Historical Hacking Techniques

Lesson 3 - Hacker Techniques

Overview
• Hacker’s motivation.
• Historical hacking techniques.
• Advanced techniques.
• Malicious code.
• Methods used by untargeted hackers.
• Methods used by targeted hackers.

Hacker’s Motivation
• The term “hacker” was originally coined for an individual who could make computers work.
• A hacker currently refers to an individual who breaks into computers.
• Studies show that hackers are most often male, between 16 and 35 years old, loners, intelligent, and technically proficient.

Hacker’s Motivation
• The most common motivation for hacking into computer systems is the challenge of doing so.
• The challenge motivation is usually associated with an untargeted hacker.
• An untargeted hacker is one who hacks just for the fun of it.
• The greed motivation includes the desire for gain in the form of money, goods, services, or information.

Hacker’s Motivation
• Sites having something of value (software, money, information) are primary targets for hackers motivated by greed.
• Malicious attacks focus on particular targets.
• The hacker motivated by malicious intent aims at damaging, and not at gaining access to, the system.
• The risk of a hacker being caught and convicted is low. Hence, the potential gain from hacking is high.
Historical Hacking Techniques
Open sharing:
• When the Internet was originally created, most systems were configured to share information.
• The Network File System (NFS) used by UNIX allowed one computer to mount the drives of another computer across a network.
• Hackers used NFS to read the information by mounting remote drives.

Historical Hacking Techniques
Open sharing (continued):
• Many operating systems were shipped with the root file system exportable to the world.
• Anyone could mount the system’s root file system and change anything they wanted if the default configuration was not changed.
• Hackers can get into a system with remote access by identifying one user or administrator account on the system.
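The open-sharing default described above is still worth checking for on any host that exports NFS. The following audit script is an added example, not part of the lesson: it parses an exports(5)-style file and flags the root filesystem being exported, world-writable exports, and world exports that disable root_squash. The sample exports file is constructed; the audit rules are this example's own, using the real exports(5) option names.

```python
"""Audit an NFS exports file for the 'open sharing' defaults described above.

Added example; the sample file is constructed and the audit rules are this
example's own (they follow the exports(5) option names rw, ro, root_squash
and no_root_squash).
"""

# Constructed sample.  The first entry is the historical bad default: the
# root filesystem exported read/write to every host, with root not squashed.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example, not from a real host)
/            *(rw,no_root_squash)
/home        192.0.2.0/24(rw,sync,root_squash)
/pub         *(ro)
/srv/builds  buildhost.example.net(rw)
/backup
"""


def parse_exports(text):
    """Parse exports(5)-style lines into (path, [(host, [options]), ...]).

    A line with no client list exports to everyone, which is represented
    here as the host "*" with no options.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]
        clients = []
        for spec in specs:
            if "(" in spec:
                host, opts = spec.split("(", 1)
                opts = [o for o in opts.rstrip(")").split(",") if o]
            else:
                host, opts = spec, []
            clients.append((host or "*", opts))   # "(rw)" alone means every host
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, host, finding) triples for exports a hardening review
    would flag: the root filesystem, world-writable shares, and world shares
    that let a remote root keep root privileges."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            world = host == "*"
            writable = "rw" in opts
            root_squashed = "no_root_squash" not in opts   # root_squash is the default
            if path == "/":
                findings.append((path, host, "root filesystem exported"))
            if world and writable:
                findings.append((path, host, "world-writable export"))
            if world and not root_squashed:
                findings.append((path, host, "world export with no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12} {host:<24} {finding}")
```

Run against the sample, only the first line is reported (three findings, all on `/`); the hardened `/home` line, which restricts the client range and keeps root_squash, produces none.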
Historical Hacking Techniques
Weak passwords:
• Weak passwords are the most common method used by hackers to get into systems.
• A two-character password is easier to guess than an eight-character one.
• Easy-to-guess passwords allow hackers a quick entry into the system.

Historical Hacking Techniques
Programming flaws and social engineering:
• Hackers have used programming flaws such as back doors in a program to access systems that use the program.
• Many shopping Websites store information entered by the buyer in a URL, which can be modified before checking out.
• Social engineering is the use of non-technical means to gain unauthorized access to information or systems.
• The ability to lie and a kind voice are the most powerful tools of a hacker using the social engineering technique.
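The shopping-site flaw in the second bullet is a trust problem: the server believes a value the browser carried in the URL. The example below is added here and is not from the lesson; the shop, catalogue and parameter names (`sku`, `qty`, `price`) are hypothetical. It puts the vulnerable checkout beside a hardened one that takes the price only from the server-side catalogue and validates the remaining fields, and adds a small detection hook.

```python
"""Price tampering through URL parameters, and the server-side fix.

Added example, not from the original lesson.  The shop, catalogue and
parameter names (sku, qty, price) are hypothetical.
"""
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalogue: the only place a price may come from.
CATALOG = {"sku-100": 49.99, "sku-200": 5.00}


def _query(url):
    """Return the URL's query string as {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def checkout_trusting_url(url):
    """The flaw the slide describes: the order total is computed from a price
    the browser carried in the URL, so the buyer can edit it before checkout."""
    q = _query(url)
    return round(float(q["price"]) * int(q["qty"]), 2)


def checkout_server_side(url):
    """Hardened checkout: the URL may only name an item and a quantity; the
    price is looked up server-side and every client field is validated."""
    q = _query(url)
    sku = q.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(q.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(CATALOG[sku] * qty, 2)


def server_side_rejection(url):
    """Return the rejection reason for `url`, or None if it checks out."""
    try:
        checkout_server_side(url)
    except ValueError as exc:
        return str(exc)
    return None


def price_tampering_attempted(url):
    """Detection hook: a client that sends a price at all is either running an
    old page or editing the URL; either way it is worth logging."""
    return "price" in _query(url)


if __name__ == "__main__":
    edited = "https://shop.example/checkout?sku=sku-100&price=0.01&qty=2"
    print(checkout_trusting_url(edited))    # the edited price is honoured
    print(checkout_server_side(edited))     # the catalogue price is charged
```

The same rule applies to any client-side state, hidden form fields and cookies included: anything the client can edit is input, and the price, discount or account identifier it names must be resolved on the server.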
Historical Hacking Techniques
Buffer overflow:
• A buffer overflow is an attempt to store too much information into an allocated space in a computer’s memory.
• Buffer overflows allow hackers to run a command on the target system.
• A hacker can exploit a buffer overflow to overwrite the return address to point to a new instruction.
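The last bullet is easiest to see on a model of the stack layout. The following toy is an added example, not from the lesson: a fixed-size buffer is followed in memory by the saved return address, exactly as a C compiler lays out a frame, and an unchecked copy of oversized input runs off the end of the buffer into that slot, while a bounded copy truncates and leaves it intact. The frame layout, buffer size and the `ORIGINAL_RET` value are constructed for illustration.

```python
"""Toy model of a stack buffer overflow and the bounds check that prevents it.

Added example, not from the lesson.  BUF_SIZE, RET_SIZE and ORIGINAL_RET are
constructed values; the frame is a bytearray standing in for stack memory.
"""
import struct

BUF_SIZE = 16                 # the local char buffer
RET_SIZE = 4                  # a 32-bit saved return address right after it
ORIGINAL_RET = 0x08048000     # constructed placeholder, not a real address


def new_frame():
    """A toy stack frame: buffer bytes 0..15, saved return address bytes 16..19."""
    frame = bytearray(BUF_SIZE + RET_SIZE)
    struct.pack_into("<I", frame, BUF_SIZE, ORIGINAL_RET)
    return frame


def saved_return(frame):
    """Read the return address slot the way the CPU would on function return."""
    return struct.unpack_from("<I", frame, BUF_SIZE)[0]


def unchecked_copy(frame, data):
    """Models strcpy(): every input byte is written with no length check, so
    bytes past BUF_SIZE land on the saved return address."""
    for i, b in enumerate(data):
        if i < len(frame):            # the toy stops at the frame edge; real code does not
            frame[i] = b
    return frame


def bounded_copy(frame, data):
    """Models a correct copy (strncpy/snprintf given the buffer size): input
    longer than the buffer is truncated, so the return address is untouched."""
    n = min(len(data), BUF_SIZE - 1)  # keep one byte for the terminating NUL
    frame[:n] = data[:n]
    frame[n] = 0
    return frame


def return_address_clobbered(copy_fn, data):
    """True if copying `data` with `copy_fn` changed the saved return address."""
    frame = copy_fn(new_frame(), data)
    return saved_return(frame) != ORIGINAL_RET


if __name__ == "__main__":
    oversized = b"A" * 24
    print(hex(saved_return(unchecked_copy(new_frame(), oversized))))
    print(return_address_clobbered(bounded_copy, oversized))
```

With 24 bytes of input the unchecked copy leaves `0x41414141` in the return slot, which is what a crash dump of an overflowed program typically shows; the bounded copy reports no change. The fix in real code is the same as in the model: every copy into a fixed buffer carries the buffer's size.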
Historical Hacking Techniques
Denial-of-Service (DoS):
• DoS attacks are malicious acts to deny legitimate users access to a system, network, application, or information.
• Most DoS attacks originate from fake addresses.
• In a single-source DoS attack, a single system is used to attack another system.
• The SYN flood and the Ping of Death are some of the single-source DoS attacks that have been identified.

Historical Hacking Techniques
Distributed Denial-of-Service (DDoS):
• DDoS attacks originate from a large number of systems.
• Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are some of the new DDoS attack tools.

Historical Hacking Techniques
Distributed Denial-of-Service (DDoS) (continued):
• A hacker talks to a master or server that has been placed on a compromised system.
• The master talks to the slave or client processes that have been placed on other compromised systems. The slaves, also called zombies, perform the actual attack against the target system.
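The SYN flood named on the DoS slide and the many-source pattern of the DDoS slides show up the same way on the victim: a backlog of half-open connections. This detector is an added example, not from the lesson. It counts SYNs never followed by the client's ACK per source in constructed flow records (`<time> <src> <dst>:<port> <flags>`), reports a single source above a threshold as a single-source flood, and reports a large backlog spread thinly over many sources as distributed. Since the slide notes that most DoS traffic uses fake addresses, the monitor cannot tell a distributed flood from a spoofed one; the thresholds are illustrative.

```python
"""Spotting single-source and distributed SYN floods in connection records.

Added example, not from the lesson.  The flow records below are constructed
("<time> <src_ip> <dst_ip>:<port> <tcp_flags>"), and the thresholds are
illustrative choices for this toy data set.
"""
from collections import Counter

TARGET = "192.0.2.10:80"


def build_sample_flows():
    """Constructed records: two legitimate clients that complete the
    handshake, one flooding source, and forty one-SYN sources that look
    like a distributed (or source-spoofed) flood."""
    lines = []
    for t, ip in enumerate(["192.0.2.50", "192.0.2.51"]):
        lines.append(f"{t} {ip} {TARGET} S")    # SYN
        lines.append(f"{t} {ip} {TARGET} A")    # final ACK of the handshake
    for i in range(50):
        lines.append(f"{5 + i} 198.51.100.7 {TARGET} S")
    for i in range(40):
        lines.append(f"{60 + i} 203.0.113.{i + 1} {TARGET} S")
    return lines


def half_open_per_source(lines):
    """Count SYNs that were never followed by the client's ACK, per source.
    A flood shows up as many half-open entries; a real client nets out at 0."""
    syn, ack = Counter(), Counter()
    for line in lines:
        _, src, _dst, flags = line.split()
        if "S" in flags and "A" not in flags:
            syn[src] += 1
        elif "A" in flags:
            ack[src] += 1
    return {src: syn[src] - ack[src] for src in syn if syn[src] - ack[src] > 0}


def analyze(lines, per_source_threshold=20, distributed_threshold=30):
    """Classify the half-open backlog.  A single source above the per-source
    threshold is a single-source flood; a large backlog spread thinly over
    many sources is distributed (or spoofed: the monitor cannot tell which)."""
    half_open = half_open_per_source(lines)
    offenders = {s: n for s, n in half_open.items() if n >= per_source_threshold}
    rest = {s: n for s, n in half_open.items() if s not in offenders}
    spread_total = sum(rest.values())
    verdicts = [f"single-source SYN flood from {s} ({n} half-open)"
                for s, n in sorted(offenders.items())]
    if spread_total >= distributed_threshold:
        verdicts.append(f"distributed/spoofed SYN flood: {spread_total} half-open "
                        f"from {len(rest)} sources")
    return {"offenders": offenders, "spread_total": spread_total,
            "spread_sources": len(rest), "verdicts": verdicts}


if __name__ == "__main__":
    for verdict in analyze(build_sample_flows())["verdicts"]:
        print(verdict)
```

On the sample both verdicts fire: 50 half-open connections from one address, and 40 more spread over 40 addresses with one each. The two honest clients net out to zero and are never listed, which is the property a production detector needs so that a busy but legitimate client is not mistaken for a flood.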
Historical Hacking Techniques
The architecture of DDoS attacks.
Advanced Techniques
• Sniffing switch networks.
• IP spoofing.

Sniffing Switch Networks
• Hackers use sniffers to gather passwords and other system-related information after a system is compromised.
• On shared media networks, sniffers use network interface cards (NICs) to access information.
• In a switched environment, the hacker must cause the switch to redirect all traffic to the sniffer, or to send all traffic to all ports.

Sniffing Switch Networks
Redirecting traffic:
• A switch directs traffic to ports based on the Media Access Control (MAC) address of the Ethernet frame.
• The Address Resolution Protocol (ARP) is used to get the MAC address associated with a particular IP address.
• When a system wants to send traffic to another system, it will send an ARP request for the destination IP address.

Sniffing Switch Networks
Redirecting traffic (continued):
• A sniffer may respond to an ARP request with its own MAC address, causing traffic to be sent to itself.
• This is called ARP spoofing.
• The sniffer must send the traffic on to the correct destination, or it will cause a denial of service on the network.
• ARP spoofing is possible only on local subnets, as ARP messages do not go outside the local subnet.

Sniffing Switch Networks
Redirecting traffic (continued):
• Duplicating the MAC address of the target system is another way of getting the switch to redirect the traffic to the sniffer.
• In a DNS spoofing attack, a sniffer responds to the sending system’s DNS requests.
• The sniffer’s response provides its own IP address as that of the system being requested.
• DNS spoofing is possible if the sniffer is in the network path from the sending system to the DNS server.
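Both redirection tricks on the slides above, a forged ARP reply and a duplicated MAC address, leave traces a passive monitor can see: an IP address whose MAC binding changes, one MAC answering for several IP addresses, and one MAC learned on more than one switch port. The watcher below is an added example, not from the lesson; the ARP replies and the switch MAC table are constructed, and the checks mirror what tools such as arpwatch report.

```python
"""Passive detection of ARP spoofing and MAC duplication.

Added example (not from the lesson).  The ARP replies and the switch MAC
table below are constructed; the checks are the ones a tool such as
arpwatch applies: an IP whose MAC changes, one MAC answering for several
IPs, and one MAC appearing on more than one switch port.
"""
from collections import defaultdict

# Constructed ARP replies as a monitor on the subnet would see them: (ip, mac).
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),    # gateway, legitimate
    ("192.0.2.20", "00:11:22:33:44:20"),
    ("192.0.2.21", "00:11:22:33:44:21"),
    ("192.0.2.1", "00:11:22:33:44:21"),    # host .21 now answers for the gateway
    ("192.0.2.20", "00:11:22:33:44:21"),   # ...and for .20 as well
]

# Constructed switch MAC table entries: (mac, port).  The gateway's MAC
# showing up on a second port is the MAC-duplication case.
SAMPLE_MAC_TABLE = [
    ("00:11:22:33:44:01", "Gi0/1"),
    ("00:11:22:33:44:20", "Gi0/5"),
    ("00:11:22:33:44:21", "Gi0/7"),
    ("00:11:22:33:44:01", "Gi0/7"),
]


class ArpWatcher:
    """Tracks IP-to-MAC bindings and raises alerts when they look spoofed."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # The binding moved: the classic sign of a forged ARP reply.
            self.alerts.append(f"binding change: {ip} was {previous}, now {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One interface claiming several addresses, e.g. a host posing as the gateway.
            self.alerts.append(
                f"one MAC claims several IPs: {mac} -> {sorted(self.mac_to_ips[mac])}")


def watch(replies):
    """Feed a sequence of (ip, mac) replies to a fresh watcher; return its alerts."""
    watcher = ArpWatcher()
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher.alerts


def duplicate_macs(mac_table):
    """Return {mac: sorted ports} for every MAC learned on more than one port."""
    ports = defaultdict(set)
    for mac, port in mac_table:
        ports[mac.lower()].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    for alert in watch(SAMPLE_ARP_REPLIES):
        print("ARP:", alert)
    for mac, ports in duplicate_macs(SAMPLE_MAC_TABLE).items():
        print("MAC on several ports:", mac, ports)
```

The first three replies are quiet; the fourth produces two alerts (the gateway's binding moved, and one MAC now claims two addresses) and the fifth two more. A legitimate binding change, a replaced NIC for instance, trips the first check once, which is why such monitors are normally paired with a known-good table of static entries for the gateway and servers.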
Sniffing Switch Networks
Sending all traffic to all ports:
• When the memory used by switches to store the mappings between MAC addresses and physical ports is full, some switches will fail “open.”
• That means that the switch will send all traffic to all ports instead of sending traffic for specific MACs to specific ports.
• Sniffing requires that the hacker have a system on the local switch.
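The table-exhaustion behaviour above, and the port-security limit that counters it, can be watched on a small model of a switch. The model below is an added example, not from the lesson: a MAC table of fixed capacity, frames forwarded by destination MAC, unknown destinations flooded to every other port. Once the table is full nothing new is learned, so a host that has not yet been learned receives its traffic flooded to every port, including the one filling the table. With a per-port MAC limit the flood of bogus addresses is refused at its own port and the table never fills. Port numbers, MAC addresses and the capacity are constructed values; some switches flood even more aggressively than this model, as the slide says.

```python
"""What MAC-table exhaustion does to a switch, and what port security changes.

Added example, not from the lesson.  The switch is a small model: a MAC table
of fixed capacity, frames forwarded by destination MAC, unknown destinations
flooded.  Port numbers, MACs and the capacity are constructed values.
"""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = {}                           # mac -> port
        self.capacity = cam_capacity
        self.max_per_port = max_macs_per_port   # None = no port security
        self.violations = Counter()             # port -> rejected learn attempts

    def learn(self, mac, port):
        """Learn a source MAC.  Returns False if the entry could not be stored."""
        if mac in self.cam:
            self.cam[mac] = port
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations[port] += 1      # port security: refuse the extra MAC
                return False
        if len(self.cam) >= self.capacity:
            return False                        # table full: nothing new is learned
        self.cam[mac] = port
        return True

    def forward(self, src_mac, in_port, dst_mac):
        """Return the set of egress ports for one frame."""
        self.learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or out is None:
            return self.ports - {in_port}       # unknown destination: flood everywhere
        return {out}


def simulate(max_macs_per_port=None, cam_capacity=64, bogus_macs=100):
    """Gateway on port 1, victim on port 3, a host on port 8 that emits
    frames from `bogus_macs` different source addresses before the victim
    has been learned.  Returns where the gateway's reply to the victim went."""
    sw = Switch(range(1, 9), cam_capacity, max_macs_per_port)
    gateway, victim = "00:00:5e:00:01:01", "00:11:22:33:44:03"
    sw.forward(gateway, 1, BROADCAST)                 # gateway is learned on port 1
    for i in range(bogus_macs):                       # constructed bogus addresses
        sw.forward(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", 8, gateway)
    sw.forward(victim, 3, gateway)                    # victim tries to get learned
    reply_ports = sw.forward(gateway, 1, victim)      # gateway answers the victim
    return {"cam_entries": len(sw.cam),
            "victim_learned": victim in sw.cam,
            "reply_ports": reply_ports,
            "violations_port8": sw.violations[8]}


if __name__ == "__main__":
    print("no port security:", simulate())
    print("max 2 MACs/port: ", simulate(max_macs_per_port=2))
```

Without a limit the table fills at 64 entries, the victim is never learned, and the gateway's reply is flooded to ports 2 through 8, port 8 included. With a limit of two MACs per port, 98 of the 100 bogus addresses are refused and counted as violations, the victim is learned normally, and the reply goes to port 3 alone. The violation counter is also the alarm: on real switches the same event is logged and can shut the offending port.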
IP Spoofing
Details of IP spoofing

IP Spoofing
Using IP spoofing in the real world
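The two IP spoofing slides carry only their titles here; the lesson summary defines IP spoofing as modifying a packet's source address so that it appears to come from elsewhere, and the DoS slide notes that most DoS traffic uses fake addresses. The standard network-edge defence is ingress filtering (the BCP 38 idea): accept a packet only if its source address is plausible for the interface it arrived on. The filter below is an added example, not from the lesson, with a hypothetical topology: our network 192.0.2.0/24 sits behind interface `lan0` and `wan0` faces the upstream.

```python
"""Ingress filtering against source-address spoofing (the BCP 38 idea).

Added example, not from the lesson.  The topology is hypothetical: our
network 192.0.2.0/24 sits behind interface lan0; wan0 faces the upstream.
A packet is accepted only if its source address is plausible for the
interface it arrived on.
"""
import ipaddress

# Constructed policy: which source prefixes are legitimate on each inside interface.
INSIDE_PREFIXES = {"lan0": [ipaddress.ip_network("192.0.2.0/24")]}
UPSTREAM_INTERFACES = {"wan0"}
OUR_PREFIXES = [net for nets in INSIDE_PREFIXES.values() for net in nets]


def accept(iface, src):
    """True if `src` is a plausible source address for a packet entering `iface`."""
    ip = ipaddress.ip_address(src)
    if iface in INSIDE_PREFIXES:
        # Outbound: hosts may only use addresses we assigned to that segment.
        return any(ip in net for net in INSIDE_PREFIXES[iface])
    if iface in UPSTREAM_INTERFACES:
        # Inbound: nobody on the Internet legitimately sends from our own space.
        return not any(ip in net for net in OUR_PREFIXES)
    return False   # unknown interface: default deny


def filter_packets(packets):
    """Split (iface, src, dst) packets into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if accept(pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


# Constructed packets: two honest, two with forged sources.
SAMPLE_PACKETS = [
    ("lan0", "192.0.2.10", "198.51.100.9"),    # honest outbound
    ("lan0", "203.0.113.5", "198.51.100.9"),   # inside host forging a foreign source
    ("wan0", "198.51.100.9", "192.0.2.10"),    # honest inbound
    ("wan0", "192.0.2.77", "192.0.2.10"),      # outsider posing as one of our hosts
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```

The outbound rule keeps our own hosts from launching spoofed traffic at others; the inbound rule stops an outsider from borrowing one of our addresses to slip past address-based trust. Neither rule can catch a forged address that is plausible for its interface, which is why source filtering works best when every network applies it at its own edge.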
Malicious Code
Malicious code includes three types of programs:
• Computer viruses.
• Trojan horse programs.
• Worms.

Computer Viruses
• Computer viruses are not structured to exist by themselves.
• Virus code executes when the programs to which it is attached are executed.
• Malicious viruses may delete files or cause systems to become unstable.
• Some viruses just spread themselves to other systems without performing any malicious acts.

Trojan Horse Programs
• A Trojan horse is a complete and self-contained program.
• It hides its malicious intent behind a facade of something useful or interesting.
• Most Trojan horse programs contain a mechanism to spread themselves to new victims.

Worms
• A worm is a program that crawls from system to system without any assistance from its victims.
• The Morris Worm was the first known example of a worm.
• CodeRed and the Slapper Worm are recent examples of worms.
• A hybrid is the combination of two types of malicious code into a single program.
Methods Used by Untargeted Hacker
Internet reconnaissance:
• Untargeted hackers look for any vulnerable system they can find.
• The hacker may perform a stealth scan, sometimes in conjunction with a ping sweep.
• A stealth scan is an attempt to identify systems within an address range.
• A ping sweep is an attempt to ping each address and see if a response is received.
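Seen from the target side, the reconnaissance described above has a simple shape in firewall logs: one source touching many hosts (a ping sweep) or many ports on one host (a port scan) within a short time. The detector below is an added example, not from the lesson; its log records are constructed in the form `<sec> <proto> <src> <dst> <dport>` (with `-` as the port for ICMP), and the thresholds and the fixed 60-second bucket are illustrative. Telling a stealth (half-open) scan from a full connect scan needs TCP flag data these records do not carry.

```python
"""Detecting ping sweeps and port scans in firewall log records.

Added example, not from the lesson.  Records are constructed in the form
"<sec> <proto> <src> <dst> <dport>" (dport is '-' for ICMP); the thresholds
and the fixed 60-second bucket are illustrative choices.
"""
from collections import defaultdict

WINDOW = 60  # seconds per bucket


def build_sample_log():
    """Constructed firewall records: one sweep, one port scan, one honest admin."""
    lines = []
    # A sweep: one source pings 30 consecutive addresses in ten seconds.
    for i in range(30):
        lines.append(f"{100 + i // 3} icmp 198.51.100.5 192.0.2.{i + 1} -")
    # A port scan: one source probes 40 ports on one host.
    for p in range(1, 41):
        lines.append(f"{200 + p // 10} tcp 203.0.113.9 192.0.2.10 {p}")
    # Benign: an admin pings three servers and opens two services.
    for i, dst in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        lines.append(f"{300 + i} icmp 192.0.2.200 {dst} -")
    lines.append("310 tcp 192.0.2.200 192.0.2.10 22")
    lines.append("311 tcp 192.0.2.200 192.0.2.10 443")
    return lines


def parse(lines):
    """Yield (sec, proto, src, dst, dport) tuples from the record format above."""
    for line in lines:
        sec, proto, src, dst, dport = line.split()
        yield int(sec), proto, src, dst, dport


def detect_ping_sweeps(lines, min_hosts=10):
    """{src: distinct hosts} for sources that ICMP-probe >= min_hosts hosts in one bucket."""
    hosts = defaultdict(set)
    for sec, proto, src, dst, _ in parse(lines):
        if proto == "icmp":
            hosts[(src, sec // WINDOW)].add(dst)
    sweeps = {}
    for (src, _), dsts in hosts.items():
        if len(dsts) >= min_hosts:
            sweeps[src] = max(sweeps.get(src, 0), len(dsts))
    return sweeps


def detect_port_scans(lines, min_ports=10):
    """{(src, dst): distinct ports} for pairs hitting >= min_ports ports in one bucket."""
    ports = defaultdict(set)
    for sec, proto, src, dst, dport in parse(lines):
        if proto == "tcp":
            ports[(src, dst, sec // WINDOW)].add(dport)
    scans = {}
    for (src, dst, _), seen in ports.items():
        if len(seen) >= min_ports:
            scans[(src, dst)] = max(scans.get((src, dst), 0), len(seen))
    return scans


if __name__ == "__main__":
    log = build_sample_log()
    print("ping sweeps:", detect_ping_sweeps(log))
    print("port scans: ", detect_port_scans(log))
```

Fixed buckets are a deliberate simplification: a scan that straddles a bucket boundary is split in two and may drop below threshold, which is why production tools use sliding windows or per-source state with a timeout. The benign administrator stays under both thresholds; lowering `min_hosts` to 3 would flag the three pings as well, which is the usual tuning trade-off.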
Methods Used by Untargeted Hacker
Stealth scanning

Methods Used by Untargeted Hacker
Reset scans

Methods Used by Untargeted Hacker
Telephone and wireless reconnaissance:
• Wardialing is a method of telephone reconnaissance to identify systems that have modems and that answer calls.
• Wardriving and warchalking are methods of wireless reconnaissance.
• An untargeted hacker will use reconnaissance methods to identify systems. They will look for systems that may be vulnerable to the available exploits.

Methods Used by Untargeted Hacker
Use of compromised systems:
• Hackers normally place a back door entry on compromised systems to access them again.
• The back door entries are put together in a rootkit.
• Hackers may close the vulnerabilities they used to gain access, so that no other hacker can gain access to “their” system.
• A compromised system may be used to attack other systems or for reconnaissance purposes.
Methods Used by Targeted Hacker
• A targeted hacker aims at penetrating or damaging a particular organization.
• A targeted hacker is motivated by a desire to gain something the organization has.
• The skill level of targeted hackers tends to be higher than that of untargeted hackers.

Methods Used by Targeted Hacker
Reconnaissance:
• Address reconnaissance is the identification of the address space used by the target organization.
• Addresses can be identified through DNS, the American Registry for Internet Numbers (ARIN), or through text searches at Network Solutions.
• Phone number reconnaissance is inaccurate and more difficult than identifying network addresses.

Methods Used by Targeted Hacker
Reconnaissance (continued):
• The hacker can perform wireless reconnaissance by walking or driving around the organization’s building.
• System reconnaissance is used to identify the existing systems, operating systems, and their vulnerabilities.
• Ping sweeps, stealth scans, or port scans may be used to identify systems.
• Stealth scans, mail systems, or Web servers may be used to identify the operating system.

Methods Used by Targeted Hacker
Reconnaissance (continued):
• Attacking or examining the system for indications of vulnerabilities can identify vulnerabilities.
• Vulnerability scanners will provide information, but may alert the target organization to the hacker’s presence.
• The hacker may gain access to the organization through its remote offices.
• Business reconnaissance will help the hacker identify the type of damage that will hurt the target the most.

Methods Used by Targeted Hacker
Reconnaissance (continued):
• Studying the employees of the organization may prove valuable for the purpose of social engineering.
• Targeted hackers use physical reconnaissance extensively.
• Weaknesses in physical security may be used to gain access to the site.
• The hacker may also find information by searching a dumpster if trash and paper to be recycled are dumped into it.

Methods Used by Targeted Hacker
Electronic attack methods:
• The hacker may attempt to hide the attack from the intrusion detection system by breaking the attack into packets.
• The hacker must make the system appear as normal as possible if the attack is successful.
• The hacker will establish back door entries to allow repeated access to a compromised system.
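The first bullet above describes an evasion that works against any sensor matching signatures one packet at a time: a pattern split across segments, possibly delivered out of order, never appears whole in any single packet. The example below is added here and is not from the lesson. It uses a harmless constructed marker string as the "signature" and constructed TCP segments, and puts a per-packet matcher beside one that reassembles the stream by sequence number first, handling overlapping segments and stopping at a gap so nothing is matched across missing data.

```python
"""Why an IDS must reassemble TCP streams before matching signatures.

Added example, not from the lesson.  The signature is a harmless constructed
marker string and the segments are constructed; the point is that a matcher
looking at one packet at a time misses a pattern split across packets (and
arriving out of order), while a reassembled view catches it.
"""

SIGNATURE = b"X-TEST-SIGNATURE-1"   # constructed, stands in for a real rule's content


def build_segments():
    """Constructed TCP segments (relative seq, payload) carrying the signature
    split over three segments, delivered out of order."""
    payload = b"GET /index.html HTTP/1.0\r\nUser-Agent: " + SIGNATURE + b"\r\n\r\n"
    start = payload.index(SIGNATURE)
    cuts = [0, start - 8, start + 7, len(payload)]   # second cut lands inside the signature
    segments = [(cuts[i], payload[cuts[i]:cuts[i + 1]]) for i in range(3)]
    return [segments[2], segments[0], segments[1]]   # arrival order


def per_packet_match(segments, signature=SIGNATURE):
    """Naive IDS: inspect each segment's payload independently."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and join contiguous data.  Overlapping
    bytes are resolved in favour of data already placed, and a gap stops
    reassembly so nothing is matched across missing data."""
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            break                      # hole in the stream: wait for a retransmit
        skip = expected - seq          # overlap: drop bytes already received
        stream += payload[skip:]
        expected = seq + len(payload)
    return bytes(stream)


def stream_match(segments, signature=SIGNATURE):
    """Reassembling IDS: match against the rebuilt byte stream."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    segs = build_segments()
    print("per-packet match:", per_packet_match(segs))
    print("stream match:    ", stream_match(segs))
```

The reassembler is the part that matters for defence: the per-packet matcher reports nothing on these segments, the stream matcher finds the marker. Real sensors add the pieces this toy omits, per-connection state, timeouts for incomplete streams, and a policy for which copy of overlapping data wins, since attackers have exploited disagreement between the sensor and the end host on exactly that point.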
Methods Used by Targeted Hacker
Electronic attack methods (continued):
• Systems with remote access control or administration systems are prime targets for attacks via dial-in access.
• The hacker may send a virus or a Trojan horse program to an employee’s home system.
• Wireless networks provide the easiest access path.
• In many cases, the wireless network is part of the organization’s internal network. Hence, it may have fewer security devices.

Methods Used by Targeted Hacker
Physical attack methods:
• Social engineering is the safest physical attack method.
• It may lead to electronic information.
• Checking the dumpster or following an employee into the building are other methods of physical attack.

Summary
• A hacker may be motivated by the challenge of breaking in, greed, or malicious intent.
• Open file sharing, weak passwords, programming flaws, and buffer overflows were exploited by hackers to break into systems.
• In social engineering, the hacker uses human nature and the ability to lie to access information.

Summary
• In Denial-of-Service attacks, legitimate users are denied access to the system, network, information, or applications.
• In Distributed Denial-of-Service attacks, many systems are coordinated to attack a single target.
• Sniffing switch networks involves getting the switch either to redirect traffic to the sniffer or to send all traffic to all ports.

Summary
• ARP spoofing, MAC duplicating, and DNS spoofing are the three methods of redirecting traffic.
• IP spoofing involves modifying the source address to make the packet appear as if it is coming from elsewhere.
• Viruses, Trojan horse programs, and worms are the three types of malicious code.

Summary
• Untargeted hackers do not aim at accessing particular information or organizations, but look for any system that can be compromised.
• Targeted hackers have a reason for attacking an organization.