
Hacking Methodologies
An overview of historical hacking approaches
Johnny Long
http://johnny.ihackstuff.com
johnny@ihackstuff.com

Varied Approaches
- Old School: Slow, careful, precise, invasive
- Pros: Fast, careful, precise, sometimes invasive
- Skript Kiddies: Slow, reckless, imprecise, invasive
- Defacers: Fast, reckless, precise, mildly invasive

Old school
For years, information security pundits have followed and believed in a hacking methodology which described the steps a hacker classically followed when performing an attack. That methodology consists of the following basic steps:
- Information Gathering
- Probe
- Attack
- Advancement
- Entrenchment
- Infiltration/Extraction

Old School: Information Gathering
- Decide and discover which targets to attack
- Often begin with a specific network or a specific company
- Whois, nslookup queries
- samspade.org
- Search engines (googlescanning)

Old School: Probe
- Scan specific targets for vulnerabilities
- Search sweeping ranges of ports with a portscan (nmap)
- Grab details such as service versions from the discovered ports, aka banner grabbing (netcat)
- NT: Connect to and enumerate information from NETBios (enum)
- Search the Internet for vulnerabilities based on versions of software found on targets

Old School: Probe
- NMAP (http://www.insecure.org/nmap)
- Superscan (http://www.webattack.com/get/superscan.shtml)
- Nessus (http://www.nessus.org)
- Whisker (http://sourceforge.net/projects/whisker/)
- Netcat (http://www.atstake.com/research/tools/)
- Enum (http://razor.bindview.com/tools/index.shtml)
- THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d=probe-4.1.tar.gz)

Old School: Probe
Nmap is used to scan the ports of the target system. Using the -O option would also report the operating system of the target.

Old School: Probe
Nmap's guess at the operating system type.

Old School: Probe
Some services listen behind RPC. rpcinfo can give us this info.

Old School: Attack
- Gather compatible exploits
- Compile exploits (if required)
- Launch exploits against targets
- Modify parameters, re-launch exploits (if required)

Old School: Attack
- There are many different types of attacks which can be broken down into several classifications.
- The attacks are performed from one of two perspectives:
  - Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
  - Remote: The attacker exploits the target box without first gaining access to a command shell

Attacks: Buffer Overflow
- Aka the Boundary Condition Error: stuff more data into a buffer than it can handle. The resulting overflowed data falls into a precise location and is executed by the system
  - Local overflows are executed while logged into the target system
  - Remote overflows are executed by processes running on the target that the attacker connects to
- Result: Commands are executed at the privilege level of the overflowed program
- Example: SNMPXDMID overflow (Solaris 6-8) http://www.securityfocus.com/bid/2417
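
The boundary condition error in C, as an added example that is not from these slides and not the SNMPXDMID code: a small network handler that trusts a client-supplied length (the classic bug shape behind remote overflows) beside the bounds-checked form a defender would want. The one-byte length-prefix wire format, the 32-byte buffer and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format for this example: one length byte, then that many bytes of a name. */
#define NAME_BUF 32

/* Vulnerable handler: the declared length is trusted and copied straight into a
 * fixed 32-byte stack buffer. A client that declares a length above 31 writes past
 * the end of name[], which is the boundary condition error described above.
 * Shown for contrast only; the demos below never feed it hostile input. */
int handle_unsafe(const uint8_t *pkt, size_t pktlen)
{
    char name[NAME_BUF];
    if (pktlen < 1)
        return -1;
    size_t declared = pkt[0];
    memcpy(name, pkt + 1, declared);   /* no comparison against NAME_BUF or pktlen */
    name[declared] = '\0';
    return (int)strlen(name);
}

/* Hardened handler: the declared length must leave room for the terminator and
 * must not exceed the bytes actually received. Distinct error codes make the
 * rejection reason visible in logs. */
int handle_safe(const uint8_t *pkt, size_t pktlen, char *out, size_t outsz)
{
    char name[NAME_BUF];
    if (pktlen < 1)
        return -1;                      /* empty packet */
    size_t declared = pkt[0];
    if (declared >= NAME_BUF)
        return -2;                      /* would overflow name[] */
    if (declared > pktlen - 1)
        return -3;                      /* claims more bytes than were received */
    memcpy(name, pkt + 1, declared);
    name[declared] = '\0';
    snprintf(out, outsz, "hello %s", name);
    return (int)declared;
}

/* Constructed sample packets. Each demo returns the hardened handler's result code. */
int demo_well_formed(void)
{
    const uint8_t pkt[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    char out[64];
    return handle_safe(pkt, sizeof pkt, out, sizeof out);     /* 5 */
}

int demo_oversized_length(void)
{
    uint8_t pkt[1 + 200];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 200;                       /* declares 200 bytes for a 32-byte buffer */
    char out[64];
    return handle_safe(pkt, sizeof pkt, out, sizeof out);     /* -2 */
}

int demo_truncated_packet(void)
{
    const uint8_t pkt[] = { 10, 'b', 'o', 'b' };              /* declares 10, sends 3 */
    char out[64];
    return handle_safe(pkt, sizeof pkt, out, sizeof out);     /* -3 */
}

int main(void)
{
    printf("well-formed: %d, oversized: %d, truncated: %d\n",
           demo_well_formed(), demo_oversized_length(), demo_truncated_packet());
    return 0;
}
```

The two checks in handle_safe are independent: the first protects the buffer, the second protects against reading past the received data, and a handler that has only one of them is still wrong.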

Attacks: Input Validation
- A process does not strip input before processing it, e.g. special shell characters such as semicolon and pipe symbols
- An attacker provides data in unexpected fields, e.g. SQL database parameters

Attacks: Input Validation
- Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)
- A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.
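
Both input validation points above (unstripped shell metacharacters, and the Trillian-style format string) in C, as an added example that is not from the slides or from Trillian: an allowlist validator for a field that may reach a shell or database, and a log call that passes untrusted data only as an argument. The function names, the 32-character limit and the "joined" log format are assumptions for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Validation by allowlist: a username (or any field that reaches a shell, a
 * database, or a log formatter) may contain only characters the application
 * has positive reason to accept. This rejects ';', '|', '`', '$', quotes and
 * the like without having to enumerate every dangerous character. */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Vulnerable logging call, shown for contrast and deliberately not compiled:
 *
 *     printf(channel);
 *
 * The channel name becomes the format string, so a name like "#%n%n%n" is
 * parsed for directives, and each %n writes to memory the program never
 * meant to expose. */

/* Hardened form: a fixed format, the untrusted data passed only as an argument.
 * Returns the number of characters of the rendered log line. */
int log_join_safe(const char *channel, char *out, size_t outsz)
{
    return snprintf(out, outsz, "joined %s", channel);
}

/* Demo with the channel name quoted in the advisory text above. */
int demo_format_string_inert(void)
{
    char line[128];
    int n = log_join_safe("#%n%n%n", line, sizeof line);
    /* The three %n sequences survive as literal text: nothing was interpreted. */
    return (strcmp(line, "joined #%n%n%n") == 0) ? n : -1;
}

int main(void)
{
    printf("valid 'alice_01': %d\n", valid_username("alice_01"));
    printf("valid 'alice;rm -rf': %d\n", valid_username("alice;rm -rf"));
    printf("format string inert, length %d\n", demo_format_string_inert());
    return 0;
}
```

An allowlist is preferred over stripping a blocklist of characters because stripping has to be right about every shell, every database quoting rule and every encoding, while an allowlist only has to describe what a legitimate value looks like.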

Attacks: Race Conditions
- An attacker forces an action during a sensitive time window between two operations
  - A program checks to make sure output file /tmp/temp_output does not exist
  - The program wanders off and does other stuff
  - An attacker quickly creates a symlink from /tmp/temp_output to /etc/shadow
  - The program writes to /tmp/temp_output, which clobbers /etc/shadow
- Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
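
The /tmp symlink race above, reproduced and then closed in C as an added example (not from the slides and not the diskcheck code). The demo runs in a private temporary directory with a decoy file standing in for /etc/shadow, so nothing on the real system is touched; the check/use split, the file names and the function names are assumptions for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern, split into its two halves so the window is visible:
 * first the program checks that the output file does not exist ... */
int output_path_is_free(const char *path)
{
    return access(path, F_OK) != 0;
}

/* ... then, some time later, it opens and writes. fopen() follows a symlink
 * planted in between, so the data lands wherever the link points. */
int write_output_unsafe(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened form: create the file atomically, refusing if anything already
 * occupies the name (O_EXCL fails on a live or dangling symlink as well),
 * and never follow links. There is no separate check, hence no window. */
int write_output_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;                  /* -EEXIST when the name is taken */
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -EIO;
    }
    close(fd);
    return 0;
}

static int read_first_line(const char *path, char *buf, size_t sz)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)sz, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return 0;
}

/* Demo in a private temp directory: a decoy "shadow" file stands in for
 * /etc/shadow. Returns 1 when the unsafe writer clobbered the decoy through
 * the planted symlink and the safe writer refused with EEXIST; 0 otherwise;
 * a negative value if the demo could not be set up. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/racedemoXXXXXX";
    char decoy[256], out[256], line[64] = {0};
    const char *original = "root:*:0:0:::\n";       /* constructed decoy content */
    if (!mkdtemp(dir))
        return -1;
    snprintf(decoy, sizeof decoy, "%s/shadow", dir);
    snprintf(out, sizeof out, "%s/temp_output", dir);
    if (write_output_safe(decoy, original) != 0)
        return -2;

    int was_free = output_path_is_free(out);          /* check passes: nothing there yet */
    if (symlink(decoy, out) != 0)                     /* the attacker's move inside the window */
        return -3;
    write_output_unsafe(out, "scan results\n");       /* follows the link into the decoy */
    int clobbered = read_first_line(decoy, line, sizeof line) == 0
                    && strcmp(line, original) != 0;

    int rc = write_output_safe(out, "scan results\n"); /* no check/use gap to exploit */

    unlink(out); unlink(decoy); rmdir(dir);
    return (was_free && clobbered && rc == -EEXIST) ? 1 : 0;
}

int main(void)
{
    printf("race reproduced and blocked: %d\n", demo_symlink_race());
    return 0;
}
```

The defensive point is that the existence check is not the fix; removing it and letting the kernel perform check and create as one operation is. A per-process directory created with mkdtemp() instead of a predictable name in /tmp removes the attacker's ability to plant the link at all.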

Attacks: Environment Errors
- An attacker makes a change to a program's environment that was not expected
- For example, a program relies on the UNIX environment variable $USER to determine who is running the program
- An attacker changes this value to root before executing the program
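
The $USER example in C, as an added illustration that is not from the slides: a check that trusts the environment beside one that asks the kernel, plus a demo that spoofs USER=root in-process and observes which answer moves. The function names and the use of the password database for the name lookup are assumptions for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable check: trusts $USER, a string the person launching the program
 * can set to anything ("USER=root ./program"). */
int is_root_by_env(void)
{
    const char *u = getenv("USER");
    return u != NULL && strcmp(u, "root") == 0;
}

/* Hardened check: asks the kernel. The uid is fixed at exec time and cannot be
 * edited from the environment. */
int is_root_by_uid(void)
{
    return geteuid() == 0;
}

/* Hardened name lookup: resolve the real uid through the password database
 * instead of reading $USER; fall back to the numeric uid when there is no entry. */
const char *whoami_safe(char *buf, size_t bufsz)
{
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    if (pw != NULL && pw->pw_name != NULL)
        snprintf(buf, bufsz, "%s", pw->pw_name);
    else
        snprintf(buf, bufsz, "uid=%lu", (unsigned long)uid);
    return buf;
}

/* Demo: spoof $USER=root and see which check moves. Returns 1 when the
 * env-based check was fooled while the uid-based answer did not change. */
int demo_env_spoof(void)
{
    int uid_before = is_root_by_uid();
    setenv("USER", "root", 1);          /* what the attacker does before exec */
    int env_after = is_root_by_env();
    int uid_after = is_root_by_uid();
    return (env_after == 1 && uid_after == uid_before) ? 1 : 0;
}

/* Demo: with $USER still spoofed, the resolved name says "root" only if the
 * process really runs as uid 0. Returns 1 when the two agree. */
int demo_name_not_spoofable(void)
{
    char name[64];
    setenv("USER", "root", 1);
    int claims_root = strcmp(whoami_safe(name, sizeof name), "root") == 0;
    return claims_root == (getuid() == 0) ? 1 : 0;
}

int main(void)
{
    char name[64];
    printf("env check fooled, uid check unchanged: %d\n", demo_env_spoof());
    printf("resolved user: %s\n", whoami_safe(name, sizeof name));
    return 0;
}
```

The same reasoning applies to every inherited variable a privileged program might consult (PATH, HOME, LD_PRELOAD, IFS): anything the caller can set before exec is input, not fact.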

Attacks: Weak Passwords
- Accounts with weak passwords are guessed by a remote attacker
- Accounts with weak passwords are cracked by an attacker with access to a password database
- THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)

Attack: Exploit Sites
- SecurityFocus (http://www.securityfocus.com)
- Packetstorm (http://packetstormsecurity.org)
- New Order (http://neworder.box.sk/)
- Hack in the Box (http://www.hackinthebox.org/)
- phreak.org (http://www.phreak.org/archives/exploits/unix/)

Old School: Attack phases
- The Attack is most often broken into several phases (perhaps running cyclically)
  - Locating Exploits
  - Getting Exploits
  - Modification of Exploits
  - Building Exploits
  - Testing Exploits
  - Running Exploits

Old School: Locating exploits

Old School: Getting Exploits
The wget program downloads the exploit to the attacker's machine.

Old School: Modifying exploit
(-lsocket won't work)
Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on our RedHat 7.2 attack box.

Old School: Building Exploit
Some exploits come complete with a Makefile, so a simple make command is all that's required to build the exploit.

Old School: Building Exploit
The make command successfully produces the exploit, in this case automountdexp.

Old School: Testing Exploit
The -h parameter shows the usage for this exploit.

Old School: Attack
Running Exploit
This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inet is restarted) a listening root shell is opened on port 31337.

Old School: Attack
Success!
The attacker connects to the 31337 port on the target and is greeted with a root prompt.

Old School: Advancement (optional)
- If needed, gain further access to targets by further exploitation
  - Trojans
  - Local Exploits
- The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits

Old School: Entrenchment
- Modify targets to ensure future access
  - Backdoors
  - Rootkits

Entrenchment: Backdoors
- Linux: Non-listening backdoor programs = No listening port!
  - SAdoor (http://cmn.listprojects.darklab.org/)
  - Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)
- NT/2K
  - Fake GINA: Username and password interceptor (http://www.rootkit.com/projects/ginatroj/)
  - NTKap: Removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)

Entrenchment: Rootkits
- Linux
  - LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz)
  - ADORE (http://online.securityfocus.com/tools/1490)
  - KNARK (http://online.securityfocus.com/tools/1163)
- NT
  - NT Rootkit (http://www.rootkit.com/projects/ntroot/)
  - NULL.SYS (http://www.rootkit.com/projects/nullsys/)

Old School: Infiltration/Extraction
- Install sniffers to monitor network traffic, gather usernames/passwords
- Extract data from compromised systems
- Compromise neighboring targets based on captured data or trust relationships

Professionals
Professional hackers, or ethical hackers, tend to follow the following methodology:
- Information Gathering
- Probe
- Attack
- Advancement
- Infiltration/Extraction

Professionals
- Most often, professional ethical hackers rely on Vulnerability Scanners to perform their jobs.
  - Nessus
  - Retina by eEye
  - Network Associates CyberCop
  - H.E.A.T.
  - Internet Security Systems Internet Scanner
  (see http://www.networkcomputing.com/1201/1201f1b1.html)

Professionals
- Vulnerability Scanner Demo

Skript Kiddies

Skript Kiddies
- Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic)
  - Exploit Selection
  - Target Selection
  - Attack

Skript Kiddies: Exploit Selection
- Nearly identical to the Old School method of locating exploits, skript kiddies generally use search engines to locate exploits
- Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use.

Skript Kiddies: Target Selection
- Most target selection involves noisy scanners, often launched from Windows platforms
- An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.

Skript Kiddies: Attack!
- Unlike old-school attacks, Skript Kiddies' tools are generally pre-compiled, or written in interpretive languages such as PERL
- If an exploit needs to be built, most kiddies will not be able to get them working
- If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical.

Defacers

Web Defacers
While old school methods are still in use, web defacers statistically own the hacking landscape.
http://www.alldas.org

Profile of a web defacer
- Handle: intrud3rm4n
- Age: 21
- Group: Leader of ISOTK (In Search of the Knowledge!)
- Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements
- My favorite defacement: http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/
- Country of Origin: Brazil
- Language: Portuguese
- Favorite Hacking food: Hamburgers and Fries
- Favorite Hacking Music: Metallica =)
- Favorite exploit: whacking LINUX boxen
- Reason for defacing: FUN

Defaced: Cap Gemini

Following web defacers
http://www.alldas.org

Following web defacers
http://www.zone-h.com/en/defacements

Following web defacers
http://www.delta5.com.br/mirror/

Common Web Defacement Methodology
Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!
The web defacement methodology (again, often cyclical) is generally as follows:
- Exploit Selection
- Target Selection
- Attack
- Defacement

Web Defacement
Amateur defacers usually stick with one exploit and one target platform...

Defacer's Exploit Selection
- An attacker's level of comfort with an Operating System will often decide the types of exploits used
  - UNIX-based attackers often opt for C-based remote overflows
  - Windows-based attackers often opt for perl-based remote overflows, visual basic tools, or command-line net commands
  - Attackers with only browser-based experience or simplistic attackers seeking privacy through proxies will opt for URL-based attacks such as UNICODE or DECODE, Front Page exploits, or PHP-Nuke attacks

Defacer's Search for Exploits
Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits.

Defacer's Target Selection
- Armed with an exploit, most web defacers now seek vulnerable targets using various methods
  - Web searching
    - Netcraft
    - Netstat
    - Google
  - Host scanning
    - Nmap
    - Custom scanners

Defacer's Target Selection: Web Searches
http://www.netcraft.com

Defacer's Target Selection: Web Searches
- Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn't been explored in great detail.
- http://johnny.ihackstuff.com/security/googledorks.shtml

Defacer's Target Selection: Web Searches
Google query: intitle:Index of Apache 1.3.11
Here, Apache 1.3.11 servers are located through creative use of the Google search engine.

Defacer's Target Selection: Web Searches
http://www.netstat.ru

Defacer's Target Selection: Host Scanning
Nmap's OS detection feature (-O) provides a decent guess as to the operating system of the target.

Defacer's Target Selection: Host Scanning
http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.

Defacer's Attack
- Once the target and the exploit are selected, the attacker launches the attack against the server.
- If the attack fails, the attacker will often modify the attack and try again.

Questions?
