Hacking by Numbers

posted onMay 18, 2002
by hitbsecnews

By: Madirish

Hacking, How's it Done?

I get a lot of questions via email from people that want to know if I
can hack into a website for them, or break into someone's Hotmail
account. At first I didn't really understand why people would be asking
me these sorts of questions (other than the obvious that they couldn't
do it but wanted someone else to break the law on their behalf), but as
I pondered the cause for these emails I began to realize that most
people's understanding of hackers is generated purely by the mass media.
I suppose this fact is true for many occupations and hobbies, but with
hacking it is particularly disturbing. I know a lot of systems
administrators who don't have a deeper understanding of network security
than the evening news' depiction of it. I also get a lot of requests
asking me to teach people how to hack, like its some dark magical art
that you have to be mentored in. The truth is, I don't think many
people outside of the security community understand very well how most
system crackers work.

For those of you trying to learn how to break into systems let me pose a
question: why? The only reason I ask is because if you really want to
learn your answer to that simple question will often determine your
success. It will also help define the course you wish to pursue. I'll
dispense with the B.S. about being a smart person, or knowing
programming, or all the other requirements that were thrown in my face
when I began to learn about hacking and system cracking. None of it is
true. I am a firm believer that even the densest moron can break into
systems. All it takes is dedication, not necesarily intelligence. Now,
don't get me wrong, being smart is a huge advantage, its just not a
requirement.

Methods

How do you hack? Well, to understand hacking we first have to
understand the motives of system crackers. This isn't an easy task by
any stretch of the imagination. People crack systems for all sorts of
reasons. Some people (I am convinced they are the minority) break into
systems to learn, some do it for the glory, some do it for truly
pathetic and selfish reasons like to find a place to store thier excess
MP3 files or to use the computer as a zombie to dDos an IRC server.
Despite thier goals, most crackers will follow a specific pattern
(although this is just a generalization and I realize that with every
generalization there are gross divergances).

Step 1. Find a Vulnerability

While this seems fairly obvious you'd be surprised by the number of
people that don't even make it this far. Finding a vulnerability is the
way in. There are vulnerabilities for tons of different operating
systems out there. The target you choose may make your search for a
vulnerability much more difficult. Most crackers look for a working
vulnerability first, then look for a target (this way at least they know
if they find a computer with the target OS/service, they'll get in). Check out Security Focus for a pretty comprehensive list of
system vulnerabilities.

Finding a vulnerability can be as easy as finding the open services and
brute forcing them, or as hard as tracking down a buffer overflow
exploit. Most people are convinced they need the remote r00t exploit
though, so I'll explore how those are developed. If you follow Bugtraq (for those of you

that don't know, you can follow Bugtraq via NNTP if you want, or sign up for one of the many

Bugtraq mailing lists, just Google for it).
you'll notice that system vulnerabilities crop up every day. Most of
the postings to Bugtraq are responsible, however, and rarely include
exploit code (or if they do you have to be fairly knowledgable to get it
to work). Simply take a look at the number of postings to Bugtraq in a
day, its staggering, and almost every posting describes a possible way
to crack a system. All you need to do is figure out how. Why people
post to Bugtraq is a bit of a mystery. Its probably the same motivation
that drives people to write Linux device drivers, although it could land
you on national TV (w00w00, et. al.) so theres a little more ego draw.
Each Bugtraq posting is the source of a possible exploit code, although
some of the exploits might not need any code. Finding exploit code is
difficult, however, since its hard to write and most people don't want
it floating around the internet for others to misuse.

Most exploit code
writers hold onto their code out of moral stamina, greed, or other
motivation. You can find a lot of exploit code on various websites like Packet Storm. I've heard that IRC is a great

place to find exploit code, but I don't have the patience to chat with the legions of script

kiddies lurking there to find some.
The easiest way to
get exploit code is to write it yourself :) Now, most exploit code that
most people are going to be able to find looks pretty worthless, its
usually old and poorly documented. You would be surprised, however, to
find out just how many old vulnerable systsems are still lingering on
the internet. The trick is simply finding them.

Step 2. Find a target

Ok, so lets say we've managed to find a really old copy of code that
exploits, say for example, fooCode's telnet server. The exploit
overflows the telnet server, crashes it, fires some arbitratry commands
and creates a back door for us (the likelyhood of finding code that cool
and being able to use it are slim to none). Now all we have to do is
find a computer running fooCode telnet. This is going to be a bit of a
problem. Step one is to get a scanner. I've noticed a lot of hype
about some GUI scanners recently and thier ability to show you CGI
vulnerabilities in pretty color with point-and-click hacking, but for
our purposes we need something fast and accurate (we're going to have to
scan a LOT of IP's to find fooCode telnet). So we might decide on NMAP or Nessus.
NMAP is available with a very complete manual with descriptions of all
its different operations and the reasons it works. Thankfully NMAP is a
little more difficult to use than most programs so it keeps the truly
inept at bay. What we would want to do is either fire up NMAP and begin
scanning a large number of systems and logging their characteristics for
later use, or better, begin scans for open port 23's. Using a simple
shell command we can easily compile a text file of IP addresses with
telnet servers running. Simply getting to this stage can take a long
time, which is why the most popular exploits target widespread operating
systems or services. The next step is to find one running fooCode
telnet.

We could run our exploit code against every target system we
have found with an open port 23, but this would take a long time, so
what is better is to write a little simple code (or find some) to log
banners and run it against our list of servers to scan them for the
service they're running. If we can find something distinctive about
fooCode telnet it will be easier to locate a server. Once you've
located a server you need to run the exploit code. Just doing this is
often very difficult. A lot of exploit code is provided as raw C or
Perl.

While Perl isn't too difficult to get running since it isn't
compiled, a lot of exploit code can take days just to get working.
Exploit code usually isn't documented very well, or even if it is
assumes a certain level of skill with programing or at least systems
operation. Most likely what will happen, however, especially with older
code, is that most of the servers we find will be immune to the
vulnerability (they'll be patched in one way or another). The trick is
to keep looking, eventually an unpatched server will present itself.

Step 3. Breaking in

Once a vulnerability and target have been found the next step is to
break in. At this point very few system crackers stop to consider the
legality or reprocussions of thier actions, but this step is the
precipice. Up until this point most of what has been covered has been
legal or at least falls in the gray hazy area of legality. System break
ins are where crackers cross the line. Once you've broken into a system
you can get in big trouble, even if you don't do anything malicious.
Unauthorized computer use is a crime, meaning that even if you log in
using a default username and password, or one easily guessed, you've
already broken the law. In our above example we've found some exploit code for fooCode telnet server. Exploit code is usually spread as C code or Perl code, and isn't usually compiled.

This means, in the case of C, we have to get a working C compiler and put together the code. In the case of Perl, it isn't a compiled language so all you need is a working Perl interpreter. If you need help compiling code, you can usually go to IRC or email to find answers. Once the code is compiled we'll probably have to fire the program at a shell with some optional flags to specify targets, etc. Check out documentation for the xploit or examine the code to find out what to do. Lets say that the fooCode exploit comes as fooCode.c, we compile it into fooCode.exe and fire it at the command line with

fooCode -192.168.0.1 -8080

For purposes of our example we'll say that the first argument ('-192.168.0.1') is the IP address of the target and the second argument ('-8080') is the remote backdoor port we want to spawn. Assuming our exploit works we should be able to telnet to 192.168.0.1:8080 and get a root shell (in our dreams). What happens at this point? We've got access, what to do with it?

Step 4. Covering your tracks

Ok, now that you're on the machine you're going to want to make sure you don't get caught. There are several variants of 'rootkits' out there that you can use to clean up your tracks, but the basic idea is to get tools onto the target machine so that you can clean up log files and bash histories of your activities. You can of course do this by hand, but its tedious work. The problem with putting new programs on a machine is that it increases the likelyhood of notice. Also, if you run the wrong rootkit (say one developed for a Linux Redhat server on a Solaris server) you might end up damaging the server. Needless to say at this point you need to do some checking to make sure what type of server you're on.

You could also grab a list of usernames and begin reading e-mail. Perhaps the most damaging thing to do is to compile and install a sniffer to log passwords traversing the machine's Ethernet card. All of this really depends on why you broke into the server. You could simply 'cd' into the web root and replace the index page, thereby defacing the website. The point is that once you've gotten this far you're pretty much free to do anything.

The thing to remember though is that every keystroke sent to the target is getting used by the target (and possibly logged somewhere), so your IP is flying all over the internet in packets destined for the target.

Step 5. Practicing

The best way to get experience doing this sort of thing is to set up your own LAN. Depending on the available budget you will have to customize this setup. The easiest thing to do is purchase a refurbished computer or two for pretty cheap and download any of the various Linux or Solaris operating systems, burn copies and install them on your testbed computers. Refurbished computers can run anywhere from about $150-$400 for an acceptable machine. You'll want to get at least one hub so you can link the two or more computers, and some Ethernet cable (which is pretty cheap). Simply use reserved IP address space (10.0.0.1-255, 192.168.0.1-255, etc.). The disadvantage to doing this is that you'll have to shell out some money. The big advantage is that you can get some hands on experience with system cracking without breaking the law.

If you've got any old computers laying around you can use those as well. The thing you're going to want to do though is get at least one computer with a server operating system. There is only so much you can do with client computers (Windows 95/98/Me/XP Home) but you can try and hack into those as well. If you can't do this and you're determined to practice on live computers online be sure to realize that if you don't know what you are doing and fire the wrong exploit or compile and run the wrong code, you run a high risk of breaking the target computer. Fixing this sort of damage is time consuming and may be costly in terms of lost data, so be careful. Breaking someone else's server is bound to get their attention and may get you in a lot of trouble.

1.) Dumpster Diving - One Man's Trash - Grifter
2.) Ham Radio: An Introduction - A
3.) Pirate Radio - Manic Velocity
4.) Hacking by Numbers - madirish
5.) Authentication protocols and there weaknesses - Chernobyl Chickun
6.) Remote access and Security - Mark Jorgensen & Neil H Watson
7.) Myths about TCP Spoofing - Grandmaster Plague

Source

Tags

Articles

You May Also Like

Other Articles In This Section

Recent News

Wednesday, May 8th

Chinese Hackers Deployed Backdoor Quintet to Down MITRE
Apple announces M4 with more CPU cores and AI focus
Boeing says workers skipped required tests on 787 but recorded work as completed
Ransomware mastermind LockBitSupp has been ID’d
OpenAI’s flawed plan to flag deepfakes ahead of 2024 elections

Tuesday, May 7th

Indian police adopt facial recognition despite risk of massive data breaches
Cybersecurity Workforce Sustainability Has a Problem
New Cuckoo macOS malware can take over all Macs and steals your passwords too
Apple’s iPhone Spyware Problem Is Getting Worse
Tesla announces fourth round of layoffs in four weeks
New Microsoft AI model may challenge GPT-4 and Google Gemini
Novel attack against virtually all VPN apps neuters their entire purpose
Hackers discover how to reprogram NES Tetris from within the game

Monday, May 6th

NASA hasn’t landed on the Moon in decades—China just sent its third in six years
Counterfeit Cisco gear ended up in US military bases, used in combat operations
Microsoft plans to lock down Windows DNS like never before. Here’s how.
These dangerous scammers don’t even bother to hide their crimes

Friday, May 3rd

Iranian state-backed cyber spies continue to impersonate media brands, think tanks
Malware attacks on Docker Hub spread millions of malicious repositories
Want to Buy a Decommissioned Supercomputer? Here’s Your Chance
Maximum-severity GitLab flaw allowing account hijacking under active exploitation
Would You Still Use Google if It Didn't Pay Apple $20 Billion to Get on Your iPhone?

Thursday, May 2nd

Nvidia's flagship gaming GPU can crack complex passwords in under an hour
The US Government Is Asking Big Tech to Promise Better Cybersecurity
Email reveals Microsoft's rushed decision to invest in OpenAI
Anthropic releases Claude AI chatbot iOS app
Hacker free-for-all fights for control of home and office routers everywhere

Wednesday, May 1st

Two giants in the satellite telecom industry join forces to counter Starlink
The Dangerous Rise of GPS Attacks
China Has a Controversial Plan for Brain-Computer Interfaces
DEA to reclassify marijuana as a lower-risk drug, reports say

Tuesday, April 30th

Tesla Partners with Baidu for Full Self-Driving Rollout in China
UK becomes first country to ban default passwords on IoT devices
Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets
Apple must open iPadOS to sideloading within 6 months, EU says