SecurityFocus (http://www.securityfocus.com)

    Packetstorm (http://packetstormsecurity.org)

    New Order (http://neworder.box.sk/)

    Hack in the Box (http://www.hackinthebox.org/)

    phreak.org (http://www.phreak.org/archives/exploits/unix/)

  • Old School: Attack phases

    The Attack is most often broken into several phases (perhaps running cyclically)

    Locating Exploits → Getting Exploits → Modification of Exploits → Building Exploits → Testing Exploits → Running Exploits

  • Old School: Locating exploits

  • Old School: Locating exploits

  • Old School: Getting Exploits

    The wget program downloads the exploit to the attacker's machine

  • Old School: Modifying exploit

    (-lsocket won't work)

    Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on our RedHat 7.2 attack box.

  • Old School: Building Exploit

    Some exploits come complete with a Makefile, so a simple make command is all that's required to build the exploit.

  • Old School: Building Exploit

    The make command successfully produces the exploit, in this case automountdexp

  • Old School: Testing Exploit

    The -h parameter shows the usage for this exploit.

  • Old School: Attack: Running Exploit

    This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inet is restarted) a listening root shell is opened on port 31337.

  • Old School: Attack: Success!

    The attacker connects to the 31337 port on the target and is greeted with a root prompt.

  • Old School: Advancement (optional)

    If needed, gain further access to targets by further exploitation: Trojans, Local Exploits

    The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits

  • Old School: Entrenchment

    Modify targets to ensure future access: Backdoors, Rootkits

  • Entrenchment: Backdoors

    Linux: Non-listening backdoor programs = No listening port!

    SAdoor (http://cmn.listprojects.darklab.org/)

    Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)

    NT/2K: Fake GINA, username and password interceptor (http://www.rootkit.com/projects/ginatroj/)

    NTKap: Removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)

  • Entrenchment: Rootkits

    Linux: LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz); ADORE (http://online.securityfocus.com/tools/1490); KNARK (http://online.securityfocus.com/tools/1163)

    NT: NT Rootkit (http://www.rootkit.com/projects/ntroot/); NULL.SYS (http://www.rootkit.com/projects/nullsys/)

  • Old School: Infiltration/Extraction

    Install sniffers to monitor network traffic, gather usernames/passwords

    Extract data from compromised systems

    Compromise neighboring targets based on captured data or trust relationships

  • Professionals

    Professional hackers, or ethical hackers, tend to follow the following methodologies:

    Information Gathering → Probe → Attack → Advancement → Infiltration/Extraction

  • Professionals

    Most often, professional ethical hackers rely on Vulnerability Scanners to perform their jobs: Nessus; Retina by eEye; Network Associates CyberCop; H.E.A.T.; Internet Security Systems Internet Scanner (see http://www.networkcomputing.com/1201/1201f1b1.html)

  • Professionals

    Vulnerability Scanner Demo

  • Skript Kiddies

  • Skript Kiddies

    Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic)

    Exploit Selection → Target Selection → Attack

  • Skript Kiddies: Exploit Selection

    Nearly identical to the Old School method of locating exploits, skript kiddies generally use search engines to locate exploits

    Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use.

  • Skript Kiddies: Target Selection

    Most target selection involves noisy scanners, often launched from Windows platforms

    An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.

  • Skript Kiddies: Attack!

    Unlike old-school attacks, Skript Kiddies' tools are generally pre-compiled, or written in interpretive languages such as PERL

    If an exploit needs to be built, most kiddies will not be able to get them working

    If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical.

  • Defacers

  • Web Defacers

    While old school methods are still in use, web defacers statistically own the hacking landscape

    http://www.alldas.org

  • Profile of a web defacer

    Handle: intrud3rm4n

    Age: 21

    Group: Leader of ISOTK (In Search of the Knowledge!)

    Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements

    My favorite defacement: http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/

    Country of Origin: Brazil

    Language: Portuguese

    Favorite Hacking food: Hamburgers and Fries

    Favorite Hacking Music: Metallica =)

    Favorite exploit: whacking LINUX boxen

    Reason for defacing: FUN

  • Defaced: Cap Gemini

  • Following web defacers

    http://www.alldas.org

  • Following web defacers

    http://www.zone-h.com/en/defacements

  • Following web defacers

    http://www.delta5.com.br/mirror/

  • Common Web Defacement Methodology

    Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!

    The web defacement methodology (again, often cyclical) is generally as follows:

    Exploit Selection → Target Selection → Attack → Defacement

  • Web Defacement

    Amateur defacers usually stick with one exploit and one target platform...

  • Defacer's Exploit Selection

    An attacker's level of comfort with an Operating System will often decide the types of exploits used

    UNIX-based attackers often opt for C-based remote overflows

    Windows-based attackers often opt for perl-based remote overflows, visual basic tools, or command-line net commands

    Attackers with only browser-based experience or simplistic attackers seeking privacy through proxies will opt for URL-based attacks such as UNICODE or DECODE, Front Page exploits, or PHP-Nuke attacks

  • Defacer's Search for Exploits

    Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits

  • Defacer's Target Selection

    Armed with an exploit, most web defacers now seek for vulnerable targets using various methods

    Web searching: Netcraft, Netstat, Google

    Host scanning: Nmap, custom scanners

  • Defacer's Target Selection: Web Searches

    http://www.netcraft.com

  • Defacer's Target Selection: Web Searches

    Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn't been explored in great detail.

    http://johnny.ihackstuff.com/security/googledorks.shtml

  • Defacer's Target Selection: Web Searches

    Google query: intitle:Index of Apache 1.3.11

    Here, Apache 1.3.11 servers are located through creative use of the Google search engine.
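
A query like the one above works because the server itself publishes two things it did not need to: an automatically generated directory listing (the "Index of" title) and a signature line naming the exact Apache version. Both come from configuration. The following is an added example written for this page, not code from the deck or from the Apache project; it audits an httpd.conf fragment for the directives that cause this exposure (`Options Indexes`, `ServerTokens`, `ServerSignature`) and shows the weak settings beside the corrected ones. The two configuration fragments are constructed for the illustration.

```python
# Constructed httpd.conf fragment with the settings that make a server appear
# in a directory-listing search with its version in the footer.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# The same fragment with the exposure removed: no auto-generated listings,
# no version in the Server header, no version footer on generated pages.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# Option keywords that turn directory listings on. "All" enables Indexes too;
# "-Indexes" (explicit removal) is deliberately not in this set.
LISTING_OPTIONS = {"indexes", "+indexes", "all"}


def audit_httpd_conf(text: str) -> list:
    """Return a list of findings for the configuration text, empty if clean.
    Comments are stripped, directives are matched case-insensitively, and the
    last occurrence of ServerTokens / ServerSignature wins, as in Apache."""
    findings = []
    tokens = None      # unset means Apache's default, which is Full
    signature = None   # unset means Apache's default, which is Off
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "servertokens" and len(parts) > 1:
            tokens = parts[1]
        elif directive == "serversignature" and len(parts) > 1:
            signature = parts[1]
        elif directive == "options":
            if any(opt.lower() in LISTING_OPTIONS for opt in parts[1:]):
                findings.append("directory listing enabled: " + line)
    if tokens is None or tokens.lower() != "prod":
        shown = tokens if tokens is not None else "unset (defaults to Full)"
        findings.append("ServerTokens is %s; set ServerTokens Prod" % shown)
    if signature is not None and signature.lower() != "off":
        findings.append("ServerSignature is %s; set ServerSignature Off" % signature)
    return findings
```

`audit_httpd_conf(WEAK_CONF)` reports all three problems and `audit_httpd_conf(HARDENED_CONF)` reports none. Hiding the version is not a substitute for patching Apache 1.3.11, but removing the listing and the footer takes the server out of the search results that this kind of target selection depends on.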

  • Defacer's Target Selection: Web Searches

    http://www.netstat.ru

  • Defacer's Target Selection: Host Scanning

    Nmap's OS detection feature (-O) provides a decent guess as to the operating system of the target

  • Defacer's Target Selection: Host Scanning

    http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.

  • Defacer's Attack

    Once the target and the exploit are selected, the attacker launches the attack against the server.

    If the attack fails, the attacker will often modify the attack and try again.

  • Questions?