Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Thinking like a hacker
- March 7, 2002 — By Eric Schultze, Chief Security Architect, Shavlik Technologies
- Thinking like a successful hacker is not much different from thinking like a good
- developer. The most successful hackers follow a specific methodology that they have
- developed over time. They apply patience and carefully document every step of their
- work, much like developers.
- The hacker's objective is to compromise the intended target or application. The hacker
- begins with little or no information about the target; however, by the end of the analysis,
- the attacker will have constructed a detailed roadmap that will allow them to compromise
- the target. This can only be achieved through careful analysis and a methodical approach
- to investigating the soon-to-be-victim.
- The hacker's systematic method generally covers these seven steps:
- 1. Perform a footprint analysis
- 2. Enumerate information
- 3. Obtain access through user manipulation
- 4. Escalate privileges
- 5. Gather additional passwords and secrets
- 6. Install backdoors
- 7. Leverage the compromised system
- This article shows you how hackers approach the tasks of breaking into networks and
- systems and compromising software applications. By knowing more about the hackers'
- methodology, you can beat them at their own game.
- Perform a footprint analysis
- The attacker first identifies the various domain names that he's interested in exploiting.
- He then performs a footprint analysis of the target to gather as much information as
- possible through publicly available sources. The footprint analysis gives the hacker an
- indication of how large the target might be, how many potential entry points exist, and
- what, if any, security mechanisms might exist to thwart the attack.
- During a footprint analysis, the hacker attempts to discover all potentially related
- information that may be useful during the attack. This information includes:
- Company names
- Domain names
- Business subsidiaries
- Internet Protocol (IP) networks
- Phone numbers
- Hackers pay particular attention to potential entry points that might circumvent the "front
- door." For example, rather than attempting to break through a major corporation's
- firewall, the attacker identifies a startup company (just acquired by the major
- corporation) and then attempts to leverage weak security in the smaller company that
- might provide unrestricted virtual private network (VPN) access to the larger target.
- Port scanners are used to determine which hosts are alive on the Internet, which
- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are
- listening on each system, and the operating system that is installed on each host.
- Traceroutes are performed to help identify the relationship of each host to every other and
- to identify potential security mechanisms between the attacker and the target.
- After the port scanning and tracerouting is finished, attackers create a network map that
- represents their understanding of the target's Internet footprint. This map is used for the
- second phase of the attack: information enumeration.
- Commonly used tools
- Nslookup Command line tool in Windows NT 4.0, Windows 2000, and Windows XP
- that can be used to perform DNS queries and zone transfers.
- Tracert Command line tool used by hackers to create network maps of the target's
- network presence.
- SamSpade The SamSpade.org Web interface that performs Whois lookups, forward and
- reverse DNS searches, and traceroutes.
- Nmap Unix-based port scanner.
- ScanLine Windows NT-based port scanner.
- Things to consider
- Look at utilizing some of same methodologies that hackers use to assess an application
- that they're trying to penetrate. Questions to ask yourself about the applications that you
- develop include:
- What is your application's footprint on the operating system?
- What partner code does the application rely upon? If the partner application is
- hacked, will that enable the attacker to hack your application?
- What information is the application, or system, presenting to unauthenticated
- users?
- What listening ports does your software open on the system? Will malformed
- packets or flood attacks stop the service, or consume memory or CPU cycles?
- Are there firewalls, or application chokepoints, that can be used to prevent
- unauthenticated users from walking in the front door?
- Enumerate information
- After the hackers have performed the footprint analysis and generated a map that
- approximates their knowledge of the target network, they then gather as much data as
- possible from the targeted system.
- Web, FTP, and mail server version Hackers will try to determine what version of
- Web, File Transfer Protocol (FTP), or mail server is running by connecting to the
- listening TCP and UDP ports and sending random data to each. Many services respond to
- this random data with a banner—data that identifies the running application and
- potentially version information. Hackers will cross-reference this information to
- vulnerability databases such as SecurityFocus to look for possible exploits.
- Sensitive information If the hackers are able to contact the host on certain ports (for
- example, TCP 139 or 445), they will attempt to anonymously enumerate sensitive
- information from the system including:
- User names
- Last logon dates
- Password change dates
- Group membership
- The hacker can use the information obtained from this query in a brute force attack to
- gain access to the system as an authenticated user. For example, the hacker will
- enumerate members of the local administrators group, looking for user names like TEST
- or BACKUP that might have easily guessed passwords.
- Commonly used tools
- Netcat (listed under Network Utility Tools) The hacker's Swiss army knife. Used for
- banner grabbing and port scanning, among other things.
- Epdump/Rpcdump Tools to gain information about remote procedure call (RPC)
- services on a server.
- Getmac (Windows NT resource kit) Windows NT command to obtaining the media
- access control (MAC) Ethernet layer address and binding order for a computer running
- Windows NT 4.0, Windows 2000, or Windows XP.
- DumpSec Security auditing program for Windows NT systems. It enumerates user and
- group details from a chosen system. This is the audit and enumeration tool of choice for
- Big Five auditors (PricewaterhouseCoopers, Ernst & Young, KPMG, Arthur Andersen,
- and Deloitte & Touche) and hackers alike.
- SDKs Many software development kits (SDKs) provide hackers with the basic tools that
- they need to learn more about systems.
- Things to consider
- What information can be obtained from listening ports? What level of permission
- is required to enumerate this information?
- Is there logging in place to determine that someone has enumerated this
- information?
- Does the potential exist for an authenticated user to view security-sensitive data or
- personally identified information (PII) that might compromise privacy concerns?
- What banner information does the application provide to the user? Can this be
- suppressed or modified by the system administrator?
- Obtain access through user manipulation
- After the hackers have learned enough basic information about their target, they will
- attempt to gain access to the target system by masquerading as authorized users. This
- means that they need a password for a user account that they have discovered through
- steps one and two above. There are two common ways to get that password: by using
- social engineering or by using a brute force attack.
- Social engineering
- It's amazing what an unsuspecting employee will do for someone who sounds
- authoritative. Some hackers will take the information that they acquired from the domain
- registration or the company's Web site and directly contact an employee by phone.
- With a little conning, they can get that employee to reveal their password without raising
- any concerns. Their conversations might go something like this:
- This is the help desk and we're troubleshooting various network segments. I'm
- sniffing the network segment you're on, and I'd like to watch the network as you
- type in your password. Please tell me each character of your password as you type
- it in, and I will watch to make sure that I see them on the network.
- Or,
- We've done an audit of your password and found it to be insecure. Please change it
- to xYzA1G24# so that it will be less likely to be cracked in the future.
- Brute force attack
- If the social engineering approach doesn't work or isn't an option, there's the brute force
- approach. These attacks can be waged against any application or service that accepts user
- authentication, including (but not limited to):
- Network basic input/output system (NetBIOS) over TCP (TCP 139)
- Direct Host (TCP 445)
- Lightweight Directory Access Protocol (LDAP), (TCP 389)
- FTP (TCP 21)
- Telnet (TCP 23)
- Simple Network Management Protocol (SNMP), (UDP 161)
- Point-to-Point Tunneling Protocol (PPTP), (TCP 1723)
- Terminal Services (TCP 3389)
- If the hacker is able to contact one of these services, he will use the user names gathered
- in earlier steps to launch a brute force attack. Brute force guessing tools leverage
- dictionary files that might represent the user's password. Each dictionary word (or variant
- thereof) is considered a potential password and is paired with each user name until access
- is obtained.
- Typical installations of Windows NT 4.0, Windows 2000, and Windows XP will not
- capture this attack because failed logon auditing is not enabled by default. Unless
- complex passwords are present for each user account, a dictionary attack can be quite
- successful against an unmonitored host.
- In order to mask their identity, hackers will attempt to elude detection even if failed logon
- auditing has been enabled. By using computer names with non-printable ASCII
- characters, their computer names will appear as blank in the audit logs.
- Commonly used tool
- NetBIOS auditing tool Brute force password guessing tool.
- Things to consider
- Is failed logon auditing enabled by default?
- Are there server-side mechanisms that you can use to slow down or lock out a
- brute force attack?
- Can you trace the source of the brute force logon attack back to a specific
- location? What location information can you obtain? DNS name or IP address?
- Computer name? Gateway address or specific host address?
- Can the attackers subvert the event logs or application-specific logs after they get
- in?
- Does this protocol need to be turned on by default?
- Escalate privileges
- After hackers have discovered a password for a user account and obtained user-level
- privileges to a host, they will attempt to escalate their permissions. They usually start by
- reviewing all the information on the host that they are able to view:
- Batch files containing hardcoded user names and passwords are hacker's gold.
- Registry keys containing application or user passwords are also worthy of a peek.
- Reading e-mail or other documents that are stored on the system may also provide
- additional information to hackers that may enable them to gain privileges to other
- systems on the network.
- If hackers are unable to enumerate any useful static information from the system, they
- may proceed to trojan the system. This usually involves copying malicious code to the
- user's system and giving it the same name as a frequently used piece of software.
- For example, a hacker may replace Notepad.exe with a piece of trojan code that makes
- someone called "Eric" an administrator on the system before the program launches
- Notepad. The next time the system owner logs on as administrator and launches Notepad,
- the "Eric" account is added to the administrators group, unbeknownst to the person who
- launched Notepad.
- If the hacker is not willing to wait for the user to take a specific action on the system, he
- may leverage system services to do the dirty work for them. For example, the attacker
- may locate a system service that launches with administrative or system privileges, and
- then replace this file with a trojan file to "make Eric admin." When this system is
- restarted, the service will launch, causing the trojan to execute with administrative
- privileges.
- Things to consider
- Are users able to view sensitive information?
- Are passwords for the application stored in a secure manner?
- Are passwords stored in clear text in batch files?
- What registry keys can ordinary users write to? Do any of these keys execute with
- higher-level (or system) privileges?
- Can user-level accounts modify the security context for services such that they
- can be used to launch trojans with local system privileges?
- Are there any files that the user can overwrite that are called by services running
- under higher levels of privileges?
- Gather additional passwords and secrets
- The first thing that hackers do after they have logged on to a system with administrator
- credentials is to obtain the password file. Hackers can use tools such as Pwdump2 to
- obtain the password hashes from the local security accounts manager (SAM) database or
- Active Directory of a domain controller. Password hashes can be fed to programs like
- LC3 or John the Ripper and cracked.
- As an administrator, hackers can obtain the clear-text passwords from the local security
- authority (LSA). Specifically, passwords that are used to start services are stored
- (obfuscated and reversibly encrypted) in the LSA. Using tools such as Lsadump2, the
- clear-text passwords for the accounts that are used to start corresponding services can be
- enumerated.
- Although this may not be a risk if the account starting the service is an administrative
- member on this local system (or a lesser privileged account), a larger threat may be
- present if the account that is used to start the service is an administrative member of the
- domain (or higher-level domain). In the worst instance, the hacker (as a local
- administrator) may be able to obtain the clear-text password for a domain administrator
- account for a domain that they had yet to hack.
- After local, and potentially domain level, passwords have been obtained, the hacker will
- cross-reference user name\password combinations that have been obtained with user
- names that they've enumerated from other systems during the enumeration phase. With
- enough time or the right amount of luck, the hacker will be able to obtain administrative
- access to all computers in the network, having only initially compromised one computer.
- Commonly used tools
- Pwdump2 Tool that can obtain password hashes from the SAM database or the Active
- Directory.
- Lsadump2 Tool that exposes the contents of the LSA in clear text.
- LC3 Password auditing tool that evaluates Windows NT, Windows 2000, and Windows
- XP password hashes.
- John the Ripper Password cracking tool for several operating systems.
- Things to consider
- Are logs generated when the password files are accessed?
- Are logs generated when the administrator attempts to inject rogue code into
- system processes in an attempt to access password data?
- Are passwords being stored on the system for any accounts that may have greater
- levels of permission than the local administrator accounts?
- Is the password for the administrator-level accounts on one system the same as
- the password for administrator accounts on other systems?
- Are users encouraged to select complex passwords?
- Install backdoors
- In case hackers are detected and need to leave the computer in a hurry, they frequently
- create a backdoor on each system they compromise. Backdoors can take many forms, but
- the most common is a listening port on the system that will enable the hacker to access
- the system remotely (with or without special credentials).
- Firewalls or router filtering may prevent the hacker from later accessing these ports;
- however, common router filtering may not block high numbered TCP ports (or any UDP
- ports), or may allow traffic to pass if it originates on a specific source port, like TCP 20,
- 53, or 8. If strong filtering or firewalling is in place, more complex backdoors may be
- necessary.
- One form of a complex backdoor involves reverse trafficking. Reverse trafficking enables
- the attacker to bypass the existing security mechanisms. While routers and firewalls may
- prevent all unsolicited packets from entering the network from the outside, it is highly
- likely that a client within the firewall is allowed to initiate a connection on a specified
- port number to any host on the outside. A trojan of this type might be scheduled to
- contact the hacker's computer on a regular basis over TCP port 80. The client computer
- may "push" a system-level command shell to the hacker, so the hacker can then execute
- code on the "protected" computer.
- An example of reverse trafficking was the Code Red worm. Code Red would instruct
- unpatched Web servers (over TCP port 80) to execute a Trivial File Transfer Protocol
- (TFTP) connection from the server to a host on the Internet, where it would then obtain a
- piece of rogue code. The initiating traffic to the Web server over port 80 was completely
- legitimate (and would even pass firewalls), and in most cases, the firewalls and routers
- would allow the Web server to initiate a TFTP (UDP 69) connection to the hacker's
- computer on the Internet.
- There are few, if any, valid reasons why Web servers should ever need to initiate a TFTP
- or server message block (SMB) connection to any host on the Internet. Firewalls and
- routers should be configured to block unsolicited outbound traffic originating from Web
- or mail servers to untrusted computers on the Internet.
- Commonly used tool
- Netcat Hacker's Swiss army knife. Can be used to "shovel shells" to remote systems.
- Things to consider
- Does the system or application have any mechanism to identify trojan code that
- may be running on the system?
- Can the system detect devices or services that the attacker has created?
- Is there a baseline of known listening ports, services, and devices against which
- the system can be monitored to help determine if a rogue piece of code has been
- executed?
- Are security devices (firewalls, routers) configured to prevent unwanted outbound
- traffic from originating from each host?
- Leverage the compromised system
- Port redirectors In order to circumvent traditional security devices, hackers may create
- port redirectors on the first compromised host that will automatically pass all traffic to
- other internal hosts. Port redirectors can help bypass port filters, routers, and firewalls,
- and may even be encrypted over a Secure Sockets Layer (SSL) tunnel to evade intrusion
- detection devices.
- When a port redirector is used to traffic packets between the hacker's computer and the
- target system, the hacker's true identity is essentially "laundered." If the target system is
- enabled for failed logon auditing, or is running a third-party intrusion detection system, it
- will record the IP address or computer name of the host running the port redirector, not
- the hacker's computer. This may make it very difficult for the attacker to be identified, as
- all traffic going to and coming from the target system appears to be legitimate
- connections to the computer that is proxying the hacker's traffic by means of the port
- redirector.
- Hacking other systems After the hacker has fully hacked the local system, installed
- their backdoors and port redirectors, and obtained all the information available to them,
- they will proceed to hack other systems on the network. Most often there are matching
- service, administrator, or support accounts residing on each system that make it easy for
- the attacker to compromise each system in a short amount of time. As each new system is
- hacked, the attacker performs the steps outlined above to gather additional system and
- password information.
- Attackers continue to leverage information on each system until they identify passwords
- for accounts that reside on highly prized systems including payroll, root domain
- controllers, and Web servers. The process of scanning and exploiting systems in this
- manner can often be automated, letting hackers grab a few hours of rest, or allowing them
- to focus their attentions on other areas of the target company.
- It's difficult to identify this type of activity because the attacker is usually operating under
- the guise of a valid administrator account. Unless the attacker is caught before he gains
- administrator access, it may be nearly impossible to flush him from the network.
- Commonly used tool
- Fpipe A port redirector for Windows systems. Allows the source port for redirected
- traffic to be specified.
- Things to consider
- Are processes in place to monitor system logs across multiple computers and
- correlate attack sequences to suggest that an automated attack is in process?
- Are group memberships reviewed on a regular basis to ensure that new "hacker
- accounts" haven't been added to administrative groups?
- Resources
- Microsoft Security Web site Public Web site with links to security bulletins and product
- security information.
- Hacking Exposed: Network Security Secrets and Solutions, Third Edition Stuart
- McClure, Joel Scambray, and George Kurtz take a comprehensive look at hacker
- methodologies across multiple platforms and devices.
- Hacking Exposed Windows 2000: Network Security Secrets and Solutions Scambray and
- McClure detail hacker techniques specific to Microsoft platforms.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement