Thinking Like A Hacker - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
Thinking Like A Hacker
  • Presented By
  • Justin M Leapline, CISSP
  • Senior Security Consultant

2
Background
  • What are we covering?
  • Profile of a hacker
  • Hacking Methodology
  • Tools of the trade
  • Corrective Actions
  • Questions/Answers

3
Sun Tzu On The Art Of War
  • "If you know the enemy and know yourself, you
    need not fear the result of a hundred battles. If
    you know yourself but not the enemy, for every
    victory gained you will also suffer a defeat. If
    you know neither the enemy nor yourself, you will
    succumb in every battle."
  • How well do you know your enemy?
  • How well do you know yourself?

4
Responsibilities of the Security Officer
  • Keep the Bad Guys Out
  • Let the Good Guys In
  • Keep the Wheels On
  • Regulatory Compliance
  • CIPA / COPA
  • FERPA
  • Sarbanes-Oxley
  • GLBA
  • HIPAA
  • CA SB1386

Source: John Pescatore, Gartner VP Research Fellow
5
Primary Reasons for Compromise
  • Unsupported or missing governance and
    accountability
  • Lack of on-going security assessments and/or
    audits
  • Inadequate segmentation
  • Lack of intrusion detection and/or prevention
    capability
  • Excessive privileges for end-user computers
  • Lack of end-user awareness
  • Rogue and/or misconfigured wireless access points
  • Unpatched or misconfigured hosts (e.g. routers,
    switches, servers, etc.)
  • Default or weak passwords and policy
  • Non-existent or misconfigured firewalls

6
Why Hack Yourself?
  • If you don't hack your network, a hacker will
    do it first
  • You need to find your vulnerabilities before the
    hacker does
  • Without discovering your current vulnerabilities,
    you cannot reasonably measure your current risk
    against current threats
  • Enumerating and counting vulnerabilities allows
    companies to establish metrics and baselines
    that can be used to measure risk management success

7
Where are the threats coming from?
  • Internal threats, such as internal attacks or
    code vulnerabilities
  • External threats, such as social engineering or
    viruses
8
External Attacks Most Frequent
  • Greater use of Internet
  • Tools and techniques evolve to enable new
    opportunities for attack

Source: 2000 CSI/FBI Computer Crime and Security
Survey
9
20-Year Trend: Stronger Attack Tools
[Chart: relative technical complexity of hacking tools
versus the average intruder, 1980-1995. Techniques
plotted along the timeline: password guessing, password
cracking, exploiting known vulnerabilities, disabling
audits, back doors, self-replicating code, hijacking
sessions, sniffers/sweepers, stealth diagnostics, packet
forging/spoofing, GUI tools]
Source: GAO Report to Congress, 1996
10
Trend Has Continued
[Chart: the same complexity-versus-intruder trend
continued over 1998-2001, with DDoS insertion tools
(Trinoo, Stacheldraht), Windows remote control tools,
PrettyPark and Melissa plotted against a "Kiddie
Scripter" level intruder]
11
Who are they?
[Chart: attacker profiles plotted by motivation against
skill level]
  • Motivation: National Interest (Spy), Personal Gain
    (Thief), Personal Fame (Trespasser), Curiosity
    (Vandal, Author)
  • Skill level: Script-Kiddy, Undergraduate, Expert,
    Specialist
Source: Microsoft and Accenture
12
Approaches
  • Characteristics of the different profiles:
  • Spy - Slow, careful, precise, invasive
  • Thieves - Fast, careful, precise, sometimes
    invasive
  • Script Kiddies - Slow, reckless, imprecise,
    obvious
  • Defacers - Fast, reckless, precise, mildly
    invasive

13
Hacking Methodology
  • Long-term, successful penetration testers and
    hackers follow a series of methodical steps when
    attacking targets

14
Hacking Methodology
  • Information Gathering
  • Port Scan
  • Fingerprint
  • Enumerate
  • Penetrate
  • Privilege Escalation (if needed)
  • Host Manipulation
  • Cleanup

15
Hacking Methodology
  • Information Gathering
  • IP addresses, computer names, social engineering
    info
  • Port Scan
  • Finding Active TCP/IP ports
  • Fingerprinting
  • What OS?
  • What service?
  • What application?

16
Hacking Methodology
  • Enumerate
  • Learn more about the host
  • Users
  • Active, Unused, Old accounts
  • Groups
  • Especially higher privileged groups
  • Shares (NetBIOS, etc.)
  • Trusts
  • Password/Lockout policy
  • Auditing
  • Defense systems

17
Hacking Methodology
  • Penetrate-Major Methods
  • Physical Attack
  • Password Guessing
  • Eavesdropping/Keylogging/Sniffing
  • Buffer Overflow
  • Exploit OS or App Vulnerability
  • Take Advantage of a Misconfiguration
  • Malformed Data Input
  • Client-side Attacks
  • Social Engineering

18
Hacking Methodology
  • Privilege Escalation (if needed)
  • Usually want to be root or administrator
  • Can be done by
  • Local buffer overflow
  • Adding self to privileged group
  • Installing trojan
  • Pillaging and plundering to find passwords to
    more privileged accounts
  • Sniffing for admin passwords

19
Hacking Methodology
  • Host Manipulation - What do hackers do now?
  • Get interactive
  • Pillage and plunder
  • Steal information
  • Upload and hide more hacking tools
  • Install back door for future break-ins
  • May close or patch original penetration hole
  • Install rootkit, bot, or other malware
  • Install sniffer
  • Use victim as new base

20
Tools of the Trade
21
Tools - Information Gathering
  • Tools like
  • Whois, dig (nslookup)
  • Dnsstuff.com
  • Samspade.org
  • Google Hacking

22
Tools - Probe
  • Scan the hosts
  • Sweep ranges of ports with a port scan (nmap)
  • Grab details such as service versions from the
    discovered ports, aka banner grabbing (netcat)
  • Windows: connect to and enumerate information
    from NetBIOS (enum)
  • Search the Internet for vulnerabilities based on
    versions of software found on targets

23
Tools - Probe
  • Notable Tools
  • NMAP
  • Superscan
  • Nessus
  • Whisker
  • Netcat
  • Nikto

24
Probe
  • Most often, professional ethical hackers use
    vulnerability scanners to initially assess their
    targets:
  • MBSA
  • NetIQ Vulnerability Manager
  • Nessus
  • eTrust Vulnerability Manager
  • Internet Security Systems Internet Scanner
  • Retina Network Security Scanner
  • Core Impact

25
nmap
Nmap is used to scan the ports of the target
system. Using the -O option also reports the
operating system of the target.
26
nmap
[Screenshot: Nmap's guess at the operating system type]
27
Attack
  • Gather compatible exploits
  • Compile exploits (if required)
  • Launch exploits against targets
  • Modify parameters, re-launch exploits (if
    required)

28
Exploitation Frameworks
  • Metasploit Framework
  • Open-source project created in mid-2003 by H.D.
    Moore
  • Created for pen-testing and research as a free
    alternative to others
  • Widely used by hacking community since it is free
  • CANVAS
  • Offered by Immunity Inc., started by Dave Aitel
    in 2002
  • Aimed at promoting exploit development and
    providing a penetration testing platform
  • Core Impact
  • Core Impact was developed by CORE Security
    Technologies in 1996
  • Dubbed as the first fully automated penetration
    testing product
  • Expensive product used mainly by corporations

29
Metasploit
30
Attack
  • There are many different types of attacks which
    can be broken down into several classifications.
  • The attacks are performed from one of two
    perspectives
  • Local: the attacker has access to a command
    prompt or has gained the ability to execute
    commands on the target
  • Remote: the attacker exploits the target box
    without first gaining access to a command shell

31
Attacks: Buffer Overflow
  • Boundary condition error: stuff more data into
    a buffer than it can handle. The resulting
    overflowed data lands in a precise location
    and is executed by the system
  • Local overflows are executed while logged into
    the target system
  • Remote overflows are executed against processes
    running on the target that the attacker
    connects to
  • Result: commands are executed at the privilege
    level of the overflowed program

32

33
Attacks: Input Validation
  • A process does not sanitize input before
    processing it, e.g. special shell characters such
    as semicolon and pipe symbols
  • An attacker provides data in unexpected fields,
    e.g. SQL database parameters
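The two input-validation failures on this slide, shown as an added example (not code from the presentation) with the weak form beside the hardened form: string-built SQL versus a bound parameter, and a shell-string command versus an allowlisted value passed as its own argv element. The table schema, sample rows and hostname rule are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample data standing in for the "SQL database parameters"
# case on the slide; the schema and rows are assumptions, not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Weak: the caller's value is pasted into the statement text, so a quote in
# the data changes the structure of the query instead of being compared.
def lookup_user_unsafe(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Hardened: the value travels as a bound parameter and is never parsed as SQL.
def lookup_user_safe(conn, name):
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Shell-metacharacter case: rather than trying to strip ';' or '|' after the
# fact, accept only what a hostname may legitimately contain (allowlist) and
# hand the value to subprocess.run(argv) as a separate element, never as a
# string interpreted by a shell (no shell=True).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def is_valid_hostname(value):
    return bool(HOSTNAME_RE.match(value))

def build_ping_argv(host):
    # Rejects anything outside the allowlist instead of cleaning it up.
    if not is_valid_hostname(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]

if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"                  # constructed hostile input
    print(lookup_user_unsafe(db, tainted))   # every row comes back
    print(lookup_user_safe(db, tainted))     # []
    print(build_ping_argv("example.org"))    # ['ping', '-c', '1', 'example.org']
```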

34
Attacks: Weak Password
  • Accounts with weak passwords are guessed by a
    remote attacker
  • Accounts with weak passwords are cracked by
    attacker with access to a password database

35
Attacks: Exploit Sites
  • SecurityFocus (http://www.securityfocus.com)
  • Packetstorm (http://packetstormsecurity.org)
  • New Order (http://neworder.box.sk/)
  • Hack in the Box (http://www.hackinthebox.org/)
  • phreak.org (http://www.phreak.org/archives/exploits/unix/)

36

37
Locating Exploits
38
Obtaining and modifying Exploits
39
A Typical Hack
[Diagram: attack path passing through two firewalls to
reach Level IV data]
40
10 Steps to a Better Security Posture
  1. Establish governance and accountability
  2. Know your mission-critical assets
  3. Identify and manage your threats
  4. Initiate and perform on-going security
    assessments
  5. Implement and monitor an intrusion detection
    solution
  6. Create and implement a realistic Information
    Security Policy
  7. Tighten perimeter security controls (IPS, IDS,
    firewall rules, etc)
  8. Segment and leverage resources to increase
    internal security controls
  9. Develop and deploy internal programs to promote
    awareness
  10. Stay proactive and maintain diligence

41
Sum up
  • Initial entry is everything
  • It's very easy for someone to exploit something
    with all the free programs out there now.
  • Most networks are designed like eggshells:
    hard and crunchy on the outside,
    soft and chewy on the inside
  • Once an attacker is inside the network, they can
    usually do whatever they want!
  • Key to prevention is to mitigate the holes before
    someone else does.

42
Question and Answer
  • Q&A