How and Why the Hackers Do It

1
How and Why the Hackers Do It

• TSM 352

2
Good Guys vs Bad Guys

• New technologies provide new capabilities for
  both the trustworthy and the un-trustworthy
• As technologies evolve their capabilities must be
  explored on both sides
• The good guys develop techniques for defending
  and the bad guys develop techniques for attacking
• Then they both adjust to compensate for the other
• We see this in all forms of crime when
  fingerprinting was discovered, criminals started
  wearing gloves.

3
Know Thine Enemy

• In order to develop techniques to fight crime,
  the good guys must understand the crimes and how
  they are perpetrated.
• Learn hacking tools in order to learn how to
  defend against them
• Some hacker tools are more complex than the
  defense.
• Hackers continue to evolve their tools. There is
  no defense that is guaranteed against all future
  attacks. The only thing you can do is to adopt a
  solid defense strategy and NOT ASSUME you are
  safe.
• Never become complacent always watch for
  tell-tale signs.

4
A Hackers Mecca

• The Internet was developed in a trusting
  environment it was never intended for the
  masses.
• Obviously, that has changed because...
• It became a way to generate a lot of revenue
  whenever money is involved the masses will come
• It has received a lot of publicity
• Security is behind..
• Rapid deployment of the Internet
• Lack of a governing body
• The Legal profession is even further behind

5
Internet Security gets Attention

• Its every man for himself. So, the Internet
  criminal is living large.
• This is all starting to change. The main reason
  is that the Internet crime is hitting where it
  hurts in the pocketbook of global commerce.
• Network administrators are learning about the
  threats and starting to make adjustments.
• A whole new market niche is appearing for network
  and computer-security products as well as
  professionals.

6
Current Situation

• Security has become a major issue protocols are
  starting to evolve and new, more robust protocols
  are being developed.
• Most systems are easy to break into
• There are a tremendous number of vulnerabilities,
  as well as exploits for those vulnerabilities
  that are easy to get and easy to use
• Companies dont realize they are being attacked
• Companies dont report crimes for fear of
  embarrassment and lost reputation/business
• Companies have no policies which can be
  incorporated into network security
• Security through obscurity is still widely
  employed

7
Changes in the Wind

• Security awareness is climbing
• New defense techniques are emerging
• The security professional of the next 5 years
  will look very good
• There will be big money increases in security
  products and professionals over the next 5 years.
  
• The network security specialist will become a
  profession
• The hardest job of the security specialist will
  not be learning the technology it will be
  convincing the CEOs to spend money on security.

8
What is the Minimum?

• Invest in Prevention and Detection (in that
  order)
• Close the biggest holes first
• Raise the security level to stop the amateurs
• Use logs and examine logs
• Train Employees

9
Word of Caution

• You will be learning to use a number of exploit
  tools in this course.
• These tools should only be used in the lab
  environment not on systems/network for which
  you do not have approval.
• As a side note - it is much easier to learn about
  an exploit in a controlled environment

10
What is an Exploit?

• Gaining Access to a machine for which you do not
  have authorization
• Setting up a system to provide/simplify such
  access
• Taking a system offline
• Desensitizing Sensitive information (dumpster
  diving)

11
The Attack Process
12
Overview of the Attack Process

• Passive Reconnaissance listening/looking
• Active reconnaissance asking/probing
• Exploiting
• Gaining access through..
• OS attacks
• Application-level attacks
• Scripts
• Mis-configuration attacks
• Elevating of privileges
• Denial of Service
• Uploading programs Downloading Data
• Keeping access
• Backdoors
• New accounts
• Covering tracks

13
Passive Reconnaissance

• Information Gathering
• Company Web Sites
• Whois
• DNS Queries
• Chat rooms and BBSs
• Physical presence
• Dumpster Diving
• Sniffing

14
Passive Recon Defense

• Do not underestimate the amount of information
  that can be acquired this way
• The attacker does not really give clues to his
  investigation during passive recon
• The only defense possible at this point is to
  hope that too much information is not available.
• It is important that a company review what
  information is allowed to leak. This is one of
  the places where policy comes in.

15
Active Reconnaissance

• Active Probing
• ICMP Sweeps
• Scanning
• Port Scanning
• OS Fingerprinting
• Service software/version/patch level
  determination
• Network mapping
• This is the stage where the target can begin to
  react since the attacker is actively probing,
  there will be signs. Therefore the target has his
  first evidence

16
Exploiting

• Gaining access
• Elevation of Privileges
• Denial of Service (DoS)

17
Exploiting - Gaining Access

• Operating System Attacks
• Application-level attacks
• Scripts and sample program attacks
• Mis-configuration attacks
• The Key to defense here is to minimize each of
  these weaknesses

18
Operating System Attacks

• Default installs have too much enabled.
• This is a convenience to the software provider
  less calls to the help desk.
• The user does a default install and everything is
  already up and running.
• Even worse when user does an install everything
  which is probably the most common install.
• With improved security awareness, admins at least
  are not taking the full install approach

19
Application-level Attacks

• Take advantage of no/poor security found in most
  of todays application software.
• Programmers are pressed to release working code.
  Until just recently, consumers were not concerned
  with security of code just if it works.
• The most common in-security in a program is
  caused by failure to do two things
• Input Filtering to determine if information
  provided by the user is valid
• Error checking to avoid crashing

20
Scripts and Sample Program Attacks

• Scripts are used to perform minor tasks some
  sort of setup or initialization on a program.
• Sample files are often included on an install
  to provide an example for the user to work from.
  Web servers are notorious for this.
• The scripts and sample files are more of an
  afterthought than a detailed programming
  endeavor. Therefore they almost never consider
  security.
• A hacker can often use these scripts and sample
  files to help gain access to a system.
• Obviously, a secure installation would remove all
  such scripts and files.

21
Misconfiguration Attacks

• Service setup is often difficult
• Admin may make several stabs at it before being
  successful.
• Once working (for whatever reason), the admin is
  often off to another task rather than analyzing
  exactly what he has done, and even starting over
  to get it right.
• Always remove any un-needed services or software
  that way configuration of those items is not an
  issue
• Adequately estimate your time to accomplish an
  install/configure. Insure that you have been
  given adequate time.
• Misconfiguration is often a result of users being
  in a hurry to have something up and working and
  pressuring the network admin to get it up.

22
Elevating Privleges

• This is the technique of increasing your
  capabilities once access has been acquired.
• Often, it is a users account that is
  compromised. The idea is to elevate that user to
  a more capable account.

23
Denial of Service (DoS)

• Often the last resort for a frustrated hacker
• May be used directly to accomplish a couple of
  things
• Remove the system from online in order to pose as
  that system or perform an operation that the
  system wouldnt otherwise allow (if it was
  working properly)
• Prevent the system from offering/accessing
  network services. This is often just a spite or
  vandal action, but could also be used by a
  competitor.
• DoSs are difficult to prevent, but their impact
  can be subdued with proper techniques.

24
Uploading Programs

• Means hacker-to-target
• Provides future access keeping access
• Provides technique for gathering more information
  (like an installed sniffer that reports back to
  you)
• Provides a platform to launch more attacks
  (locally or remotely)

25
Downloading Data

• Means target-to-hacker
• This is the theft category.
• Most often downloaded are password files
• This allows the hacker to work offline

26
Covering Tracks

• At this point the admin is starting to lose any
  chance of discovering the hackers identity or
  even the damage in many cases
• Logging is the key to discovering hacker
  activity. It is one of the first things that a
  good hacker will disable.
• Checksums are a good defense.

27
Types of Attacks
28
Session Hijacking

• It is easier to sneak in as a legitimate user
  than to break in
• Find an established session and take over it
  after user has gained access
• Simple in idea, but complex in practice
  extremely difficult over the Internet a little
  easier on a LAN

29
Spoofing

• The act of impersonating or assuming an identity
• Could be at a number of levels login, MAC
  address, IP address, even service or application
• Used for exploiting trust relationships which
  are often based on something the user has or
  knows. Has would be their IP address for
  example. Knows would be their password or other
  key information. Spoofing is usually reserved for
  the knows.

30
Relaying

• Where an attacker relays or bounces his traffic
  through a third partys machine to disguise the
  attack.
• This could be to indirectly attack the relay
  agent or simply to shield the attack on the end
  point.
• Typical example is email relaying to avoid the
  true return address going in the email.

31
Viruses and Trojan Horses

• Any program that has affects other than those
  expected by the end user is really a virus. A
  Trojan Horse is just a special case of a virus.
• Trojan horses are probably the easiest and one of
  the most powerful exploits to use.
• Require target to run a program on their machine,
  should be detected by AV software. Unfortunately,
  MOST users are quite stupid when it comes to
  this.
• Client web software is a threat Outlook
  Express, for example
• Emphasizes the importance of running AV and
  keeping it current.

32
Sniffing

• One of the most powerful hacking techniques
  available.
• Limited to local traffic.
• Encryption is the only defense for sniffing.
• Sniffing Programs
• Vary from extremely simple, to very advanced.
• Most are also protocol analyzers and/or have
  specific purposes to sniff out a particular
  protocol, character string, or application. For
  example, there are password sniffers that
  simply look for passwords in the traffic.
• The simplest sniffer merely captures the traffic
  bit for bit and puts it into a file. This file
  can then be later analyzed.
• Work on the premise of putting the NIC into
  promiscuous mode. There are anti-sniff
  utilities available, but they do not absolutely
  identify a sniffer. Anti-sniffers generate
  traffic that the promiscuous mode NIC will
  respond to when it shouldnt

33
Broadcasts

• Limited to local networks.
• However, it is possible with some misconfigured
  routers to use one of these types of attacks over
  the Internet.
• The idea is to utilize the function of the
  broadcast address an address to which all
  machines are supposed to respond.
• ping
• The attacker would couple this with a spoof of
  the return address, so that all the replies would
  go to the target machine a type of DoS.
• Most TCP/IP stacks today are set to not respond
  to a ping broadcast address. However, any
  broadcast must be at least processed by all
  machines. Therefore, any broadcast (layer 2 or
  layer 3) will cause some sort of resource usage.

34
Resource Sharing Attacks

• For Windows, this is handled with SMB (server
  message block) protocol. With Linux/Unix it is
  handled with NIS/NFS. The two OSs can share
  together if xNix runs Samba.
• Includes printer sharing as well.
• These file sharing vulnerabilities can be
  exploited over the Internet, but the firewall
  should definitely block those ports which lead to
  file sharing services (135-139, and 445 on
  windows), 111, 513, 600x, etc on linux.
• Normally vulnerable due to poor passwords or IP
  trust relationships

35
Remote Control

• Remote control is just another term used to
  talk about Trojan Horses.
• Remote control programs typically use
  non-standard ports, which means the firewalls
  will block most traffic. On the other hand, most
  remote control exploits allow the attacker to
  specify a port, and he can merely chose a port
  that the firewall has open.

36
Local Attacks

• Shoulder Surfing
• Unlocked terminals
• Written passwords
• Unplugging machines - DoS (either power or
  network)
• Local logon

37
Offline Hacking

• Hackers often do most of their work offline. As
  long as they are offline, there is no chance that
  their activities will be noticed. They can work
  on information and files they have gathered
  during their online time
• Cracking password files (very time consuming)
• Cracking other encrypted files
• Studying the results from information gathering

38
Social Engineering

• Inference channel is a fancy term meaning that
  conclusions have been inferred from observations.
  Author gives a couple of examples, but basically
  it works like this you combine what you observe
  with what you already know to come to
  conclusions.
• Covert channel involves a trusted insider (a
  spy), who is providing the hacker with
  information, and/or access.

39
Three Basic Security Goals

• Confidentiality preventing disclosure of
  information
• Integrity preventing modifications of
  information
• Availability staying online