Chapter 6. Techniques Used by Hackers

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

  • Understand the basic methodology used by hackers

  • Be familiar with some of the basic hacking tools

  • Understand the hacking mentality

Introduction

In the preceding five chapters, we have explored computer security and various security breaches. In this chapter we will be exploring the techniques that hackers use to commit computer crimes. Before going any further, it is important to realize that many hackers are not criminals. A hacker is a person who wants to understand a system, often by probing its weaknesses. There are even hackers who work for organizations, testing the organizations’ system security. This is called penetration testing and also sometimes white hat hacking. There are several certifications for penetration testing:

There is also a magazine for white hat hackers called 2600 (www.2600.com). Many computer security professionals attempt to learn hacking techniques either to enhance their security capabilities or to simply satisfy their curiosity. The techniques themselves are not criminal. However, there are people who use hacking techniques to breach systems to steal data, damage systems, or commit other cybercrimes. These people are usually referred to as black hat hackers or crackers.

The techniques presented in this chapter are presented not only to give you an understanding of how black hat hackers work but to show how you can perform penetration testing on your own network. By attempting some of these techniques on your network, you can assess your vulnerability. (It should be pointed out that you should only do this when you are very comfortable with the techniques in this chapter—and only with permission from senior management.)

Basic Terminology

Before we can delve into the world of hacking, we need to discuss the basic terminology used in this community. We have already introduced you to the term white hat hacker, which is used to describe a person who uses hacking techniques for legal/ethical purposes. And we have discussed the terms black hat hacker and cracker, which are used to describe a person who uses hacking techniques for illegal purposes.

There are a few other terms you should be familiar with. A gray hat hacker is one who was previously a black hat hacker and turned into a white hat hacker (basically, a former criminal now turned ethical). With the proliferation of tools on the Internet, there are also a lot of people who download some tools (we will examine some of them in this chapter) and perform some cyber attack without really understanding it. These people are termed script kiddies (also sometimes spelled kiddys). Another important term, phreaking, refers to hacking into phone systems (which predates hacking into computer systems).

Often penetration testing is conducted to emulate a specific adversary or type of adversary. This is referred to as a red team. For example, if an organization is concerned primarily about nation-state attacks, then a red team can conduct a penetration test utilizing the same techniques that are commonly used in nation-state attacks. In contrast to the red team is the blue team, which is the defensive team attempting to stop the red team’s attack.

The Reconnaissance Phase

Any intelligent/experienced hacker is going to attempt to find out information about a target before actually attempting an attack. Just as a bank robber would want to know about a bank’s alarm systems, number of guards, police response time, and so on, a black hat hacker would want to know about your system’s security. What may surprise you is how much information can be found easily on the Internet without even attaching to the target system.

Passive Scanning Techniques

One of the easiest things a hacker can do is check the target organization’s websites. Businesses commonly post information that can be very useful to an attacker. For example, let’s assume that company XYZ lists John Doe as its IT manager. An enterprising hacker can scan bulletin boards and discussion groups for references to John Doe at XYZ. That attacker might find information useful in spear phishing attacks (that is, phishing targeted at a specific individual or group of individuals), or the attacker might find information useful in social engineering. For example, a number of former employees might have complained online that John Doe is demanding and quick to fire people. An enterprising hacker could call someone at XYZ claiming to be working for John Doe. The hacker might claim that he is trying to log on remotely to that person’s computer to update her system. After a few moments, the hacker tells the person he forgot the password John Doe gave him and is very concerned he will get fired if he doesn’t complete this assignment; then he asks that person for her password. The information the attacker gleaned from the Web gave him enough information to make this social engineering attack plausible.

It is also possible for an attacker to scan bulletin boards, chat rooms, discussion groups, and other places, looking for questions from IT staff at the target organization. For example, if an administrator posts in a discussion group asking about a particular server problem, this can give the attacker valuable information about that target network.

Another way attackers can use the Web to find out information about a target is through job ads. For example, if a company routinely advertises for ASP.NET developers and never for PHP or Perl, then it is likely that the company’s web applications are developed with ASP.NET running on a Windows web server (Internet Information Services). This can allow the attacker to focus only on a small group of possible attacks—those against ASP.NET/Windows.

Still more information can be garnered from job ads. For example, if a small company with fewer than 200 employees has an advertisement for a network administrator twice a year, it is likely that the company has recently lost its old administrator, because a small company would not need multiple administrators. If the current administrator is new, it means she is probably not as familiar with her own systems as the old admin was. Also, if this trend of advertising for new administrators extends over a couple of years, the hacker can guess that the company has high turnover, and there is some problem the attacker may be able to exploit.

There are also specific websites that provide information an attacker may find useful. For example, netcraft.com, shown in Figure 6.1, provides information about websites. For example, you can find out what kind of server a site is running, and in some cases how long it has been since the server was last rebooted.

A window displays the site information of www.chuckeasttom.com.
Figure 6.1 www.netcraft.com.

Another site that can be useful for attackers is https://archive.org. This site, shown in Figure 6.2, archives older versions of websites. The server scours the Web, archiving sites. The frequency with which a site is archived depends on its popularity.

A screenshot displays the archive of older versions of the website.
Figure 6.2 www.archive.org.

Active Scanning Techniques

The previously mentioned techniques are all considered passive, as they do not require the attacker to connect to the target system. Since the attacker is not actually connecting to the target system, it is impossible for an intrusion detection system (IDS) to detect the scan. Active scans are far more reliable but may be detected by the target system. There are a few types of active scans.

Port Scanning

Port scanning is the process of attempting to contact each network port on the target system and see which ones are open. There are 1024 well-known ports that are usually associated with specific services. For example, port 161 is associated with Simple Network Management Protocol (SNMP). If an attacker detects port 161 open on the target system, he might decide to try SNMP-related attacks. Even more information can be derived from a port scan. For example, ports 137, 138, and 139 are all associated with NetBIOS, a very old Windows method of network communication that is not used in Windows anymore. However, NetBIOS is often used for systems where Windows machines need to communicate with Linux machines, so discovering those ports open reveals something about the target network.

A simple Google search for port scanner will reveal a host of well-known, widely used, and often free port scanners. However, the most popular port scanner in the hacking and security community is the free tool Nmap (https://nmap.org). There is a Windows version of it, called Zenmap, as shown in Figure 6.3.

A screenshot displays Zenmap GUI.
Figure 6.3 Zenmap GUI.

Nmap allows you to customize your scan to make it more or less stealthy and to target certain systems. The most common types of scans are listed here:

  • Ping scan: This scan simply sends a ping to the target port. Many network administrators block incoming ICMP packets for the purpose of stopping ping scans.

  • Connect scan: This is the most reliable scan but also the type most likely to be detected. With this type of scan, a complete connection is made with the target system.

  • SYN scan: This scan is very stealthy. Most systems accept SYN (synchronize) requests. This scan is similar to the SYN flood DoS attack described in Chapter 4, “Denial of Service Attacks.” In this type of scan, you send a SYN packet but never respond when the system sends a SYN/ACK. However, unlike with a DoS SYN flood, you send only one packet per port. This is also called a half-open scan.

  • FIN scan: This scan has the FIN (connection finished) flag set. This is not an unusual packet for systems to receive, so it is considered stealthy.

Each of these scans provokes a different response on the target machine and thus provides different information to the port scanner:

  • With a FIN scan or an XMAS scan, if the target port is closed, the system sends back an RST (reset) flag packet. If it is open, there is no response.

  • With a SYN scan, if the port is closed, the response is an RST; if it is open, the response is a SYN/ACK.

  • ACK scans and NULL scans work only on UNIX systems.
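The flag responses described above are also what a defender looks for. The following is an added example (not from the book) of detection logic run over constructed packet summaries: it flags a source that sends SYN-only, FIN-only, NULL, or Xmas probes to many distinct ports of one host in a short window without ever completing a handshake. The record format, thresholds, and sample traffic are assumptions for the example.

```python
from collections import defaultdict

# TCP flag bits as they appear in the flags byte of a packet header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def classify_probe(flags):
    """Name the probe type a flag combination implies, or None for ordinary traffic."""
    if flags == SYN:
        return "syn"      # half-open scan candidate (also the start of any normal connection)
    if flags == 0:
        return "null"     # no flags set: NULL scan
    if flags == FIN:
        return "fin"      # FIN alone, with no prior connection: FIN scan
    if flags == XMAS:
        return "xmas"     # FIN+PSH+URG "lit up": Xmas tree scan
    return None


def detect_scans(records, port_threshold=10, window=5.0):
    """Return (src_ip, dst_ip, kind, distinct_ports) for each suspected scan.

    records: iterable of constructed (timestamp, src_ip, dst_ip, dst_port, flags).
    A source is flagged when it sends at least `port_threshold` probes of one kind
    to distinct ports of one host within `window` seconds, not counting ports on
    which the same source later completed a handshake (sent an ACK).
    """
    completed = defaultdict(set)                        # (src, dst) -> ports with an ACK
    probes = defaultdict(lambda: defaultdict(list))     # (src, dst) -> kind -> [(ts, port)]
    for ts, src, dst, dport, flags in records:
        if flags & ACK and not flags & SYN:
            completed[(src, dst)].add(dport)
        kind = classify_probe(flags)
        if kind is not None:
            probes[(src, dst)][kind].append((ts, dport))

    findings = []
    for (src, dst), by_kind in probes.items():
        for kind, hits in by_kind.items():
            # a SYN to a port that later carried an ACK was a real connection, not a probe
            suspicious = sorted(h for h in hits if h[1] not in completed[(src, dst)])
            best = 0
            for i, (start, _) in enumerate(suspicious):
                in_window = {p for ts, p in suspicious[i:] if ts - start <= window}
                best = max(best, len(in_window))
            if best >= port_threshold:
                findings.append((src, dst, kind, best))
    return findings


def sample_records():
    """Constructed sensor output: a SYN sweep of 20 ports from 10.0.0.5 against
    10.0.0.1 within two seconds, plus one ordinary completed connection from 10.0.0.9."""
    recs = [(0.1 * i, "10.0.0.5", "10.0.0.1", 1 + i, SYN) for i in range(20)]
    recs += [(5.0, "10.0.0.9", "10.0.0.1", 80, SYN),
             (5.1, "10.0.0.9", "10.0.0.1", 80, ACK),
             (5.2, "10.0.0.9", "10.0.0.1", 80, PSH | ACK)]
    return recs


if __name__ == "__main__":
    for finding in detect_scans(sample_records()):
        print("suspected %s scan: %s -> %s, %d distinct ports" % (finding[2], finding[0], finding[1], finding[3]))
```

A full connect scan completes the handshake on open ports, so this heuristic sees only its closed-port probes; it is a starting point for a detection rule, not a substitute for an IDS.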

Nmap also lets you set a number of flags (either with the command-line version of Nmap or the Windows version) to customize the scan. The allowed flags are listed here:

  • -O: Detects the operating system

  • -sP: Ping scan

  • -sT: TCP connect scan

  • -sS: SYN scan

  • -sF: FIN scan

  • -sX: Xmas tree scan

  • -sN: NULL scan

  • -sU: UDP scan

  • -sO: Protocol scan

  • -sA: ACK scan

  • -sW: Window scan

  • -sR: RPC scan

  • -sL: List/DNS scan

  • -sI: Idle scan

  • -P0: Don’t ping (that is a zero; newer Nmap versions spell this option -Pn)

  • -PT: TCP ping

  • -PS: SYN ping

  • -PI: ICMP ping

  • -PB: TCP and ICMP ping

  • -PM: ICMP netmask

  • -oN: Normal output

  • -oX: XML output

  • -oG: Greppable output

  • -oA: All output

  • -T: Timing

    • -T0: Paranoid

    • -T1: Sneaky

    • -T2: Polite

    • -T3: Normal

    • -T4: Aggressive

    • -T5: Insane

As you can see, there are a number of options available to an attacker using Nmap. One can spend a lot of time just learning Nmap. There are, of course, a number of other port scanning tools. We have focused on Nmap because it is free and widely used. It also figures prominently on the EC-Council Certified Ethical Hacker certification, GPEN (from SANS), and the Professional Penetration Tester certification.

The Nmap settings are, for the most part, self-explanatory. Perhaps the timing warrants a bit more discussion, however. Timing involves how quickly to send scanning packets. Essentially, the faster you send packets, the more likely the scan is to be detected.

Here is the most basic Nmap scan:

nmap 192.168.1.1

Here is a scan of a range of IP addresses:

nmap 192.168.1.1-20

The following command detects the operating system, uses a TCP ping (-PT), and uses sneaky timing:

nmap -O -PT -T1 192.168.1.1

Vulnerability Assessment

Vulnerability assessment involves checking a system to see if it is vulnerable to specific attacks. Although hackers can use vulnerability assessment tools to assess your system, these tools are designed to allow you to assess your system. These tools are not particularly stealthy and thus will probably be detected by an intrusion detection system. In fact, network administrators commonly use vulnerability assessment tools to test their own networks. These tools will be covered in Chapter 11, “Network Scanning and Vulnerability Scanning.”

Enumeration

Another technique that is commonly used before an actual attack is enumeration. Enumeration is simply the process of finding out what is on the target system. If the target is an entire network, the attacker wants to find out what servers, computers, and printers are on that network. If the target is a specific computer, the attacker wants to find out what users and shared folders exist on that system.

A simple Google search will help you find a number of enumeration tools. One of the easiest to use is Cain and Abel, shown in Figure 6.4.

A screenshot depicts the Cain and Abel tool.
Figure 6.4 Cain and Abel.

Although we are focusing on enumeration here, Cain and Abel can do a lot more than just enumeration. To use Cain and Abel for enumeration, simply click on the Network tab, and you will find all the machines connected to the network you are on. (You obviously need some level of access before you can enumerate the target network.)

The following are a few other enumeration tools that are popular with hackers and can easily be found on the Internet:

  • Sid2User

  • Cheops (Linux only)

  • UserInfo

  • UserDump

  • DumpSec

  • Netcat

  • NBTDump

This is not an exhaustive list, but it includes some of the most widely used enumeration tools.

To defend against scanning, you should use the following techniques:

  • Be careful how much information you put on the Internet about your organization and its network.

  • Create a company policy mandating that technical personnel who use bulletin boards, chat rooms, and so on for technical data not use their real names or reveal the company’s name.

  • Use an IDS that detects many scans.

  • Block incoming Internet Control Message Protocol (ICMP) packets.

These techniques won’t make scanning and reconnaissance on your system impossible, but they will significantly reduce the amount of information an attacker can gather.

Shodan

Shodan (see Figure 6.5) is a tool used by attackers and penetration testers alike. The website https://www.shodan.io is essentially a search engine for vulnerabilities. You need to sign up for a free account to use it, but then it can be invaluable to a pen tester trying to identify vulnerabilities. Of course, the site can also be invaluable to attackers.

A screenshot displays Shodan tool.
Figure 6.5 Shodan.

There are many options you can use in searching with Shodan.io; some are given here:

  • Search for default passwords, using search terms such as the following:

    • default password country:US

    • default password hostname:chuckeasttom.com

    • default password city:Chicago

  • Find Apache servers:

    • apache city:"San Francisco"

  • Find webcams:

    • webcamxp city:Chicago

  • Find old IIS servers:

    • "iis/5.0"

The preceding list gives examples of search terms; the filters you can use include the following:

  • city: Find devices in a specific city

  • country: Find devices in a specific country

  • geo: Find devices near given coordinates (latitude and longitude)

  • hostname: Find values that match a specific hostname

  • net: Search based on an IP address or a /x CIDR range

  • os: Search based on operating system

  • port: Find particular ports that are open

  • before/after: Find results within a time frame

For example, Figure 6.6 shows the results of a search for default passwords city:dallas.

A screenshot for Shodan search result is shown.
Figure 6.6 Shodan search results.

When you are performing a penetration test, it is a good idea to search the company domain for anything you can find via Shodan. This can guide your penetration testing efforts, and again you can be sure that would-be attackers will use this tool. You can restrict your search to the hostname or domain name of the client who has hired you to conduct a penetration test. You can use Shodan to seek out default passwords, old web servers, unsecured web cameras, and other vulnerabilities in the target network.

Actual Attacks

Now that we have discussed how attackers scan a target system, let’s look at a few attacks that are commonly used. Obviously this isn’t an exhaustive list, but it provides some insight into the attack methodologies used. In Chapter 4 we discussed denial of service (DoS) attacks and some tools used to perpetrate these attacks. In this section we will look at other sorts of attacks and the techniques and tools used to make them happen.

SQL Script Injection

SQL script injection might be the most popular type of attack on websites. In recent years, more websites have taken steps to ameliorate the dangers of these attacks, but unfortunately, many websites are still susceptible. An SQL script injection attack involves passing Structured Query Language (SQL) commands to a web application and getting the website to execute them.

Before we can discuss SQL injection further, we must talk about SQL and relational databases. Relational databases are based on relations between various tables. The structure includes tables, primary and foreign keys, and relations:

  • Each row represents a single entity.

  • Each column represents a single attribute.

  • Each record is identified by a unique number called a primary key.

  • Tables are related by foreign keys. A foreign key is a primary key in another table.

You can see an example of these relations in Figure 6.7.

The database relations between two tables are shown.
Figure 6.7 Database relations.

All relational databases use SQL, which includes commands such as SELECT, UPDATE, DELETE, INSERT, and WHERE. At least the basic queries are very easy to understand and interpret.

Most basic SQL injection works like this: Many websites/applications have a page where a user enters a username and password. That username and password will have to be checked against some database to see if they are valid. Regardless of the type of database (Oracle, SQL Server, MySQL), all databases speak SQL. SQL looks and functions a great deal like English. For example, to check a username and password, you might want to query the database to see if there is any entry in the users table that matches the username and password that was entered. If there is such an entry, you have a match. The SQL statement to ask this might look something like this:

SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'letmein'

The problem with this query is that, although it is valid SQL, it hard codes the username and password. For a real website, you would have to take whatever the user entered into the username field and password field and check that. This can be easily done (regardless of what programming or scripting language the website is programmed in). It would look something like this:

"SELECT * FROM tblUsers WHERE USERNAME = '" + txtUsername.Text + "' AND PASSWORD = '" + txtPassword.Text + "'"

If you enter username 'jdoe' and password 'letmein', this code produces the following SQL command:

SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'letmein'

Now if there is a username jdoe in tblUsers, and the password for it is letmein, then this user will be logged on. If not, then an error will occur.

SQL injection works by putting some SQL into the username and password block that is always true. For example, suppose you enter 'OR X=X' into the username and password boxes. This will cause the program to create this query:

SELECT * FROM tblUsers WHERE USERNAME = ''OR X=X' AND PASSWORD = ''OR X=X'

Notice that you start with a single quotation mark (') before the OR X=X. This closes the open quote the attacker knows must be in the code. And if you see '', that essentially is a blank or null, and it tells the database to log you in if the username is blank, or if X=X, and if the password is blank, or if X=X. If you think about this for a second, you will see that X always equals X, so this will always be true.

There is no significance to 'OR X=X'; it is simply a statement that will always be true. Attackers try other similar statements, such as the following:

' or 'a' ='a
' or '1' ='1
' or (1=1)

The example given here is the most basic version of SQL injection, but this is the most common. You can do far more with SQL injection. The attacker is limited only by her knowledge of SQL and the target database system.

The defense against this attack is to filter all user input before processing it. This process, often referred to as input validation, prevents an attacker from entering SQL commands rather than a username and password. Unfortunately, many sites do not filter user input and are still vulnerable to SQL injection attacks.

Remember that earlier in the text when we first, briefly, mentioned SQL injection, it was suggested that filtering input could prevent such an attack. For example, a programmer creating a website should write the code to first check for any common SQL injection symbols such as the single quote ('), percent sign (%), equal sign (=), or ampersand (&), and if those are found, stop processing and log an error. This would prevent many SQL injection attacks. There are methods to circumvent these security measures, but implementing them would, nonetheless, stop many SQL injection attacks.
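To make the mechanics concrete, the following added example (not from the book) runs the concatenated login query from the text against an in-memory SQLite table, then the same login written with query parameters, and applies the character filter the text recommends. The table contents and the injected value (the ' or '1'='1 form listed above) are constructed; the parameterized query is an additional defense the example introduces, not one the text names.

```python
import sqlite3

SQLI_CHARS = set("'%=&")   # the characters the text suggests rejecting in user input


def setup_db():
    """Create the constructed tblUsers with one account (plaintext password only to
    mirror the text; a real site stores a hash, see Chapter 8)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('jdoe', 'letmein')")
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern: user input is spliced straight into the SQL text."""
    sql = ("SELECT * FROM tblUsers WHERE USERNAME = '" + username +
           "' AND PASSWORD = '" + password + "'")
    return len(conn.execute(sql).fetchall()) > 0


def login_parameterized(conn, username, password):
    """The safe pattern: placeholders, so the input is data and never SQL syntax."""
    sql = "SELECT * FROM tblUsers WHERE USERNAME = ? AND PASSWORD = ?"
    return len(conn.execute(sql, (username, password)).fetchall()) > 0


def looks_like_injection(value):
    """The character filter the text recommends: reject ', %, = and &."""
    return any(ch in SQLI_CHARS for ch in value)


def demo():
    """Run both login styles with a valid credential and with the injected value."""
    conn = setup_db()
    injected = "' or '1'='1"
    return {
        "valid_concat": login_concatenated(conn, "jdoe", "letmein"),
        "injected_concat": login_concatenated(conn, injected, injected),   # bypasses login
        "valid_param": login_parameterized(conn, "jdoe", "letmein"),
        "injected_param": login_parameterized(conn, injected, injected),  # no match
        "filter_flags_injection": looks_like_injection(injected),
        "filter_allows_normal": looks_like_injection("jdoe"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The character filter also rejects legitimate passwords that happen to contain = or &; the parameterized query needs no such restriction, which is why it is the primary defense and the filter a secondary one.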

Cross-Site Scripting

With cross-site scripting, an attacker injects client-side scripts into web pages viewed by other users. The key is that the attacker enters scripts into an area that other users interact with. When users go to that part of the site, the attacker’s script, rather than the intended website functionality, is executed. For example, say that a shopping site allows users to review products. Rather than typing in a review, an attacker might type in JavaScript that redirects the user to a phishing website. When another user views that “review,” the script executes and takes the user to the new site. Again, such attacks can be prevented by simply filtering all user input. As of this writing, all the major online shopping portals, such as Amazon.com, do filter input and are not susceptible to this attack. However, many smaller sites are still susceptible to cross-site scripting.

Cross-site scripting and SQL injection both illustrate why it is critical that all IT personnel, not just security administrators, be familiar with security. If more web developers were more familiar with security, these two attacks would not be widespread.

Cross-Site Request Forgery

Cross-site request forgery could be viewed as the other side of cross-site scripting. Whereas cross-site scripting attacks the user, based on the user’s trust of a website, cross-site request forgery attacks the website, based on the site’s trust of a user. The trusted user, who is authenticated to the website, is tricked into sending requests to the website. These requests can then be used to attack the website.

Directory Traversal

Directory traversal allows attackers to access restricted directories—including those containing application source code, configuration files, and critical system files—and execute commands outside the web server’s root directory.

Attackers can manipulate variables that reference files with “dot-dot-slash” (../) sequences and their variations, as in these examples:

http://www.example.com/process.aspx=../../../../some dir/some file

http://www.example.com/../../../../some dir/some file
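The server-side check that defeats the requests shown above is to resolve the requested name against the web root and refuse anything that lands outside it. The following is an added example (not from the book); the web root and file names are constructed, and the check also handles the URL-encoded, double-encoded and backslash variants of ../ that the text alludes to.

```python
import posixpath
from urllib.parse import unquote


def resolve_under_root(webroot, requested):
    """Return the absolute path to serve, or None if `requested` escapes webroot.

    webroot is a POSIX-style absolute directory (constructed, e.g. /var/www/html);
    requested is the raw value taken from the URL.
    """
    decoded = requested
    # decode repeatedly so double-encoded %252e%252e%252f is also caught
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # treat backslashes like forward slashes (Windows web servers accept both)
    decoded = decoded.replace("\\", "/")
    # an embedded NUL can truncate the path in native code further down the stack
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(webroot)
    # drop any leading slash so the request is always relative to the root,
    # then collapse every . and .. segment
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # the result must be the root itself or something strictly below it
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # constructed requests: one normal, one plain traversal, one encoded traversal
    for req in ("images/logo.png", "../../../../some dir/some file",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(repr(req), "->", resolve_under_root("/var/www/html", req))
```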

Cookie Poisoning

Many web applications use cookies in order to save information (user ID, timestamp, and so on) on the client’s machine. For example, when a user logs in to a site, a login web script may validate his username and password and set a cookie with his numerical identifier.

When the user checks his preferences later, another web script (say, preferences.asp) retrieves the cookie and displays the user information records of the corresponding user. Because cookies are not always encrypted, they can be modified; an attack that includes this type of modification is called cookie poisoning. In fact, JavaScript can modify, write, or read a cookie. So this type of attack can be combined with cross-site scripting.
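Since the cookie lives on the client, the server cannot stop a script from editing it, but it can detect the edit. The following added example (not from the book) protects the numerical identifier the text describes with a keyed hash tag (HMAC-SHA256; hashes are covered in Chapter 8), so a poisoned cookie is rejected before the user record is looked up. The secret key and user id are constructed.

```python
import base64
import hashlib
import hmac

# constructed server-side key; in practice loaded from configuration, never sent to clients
SECRET = b"constructed-server-side-key-change-me"


def _tag(payload, key):
    """Base64 (URL-safe, unpadded) HMAC-SHA256 tag over the payload bytes."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_cookie(user_id, key=SECRET):
    """Build the cookie value 'userid.tag' set by the login script."""
    payload = str(int(user_id)).encode()
    return payload.decode() + "." + _tag(payload, key)


def read_cookie(cookie, key=SECRET):
    """Return the user id if the tag verifies, otherwise None (cookie was altered)."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not payload.isdigit():
        return None
    expected = _tag(payload.encode(), key)
    # constant-time comparison so timing does not leak how many tag bytes matched
    if not hmac.compare_digest(tag, expected):
        return None
    return int(payload)


def tamper_user_id(cookie, new_user_id):
    """The poisoning the text describes: swap the id but keep the old tag."""
    _, _, tag = cookie.rpartition(".")
    return "%d.%s" % (new_user_id, tag)


if __name__ == "__main__":
    cookie = make_cookie(1042)
    print("issued:", cookie, "->", read_cookie(cookie))
    poisoned = tamper_user_id(cookie, 1)
    print("poisoned:", poisoned, "->", read_cookie(poisoned))
```

The tag proves integrity only; the id is still readable on the client, so anything that must stay confidential belongs in server-side session state rather than in the cookie.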

URL Hijacking

URL hijacking, also called typosquatting, involves a fake URL that is very close to a real one. For example, my website is www.Chuckeasttom.com. Someone might set up the site www.Chuckeastom.com, with only one t in the last name.

Wireless Attacks

A number of wireless attacks are commonly used. For example, with the evil twin attack, a rogue wireless access point (WAP) is set up that has the same SSID as one of your legitimate access points. That rogue WAP might be used to initiate a denial of service attack on your legitimate access point, making it unable to respond to users, so they are redirected to the evil twin.

Another wireless attack is the WPS attack. Wi-Fi Protected Setup (WPS) requires a PIN to connect to the WAP. The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.

Cell Phone Attacks

There are many ways to attack cell phones; the more common attacks are briefly described here.

  • Bluesnarfing: Unauthorized access of information from a Bluetooth device.

  • Bluejacking: The process of using another Bluetooth device that is within range (depending on the version of Bluetooth, it could be 10 to 240 meters) and sending unsolicited messages to the target.

  • Bluebugging: Similar to bluesnarfing, bluebugging accesses and uses all phone features.

  • Pod slurping: Using a device such as an iPod to illicitly copy confidential data by directly plugging it into a computer where the data are held.

Password Cracking

Password cracking is easiest when one can actually get physical access to a machine. This is not as difficult as it sounds. Many organizations (such as universities) have kiosk machines where someone can use the system with minimal/guest privileges. A skilled hacker can use this access to gain further access.

OphCrack

A very popular tool for cracking Windows passwords is OphCrack. OphCrack can be downloaded from http://ophcrack.sourceforge.net. It is based on an understanding of how Windows passwords work. Windows passwords are stored in a hash file in one of the system directories, usually C:\WINDOWS\system32\config, in a file named SAM. SAM is an acronym for Security Accounts Manager. The passwords are stored as a hash. (Hashes will be discussed in detail in Chapter 8, “Encryption.”) What Windows does is hash the password you type in and compare it to the hash found in the SAM file. If there is a match, then you are logged in. To prevent someone from copying the SAM file and taking it off to try to brute force it, as soon as Windows begins the boot process, the operating system locks the SAM file. What OphCrack does is boot to Linux and then get the SAM file and look up the hashed passwords in a large table of hashed values it has, searching for a match. If it finds one, then the matching text in that table of hashed values is the password. You can see OphCrack in Figure 6.8.

A screenshot displays Ophcrack.
Figure 6.8 OphCrack.

This tool is remarkably easy to use. Just put the OphCrack CD into the machine and reboot. During the boot process you can press F12 for a boot menu and tell the system to boot from CD. You will then start OphCrack. It should be noted that longer passwords (as of this writing, longer than 10 characters) are usually not crackable by OphCrack.

Assuming OphCrack is successful (it isn’t always), what can the attacker do with this? At best she simply got the local machine admin account, and not a domain account. Well, this can be used to then gain domain access. One simple technique is to create a script that will in turn create a domain admin account. The script is simple:

net user /domain /add localaccountname password
net group /domain "Domain Admins" /add localaccountname

Obviously, if the attacker executes this script, it will not work. One must be a domain admin for it to work. So the attacker saves this script to the All Users startup folder. The next time a domain admin logs on to this system, the script will successfully execute. But the attacker may not want to wait until that happens. In order to speed up the process, the attacker causes some minor problem in the system (changes settings, alters configuration, and so on). In many organizations, the tech support personnel are in the domain admins group. When a tech support person logs on to the system to correct the problem, the script will successfully run.

Malware Creation

In this section we will briefly discuss how easy it is to create malware. In Chapter 5, “Malware,” you saw the tool eLiTeWrap. In this section you will see the methods used to actually create viruses. This is not in any way an encouragement for you to create such viruses. It is meant to educate you on why such malware is so common.

For many years, one needed significant programming skills in order to create a virus. However, in recent years there have been a number of tools developed to create viruses. These tools allow the end user to click a few buttons and create a virus. This is one reason viruses are becoming so prevalent. One such tool is the TeraBIT Virus Maker, shown in Figure 6.9.

A screenshot displays TeraBIT virus maker.
Figure 6.9 TeraBIT Virus Maker.

Tools like this make it very easy for even a novice to create a virus. When tools that automate a specific computer attack become this prevalent, one can expect a great many more such attacks.

You can easily see from the options that TeraBIT Virus Maker can create some rather damaging malware. It is important to realize that this is only one option that a malware creator has. There are a number of tools on the Internet that help create viruses. There are even ransomware development kits.

In addition to these tools, there are websites that contain catalogs of malware code. Anyone with only moderate programming skills can download the code for a virus and modify that malware for his specific needs. You can think of this as a sort of cyber weapons proliferation.

This proliferation of cyber weapons is the primary reason for this section in this chapter. It is critical that security professionals, or aspiring security professionals, be aware of just how easy it is to create a virus. This means we should reasonably expect to see more viruses as time goes on. Of course, there are still custom written viruses, and these are in fact the most effective form of malware. But the proliferation of tools and source code means that even those with only minimal technical skills can create viruses.

Windows Hacking Techniques

Given the ubiquitous nature of Microsoft Windows, it should be no surprise that there are a wide range of attacks specifically aimed at that operating system. In this section, we will briefly look at some of these.

Pass the Hash

We will examine cryptographic hashes at some length in Chapter 8. For now just accept that many systems store passwords as a cryptographic hash. This is done because it is impossible to “unhash” something.

The pass the hash attack essentially accepts that the hash cannot be reversed; rather than trying to find out what the password is, the attacker just sends over the hash. If the attacker can obtain a valid username and that user’s password hash value (just the hash—the attacker does not know the actual password), then the hacker can use that hash without ever knowing the actual password.

Windows applications ask users to type in their passwords; then they in turn hash them. Often this can be done with an API like LsaLogonUser, converting the password to either an LM hash or an NT hash. Pass the hash skips around the application and just sends the hash.

Net User Script

This particular exploit first requires access to the target machine with at least guest-level privileges. It is based on the fact that many organizations put the technical support personnel in the domain admin’s group.

The attacker writes the following two-line script (obviously the word localaccountname is replaced with an actual local account name):

net user localaccountname password /add /domain
net group "Domain Admins" localaccountname /add /domain

The attacker saves this script in the All Users startup folder. The next time someone with domain admin privileges logs on to the machine, it will execute, and localaccountname will now be a domain admin. The only problem is that it may be quite some time before someone with such privileges logs onto that machine. To speed up the process, the attacker will cause a problem with the system that would necessitate technical support fixing it, such as disabling the network card. The next user to log in will not be able to access the network or Internet and will call technical support. There is a reasonably good chance that the person in technical support is a member of the domain administrators group. When that person logs on to the computer to fix the problem, unbeknownst to her, the script will execute.

This particular exploit illustrates two different security issues. The first is the concept of least privileges, which means allowing each user only the minimum privileges to do his job. (This concept was discussed briefly in Chapter 1, “Introduction to Computer Security.”) Technical support personnel should not be in the domain admin group, and if they are not, a net user script attack will not succeed.

The second issue is that access to any of your machines should be controlled. This exploit only requires that the attacker have guest-level access and then only for a few minutes. From that minimum access, a skilled attacker can move forward and acquire domain admin privileges.

Login as System

A login as system attack requires physical access to one machine on your network. It does not require domain or even computer login credentials. To understand this attack, think about the last time you logged into any Windows computer, even a Windows server. Next to the login text boxes (Username and Password), there is an accessibility button that allows you to launch various tools to aid users with disabilities. For example, you can launch Magnifier in order to magnify text.

In this attack, the perpetrator will boot the system to any Linux live CD. Then, using the FDISK utility, the attacker will locate the Windows partition. Navigating to the Windows\System32 directory, the attacker can first make a backup of magnify.exe, perhaps naming the backup magnify.bak. Then she can rename command.exe (the command prompt) to magnify.exe.

Now the attacker reboots to Windows. When the login screen appears, the perpetrator clicks Accessibility and then Magnify. Since command.exe was renamed to magnify.exe, the attacker is actually launching the command prompt. No user has logged in yet, so the command prompt will have system privileges. At this point, the attacker is only limited by her knowledge of commands executed from the command prompt.

This particular attack illustrates the need for physical security. If an attacker can get even 10 minutes alone with your Windows computer, she will likely find a way to breach the network.

Penetration Testing

As mentioned at the beginning of this chapter, the techniques described in this chapter can be conducted as part of penetration testing. However, a penetration test is not simply the random application of a variety of hacking techniques. Usually a penetration test is done along with or subsequent to a vulnerability assessment. (We will discuss vulnerability assessments in detail in Chapter 11.)

A penetration test involves methodical probing of a target network in order to identify weaknesses in the network. The theory behind penetration testing is that the only way to objectively determine the security level of a given network is to have a competent penetration tester attempt to breach security. As described in this section, there are a variety of standards that one can use to guide a penetration test.

NIST 800-115

NIST 800-115 is the National Institute of Standards and Technology guideline for security assessments for Federal Information Systems. Assessments include penetration tests. NIST 800-115 describes security assessments and has four phases:

  • Planning: During this phase the tester needs to set specific testing goals. Often these will be related to previous risk assessment evaluations of the target network.

  • Discovery: This phase involves using a variety of tools—including port scanners, vulnerability scanners, and manual techniques—to identify or discover any issues with the target network.

  • Attack: Now the attacker can attempt to compromise the target network by exploiting the vulnerabilities found during the discovery phase. It is in this phase that the penetration tester applies the hacking techniques we have discussed in this chapter.

  • Reporting: The final step is to prepare a detailed report and to deliver it to the person who hired the penetration tester. The report should provide details on what vulnerabilities were exploited, how they were exploited, and what remediation steps are recommended.

Even though this approach has only four phases, these are rather broad phases that include many substeps. It is not necessary for our purposes to delve into all the details of NIST 800-115. However, these broad steps provide a framework for penetration testing. Notice that there are two steps prior to the attack phase. Planning and discovery are critical, and you will see similar items in other penetration testing standards.

The NSA Information Assessment Methodology

The National Security Agency (NSA) has primary responsibility for information security throughout the U.S. federal government. The NSA has formulated a methodology to be applied to any information systems assessment that includes security audits, vulnerability tests, and penetration tests. That methodology is briefly described here:

  • Pre-assessment

    • Determine and manage the customer’s expectations.

    • Gain an understanding of the organization’s information criticality.

    • Determine the customer’s goals and objectives.

    • Determine the system boundaries.

    • Coordinate with the customer.

    • Request documentation.

  • On-site Assessment

    • Conduct an opening meeting.

    • Gather and validate system information (via interview, system demonstration, and document review).

    • Analyze assessment information.

    • Develop initial recommendations.

    • Present an out-brief.

  • Post-assessment

    • Give an additional review of documentation.

    • Get help understanding what you learned.

    • Report coordination (and writing).

This particular summary of steps is interesting. Managing customer expectations is a critical step. It is important that the customer know what a penetration test can and cannot do. The pre-assessment phase is all about deciding what will be done and what is expected.

The on-site assessment includes the process of examining the system and involves an out-briefing to let the customer know the essence of what you found. Then it culminates with a report that is written and delivered in the third phase. It is also interesting to notice that in the final phase there is a substep involving getting additional expertise. If your penetration test or security audit found items that are outside your expertise, then it is wise to consult with an expert in that area.

PCI Penetration Testing Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards used by companies that process credit cards. We will look at PCI standards in general in Chapter 10, “Security Policies.” In this section we will briefly examine the penetration testing portion of those standards. PCI DSS Requirement 11.3.4 mandates penetration testing to validate that segmentation controls and methods are operational and effective and to ensure that they isolate all out-of-scope systems from systems in the cardholder data environment.

PCI standards recommend testing a separate environment, not the live production environment, during normal business hours.

It is recommended that pen testing include social engineering tests.

Per PCI DSS Requirements 11.3.1 and 11.3.2, penetration testing must be performed at least annually and after any significant change—for example, infrastructure or application upgrade or modification—or new system component installations. As with the previous models we examined, PCI DSS has some specific steps:

  • Pre-engagement: Defining scope, documents, rules of engagement, success criteria, and review of past issues

  • The actual penetration test: Applying hacking techniques

  • Post-engagement: Reporting and recommending remediation steps

It is not critical that you memorize these standards. The point is to understand that hacking techniques are utilized in penetration testing but that penetration testing is more than just random attempts to hack the target network. It is a methodical approach to verifying the security of a target network that happens to include real hacking techniques.

This book is meant to introduce computer security and does not go into detail on penetration testing. For more details, you may want to consider Penetration Testing Fundamentals: A Hands-On Guide to Reliable Security Audits, also from Pearson.

The Dark Web

The Dark Web is an area of the Internet that is accessible only via onion routing. Onion routing essentially routes packets all around the world, bouncing through proxy servers. Each packet is encrypted with multiple layers of encryption, and each proxy can decrypt only one layer before sending the packet to the next proxy. If someone intercepts a packet in transit between two proxies, they can only determine the previous proxy and the next proxy. They cannot determine the actual origin or destination. This is shown in Figure 6.10.

Figure 6.10 TOR (diagram of how data travels from the user’s machine to the target site).

This leads to a situation in which a user’s location is not easily determined. For example, I used the TOR browser to visit Yahoo.com while sitting in my study in Plano, Texas. In Figure 6.11 you can see the results. As you can see, Yahoo thought I was coming from Sweden, and presented its page in Swedish.

Figure 6.11 Yahoo through TOR (screenshot of the TOR browser visiting Yahoo).

The anonymity provided by TOR is not inherently wrong or unethical. Many people simply do not wish to be monitored when surfing the web. However, this level of anonymity does lend itself to criminal activity, and markets on the Dark Web traffic in a range of illegal products and services.

In the past several years, many Dark Web criminal markets—for example, Silk Road, Silk Road 2, HANSA, and Alpha Bay—have been taken down by law enforcement. But others have popped up. Within minutes of searching the Dark Web, you can readily find drugs, guns, child pornography, and many other illegal products and services on these dark web markets. You can find Jihad training sites, instructions on how to make explosives, hacking services, places to buy and sell malware, and even sites devoted to extreme sexual deviation. As one example of a Dark Web market, Figure 6.12 shows The People’s Drug Store (http://newpdsuslmzqazvr.onion).

Figure 6.12 The People’s Drug Store (screenshot of the Dark Web market’s page).

Surfing the Dark Web can be a bit dangerous. Many sites are replete with malware. Therefore, you must establish a specific environment for Dark Web activities—a virtual machine that is completely isolated from the host operating system (which means no sharing of the Clipboard or folders). The virtual machine should preferably run a different operating system than the host, making crossing the VM/host barrier even more difficult. Finally, that VM should be used only for the Dark Web activities and for no other purpose. Many Dark Web investigators like to use The Amnesiac Incognito Live System (TAILS) for Dark Web surfing. It is a free download from https://tails.boum.org.

Summary

In this chapter we have examined just a few techniques hackers utilize. These techniques and tools have illustrated the need for a variety of security measures. The scanning techniques illustrate the need for blocking certain traffic at the firewall and for running an IDS. The SQL injection attack demonstrates why security must be part of application development. And the OphCrack tool illustrates why physical security is important and why the principle of least privileges is important. Putting tech support staff into the domain admins group violates the concept of least privileges and makes the privilege escalation script possible. If you wish to delve deeper into hacking and penetration testing, you may wish to read Penetration Testing Fundamentals: A Hands-On Guide to Reliable Security Audits also from Pearson, and from the same author as this current book.

Test Your Skills

Multiple Choice Questions

1. Elizabeth is describing web-based attacks to a group of students in a computer security course. What does an SQL injection attack require?

A. Having database admin privileges

B. Creating an SQL statement that is always true

C. Creating an SQL statement that will force access

D. Understanding web programming

2. Juan is looking for a vulnerability scanner that is specifically tailored to Windows systems. Which of the following is a vulnerability scanner specifically for Windows systems?

A. Nmap

B. ophcrack

C. Nessus

D. MBSA

3. You are responsible for security on an e-commerce system. You want to mitigate as many attacks as you can. How can you prevent cross-site scripting?

A. Filter user input.

B. Use an IDS.

C. Use a firewall.

D. It cannot be prevented.

4. What is an advantage of using Nessus? (Use your favorite search engine to research Nessus to answer this question.)

A. It is free for businesses.

B. It can check for a wide range of vulnerabilities.

C. It is designed for Windows systems.

D. It includes an IDS.

5. Perez is exploring different password cracking tools. A friend has told him about ophcrack. ophcrack depends on the attacker doing what?

A. Getting physical access to the machine

B. Getting domain admin privileges

C. Using social engineering

D. Using a scanning tool

6. If you wish to view items that have been removed from a website, what is the best way to do so?

A. Use Nessus.

B. Use Nmap.

C. Use www.netcraft.com.

D. Use www.archive.org.

7. Malek needs a port scanner so he can scan open ports on his own network. Which of the following is a popular port scanner?

A. Nessus

B. ophcrack

C. MBSA

D. Nmap

8. Jane wants to mitigate as many attacks as she can. A colleague suggested that she block ICMP packets. Blocking incoming ICMP packets will prevent what type of scan?

A. SYN

B. Ping

C. FIN

D. Stealth

9. It is important that you understand cybersecurity terminology, including terms for different actors in cybersecurity. What is the correct term for a person who uses hacking techniques for illegal activities?

A. A hacker

B. A gray hat hacker

C. A phreaker

D. A cracker

10. What is the term for a person who hacks into phone systems?

A. A hacker

B. A gray hat hacker

C. A phreaker

D. A cracker

11. Penelope is teaching an introductory cybersecurity course and is trying to explain the terminology to students. What is the term for a person who uses tools to hack without understanding the underlying technology?

A. A script kiddy

B. A gray hat hacker

C. A novice

D. A white hat hacker

12. What is the name for the process of trying to list all the servers on a network?

A. Port scanning

B. Enumeration

C. Vulnerability scanning

D. Scouting

13. Terrance is trying to enumerate his network resources. Which of the following is a popular enumeration tool?

A. Nessus

B. Nmap

C. MBSA

D. Cheops

14. Jaron is trying to do a port scan of his own company. He wants to test to see if the company’s security systems will be able to detect his scan. Which of the following is considered the most stealthy port scan?

A. SYN

B. Connect

C. Ping

D. Nmap

15. What is the most stealthy way to find out what type of server a website is running?

A. Use Nmap.

B. Use Cain and Abel.

C. Use www.netcraft.com.

D. Use www.archive.org.

Exercises

Exercise 6.1: Using www.archive.org

This exercise gives you practice using www.archive.org. Go to www.archive.org and pull up at least two previous versions of your college’s/university’s website. What information can you find that is no longer on the website?

Exercise 6.2: Using Nmap

This exercise introduces you to the Nmap tool. You should download and install Nmap. Then run at least three different scans on either your own computer or a designated lab computer. (While it is not illegal to scan a computer, it may violate some security policies for some colleges and universities. Make certain you scan only a designated lab computer.)

Exercise 6.3: Using ophcrack

Download ophcrack to a CD. Then reboot your own machine to the ophcrack CD and attempt to crack your own local passwords. (It is critical that you do this only on your own machine or a designated lab machine. Doing this on other machines would probably violate security policies at your college/university/company.)

Exercise 6.4: Using Netcraft.com

Visit www.netcraft.com and do a search on at least three different websites of your choosing. Note what information you are able to gather about each website.

Projects

Project 6.1: Passive Reconnaissance

Select a local organization and conduct passive reconnaissance on it. This should include searching job boards, the organization’s own website, user groups/bulletin boards, social networking sites, www.archive.org, and more. Gather as much information about the target network as you can.

Project 6.2: Port Scanners

Use your favorite search engine to locate at least two other port scanners besides Nmap. Download and install them and then try them on your own machine or a designated lab computer. Compare and contrast these tools to Nmap. Are they easier to use? More informative?

Project 6.3: MBSA

Download and install MBSA and run a vulnerability scan on your own computer or on a designated lab computer. What problems did you find? Was the tool easy to use?
