xdxdxd123

Untitled

May 24th, 2017
Thinking like a hacker
March 7, 2002 — By Eric Schultze, Chief Security Architect, Shavlik Technologies

Thinking like a successful hacker is not much different from thinking like a good developer. The most successful hackers follow a specific methodology that they have developed over time. They apply patience and carefully document every step of their work, much like developers.

The hacker's objective is to compromise the intended target or application. The hacker begins with little or no information about the target; however, by the end of the analysis, the attacker will have constructed a detailed roadmap that will allow them to compromise the target. This can only be achieved through careful analysis and a methodical approach to investigating the soon-to-be-victim.

The hacker's systematic method generally covers these seven steps:
1. Perform a footprint analysis
2. Enumerate information
3. Obtain access through user manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system

This article shows you how hackers approach the tasks of breaking into networks and systems and compromising software applications. By knowing more about the hackers' methodology, you can beat them at their own game.
Perform a footprint analysis

The attacker first identifies the various domain names that he's interested in exploiting. He then performs a footprint analysis of the target to gather as much information as possible through publicly available sources. The footprint analysis gives the hacker an indication of how large the target might be, how many potential entry points exist, and what, if any, security mechanisms might exist to thwart the attack.

During a footprint analysis, the hacker attempts to discover all potentially related information that may be useful during the attack. This information includes:
- Company names
- Domain names
- Business subsidiaries
- Internet Protocol (IP) networks
- Phone numbers

Hackers pay particular attention to potential entry points that might circumvent the "front door." For example, rather than attempting to break through a major corporation's firewall, the attacker identifies a startup company (just acquired by the major corporation) and then attempts to leverage weak security in the smaller company that might provide unrestricted virtual private network (VPN) access to the larger target.

Port scanners are used to determine which hosts are alive on the Internet, which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are listening on each system, and the operating system that is installed on each host. Traceroutes are performed to help identify the relationship of each host to every other and to identify potential security mechanisms between the attacker and the target.

After the port scanning and tracerouting is finished, attackers create a network map that represents their understanding of the target's Internet footprint. This map is used for the second phase of the attack: information enumeration.

Commonly used tools
- Nslookup: Command line tool in Windows NT 4.0, Windows 2000, and Windows XP that can be used to perform DNS queries and zone transfers.
- Tracert: Command line tool used by hackers to create network maps of the target's network presence.
- SamSpade: The SamSpade.org Web interface that performs Whois lookups, forward and reverse DNS searches, and traceroutes.
- Nmap: Unix-based port scanner.
- ScanLine: Windows NT-based port scanner.

Things to consider
Consider using some of the same methodologies that hackers use to assess an application that they're trying to penetrate. Questions to ask yourself about the applications that you develop include:
- What is your application's footprint on the operating system?
- What partner code does the application rely upon? If the partner application is hacked, will that enable the attacker to hack your application?
- What information is the application, or system, presenting to unauthenticated users?
- What listening ports does your software open on the system? Will malformed packets or flood attacks stop the service, or consume memory or CPU cycles?
- Are there firewalls, or application chokepoints, that can be used to prevent unauthenticated users from walking in the front door?
Enumerate information

After the hackers have performed the footprint analysis and generated a map that approximates their knowledge of the target network, they then gather as much data as possible from the targeted system.

Web, FTP, and mail server version: Hackers will try to determine what version of Web, File Transfer Protocol (FTP), or mail server is running by connecting to the listening TCP and UDP ports and sending random data to each. Many services respond to this random data with a banner—data that identifies the running application and potentially version information. Hackers will cross-reference this information to vulnerability databases such as SecurityFocus to look for possible exploits.

Sensitive information: If the hackers are able to contact the host on certain ports (for example, TCP 139 or 445), they will attempt to anonymously enumerate sensitive information from the system including:
- User names
- Last logon dates
- Password change dates
- Group membership

The hacker can use the information obtained from this query in a brute force attack to gain access to the system as an authenticated user. For example, the hacker will enumerate members of the local administrators group, looking for user names like TEST or BACKUP that might have easily guessed passwords.

Commonly used tools
- Netcat (listed under Network Utility Tools): The hacker's Swiss army knife. Used for banner grabbing and port scanning, among other things.
- Epdump/Rpcdump: Tools to gain information about remote procedure call (RPC) services on a server.
- Getmac (Windows NT resource kit): Windows NT command for obtaining the media access control (MAC) Ethernet layer address and binding order for a computer running Windows NT 4.0, Windows 2000, or Windows XP.
- DumpSec: Security auditing program for Windows NT systems. It enumerates user and group details from a chosen system. This is the audit and enumeration tool of choice for Big Five auditors (PricewaterhouseCoopers, Ernst & Young, KPMG, Arthur Andersen, and Deloitte & Touche) and hackers alike.
- SDKs: Many software development kits (SDKs) provide hackers with the basic tools that they need to learn more about systems.

Things to consider
- What information can be obtained from listening ports? What level of permission is required to enumerate this information?
- Is there logging in place to determine that someone has enumerated this information?
- Does the potential exist for an authenticated user to view security-sensitive data or personally identifiable information (PII) that might raise privacy concerns?
- What banner information does the application provide to the user? Can this be suppressed or modified by the system administrator?
Obtain access through user manipulation

After the hackers have learned enough basic information about their target, they will attempt to gain access to the target system by masquerading as authorized users. This means that they need a password for a user account that they have discovered through steps one and two above. There are two common ways to get that password: by using social engineering or by using a brute force attack.

Social engineering
It's amazing what an unsuspecting employee will do for someone who sounds authoritative. Some hackers will take the information that they acquired from the domain registration or the company's Web site and directly contact an employee by phone. With a little conning, they can get that employee to reveal their password without raising any concerns. Their conversations might go something like this:

"This is the help desk and we're troubleshooting various network segments. I'm sniffing the network segment you're on, and I'd like to watch the network as you type in your password. Please tell me each character of your password as you type it in, and I will watch to make sure that I see them on the network."

Or,

"We've done an audit of your password and found it to be insecure. Please change it to xYzA1G24# so that it will be less likely to be cracked in the future."

Brute force attack
If the social engineering approach doesn't work or isn't an option, there's the brute force approach. These attacks can be waged against any application or service that accepts user authentication, including (but not limited to):
- Network basic input/output system (NetBIOS) over TCP (TCP 139)
- Direct Host (TCP 445)
- Lightweight Directory Access Protocol (LDAP) (TCP 389)
- FTP (TCP 21)
- Telnet (TCP 23)
- Simple Network Management Protocol (SNMP) (UDP 161)
- Point-to-Point Tunneling Protocol (PPTP) (TCP 1723)
- Terminal Services (TCP 3389)

If the hacker is able to contact one of these services, he will use the user names gathered in earlier steps to launch a brute force attack. Brute force guessing tools leverage dictionary files that might represent the user's password. Each dictionary word (or variant thereof) is considered a potential password and is paired with each user name until access is obtained.

Typical installations of Windows NT 4.0, Windows 2000, and Windows XP will not capture this attack because failed logon auditing is not enabled by default. Unless complex passwords are present for each user account, a dictionary attack can be quite successful against an unmonitored host.

In order to mask their identity, hackers will attempt to elude detection even if failed logon auditing has been enabled. By using computer names with non-printable ASCII characters, their computer names will appear as blank in the audit logs.

Commonly used tool
- NetBIOS auditing tool: Brute force password guessing tool.

Things to consider
- Is failed logon auditing enabled by default?
- Are there server-side mechanisms that you can use to slow down or lock out a brute force attack?
- Can you trace the source of the brute force logon attack back to a specific location? What location information can you obtain? DNS name or IP address? Computer name? Gateway address or specific host address?
- Can the attackers subvert the event logs or application-specific logs after they get in?
- Does this protocol need to be turned on by default?
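The following Python script is an added example, not part of the original article. It applies two of the checks the questions above ask for to constructed failed-logon records: a source IP that fails at least THRESHOLD logons inside a short window is reported as a probable dictionary attack, and a source whose reported computer name is blank or made of non-printable characters (the masking trick described above) is reported separately. The record layout (timestamp, user, computer name, source IP), the host names and the addresses are all invented for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: timestamp, user name, source computer
# name, source IP. Sample data invented for this example, not real event
# log output. The third source reports a computer name made of control
# characters, which shows up as blank in a log viewer.
SAMPLE_LOG = (
    "2002-03-07T02:14:01,BACKUP,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T02:14:02,BACKUP,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T02:14:02,TEST,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T02:14:03,Administrator,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T02:14:04,BACKUP,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T02:14:05,TEST,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T02:14:05,Administrator,WKS-SALES-07,10.1.4.22\n"
    "2002-03-07T09:30:11,jsmith,\x01\x02\x03,10.1.7.15\n"
    "2002-03-07T09:30:12,jsmith,\x01\x02\x03,10.1.7.15\n"
    "2002-03-07T10:02:45,mlee,WKS-ENG-03,10.1.9.40\n"
)

THRESHOLD = 5                  # failures from one source IP ...
WINDOW = timedelta(minutes=1)  # ... inside this sliding window

def parse(text):
    """Split the records into (timestamp, user, computer name, source ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, ip = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, host, ip))
    return events

def masked_name(name):
    """True when the source computer name would render as blank in the log."""
    return name.strip() == "" or not name.isprintable()

def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: set of user names tried} for every source that
    produced at least `threshold` failed logons within `window`."""
    by_source = defaultdict(list)
    for ts, user, _host, ip in events:
        by_source[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {user for _, user in attempts}
                break
    return alerts

def detect_masked_sources(events):
    """Source IPs that reported a blank or unprintable computer name."""
    return sorted({ip for _, _, host, ip in events if masked_name(host)})

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ip, users in detect_bruteforce(evts).items():
        print(f"possible brute force from {ip}: {sorted(users)}")
    for ip in detect_masked_sources(evts):
        print(f"source {ip} hides its computer name in the audit log")
```

Because the computer name is attacker-controlled, correlate on the source IP rather than on the name, which is what this script does.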
Escalate privileges

After hackers have discovered a password for a user account and obtained user-level privileges to a host, they will attempt to escalate their permissions. They usually start by reviewing all the information on the host that they are able to view:
- Batch files containing hardcoded user names and passwords are a hacker's gold.
- Registry keys containing application or user passwords are also worthy of a peek.
- Reading e-mail or other documents that are stored on the system may also provide additional information to hackers that may enable them to gain privileges to other systems on the network.

If hackers are unable to enumerate any useful static information from the system, they may proceed to trojan the system. This usually involves copying malicious code to the user's system and giving it the same name as a frequently used piece of software. For example, a hacker may replace Notepad.exe with a piece of trojan code that makes someone called "Eric" an administrator on the system before the program launches Notepad. The next time the system owner logs on as administrator and launches Notepad, the "Eric" account is added to the administrators group, unbeknownst to the person who launched Notepad.

If the hacker is not willing to wait for the user to take a specific action on the system, he may leverage system services to do the dirty work for him. For example, the attacker may locate a system service that launches with administrative or system privileges, and then replace this file with a trojan file to "make Eric admin." When this system is restarted, the service will launch, causing the trojan to execute with administrative privileges.

Things to consider
- Are users able to view sensitive information?
- Are passwords for the application stored in a secure manner?
- Are passwords stored in clear text in batch files?
- What registry keys can ordinary users write to? Do any of these keys execute with higher-level (or system) privileges?
- Can user-level accounts modify the security context for services such that they can be used to launch trojans with local system privileges?
- Are there any files that the user can overwrite that are called by services running under higher levels of privileges?
Gather additional passwords and secrets

The first thing that hackers do after they have logged on to a system with administrator credentials is to obtain the password file. Hackers can use tools such as Pwdump2 to obtain the password hashes from the local security accounts manager (SAM) database or Active Directory of a domain controller. Password hashes can be fed to programs like LC3 or John the Ripper and cracked.

As an administrator, hackers can obtain the clear-text passwords from the local security authority (LSA). Specifically, passwords that are used to start services are stored (obfuscated and reversibly encrypted) in the LSA. Using tools such as Lsadump2, the clear-text passwords for the accounts that are used to start corresponding services can be enumerated.

Although this may not be a risk if the account starting the service is an administrative member on this local system (or a lesser privileged account), a larger threat may be present if the account that is used to start the service is an administrative member of the domain (or higher-level domain). In the worst instance, the hacker (as a local administrator) may be able to obtain the clear-text password for a domain administrator account for a domain that they had yet to hack.

After local, and potentially domain level, passwords have been obtained, the hacker will cross-reference user name\password combinations that have been obtained with user names that they've enumerated from other systems during the enumeration phase. With enough time or the right amount of luck, the hacker will be able to obtain administrative access to all computers in the network, having only initially compromised one computer.

Commonly used tools
- Pwdump2: Tool that can obtain password hashes from the SAM database or the Active Directory.
- Lsadump2: Tool that exposes the contents of the LSA in clear text.
- LC3: Password auditing tool that evaluates Windows NT, Windows 2000, and Windows XP password hashes.
- John the Ripper: Password cracking tool for several operating systems.

Things to consider
- Are logs generated when the password files are accessed?
- Are logs generated when the administrator attempts to inject rogue code into system processes in an attempt to access password data?
- Are passwords being stored on the system for any accounts that may have greater levels of permission than the local administrator accounts?
- Is the password for the administrator-level accounts on one system the same as the password for administrator accounts on other systems?
- Are users encouraged to select complex passwords?
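As an added example (not from the article), the Python audit below answers two of the questions above from account dumps in the user:rid:LMhash:NThash::: layout that tools like Pwdump2 produce, without cracking anything: because NT hashes are unsalted, identical hashes on different hosts mean the same password is in use, and the well-known hash of the empty password identifies accounts with no password at all. The host names, account names and every hash value except the empty-password constant are constructed for this example.

```python
from collections import defaultdict

# Constructed account dumps in the user:rid:LMhash:NThash::: layout. Host
# names, users and the LM/NT hash values are invented for this example;
# none of them are real hashes or real systems.
DUMPS = {
    "web01": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::\n"
        "svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::\n"
    ),
    "mail01": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::\n"
        "TEST:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    ),
    "db01": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::\n"
        "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::\n"
    ),
}

# NT hash of the empty password: an account carrying it has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_dump(text):
    """Yield (user, rid, nt_hash) for each account line; the LM field is skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, _lm, nt, *_rest = line.split(":")
        yield user, int(rid), nt.lower()

def shared_passwords(dumps):
    """Map every NT hash that appears on more than one host to the sorted
    (host, user) pairs sharing it. Equal unsalted hashes mean equal passwords,
    so this finds reuse across systems without recovering any password."""
    by_hash = defaultdict(set)
    for host, text in dumps.items():
        for user, _rid, nt in parse_dump(text):
            by_hash[nt].add((host, user))
    return {nt: sorted(pairs) for nt, pairs in by_hash.items()
            if len({host for host, _ in pairs}) > 1}

def blank_passwords(dumps):
    """Sorted (host, user) pairs whose NT hash is the empty-password hash."""
    return sorted((host, user) for host, text in dumps.items()
                  for user, _rid, nt in parse_dump(text) if nt == EMPTY_NT)

if __name__ == "__main__":
    for pairs in shared_passwords(DUMPS).values():
        print("same password on:", ", ".join(f"{h}\\{u}" for h, u in pairs))
    for host, user in blank_passwords(DUMPS):
        print(f"blank password: {host}\\{user}")
```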
Install backdoors

In case hackers are detected and need to leave the computer in a hurry, they frequently create a backdoor on each system they compromise. Backdoors can take many forms, but the most common is a listening port on the system that will enable the hacker to access the system remotely (with or without special credentials).

Firewalls or router filtering may prevent the hacker from later accessing these ports; however, common router filtering may not block high numbered TCP ports (or any UDP ports), or may allow traffic to pass if it originates on a specific source port, like TCP 20, 53, or 8. If strong filtering or firewalling is in place, more complex backdoors may be necessary.

One form of a complex backdoor involves reverse trafficking. Reverse trafficking enables the attacker to bypass the existing security mechanisms. While routers and firewalls may prevent all unsolicited packets from entering the network from the outside, it is highly likely that a client within the firewall is allowed to initiate a connection on a specified port number to any host on the outside. A trojan of this type might be scheduled to contact the hacker's computer on a regular basis over TCP port 80. The client computer may "push" a system-level command shell to the hacker, so the hacker can then execute code on the "protected" computer.

An example of reverse trafficking was the Code Red worm. Code Red would instruct unpatched Web servers (over TCP port 80) to execute a Trivial File Transfer Protocol (TFTP) connection from the server to a host on the Internet, where it would then obtain a piece of rogue code. The initiating traffic to the Web server over port 80 was completely legitimate (and would even pass firewalls), and in most cases, the firewalls and routers would allow the Web server to initiate a TFTP (UDP 69) connection to the hacker's computer on the Internet.

There are few, if any, valid reasons why Web servers should ever need to initiate a TFTP or server message block (SMB) connection to any host on the Internet. Firewalls and routers should be configured to block unsolicited outbound traffic originating from Web or mail servers to untrusted computers on the Internet.

Commonly used tool
- Netcat: Hacker's Swiss army knife. Can be used to "shovel shells" to remote systems.

Things to consider
- Does the system or application have any mechanism to identify trojan code that may be running on the system?
- Can the system detect devices or services that the attacker has created?
- Is there a baseline of known listening ports, services, and devices against which the system can be monitored to help determine if a rogue piece of code has been executed?
- Are security devices (firewalls, routers) configured to prevent unwanted outbound traffic from originating from each host?
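The Python script below is an added example, not part of the article, showing the two controls this section recommends as a check you can run: a listening-port baseline that reports any socket a server has grown since the baseline was approved, and an egress policy that reports outbound flows from a Web or mail server to an untrusted Internet host that the server has no business initiating (the TFTP and SMB cases above). The internal address range, host names, baseline, allow list and flow records are all constructed; the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges standing in for Internet hosts.

```python
import ipaddress

# Constructed data for the example; none of it describes a real network.
# Address ranges considered "inside"; everything else is an untrusted host.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Approved baseline of listening sockets per server, as (protocol, port).
BASELINE = {
    "web01": {("tcp", 80), ("tcp", 443)},
    "mail01": {("tcp", 25), ("tcp", 110)},
}

# Snapshot taken later: web01 has grown an extra high-numbered TCP listener.
CURRENT = {
    "web01": {("tcp", 80), ("tcp", 443), ("tcp", 31337)},
    "mail01": {("tcp", 25), ("tcp", 110)},
}

# Outbound connections each server may initiate to untrusted hosts. A Web
# server needs none; a mail server has to deliver outbound SMTP.
EGRESS_ALLOW = {
    "web01": set(),
    "mail01": {("tcp", 25)},
}

# Observed outbound flows: (host, protocol, destination ip, destination port).
OUTBOUND_FLOWS = [
    ("web01", "udp", "10.0.0.53", 53),        # DNS to the internal resolver
    ("web01", "udp", "198.51.100.23", 69),    # TFTP to an Internet host
    ("web01", "tcp", "198.51.100.23", 445),   # SMB to an Internet host
    ("mail01", "tcp", "203.0.113.9", 25),     # outbound mail delivery
]

def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def new_listeners(baseline, current):
    """Per host, listening sockets present now but absent from the baseline."""
    report = {}
    for host, sockets in current.items():
        extra = sockets - baseline.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report

def unwanted_egress(flows, allow):
    """Outbound flows to untrusted destinations that the originating host is
    not allowed to initiate. Flows to internal hosts are left out of scope."""
    return [(host, proto, dst, port) for host, proto, dst, port in flows
            if not is_internal(dst) and (proto, port) not in allow.get(host, set())]

if __name__ == "__main__":
    for host, sockets in new_listeners(BASELINE, CURRENT).items():
        print(f"{host}: listener(s) not in baseline: {sockets}")
    for host, proto, dst, port in unwanted_egress(OUTBOUND_FLOWS, EGRESS_ALLOW):
        print(f"{host}: initiated {proto}/{port} to untrusted host {dst}")
```

The same allow list, expressed as outbound rules on the border router or firewall, is what actually stops the traffic; the script only tells you where the policy and the observed behaviour disagree.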
Leverage the compromised system

Port redirectors: In order to circumvent traditional security devices, hackers may create port redirectors on the first compromised host that will automatically pass all traffic to other internal hosts. Port redirectors can help bypass port filters, routers, and firewalls, and may even be encrypted over a Secure Sockets Layer (SSL) tunnel to evade intrusion detection devices.

When a port redirector is used to traffic packets between the hacker's computer and the target system, the hacker's true identity is essentially "laundered." If the target system is enabled for failed logon auditing, or is running a third-party intrusion detection system, it will record the IP address or computer name of the host running the port redirector, not the hacker's computer. This may make it very difficult for the attacker to be identified, as all traffic going to and coming from the target system appears to be legitimate connections to the computer that is proxying the hacker's traffic by means of the port redirector.

Hacking other systems: After the hacker has fully hacked the local system, installed their backdoors and port redirectors, and obtained all the information available to them, they will proceed to hack other systems on the network. Most often there are matching service, administrator, or support accounts residing on each system that make it easy for the attacker to compromise each system in a short amount of time. As each new system is hacked, the attacker performs the steps outlined above to gather additional system and password information.

Attackers continue to leverage information on each system until they identify passwords for accounts that reside on highly prized systems including payroll, root domain controllers, and Web servers. The process of scanning and exploiting systems in this manner can often be automated, letting hackers grab a few hours of rest, or allowing them to focus their attentions on other areas of the target company.

It's difficult to identify this type of activity because the attacker is usually operating under the guise of a valid administrator account. Unless the attacker is caught before he gains administrator access, it may be nearly impossible to flush him from the network.

Commonly used tool
- Fpipe: A port redirector for Windows systems. Allows the source port for redirected traffic to be specified.

Things to consider
- Are processes in place to monitor system logs across multiple computers and correlate attack sequences to suggest that an automated attack is in process?
- Are group memberships reviewed on a regular basis to ensure that new "hacker accounts" haven't been added to administrative groups?
Resources
- Microsoft Security Web site. Public Web site with links to security bulletins and product security information.
- Hacking Exposed: Network Security Secrets and Solutions, Third Edition. Stuart McClure, Joel Scambray, and George Kurtz take a comprehensive look at hacker methodologies across multiple platforms and devices.
- Hacking Exposed Windows 2000: Network Security Secrets and Solutions. Scambray and McClure detail hacker techniques specific to Microsoft platforms.