Hacking Methodologies[1]

Date post: 30-May-2018
Upload: raj-g
Transcript
Page 1: Hacking Methodologies[1]

8/14/2019 Hacking Methodologies[1]

http://slidepdf.com/reader/full/hacking-methodologies1 1/61

 

Hacking Methodologies

An overview of historical hacking approaches

Johnny Long
http://johnny.ihackstuff.com
[email protected]

Page 2: Hacking Methodologies[1]

Varied Approaches

“Old School”: Slow, careful, precise, invasive
“Pros”: Fast, careful, precise, sometimes invasive
“Skript Kiddies”: Slow, reckless, imprecise, invasive
“Defacers”: Fast, reckless, precise, mildly invasive

Page 3: Hacking Methodologies[1]

Old school

For years, information security pundits have followed and believed in a “hacking methodology” which described the steps a hacker classically followed when performing an attack.

That methodology followed these basic steps:

Information Gathering
Probe
Attack
Advancement
Entrenchment
Infiltration/Extraction

Page 4: Hacking Methodologies[1]

Old School: Information Gathering

Decide and discover which targets to attack
Often begin with a specific network or a specific company
Whois, nslookup queries
samspade.org
Search engines (“googlescanning”)

Page 5: Hacking Methodologies[1]

Old School: Probe

Scan specific targets for vulnerabilities
Search sweeping ranges of ports with a portscan (nmap)
Grab details such as service versions from the discovered ports, aka “banner grabbing” (netcat)
NT: Connect to and enumerate information from NetBIOS (enum)
Search the Internet for vulnerabilities based on versions of software found on targets
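The probe steps above, reduced to code, as an added example that is not part of Johnny Long's slides: a TCP connect scan (what nmap does when it cannot use raw sockets), a banner grab (what netcat shows the moment you connect), and a version extractor for the two banner formats it knows about. Everything it talks to is assumed: the two listeners it starts on 127.0.0.1, their banners and the port numbers are constructed so the example runs offline; against a real target you would pass that host and a port list to `probe()` instead.

```python
"""Probe phase in code: connect scan, then banner grabbing.

Added example; not from the original slides. The two listeners it starts on
127.0.0.1 and their banners are constructed so the example runs offline."""
import re
import socket
import threading

# Constructed banners for the local stand-in services.
FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_5.3\r\n",
    "ftp": b"220 ProFTPD 1.3.3 Server (Constructed) [127.0.0.1]\r\n",
}

# (product, version) extractors for protocols that announce themselves first.
BANNER_PATTERNS = [
    re.compile(r"^SSH-[\d.]+-([A-Za-z]+)[_-]([\w.]+)"),                   # SSH-2.0-OpenSSH_5.3
    re.compile(r"^220[ -].*?(ProFTPD|vsFTPd|Pure-FTPd)\s+v?([\d.]+)"),    # 220 ProFTPD 1.3.3 ...
]


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral loopback port and send `banner` to every client.
    Exists only so the scan below has something to find; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass        # the scanner hung up before reading; harmless

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """Reserve and release an ephemeral port so the scan also meets a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5) -> list:
    """TCP connect scan (the unprivileged `nmap -sT` technique): a completed
    handshake means open, RST means closed, silence means filtered or slow."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service says first (what `nc host port` shows)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace").strip()


def parse_banner(banner: str):
    """Return (product, version) when a known banner format matches, else None."""
    for pat in BANNER_PATTERNS:
        m = pat.match(banner)
        if m:
            return m.group(1), m.group(2)
    return None


def probe(host: str, ports) -> dict:
    """Scan, then banner-grab every open port. The product/version pairs are
    what the next step feeds into an advisory search for that exact software."""
    results = {}
    for port in scan_ports(host, ports):
        banner = grab_banner(host, port)
        results[port] = {"banner": banner, "service": parse_banner(banner)}
    return results


if __name__ == "__main__":
    ports = [start_fake_service(b) for b in FAKE_BANNERS.values()] + [pick_closed_port()]
    for port, info in probe("127.0.0.1", ports).items():
        print(f"{port}/tcp open  {info['banner']!r}  -> {info['service']}")
```

The connect scan is the noisy variant: every probe completes a handshake and shows up in the target's logs, which is why nmap's default SYN scan and the slides' "slow, careful" old-school style both try to avoid it.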

Page 6: Hacking Methodologies[1]

Old School: Probe

NMAP (http://www.insecure.org/nmap)
Superscan (http://www.webattack.com/get/superscan.shtml)
Nessus (http://www.nessus.org)
Whisker (http://sourceforge.net/projects/whisker/)
Netcat (http://www.atstake.com/research/tools/)
Enum (http://razor.bindview.com/tools/index.shtml)
THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d)

Page 7: Hacking Methodologies[1]

Old School: Probe

Nmap is used to scan the ports of the target system. Using the -O option would also report the operating system of the target.

Page 8: Hacking Methodologies[1]

Old School: Probe

Nmap’s guess at the operating system type

Page 9: Hacking Methodologies[1]

Old School: Probe

Some services listen behind RPC. rpcinfo can give us this info.

Page 10: Hacking Methodologies[1]

Old School: Attack

Gather compatible exploits
Compile exploits (if required)
Launch exploits against targets
Modify parameters, re-launch exploits (if required)

Page 11: Hacking Methodologies[1]

Old School: Attack

There are many different types of attacks which can be broken down into several classifications.

The attacks are performed from one of two perspectives:

Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
Remote: The attacker exploits the target box without first gaining access to a command shell

Page 12: Hacking Methodologies[1]


Page 13: Hacking Methodologies[1]

Attacks: Input Validation

A process does not “strip” input before processing it, e.g. special shell characters such as semicolon and pipe symbols
An attacker provides data in unexpected fields, e.g. SQL database parameters
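Both failure modes in code, as an added example that is not from the slides: a value pasted into a shell command line next to the argv form that no shell ever parses, and a login query built by string concatenation next to the bound-parameter form. The user table, the inputs and the hostname allow-list are constructed; `echo` stands in for a real command so the injected second command is harmless and visible.

```python
"""Two input-validation failures and their fixes: shell metacharacters and SQL
parameters. Added example, not from the slides; the user table and the inputs
are constructed."""
import re
import sqlite3
import subprocess

# --- Shell metacharacters -------------------------------------------------

def echo_via_shell(value: str) -> str:
    """Vulnerable: the value is pasted into a command line that /bin/sh parses,
    so ';' ends the command and whatever follows runs as a second command."""
    return subprocess.run("echo " + value, shell=True,
                          capture_output=True, text=True).stdout


def echo_via_argv(value: str) -> str:
    """Fixed: argv form. No shell parses the value; it reaches echo as one argument."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout


HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

def validate_hostname(value: str) -> str:
    """Allow-list check to apply before the value reaches any program: reject
    rather than 'strip', so ';', '|', '$(' and friends never get a chance."""
    if len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"not a hostname: {value!r}")
    return value

# --- SQL parameters -------------------------------------------------------

def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_concat(db, user: str, password: str) -> list:
    """Vulnerable: user data becomes SQL. A quote closes the literal and '--'
    comments out the password check."""
    q = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return [row[0] for row in db.execute(q)]


def login_param(db, user: str, password: str) -> list:
    """Fixed: bound parameters. The driver sends the values separately from the
    statement text, so they can only ever be compared, never parsed."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(q, (user, password))]


if __name__ == "__main__":
    payload = "hello; echo INJECTED"
    print(repr(echo_via_shell(payload)))   # two lines: the second command ran
    print(repr(echo_via_argv(payload)))    # one line: the payload stayed data
    db = make_db()
    print(login_concat(db, "alice' --", "wrong"))   # ['alice'] without the password
    print(login_param(db, "alice' --", "wrong"))    # []
```

The argv form and bound parameters share one idea: keep data and code on separate channels so the parser downstream never sees attacker bytes as syntax. The allow-list is still worth having, because the program that finally receives the argument has its own parser too.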

Page 14: Hacking Methodologies[1]

Attacks: Input Validation

Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)

“A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.”

Page 15: Hacking Methodologies[1]

Attacks: Race Conditions

An attacker forces an action during a sensitive time window between two operations

A program checks to make sure output file “/tmp/temp_output” does not exist
The program wanders off and does other stuff…
An attacker quickly creates a symlink from “/tmp/temp_output” to “/etc/shadow”
The program writes to “/tmp/temp_output”, which clobbers “/etc/shadow”

Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
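The race above, reproduced in a scratch directory with the fix alongside. This is an added example, not code from the slides or from the diskcheck advisory: `temp_output` and `shadow` under a temporary directory stand in for /tmp/temp_output and /etc/shadow, and the `do_other_work` callback stands in for the program wandering off, so the harness can plant the symlink exactly in the window. Nothing outside the temporary directory is touched.

```python
"""Symlink race on a predictable output name, next to the check-and-create-in-
one-step fix. Added example, not from the slides; the file names stand in for
/tmp/temp_output and /etc/shadow."""
import os
import tempfile


def write_output_racy(path: str, data: bytes, do_other_work=lambda: None) -> None:
    """Vulnerable: existence check, then a separate open(). `do_other_work`
    models the program wandering off between the two; that is the window."""
    if os.path.exists(path):
        raise FileExistsError(path)
    do_other_work()
    with open(path, "wb") as f:        # open() follows a symlink planted meanwhile
        f.write(data)


def write_output_atomic(path: str, data: bytes, do_other_work=lambda: None) -> None:
    """Fixed: O_CREAT|O_EXCL makes 'does not exist' and 'create' one syscall; the
    kernel refuses if anything is at the path, a symlink included, so there is
    no window. O_NOFOLLOW is belt-and-braces where it exists. tempfile.mkstemp()
    does the same and also picks an unpredictable name."""
    do_other_work()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


ORIGINAL = b"root:$6$original:0:0:99999:7:::\n"   # constructed stand-in for /etc/shadow


def race(writer) -> dict:
    """Run `writer` while an attacker wins the race: the symlink appears after any
    pre-check and before the write. Reports whether the victim was clobbered and
    what, if anything, the writer raised."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "shadow")
        output = os.path.join(d, "temp_output")
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        raised = None
        try:
            writer(output, b"attacker controlled\n",
                   do_other_work=lambda: os.symlink(victim, output))
        except OSError as e:
            raised = type(e).__name__
        with open(victim, "rb") as f:
            clobbered = f.read() != ORIGINAL
    return {"clobbered": clobbered, "raised": raised}


if __name__ == "__main__":
    print("racy  :", race(write_output_racy))     # {'clobbered': True, 'raised': None}
    print("atomic:", race(write_output_atomic))  # {'clobbered': False, 'raised': 'FileExistsError'}
```

The point to take from the atomic version is that the check and the create are the same syscall, so the attacker has no moment in which the check has passed but the file has not yet been created.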

Page 16: Hacking Methodologies[1]

Attacks: Environment Errors

An attacker makes a change to a program’s environment that was not expected
For example, a program relies on the UNIX environment variable $USER to determine who is running the program
An attacker changes this value to “root” before executing the program

Page 17: Hacking Methodologies[1]


Page 18: Hacking Methodologies[1]

Attack: Exploit Sites

SecurityFocus (http://www.securityfocus.com)
Packetstorm (http://packetstormsecurity.org)
New Order (http://neworder.box.sk/)
Hack in the Box (http://www.hackinthebox.org/)
phreak.org (http://www.phreak.org/archives/exploits/unix/)

Page 19: Hacking Methodologies[1]

Old School: Attack phases

The Attack is most often broken into several phases (perhaps running cyclically):

Locating Exploits
Getting Exploits
Modification of Exploits
Building Exploits
Testing Exploits
Running Exploits

Page 20: Hacking Methodologies[1]

Old School: Locating exploits

Page 21: Hacking Methodologies[1]

Old School: Locating exploits

Page 22: Hacking Methodologies[1]

Old School: Getting Exploits

The ‘wget’ program downloads the exploit to the attacker’s machine

Page 23: Hacking Methodologies[1]

Old School: Modifying exploit

(-lsocket won’t work)

Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on our RedHat 7.2 attack box.

Page 24: Hacking Methodologies[1]

Old School: Building Exploit

Some exploits come complete with a Makefile, so a simple ‘make’ command is all that’s required to build the exploit.

Page 25: Hacking Methodologies[1]

Old School: Building Exploit

The make command successfully produces the exploit, in this case ‘automountdexp’

Page 26: Hacking Methodologies[1]

Old School: Testing Exploit

The ‘-h’ parameter shows the usage for this exploit.

Page 27: Hacking Methodologies[1]

Old School: Attack

Running Exploit

This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inetd is restarted) a listening root shell is opened on port 31337.
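A detection-side check for what this attack leaves behind, as an added example that is not part of the slides: parse inetd.conf and /etc/services and flag entries that hand a socket straight to a shell, run as root on a port above 1023, or were not in the host's baseline. The two sample files, the service name `vpnd` and the baseline set are constructed; the Solaris inetd.conf field order (service, endpoint type, protocol, wait status, user, program, arguments) is what the parser assumes.

```python
"""Audit of inetd.conf and /etc/services for an inetd-spawned root shell.
Added example, not from the slides; the sample files and the baseline are
constructed, with the last line of each being what the attack above adds."""
import re

SHELL_PROGRAMS = {"/bin/sh", "/sbin/sh", "/bin/bash", "/bin/ksh", "/bin/csh", "/usr/bin/perl"}

SAMPLE_INETD_CONF = """\
# constructed Solaris-style /etc/inet/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
vpnd    stream  tcp     nowait  root    /bin/sh                 sh -i
"""
SAMPLE_SERVICES = """\
ftp      21/tcp
telnet   23/tcp
finger   79/tcp
vpnd     31337/tcp
"""
BASELINE_SERVICES = {"ftp", "telnet", "finger"}   # what this host served before the incident


def parse_services(text: str) -> dict:
    """/etc/services lines 'name port/proto [aliases]' -> {name: (port, proto)}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1])
        if m:
            table[fields[0]] = (int(m.group(1)), m.group(2))
    return table


def parse_inetd_conf(text: str) -> list:
    """Solaris field order: service endpoint_type protocol wait_status user program [args]."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split(None, 6)
        if len(fields) < 6:
            continue
        service, endpoint, proto, wait, user, program = fields[:6]
        entries.append({"line": lineno, "service": service, "endpoint": endpoint,
                        "proto": proto, "wait": wait, "user": user, "program": program,
                        "args": fields[6] if len(fields) > 6 else ""})
    return entries


def audit_inetd(inetd_text: str, services_text: str, baseline: set) -> list:
    """One finding per (entry, reason). A clean host returns []."""
    services = parse_services(services_text)
    findings = []
    for e in parse_inetd_conf(inetd_text):
        # rpc entries are written name/version; the services table is keyed by name
        port = services.get(e["service"].split("/")[0], (None, None))[0]
        reasons = []
        if e["program"] in SHELL_PROGRAMS:
            reasons.append(f"inetd hands the socket straight to {e['program']} {e['args']}".rstrip())
        if e["user"] == "root" and port is not None and port >= 1024:
            reasons.append(f"root service on unprivileged port {port}")
        if e["service"] not in baseline:
            reasons.append("service not in this host's baseline")
        findings.extend({"line": e["line"], "service": e["service"], "port": port, "reason": r}
                        for r in reasons)
    return findings


if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES, BASELINE_SERVICES):
        print(f"inetd.conf:{f['line']} {f['service']} (port {f['port']}): {f['reason']}")
```

The baseline comparison is the check that survives a cleverer attacker: renaming the service and pointing it at a copied shell binary defeats the first two rules, but not a diff against what the host was known to serve.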

Page 28: Hacking Methodologies[1]

Old School: Attack

Success!

The attacker connects to the 31337 port on the target and is greeted with a root prompt.

Page 29: Hacking Methodologies[1]

Old School: Advancement (optional)

If needed, gain further access to targets by further exploitation
Trojans
Local Exploits

The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits

Page 30: Hacking Methodologies[1]

Old School: Entrenchment

Modify targets to ensure future access
Backdoors
Rootkits

Page 31: Hacking Methodologies[1]

Entrenchment: Backdoors

Linux
Non-listening backdoor programs = No listening port!
SAdoor (http://cmn.listprojects.darklab.org/)
Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)

NT/2K
Fake GINA: Username and password interceptor (http://www.rootkit.com/projects/ginatroj/)
NTKap: Removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)
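cd00r is the non-listening case: it sniffs for SYNs to a chosen sequence of ports and only then binds a shell, so netstat on the host shows nothing until the knock arrives. What follows is an added example, not from the slides or from the cd00r code, of what that looks like from the network side: a detector over connection records that flags a source which gets a SYN-ACK from a port the host is not known to serve, right after a handful of refused probes to the same host. The flow records, addresses, ports and the known-open table are constructed.

```python
"""Spotting a cd00r-style port-knock trigger in connection logs. Added example,
not from the slides; the flow records and the known-open table are constructed."""
from collections import defaultdict

# (timestamp, src, dst, dst_port, what the target answered: "rst" closed / "synack" open)
SAMPLE_FLOWS = (
    # attacker knocks three closed ports, then the shell port answers
    [(100.5, "203.0.113.5", "10.0.0.7", 4000, "rst"),
     (100.6, "203.0.113.5", "10.0.0.7", 4001, "rst"),
     (100.7, "203.0.113.5", "10.0.0.7", 4002, "rst"),
     (101.5, "203.0.113.5", "10.0.0.7", 5002, "synack")]
    # an ordinary client to the web server
    + [(102.0, "198.51.100.9", "10.0.0.7", 80, "synack")]
    # a noisy scanner: forty closed ports, then the open web port
    + [(110.0 + i / 10, "192.0.2.77", "10.0.0.7", p, "rst") for i, p in enumerate(range(1, 41))]
    + [(114.5, "192.0.2.77", "10.0.0.7", 80, "synack")]
)
KNOWN_OPEN = {"10.0.0.7": {22, 80}}   # what the host is supposed to serve


def detect_knocks(flows, known_open, window=10.0, min_knocks=2, max_knocks=8):
    """Flag a source that gets a SYN-ACK from a port outside the host's known-open
    set right after a handful of refused probes to the same host. A full port
    scan (more than max_knocks refusals) is left to the scan detector: it looks
    different and is noisy enough to be caught on its own."""
    by_pair = defaultdict(list)
    for rec in sorted(flows):
        by_pair[(rec[1], rec[2])].append(rec)
    alerts = []
    for (src, dst), recs in by_pair.items():
        refused = []                                  # (ts, port) the target answered with RST
        for ts, _, _, port, answer in recs:
            if answer == "rst":
                refused.append((ts, port))
                continue
            if answer != "synack" or port in known_open.get(dst, set()):
                continue
            recent = [p for t, p in refused if ts - t <= window]
            if min_knocks <= len(recent) <= max_knocks:
                alerts.append({"src": src, "dst": dst, "knock_sequence": recent,
                               "opened_port": port, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_knocks(SAMPLE_FLOWS, KNOWN_OPEN):
        print(f"{a['src']} -> {a['dst']}: knocked {a['knock_sequence']}, "
              f"then port {a['opened_port']} answered at t={a['ts']}")
```

The known-open table is doing the real work: a port that was closed and is now answering is the one observable a non-listening backdoor cannot hide from the wire, even though the host itself shows nothing until that moment.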

Page 32: Hacking Methodologies[1]

Entrenchment: Rootkits

Linux
LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz)
ADORE (http://online.securityfocus.com/tools/1490)
KNARK (http://online.securityfocus.com/tools/1163)

NT
NT Rootkit (http://www.rootkit.com/projects/ntroot/)
NULL.SYS (http://www.rootkit.com/projects/nullsys/)

Page 33: Hacking Methodologies[1]

Old School: Infiltration/Extraction

Install sniffers to monitor network traffic, gather usernames/passwords
Extract data from compromised systems
Compromise neighboring targets based on captured data or trust relationships

Page 34: Hacking Methodologies[1]

Professionals

Professional hackers, or ethical hackers, tend to follow this methodology:

Information Gathering
Probe
Attack
Advancement
Infiltration/Extraction

Page 35: Hacking Methodologies[1]

Professionals

Most often, professional ethical hackers rely on “Vulnerability Scanners” to perform their jobs.

Nessus
Retina by eEye
Network Associates CyberCop
H.E.A.T.
Internet Security Systems Internet Scanner
(see http://www.networkcomputing.com/1201/1201f1b1.html)

Page 36: Hacking Methodologies[1]

Professionals

Vulnerability Scanner Demo

Page 37: Hacking Methodologies[1]

“Skript Kiddies”

Page 38: Hacking Methodologies[1]

Skript Kiddies

Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology.

(See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic)

Exploit Selection
Target Selection
Attack

Page 39: Hacking Methodologies[1]


Page 40: Hacking Methodologies[1]

Skript Kiddies: Target Selection

Most target selection involves noisy scanners, often launched from Windows platforms
An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.

Page 41: Hacking Methodologies[1]

Skript Kiddies: Attack!

Unlike old-school attacks, Skript Kiddies’ tools are generally pre-compiled, or written in interpreted languages such as PERL
If an exploit needs to be built, most kiddies will not be able to get it working
If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical.

Page 42: Hacking Methodologies[1]

“Defacers”

Page 43: Hacking Methodologies[1]

Web Defacers

While “old school” methods are still in use, web defacers statistically own the hacking landscape

http://www.alldas.org

Page 44: Hacking Methodologies[1]


Page 45: Hacking Methodologies[1]

Defaced: Cap Gemini

Page 46: Hacking Methodologies[1]


Page 47: Hacking Methodologies[1]

Following web defacers

http://www.zone-h.com/en/defacements

Page 48: Hacking Methodologies[1]

Following web defacers

http://www.delta5.com.br/mirror/

Page 49: Hacking Methodologies[1]

Common Web Defacement Methodology

Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!

The web defacement methodology (again, often cyclical) is generally as follows:

Exploit Selection
Target Selection
Attack
Defacement

Page 50: Hacking Methodologies[1]

Web Defacement

Amateur defacers usually stick with one exploit and one target platform…

Page 51: Hacking Methodologies[1]


Page 52: Hacking Methodologies[1]

Defacer’s Search for Exploits

Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits

Page 53: Hacking Methodologies[1]

Defacer’s Target Selection

Armed with an exploit, most web defacers now seek vulnerable targets using various methods

Web searching
Netcraft
Netstat
Google

Host scanning
Nmap
Custom scanners

Page 54: Hacking Methodologies[1]

Defacer’s Target Selection: Web Searches

http://www.netcraft.com

Page 55: Hacking Methodologies[1]

Defacer’s Target Selection: Web Searches

Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn’t been explored in great detail.

http://johnny.ihackstuff.com/security/googledorks.shtml

Page 56: Hacking Methodologies[1]

Defacer’s Target Selection: Web Searches

Google query: intitle:”Index of” “Apache 1.3.11”

Here, Apache 1.3.11 servers are located through creative use of the Google search engine.
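The query above matches the server signature Apache prints at the foot of its directory listings. The same exploit-first selection, done from Server headers instead, as an added example that is not from the slides: start from the exploit's version range, keep the hosts whose banner falls inside it, and set aside the ones that gave nothing to match. The hostnames, response heads and the range 1.3.0 to 1.3.19 are constructed for illustration and say nothing about any real Apache advisory.

```python
"""Target selection the defacer's way: from an exploit's version range to the
hosts whose Server header falls inside it. Added example, not from the slides;
hostnames, headers and the version range are constructed."""
import re

SAMPLE_RESPONSES = {
    "www.host-a.test": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.11 (Unix)\r\nContent-Type: text/html\r\n\r\n",
    "www.host-b.test": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix) mod_ssl/2.8.10\r\n\r\n",
    "www.host-c.test": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
    "www.host-d.test": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",   # ServerTokens Prod
    "www.host-e.test": "HTTP/1.1 200 OK\r\n\r\n",                     # header removed entirely
}


def server_header(raw: str):
    """Pull the Server header out of a raw response head; None if absent."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def product_version(server):
    """'Apache/1.3.11 (Unix) ...' -> ('Apache', (1, 3, 11)). None when the banner
    carries no version, which is exactly what ServerTokens Prod buys the defender."""
    m = re.match(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)", server or "")
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def select_targets(responses: dict, product: str, lo: str, hi: str) -> dict:
    """Hosts running `product` with lo <= version <= hi, plus the hosts that gave
    nothing to match (the defender's side of the same table)."""
    lo_t = tuple(int(x) for x in lo.split("."))
    hi_t = tuple(int(x) for x in hi.split("."))
    hits, unknown = [], []
    for host, raw in responses.items():
        pv = product_version(server_header(raw))
        if pv is None:
            unknown.append(host)
        elif pv[0].lower() == product.lower() and lo_t <= pv[1] <= hi_t:
            hits.append(host)
    return {"candidates": sorted(hits), "no_version": sorted(unknown)}


if __name__ == "__main__":
    print(select_targets(SAMPLE_RESPONSES, "Apache", "1.3.0", "1.3.19"))
```

Read the `no_version` list as the mitigation: a host that advertises no version never makes it onto a defacer's candidate list built this way, whatever it is actually running.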

Page 57: Hacking Methodologies[1]

Defacer’s Target Selection: Web Searches

http://www.netstat.ru

Page 58: Hacking Methodologies[1]

Defacer’s Target Selection: Host Scanning

Nmap’s OS detection feature (-O) provides a decent guess as to the operating system of the target

Page 59: Hacking Methodologies[1]

Defacer’s Target Selection: Host Scanning

http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.

Page 60: Hacking Methodologies[1]

Defacer’s Attack

Once the target and the exploit are selected, the attacker launches the attack against the server.
If the attack fails, the attacker will often modify the attack and try again.

Page 61: Hacking Methodologies[1]

Questions?