Hacking Methodologies
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Hacking Methodologies as PDF for free.
More details
- Words: 1,970
- Pages: 61
Ha cking Me thodolo gie s An overview of historical hacking approaches Johnny Long http://johnny.ihackstuff.com [email protected]
Va rie d Ap proaches “Old School”: Slow, careful, precise, invasive “Pros”: Fast, careful, precise, sometimes invasive “Skript Kiddies”: Slow, reckless, imprecise, invasive “Defacers”: Fast, reckless, precise, mildly invasive
Old sc hool For years, information security pundits have followed and believed in a “hacking methodology” which described the steps a hacker classically followed when performing an attack. That methodology followed the following basic steps:
Information Gathering Probe Attack Advancement Entrenchment Infiltration/Extraction
Ol d School : Inf ormat ion Gatheri ng Decide and discover which targets to attack Often begin with a specific network or a specific company
Whois, nslookup queries samspade.org Search engines (“googlescanning”)
Old Sc hool: Pr obe Scan specific targets for vulnerabilities Search sweeping ranges of ports with a portscan (nmap) Grab details such as service versions from the discovered ports aka “banner grabbing” (netcat) NT: Connect to and enumerate information from NETBios (enum) Search the Internet for vulnerabilities based on versions of software found on targets
Old Sc hool: Pr obe
NMAP ( http://www.insecure.org/nmap) Superscan (http://www.webattack.com/get/ superscan.shtml) Nessus: (http://www.nessus.org) Whisker: (http://sourceforge.net/projects/whisker/) Netcat: (http://www.atstake.com/research/tools/) Enum (http://razor.bindview.com/tools/index.shtml) THC-Probe ( http://www.thehackerschoice.com/download.php?t=r&d= )
Old Sc hool: Pr obe
Nmap is used to scan the ports of the target system. Using the –O option would also report the Operating System of the target.
Old Sc hool: Pr obe
Nmap’s guess at the operating system type
Old Sc hool: Pr obe
some services listen behind RPC. rpcinfo can give us this info.
Old Sc hool: At ta ck
Gather compatible exploits Compile exploits (if required) Launch exploits against targets Modify parameters, re-launch exploits (if required)
Old Sc hool: At ta ck There are many different types of attacks which can be broken down into several classifications. The attacks are performed from one of two perspectives: Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target Remote: The attacker exploits the target box without first gaining access to a command shell
At tacks: Bu ffer Overflo w Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system Local overflows are executed while logged into the target system Remote overflows are executed by processes running on the target that the attacker “connects” to
Result: Commands are executed at the privilege level of the overflowed program Example: SNMPXDMID overflow (Solaris 6-8) http://www.securityfocus.com/bid/2417
At tacks: I nput Va lid ation An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols An attacker provides data in unexpected fields, ie SQL database parameters
At tacks: I nput Va lid ation Example: Trillian IRC Module Format String Vulnerability ( http://online.securityfocus.com/bid/5388) “A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.”
At tacks: Ra ce Co nditio ns An attacker forces an action during a sensitive time window between two operations A program checks to make sure output file “/tmp/temp_output” does not exist The program wanders off and does other stuff… An attacker quickly creates a symlink from “/tmp/temp_output” to “/etc/shadow” The program writes to the “/tmp/temp_output” which clobbers “/etc/shadow” Example: RedHat Linux diskcheck ( http://online.securityfocus.com/bid/2050 )
At tacks: Enviro nme nt Er rors An attacker makes a change to a program’s environment that was not expected For example, a program relies on the UNIX environment variable $USER to determine who is running the program An attacker changes this value to “root” before executing the program
Attacks: Weak Passwords accounts with weak passwords are guessed by a remote attacker Accounts with weak passwords are cracked by attacker with access to a password database THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)
At tack: Ex plo it Sit es SecurityFocus: (http://www.securityfocus.com) Packetstorm: (http://packetstormsecurity.org) New Order: (http://neworder.box.sk/) Hack in the Box: (http://www.hackinthebox.org/ ) phreak.org (http://www.phreak .org/archives/exploits/unix/)
Old Sc hool: At ta ck phase s The Attack is most often broken into several phases (perhaps running cyclically) Locating Exploits Getting Exploits Modification of Exploits Building Exploits Testing Exploits Running Exploits
Old Sc hool: L ocatin g exploit s
Old Sc hool: L ocatin g exploit s
Old Sc hool: Ge tting Ex ploits
The ‘wget’ program downloads the exploit to the attacker’s machine
Old Sc hool: Mo difyi ng exploit
(-lsocket won’t work)
Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on out RedHat 7.2 attack box.
Old Sc hool: Bu il din g Ex ploit
Some exploits come complete with a Makefile, so a simple ‘make’ command is all that’s required to build the exploit.
Old Sc hool: Bu il din g Ex ploit
The make command successfully produces the exploit, in this case ‘automountdexp’
Old Sc hool: Te st ing Ex ploit
The ‘–h’ parameter shows the usage for this exploit.
Old Sc hool: At ta ck Ru nnin g Explo it
This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inet is restarted) a listening root shell is opened on port 31337.
Old Sc hool: At ta ck Su ccess!
The attacker connects to the 31337 port on the target and is greeted with a root prompt.
Old Sc hool: Ad vancement (optio nal)
If needed, gain further access to targets by further exploitation Trojans Local Exploits
The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits
Old Sc hool: En trenchme nt Modify targets to ensure future access
Backdoors Rootkits
En trenchme nt: Ba ckdoors Linux Non-listening backdoor programs = No listening port! SAdoor (http://cmn.listprojects.darklab.org/) Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)
NT/2K Fake GINA Username and password interceptor ( http://www.rootkit.com/projects/ginatroj/ )
NTKap Removes NT ACL protection ( http://www.rootkit.com/projects/ntkap/ )
En trenchme nt: Ro otkits Linux
LRK5: (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz) ADORE: (http://online.securityfocus.com/tools/1490 ) KNARK (http://online.securityfocus.com/tools/1163 )
NT NT Rootkit (http://www.rootkit.com/projects/ ntroot/) NULL.SYS ( http://www.rootkit.com/projects/nullsys/ )
Old Sc hool: Infilt ration/E xtr action Install sniffers to monitor network traffic, gather usernames/passwords Extract data from compromised systems Compromise neighboring targets based on captured data or trust relationships
Pr ofessio nals Professional hackers, or ethical hackers, tend to follow the following methodologies:
Information Gathering Probe Attack Advancement Infiltration/Extraction
Pr ofessio nals Most often, professional ethical hackers rely on “Vulnerability Scanners” to perform their jobs.
Nessus Retina by eeye Network Associates CyberCop H.E.A.T. Internet Security Systems Internet Scanner
(see http://www.networkcomputing.com/1201/1201f1b1.html)
Pr ofessio nals
Vulnerability Scanner Demo
“ Sk rip t Kiddies”
Sk rip t Ki ddie s Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic) Exploit Selection Target Selection Attack
Sk rip t Ki ddie s: Ex ploit Se le ctio n Nearly identical to the “Old School” method of locating exploits, skript kiddies generally use Search engines to locate exploits Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use.
Sk rip t Ki ddie s: Ta rget Se le ctio n Most target selection involves noisy scanners, often launched from Windows platforms An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.
Sk rip t Ki ddie s: At tack! Unlike old-school attacks, Skript Kiddies tools are generally pre-compiled, or written in interpretive languages such as PERL If an exploit needs to be built, most kiddies will not be able to get them working If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process noncyclical.
“ De facer s”
Web De facers While “old school” methods are still in use, web defacers statistically own the hacking landscape http://www.alldas.org
Pr ofil e o f a we b defa cer Handle: intrud3rm4n Age: 21 Group: Leader of ISOTK (In Search of the Knowledge!) Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements My favorite defacement:
http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/
Country of Origin: Brazil Language: Portuguese Favorite Hacking food: Hamburgers and Fries Favorite Hacking Music: Metallica =) Favorite exploit: whacking LINUX boxen Reason for defacing: FUN
De faced: Ca p Ge mini
Follo win g we b defa cers http://www.alldas.org
Follo win g we b defahttp://www.zone-h.com/en/defacements cers
Follo win g we b defa cers
http://www.delta5.com.br/mirror/
Common Me thodol
Web Def acement ogy
Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on it’s vulnerability to the exploit! The web defacement methodology (again, often cyclical) is generally as follows: Exploit Selection Target Selection Attack Defacement
Web De facement Amateur defacers usually stick with one exploit and one target platform,,,
De facer’s Ex plo it Se le ctio n
An attacker’s level of comfort with an Operating System will often decide the types of exploits used UNIX-based attackers often opt for C-based remote overflows Windows-based attackers often opt for perl-based remote overflows, visual basic tools, or command-line “net” commands Attackers with only browser-based experience or simplistic attackers seeking privacy through proxies will opt for URLbased attacks such as UNICODE or DECODE, Front Page exploits, or PHP-Nuke attacks
De facer’s Se arch for Ex ploits
Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits
De facer’s Ta rget Se le ctio n Armed with an exploit, most web defacers now seek for vulnerable targets using various methods Web searching
Netcraft Netstat Google
Host scanning Nmap Custom scanners
Defacer’ s Target Sele ctio n: Web Searches http://www.netcraft.com
Defacer’ s Target Sele ctio n: Web Searches Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn’t been explored in great detail. http://johnny.ihackstuff.com/security/googledorks.shtml
Defacer’ s Target Sele ctio n: Web Searches Google query: intitle:”Index of” “Apache 1.3.11”
Here, Apache 1.3.11 servers are located through creative use of the Google search engine.
Defacer’ s Target Sele ctio n: Web Searches
http://www.netstat.ru
De facer’s Ta rget Se le ctio n: Host Sc annin g Nmap’s OS detection feature (-O) provides a decent guess as to the operating system of the target
De facer’s Ta rget Se le ctio n: Host Sc annin g http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.
De facer’s At tack Once the target and the exploit are selected, the attacker launches the attack against the server. If the attack fails, the attacker will often modify the attack and try again.
Qu estio ns?
Va rie d Ap proaches “Old School”: Slow, careful, precise, invasive “Pros”: Fast, careful, precise, sometimes invasive “Skript Kiddies”: Slow, reckless, imprecise, invasive “Defacers”: Fast, reckless, precise, mildly invasive
Old sc hool For years, information security pundits have followed and believed in a “hacking methodology” which described the steps a hacker classically followed when performing an attack. That methodology followed the following basic steps:
Information Gathering Probe Attack Advancement Entrenchment Infiltration/Extraction
Ol d School : Inf ormat ion Gatheri ng Decide and discover which targets to attack Often begin with a specific network or a specific company
Whois, nslookup queries samspade.org Search engines (“googlescanning”)
Old Sc hool: Pr obe Scan specific targets for vulnerabilities Search sweeping ranges of ports with a portscan (nmap) Grab details such as service versions from the discovered ports aka “banner grabbing” (netcat) NT: Connect to and enumerate information from NETBios (enum) Search the Internet for vulnerabilities based on versions of software found on targets
Old Sc hool: Pr obe
NMAP ( http://www.insecure.org/nmap) Superscan (http://www.webattack.com/get/ superscan.shtml) Nessus: (http://www.nessus.org) Whisker: (http://sourceforge.net/projects/whisker/) Netcat: (http://www.atstake.com/research/tools/) Enum (http://razor.bindview.com/tools/index.shtml) THC-Probe ( http://www.thehackerschoice.com/download.php?t=r&d= )
Old Sc hool: Pr obe
Nmap is used to scan the ports of the target system. Using the –O option would also report the Operating System of the target.
Old Sc hool: Pr obe
Nmap’s guess at the operating system type
Old Sc hool: Pr obe
some services listen behind RPC. rpcinfo can give us this info.
Old Sc hool: At ta ck
Gather compatible exploits Compile exploits (if required) Launch exploits against targets Modify parameters, re-launch exploits (if required)
Old Sc hool: At ta ck There are many different types of attacks which can be broken down into several classifications. The attacks are performed from one of two perspectives: Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target Remote: The attacker exploits the target box without first gaining access to a command shell
At tacks: Bu ffer Overflo w Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system Local overflows are executed while logged into the target system Remote overflows are executed by processes running on the target that the attacker “connects” to
Result: Commands are executed at the privilege level of the overflowed program Example: SNMPXDMID overflow (Solaris 6-8) http://www.securityfocus.com/bid/2417
At tacks: I nput Va lid ation An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols An attacker provides data in unexpected fields, ie SQL database parameters
At tacks: I nput Va lid ation Example: Trillian IRC Module Format String Vulnerability ( http://online.securityfocus.com/bid/5388) “A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.”
At tacks: Ra ce Co nditio ns An attacker forces an action during a sensitive time window between two operations A program checks to make sure output file “/tmp/temp_output” does not exist The program wanders off and does other stuff… An attacker quickly creates a symlink from “/tmp/temp_output” to “/etc/shadow” The program writes to the “/tmp/temp_output” which clobbers “/etc/shadow” Example: RedHat Linux diskcheck ( http://online.securityfocus.com/bid/2050 )
At tacks: Enviro nme nt Er rors An attacker makes a change to a program’s environment that was not expected For example, a program relies on the UNIX environment variable $USER to determine who is running the program An attacker changes this value to “root” before executing the program
Attacks: Weak Passwords accounts with weak passwords are guessed by a remote attacker Accounts with weak passwords are cracked by attacker with access to a password database THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)
At tack: Ex plo it Sit es SecurityFocus: (http://www.securityfocus.com) Packetstorm: (http://packetstormsecurity.org) New Order: (http://neworder.box.sk/) Hack in the Box: (http://www.hackinthebox.org/ ) phreak.org (http://www.phreak .org/archives/exploits/unix/)
Old Sc hool: At ta ck phase s The Attack is most often broken into several phases (perhaps running cyclically) Locating Exploits Getting Exploits Modification of Exploits Building Exploits Testing Exploits Running Exploits
Old Sc hool: L ocatin g exploit s
Old Sc hool: L ocatin g exploit s
Old Sc hool: Ge tting Ex ploits
The ‘wget’ program downloads the exploit to the attacker’s machine
Old Sc hool: Mo difyi ng exploit
(-lsocket won’t work)
Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on out RedHat 7.2 attack box.
Old Sc hool: Bu il din g Ex ploit
Some exploits come complete with a Makefile, so a simple ‘make’ command is all that’s required to build the exploit.
Old Sc hool: Bu il din g Ex ploit
The make command successfully produces the exploit, in this case ‘automountdexp’
Old Sc hool: Te st ing Ex ploit
The ‘–h’ parameter shows the usage for this exploit.
Old Sc hool: At ta ck Ru nnin g Explo it
This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inet is restarted) a listening root shell is opened on port 31337.
Old Sc hool: At ta ck Su ccess!
The attacker connects to the 31337 port on the target and is greeted with a root prompt.
Old Sc hool: Ad vancement (optio nal)
If needed, gain further access to targets by further exploitation Trojans Local Exploits
The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits
Old Sc hool: En trenchme nt Modify targets to ensure future access
Backdoors Rootkits
En trenchme nt: Ba ckdoors Linux Non-listening backdoor programs = No listening port! SAdoor (http://cmn.listprojects.darklab.org/) Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)
NT/2K Fake GINA Username and password interceptor ( http://www.rootkit.com/projects/ginatroj/ )
NTKap Removes NT ACL protection ( http://www.rootkit.com/projects/ntkap/ )
En trenchme nt: Ro otkits Linux
LRK5: (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz) ADORE: (http://online.securityfocus.com/tools/1490 ) KNARK (http://online.securityfocus.com/tools/1163 )
NT NT Rootkit (http://www.rootkit.com/projects/ ntroot/) NULL.SYS ( http://www.rootkit.com/projects/nullsys/ )
Old Sc hool: Infilt ration/E xtr action Install sniffers to monitor network traffic, gather usernames/passwords Extract data from compromised systems Compromise neighboring targets based on captured data or trust relationships
Pr ofessio nals Professional hackers, or ethical hackers, tend to follow the following methodologies:
Information Gathering Probe Attack Advancement Infiltration/Extraction
Pr ofessio nals Most often, professional ethical hackers rely on “Vulnerability Scanners” to perform their jobs.
Nessus Retina by eeye Network Associates CyberCop H.E.A.T. Internet Security Systems Internet Scanner
(see http://www.networkcomputing.com/1201/1201f1b1.html)
Pr ofessio nals
Vulnerability Scanner Demo
“ Sk rip t Kiddies”
Sk rip t Ki ddie s Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic) Exploit Selection Target Selection Attack
Sk rip t Ki ddie s: Ex ploit Se le ctio n Nearly identical to the “Old School” method of locating exploits, skript kiddies generally use Search engines to locate exploits Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use.
Sk rip t Ki ddie s: Ta rget Se le ctio n Most target selection involves noisy scanners, often launched from Windows platforms An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.
Sk rip t Ki ddie s: At tack! Unlike old-school attacks, Skript Kiddies tools are generally pre-compiled, or written in interpretive languages such as PERL If an exploit needs to be built, most kiddies will not be able to get them working If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process noncyclical.
“ De facer s”
Web De facers While “old school” methods are still in use, web defacers statistically own the hacking landscape http://www.alldas.org
Pr ofil e o f a we b defa cer Handle: intrud3rm4n Age: 21 Group: Leader of ISOTK (In Search of the Knowledge!) Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements My favorite defacement:
http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/
Country of Origin: Brazil Language: Portuguese Favorite Hacking food: Hamburgers and Fries Favorite Hacking Music: Metallica =) Favorite exploit: whacking LINUX boxen Reason for defacing: FUN
De faced: Ca p Ge mini
Follo win g we b defa cers http://www.alldas.org
Follo win g we b defahttp://www.zone-h.com/en/defacements cers
Follo win g we b defa cers
http://www.delta5.com.br/mirror/
Common Me thodol
Web Def acement ogy
Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on it’s vulnerability to the exploit! The web defacement methodology (again, often cyclical) is generally as follows: Exploit Selection Target Selection Attack Defacement
Web De facement Amateur defacers usually stick with one exploit and one target platform,,,
De facer’s Ex plo it Se le ctio n
An attacker’s level of comfort with an Operating System will often decide the types of exploits used UNIX-based attackers often opt for C-based remote overflows Windows-based attackers often opt for perl-based remote overflows, visual basic tools, or command-line “net” commands Attackers with only browser-based experience or simplistic attackers seeking privacy through proxies will opt for URLbased attacks such as UNICODE or DECODE, Front Page exploits, or PHP-Nuke attacks
De facer’s Se arch for Ex ploits
Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits
De facer’s Ta rget Se le ctio n Armed with an exploit, most web defacers now seek for vulnerable targets using various methods Web searching
Netcraft Netstat Google
Host scanning Nmap Custom scanners
Defacer’ s Target Sele ctio n: Web Searches http://www.netcraft.com
Defacer’ s Target Sele ctio n: Web Searches Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn’t been explored in great detail. http://johnny.ihackstuff.com/security/googledorks.shtml
Defacer’ s Target Sele ctio n: Web Searches Google query: intitle:”Index of” “Apache 1.3.11”
Here, Apache 1.3.11 servers are located through creative use of the Google search engine.
Defacer’ s Target Sele ctio n: Web Searches
http://www.netstat.ru
De facer’s Ta rget Se le ctio n: Host Sc annin g Nmap’s OS detection feature (-O) provides a decent guess as to the operating system of the target
De facer’s Ta rget Se le ctio n: Host Sc annin g http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.
De facer’s At tack Once the target and the exploit are selected, the attacker launches the attack against the server. If the attack fails, the attacker will often modify the attack and try again.
Qu estio ns?
