Hacking - PowerPoint PPT Presentation

About This Presentation

Title: Hacking

Provided by: lab58

Slides: 49

Transcript and Presenter's Notes


1
Hacking
2
Objective
  • Discuss the practice of hacking in general and
    demonstrate a few of the common methods and
    exploits.
  • Mainly a demonstration of some current hacking
    methods.

3
Hack Attacks Cost $1.6 Trillion
  • A study covering 30 countries and nearly 5,000
    Information Technology (IT) professionals found
    that hacker attacks cost the world economy an
    estimated $1.6 trillion (US) in 2000.
  • By InformationWeek Research, which carried out
    the study for PricewaterhouseCoopers.
  • Source: E-Commerce Times, July 11, 2000

4
Virus Attack - Statistics
(Chart not reproduced in the transcript. Source: ICSA Labs, www.ICSA.net)
5
Hacking's History
  • Early 1960s
  • The Dawn of Hacking
  • The beginnings of the hacker culture as we know
    it today can be conveniently dated to 1961.
  • MIT's computer culture seems to have been the
    first to adopt the term 'hacker'.
  • The ARPANET was the first transcontinental,
    high-speed computer network.
  • Its electronic highways brought together hackers
    all over the U.S. in a critical mass.

6
Hacking's History
  • Early 1970s
  • The years of the "phreaks"
  • John Draper makes a long-distance call for free
    by blowing a precise tone into a telephone that
    tells the phone system to open a line.
  • Time-sharing operating systems: flexible,
    powerful and relatively cheap.
  • The "keep it simple, stupid" philosophy.

7
Hacking's History
  • 1980s
  • Hacker Message Boards and Groups
  • Usenet newsgroups, e-mail and bulletin boards
    with names such as Sherwood Forest and Catch-22
    become the venue of choice for phreaks and
    hackers to gossip, trade tips, and share stolen
    computer passwords and credit card numbers.
  • Hacking groups begin to form. Among the first are
    the Legion of Doom in the United States and the
    Chaos Computer Club in Germany.

8
Hacking's History
  • 1984
  • Hacker 'Zines
  • The hacker magazine 2600 begins regular
    publication.
  • 1986
  • Use a Computer, Go to Jail
  • Congress passes the Computer Fraud and Abuse Act,
    which makes it a crime to break into computer
    systems.
  • 1988
  • The Morris Worm
  • Robert T. Morris, Jr., a graduate student at
    Cornell University and son of a chief scientist
    at a division of the National Security Agency,
    launches a self-replicating worm on the
    government's ARPAnet to test its effect on UNIX
    systems.

9
Hacking's History
  • 1990s
  • Hackers break into and deface federal Web sites,
    including the U.S. Department of Justice, U.S.
    Air Force, CIA, NASA and others.
  • Report by the General Accounting Office finds
    Defense Department computers sustained 250,000
    attacks by hackers in 1995 alone.
  • Hackers pierce security in Microsoft's NT
    operating system to illustrate its weaknesses.

10
Hacking's History
  • 2000-2001
  • Service Denied
  • In February 2000, in one of the biggest
    denial-of-service attacks to date, hackers launch
    distributed attacks against eBay, Yahoo, Amazon,
    and others.
  • In October 2000, hackers break into Microsoft's
    corporate network and access source code for the
    latest versions of Windows and Office.
  • DNS Attack
  • In January 2001, Microsoft becomes the prominent
    victim of a new type of hack that attacks its
    domain name servers.
  • In these denial-of-service attacks, the DNS paths
    that take users to Microsoft's Web sites are
    corrupted.

11
Reasons to hack
  • Curiosity.
  • Revenge.
  • Fame.
  • Profit (or other gain).

12
Hacker methodologies
  • Based on systematically exploiting weaknesses in
    your security infrastructures, both physical and
    IT.

13
A common methodology is the following
  • Gather target information.
  • Identify services offered by target to the public
    (whether intentional or not).
  • Research the discovered services for known
    vulnerabilities.
  • Attempt to exploit the services.
  • Use the exploited services to gain additional
    privileges on the target.

14
  • Common Hacking Tools & Techniques

15
Hacking Techniques
  • Packet Sniffing
  • A "packet sniffer" is a utility that captures
    traffic from the network segment it is attached
    to without modifying the packets in any way.
    Packet sniffers merely watch, display, and log
    this traffic. On a shared (hub) segment a sniffer
    sees every host's packets; on a switched network
    it normally sees only traffic to and from its own
    host, plus broadcasts.
  • The CommView v2.0 Sniffer
  • Tamos Software's CommView v2 is a very nice and
    feature-complete packet sniffer which can be
    downloaded and used on a pre-purchase trial
    basis.

16
Hacking Techniques
  • Packet Sniffing
  • The SpyNet Sniffer
  • This powerful and capable sniffing solution
    consists of two programs: CaptureNet and PeepNet.
  • It can be readily downloaded and used on a
    pre-purchase trial basis.
  • Works reliably and robustly on all 32-bit Windows
    platforms. It provides excellent display
    formatting and log saving and exporting features
    and it offers very useful "packet filtering" to
    specify which packets to capture and which to
    ignore.

17
Hacking Techniques
  • IP Spoofing
  • A technique used to gain unauthorized access to
    computers, whereby the intruder sends packets to
    a computer with a forged source IP address
    indicating that they come from a trusted host.
    Because the replies go to the real owner of that
    address, the attacker usually cannot see them and
    must work blind.
  • Services Vulnerable to IP Spoofing
  • Remote Procedure Call (RPC) services
  • Any service that uses IP address authentication
    (the Berkeley r-services such as rsh and rlogin,
    for example)
  • The X Window system

18
How RPC Works
(Diagram: the hacker asks the portmapper on port 111
"Where is cmsd?", the portmapper answers "It's at
port 32801", and the hacker sends the exploit to
port 32801. Other RPC services in the diagram sit on
ports 2049 (NFS), 635 and 32807.)
The hacker must first find the service's port by
querying portmapper/rpcbind on port 111, because RPC
services are assigned dynamic ports when they start.
This needs target-based profiling to know which
ports are RPC.
19
Hacking Techniques
  • TCP Connection Hijacking
  • In the form shown here, TCP hijacking is the
    spoofing of TCP packets in order to disconnect
    someone from his or her TCP connection (a full
    hijack then continues the session in the victim's
    place). This can be done easily in a couple of
    ways due to the inherent properties of TCP
    packets. Two such ways involve the Reset (RST)
    flag and the Finish (FIN) flag in the TCP header.
  • Step 1: Sniff the packets being sent from the
    to-be-disconnected client to the server; they
    give the two IP addresses and ports.
  • Step 2: Synchronize with the connection using the
    Acknowledgement numbers in those packets (the ACK
    flag is set): the client's ACK number is the next
    sequence number it expects from the server.
  • Step 3: Spoof a Reset packet from the server to
    the client, using the IP addresses and ports from
    step 1 and that number as its sequence number. A
    RST whose sequence number falls outside the
    client's receive window is ignored, so the
    attacker must stay synchronized.

20
Hacking Techniques
  • TCP Connection Hijacking

http://cs.baylor.edu/donahoo/NIUNet/hacking/hijack/sniffer.c
http://cs.baylor.edu/donahoo/NIUNet/hacking/hijack/sniper-fin.html
21
Hacking Techniques
  • Trojans
  • A Trojan is a rogue program pretending to be a
    legitimate one. It can be inserted into a machine
    using an already compromised user account, or it
    can be sent as an executable e-mail attachment
    which the unsuspecting user will run. A typical
    Trojan will do any or all of the following:
  • Capture passwords
  • Open up control functions of the machine to a
    remote user using a spare port with Internet
    access
  • Vandalize or erase system files
  • Trojan programs are widespread on Windows and
    UNIX systems, and many are freely and easily
    available.

22
Trojan Infection
  • The hacker posts the trojan to a Usenet newsgroup
    (NNTP, port 119)
  • The victim downloads and runs it
  • The trojan posts a message to an IRC chatroom
    (port 6667) to notify the hacker
  • The hacker logs onto the chatroom and finds the
    victim
  • The hacker connects to the victim and controls
    the machine
(Diagram: hacker -> posts -> NNTP/Usenet (119);
victim -> downloads; trojan -> notifies -> IRC
(6667); hacker -> queries IRC, then connects to
victim.)
23
Hacking Techniques
  • Port Scanning
  • Port scanning is one of the most popular
    techniques attackers use to discover services
    they can break into.
  • By port scanning the attacker finds which ports
    are open (i.e., being listened on by a
    service).
  • Essentially, a port scan consists of sending a
    message to each port, one at a time. The kind of
    response received (a completed handshake, a
    reset, or no reply at all) indicates whether the
    port is open, closed or filtered, and an open
    port can then be probed further for weaknesses.
  • http://www.insecure.org/nmap/nmap_doc.html
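A TCP connect() scan with banner grabbing, added here as an example that is not from the slides or from nmap; it covers the "identify services" and "research the discovered services" steps of the methodology slide as well as the open/closed/filtered classification above. The `connector` argument is assumed for this example so the scan can be run offline against a constructed port table; the default dials real sockets, and must only be pointed at hosts you are authorised to test.

```python
"""Added example, not code from the slide deck or nmap: a TCP connect() scan
with banner grab.  The response type classifies each port: a completed
handshake is open, a refused connection (RST) is closed, and silence is
filtered.  `connector(host, port)` is injectable so the scan runs offline
against constructed data; the default uses real sockets."""
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"
Connector = Callable[[str, int], Optional[bytes]]


def socket_connector(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Complete the handshake and read whatever the service says first.
    Raises ConnectionRefusedError (closed) or socket.timeout/OSError (filtered)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(128)          # many services (FTP, SSH, SMTP) greet first
        except socket.timeout:
            return b""                  # open, but the service waits for the client to talk


def classify(connector: Connector, host: str, port: int) -> Tuple[str, bytes]:
    try:
        banner = connector(host, port)
    except ConnectionRefusedError:
        return CLOSED, b""              # target answered our SYN with RST
    except OSError:
        return FILTERED, b""            # no answer or unreachable: something drops the SYN
    return OPEN, banner or b""


def scan(host: str, ports: Iterable[int], connector: Connector = socket_connector) -> Dict[int, Tuple[str, bytes]]:
    """Map port -> (state, banner) for every port in `ports`."""
    return {p: classify(connector, host, p) for p in ports}


def open_ports(results: Dict[int, Tuple[str, bytes]]) -> list:
    return sorted(p for p, (state, _) in results.items() if state == OPEN)


def fake_connector_for(table: dict) -> Connector:
    """Build an offline connector from a constructed {port: banner | 'refused' | 'drop'}
    table; ports missing from the table behave as closed."""
    def connector(host: str, port: int) -> Optional[bytes]:
        entry = table.get(port, "refused")
        if entry == "refused":
            raise ConnectionRefusedError
        if entry == "drop":
            raise socket.timeout()
        return entry
    return connector


if __name__ == "__main__":
    # Constructed target: FTP and SSH greet, HTTP is silent, 111 is firewalled.
    table = {21: b"220 FTP server ready\r\n", 22: b"SSH-2.0-example\r\n",
             80: b"", 111: "drop"}
    for port, (state, banner) in scan("192.0.2.7", [21, 22, 80, 111, 139],
                                      connector=fake_connector_for(table)).items():
        print(f"{port:5d} {state:8s} {banner!r}")
```

The banner is the input to the "research for known vulnerabilities" step: a greeting that names the product and version is what gets looked up, which is also why hardening guides recommend trimming service banners. A connect() scan completes the handshake and is therefore logged by the service; half-open (SYN) scans avoid that but need raw sockets.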

24
Hacking Techniques
  • Bounce Scans
  • The ability to hide their tracks is important to
    attackers. Therefore, attackers search the
    Internet looking for systems they can bounce
    their attacks through.
  • FTP bounce scanning takes advantage of a
    vulnerability in the FTP protocol itself: the
    PORT command lets the client name any address,
    not just its own, for the data connection. It
    requires an FTP server that still allows such
    proxy (third-party) data connections.
  • Bouncing through an FTP server hides where the
    attacker comes from, and lets the attacker reach
    hosts that trust the FTP server, for example
    machines behind the same firewall. In that sense
    the technique is similar to IP spoofing.
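The bounce exchange itself, as an added example (not from the slides): the attacker, already logged in to a third-party FTP server, sends PORT with the target's address and then LIST; the server's reply code to LIST says whether the data connection to the target succeeded. The `talk` callable and the scripted server are assumptions for running offline; the reply lines are constructed but use the RFC 959 codes a real server returns.

```python
"""Added example, not code from the slide deck: the FTP bounce probe.
PORT names the *target* as the data-connection endpoint; LIST makes the server
connect there; the reply code reveals whether the target port answered.
`talk(cmd) -> reply line` is injectable; `scripted_server` is a constructed
stand-in for a bounce-capable server (the attacker has already logged in)."""
import re


def port_command(ip: str, port: int) -> str:
    """RFC 959 PORT argument: the four address octets, then the port as high,low bytes."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def parse_port_command(line: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2'; this is what a defender sees in the FTP log,
    and a mismatch against the control connection's source is the bounce signature."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError("malformed PORT")
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def reply_code(line: str) -> int:
    return int(line[:3])


def bounce_probe(talk, target_ip: str, target_port: int) -> str:
    """Return 'open', 'closed', 'refused-by-server' or 'unknown' for target_ip:target_port."""
    if reply_code(talk(port_command(target_ip, target_port))) != 200:
        return "refused-by-server"       # server will not PORT to a third-party address
    code = reply_code(talk("LIST"))
    if code in (125, 150, 226):
        return "open"                    # server built the data connection to the target
    if code == 425:
        return "closed"                  # "Can't build data connection"
    return "unknown"


def scripted_server(open_ports):
    """Constructed bounce-capable FTP server: honours any PORT, then LIST succeeds
    only if the named port is in `open_ports`."""
    state = {}

    def talk(cmd: str) -> str:
        if cmd.startswith("PORT "):
            state["dest"] = parse_port_command(cmd)
            return "200 PORT command successful.\r\n"
        if cmd == "LIST":
            _ip, port = state["dest"]
            if port in open_ports:
                return "150 Opening ASCII mode data connection for file list.\r\n"
            return "425 Can't build data connection: Connection refused.\r\n"
        return "500 Unknown command.\r\n"
    return talk


if __name__ == "__main__":
    talk = scripted_server({22, 80})
    for p in (22, 23, 80):
        print(p, bounce_probe(talk, "192.0.2.10", p))
```

A server that is not bounce-capable answers the PORT with a 500-series code (for example "500 Illegal PORT command") when the address differs from the control connection's peer; vsftpd's `port_promiscuous` option, off by default, controls exactly this. The log-side check is `parse_port_command` against the client's real address.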

25
Hacking Techniques
  • Logic bomb
  • Also known as slag code and commonly associated
    with "disgruntled employee syndrome", a logic
    bomb is a piece of program code buried within
    another program, designed to perform some
    malicious act. It can be operated in two ways:
  • Triggered event: the payload fires when a chosen
    condition occurs, such as a date or a command.
  • "Still here" check: the code periodically verifies
    that its author is still present (for example,
    still has an account) and fires when that check
    fails.

26
Hacking Techniques
  • Computer Viruses & Worms
  • Virus
  • Malicious software that attaches itself to other
    programs or files and runs on your computer
    without your permission. Viruses do not
    spontaneously generate; they are written by
    someone for a specific purpose.
  • http://www.cknow.com/vtutor/vthistory.htm
  • Worm
  • A computer program that replicates itself and is
    self-propagating. Worms, as opposed to viruses,
    need no host program and are meant to spread
    across networks.
  • http://www.cexx.org/loveletter.htm
  • http://www.62nds.co.nz/cgi-bin/x/e4015.html
  • http://securityresponse.symantec.com/

27
Hacking Techniques
  • DENIAL OF SERVICE ATTACKS (DoS): "SMURFING"
  • The "smurf" attack, named after its exploit
    program, is one of the most recent in the
    category of network-level attacks against hosts.
  • The hacker sends a large amount of ICMP echo
    (ping) traffic to IP broadcast addresses, all of
    it with a spoofed source address of the victim.
  • If the router delivering traffic to those
    broadcast addresses forwards the directed
    broadcast onto the LAN, most hosts on that IP
    network will take the ICMP echo request and each
    reply to it with an echo reply, multiplying the
    traffic by the number of hosts responding.
  • On a multi-access broadcast network, there could
    potentially be hundreds of machines replying to
    each packet, all of it aimed at the victim.

28
Hacking Techniques
(Diagram: the hacker on the Internet sends
"ping 192.0.2.255" (or UDP port 7 echo, or other UDP
ports) with the victim's address spoofed as source
into the subnet 192.0.2.xxx. The router maps the IP
broadcast address 192.0.2.255 to the MAC address
FF:FF:FF:FF:FF:FF, so every host on the subnet
receives it and replies to the victim.)
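Detection logic for the pattern in the diagram, added as an example that is not from the slides: run over packet summaries of the kind a sniffer or flow log gives a defender, it flags echo requests sent to a directed-broadcast address (what the amplifier network's administrator sees) and destinations that receive echo replies from many distinct hosts inside a short window (what the victim sees, with the count being the observed amplification factor). The records and addresses are constructed from the documentation ranges used in the diagram.

```python
"""Added example, not code from the slide deck: smurf detection over constructed
packet summaries (timestamp, src, dst, icmp_type).  Two signals: echo requests
aimed at a directed-broadcast address, and one destination collecting echo
replies from many distinct hosts within a short window."""
from collections import defaultdict
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed records: five spoofed requests to the subnet broadcast, forty hosts
# on 192.0.2.0/24 replying to the victim 203.0.113.9, then one ordinary ping pair.
SAMPLE = (
    [(i * 0.01, "203.0.113.9", "192.0.2.255", ECHO_REQUEST) for i in range(5)]
    + [(0.05 + i * 0.001, "192.0.2.%d" % (10 + i), "203.0.113.9", ECHO_REPLY) for i in range(40)]
    + [(1.0, "192.0.2.3", "192.0.2.4", ECHO_REQUEST), (1.01, "192.0.2.4", "192.0.2.3", ECHO_REPLY)]
)


def broadcast_targets(records, nets):
    """(src, dst) pairs of echo requests whose destination is the directed-broadcast
    address of one of `nets`; the src is the spoofed victim, not the hacker."""
    bcasts = {str(ip_network(n).broadcast_address) for n in nets}
    return sorted({(src, dst) for _, src, dst, t in records
                   if t == ECHO_REQUEST and dst in bcasts})


def reply_floods(records, window=1.0, threshold=20):
    """Destinations that receive echo replies from at least `threshold` distinct
    hosts within any `window` seconds; value is the observed amplification."""
    by_dst = defaultdict(list)
    for ts, src, dst, t in records:
        if t == ECHO_REPLY:
            by_dst[dst].append((ts, src))
    hits = {}
    for dst, events in by_dst.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            senders = {s for ts, s in events[i:] if ts - t0 <= window}
            if len(senders) >= threshold:
                hits[dst] = len(senders)
                break
    return hits


if __name__ == "__main__":
    print("directed-broadcast pings:", broadcast_targets(SAMPLE, ["192.0.2.0/24"]))
    print("reply floods (victim -> amplification):", reply_floods(SAMPLE))
```

The amplifier-side signal is the one worth acting on, because the fix lives there: a router that does not forward directed broadcasts (RFC 2644 made that the required default; on Cisco IOS it is `no ip directed-broadcast` per interface) turns the 40-to-1 amplification above into nothing.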
29
  • Code Red and the Chinese Worm

30
The Chinese Worm (the sadmind/IIS worm of May 2001)
1. The hacker infects a Solaris server with an
   exploit that is 2 years old!
2. The Solaris server scans DNS for IIS Web servers.
3. It then launches a Unicode exploit with a script
   and defaces the Web site.
31
The New Generation of Attacks
With the recent Code Red worm, over 225,000 sites
were compromised in hours!
32
The Next Generation of Attacks
1. The hacker automatically infects Web servers with
   a Trojan.
3. At a set time, ALL infected Trojans launch a
   massive distributed denial-of-service attack on
   the target.
33
The Next Generation of Attacks
  • The recent Code Red used a similar system: once a
    site was defaced, a simple DDoS agent was set to
    attack www.whitehouse.gov.
  • In a matter of hours 225,000 sites were infected.
  • It took just approx. 150 computers to DDoS eBay
    for 22 hours.
  • Think what 225,000 could do!



34
Web Defacing
  • Another popular form of attack by hackers, in
    which the hackers illegally enter an
    organization's Web site and change its contents.
  • http://www.paybackproductions.com/hackedsites/
(Screenshot: Jurassic Park site hacked on 5/27/97, hacker unknown)
35
Web Defacing
(Screenshot: CIA site hacked on 9/20/96 by "Power through Resistance")
(Screenshot: LAPD site hacked on 5/29/97 by P.A.R.A)
36
Hacking Windows 95/98/ME
  • Win 9x Remote Exploits
  • Direct connection to a shared resource
  • Hacking Win 9x file & print sharing
  • Use of brute force against the share password
  • The damage that intruders can do depends on the
    directory that is shared. Critical files may
    exist in the directory, or some users may have
    shared their entire root partition, making the
    life of the hacker easy indeed. Hackers can plant
    a devious executable into
    %systemroot%\Start Menu\Programs\StartUp; at the
    next reboot this code will be launched.
  • Remote hacking of the Win 9x registry.

37
Hacking Windows 95/98/ME
  • Win 9x Remote Exploits
  • Installation of backdoor server Trojans
  • Back Orifice
  • One of the most celebrated Win 9x hacking tools
    to date is Back Orifice (BO).
  • BO allows near-complete remote control of Win 9x
    systems, including the ability to add/delete
    registry keys, reboot the system, send and
    receive files, view cached passwords, spawn
    processes, and create file shares.
  • Second version: BO2K.
  • http://www.cultdeadcow.com/tools/bo.html
  • SubSeven Server Sniper 1.0

38
Hacking Windows 95/98/ME
  • Win 9x Local Exploits
  • Bypassing Win 9x security: reboot! (The Win 9x
    logon prompt protects nothing; it can be
    cancelled, or the machine booted into DOS.)
  • Revealing the Win 9x passwords in memory
  • Assuming that hackers have defeated the screen
    saver and have some time to spend, they could
    employ on-screen password-revealing tools to
    unhide other system passwords.
  • One of the most well-known password revealers is
    ShoWin.
  • http://www.foundstone.com/knowledge/free_tools.html

39
Hacking Windows 95/98/ME
  • PWL Cracking
  • Attackers don't have to sit down long at a
    terminal to get what they want.
  • They can dump the required information to a
    floppy and decrypt it later at their leisure:
  • copy c:\Windows\*.pwl a:
  • A .pwl file is really only a cached list of the
    passwords used to access network resources,
    encrypted with a key derived from the user's
    logon password.
  • http://www.webdon.com/vitas/pwltool.asp

40
Hacking Windows NT
  • GetAdmin
  • This program can get administrator rights without
    any special privileges. Simply run GetAdmin, or
    GetAdmin account_name, from the command line.
  • GetAdmin.exe works because of a problem in a
    low-level kernel routine that causes a global
    flag to be set which allows calls to
    NtOpenProcessToken to succeed regardless of the
    current user's permissions.
  • This in turn allows a user to attach to any
    process running on the system, including a
    process running in the system's security context,
    such as WinLogon. Once attached to such a
    process, a thread can be started in the security
    context of the process.
  • http://cmp.phys.msu.su/ntclub/pub/code.htm

41
Hacking Windows NT
  • Cracking the SAM
  • Having gained administrator, attackers will most
    likely make a beeline for the NT Security
    Accounts Manager (SAM).
  • The SAM contains the usernames and hashed (LM and
    NT) passwords of all users on the local system,
    or of the domain if the machine in question is a
    domain controller.
  • NT stores the SAM data in a file called SAM in
    the %systemroot%\system32\config directory.
  • This file is locked as long as the OS is running,
    so attackers dump the hashes from the running
    system or take the file from a backup, a repair
    disk, or an offline boot.
  • http://www.l0pht.com/research/lc3/download.html
  • Remote on-line password cracker:
  • http://www.hoobie.net/brutus/

42
Hacking Windows NT
  • Remote Shells via Netcat Listeners
  • Netcat can be configured to listen on a certain
    port and launch an executable (such as cmd.exe)
    when a remote system connects to that port.
  • Ability to run in the background without a
    console window
  • Ability to restart as a single-threaded server to
    handle a new connection
  • You can even get Netcat to listen on the NetBIOS
    ports (TCP 139) that are probably already open on
    most NT machines, bypassing the port filtering
    enabled in the TCP/IP Security network control
    panel.
  • http://www.l0pht.com/research/tools/index.html
  • http://www.l0pht.com/research/tools/nc11nt.txt

43
  • Hackers Hall of Fame

44
Hackers Hall of Fame
  • Dennis Ritchie and Ken Thompson: the driving
    creative force behind Bell Labs' legendary
    computer science operating group, Ritchie and
    Thompson created UNIX in 1969.
  • John Draper: figured out how to make free phone
    calls using a plastic prize whistle he found in a
    cereal box.
  • Mark Abene: inspired thousands of teenagers around
    the country to "study" the internal workings of
    our nation's phone system.
  • Robert Morris: this Cornell University graduate
    student accidentally unleashed an Internet worm
    in 1988.

45
Hackers Hall of Fame
  • Kevin Mitnick: the first hacker to have his face
    immortalized on an FBI "Most Wanted" poster.
  • Kevin Poulsen: in 1990 Poulsen took over all
    telephone lines going into Los Angeles area radio
    station KIIS-FM to win a call-in contest.
  • Johan Helsingius: operated the world's most
    popular anonymous remailer, called penet.fi,
    until he closed up shop in September 1996.
  • Vladimir Levin: this mathematician allegedly
    masterminded the Russian hacker gang that tricked
    Citibank's computers into spitting out $10
    million.

46
Hackers Hall of Fame
  • Steve Wozniak: the co-founder of Apple Computer
    got his start making devices for phone phreaking.
  • Tsutomu Shimomura: Shimomura outhacked and
    outsmarted Kevin Mitnick, the nation's most
    infamous cracker/phreaker, after Mitnick broke
    into his machines in December 1994; Mitnick was
    tracked down and arrested in February 1995.
  • Linus Torvalds: Torvalds was a computer science
    student at the University of Helsinki when he
    wrote the operating system Linux in 1991.
  • Links: http://tlc.discovery.com/convergence/hackers/bio/bio.html

47
References
  • Hacking Exposed by Joel Scambray, Stuart McClure
    & George Kurtz
  • Links
  • http://www.tamos.com/products/commview/
  • http://www.l0pht.com/research/tools/index.html
  • http://cmp.phys.msu.su/ntclub/pub/code.htm
  • http://www.l0pht.com/research/lc3/download.html
  • http://www.paybackproductions.com/hackedsites/
  • http://securityresponse.symantec.com/

48
  • Thank You