Hacker Techniques 3 (10/16/2018)

Chapter 3 Study Outline

I.The Profile and Motivation of a Hacker

A.Profile of a Hacker

1.A hacker is an intruder who breaks into computers.

B.Motivations of a hacker

1.Challenge

2.Greed

3.Malicious intent

II.Historical Hacking Techniques

A.Open Sharing

1.Early networked systems often shared files openly; hackers used this open file sharing to read information that they were not authorized to access.

a)In the case of UNIX systems, the Network File System (NFS) was used. NFS allows one computer to mount the drives of another computer across a network, so a file system exported to every host that can reach the server is readable by any attacker on that network.

2.Hackers also exploit vulnerabilities in system configurations to gain access to systems.

B.Bad Passwords

1.The most common method used by hackers to get into systems is through weak passwords.

2.Weak passwords include

a)Short passwords (fewer than four characters), which a hacker can brute-force by trying every possible combination.

b)Passwords that are easy to guess.
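As an added illustration of why short passwords fall to brute force (this is example code, not material from the chapter), the following C program enumerates every lowercase string up to a given length and stops when one hashes to a stolen value. It assumes a toy hash (FNV-1a, which is not a password hash) standing in for whatever the system stores, and lowercase-only passwords; the names toy_hash, keyspace, brute_force and crack_lowercase are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a is a stand-in for a real password hash (it is NOT one); only the
 * enumeration logic matters here. */
uint32_t toy_hash(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Size of the search space: every string over `base` symbols of length 1..max_len. */
uint64_t keyspace(int base, int max_len) {
    uint64_t total = 0, n = 1;
    for (int len = 1; len <= max_len; len++) {
        n *= (uint64_t)base;
        total += n;
    }
    return total;
}

/* Exhaustively try every string over `alphabet` of length 1..max_len, shortest
 * first, until one hashes to `target`. Returns the number of guesses made and
 * writes the recovered password to `out` ("" if nothing matched). */
uint64_t brute_force(uint32_t target, const char *alphabet, int max_len,
                     char *out, size_t out_len) {
    int base = (int)strlen(alphabet);
    int idx[16];                 /* digit positions of the odometer */
    char cand[17];
    uint64_t tries = 0;

    out[0] = '\0';
    if (max_len > 16) max_len = 16;
    for (int len = 1; len <= max_len; len++) {
        memset(idx, 0, sizeof idx);
        for (;;) {
            for (int i = 0; i < len; i++) cand[i] = alphabet[idx[i]];
            cand[len] = '\0';
            tries++;
            if (toy_hash(cand) == target) {
                snprintf(out, out_len, "%s", cand);
                return tries;
            }
            /* advance the odometer: the rightmost position changes fastest */
            int pos = len - 1;
            while (pos >= 0 && ++idx[pos] == base) {
                idx[pos] = 0;
                pos--;
            }
            if (pos < 0) break;      /* every string of this length tried */
        }
    }
    return tries;
}

/* Crack the hash of `secret` with a lowercase alphabet and at most max_len
 * characters. Returns the guesses needed, or 0 if the budget did not reach it. */
uint64_t crack_lowercase(const char *secret, int max_len) {
    char out[17];
    uint64_t tries = brute_force(toy_hash(secret), "abcdefghijklmnopqrstuvwxyz",
                                 max_len, out, sizeof out);
    return strcmp(out, secret) == 0 ? tries : 0;
}

int main(void) {
    /* constructed "stolen hashes": a three-letter and a six-letter password */
    printf("\"cat\" recovered after %llu guesses (lowercase keyspace to 3 chars: %llu)\n",
           (unsigned long long)crack_lowercase("cat", 3),
           (unsigned long long)keyspace(26, 3));
    printf("\"secret\" within the same budget: %llu (0 = not found)\n",
           (unsigned long long)crack_lowercase("secret", 3));
    printf("95 printable characters, 8 positions: %llu candidates\n",
           (unsigned long long)keyspace(95, 8));
    return 0;
}
```

A three-letter password is recovered after about two thousand guesses, and the whole lowercase space up to three characters is only 18,278 candidates; the same enumeration over 95 printable characters and eight positions has about 6.7 quadrillion. That ratio, not the choice of hash, is what makes the passwords on the list above weak.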

C.Programming Flaw

1.Hackers use programming flaws to gain unauthorized access to information or systems.

2.Programming flaws include

a)Back doors left in a program so that its author can gain access to the system later.

b)Missing input validation and verification, which lets the hacker feed the program data it never expected and so reach information it should protect.

D.Social Engineering

1.Social engineering is the use of non-technical means to gain unauthorized access to information or systems.

2.Instead of using vulnerabilities and exploit scripts, the hacker exploits human nature: the target is talked into revealing information or performing an action.

E.Buffer Overflows

1.A buffer overflow is an attempt to stuff more data into a region of a computer's memory than was set aside for it.

2.When a buffer overflow is exploited, the hacker supplies input that the program copies into a local variable (a buffer) stored on the stack.

a)The input is large enough to place the hacker's instructions on the stack and to overwrite the function's saved return address so that it points at those instructions; when the function returns, the instructions run.

b)These instructions allow the hacker access to the system in one of the following ways:

(1)By causing a shell program to run (providing interactive access).

(2)By causing another application to start.

(3)By changing a configuration file (such as inetd.conf).

3.The programmer prevents buffer overflows by checking the size of the user data before copying it into the fixed-size variable. Compiler and operating-system defenses (stack canaries, non-executable stacks, address-space randomization) make exploitation harder but do not remove the flaw.
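The vulnerable pattern from E.2 next to the size check from E.3, as an added C example that is not from the chapter: greet_unsafe() copies user input into a 16-byte stack buffer without measuring it; copy_checked() and greet_safe() refuse anything that does not fit. The buffer size, the function names and the attacker string are this example's assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the stack buffer; a value chosen for the example */

/* VULNERABLE: strcpy() stops only at the NUL byte of the input, so anything of
 * NAME_LEN bytes or more runs past name[] into whatever the compiler placed
 * above it on the stack, including the saved return address. Never call this
 * with untrusted input. */
void greet_unsafe(const char *user_input) {
    char name[NAME_LEN];
    strcpy(name, user_input);           /* no length check */
    printf("Hello, %s\n", name);
}

/* The fix the outline describes: measure the data before copying it into the
 * fixed-size variable. Returns false and leaves dst untouched if it would not fit. */
bool copy_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_len)                   /* need room for n bytes plus the terminator */
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* HARDENED version of greet_unsafe(): rejects oversized input instead of
 * corrupting the stack. Returns true if the greeting was printed. */
bool greet_safe(const char *user_input) {
    char name[NAME_LEN];
    if (!copy_checked(name, sizeof name, user_input)) {
        fprintf(stderr, "rejected input of %zu bytes (max %d)\n",
                strlen(user_input), NAME_LEN - 1);
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

int main(void) {
    char attack[64];                    /* constructed attacker input: 63 'A's */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    greet_safe("alice");                /* fits: printed */
    greet_safe(attack);                 /* 63 bytes into a 16-byte buffer: rejected */
    /* greet_unsafe(attack) would overwrite the saved return address with 0x41
     * bytes; with those bytes replaced by the address of attacker-supplied
     * code, the function "returns" into it. Deliberately not executed here. */
    return 0;
}
```

Whether an overlong input that reaches greet_unsafe() lands on the saved return address depends on the compiler's stack layout, which is why the example never runs it; the length check does not depend on layout at all, which is the point.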

F.Denial of Service

1.Single-source denial-of-service attacks

a)Single-source attacks are DoS attacks in which a single system is used to deny a legitimate user access to a system, network, application, or information. The classic example is the SYN flood:

(1)The source system sends a large number of TCP SYN packets to the target system.

(2)It ignores the TCP SYN ACK packet received from the target system and continues to send SYN packets.

(3)The source system does not send the final TCP ACK packet.

(4)Eventually, the target’s pending connection buffer fills up and it can no longer respond to new connection requests.

(5)The simplest defense against a SYN flood is to put a timer on each pending connection and expire it after some amount of time. Several network devices can also identify SYN floods. Neither measure always succeeds in protecting systems from a SYN flood. (Modern TCP stacks also use SYN cookies, which let the server answer a SYN without keeping state for the half-open connection.)

b)The Ping of Death was another single-source denial-of-service attack.

(1)The Ping of Death sent a ping (ICMP echo request) packet carrying far more data than normal, fragmented so that the reassembled packet exceeded the 65,535-byte maximum size of an IP packet. A normal ping carries only a small payload, and systems that did not check for the oversized case crashed or rebooted when they reassembled it.

2.Distributed denial-of-service attacks

a)Distributed DoS attacks (DDoS) are simply DoS attacks that originate from a large number of systems.

b)DDoS attacks are usually controlled by a single hacker from a single master system that directs the many attacking systems.

c)A Smurf attack is a simple DDoS in which

(1)The hacker sends a ping packet to the broadcast address of a large network with the source address spoofed to that of the target, so every host on that network sends its reply to the target; a single packet is thus amplified into hundreds of responses.

d)The more advanced DDoS attacks use attack tools like Trinoo, Tribal Flood Network, Mstream, and Stacheldraht.

III.Advanced Hacking Techniques

A.Sniffing Switched Networks

1.Sniffers generally work well on shared media networks such as network hubs.

a)The sniffer places the network interface card (NIC) in promiscuous mode so that it gathers all packets on the network rather than only packets addressed to that NIC (or system).

2.It is difficult for sniffers to sniff traffic on a switched network.

a)In a switched environment, most packets are not sent to all systems but instead are transmitted only to the port of the destination system.

3.In order to sniff traffic in a switched environment, the hacker must do one of two things:

a)Convince the switch that the traffic of interest should be directed to the sniffer.

b)Cause the switch to send all traffic to all ports.

4.The following are methods that can be used to cause the switch to send the traffic to the sniffer:

a)ARP spoofing

b)MAC duplicating

c)DNS spoofing

5.The hacker can also use a sniffer if he can cause the switch to act like a hub.

a)A switch uses a limited amount of memory to store the mappings between MAC addresses and physical ports on the switch.

b)The hacker can cause the switch to send traffic for specific MAC addresses to all ports by filling the switch's memory with bogus addresses (MAC flooding); once the table is full, the switch can no longer learn where legitimate systems are and floods their frames like a hub.

6.The hacker must be directly attached to the switch in question for ARP spoofing, MAC duplicating, or MAC flooding. In the case of DNS spoofing, such a connection would certainly help as well.
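A model of what A.5 describes, added here as example code rather than taken from the chapter: a switch with a small forwarding table that learns source MACs and ages them out, and an attacker who floods it with fabricated addresses until the victims' entries cannot be relearned. The table size, ageing interval, port numbers and MAC values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define CAM_SIZE  8    /* toy table; real switches hold thousands of entries */
#define AGE_LIMIT 10   /* an entry not refreshed within this many frames is aged out */

typedef unsigned char mac_t[6];

struct cam_entry { mac_t mac; int port; int last_seen; int used; };

static struct cam_entry cam[CAM_SIZE];
static int now;   /* frame counter standing in for the switch's clock */

static void cam_reset(void) { memset(cam, 0, sizeof cam); now = 0; }

/* Age out entries that have not been refreshed recently (real switches do this on a timer). */
static void cam_expire(void) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (cam[i].used && now - cam[i].last_seen > AGE_LIMIT) cam[i].used = 0;
}

static struct cam_entry *cam_find(const mac_t mac) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (cam[i].used && memcmp(cam[i].mac, mac, 6) == 0) return &cam[i];
    return NULL;
}

/* Source-address learning: refresh an existing entry or take a free slot.
 * When the table is full the new MAC is simply not learned. */
static void cam_learn(const mac_t mac, int port) {
    struct cam_entry *e = cam_find(mac);
    if (!e) {
        for (int i = 0; i < CAM_SIZE && !e; i++)
            if (!cam[i].used) e = &cam[i];
        if (!e) return;
        memcpy(e->mac, mac, 6);
        e->used = 1;
    }
    e->port = port;
    e->last_seen = now;
}

/* Switch one frame. Returns the egress port, or -1 when the switch has no
 * entry for the destination and floods the frame out of every port. */
int switch_frame(const mac_t src, int in_port, const mac_t dst) {
    now++;
    cam_expire();
    cam_learn(src, in_port);
    struct cam_entry *e = cam_find(dst);
    return e ? e->port : -1;
}

/* Hosts A (port 0) and B (port 1) exchange frames; then an attacker on port 3
 * sends `attacker_frames` frames, each from a new fabricated source MAC.
 * Returns where the switch then sends A's next frame to B: 1 means unicast to
 * B's port, -1 means flooded to every port, the attacker's sniffer included. */
int run_scenario(int attacker_frames) {
    const mac_t a = { 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa };
    const mac_t b = { 0x02, 0x00, 0x00, 0x00, 0x00, 0xbb };
    const mac_t nobody = { 0x02, 0x00, 0x00, 0x00, 0x00, 0xee };  /* never-learned destination */
    cam_reset();
    switch_frame(a, 0, b);            /* B unknown yet: flooded; A learned on port 0 */
    switch_frame(b, 1, a);            /* B learned on port 1; delivered to A */
    for (int i = 0; i < attacker_frames; i++) {
        mac_t bogus = { 0x02, 0x66, 0x00, 0x00, (unsigned char)(i >> 8), (unsigned char)i };
        switch_frame(bogus, 3, nobody);
    }
    return switch_frame(a, 0, b);
}

int main(void) {
    printf("no attack:      A->B goes to port %d\n", run_scenario(0));
    printf("5 bogus MACs:   A->B goes to port %d\n", run_scenario(5));
    printf("40 bogus MACs:  A->B goes to port %d (flooded)\n", run_scenario(40));
    return 0;
}
```

With no attacker, A's frame to B is switched to port 1 only; after forty bogus addresses the table holds nothing but the attacker's entries, A can no longer be learned, B's entry has aged out, and the frame is flooded to every port. A real switch's table is far larger and ages entries on a timer of minutes, so the attacker must sustain the flood; port-security limits on the number of MACs learned per port defeat it.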

B.IP Spoofing

1.Hackers often modify the IP addresses in a packet to hide their location.

2.It is difficult to establish a TCP connection with a spoofed IP address because the return packets (such as the SYN ACK packet in a TCP connection) will not return to the sending machine.

3.IP spoofing is possible because the IP protocol does not verify that the source address placed in a packet belongs to the system that sent it.

4.Details of an IP Spoofing Attack

a)The hacker determines the increment used in the ISNs by making a series of legitimate connections to the target and noting the ISNs that are returned.

b)The hacker then sends a SYN packet with the source address of a system the target trusts. The target's SYN ACK goes to the trusted system, not to the hacker.

c)The hacker completes the handshake blind by sending an ACK that acknowledges the predicted ISN (the last observed ISN plus the increment), and can then send data as if it came from the trusted system.

5.Using IP Spoofing in the Real World

a)If a system can be found that has a trust relationship with another system and that is in a network that a hacker can reach, IP spoofing may be used to gain access to a system.
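The exchange behind B.4 and B.5, modelled in C as an added example (not the chapter's material): a target whose ISN grows by a fixed amount per connection, an attacker that probes it from its own address to learn the step, then sends a SYN with the trusted host's address and completes the handshake with the predicted ISN without ever seeing the SYN ACK. The starting ISN, the step of 64000, and the names target_on_syn, learn_increment, spoofed_handshake and attack are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the target host's TCP ISN generator. Older stacks advanced the ISN
 * by a fixed amount for every new connection (64000 here is a constructed
 * value); a modern stack randomises it. One half-open connection is tracked. */
struct target {
    uint32_t next_isn;
    uint32_t step;
    int randomized;
    uint32_t pending_isn;   /* ISN of the connection awaiting its final ACK */
    int pending;
};

/* Target receives a SYN: chooses an ISN and answers with a SYN-ACK carrying it. */
uint32_t target_on_syn(struct target *t) {
    uint32_t isn;
    if (t->randomized) {
        isn = (uint32_t)rand() * 2654435761u;   /* stand-in for a real random ISN */
    } else {
        isn = t->next_isn;
        t->next_isn += t->step;                 /* wraps modulo 2^32 like TCP */
    }
    t->pending_isn = isn;
    t->pending = 1;
    return isn;
}

/* Target receives the final ACK: the connection is established only if the
 * acknowledgement number equals its ISN + 1. */
int target_on_ack(struct target *t, uint32_t ack) {
    if (!t->pending) return 0;
    t->pending = 0;
    return ack == t->pending_isn + 1;
}

/* Attacker step 1 (the outline's 4.a): open `probes` legitimate connections
 * from the attacker's own address and record the ISNs. Returns 1 and the
 * constant increment if every consecutive pair differs by the same amount. */
int learn_increment(struct target *t, int probes, uint32_t *last, uint32_t *step) {
    if (probes < 2) return 0;
    uint32_t prev = target_on_syn(t);
    target_on_ack(t, prev + 1);        /* attacker sees this SYN-ACK, so it completes normally */
    uint32_t d = 0;
    for (int i = 1; i < probes; i++) {
        uint32_t cur = target_on_syn(t);
        target_on_ack(t, cur + 1);
        if (i == 1) d = cur - prev;
        else if (cur - prev != d) return 0;     /* not predictable by this method */
        prev = cur;
    }
    *last = prev;
    *step = d;
    return 1;
}

/* Attacker step 2 (4.b and 4.c): SYN with the trusted host's address as source.
 * The SYN-ACK goes to the trusted host, so the attacker never sees the ISN and
 * must send an ACK built from the prediction. Returns 1 if the target accepted it. */
int spoofed_handshake(struct target *t, uint32_t last, uint32_t step) {
    uint32_t unseen_isn = target_on_syn(t);     /* delivered to the trusted host, not the attacker */
    (void)unseen_isn;
    uint32_t predicted = last + step;
    return target_on_ack(t, predicted + 1);
}

/* Whole attack against a target with a predictable (0) or random (1) ISN. */
int attack(int randomized) {
    struct target t = { .next_isn = 0x1a2b3c4du, .step = 64000u,
                        .randomized = randomized, .pending_isn = 0, .pending = 0 };
    uint32_t last, step;
    if (!learn_increment(&t, 4, &last, &step)) return 0;
    return spoofed_handshake(&t, last, step);
}

int main(void) {
    printf("predictable ISN: spoofed connection %s\n", attack(0) ? "ACCEPTED" : "rejected");
    printf("random ISN:      spoofed connection %s\n", attack(1) ? "ACCEPTED" : "rejected");
    return 0;
}
```

Against a target that randomises its ISN the probes show no constant step and the attack is abandoned, which is why modern stacks randomise it. The real attack also has to stop the trusted host from answering the unexpected SYN ACK with a reset, typically by SYN-flooding it first (see II.F), and it only pays off where, as B.5 says, the target grants access on the strength of the source address alone.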

IV.Malicious Code

A.Types of Malicious Code

1.The term “malicious code” actually covers three different types of programs:

a)Computer viruses

(1)Computer viruses are programs that piggyback on other executable programs.

(2)When the program that a virus is attached to is executed, the virus code is also executed and performs its actions.

(3) These actions normally include spreading itself to other programs or disks.

(4)Some viruses are malicious and delete files or cause systems to become unusable. Other viruses do not perform any malicious act except to spread themselves to other systems.

b)Trojan horse programs

(1)A Trojan horse is a complete and self-contained program that is designed to perform some type of malicious action.

(2)It presents itself as something that the user may have some interest in, such as a new capability or an e-mail the user wants to read.

(3)Most Trojan horse programs also contain mechanisms to spread themselves to new victims. (Strictly, a program that spreads on its own is a worm; such combinations are the hybrids described below.)

c)Worms

(1)A worm is a program that crawls from system to system without any assistance from its victims.

(2)The worm spreads on its own and replicates on its own.

d)Hybrids

(1) Hybrids are a combination of two types of malicious code in a single program. In other words, we are beginning to see programs that act like both worms and Trojan horses.

V.Methods of the Untargeted Hacker

A.Untargeted Hackers are individuals who are not looking for access to particular information or organizations, but instead are looking for any system that they can compromise.

1.The primary motivation of untargeted hackers appears to be the challenge of gaining access to systems.

B.Targets

1.Untargeted hackers look for any system they can find. There are not normally any pre-identified targets.

C.Reconnaissance

1.Some perform no reconnaissance and just begin the attack without even determining if the systems that are being attacked are actually on the network.

2.Internet Reconnaissance

a)The untargeted hacker will perform a stealth scan (also called an IP half scan or SYN scan) against a range of addresses to identify which systems are up and the services being offered on them. The scanner sends a SYN to each port and notes whether a SYN ACK (open) or RST (closed) comes back, then tears the attempt down with a RST rather than completing the handshake, so the application never sees or logs a connection.

(1)A ping sweep, often run first, is simply an attempt to ping each address and see if a response is received.

b)The hacker may also use a reset scan instead to identify the systems on the network. However, a reset scan cannot identify the services running on a system.

c) The hacker may also perform the reconnaissance in several steps.

(1)The hacker may choose a domain name (usually at random) and attempt to perform a zone transfer of DNS against this domain. A zone transfer lists all of the systems and IP addresses that DNS knows about in the domain. (Most DNS servers are now configured to refuse zone transfers to arbitrary hosts.)

(2)Taking this list, the hacker may then run a tool such as Queso or Nmap to identify the operating system of the potential targets.

(3)A stealth scan may be used to identify the services on the targets, and the final list may be used for the actual attacks.
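A detector for the two SYN-based patterns on this page, added as example code that is not from the chapter: the SYN flood of II.F.1.a (many SYNs from a source that never sends the final ACK) and the stealth or half-open scan of V.C.2.a (one SYN per port to many ports, torn down with a RST). It reads a constructed record format, "<flags> <src>:<sport> <dst>:<dport>", rather than real packet captures, and the thresholds, addresses and port numbers are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   32
#define MAX_PORTS 64
#define FLOOD_HALF_OPEN 5   /* thresholds are tuned for the sample; real ones depend on the link */
#define SCAN_PORTS      5

/* Per-source counters: SYNs sent, final ACKs sent, distinct destination ports. */
struct src_stats { char ip[16]; int syn, ack, nports; int ports[MAX_PORTS]; };

static struct src_stats stats[MAX_SRC];
static int nstats;

/* Look a source up by address; create it if `create` is set and there is room. */
static struct src_stats *get_src(const char *ip, int create) {
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].ip, ip) == 0) return &stats[i];
    if (!create || nstats == MAX_SRC) return NULL;
    struct src_stats *s = &stats[nstats++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, sizeof s->ip - 1);
    return s;
}

static void note_port(struct src_stats *s, int port) {
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port) return;
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = port;
}

/* One record "<flags> <src>:<sport> <dst>:<dport>", flags S (SYN), SA (SYN-ACK),
 * A (ACK) or R (RST). Returns 0 on success, -1 if the line does not parse. */
int ingest(const char *line) {
    char flags[8], src[16], dst[16];
    int sport, dport;
    if (sscanf(line, "%7s %15[^:]:%d %15[^:]:%d", flags, src, &sport, dst, &dport) != 5)
        return -1;
    struct src_stats *s;
    if (strcmp(flags, "S") == 0) {
        if (!(s = get_src(src, 1))) return -1;
        s->syn++;
        note_port(s, dport);
    } else if (strcmp(flags, "A") == 0) {
        if (!(s = get_src(src, 1))) return -1;
        s->ack++;
    }
    /* SA comes from the target and R from either side; neither counts against the client. */
    return 0;
}

/* 0 = normal client, 1 = SYN flood (many half-open connections, few ports),
 * 2 = half-open scan (SYNs to many ports, no handshake ever completed). */
int classify(const char *ip) {
    struct src_stats *s = get_src(ip, 0);
    if (!s) return 0;
    if (s->nports >= SCAN_PORTS && s->ack == 0) return 2;
    if (s->syn - s->ack >= FLOOD_HALF_OPEN) return 1;
    return 0;
}

/* Half-open connections summed over all sources: the number to watch when the
 * flood is distributed or source-spoofed and no single address stands out. */
int total_half_open(void) {
    int total = 0;
    for (int i = 0; i < nstats; i++) total += stats[i].syn - stats[i].ack;
    return total;
}

/* Constructed sample: a normal client, a SYN flooder and a half-open scanner.
 * Returns the number of distinct client sources seen. */
int load_sample(void) {
    char line[80];
    const int probed[] = { 21, 22, 23, 25, 80, 443 };
    nstats = 0;
    ingest("S 10.0.0.2:51000 192.168.1.10:80");
    ingest("SA 192.168.1.10:80 10.0.0.2:51000");
    ingest("A 10.0.0.2:51000 192.168.1.10:80");
    for (int i = 0; i < 6; i++) {        /* SYNs to port 80 whose SYN-ACKs are never answered */
        snprintf(line, sizeof line, "S 10.0.0.5:%d 192.168.1.10:80", 40001 + i);
        ingest(line);
        snprintf(line, sizeof line, "SA 192.168.1.10:80 10.0.0.5:%d", 40001 + i);
        ingest(line);
    }
    for (int i = 0; i < 6; i++) {        /* one SYN per port, then a RST instead of an ACK */
        snprintf(line, sizeof line, "S 10.0.0.9:55000 192.168.1.10:%d", probed[i]);
        ingest(line);
        snprintf(line, sizeof line, "R 10.0.0.9:55000 192.168.1.10:%d", probed[i]);
        ingest(line);
    }
    return nstats;
}

int main(void) {
    load_sample();
    for (int i = 0; i < nstats; i++)
        printf("%-10s syn=%d ack=%d ports=%d class=%d\n", stats[i].ip, stats[i].syn,
               stats[i].ack, stats[i].nports, classify(stats[i].ip));
    printf("half-open connections in total: %d\n", total_half_open());
    return 0;
}
```

Per-source counting catches a single-source flood and a scanner; a distributed or source-spoofed flood (II.F.2) shows up instead in total_half_open(), where no single address stands out but the aggregate keeps climbing.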

3.Telephone Reconnaissance

a)Wardialing is a method hackers use to identify potential victims: it finds systems that have modems and that answer incoming calls.

(1)A hacker will use a computer to dial a large number of phone numbers looking for a modem carrier.

(2)Once the modems are identified, a hacker may return to each in turn to see what program is answering.

4.Wireless Reconnaissance

a)Wardriving and warchalking are used to identify wireless networks.

(1)Wardriving means driving around with a computer and a wireless network adapter for the express purpose of identifying wireless networks. This usually includes the use of a GPS receiver to record the locations.

(2)Warchalking means that the hacker uses chalk marks on the curb or sidewalk outside of a building to indicate that an open wireless network exists at the location.

b)Once the wireless network is identified, the hacker can use the Internet connectivity to attack other sites.

c)This type of attack shields the hacker from being easily traced.

D.Attack Methods

1.The untargeted hacker will have a single exploit or a small group of exploits available.

2.Using the reconnaissance methods identified above, the hacker will look for systems that may be vulnerable to the available exploits.

3.When the systems are found, the exploits are used.

E.Use of Compromised Systems

1.Once a system is compromised, hackers normally place back doors on the system so they can access it again later.

2.Some hackers will close the vulnerabilities that they used to gain initial access to the system so that no other hacker can gain control of “their system.”

3.Hackers may copy the system’s password file back to some other system so that the passwords can be cracked. They will usually also load a password sniffer to capture passwords for other systems.

4.Once compromised, a system may be used to attack other systems or for reconnaissance probes.

VI.Methods of the Targeted Hacker

A.The Targeted Hacker

1.Targeted hackers are hackers who target a specific organization. They are motivated by a desire for something that organization has (usually information of some type).

2.In some cases, the hacker is choosing to do damage to a particular organization for some perceived wrong.

3.The skill level of targeted hackers tends to be higher than that for untargeted hackers.

B.Targets

1.The target of the attack is chosen for a reason.

a)The target might have information that is of interest to the hacker.

b)The target might be of interest to a third party who has hired the hacker to get some information.

2.The target is the organization, not necessarily just one system within the organization.

C.Reconnaissance

1.Address reconnaissance is simply the identification of the address space in use by the target organization.

2.Phone number reconnaissance

a)Directory assistance and contact information on the organization’s Web site can be used to identify the primary number for the target.

3.Wireless reconnaissance

a)The hacker may use wardriving or warchalking to determine if the target is using wireless technology.

4.System reconnaissance

a)System reconnaissance is used to identify which systems exist, what operating system they are running, and what vulnerabilities they may have.

5.Business reconnaissance

a)Understanding the business of the target is very important for the hacker.

b)The hacker wants to understand how the target makes use of computer systems and where key information and capabilities reside.

c)The hacker may use information about employees to use social engineering techniques.

6.Physical reconnaissance

a)Targeted hackers use physical reconnaissance extensively.

b)Often physical means allow the hacker to gain access to the information or system that he wants without the need to actually compromise the computer security of the organization.

D.Attack Methods

1.Electronic attack methods

a)The hacker first gathers information on all external systems and all connections to internal systems.

b)During the reconnaissance of the site, the hacker identifies likely system vulnerabilities.

c)Using known attack methods could trigger any intrusion detection system the organization has, so the hacker tries to avoid detection in a number of ways.

2.Physical attack methods

a)Physical attack methods that might be used by the hacker include

(1)Searching the organization’s trash for information.

(2)Social engineering attacks.

(3)Physical penetration of the site.

E.Use of Compromised Systems

1.The targeted hacker will use the compromised systems for his purpose while hiding his tracks as best he can.

2.Such hackers do not brag about their conquests.

3.The hacker may use one compromised system as a jumping-off point to gain access to more sensitive internal systems.

4.All of these attempts will be performed as quietly as possible so as to not alarm administrators.
