
Hacking Methodologies

An overview of historical hacking

Johnny Long
Varied Approaches

- “Old School”: Slow, careful, precise,
- “Pros”: Fast, careful, precise, sometimes
- “Skript Kiddies”: Slow, reckless, imprecise, invasive
- “Defacers”: Fast, reckless, precise, mildly
Old School

For years, information security pundits have followed and believed in a “hacking methodology” which described the steps a hacker classically followed when performing an attack.

That methodology consisted of the following basic steps:

- Information Gathering
- Probe
- Attack
- Advancement
- Entrenchment
- Infiltration/Extraction
Old School: Information Gathering

- Decide and discover which targets to
- Often begin with a specific network or a specific company
- Whois, nslookup queries
- Search engines (“googlescanning”)
Old School: Probe

- Scan specific targets for vulnerabilities
- Search sweeping ranges of ports with a portscan
- Grab details such as service versions from the discovered ports, aka “banner grabbing” (netcat)
- NT: Connect to and enumerate information from NetBIOS (enum)
- Search the Internet for vulnerabilities based on versions of software found on targets
Old School: Probe

- NMAP ( )
- Superscan ( )
- Nessus: ( )
- Whisker: ( )
- Netcat: ( )
- Enum ( )
- THC-Probe ( )
Old School: Probe

Nmap is used to scan the ports of the target system. Using the -O option would also report the operating system of the target.
Old School: Probe

Nmap’s guess at the operating system type
Old School: Probe

Some services listen behind RPC. rpcinfo can give us this info.
Old School: Attack

- Gather compatible exploits
- Compile exploits (if required)
- Launch exploits against targets
- Modify parameters, re-launch exploits (if
Old School: Attack

- There are many different types of attacks which can be broken down into several
- The attacks are performed from one of two
  - Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
  - Remote: The attacker exploits the target box without first gaining access to a command shell
Attacks: Buffer Overflow

- Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system
  - Local overflows are executed while logged into the target
  - Remote overflows are executed by processes running on the target that the attacker “connects” to
- Result: Commands are executed at the privilege level of the overflowed program
- Example: SNMPXDMID overflow (Solaris 6-8)
Attacks: Input Validation

- A process does not “strip” input before processing it, e.g. special shell characters such as semicolon and pipe symbols
- An attacker provides data in unexpected fields, e.g. SQL database parameters
Attacks: Input Validation

- Example: Trillian IRC Module Format String Vulnerability ( )
- “A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.”
Attacks: Race Conditions

- An attacker forces an action during a sensitive time window between two operations
  - A program checks to make sure the output file “/tmp/temp_output” does not exist
  - The program wanders off and does other stuff…
  - An attacker quickly creates a symlink from “/tmp/temp_output” to “/etc/shadow”
  - The program writes to “/tmp/temp_output”, which clobbers “/etc/shadow”
- Example: RedHat Linux diskcheck ( )
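The diskcheck-style race above, staged in a scratch directory as an added example that is not from the original slides: the check-then-write pattern beside the atomic-create form that closes the window. The file names and the `wander` hook that stands in for the program's idle time are constructed for this demonstration.

```python
import os
import tempfile


def write_report_racy(path, data, wander=None):
    """Check-then-open: the gap between the two calls is the attacker's window."""
    if os.path.lexists(path):           # "output file must not already exist"
        return -1
    if wander:                          # the program wanders off and does other stuff
        wander()
    with open(path, "wb") as f:         # plain open follows a planted symlink
        f.write(data)
    return 0


def write_report_safe(path, data, wander=None):
    """Atomic create: O_EXCL turns 'does not exist' and 'create' into one syscall
    and fails with EEXIST if anything, including a symlink, already sits there."""
    if wander:
        wander()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return -2                       # someone got there first: refuse, never follow
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return 0


def run_race(safe):
    """Stage the race in a scratch dir; returns True if the victim was clobbered."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "shadow")        # constructed stand-in for /etc/shadow
    tmp_out = os.path.join(workdir, "temp_output")  # stand-in for /tmp/temp_output
    original = b"root:ORIGINAL:0:0\n"
    with open(victim, "wb") as f:
        f.write(original)
    plant = lambda: os.symlink(victim, tmp_out)     # the attacker's move in the window
    writer = write_report_safe if safe else write_report_racy
    writer(tmp_out, b"disk check report\n", wander=plant)
    with open(victim, "rb") as f:
        clobbered = f.read() != original
    for p in (tmp_out, victim):
        if os.path.lexists(p):
            os.unlink(p)
    os.rmdir(workdir)
    return clobbered
```

`run_race(False)` shows the stand-in shadow file overwritten; `run_race(True)` shows the hardened writer refusing the planted link and leaving it intact.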
Attacks: Environment Errors

- An attacker makes a change to a program’s environment that was not expected
  - For example, a program relies on the UNIX environment variable $USER to determine who is running the program
  - An attacker changes this value to “root” before executing the program
Attacks: Weak Passwords

- Accounts with weak passwords are guessed by a remote attacker
- Accounts with weak passwords are cracked by an attacker with access to a password database
- THC-HYDRA Login Hacker
Attack: Exploit Sites

- SecurityFocus: ( )
- Packetstorm: ( )
- New Order: ( )
- Hack in the Box: ( )
- (http://www.phreak
Old School: Attack Phases

- The Attack is most often broken into several phases (perhaps running cyclically)
  - Locating Exploits
  - Getting Exploits
  - Modification of Exploits
  - Building Exploits
  - Testing Exploits
  - Running Exploits
Old School: Locating Exploits
Old School: Getting Exploits

The ‘wget’ program downloads the exploit to the attacker’s
Old School: Modifying

(-lsocket won’t work)

Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on our RedHat 7.2 attack box.
Old School: Building Exploit

Some exploits come complete with a Makefile, so a simple ‘make’ command is all that’s required to build the exploit.
Old School: Building Exploit

The make command successfully produces the exploit, in this case
Old School: Testing Exploit

The ‘-h’ parameter shows the usage for this exploit.
Old School: Attack: Running Exploit

This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inetd is restarted) a listening root shell is opened on port 31337.
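A defender's check for the entrenchment step just described, added here as an example that is not part of the original slides: it joins inetd.conf entries against /etc/services and flags any entry that hands a root shell to an unprivileged port, such as the 31337 line the attacker appended. Both files below are constructed samples, and the service name "backdoor" is an assumption.

```python
# Constructed samples of the two files the slide describes; the last line of
# each is the attacker's appended entry (the service name is an assumption).
SERVICES = """\
ftp      21/tcp
telnet   23/tcp
finger   79/tcp
backdoor 31337/tcp
"""

INETD_CONF = """\
# service  socket proto  wait    user    server                args
ftp        stream tcp    nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet     stream tcp    nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger     stream tcp    nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
backdoor   stream tcp    nowait  root    /bin/sh               sh -i
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/", 1)
        ports[(fields[0], proto)] = int(port)
    return ports


def find_suspicious_inetd(inetd_text, services_text):
    """Flag inetd entries that look like a planted root shell."""
    ports = parse_services(services_text)
    findings = []
    for line in inetd_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 6:                      # comments, blanks, malformed lines
            continue
        name, proto, user, server, args = f[0], f[2], f[4], f[5], f[6:]
        port = ports.get((name, proto))     # None if inetd.conf names an unknown service
        reasons = []
        if server.rsplit("/", 1)[-1] in SHELLS or "-i" in args:
            reasons.append("server program is an interactive shell")
        if port is not None and port >= 1024 and user == "root":
            reasons.append("root service on unprivileged port %d" % port)
        if reasons:
            findings.append({"service": name, "port": port, "user": user, "reasons": reasons})
    return findings
```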
Old School: Attack: Success!

The attacker connects to port 31337 on the target and is greeted with a root prompt.
Old School: Advancement (optional)

- If needed, gain further access to targets by further exploitation
  - Trojans
  - Local Exploits
- The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits
Old School: Entrenchment

- Modify targets to ensure future access
  - Backdoors
  - Rootkits
Entrenchment: Backdoors

- Linux
  - Non-listening backdoor programs = No listening port!
  - SAdoor ( )
  - Cd00r ( )
- NT/2K
  - Fake GINA: Username and password interceptor ( )
  - NTKap: Removes NT ACL protection ( )
Entrenchment: Rootkits

- Linux
  - LRK5: ( )
  - ADORE: ( )
  - KNARK ( )
- NT
  - NT Rootkit ( )
  - NULL.SYS ( )
Old School: Infiltration/Extraction

- Install sniffers to monitor network traffic, gather usernames/passwords
- Extract data from compromised systems
- Compromise neighboring targets based on captured data or trust relationships
Professionals

Professional hackers, or ethical hackers, tend to follow the following

- Information Gathering
- Probe
- Attack
- Advancement
- Infiltration/Extraction
Professionals

- Most often, professional ethical hackers rely on “Vulnerability Scanners” to perform their jobs.
  - Nessus
  - Retina by eEye
  - Network Associates CyberCop
  - H.E.A.T.
  - Internet Security Systems Internet Scanner
Professionals

- Vulnerability Scanner Demo
“Skript Kiddies”

Skript Kiddies

- Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. ( for an interesting writeup on the topic)

- Exploit Selection
- Target Selection
Skript Kiddies: Exploit Selection

- Nearly identical to the “Old School” method of locating exploits, skript kiddies generally use search engines to locate exploits
- Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use.
Skript Kiddies: Target Selection

- Most target selection involves noisy scanners, often launched from Windows
- An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.
Skript Kiddies: Attack!

- Unlike old-school attacks, Skript Kiddies’ tools are generally pre-compiled, or written in interpreted languages such as PERL
- If an exploit needs to be built, most kiddies will not be able to get it working
- If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-
“Defacers”

Web Defacers

While “old school” methods are still in use, web defacers statistically own the hacking
Profile of a web defacer

- Handle: intrud3rm4n
- Age: 21
- Group: Leader of ISOTK (In Search of the Knowledge!)
- Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass
- My favorite defacement:
- Country of Origin: Brazil
- Language: Portuguese
- Favorite Hacking food: Hamburgers and Fries
- Favorite Hacking Music: Metallica =)
- Favorite exploit: whacking LINUX boxen
- Reason for defacing: FUN
Defaced: Cap Gemini

Following web defacers
Common Web Defacement Methodology

Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!

The web defacement methodology (again, often cyclical) is generally as follows:

- Exploit Selection
- Target Selection
Web Defacement

Amateur defacers usually stick with one exploit and one target
Defacer’s Exploit Selection

- An attacker’s level of comfort with an Operating System will often decide the types of exploits used
  - UNIX-based attackers often opt for C-based remote overflows
  - Windows-based attackers often opt for perl-based remote overflows, visual basic tools, or command-line “net”
  - Attackers with only browser-based experience or simplistic attackers seeking privacy through proxies will opt for URL-based attacks such as UNICODE or DECODE, Front Page exploits, or PHP-Nuke attacks
Defacer’s Search for Exploits

Often an amateur defacer will monitor popular security sites (such as securityfocus) to select
Defacer’s Target Selection

- Armed with an exploit, most web defacers now search for vulnerable targets using various
  - Web searching
    - Netcraft
    - Netstat
    - Google
  - Host scanning
    - Nmap
    - Custom scanners
Defacer’s Target Selection: Web Searches

- Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn’t been explored in great detail.
Defacer’s Target Selection: Web Searches

Google query: intitle:”Index of” “Apache 1.3.11”

Here, Apache 1.3.11 servers are located through creative use of the Google search
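The query above only works against servers that publish both a directory listing and an exact version string. The check below, added here as an example that is not from the original slides, tests a captured HTTP response for that footprint so an administrator can see whether their own server would be indexed this way; the two responses are constructed and www.example.com is a placeholder.

```python
import re

# Constructed responses: one that the intitle:"Index of" "Apache 1.3.11" query
# would surface, and one from a server with listings off and a terse banner.
EXPOSED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.11 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Index of /backup</title></head><body>"
    b"<h1>Index of /backup</h1><pre><a href=\"db.tar\">db.tar</a></pre>"
    b"<address>Apache/1.3.11 Server at www.example.com Port 80</address>"
    b"</body></html>"
)
HARDENED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>403 Forbidden</title></head><body></body></html>"
)

VERSION_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")


def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def search_footprint(raw):
    """Report what a version-and-listing search query could see in this response."""
    status, headers, body = parse_response(raw)
    # The version can leak from the Server header or from the autoindex footer.
    match = VERSION_RE.search(headers.get("server", "")) or VERSION_RE.search(body)
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    listing = bool(title and title.group(1).strip().lower().startswith("index of"))
    return {
        "status": status,
        "version": match.group(1) if match else None,
        "directory_listing": listing,
        "searchable": listing and match is not None,  # same shape as the slide's query
    }
```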
Defacer’s Target Selection: Web Searches

Defacer’s Target Selection: Host Scanning

Nmap’s OS detection feature (-O) provides a decent guess as to the operating system of the
Defacer’s Target Selection: Host Scanning

provides a great resource for custom vulnerability scanners.
Defacer’s Attack

- Once the target and the exploit are selected, the attacker launches the attack against the server.
- If the attack fails, the attacker will often modify the attack and try again.

Questions?