Lesson 3-Hacker Techniques

Overview

Hacker’s motivation.

Historical hacking techniques.

Advanced techniques.

Malicious code.

Methods used by untargeted hacker.

Methods used by targeted hacker.

Hacker’s Motivation

The term “hacker” was originally coined for an individual

who could make computers work.

A hacker currently refers to an individual who breaks into

computers.

Studies show that hackers are most often male, between 16

and 35 years old, loners, intelligent, and technically

proficient.


The most common motivation for hacking into computer

systems is the challenge of doing so.

The challenge motivation is usually associated with an

untargeted hacker.

An untargeted hacker is one who hacks just for the fun of it.

The greed motivation includes desire for gain in the form of

money, goods, services, or information.


Sites having something of value (software, money,

information) are primary targets for hackers motivated by

greed.

Malicious attacks focus on particular targets.

The hacker motivated by malicious intent aims at damaging,

and not gaining access to the system.

The risk of a hacker being caught and convicted is low. Hence,

the potential gain from hacking is high.

Historical Hacking Techniques

Open sharing:

When the Internet was originally created, most systems were

configured to share information.

The Network File System (NFS) used by UNIX allowed one

computer to mount the drives of another computer across a

network.

Hackers used NFS to read the information by mounting remote

drives.


Open sharing (continued):

Many operating systems were shipped out with the root file

system exportable to the world.

Anyone could mount the system’s root file and change

anything they wanted if the default configuration was not

changed.

Hackers can get into a system with remote access, by

identifying one user or administrator account on the system.


Weak passwords:

Weak passwords are the most common method used by

hackers to get into systems.

A two-character password is easier to guess than an eight-

character one.

Easy to guess passwords allow hackers a quick entry into the

system.


Programming flaws and social engineering:

Hackers have used programming flaws such as back doors in a

program for accessing systems that use the program.

Many shopping Websites store information entered by the buyer on a

URL, which can be modified before checking out.

Social engineering is the use of non-technical means to gain

unauthorized access to information or systems.

The ability to lie and a kind voice are the most powerful tools used by

a hacker using the social engineering technique.


Buffer overflow:

Buffer overflow is an attempt to store too much information

into an allocated space in a computer’s memory.

Buffer overflows allow hackers to run a command on the target

system.

A hacker can exploit a buffer overflow to overwrite the return

address to point to a new instruction.


Denial-of-Service (DoS):

DoS attacks are malicious acts to deny legitimate users access

to a system, network, application, or information.

Most DoS attacks originate from fake addresses.

In a single-source DoS attack, a single system is used to attack

another system.

The SYN flood and the Ping of Death are some of the single-

source DoS attacks that have been identified.


Distributed Denial-of-Service (DDoS):

DDoS attacks originate from a large number of systems.

Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are

some of the new DDoS attack tools.


Distributed Denial-of-Service (DDoS) (continued):

A hacker talks to a master or server that has been placed on a

compromised system.

The master talks to the slave or client processes that have

been placed on other compromised systems. The slaves, also

called zombies, perform the actual attack against the target

system.


The architecture of DDoS attacks.

Advanced Techniques

Sniffing switch networks.

IP spoofing.

Sniffing Switch Networks

Hackers use sniffers to gather passwords and other system-

related information after a system is compromised.

On shared media networks, sniffers use network interface

cards (NIC) to access information.

In a switched environment, the hacker must cause the

switch to redirect all traffic to the sniffer, or send all traffic

to all ports.


Redirecting traffic:

A switch directs traffic to ports based on the Media Access

Control (MAC) address of the Ethernet frame.

Address Resolution Protocol (ARP) is used to get the MAC

address associated with a particular IP address.

When a system wants to send traffic to another system, it will

send an ARP request for the destination IP address.


Redirecting traffic (continued):

A sniffer may respond to an ARP request with its own MAC

address, causing traffic to be sent to itself.

This is called ARP spoofing.

The sniffer must send on the traffic to the correct destination,

or it will cause a denial of service on the network.

ARP spoofing is possible only on local subnets as the ARP

messages do not go outside the local subnet.


Redirecting traffic (continued):

Duplicating the MAC address of the target system is another way of

getting the switch to redirect the traffic to the sniffer.

In a DNS Spoofing attack, a sniffer responds to the sending system’s

DNS requests.

The sniffers response provides its own IP address as that of the

system being requested.

DNA Spoofing is possible if the sniffer is in the network path from the

sending system to the DNS server.


Sending all traffic to all ports:

When the memory used by switches to store the mappings

between MAC addresses and physical ports is full, some

switches will fall “open.”

That means that the switch will send all traffic to all ports

instead of sending traffic for specific MACs to specific ports.

Sniffing requires that the hacker have a system on the local

switch.

IP Spoofing

Details of IP spoofing

IP Spoofing

Using IP spoofing in the real world

Malicious Code

Malicious codes include three types of programs:

Computer viruses.

Trojan horse programs.

Worms.

Computer Viruses

Computer viruses are not structured to exist by themselves.

Virus codes execute when the programs to which they are

attached are executed.

Malicious viruses may delete files or cause systems to

become unstable.

Some viruses just spread themselves to other systems

without performing any malicious acts.

Trojan Horse Programs

A Trojan horse is a complete and self-contained program.

It hides its malicious intent behind a facade of something

useful or interesting.

Most Trojan horse programs contain a mechanism to spread

themselves to new victims.

Worms

A worm is a program that crawls from system to system

without any assistance from its victims.

The Morris Worm was the first known example of a worm.

CodeRed and Slapper Worm are recent examples of worms.

Hybrid is the combination of two types of malicious codes

into a single program.

Methods Used by Untargeted Hacker

Internet reconnaissance:

Untargeted hackers look for any vulnerable system they can find.

The hacker may perform a stealth scan, sometimes in

conjunction with a ping sweep.

A stealth scan is an attempt to identify systems within an

address range.

A ping sweep is an attempt to ping each address and see if a

response is received.


Stealth scanning


Reset scans


Telephone and wireless reconnaissance:

Wardialing is a method of telephone reconnaissance to identify

systems that have modems and that answer calls.

Wardriving and Warchalking are methods of wireless

reconnaissance.

An untargeted hacker will use reconnaissance methods to

identify systems. They will look for systems that may be

vulnerable to the available exploits.


Use of Compromised Systems:

Hackers normally place a back door entry to compromised

systems to access them again.

The back door entries are put together in a rootkit.

Hackers may close vulnerabilities they used to gain access, so

that no other hacker can gain access to “their” system.

A compromised system may be used to attack other systems

or for reconnaissance purposes.

Methods Used by Targeted Hacker

A targeted hacker aims at penetrating or damaging a

particular organization.

A targeted hacker is motivated by a desire to gain

something the organization has.

The skill level of targeted hackers tends to be higher than

that of untargeted hackers.


Reconnaissance:

Address reconnaissance is the identification of the address

space used by the target organization.

Addresses can be identified through DNS, the American

Registry of Internet Numbers (ARIN) or through text searches

at Network Solutions.

Phone number reconnaissance is inaccurate and more difficult

than identifying network addresses.


Reconnaissance (continued):

The hacker can perform wireless reconnaissance by walking or

driving around the organization’s building.

System reconnaissance is used to identify the existing systems,

operating systems, and their vulnerabilities.

Ping sweeps, stealth scans, or port scans may be used to identify

systems.

Stealth scans, mail systems, or Web servers may be used to identify

the operating system.



Attacking or examining the system for indications of vulnerabilities

can identify vulnerabilities.

Vulnerabilities scanners will provide information, but may alert the

target organization about the hacker’s presence.

The hacker may gain access to the organization through its remote

offices.

Business reconnaissance will help the hacker identify the type of

damage that will hurt the target the most.



Studying the employees of the organization may prove

valuable for the purpose of social engineering.

Targeted hackers use physical reconnaissance extensively.

Weaknesses in physical security may be used to gain access to

the site.

The hacker may also find information by searching a dumpster

if trash and paper to be recycled is dumped into it.


Electronic attack methods:

The hacker may attempt to hide the attack from the intrusion

detection system by breaking the attack into packets.

The hacker must make the system appear as normal as

possible if the attack is successful.

The hacker will establish back door entries to allow repeated

access to a compromised system.


Electronic attack methods (continued):

Systems with remote access control or administration systems

are prime targets for attacks via dial-in access.

The hacker may send a virus or a Trojan horse program to an

employee’s home system.

Wireless networks provide the easiest access path.

In many cases, the wireless network is part of the organization’s

internal network. Hence, it may have fewer security devices.


Physical attack methods:

Social engineering is the safest physical attack method.

It may lead to electronic information.

Checking the dumpster or following an employee into the

building are other methods of physical attack.

Summary

A hacker may be motivated by the challenge of breaking in,

greed, or malicious intent.

Open file sharing, weak passwords, programming flaws,

and buffer overflows were exploited by hackers to break

into systems.

In social engineering, the hacker uses human nature and

the ability to lie, to access information.

Summary

In Denial-of-Service attacks, legitimate users are denied

access to the system, network, information, or applications.

In Distributed Denial-of-Service attacks, many systems are

coordinated to attack a single target.

Sniffing switch networks involves getting the switch to

either redirect traffic to the sniffer or send all traffic to all

ports.

Summary

ARP spoofing, MAC duplicating, and DNS spoofing are the

three methods of redirecting traffic.

IP spoofing involves modifying the source address to make

the packet appear to appear as if coming from elsewhere.

Viruses, Trojan horse programs, and worms are the three

types of malicious codes.

Summary

Untargeted hackers do not aim at accessing particular

information or organizations, but look for any system that

can be compromised.

Targeted hackers have a reason for attacking a

organization.

Lesson 3-Hacker Techniques

Documents

Transcript of Lesson 3-Hacker Techniques