8/14/2019 Hacking Methodologies[1]
http://slidepdf.com/reader/full/hacking-methodologies1 1/61
Hacking Methodologies
An overview of historical hacking approaches
Johnny Long
http://johnny.ihackstuff.com
Varied Approaches
“Old School”: Slow, careful, precise, invasive
“Pros”: Fast, careful, precise, sometimes invasive
“Skript Kiddies”: Slow, reckless, imprecise, invasive
“Defacers”: Fast, reckless, precise, mildly invasive
Old School
For years, information security pundits have followed and believed in a “hacking methodology” which described the steps a hacker classically followed when performing an attack.
That methodology followed these basic steps:
Information Gathering
Probe
Attack
Advancement
Entrenchment
Infiltration/Extraction
Old School: Information Gathering
Decide and discover which targets to attack
Often begin with a specific network or a specific company
Whois, nslookup queries
samspade.org
Search engines (“googlescanning”)
Old School: Probe
Scan specific targets for vulnerabilities
Search sweeping ranges of ports with a portscan (nmap)
Grab details such as service versions from the discovered ports, aka “banner grabbing” (netcat)
NT: Connect to and enumerate information from NetBIOS (enum)
Search the Internet for vulnerabilities based on versions of software found on targets
Old School: Probe
NMAP (http://www.insecure.org/nmap)
Superscan (http://www.webattack.com/get/superscan.shtml)
Nessus (http://www.nessus.org)
Whisker (http://sourceforge.net/projects/whisker/)
Netcat (http://www.atstake.com/research/tools/)
Enum (http://razor.bindview.com/tools/index.shtml)
THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d)
Old School: Probe
Nmap is used to scan the ports of the target system. Using the -O option would also report the operating system of the target.
Old School: Probe
Nmap’s guess at the operating system type
Old School: Probe
Some services listen behind RPC. rpcinfo can give us this info.
Old School: Attack
Gather compatible exploits
Compile exploits (if required)
Launch exploits against targets
Modify parameters, re-launch exploits (if required)
Old School: Attack
There are many different types of attacks, which can be broken down into several classifications.
The attacks are performed from one of two perspectives:
Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
Remote: The attacker exploits the target box without first gaining access to a command shell
Attacks: Input Validation
A process does not “strip” input before processing it, i.e. special shell characters such as semicolon and pipe symbols
An attacker provides data in unexpected fields, i.e. SQL database parameters
Attacks: Input Validation
Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)
“A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.”
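As an added example (not part of this deck), the two defects on the Input Validation slides rendered in C: a join message formatted with the server-controlled channel name as the format string, the Trillian class of bug, beside the fixed-format version, plus a check for the shell metacharacters the previous slide lists. Function names and the sample channel names are constructed for the example; the demo feeds only "%%" to the vulnerable path so it shows the interpretation happening without corrupting memory.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the Trillian bug class): the channel name, which the
 * IRC server controls, is used as the FORMAT argument, so printf-family code
 * interprets any '%' directive inside it. The demo only ever passes "%%",
 * which is harmless but proves the interpretation; "#%n%n%n" would write to
 * memory the caller never intended. GCC/Clang flag exactly this pattern with
 * -Wformat-security; the pragma silences it for the demonstration only. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_join_vulnerable(char *out, size_t cap, const char *channel)
{
    return snprintf(out, cap, channel);    /* attacker data as format string */
}
#pragma GCC diagnostic pop

/* Hardened: a literal format; the untrusted string is only ever a "%s"
 * argument, so its '%' characters are copied, never interpreted. */
int format_join_safe(char *out, size_t cap, const char *channel)
{
    return snprintf(out, cap, "%s", channel);
}

/* Counts '%' directives in attacker-controlled text: a guard in front of
 * legacy code, or a detection signature in logs (a real channel name has no
 * "%n"). "%%" counts as one directive because it is still interpreted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        n++;
        if (p[1] == '%') p++;              /* skip the second '%' of "%%" */
    }
    return n;
}

/* First bullet of the slide: input bound for a shell must not carry ';', '|'
 * and friends. Returns 1 if any is present. Rejecting is the "strip input"
 * approach the slide names; not invoking a shell at all (execv) is stronger. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$()<>\n") != NULL;
}

int main(void)
{
    char buf[64];
    format_join_vulnerable(buf, sizeof buf, "#100%%");   /* constructed sample */
    printf("vulnerable: %s\n", buf);                     /* #100%   interpreted */
    format_join_safe(buf, sizeof buf, "#100%%");
    printf("safe:       %s\n", buf);                     /* #100%%  copied */
    printf("directives in \"#%%n%%n%%n\": %d\n", count_format_directives("#%n%n%n"));
    printf("metachar in \"bob;date\": %d\n", has_shell_metachar("bob;date"));
    return 0;
}
```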
Attacks: Race Conditions
An attacker forces an action during a sensitive time window between two operations
A program checks to make sure output file “/tmp/temp_output” does not exist
The program wanders off and does other stuff…
An attacker quickly creates a symlink from “/tmp/temp_output” to “/etc/shadow”
The program writes to “/tmp/temp_output”, which clobbers “/etc/shadow”
Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
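The race on this slide, re-enacted as an added C example (not from the deck): the check-then-write pattern beside a single atomic O_EXCL|O_NOFOLLOW create, with a hook standing in for the program's "other stuff" so the symlink lands inside the window. It runs against a scratch directory and a stand-in "shadow" file that the example itself creates, never the real /tmp/temp_output or /etc/shadow; all function names are the example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: the check (access) and the use (open) are separate system calls.
 * 'other_work' stands in for "the program wanders off and does other stuff";
 * whatever sits at 'path' when open() finally runs is what gets written, and
 * O_CREAT without O_EXCL follows a symlink planted in between. Returns 0 if written. */
int write_output_vulnerable(const char *path, const char *data,
                            void (*other_work)(void *), void *arg)
{
    if (access(path, F_OK) == 0)           /* "does the file already exist?" */
        return -1;
    if (other_work) other_work(arg);       /* the race window */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: no separate check. O_EXCL makes the create atomic and fails with
 * EEXIST if anything (file or symlink) already occupies 'path'; O_NOFOLLOW
 * refuses to traverse a symlink there. The hook still runs, but there is no
 * longer a decision for it to invalidate. */
int write_output_hardened(const char *path, const char *data,
                          void (*other_work)(void *), void *arg)
{
    if (other_work) other_work(arg);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* errno is EEXIST or ELOOP */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Re-enactment of the slide in a scratch directory; nothing touches the real
 * /tmp/temp_output or /etc/shadow. The attacker acts inside the window. */
struct race { const char *link; const char *victim; };
static void attacker_plants_symlink(void *p)
{
    struct race *r = p;                    /* temp_output -> shadow */
    if (symlink(r->victim, r->link) != 0) perror("symlink");
}
static const char ORIGINAL[] = "root:CONSTRUCTED-HASH:0:0:::\n"; /* stand-in */
/* Returns 1 if the victim file was clobbered, 0 if intact, -1 on setup error. */
int simulate_symlink_attack(int hardened)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX", victim[300], link[300], buf[128];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/shadow", dir);
    snprintf(link, sizeof link, "%s/temp_output", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs(ORIGINAL, f);
    fclose(f);
    struct race r = { link, victim };
    (hardened ? write_output_hardened : write_output_vulnerable)
        (link, "program output\n", attacker_plants_symlink, &r);
    if (!(f = fopen(victim, "r"))) return -1;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    unlink(link); unlink(victim); rmdir(dir);
    return strcmp(buf, ORIGINAL) != 0;
}
int main(void)
{
    printf("vulnerable writer: victim %s\n", simulate_symlink_attack(0) ? "clobbered" : "intact");
    printf("hardened writer:   victim %s\n", simulate_symlink_attack(1) ? "clobbered" : "intact");
    return 0;
}
```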
Attacks: Environment Errors
An attacker makes a change to a program’s environment that was not expected
For example, a program relies on the UNIX environment variable $USER to determine who is running the program
An attacker changes this value to “root” before executing the program
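The $USER case on this slide carried through in C, as an added example not from the deck: the environment-trusting identity check beside one that asks the kernel for the uid, and a small re-enactment in which the process exports USER=root before deciding. Function names are the example's own; the uid-based check is the fix a defender would apply.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable: trusts $USER. The environment is inherited from whoever runs the
 * program, so in a setuid binary this hands the identity decision to the caller. */
const char *current_user_vulnerable(void)
{
    const char *u = getenv("USER");
    return u ? u : "(unset)";
}

int is_root_vulnerable(void)
{
    return strcmp(current_user_vulnerable(), "root") == 0;
}

/* Hardened: ask the kernel. The real uid comes from login/setuid, not from the
 * environment; the passwd lookup maps it back to a name for display. Falls back
 * to the bare uid when the account has no passwd entry (minimal containers). */
const char *current_user_hardened(void)
{
    static char numeric[32];
    struct passwd *pw = getpwuid(getuid());
    if (pw && pw->pw_name) return pw->pw_name;
    snprintf(numeric, sizeof numeric, "uid=%u", (unsigned)getuid());
    return numeric;
}

/* For a privilege decision compare the effective uid itself; a name derived
 * from any string is one more thing that can be tampered with. */
int is_root_hardened(void)
{
    return geteuid() == 0;
}

/* Re-enacts the slide: the attacker exports USER=root, then runs the program.
 * Returns 1 if the $USER-based check claims root while the uid says otherwise. */
int env_check_fooled(void)
{
    setenv("USER", "root", 1);             /* attacker's shell: export USER=root */
    return is_root_vulnerable() && !is_root_hardened();
}

int main(void)
{
    printf("check fooled by USER=root: %d\n", env_check_fooled());
    printf("$USER says  : %s (root? %d)\n", current_user_vulnerable(), is_root_vulnerable());
    printf("kernel says : %s (root? %d)\n", current_user_hardened(), is_root_hardened());
    return 0;
}
```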
Attack: Exploit Sites
SecurityFocus (http://www.securityfocus.com)
Packetstorm (http://packetstormsecurity.org)
New Order (http://neworder.box.sk/)
Hack in the Box (http://www.hackinthebox.org/)
phreak.org (http://www.phreak.org/archives/exploits/unix/)
Old School: Attack phases
The Attack is most often broken into several phases (perhaps running cyclically)
Locating Exploits
Getting Exploits
Modification of Exploits
Building Exploits
Testing Exploits
Running Exploits
Old School: Locating Exploits
Old School: Getting Exploits
The ‘wget’ program downloads the exploit to the attacker’s machine
Old School: Modifying Exploit
Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on our RedHat 7.2 attack box.
(-lsocket won’t work)
Old School: Building Exploit
Some exploits come complete with a Makefile, so a simple ‘make’ command is all that’s required to build the exploit.
Old School: Building Exploit
The make command successfully produces the exploit, in this case ‘automountdexp’
Old School: Testing Exploit
The ‘-h’ parameter shows the usage for this exploit.
Old School: Attack: Running Exploit
This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inet is restarted) a listening root shell is opened on port 31337.
Old School: Attack: Success!
The attacker connects to the 31337 port on the target and is greeted with a root prompt.
Old School: Advancement (optional)
If needed, gain further access to targets by further exploitation
Trojans
Local Exploits
The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits
Old School: Entrenchment
Modify targets to ensure future access
Backdoors
Rootkits
Entrenchment: Backdoors
Linux
Non-listening backdoor programs = No listening port!
SAdoor (http://cmn.listprojects.darklab.org/)
Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)
NT/2K
Fake GINA: Username and password interceptor (http://www.rootkit.com/projects/ginatroj/)
NTKap: Removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)
Entrenchment: Rootkits
Linux
LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz)
ADORE (http://online.securityfocus.com/tools/1490)
KNARK (http://online.securityfocus.com/tools/1163)
NT
NT Rootkit (http://www.rootkit.com/projects/ntroot/)
NULL.SYS (http://www.rootkit.com/projects/nullsys/)
Old School: Infiltration/Extraction
Install sniffers to monitor network traffic, gather usernames/passwords
Extract data from compromised systems
Compromise neighboring targets based on captured data or trust relationships
Professionals
Professional hackers, or ethical hackers, tend to follow this methodology:
Information Gathering
Probe
Attack
Advancement
Infiltration/Extraction
Professionals
Most often, professional ethical hackers rely on “Vulnerability Scanners” to perform their jobs.
Nessus
Retina by eEye
Network Associates CyberCop
H.E.A.T.
Internet Security Systems Internet Scanner
(see http://www.networkcomputing.com/1201/1201f1b1.html)
Professionals
Vulnerability Scanner Demo
“Skript Kiddies”
Skript Kiddies
Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology.
(See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic)
Exploit Selection
Target Selection
Attack
Skript Kiddies: Target Selection
Most target selection involves noisy scanners, often launched from Windows platforms
An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.
Skript Kiddies: Attack!
Unlike old-school attacks, Skript Kiddies’ tools are generally pre-compiled, or written in interpreted languages such as PERL
If an exploit needs to be built, most kiddies will not be able to get it working
If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical.
“Defacers”
Web Defacers
While “old school” methods are still in use, web defacers statistically own the hacking landscape
http://www.alldas.org
Defaced: Cap Gemini
Following web defacers
http://www.zone-h.com/en/defacements
Following web defacers
http://www.delta5.com.br/mirror/
Common Web Defacement Methodology
Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!
The web defacement methodology (again, often cyclical) is generally as follows:
Exploit Selection
Target Selection
Attack
Defacement
Web Defacement
Amateur defacers usually stick with one exploit and one target platform...
Defacer’s Search for Exploits
Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits
Defacer’s Target Selection
Armed with an exploit, most web defacers now seek vulnerable targets using various methods
Web searching
  Netcraft
  Netstat
  Google
Host scanning
  Nmap
  Custom scanners
Defacer’s Target Selection: Web Searches
http://www.netcraft.com
Defacer’s Target Selection: Web Searches
Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn’t been explored in great detail.
http://johnny.ihackstuff.com/security/googledorks.shtml
Defacer’s Target Selection: Web Searches
Google query: intitle:”Index of” “Apache 1.3.11”
Here, Apache 1.3.11 servers are located through creative use of the Google search engine.
Defacer’s Target Selection: Web Searches
http://www.netstat.ru
Defacer’s Target Selection: Host Scanning
Nmap’s OS detection feature (-O) provides a decent guess as to the operating system of the target
Defacer’s Target Selection: Host Scanning
http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.
Defacer’s Attack
Once the target and the exploit are selected, the attacker launches the attack against the server.
If the attack fails, the attacker will often modify the attack and try again.
Questions?