Chapter 6. Techniques Used by Hackers
Chapter Objectives
After reading this chapter and completing the exercises, you will be able to do the following:
Understand the basic methodology used by hackers
Be familiar with some of the basic hacking tools
Understand the hacking mentality
Introduction
In the preceding five chapters, we have explored computer security and various security breaches. In this chapter we will be exploring the techniques that hackers use to commit computer crimes. Before we go any further, it is important that you realize that many hackers are not criminals. A hacker is a person who wants to understand a system, often by probing its weaknesses. There are even hackers that work for organizations, testing the organization’s system security. This is called penetration testing. This is also often referred to as white hat hacking. There are several certifications for penetration testing:
Offensive Security has several penetration testing certifications: https://www.offensive-security.com/information-security-certifications/
SANS Institute has a penetration testing certification: http://pen-testing.sans.org/certification
The EC Council (www.eccouncil.org) has a certification for this: the Certified Ethical Hacker.
And there is the Professional Penetration Tester certification: www.professionalpentester.com/
There is also a magazine for such people called 2600 (www.2600.com). Many computer security professionals attempt to learn hacking techniques either to enhance their security capabilities or to simply satisfy their curiosity. The techniques themselves are not criminal. However, there are people who use hacking techniques to breach systems to steal data, damage systems, or commit other cyber crimes. These people are usually referred to as black hat hackers or crackers.
The techniques presented in this chapter are not only presented to give the reader an understanding of how black hat hackers work, but also provide a method whereby a network administrator can perform a penetration test on his own network. By attempting some of these techniques on your network, you can assess your vulnerability. It should be pointed out that you should only do this once you are very comfortable with the techniques in this chapter, and only with permission from senior management.
Basic Terminology
Before we can delve into the world of hacking, we need to discuss the basic terminology used in this community. We have already introduced you to the term white hat hacker, one who uses hacking techniques for legal/ethical purposes. And we have discussed the term black hat hacker or cracker, one who uses hacking techniques for illegal techniques.
There are a few other terms you should be familiar with. A gray hat hacker is one who was previously a black hat hacker and turned into a white hat hacker (basically, a former criminal now turned ethical). With the proliferation of tools on the Internet, there are also a lot of people who download some tools (we will examine some of these in this chapter) and perform some cyber attack, without really understanding it. These people are termed script kiddies (also sometimes spelled kiddy’s). Another important term is phreaking. This refers to hacking into phone systems. Hacking of phone systems actually predates hacking computer systems.
The Reconnaissance Phase
Any intelligent/experienced hacker is going to attempt to find out information about a target before actually attempting an attack. Just as a bank robber would want to know about a bank’s alarm systems, number of guards, police response time, and so on, a black hat hacker will want to know about your system’s security. What may surprise you is how much information can be found easily on the Internet, without even attaching to the target system.
Passive Scanning Techniques
One of the easiest things a hacker can do is check the target organization’s websites. It is common for businesses to put information up that can be very useful to an attacker. For example, let’s assume company XYZ lists John Doe as its IT manager. An enterprising hacker scans bulletin boards and discussion groups for references to John Doe at XYZ. That attacker might find information useful in spear phishing attacks (phishing targeted at a specific individual or group of individuals), or the attacker might find information useful in social engineering. For example, a number of former employees complain that John Doe is demanding and quick to fire people. Then an enterprising hacker could call someone at XYZ claiming to be working for John Doe. The hacker claims he is trying to log on remotely to that person’s computer to update that person’s system. After a few moments, the hacker tells the person he forgot the password John Doe gave him and is very concerned he will get fired if he doesn’t complete this assignment; then he asks that person for his password. The information the attacker gleaned from the Web gave him enough information to make this social engineering attack plausible.
It is also possible for an attacker to scan bulletin boards, chat rooms, discussion groups, and more looking for questions from IT staff at the target organization. For example, if an administrator posts in a discussion group asking about a particular server problem, this can give the attacker valuable information about that target network.
Another way attackers can use the Web to find out information about a target is through job ads. For example, if a company routinely advertises for ASP.NET developers and never for PHP or Perl, then it is likely that the company’s web applications are developed with ASP.NET running on a Windows web server (Internet Information Services). This can allow the attacker to focus only on a small group of possible attacks (those against ASP.NET/Windows). Other information can be garnered from job ads. For example, if a small company, less than 200 employees, has an advertisement for a network administrator twice a year, it is more likely that the last administrator is no longer with them. A small company would not need multiple administrators. Knowing the current administrator is new means she is not as familiar with her own systems. Also, if this trend of advertising for new administrators extends over a couple of years, it means the company has high turnover and there is some problem the attacker may be able to exploit.
There are also specific websites that provide information an attacker may find useful. The first such website is netcraft.com, shown in Figure 6.1. This website provides information about websites. For example, you can find out what kind of server a site is running, and in some cases how long it has been since it was last rebooted.
FIGURE 6.1 www.netcraft.com.
Another site that can be useful for attackers is https://archive.org. This site, shown in Figure 6.2, archives older versions of websites. The server scours the Web archiving sites. The frequency with which a site is archived depends on its popularity.
FIGURE 6.2 www.archive.org.
Active Scanning Techniques
The previously mentioned techniques are all considered passive, as they do not require the attacker to connect to the target system. Since the attacker is not actually connecting to the target system, it is impossible for an intrusion detection system (IDS) to detect the scan. Active scans are far more reliable but may be detected by the target system. There are a few types of active scans.
Port Scanning
Port scanning is the process of attempting to contact each network port on the target system and see which ones are open. There are 1,024 well-known ports that are usually associated with specific services. For example, port 161 is associated with Simple Network Management Protocol. If an attacker detects port 161 open on the target system, he might decide to try SNMP-related attacks. Even more information can be derived from a port scan. For example, ports 137, 138, and 139 are all associated with NetBIOS, a very old Windows method of network communication, not used in Windows anymore. However, NetBIOS is often used for systems where Windows machines need to communicate with Linux machines. So discovering those ports open reveals something about the target network.
A simple Google search for port scanner will reveal a host of well-known, widely used, and often free port scanners. However, the most popular port scanner in the hacking and security community is the free tool Nmap (https://nmap.org/). There is a Windows version of it, shown in Figure 6.3.
Nmap allows you to customize your scan making it more or less stealthy, and targeting certain systems. The most common types of scans are listed here:
Ping scan: This scan simply sends a ping to the target port. Many network administrators block incoming ICMP packets for the purpose of stopping ping scans.
Connect scan: This is the most reliable scan, but also the most likely to be detected. With this type of scan a complete connection is made with the target system.
SYN scan: This scan is very stealthy. Most systems accept SYN (Synchronize) requests. This scan is similar to the SYN flood DoS attack described in Chapter 4, “Denial of Service Attacks.” In this scan you send a SYN packet but never respond when the system sends a SYN/ACK. However, unlike the DoS SYN flood, you only send one packet per port. This is also called the half-open scan.
FIN scan: This scan has the FIN flag, or connection finished flag set. This is also not an unusual packet for systems to receive, so it is considered stealthy.
Each of these scans provokes a different response on the target machine and thus provides different information to the port scanner:
With a FIN scan or an XMAS scan, if the target port is closed, the system sends back an RST flag packet (RST means reset). If it is open, there is no response.
With a SYN scan, if the port is closed, the response is an RST; if it is open, the response is a SYN/ACK.
ACK scans and NULL scans only work on UNIX systems.
Nmap also lets you set a number of flags (either with the command-line version of Nmap or the Windows version) that customize your scan. The allowed flags are listed here:
-O
Detects operating system
-sP
Is a ping scan
-sT
TCP connect scan
-sS
SYN scan
-sF
FIN scan
-sX
Xmas tree scan
-sN
NULL scan
-sU
UDP scan
-sO
Protocol scan
-sA
ACK scan
-sW
Windows scan
-sR
RPC scan
-sL
List/DNS scan
-sI
Idle scan
-Po
Don’t ping
-PT
TCP ping
-PS
SYN ping
-PI
ICMP ping
-PB
TCP and ICMP ping
-PM
ICMP netmask
-oN
Normal output
-oX
XML output
-oG
Greppable output
-oA
All output
-T
Timing
Paranoid
-T 1
Sneaking
-T 2
Polite
-T 3
Normal
-T 4
Aggressive
-T 5
Insane
As you can see there are a number of options available to an attacker using Nmap. One can spend a lot of time just learning Nmap. There are, of course, a number of other port scanning tools. We have focused on Nmap because it is free and it is so widely used. It also is prominently figured on the EC Council Certified Ethical Hacker certification, GPEN (from SANS), and the Professional Penetration Tester Certification.
The settings are, for the most part, self-explanatory. Perhaps the timing warrants a bit more discussion. Timing involves how quickly to send scanning packets. Essentially, the faster you send packets, the more likely the scan is to be detected.
Here is the most basic Nmap scan:
nmap 192.168.1.1
Scan a range of IP addresses:
nmap 192.168.1.1-20
Scan to detect operating system, use TCP scan, and use sneaky speed:
nmap -O -PT -T1 192.168.1.1
Vulnerability Assessment
Vulnerability assessment is checking a system to see if it is vulnerable to specific attacks. These tools can be used by attackers to assess your system; however, they are designed to allow you to assess your system. These tools are not particularly stealthy and thus will probably be detected by an intrusion detection system. In fact, vulnerability assessment tools are commonly used by network administrators to test their own networks. These tools will be covered in Chapter 11, “Network Scanning and Vulnerability Scanning.”
Enumeration
Another technique that is popular before the actual attack is enumeration. Enumeration is simply the process of finding out what is on the target system. If the target is an entire network, then the attacker is trying to find out what servers, computers, and printers are on that network. If the target is a specific computer, then the attacker is trying to find out what users and shared folders exist on that system.
A simple Google search will help you find a number of enumeration tools. One of the easiest to use is Cain and Abel, shown in Figure 6.4.
Cain and Abel can do a lot more than just enumeration, but for our purposes that is what we are focusing on here. For enumeration, simply click on the Network tab and you will find all machines connected to the network you are on. This obviously requires some level of access before you can enumerate the target network.
A few other enumeration tools that are popular with hackers and can easily be found on the Internet are
Sid2User
Cheops (Linux only)
UserInfo
UserDump
DumpSec
Netcat
NBTDump
This is not an exhaustive list, but it includes some of the most widely used enumeration tools.
To defend against scanning, you should use the following techniques:
Be careful how much information you put on the Internet about your organization and its network.
Make it a company policy that technical personnel who use bulletin boards, chat rooms, and so on for technical data must not use their real name or reveal the company’s name.
Use an IDS that detects many scans.
Block incoming Internet Control Message Protocol (ICMP) packets.
These won’t make scanning and reconnaissance impossible on your system, but they will make certain the attacker gathers significantly less information.
Actual Attacks
Now that we have discussed how attackers scan a target system, let’s look at a few attacks that are commonly used. Obviously this won’t be an exhaustive list, but it will provide you some insight into the attack methodologies used. In Chapter 4 we discussed denial of service (DoS) attacks and some tools used to cause these attacks. In this section we will look at other sorts of attacks and the techniques and tools used to make them happen.
SQL Script Injection
This may be the most popular attack on websites. In recent years, more websites have taken steps to ameliorate the dangers of this attack; unfortunately, all too many websites are susceptible. This attack is based on passing structured query language commands to a web application and getting the website to execute them.
Before we can discuss SQL injection, we must talk about SQL and relational databases. Relational databases are based on relations between various tables. The structure includes tables, primary and foreign keys, and relations. A basic description can be summarized with the following points:
Each row represents a single entity.
Each column represents a single attribute.
Each record is identified by a unique number called a primary key.
Tables are related by foreign keys. A foreign key is a primary key in another table.
You can see these relations in Figure 6.5.
All relational databases use Structured Query Language (SQL). SQL uses commands such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others. At least the basic queries are very easy to understand and interpret.
The way the most basic SQL injection works is this. Many websites/applications have a page where users enter their username and password. That username and password will have to be checked against some database to see if they are valid. Regardless of the type of database (Oracle, SQL Server, MySQL), all databases speak SQL. SQL looks and functions a great deal like English. For example, to check a username and password, you might want to query the database and see if there is any entry in the users table that matches that username and password that was entered. If there is, then you have a match. The SQL statement might look something like this:
'SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'letmein'
The problem with this, while it is valid SQL, is that we have hard coded the username and password. For a real website, we would have to take whatever the user entered into the username field and password field and check that. This can be easily done (regardless of what programming or scripting language the website is programmed in). It would look something like this:
'SELECT * FROM tblUsers WHERE USERNAME = '" + txtUsername.Text +' AND PASSWORD = '" +
txtPassword.Text +"'" .
If you enter username 'jdoe' and password 'letmein', this code produces the following SQL command:
SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'letmein'
Now if there is a username jdoe in tblUsers, and the password for it is letmein, then this user will be logged on. If not, then an error will occur.
SQL injection works by putting some SQL into the username and password block that is always true. For example, suppose you enter 'OR X=X' into the username and password boxes. This will cause the program to create this query:
SELECT * FROM tblUsers WHERE USERNAME = ''OR X=X' AND PASSWORD = ''OR X=X'
Notice that we start with a single quotation mark (') before the OR X=X. This is to close the open quote the attacker knows must be in the code. And if you see '', that essentially is a blank or null. So what we are telling the database is to log us in if the username is blank, or if X=X, and if the password is blank, or if X=X. If you think about this for a second, you will see that X always equals x, so this will always be true.
There is no significance to 'OR X=X'; it is simply a statement that will always be true. Attackers try other similar statements, such as the following:
' or 'a' ='a
' or '1' ='1
' or (1=1)
This is only one example of SQL injection; there are other methods, but this is the most common. The defense against this attack is to filter all user input before processing it. This is often referred to as input validation. This prevents an attacker from entering SQL commands rather than a username and password. Unfortunately, many sites do not filter user input and are still vulnerable to this attack.
The example given here is the most basic version of SQL injection. You can do far more with SQL injection. The attacker is limited only by her knowledge of SQL and the target database system.
Remember that earlier in the text when we first, briefly, mentioned SQL injection, it was suggested that filtering input would prevent this. For example, the programmer creating the website should write the code to first check for any common SQL injection symbols such as the single quote (‘), percent sign (%), equal sign (=), or ampersand (&), and if those are found, stop processing and log an error. This would prevent many SQL injection attacks. There are methods to circumvent these security measures, but implementing them would stop many SQL injection attacks.
Cross-Site Scripting
With cross-site scripting, an attacker injects client-side script into web pages viewed by other users. The key is that the attacker enters scripts into an area that other users interact with. When they go to that part of the site, the attacker’s script is executed rather than the intended website functionality. For example, assume a shopping site allows users to review products. Rather than typing in a review, the attacker types in JavaScript that redirects the user to a phishing website. When another user views that “review,” the script will execute and take him to the new site. Again, this can be prevented by simply filtering all user input. As of this writing, all the major online shopping portals, such as Amazon.com, do filter input and are not susceptible to this attack. However, many smaller sites are still susceptible.
This attack, as well as SQL injection, illustrates why it is critical that all IT personnel be familiar with security, not just security administrators. If more web developers were more familiar with security, these two attacks would not be widespread.
Password Cracking
Doing password cracking is easiest when one can actually get physical access to a machine. This is not as difficult as it sounds. Many organizations (such as universities) have kiosk machines where someone can use the system with minimal/guest privileges. A skilled hacker can use this access to gain further access.
OphCrack
A very popular tool for cracking Windows passwords is OphCrack. OphCrack can be downloaded from http://ophcrack.sourceforge.net. It is based on an understanding of how Windows passwords work. Windows passwords are stored in a hash file in one of the system directories, usually C:WINDOWSsystem32config in a SAM file. SAM is an acronym for Security Accounts Manager. The passwords are stored as a hash. (Hashes will be discussed in detail in Chapter 8, “Encryption.”) What Windows does is hash the password you type in and compare it to the hash found in the SAM file. If there is a match, then you are logged in. To prevent someone from copying the SAM file and taking it off to try to brute force it, as soon as Windows begins the boot process, the operating system locks the SAM file. What OphCrack does is boot to Linux and then get the SAM file and look up the hashed passwords in a large table of hashed values it has, searching for a match. If it finds one, then the matching text in that table of hashed values is the password. You can see OphCrack in Figure 6.6.
This tool is remarkably easy to use. Just put the OphCrack CD into the machine and reboot. During the boot process you can press F12 for a boot menu and tell the system to boot from CD. You will then start OphCrack. It should be noted that longer passwords (as of this writing, longer than 10 characters) are usually not crackable by OphCrack.
Assuming OphCrack is successful (it isn’t always), what can the attacker do with this? At best she simply got the local machine admin account, and not a domain account. Well, this can be used to then gain domain access. One simple technique is to create a script that will in turn create a domain admin account. The script is simple:
net user /domain /add localaccountname password
net group /domain "Domain Admins" /add localaccount
Obviously, if the attacker executes this script it will not work. One must be a domain admin for it to work. So the attacker saves this script to the All Users startup folder. The next time a domain admin logs on to this system, the script will successfully execute. But the attacker may not want to wait until that happens. In order to speed up the process, the attacker causes some minor problem in the system (changes settings, alters configuration, and so on). In many organizations, the tech support personnel are in the domain admins group. When a tech support person logs on to the system to correct the problem, the script will successfully run.
Malware Creation
In this section we will briefly discuss how easy it is to create malware. Previously in Chapter 5, “Malware,” you saw the tool eLiTeWrap. In this section you will see the methods used to actually create viruses. This is not in any way an encouragement for you to create such viruses. It is meant to educate you on why such malware is so common.
For many years, one needed significant programming skills in order to create a virus. However, in recent years there have been a number of tools developed that create viruses. These tools allow the end user to click a few buttons and create a virus. This is one reason viruses are becoming so prevalent. One such tool is the TeraBIT Virus Maker, shown in Figure 6.7.
Tools like this make it very easy for even a novice to create a virus. When tools like this become prevalent, tools that automate some specific computer attack, then one can expect a great many more such attacks.
You can easily see from the options that TeraBIT Virus Maker can create some rather damaging malware. It is important to realize that this is only one option that a malware creator has. There are a number of tools on the Internet that help create viruses. There are even ransomware development kits.
In addition to these tools, there are websites that contain catalogs of malware code. Anyone with only moderate programming skills can download the code for a virus and modify that malware for his specific needs. You can think of this as a sort of cyber weapons proliferation.
This proliferation of cyber weapons is the primary reason for this section in this chapter. It is critical that security professionals, or aspiring security professionals, be aware of just how easy it is to create a virus. This means we should reasonably expect to see more viruses as time goes on. Of course, there are still custom written viruses, and these are in fact the most effective form of malware. But the proliferation of tools and source code means that even those with only minimal technical skills can create viruses.
Windows Hacking Techniques
Given the ubiquitous nature of Microsoft Windows, it should be no surprise that there are a wide range of attacks specifically aimed at that operating system. In this section, we will briefly look at some of these.
Pass the Hash
We will examine cryptographic hashes at some length in Chapter 8. For now just accept that many systems store passwords as a cryptographic hash. This is done because it is impossible to “unhash” something.
The pass the hash attack essentially realizes that the hash cannot be reversed; rather than trying to find out what the password is, the attacker just sends over the hash. If the attacker can obtain a valid username and user password hashes values (just the hash—the attacker does not know the actual password), then the hacker can use that hash, without ever knowing the actual password.
Windows applications ask users to type in their passwords; then they in turn hash them. Often this can be done with an API like LsaLogonUser, converting the password to either an LM hash or an NT hash. Pass the hash skips around the application and just sends the hash.
Net User Script
This particular exploit first requires access to the target machine with at least guest-level privileges. It is based on the fact that many organizations put the technical support personnel in the domain admin’s group.
The attacker writes the following two-line script (obviously the word localaccountname is replaced with an actual local account name.):
net user /domain /add localaccountname password
net group /domain "Domain Admins" /add Domain
Save that script in the All Users startup folder. The next time someone with domain admin privileges logs on to the machine, it will execute and that localaccountname will now be a domain admin. The only problem is that it may be quite some time before someone with such privileges logs onto that machine. To make this happen, the attacker will cause a problem with the system that would necessitate technical support fixing it, such as by disabling the network card. The next user to log in will not be able to access the network or Internet and will call technical support. There is a reasonably high chance that the person in technical support is a member of the domain administrators group. When that person logs on to the computer to fix the problem, unbeknownst to her the script will execute.
This particular exploit illustrates two different security issues. The first is the concept of least privileges. This means each user has the minimum privileges to do his job. This concept was discussed briefly in Chapter 1, “Introduction to Computer Security.” Therefore, technical support personnel should not be in the domain admin group.
The second issue is that access to any of your machines should be controlled. This exploit only requires that the attacker have guest-level access and then only for a few minutes. From that minimum access, a skilled attacker can move forward and acquire domain admin privileges.
Login as System
This particular attack requires physical access to one machine on your network. It does not require domain or even computer login credentials. To understand this attack, think about the last time you logged into any Windows computer, even a Windows server. Next to the login text boxes (Username and Password), there is an accessibility button that allows you to launch various tools to aid those users with disabilities. For example, you can launch the magnifier class in order to magnify text.
In this attack, the perpetrator will boot the system to any Linux live CD. Then, using the FDISK utility, the attacker will locate the Windows partition. Navigating to the WindowsSystem32 directory, the attacker can first take magnify.exe and make a backup, perhaps naming the backup magnify.bak. Then she can take command.exe (the command prompt) and rename it magnify.exe.
Now the attacker reboots to Windows. When the login screen appears, the perpetrator clicks Accessibility and then Magnify. Since command.exe was renamed to magnify.exe, this will actually launch the command prompt. No user has logged in yet, so the command prompt will have system privileges. At this point the attacker is only limited by her knowledge of commands executed from the command prompt.
This particular attack illustrates the need for physical security. If an attacker can get even 10 minutes alone with your Windows computer, she will likely find a way to breach the network.
Penetration Testing
As was mentioned at the beginning of this chapter, these techniques can also be conducted as part of a penetration test. However, a penetration test is not simply the random application of a variety of hacking techniques. Usually a penetration test is done along with or subsequent to a vulnerability assessment. We will discuss vulnerability assessments in detail in Chapter 11.
The process is a methodical probing of a target network in order to identify weaknesses in the network. The theory behind penetration testing is that the only way to objectively determine the security level of a given network is to have a competent penetration tester attempt to breach security. There are a variety of standards that one can use to guide a penetration test.
NIST 800-115
NIST 800-115 is the National Institute of Standards and Technology guideline for security assessments for Federal Information Systems. Assessments include penetration tests. NIST 800-115 describes security assessments and has four phases:
Planning: During this phase the tester needs to set specific testing goals. Often these will be related to previous risk assessment evaluations of the target network.
Discovery: This phase involves using a variety of tools, including port scanners, vulnerability scanners, and manual techniques to identify or discover any issues with the target network.
Attack: Now the attacker can attempt to compromise the target network by exploiting the vulnerabilities found during the discovery phase. It is in this phase that the penetration tester applies the hacking techniques we have discussed in this chapter.
Reporting: The final step is to prepare a detailed report and to deliver it to the person who hired the penetration tester. The report should provide details on what vulnerabilities were exploited, how they were exploited, and what remediation steps are recommended.
Even though this approach has only four phases, these are rather broad phases that include many substeps. It is not necessary for our purposes to delve into all the details of NIST 800-115. However, these broad steps provide a framework for penetration testing, even without delving into the details. Notice that there are two steps prior to the attack phase. Planning and discovery are critical, and you will see similar items in other penetration testing standards.
National Security Agency Information Assessment Methodology
The National Security Agency (NSA) has primary responsibility for information security throughout the United States Federal government. For this reason, it formulated a methodology to be applied to any information systems assessment to include security audits, vulnerability tests, and penetration tests. That methodology is briefly described here:
Determine and manage the customer’s expectations.
Gain an understanding of the organization’s information criticality.
Determine customer’s goals and objectives.
Determine the system boundaries.
Coordinate with customer.
Request documentation.
On-Site Assessment
Conduct opening meeting.
Gather and validate system information (via interview, system demonstration, and document review).
Analyze assessment information.
Develop initial recommendations.
Present out-brief.
Post-Assessment
Give additional review of documentation.
Get help understanding what you learned.
Report coordination (and writing).
This particular summary of steps is interesting. Let’s begin with the pre-assessment. Managing customer expectations is a critical step. It is important that the customer know what a penetration test can and cannot do. Notice that this phase is all about deciding what will be done and what is expected.
The on-site assessment includes the process of examining the system and culminates in an out briefing to let the customer know the essence of what you found. Then it culminates with a report that is written and delivered in the third phase. It is also interesting to notice that in the final phase there is the substep to get additional expertise. If your penetration test or security audit found items that are outside your expertise, then it is wise to consult with an expert in that area.
PCI Penetration Testing Standard
The Payment Card Industry Data Security Standards (PCI DSS) are standards used by companies that process credit cards. We will look at PCI standards in general in Chapter 10, “Security Policies.” In this section we will briefly examine the penetration testing portion of those standards. PCI DSS Requirement 11.3.4 mandates penetration testing to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the cardholder data environment.
PCI standards recommend testing a separate environment, not on the live production environment during normal business hours.
It is recommended that pen testing include social engineering tests.
Per PCI DSS Requirements 11.3.1 and 11.3.2, penetration testing must be performed at least annually and after any significant change—for example, infrastructure or application upgrade or modification—or new system component installations. As with the previous models we examined, PCI DSS has some specific steps:
Pre-engagement: Defining scope, documents, rules of engagement, success criteria, and review of past issues
The actual penetration test: Where you apply the hacking techniques
Post-Engagement: Reporting and recommending remediation steps
It is not critical that you memorize these standards. The point is to understand that hacking techniques are utilized in penetration testing, but that penetration testing is more than just random attempts to hack the target network. It is a methodical approach to verifying the security of a target network that happens to include real hacking techniques.
Summary
In this chapter we have examined just a few techniques hackers utilize. But these techniques and tools have illustrated the need for a variety of security measures. The scanning techniques illustrate the need for blocking certain traffic at the firewall and for running an IDS. The SQL injection attack demonstrates why security must be part of application development. And the OphCrack tool illustrates why physical security is important and why the principle of least privileges is important. Putting tech support staff into the domain admins group violates the concept of least privileges and makes the privilege escalation script possible.
A. Having database admin privileges
B. Creating an SQL statement that is always true
C. Creating an SQL statement that will force access
D. Understanding web programming
2. Which of the following is a vulnerability scanner specifically for Windows systems?
A. Nmap
B. OphCrack
C. Nessus
D. MBSA
3. How can you prevent cross-site scripting?
A. Filter user input.
B. Use an IDS.
C. Use a firewall.
D. It cannot be prevented.
4. What is an advantage of using Nessus? Use your favorite search engine to research Nessus to answer this question.
A. It is free for businesses.
B. It has a wide range of vulnerabilities it can check for.
C. It is designed for Windows systems.
D. It includes an IDS.
5. OphCrack depends on the attacker doing what?
A. Getting physical access to the machine
B. Getting domain admin privileges
C. Using social engineering
D. Using a scanning tool
6. If you wish to view items that have been removed from a website, what is the best way to do that?
A. Use Nessus.
B. Use Nmap.
C. Use www.netcraft.com.
D. Use www.archive.org.
7. Which of the following is a popular port scanner?
A. Nessus
B. OphCrack
C. MBSA
D. Nmap
8. Blocking incoming ICMP packets will prevent what type of scan?
A. SYN
B. Ping
C. FIN
D. Stealth
9. A person who uses hacking techniques for illegal activities is referred to as what?
A. A hacker
B. A gray hat hacker
C. A phreaker
D. A cracker
10. A person who hacks into phone systems is referred to as what?
A. A hacker
B. A gray hat hacker
C. A phreaker
D. A cracker
11. A person who uses tools to hack without understanding the underlying technology is called what?
A. A script kiddy
B. A gray hat hacker
C. A novice
D. A white hat hacker
12. Trying to list all the servers on a network is referred to as what?
A. Port scanning
B. Enumeration
C. Vulnerability scanning
D. Scouting
13. Which of the following is a popular enumeration tool?
A. Nessus
B. Nmap
C. MBSA
D. Cheops
14. Which of the following is considered the most stealthy port scan?
A. SYN
B. Connect
C. Ping
D. Nmap
15. What is the most stealthy way to find out what type of server a website is running?
A. Use Nmap.
B. Use Cain and Abel.
C. Use www.netcraft.com.
D. Use www.archive.org.
Exercises
EXERCISE 6.1: Using www.archive.org
This exercise gives you practice in using www.archive.org. Go to www.archive.org and pull up at least two previous versions of your college/university’s website. What information can you find that is no longer on the website?
This exercise introduces you to the Nmap tool. You should download and install Nmap. Then run at least three different scans on either your own computer or on a designated lab computer.
While it is not illegal to scan a computer, it may violate some security policies for some colleges and universities. Make certain you only scan a designated lab computer.
Download OphCrack to a CD. Then reboot your own machine to OphCrack and attempt to crack your own local passwords.
It is critical that you only use this on your own machine or a designated lab machine. Using it on other machines will probably violate security policies at your college/university/company.
EXERCISE 6.4: Using Netcraft.com
Visit www.netcraft.com and do a search on at least three different websites of your choosing. Note what information you are able to gather about the website.
Projects
PROJECT 6.1: Passive Reconnaissance
Select a local organization and conduct a passive reconnaissance. This should include searching job boards, the organization’s own website, user groups/bulletin boards, social networking sites, www.archive.org, and more. Gather as much information about the target network as you can.
PROJECT 6.2: Port Scanners
Use your favorite search engine to locate at least two other port scanners. Download and install them, and then try them on your own machine or a designated lab computer. Compare and contrast these tools to Nmap. Are they easier to use? More informative?
PROJECT 6.3: MBSA
Download and install MBSA and run a vulnerability scan on your own computer or on a designated lab computer. What problems did you find? Was the tool easy to use?