Content 5.1 Thinking Like a Hacker
5.1.4 Step 3: Manipulate Users to Gain Access
There are countless cases of unsuspecting employees providing information to unauthorized people simply because the requesters appear innocent or seem to be in a position of authority. Hackers find names and telephone numbers on websites or in domain registration records (footprints), contact those people directly by phone, and convince them to reveal passwords without raising any concern or suspicion. Once hackers know some basic information about their target, they attempt to masquerade as authorized users. The first thing they need is a password, and there are two common ways to get one: social engineering or a password cracking attack.
Social Engineering
Our natural human willingness to accept people at their word leaves many of us vulnerable to attack; as a general statement, this trait is the weakest link in the security chain. Social engineering is a way to manipulate people inside the organization into providing the information needed to access the network. A computer is not required. Here are some social engineering techniques:
- Help desk impersonation: Help desks routinely respond to calls about forgotten passwords, and operators sometimes feel that their job is to help rather than to ask the questions that would verify the identity of the caller. By playing telephone tricks, hackers can appear to be calling from inside the company.
- Dumpster diving means exactly what it says: people search through company dumpsters or trash cans looking for information. Phone books, organization charts, manuals, memos, charts, and other documentation are a valuable source of information for hackers. There have even been cases where hackers found very sensitive material in the trash (system manuals, printouts of sensitive data or of login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware) and used it in their attacks.
- Reverse social engineering is an interesting twist on the theme. In this case the hacker appears to be in a position of authority, and employees actually ask the hacker for help and volunteer information. Consider a hacker who causes problems by sabotaging the network, then appears as the person who can fix the problem and, in doing so, requests and receives important bits of information from the very people the hacker has come to help. The hacker appears to solve the problem and everyone is happy. A well-developed reverse social engineering plan can offer hackers almost limitless chances to find the key information they need, which is valuable data from the employees themselves. However, this strategy requires a great deal of preparation, research, and "prehacking" to be successful.
Password Cracking
Hackers use many tools and techniques to crack passwords:
- Word lists (dictionary attacks): These programs use lists of words, phrases, or other combinations of letters, numbers, and symbols that computer users commonly choose as passwords. The cracker tries word after word, at high speed, until it finds a match.
- Brute force: This approach relies on computing power and repetition. It tries every possible combination and permutation of characters until it finds a match. Brute force will eventually crack any password, but the number of candidates grows exponentially with password length and character set size, so it is an extremely slow process against anything but short passwords.
- Hybrid crackers: Some password crackers mix the two techniques, for example by appending digits or symbols to dictionary words, changing capitalization, or substituting characters. This combines the best of both methods and is highly effective against poorly constructed passwords.
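The three techniques above, as an added example that is not part of the original course text: a small offline cracker that runs a word-list pass, then a hybrid pass with mangling rules, then a brute-force pass, against a constructed password store. The store uses salted SHA-256 digests of made-up passwords purely for illustration; a real target (NT hashes, shadow entries) would only change hash_password(). The names WORDLIST, TARGET_HASHES and crack_all() are this example's own.

```python
import hashlib
import itertools
import string

# Constructed demo: salted SHA-256 digests stand in for a captured password
# store. Only hash_password() would change for a real hash format. These are
# not real credentials.
SALT = b"demo-salt"


def hash_password(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


TARGET_HASHES = {
    "alice": hash_password("summer"),      # plain dictionary word
    "bob": hash_password("Summer2024!"),   # dictionary word plus mangling rules
    "carol": hash_password("zq7"),         # short random string, brute force only
}

WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty"]


def dictionary_candidates(words):
    """Word-list attack: try each word exactly as it appears."""
    yield from words


def hybrid_candidates(words):
    """Hybrid attack: apply mangling rules (case, year or digit suffix, symbol)."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for year in range(2020, 2026):
                yield f"{base}{year}"
                for sym in "!@#$":
                    yield f"{base}{year}{sym}"
            for n in range(100):
                yield f"{base}{n}"


def brute_force_candidates(charset, max_len):
    """Brute force: every string over charset up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def keyspace_size(charset_len, max_len):
    """Worst-case number of candidates brute force must hash."""
    return sum(charset_len ** n for n in range(1, max_len + 1))


def crack(targets, candidates):
    """Hash each candidate and look it up; returns ({user: password}, tried)."""
    by_hash = {h: u for u, h in targets.items()}
    found, tried = {}, 0
    for cand in candidates:
        tried += 1
        user = by_hash.get(hash_password(cand))
        if user is not None:
            found[user] = cand
            if len(found) == len(targets):
                break
    return found, tried


def crack_all(targets=TARGET_HASHES):
    """Run the techniques in order of cost, dropping users as they fall."""
    remaining = dict(targets)
    found, tried = {}, 0
    stages = (
        dictionary_candidates(WORDLIST),
        hybrid_candidates(WORDLIST),
        brute_force_candidates(string.ascii_lowercase + string.digits, 3),
    )
    for stage in stages:
        if not remaining:
            break
        hits, n = crack(remaining, stage)
        tried += n
        found.update(hits)
        for user in hits:
            del remaining[user]
    return found, tried


if __name__ == "__main__":
    found, tried = crack_all()
    print(found, "after", tried, "candidates")
    # Why brute force is "a long, long time": 8 printable ASCII characters.
    print("keyspace for 8 printable chars:", keyspace_size(95, 8))
```

The staged order matters: the dictionary pass costs a handful of hashes, the hybrid pass a few thousand, and the brute-force pass grows as keyspace_size() shows, so a cracker always spends the cheap passes first and reserves brute force for whatever survives.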
Password cracking attacks any application or service that accepts user authentication, including those listed here:
- Network Basic Input/Output System (NetBIOS) over TCP (TCP 139)
- Direct-hosted SMB over TCP/IP (TCP 445)
- FTP (TCP 21)
- Telnet (TCP 23)
- Simple Network Management Protocol (SNMP) community strings (UDP 161)
- Point-to-Point Tunneling Protocol (PPTP) (TCP 1723)
- Terminal Services (TCP 3389)
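Because these services accept a password over the network, a cracker can also be pointed at them directly (online guessing), which is the form a defender can see. As an added example that is not part of the original course text, the following detector walks a constructed authentication log in a simple key=value format of this example's own design (not any vendor's real format) and raises an alert when one source piles up failed logins against one of the listed services inside a sliding window; it also separates single-account guessing from password spraying. AUTH_PORTS, SAMPLE_LOG and detect_bruteforce() are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Ports from the list above, mapped to the service that authenticates on them.
AUTH_PORTS = {
    139: "NetBIOS over TCP",
    445: "direct-hosted SMB",
    21: "FTP",
    23: "Telnet",
    161: "SNMP",
    1723: "PPTP",
    3389: "Terminal Services",
}

# Constructed sample log (not a real product's format, not real traffic).
SAMPLE_LOG = """
2024-05-01T10:00:00Z src=10.0.0.5 dport=3389 user=admin result=FAIL
2024-05-01T10:00:05Z src=10.0.0.5 dport=3389 user=admin result=FAIL
2024-05-01T10:00:10Z src=10.0.0.5 dport=3389 user=admin result=FAIL
2024-05-01T10:00:15Z src=10.0.0.5 dport=3389 user=admin result=FAIL
2024-05-01T10:00:20Z src=10.0.0.5 dport=3389 user=admin result=FAIL
2024-05-01T10:00:21Z src=10.0.0.7 dport=21 user=ftp result=FAIL
2024-05-01T10:00:22Z src=10.0.0.7 dport=21 user=ftp result=OK
2024-05-01T10:00:30Z src=10.0.0.9 dport=445 user=alice result=FAIL
2024-05-01T10:00:31Z src=10.0.0.9 dport=445 user=bob result=FAIL
2024-05-01T10:00:32Z src=10.0.0.9 dport=445 user=carol result=FAIL
2024-05-01T10:00:33Z src=10.0.0.9 dport=445 user=dave result=FAIL
2024-05-01T10:00:34Z src=10.0.0.9 dport=445 user=erin result=FAIL
2024-05-01T10:05:00Z src=10.0.0.5 dport=3389 user=admin result=FAIL
2024-05-01T10:05:01Z src=10.0.0.11 dport=8080 user=web result=FAIL
""".strip().splitlines()


def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert once per (source, service) when `threshold` failed logins fall
    inside a sliding `window_s`-second window. Many distinct usernames inside
    the window marks password spraying rather than guessing one account."""
    windows = defaultdict(deque)   # (src, dport) -> deque of (ts, user)
    alerted = set()
    alerts = []
    for rec in map(parse_line, lines):
        if rec["result"] != "FAIL" or rec["dport"] not in AUTH_PORTS:
            continue                # successes and non-listed ports are ignored
        key = (rec["src"], rec["dport"])
        q = windows[key]
        q.append((rec["ts"], rec["user"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()             # expire failures older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            users = {u for _, u in q}
            alerts.append({
                "src": rec["src"],
                "service": AUTH_PORTS[rec["dport"]],
                "failures": len(q),
                "distinct_users": len(users),
                "kind": "password spray" if len(users) >= threshold else "brute force",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

On the sample, 10.0.0.5 trips the rule for Terminal Services with one username (brute force) and 10.0.0.9 trips it for SMB with five different usernames (spray); the FTP failure followed by a success and the failure on a port not in the list produce nothing. In production the threshold and window would be tuned per service, since a single Telnet client retrying is not the same as five RDP failures in twenty seconds.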
5.1.5 Step 4: Escalate Privileges
After they secure a password for a user account and user-level privileges on a host, hackers attempt to escalate their privileges. The first thing they do is review all the information collected on the host; for example, files containing usernames and passwords, and registry keys containing application or user passwords. (Any available documentation, including e-mails and other documents, may also be of assistance.) If this step does not succeed, the hacker may launch a Trojan horse attack. This type of attack usually means copying malicious code to the user's system and giving it the same name as a frequently used piece of software. A simple example would have the hacker replace the victim's Microsoft Notepad application (notepad.exe) with a doctored Trojan horse Notepad.
This happened in 2000 when a large corporation was attacked by W32/QAZ, a Trojan horse and Internet worm that acts as a back door. When running, it listens on TCP port 7597 for instructions from a client component; the Trojan horse also communicated with an external IP address physically located in a foreign country. The back door allows the remote user to upload and run any program, so at this point in the attack the hacker can install a more complex back door or a password-stealing program. As a worm, W32/QAZ browses network connections to spread to other machines that allow write access without passwords to their Microsoft Windows folders over NetBIOS. It copies itself as "notepad.exe" and renames the existing notepad.exe to note.com. W32/QAZ can give a hacker or group of hackers access to the host system that allows them to install other malicious software if desired. When the victim opens Microsoft Notepad, the Trojan horse runs with the victim's privileges and then launches the real Notepad (note.com). This is transparent to the victim, and by acting through the victim's session the hacker holds whatever privileges the victim holds, which are administrator privileges whenever the victim is a local administrator. Figure summarizes these points.
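The defensive check that catches this kind of substitution is a file-integrity baseline: hash the system binaries once, then compare. As an added example that is not part of the original course text, the code below builds such a baseline with SHA-256, simulates the QAZ-style swap described above in a temporary directory (the genuine file renamed to note.com and a new file dropped under the name notepad.exe; the file contents are harmless placeholder bytes, not malware) and reports what changed. build_baseline(), compare_baseline() and demo() are this example's own names; a real deployment would point build_baseline() at the Windows system directory and store the baseline off-host.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_baseline(baseline, current):
    """Classify every path as modified, added or removed versus the baseline."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def simulate_qaz_style_replacement(root):
    """Mimic the substitution described above: the real notepad.exe is renamed
    to note.com and a new file takes its name. Placeholder bytes only."""
    root = Path(root)
    (root / "notepad.exe").rename(root / "note.com")
    (root / "notepad.exe").write_bytes(b"TROJAN-STANDIN")


def demo():
    """Constructed scenario: baseline a fake system folder, swap Notepad, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notepad.exe").write_bytes(b"GENUINE-NOTEPAD-STANDIN")
        (root / "calc.exe").write_bytes(b"GENUINE-CALC-STANDIN")
        baseline = build_baseline(root)
        simulate_qaz_style_replacement(root)
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The telltale pair is notepad.exe reported as modified together with an unexpected note.com reported as added; an unchanged calc.exe shows the comparison is not simply flagging everything. A listener on TCP 7597 on the same host would be the network-side confirmation.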
5.1.6 Step 5: Gather Additional Passwords and Secrets
After the hacker has obtained network administrator privileges, the next task is to gather more passwords and other sensitive data. Figure lists some of the things hackers do to improve their success. The targets now include the local Security Accounts Manager (SAM) database and the Active Directory database of a domain controller, which hackers dump with legitimate administration tools such as pwdump (account password hashes) and lsadump (LSA secrets such as stored service account passwords). By cross-referencing the username and password combinations recovered from each machine, the hacker is able to obtain administrative access to all computers in the network, because the same local administrator password or service account is typically reused across many hosts.
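The cross-referencing step, as an added example that is not part of the original course text: pwdump writes one line per account in the form user:RID:LM hash:NT hash:::, and the same NT hash appearing on two hosts means the same password opens both, whether or not it is ever cracked. The dumps below are constructed: the LM field is the well-known value for "no LM hash stored", one account carries a made-up LM hash to show the legacy case, and every NT hash is a made-up hexadecimal placeholder, not the hash of any real password. DUMPS, cross_reference() and reuse_report() are this example's own names.

```python
from collections import defaultdict

# Constructed pwdump-style output from three hosts (user:RID:LM:NT:::).
# NO_LM is the value pwdump shows when no LM hash is stored; the NT hashes
# are placeholders, not hashes of real passwords.
NO_LM = "aad3b435b51404eeaad3b435b51404ee"
DUMPS = {
    "ws01": f"""Administrator:500:{NO_LM}:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
alice:1001:{NO_LM}:11111111111111111111111111111111:::""",
    "ws02": f"""Administrator:500:{NO_LM}:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
bob:1002:{NO_LM}:22222222222222222222222222222222:::""",
    "srv01": f"""Administrator:500:{NO_LM}:abcdefabcdefabcdefabcdefabcdefab:::
svc_backup:1005:{NO_LM}:11111111111111111111111111111111:::
legacy:1006:0123456789abcdefaad3b435b51404ee:33333333333333333333333333333333:::""",
}


def parse_pwdump(text):
    """Yield (user, rid, lm_hash, nt_hash) for each non-empty pwdump line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt, *_ = line.split(":")
        yield user, int(rid), lm.lower(), nt.lower()


def cross_reference(dumps):
    """Map each NT hash to every host\\user that carries it."""
    by_hash = defaultdict(list)
    for host, text in dumps.items():
        for user, _rid, _lm, nt in parse_pwdump(text):
            by_hash[nt].append(f"{host}\\{user}")
    return by_hash


def reuse_report(dumps):
    """NT hashes shared by more than one account: one password (or one hash,
    via pass-the-hash) opens every account listed against it."""
    return {nt: sorted(accts)
            for nt, accts in cross_reference(dumps).items() if len(accts) > 1}


def lm_hash_accounts(dumps):
    """Accounts that still store an LM hash, which is trivially crackable."""
    return sorted(f"{host}\\{user}"
                  for host, text in dumps.items()
                  for user, _rid, lm, _nt in parse_pwdump(text)
                  if lm != NO_LM)


if __name__ == "__main__":
    for nt, accts in reuse_report(DUMPS).items():
        print(nt, "->", ", ".join(accts))
    print("LM hashes stored:", lm_hash_accounts(DUMPS))
```

On the constructed data the report shows the local Administrator hash shared by ws01 and ws02 (the classic path to every workstation) and alice's password reused by the svc_backup service account on srv01; srv01's own Administrator hash is unique and does not appear. Run by a defender over the same dumps, the identical report is the list of passwords to rotate first.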
5.1.7 Step 6: Install Back Doors and Port Redirectors
Legitimate users enter systems through the "front door" and abide by the rules assigned to their privilege level. Hackers often build "back doors" to avoid any impediments in their quest to control the network. They also use port redirectors to get around security mechanisms you might have in place, such as a firewall that blocks the port a back door would otherwise listen on. Figure summarizes these approaches.
Back Doors
Back doors provide hackers with a way