Hacking Methodologies


Page 1: Hacking Methodologies

Hacking Methodologies

An overview of historical hacking approaches

Johnny Long
http://johnny.ihackstuff.com
[email protected]

Page 2: Hacking Methodologies

Varied Approaches

- "Old School": Slow, careful, precise, invasive
- "Pros": Fast, careful, precise, sometimes invasive
- "Skript Kiddies": Slow, reckless, imprecise, invasive
- "Defacers": Fast, reckless, precise, mildly invasive

Page 3: Hacking Methodologies

Old school

For years, information security pundits have followed and believed in a "hacking methodology" which described the steps a hacker classically followed when performing an attack.

That methodology consists of these basic steps:

- Information Gathering
- Probe
- Attack
- Advancement
- Entrenchment
- Infiltration/Extraction

Page 4: Hacking Methodologies

Old School: Information Gathering

- Decide and discover which targets to attack
- Often begin with a specific network or a specific company
- Whois, nslookup queries
- samspade.org
- Search engines ("googlescanning")

Page 5: Hacking Methodologies

Old School: Probe

Scan specific targets for vulnerabilities:

- Sweep ranges of ports with a port scanner (nmap)
- Grab details such as service versions from the discovered ports, aka "banner grabbing" (netcat)
- NT: Connect to and enumerate information from NetBIOS (enum)
- Search the Internet for vulnerabilities based on the versions of software found on the targets
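Banner grabbing, the step above that the deck does with netcat, done in code: an added example that is not part of the original slides. It connects, optionally sends a probe (HTTP servers say nothing until asked), reads whatever the service volunteers, and pulls a product/version pair out of the banner shapes that were common at the time (SSH, SMTP, FTP, HTTP). The host name, ports and the sample banners in the tests are constructed; the parsing heuristic (first token containing a "digit.digit" run, product taken from its alphabetic prefix or the previous word) is this example's own and will not recognise every banner.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Connect to host:port, optionally send 'probe', then return the service's
 * first output. Returns bytes read, 0 if it stayed silent, -1 if the
 * connection could not be made. */
int grab_banner(const char *host, const char *port, const char *probe,
                char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    int n = -1;
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) == 0) {
        struct timeval tv = { 3, 0 };           /* give up on mute services */
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        if (probe)
            send(fd, probe, strlen(probe), 0);
        n = (int)recv(fd, out, outlen - 1, 0);
        if (n < 0) n = 0;                       /* timeout: connected, no banner */
        out[n] = '\0';
    }
    if (fd >= 0) close(fd);
    freeaddrinfo(res);
    return n;
}

/* Heuristic parser: the version is the first token holding a "<digit>.<digit>"
 * run; the product is that token's alphabetic prefix (Apache/1.3.11,
 * OpenSSH_2.9p2, wu-2.6.1-16) or else the previous token (Sendmail 8.11.6).
 * Returns 1 on success, 0 if no version-looking token exists. */
int parse_banner(const char *banner, char *product, size_t plen,
                 char *version, size_t vlen)
{
    char copy[512];
    snprintf(copy, sizeof copy, "%s", banner);
    char *save = NULL, *prev = NULL;
    for (char *tok = strtok_r(copy, " \t\r\n", &save); tok;
         prev = tok, tok = strtok_r(NULL, " \t\r\n", &save)) {
        if (strncmp(tok, "SSH-", 4) == 0) {     /* SSH-2.0-OpenSSH_2.9p2: skip protocol part */
            char *p = strchr(tok + 4, '-');
            if (p) tok = p + 1;
        } else if (strncmp(tok, "HTTP/", 5) == 0) {
            continue;                           /* status line, not the server */
        }
        size_t i, found = 0;
        for (i = 0; tok[i] && tok[i + 1] && tok[i + 2]; i++)
            if (isdigit((unsigned char)tok[i]) && tok[i + 1] == '.' &&
                isdigit((unsigned char)tok[i + 2])) { found = 1; break; }
        if (!found)
            continue;
        while (i > 0 && isdigit((unsigned char)tok[i - 1])) i--;   /* "10.5": back to the 1 */
        size_t pl = i;
        while (pl > 0 && strchr("/_-", tok[pl - 1])) pl--;         /* drop the separator */
        if (pl > 0)
            snprintf(product, plen, "%.*s", (int)pl, tok);
        else
            snprintf(product, plen, "%s", prev ? prev : "unknown");
        snprintf(version, vlen, "%s", tok + i);
        size_t vl = strlen(version);            /* "8.11.6;" -> "8.11.6" */
        while (vl > 0 && strchr(";,)", version[vl - 1])) version[--vl] = '\0';
        return 1;
    }
    return 0;
}

/* Does a banner parse to the expected product and version? */
int banner_is(const char *banner, const char *want_product, const char *want_version)
{
    char p[64], v[64];
    return parse_banner(banner, p, sizeof p, v, sizeof v) == 1 &&
           strcmp(p, want_product) == 0 && strcmp(v, want_version) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); return 1; }
    char banner[512], p[64], v[64];
    const char *probe = strcmp(argv[2], "80") == 0 ? "HEAD / HTTP/1.0\r\n\r\n" : NULL;
    if (grab_banner(argv[1], argv[2], probe, banner, sizeof banner) < 0) return 1;
    if (parse_banner(banner, p, sizeof p, v, sizeof v))
        printf("%s:%s -> %s %s\n", argv[1], argv[2], p, v);
    else
        printf("%s:%s -> unrecognised banner: %s\n", argv[1], argv[2], banner);
    return 0;
}
```

The parsed product/version is exactly what the next slide's "search the Internet for vulnerabilities" step is keyed on, and exactly what an administrator can take away from an attacker by trimming or faking banners; nmap's version detection uses the same idea with a much larger signature database.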

Page 6: Hacking Methodologies

Old School: Probe

- NMAP (http://www.insecure.org/nmap)
- Superscan (http://www.webattack.com/get/superscan.shtml)
- Nessus (http://www.nessus.org)
- Whisker (http://sourceforge.net/projects/whisker/)
- Netcat (http://www.atstake.com/research/tools/)
- Enum (http://razor.bindview.com/tools/index.shtml)
- THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d=probe-4.1.tar.gz)

Page 7: Hacking Methodologies

Old School: Probe

Nmap is used to scan the ports of the target system. The -O option additionally fingerprints the operating system from the way the target's TCP/IP stack answers unusual packets.

Page 8: Hacking Methodologies

Old School: Probe

Nmap's guess at the operating system type.

Page 9: Hacking Methodologies

Old School: Probe

Some services register with RPC rather than listening on a fixed, well-known port. rpcinfo (rpcinfo -p target) asks the portmapper on port 111 which RPC programs, versions and ports are currently registered, so these services show up even when a port scan alone would not identify them.

Page 10: Hacking Methodologies

Old School: Attack

- Gather compatible exploits
- Compile exploits (if required)
- Launch exploits against targets
- Modify parameters, re-launch exploits (if required)

Page 11: Hacking Methodologies

Old School: Attack

There are many different types of attacks, which can be broken down into several classifications.

The attacks are performed from one of two perspectives:

- Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
- Remote: The attacker exploits the target box without first gaining access to a command shell

Page 12: Hacking Methodologies

Attacks: Buffer Overflow

Aka the "boundary condition error": stuff more data into a buffer than it can handle. The excess overwrites whatever the compiler placed next to the buffer (on the stack, typically the saved return address), so the overflowed data "falls" into a precise location and the program ends up executing attacker-supplied code.

- Local overflows are executed while logged into the target system
- Remote overflows are executed by processes running on the target that the attacker "connects" to
- Result: Commands are executed at the privilege level of the overflowed program
- Example: SNMPXDMID overflow (Solaris 6-8), http://www.securityfocus.com/bid/2417

Page 13: Hacking Methodologies

Attacks: Input Validation

- A process does not "strip" (validate) input before processing it, e.g. special shell characters such as semicolons and pipe symbols
- An attacker provides data in unexpected fields, e.g. SQL database parameters

Page 14: Hacking Methodologies

Attacks: Input Validation

Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)

"A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected."
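The two attack classes above (the buffer overflow, and the input-validation error of which the Trillian #%n%n%n channel name is an instance) side by side in C, each vulnerable function next to its hardened form. This is an added example, not code from the deck or from any of the programs it names; NAME_LEN, the greeting and logging functions and the inputs in the tests are illustrative.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Boundary condition error: strcpy() copies until it sees a NUL, so input of
 * NAME_LEN bytes or more runs past 'name' into whatever the compiler laid out
 * next in this frame (saved registers, the return address). An exploit sizes
 * its input so the bytes landing on the return address point back into the
 * buffer, where it has placed shellcode. */
int greet_unsafe(const char *input, char *out, size_t outlen)
{
    char name[NAME_LEN];
    strcpy(name, input);                      /* no bound: the vulnerability */
    return snprintf(out, outlen, "hello %s", name);
}

/* Hardened: measure against the bound first and refuse (rather than silently
 * truncate) anything that would not fit together with its terminator. */
int greet_safe(const char *input, char *out, size_t outlen)
{
    char name[NAME_LEN];
    size_t n = strnlen(input, NAME_LEN);      /* never reads past NAME_LEN bytes */
    if (n == NAME_LEN)
        return -1;                            /* >= NAME_LEN bytes: would overflow */
    memcpy(name, input, n + 1);               /* n+1 <= NAME_LEN, includes the NUL */
    return snprintf(out, outlen, "hello %s", name);
}

/* Input validation error: user data used as the *format* string. "%x" then
 * reads words off the stack and "%n" writes to addresses found there, which
 * is what a channel name of #%n%n%n does to a vulnerable client. */
int log_unsafe(const char *msg, char *out, size_t outlen)
{
    return snprintf(out, outlen, msg);        /* msg interpreted as a format */
}

/* Hardened: the format is a constant; user data only ever fills a "%s". */
int log_safe(const char *msg, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Defence in depth for code that must hand a string to a printf-family call:
 * reject anything carrying a directive ("%%" is a literal percent sign). */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Helpers that run the hardened versions and compare against expected text. */
int safe_greeting_is(const char *input, const char *expected)
{
    char out[64];
    return greet_safe(input, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

int safe_greeting_refuses(const char *input)
{
    char out[64];
    return greet_safe(input, out, sizeof out) == -1;
}

int safe_log_is(const char *input, const char *expected)
{
    char out[64];
    return log_safe(input, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}
```

The unsafe versions are kept only to show the defect; calling greet_unsafe with a long string or log_unsafe with "%n" in the input is undefined behaviour and is not exercised here. Note that the "strip special characters" advice on the previous slide is the weaker fix: the format-string bug is closed by never letting user data reach the format argument, and has_format_directive is only a second line of defence.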

Page 15: Hacking Methodologies

Attacks: Race Conditions

An attacker forces an action during a sensitive time window between two operations:

- A program checks to make sure the output file "/tmp/temp_output" does not exist
- The program wanders off and does other stuff...
- An attacker quickly creates a symlink from "/tmp/temp_output" to "/etc/shadow"
- The program writes to "/tmp/temp_output", which clobbers "/etc/shadow"

The defect is the gap between the check and the use (a time-of-check/time-of-use bug); the fix is to make the creation itself atomic, e.g. open() with O_CREAT|O_EXCL, rather than to check first and create later.

Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
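The race above played out in code, as an added example that is not part of the deck: the check-then-create pattern next to the atomic O_CREAT|O_EXCL|O_NOFOLLOW version, with a hook standing in for "the program wanders off" during which the attacker plants the symlink. It runs against a stand-in for /etc/shadow in a private temporary directory rather than against /tmp itself; the file names and contents are constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Called between the check and the write: stands in for "the program
 * wanders off and does other stuff", which is the attacker's window. */
typedef void (*window_hook)(const char *path, void *ctx);

/* Vulnerable: separate check, then create. open() resolves whatever is at
 * 'path' when it runs, so a symlink planted in the window redirects the
 * write (the slide's /tmp/temp_output -> /etc/shadow). */
int write_output_unsafe(const char *path, const char *data, window_hook during, void *ctx)
{
    if (access(path, F_OK) == 0)
        return -1;                                  /* "output file must not exist" */
    if (during)
        during(path, ctx);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, data, strlen(data)) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Hardened: no separate check. O_CREAT|O_EXCL makes "create only if absent"
 * one atomic kernel operation that refuses to follow a symlink at the final
 * component (EEXIST); O_NOFOLLOW is belt and braces (ELOOP if it trips first). */
int write_output_safe(const char *path, const char *data, window_hook during, void *ctx)
{
    if (during)
        during(path, ctx);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, data, strlen(data)) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* The attacker's move: point the expected output name at the victim file. */
static void plant_symlink(const char *path, void *ctx)
{
    symlink((const char *)ctx, path);
}

static int file_contains(const char *path, const char *expected)
{
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expected) == 0;
}

static int write_victim(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "root:secret\n", 12) != 12) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Plays both versions against a stand-in for /etc/shadow. Returns 1 when the
 * unsafe version clobbered the victim and the safe version refused, leaving
 * it intact; 0 for any other outcome; -1 if the temp directory failed. */
int demo_race(void)
{
    char dir[] = "/tmp/race.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char victim[300], out[300];
    snprintf(victim, sizeof victim, "%s/shadow", dir);
    snprintf(out, sizeof out, "%s/temp_output", dir);

    int result = 0;
    if (write_victim(victim) == 0) {
        int unsafe_rc = write_output_unsafe(out, "pwned\n", plant_symlink, victim);
        int clobbered = file_contains(victim, "pwned\n");

        unlink(out);                                /* remove the symlink, reset the victim */
        int safe_rc = -2, safe_errno = 0;
        if (write_victim(victim) == 0) {
            safe_rc = write_output_safe(out, "pwned\n", plant_symlink, victim);
            safe_errno = errno;
        }
        int intact = file_contains(victim, "root:secret\n");
        result = (unsafe_rc == 0 && clobbered && safe_rc == -1 &&
                  (safe_errno == EEXIST || safe_errno == ELOOP) && intact);
    }
    unlink(out);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_race();
    printf("unsafe version clobbered the victim, safe version refused: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The demo deliberately uses its own directory: on Linux kernels with fs.protected_symlinks enabled, a symlink in a world-writable sticky directory such as /tmp is not followed unless its owner matches the follower or the directory owner, which blunts this particular attack on /tmp but does nothing for check-then-create code elsewhere. The safe version also works when the program must write to a path an attacker can pre-create, because EEXIST is then a signal to abort rather than a file to overwrite.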

Page 16: Hacking Methodologies

Attacks: Environment Errors

An attacker makes a change to a program's environment that was not expected.

For example, a program relies on the UNIX environment variable $USER to determine who is running the program. An attacker sets this value to "root" before executing the program. The environment is entirely under the caller's control; only the kernel-supplied identity (getuid/geteuid) is trustworthy.
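The $USER trick above next to the checks that do not fall for it, as an added example (not from the deck): the environment-based test, the uid-based test, name lookup via the password database, and a scrub that gives a privileged program a known environment before it executes anything else. The PATH value set by the scrub is an assumption for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

/* Vulnerable: $USER is just a string the parent process chose to export.
 * Anyone can run   USER=root ./program   and this returns 1. */
int is_root_by_env(void)
{
    const char *u = getenv("USER");
    return u != NULL && strcmp(u, "root") == 0;
}

/* Hardened: ask the kernel. The effective uid is set at exec (and by setuid
 * bits), never by the caller's environment. */
int is_root_by_uid(void)
{
    return geteuid() == 0;
}

/* If a name is needed (logging, a home directory), derive it from the real
 * uid via the password database instead of trusting $USER or $HOME. */
const char *real_username(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    snprintf(buf, len, "%s", pw ? pw->pw_name : "?");
    return buf;
}

/* A privileged program should start from an environment it built itself:
 * drop everything, then set only what it needs. That also removes PATH, IFS
 * and LD_* manipulation aimed at anything it later executes. */
int scrub_environment(void)
{
    if (clearenv() != 0)
        return -1;
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0)   /* assumed safe PATH for the example */
        return -1;
    return 0;
}

/* The slide's attack: export USER=root, then compare the two checks.
 * Returns 1 when the environment check is fooled while the uid check is not
 * (the process is not really root), 0 otherwise. */
int demo_env_attack(void)
{
    setenv("USER", "root", 1);
    return is_root_by_env() && !is_root_by_uid();
}

int main(void)
{
    char name[64];
    int fooled = demo_env_attack();
    printf("USER=root: env check says root=%d, kernel says root=%d (uid name %s), fooled=%d\n",
           is_root_by_env(), is_root_by_uid(), real_username(name, sizeof name), fooled);
    return 0;
}
```

The same reasoning applies to $HOME, $PATH, $IFS and the LD_* loader variables: a setuid program that consults any of them is letting its caller participate in its privileged decisions.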

Page 17: Hacking Methodologies

Attacks: Weak Passwords

- Accounts with weak passwords are guessed by a remote attacker (online, one login attempt at a time, against the service itself)
- Accounts with weak passwords are cracked by an attacker with access to a password database (offline, against the hashes, with no lockout or logging to worry about)
- THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)

Page 18: Hacking Methodologies

Attack: Exploit Sites

- SecurityFocus (http://www.securityfocus.com)
- Packetstorm (http://packetstormsecurity.org)
- New Order (http://neworder.box.sk/)
- Hack in the Box (http://www.hackinthebox.org/)
- phreak.org (http://www.phreak.org/archives/exploits/unix/)

Page 19: Hacking Methodologies

Old School: Attack phases

The Attack is most often broken into several phases (perhaps running cyclically):

- Locating Exploits
- Getting Exploits
- Modification of Exploits
- Building Exploits
- Testing Exploits
- Running Exploits

Page 20: Hacking Methodologies

Old School: Locating exploits

Page 21: Hacking Methodologies

Old School: Locating exploits

Page 22: Hacking Methodologies

Old School: Getting Exploits

The 'wget' program downloads the exploit to the attacker's machine.

Page 23: Hacking Methodologies

Old School: Modifying exploit

(-lsocket won't work)

Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed so the exploit links on our RedHat 7.2 attack box: the exploit was written for Solaris, where the socket functions live in a separate libsocket, whereas on Linux they are part of libc and there is no libsocket for the linker to find.

Page 24: Hacking Methodologies

Old School: Building Exploit

Some exploits come complete with a Makefile, so a simple 'make' command is all that's required to build the exploit.

Page 25: Hacking Methodologies

Old School: Building Exploit

The make command successfully produces the exploit, in this case 'automountdexp'.

Page 26: Hacking Methodologies

Old School: Testing Exploit

The '-h' parameter shows the usage for this exploit.

Page 27: Hacking Methodologies

Old School: Attack: Running Exploit

This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker appends a line to /etc/inet/inetd.conf and a line to /etc/services. When the system is restarted (or inetd re-reads its configuration, e.g. after a SIGHUP) a listening root shell is opened on port 31337.

Page 28: Hacking Methodologies

Old School: Attack: Success!

The attacker connects to port 31337 on the target and is greeted with a root prompt.

Page 29: Hacking Methodologies

Old School: Advancement (optional)

If needed, gain further access to targets by further exploitation:

- Trojans
- Local Exploits

The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits.

Page 30: Hacking Methodologies

Old School: Entrenchment

Modify targets to ensure future access:

- Backdoors
- Rootkits

Page 31: Hacking Methodologies

Entrenchment: Backdoors

Linux: non-listening backdoor programs = no listening port!

- SAdoor (http://cmn.listprojects.darklab.org/)
- cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)

NT/2K:

- Fake GINA: username and password interceptor (http://www.rootkit.com/projects/ginatroj/)
- NTKap: removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)

Page 32: Hacking Methodologies

Entrenchment: Rootkits

Linux:

- LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz)
- ADORE (http://online.securityfocus.com/tools/1490)
- KNARK (http://online.securityfocus.com/tools/1163)

NT:

- NT Rootkit (http://www.rootkit.com/projects/ntroot/)
- NULL.SYS (http://www.rootkit.com/projects/nullsys/)

Page 33: Hacking Methodologies

Old School: Infiltration/Extraction

- Install sniffers to monitor network traffic, gather usernames/passwords
- Extract data from compromised systems
- Compromise neighboring targets based on captured data or trust relationships

Page 34: Hacking Methodologies

Professionals

Professional hackers, or ethical hackers, tend to follow this methodology:

- Information Gathering
- Probe
- Attack
- Advancement
- Infiltration/Extraction

Page 35: Hacking Methodologies

Professionals

Most often, professional ethical hackers rely on "vulnerability scanners" to perform their jobs:

- Nessus
- Retina by eEye
- Network Associates CyberCop
- H.E.A.T.
- Internet Security Systems Internet Scanner

(see http://www.networkcomputing.com/1201/1201f1b1.html)

Page 36: Hacking Methodologies

Professionals

Vulnerability Scanner Demo

Page 37: Hacking Methodologies

"Skript Kiddies"

Page 38: Hacking Methodologies

Skript Kiddies

Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic.)

- Exploit Selection
- Target Selection
- Attack

Page 39: Hacking Methodologies

Skript Kiddies: Exploit Selection

Nearly identical to the "Old School" method of locating exploits, skript kiddies generally use search engines to locate exploits.

Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on the attack platforms available (generally Windows-based) and ease of use.

Page 40: Hacking Methodologies

Skript Kiddies: Target Selection

Most target selection involves noisy scanners, often launched from Windows platforms.

An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.

Page 41: Hacking Methodologies

Skript Kiddies: Attack!

- Unlike old-school attacks, Skript Kiddies' tools are generally pre-compiled, or written in interpreted languages such as PERL
- If an exploit needs to be built, most kiddies will not be able to get it working
- If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical.

Page 42: Hacking Methodologies

"Defacers"

Page 43: Hacking Methodologies

Web Defacers

While "old school" methods are still in use, web defacers statistically own the hacking landscape.

http://www.alldas.org

Page 44: Hacking Methodologies

Profile of a web defacer

- Handle: intrud3rm4n
- Age: 21
- Group: Leader of ISOTK (In Search of the Knowledge!)
- Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements
- My favorite defacement: http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/
- Country of Origin: Brazil
- Language: Portuguese
- Favorite Hacking food: Hamburgers and Fries
- Favorite Hacking Music: Metallica =)
- Favorite exploit: whacking LINUX boxen
- Reason for defacing: FUN

Page 45: Hacking Methodologies

Defaced: Cap Gemini

Page 46: Hacking Methodologies

Following web defacers: http://www.alldas.org

Page 47: Hacking Methodologies

Following web defacers: http://www.zone-h.com/en/defacements

Page 48: Hacking Methodologies

Following web defacers: http://www.delta5.com.br/mirror/

Page 49: Hacking Methodologies

Common Web Defacement Methodology

Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!

The web defacement methodology (again, often cyclical) is generally as follows:

- Exploit Selection
- Target Selection
- Attack
- Defacement

Page 50: Hacking Methodologies

Web Defacement

Amateur defacers usually stick with one exploit and one target platform.

Page 51: Hacking Methodologies

Defacer's Exploit Selection

An attacker's level of comfort with an operating system will often decide the types of exploits used:

- UNIX-based attackers often opt for C-based remote overflows
- Windows-based attackers often opt for perl-based remote overflows, Visual Basic tools, or command-line "net" commands
- Attackers with only browser-based experience, or simplistic attackers seeking privacy through proxies, will opt for URL-based attacks such as UNICODE or DECODE (the IIS directory-traversal bugs), FrontPage exploits, or PHP-Nuke attacks

Page 52: Hacking Methodologies

Defacer's Search for Exploits

Often an amateur defacer will monitor popular security sites (such as SecurityFocus) to select exploits.

Page 53: Hacking Methodologies

Defacer's Target Selection

Armed with an exploit, most web defacers now search for vulnerable targets using various methods:

Web searching:
- Netcraft
- Netstat (the netstat.ru site, not the command)
- Google

Host scanning:
- Nmap
- Custom scanners

Page 54: Hacking Methodologies

Defacer's Target Selection: Web Searches

http://www.netcraft.com

Page 55: Hacking Methodologies

Defacer's Target Selection: Web Searches

Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn't been explored in great detail.

http://johnny.ihackstuff.com/security/googledorks.shtml

Page 56: Hacking Methodologies

Defacer's Target Selection: Web Searches

Google query: intitle:"Index of" "Apache 1.3.11"

Here, Apache 1.3.11 servers are located through creative use of the Google search engine: the directory-listing pages those servers generate include the exact server version in their footer, so the version string becomes a search term. The target never sees the scan.

Page 57: Hacking Methodologies

Defacer's Target Selection: Web Searches

http://www.netstat.ru

Page 58: Hacking Methodologies

Defacer's Target Selection: Host Scanning

Nmap's OS detection feature (-O) provides a decent guess as to the operating system of the target.

Page 59: Hacking Methodologies

Defacer's Target Selection: Host Scanning

http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.

Page 60: Hacking Methodologies

Defacer's Attack

Once the target and the exploit are selected, the attacker launches the attack against the server.

If the attack fails, the attacker will often modify the attack and try again.

Page 61: Hacking Methodologies

Questions?