Cover V09, I11


How to Hack -- An Introduction

Kurt Seifried

What is hacking? From an online dictionary (www.dictionary.com), the definition is:

a. To write or refine computer programs skillfully.

b. To use one's skill in computer programming to gain illegal or unauthorized access to a file or network: hacked into the company's intranet.

An earlier term for gaining unauthorized access to computers was “cracking” (as in safe cracking), whereas “hacking” applied to people that pushed computers and software to their limits (and beyond). Over time, the media has bastardized the term “hacking”, leaving “cracking” to pedantic geeks and the history books. The term hacker is now applied equally to people like Linus Torvalds (father of Linux) or Tim Berners-Lee (father of the modern WWW), and criminals that steal information or execute attacks on network sites.

What is a hacker (ignoring the law-abiding definition)? It's anyone who tries to intrude into other computers and networks. This definition covers almost anything modern -- from corporate networks to the phone system and power grid. Anything remotely complex in the modern world is invariably controlled by computers, and people have discovered that networked computers are more useful and easier to manage than standalone computers.

The first thing to realize is that the majority of hackers possess very little expertise. Teenagers have managed to take major online companies (like Yahoo and CNN) offline with network-based attacks. How can it be that they are not geniuses? To put it bluntly, because the state of computer security, on average, is terrible. The fundamental protocols used for communicating on networks were designed a long time ago in a less hostile environment, and in many cases, these protocols were not meant to survive this long. The majority of computers placed on networks are insecure, because securing a modern OS takes a significant amount of effort. In most cases, you must disable services, remove unneeded software, upgrade and patch the system, make sure the OS is hardened, and then worry about users running foreign content sent to them in emails labeled “I love you”. Most admins don't have the time or resources to properly secure their infrastructure, and far too many projects (especially online e-commerce ones) are rushed to completion.

Classes of Attackers

The first class of attackers probably forms more than 95% of the population, and its members are often referred to as “script-kiddies”. Beyond being able to use a computer and having a very basic knowledge of networks and operating systems, script-kiddies do not have much skill. They typically download packaged software (and in some cases, precompiled software) that they then use to attack other computers. Often, they do not even know how the software works, other than that it will allow them to gain access to other computers, or deny use of remote services (by crashing the machine or simply flooding the link it is on).

The next group is more skilled, having a knowledge of UNIX (most often Linux or other “free” variants) and/or Windows. They may have knowledge of networks, protocols, and services, which they can leverage to direct their attacks, and usually have a higher “success rate” than script-kiddies because of this. Most cannot program or identify new weaknesses in software and networks. Like script-kiddies, they are followers rather than leaders. This group is much smaller than script-kiddies, but significantly larger than expert attackers.

The last group are the skilled people who have managed to learn a significant amount, either on their own, or through work and training. These are the people who will download software and test it for new problems, and figure out how to exploit the weaknesses they find. Often they will write programs (referred to as scripts) that can exploit these weaknesses, usually releasing them to their friends and associates, and sometimes publicly. These scripts eventually filter into the public domain where they are used by the first two groups of attackers. Many people in this group are “white hats” -- they do not break the law, but they feel it is necessary to release the scripts they write in order to get vendors to fix problems (“proof of concept”). The ethical debate surrounding this matter would easily fill a book.

Anatomy of a Hack

The first thing attackers will do is decide on their objectives. This is usually a conscious process, but sometimes attackers only know that they want to attack an organization, for whatever reason. This decision is also influenced by the amount of risk attackers are willing to take during the attack. However, attackers are sometimes unaware of the actual risk involved and will bite off more than they can chew. “Mafiaboy”, for example, attacked CNN.com, which guaranteed there would be a lot of press coverage and that action would be taken to track down the attacker.

The least risky attack is usually a denial of service attack. Launched from insecure computers, it is often easy to do and the results are immediate and gratifying to the attacker -- preventing access to a Web server, for example. However, a denial of service attack will only go so far, and generally speaking, will not gain the attacker anything financially.

A penetration attack can provide attackers with credit card numbers or access to additional resources that they can use to continue their attacks on other sites. Attackers are usually caught when they get overly confident and continue to attack a site over a period of days or weeks. If attackers know when to cut and run, catching them can be very difficult.

The less skill an attacker has, the more obvious and clumsy any attack will be. Script-kiddies might not even bother to reconnoiter your network; instead, they might just download exploits and try them at random. This type of activity should set off many alarms on your firewall and your intrusion detection systems, and should not work if you keep software up to date. A skilled attacker will do a basic analysis of your network, typically using tools like traceroute and DNS information. For example, I did a reverse DNS lookup on 65,000 IPs at the local university in a few hours and never received a complaint or inquiry. You cannot easily prevent these probes because they can imitate legitimate network requests. Unfortunately, the only methods of logging these probes will result in a huge amount of data. Other areas to probe are a company's phone lines, since most companies have modems attached to computers that may not be properly secured. Expert attackers might try social engineering. This is rare for the first two groups, because it requires a high degree of interaction with people and is reasonably difficult to do well. The more skilled an attacker, the more focused the attack will be -- like a scalpel instead of a blunt object.

The Tools

Where can you find all these scripts and information on exploits? There are numerous Web sites devoted to the topic, and IRC is used for real-time discussions and trading of software by many hackers. The following is a catalog of sites commonly used by hackers:

http://www.antionline.com/ -- This is one of the most comprehensive sites; it's nicely formatted, and easy to navigate. There are hundreds of exploits for almost anything that can be attached to a computer network (Cisco, Windows, BSD, AIX, etc.). There are also a number of network scanners, password generators, keyloggers, and other tools that can be used to assist a person committing illegal acts (or running a legitimate penetration test).

http://www.rootshell.com/ -- This site was once the definitive site for exploits. However, activity has slowed down significantly in recent months. The site can be browsed by month (useful for finding the latest exploits), and there is a search engine available. Plug in your favorite OS or network software, and if this doesn't convince you that upgrades are necessary, nothing will.

http://packetstorm.securify.com/ -- This is by far the largest archive of exploits, going back several years.

The following are tools that can be used to probe networks, determine their structures, and so forth:

http://www.nmap.org/ -- The best port scanner around, and it's free. Scanning your network from internal trusted hosts to find out what is running is a good idea (since sometimes people add servers without mentioning it), and also from an external untrusted host, so you can see what an attacker would see.

http://www.nessus.org/ -- One of the better intrusion scanners, and Open Source. It has a client/server architecture, for both UNIX and Windows, with several hundred tests. The reports it generates are complete and some include information on how to fix the problem. It also has denial of service tests, which should be run with caution since they might crash machines.
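
The nmap entry above recommends scanning your own network to find servers that were added without anyone mentioning it. The following is an added example, not code from the original article: it parses nmap's grepable output (the -oG option) and reports open ports that are missing from an inventory. The scan text, addresses, and the APPROVED inventory are constructed for illustration.

```python
# Constructed sample of `nmap -oG` output; addresses are from a documentation range.
SAMPLE_SCAN = (
    "# Nmap scan, constructed sample\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 21/open/tcp//ftp///\n"
    "Host: 192.0.2.42 ()\tPorts: 80/open/tcp//http///\n"
)

# Hypothetical inventory: what is supposed to be listening on each host.
APPROVED = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
    "192.0.2.11": {(25, "tcp")},
}


def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} for every open port in the scan."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and status-only lines carry no port list
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")  # port/state/proto/owner/service/...
                if len(parts) >= 3 and parts[1] == "open":
                    hosts.setdefault(ip, set()).add((int(parts[0]), parts[2]))
    return hosts


def unexpected(observed, approved):
    """List (ip, port, proto, reason) for anything open but not in the inventory."""
    findings = []
    for ip in sorted(observed):
        reason = "unlisted service" if ip in approved else "unlisted host"
        for port, proto in sorted(observed[ip] - approved.get(ip, set())):
            findings.append((ip, port, proto, reason))
    return findings


if __name__ == "__main__":
    for finding in unexpected(parse_grepable(SAMPLE_SCAN), APPROVED):
        print(finding)
```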

Scanning a company for modems will usually result in discovery of at least one modem that can be used to gain access to the network. There are four methods to deal with this problem. The first method is a physical inspection of computers for modems. However, the user may have an external modem that is not always attached. The second method is to scan your phone lines for modems. Again, the user's modem may not always be attached or turned on. The third method is to prevent users from using their com ports. In UNIX, you can set permission on /dev/ appropriately, and for Windows there is a product called SecureNT. The fourth and last method is to firewall your phone lines. Currently, the only available product for these firewalls is TeleWall.

http://www.hackers.co.za/archive/hacking/wardialers/ -- The best selection of free wardialers like THC (The Hackers Choice) for scanning phones. Remember to disable caller ID display when using a tool like this.

http://www.securelogix.com/ -- SecureLogix makes the TeleWall, a firewall for phone systems. Place it in front of your PBX. It handles up to 24 lines, and you can use as many as you need. It can filter incoming and outgoing calls based on origin, destination, time, and type of call. SecureLogix also makes TeleSweep, an industrial-strength wardialer.

http://www.securewave.com/ -- SecureNT is a product that allows you to control access to com and LPT ports, as well as removable media such as floppy drives, CD-ROMs, and zip drives in Windows. You can use this to lock down Windows 9x, NT, and 2000 machines. It features nice central management.

The Defenses

There are specific defenses against these attacks; however, the list is rather huge. Having a good security policy and enforcing it, a solid IT/IS team, and procedures to deal with problems is generally your best defense. Specifically, you should keep software up-to-date, install vendor patches where possible, and restrict access to services. Physical security is also important -- consider buying lockable cases. Controlling access to workstations is almost impossible with cleaning staff and other people circulating around offices. Encrypt network traffic where possible, and consider using one-time password schemes (such as SecurID) for services that require a higher degree of assurance. Filtering and scanning content is a must. This can be as simple as a packet-level firewall, all the way up to virus scanning proxy servers and intrusion detection systems. Since an attacker will usually have to modify binaries and configuration files on the system to create a back door for further access, tools like Tripwire are invaluable. For UNIX and NT, the attacks and defenses vary significantly, and will be covered in later articles.

References

Wadlow, T. 2000. The Process of Network Security. Addison-Wesley. This book discusses how to handle incidents, how to build a team, etc. It's invaluable.

Winkler, I. 1997. Corporate Espionage. Prima Publishing. This book is more policy/procedure focused than technology. However, it will give you the mindset of a skilled attacker, and “best practices” that any company would be advised to use.

Unfortunately, many OS vendors have little or no useful security documentation online, but there are a few exceptions:

http://docs.sun.com/ -- Sun Documentation site.

http://www.cisco.com/ -- Click on “Technical Documents” for Cisco's information.

http://www.microsoft.com/technet/security/ -- Microsoft's collection of security information.

About the Author

Kurt Seifried is senior analyst for SecurityPortal and somewhat confused as to what that actually means. His primary interests are security, crypto, privacy, and sushi. He may be reached at: seifried@securityportal.com.