PART ONE: Hacker Techniques and Tools

CHAPTER 1: Hacking: The Next Generation

THIS BOOK WILL COVER A WIDE RANGE of techniques and technologies that hackers can use to compromise a system in one way or another. Before you go further, it is important to first understand what hackers are and where they come from.
The first generation of hackers who emerged in the 1960s were individuals who would be called “geeks” or technology enthusiasts today. These early hackers would go on to create the foundation for technologies such as the ARPANET, which paved the way for the Internet. They also initiated many early software-development movements that led to what is known today as open source. Hacking was motivated by intellectual curiosity; causing damage or stealing information was “against the rules” for this small number of people.
In the 1980s, hackers started gaining more of the negative connotations by which the public now identifies them. Movies such as War Games and media attention started altering the image of a hacker from a technology enthusiast to a computer criminal. During this time period, hackers engaged in activities such as theft of service by breaking into phone systems to make free phone calls. The publishing of books such as The Cuckoo’s Egg and the emergence of magazines such as Phrack cast even more negative light on hackers. In many respects, the 1980s formed the basis for what a hacker is today.
Over the past two decades, the definition of what a hacker is has evolved dramatically from what was accepted in the 1980s and even the 1990s. Current hackers defy easy classification and require categorization into several groups to better match their respective goals. Here is a brief look at each of the groups to better understand what the information technology industry is dealing with:
• Script kiddies—These hackers occupy the lowest level of the hacker hierarchy. They typically possess very basic skills and rely upon existing tools that they can locate on the Internet. These hackers are the beginners and may or may not understand the impact of their actions in the larger scheme of things. It is important, however, not to underestimate the damage these individuals can cause; they can still do a great deal of harm.
• White-hat hackers—These individuals know how hacking works and the danger it poses, but use their skills for good. They adhere to an ethic of “do no harm.” White-hat hackers are sometimes also referred to as ethical hackers, which is the name most widely known by the general public.
• Gray-hat hackers—Hackers in this class are “rehabilitated” hackers or those who once were on “the dark side,” but are now reformed. For obvious reasons, not all people will trust a gray-hat hacker.
• Black-hat hackers—A black-hat hacker has, through actions or stated intent, indicated that his or her hacking is designed to break the law, disrupt systems or businesses, or generate an illegal financial return. Hackers in this class should be considered to be “up to no good,” as the saying goes. They may have an agenda or no agenda at all. In most cases, black-hat hackers and outright criminal activity are not too far removed from one another.

The purpose of this book is to teach you how to ensure the security of computers and networks by learning and understanding the mindset of individuals out to compromise those systems. To defend information technology assets, you need to understand the motivations, tools, and techniques that attackers commonly use.

Chapter 1 Topics
This chapter covers the following topics and concepts:
• What the profiles of hackers, crackers, and cybercriminals are
• What a look back at the history of computer hacking shows
• What ethical hacking and penetration testing are
• What common hacking methodologies are
• How to perform a penetration test
• What the roles of ethical standards and the law are

Chapter 1 Goals
When you complete this chapter, you will be able to:
• Describe the history of hacking
• Explain the evolution of hacking
• Explain why information systems and people are vulnerable to manipulation
• Differentiate between hacking, ethical hacking, penetration testing, and auditing
• Relate the motivations, skill sets, and primary attack tools used by hackers
• Compare the steps and phases of a hacking attack to those of a penetration test
• Explain the difference in risk between inside and outside threats and attacks
• Review the need for ethical hackers
• State the most important step in ethical hacking
• Identify important laws that relate to hacking

Profiles of Hackers, Crackers, and Cybercriminals
In today’s world, organizations have quickly learned that they can no longer afford to underestimate or ignore the threat attackers pose. Organizations of all sizes have learned to reduce threats through a combination of technological, administrative, and physical measures designed to address a specific range of problems. Technological measures include devices and techniques such as virtual private networks (VPNs), cryptographic protocols, intrusion detection systems (IDS), intrusion prevention systems (IPS), access control lists (ACLs), biometrics, smart cards, and other devices. Administrative controls include policies, procedures, and other rules. Physical measures include devices such as cable locks, device locks, alarm systems, and other similar devices. Keep in mind that each of these devices, even if expensive, can be cheaper and more effective than cleaning up the aftermath of an intrusion.

NOTE: People who break the law or break into systems without authorization are more correctly known as “crackers.” The press does not usually make this distinction, because “hacker” has become such a universal term. However, there are many experienced hackers who never break the law, and who define hacking as producing an outcome the system designer never anticipated. In that respect, Albert Einstein can be considered to have “hacked” Newtonian physics. In the interest of simplicity, this book will use the term “hacker” to describe those who are either good or evil. No offense is intended to either group.
While discussing attacks and attackers, security professionals
must be thorough in assessment and evaluation of the threat
by also considering where it comes from. When evaluating
the threats against an organization and possible sources of
attack, always consider the fact that attackers can come from
both outside and inside the organization. A single disgruntled
employee can cause tremendous amounts of damage because
he or she is an approved user of the system. In just about any
given situation, the attacks originating from outside the firewall
will greatly outnumber the attacks that originate from the inside.
However, an insider may go unnoticed longer and also have
some level of knowledge of how things work ahead of time,
which can result in a more effective attack.
NOTE: Never underestimate the damage a determined individual can do to computer systems. For example, Michael Calce, commonly known as MafiaBoy, was an individual who in February 2000 launched a series of denial of service (DoS) attacks that were responsible for causing damages estimated upwards of $1.2 billion.

NOTE: Both insiders and outsiders rely on exploits of some type. Remember that an exploit refers to a piece of software, a tool, or a technique that targets or takes advantage of a vulnerability—leading to privilege escalation, loss of integrity, or denial of service on a computer system.

Because the risk to any organization is very real, it is up to each organization to determine the controls that will be most effective in reducing or mitigating the threats it faces. When considering controls, you can examine something called the TAP principle of controls. TAP is an acronym for technical, administrative, and physical, the three types of controls you can use in risk mitigation. Here’s a look at each type with a few examples:

• Technical—Technical controls take the form of software or hardware such as firewalls, proxies, intrusion detection systems (IDS), intrusion prevention systems (IPS), biometric authentication, permissions, auditing, and similar technologies.

• Administrative—Administrative controls take the form of policies and procedures. An example is a password policy that defines what makes a good password. In numerous cases, administrative controls may also fulfill legal requirements, such as policies that dictate privacy of customer information. Other examples of administrative policy include the rules governing the hiring and firing of employees.

• Physical—Physical controls are those that protect assets from traditional threats such as theft or vandalism. Mechanisms in this category include locks, cameras, guards, lighting, fences, gates, and other similar devices.
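The administrative and technical categories overlap in practice: a written password policy is an administrative control, but it only has teeth when something enforces it. The Python below is an added example written for this edit, not code from the textbook or its publisher; it expresses a policy as data (the administrative side) and a checker plus a compliance audit over it (the technical side). The thresholds, the denylist entries, and the sample usernames and passwords are all constructed for the demonstration.

```python
"""Password policy as an administrative control, enforced by a technical one.
Added example: thresholds, denylist and sample accounts are constructed."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class PasswordPolicy:
    """The administrative control: what the written policy document states."""
    min_length: int = 12
    min_char_classes: int = 3   # out of: lowercase, uppercase, digit, symbol
    max_repeat_run: int = 3     # "aaa" is tolerated, "aaaa" is not
    forbid_username: bool = True
    # Stand-in for a check against a corpus of known weak or breached passwords.
    denylist: frozenset = field(default_factory=lambda: frozenset(
        {"password", "letmein", "welcome1", "qwerty123"}))


def _char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """The technical control: list every policy rule the candidate violates.
    An empty list means the password complies."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if _char_classes(pw) < policy.min_char_classes:
        violations.append(f"fewer than {policy.min_char_classes} character classes")
    # (.)\1{N,} matches one character followed by at least N copies of itself,
    # i.e. a run longer than max_repeat_run.
    if re.search(r"(.)\1{%d,}" % policy.max_repeat_run, pw):
        violations.append(f"same character repeated more than {policy.max_repeat_run} times")
    if policy.forbid_username and username and username.lower() in pw.lower():
        violations.append("contains the username")
    if pw.lower() in policy.denylist:
        violations.append("appears on the weak-password denylist")
    return violations


def audit_accounts(accounts: dict[str, str],
                   policy: PasswordPolicy = PasswordPolicy()) -> dict[str, list[str]]:
    """Compliance audit: map each non-compliant username to its violations."""
    report = {}
    for username, pw in accounts.items():
        violations = check_password(pw, username, policy)
        if violations:
            report[username] = violations
    return report


# Constructed sample accounts (username -> candidate password); not real data.
SAMPLE_ACCOUNTS = {
    "alice": "Correct-Horse-Battery-9",   # complies with every rule
    "bob":   "bob2024!!!!",               # short, contains username, "!!!!" run
    "carol": "Welcome1",                  # short and on the denylist
    "dave":  "abcdefghijklmnop",          # long enough but a single character class
}

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: " + "; ".join(problems))
```

Running the module prints one line per non-compliant account. The denylist is only a stand-in for a real check against a breached-password corpus, and the rules are kept deliberately readable so each one can be matched line by line against the sentence of the written policy it enforces; when the policy document changes, the dataclass defaults are the single place that must change with it.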
The Hacker Mindset

Like many criminals, black-hat hackers do not consider their activities to be illegal or even morally wrong. Depending on whom you ask, you can get a wide range of responses from hackers on how they view their actions. It is also not unheard of for hackers or criminals to have a code of ethics that they hold sacred, but seem more than a little skewed to others. In defense of their actions, hackers have been known to cite all sorts of reasons, including the following:

• The no-harm-was-done fallacy—If one enters a system, even in an unauthorized manner, it is OK as long as nothing is stolen or damaged in the process.
• The computer game fallacy—If the computer or system did not take any action or have any mechanism to stop the attack, it must be OK.
• The law-abiding citizen fallacy—Writing a virus is not illegal, so it must be OK.
• The shatterproof fallacy—Computers cannot do any real harm. The worst that can happen is a deleted file or erased program.
• The candy-from-a-baby fallacy—If it is so easy to copy a program or download a song, how can it be illegal?
• The hacker fallacy—Information should be free. No one should have to pay for books or media. Everyone should have free access.

NOTE: Although it is true that the mere act of writing a computer virus is not illegal, releasing it into the “wild” is illegal.

NOTE: Although it is true that applications or data can be erased or modified, worse scenarios can happen under the right circumstances. For example, consider what could happen if someone broke into a system such as a 911 emergency service and then maliciously or accidentally took it down.

Another example of attempting to explain the ethics applied to hackers is known as
the hacker ethic. This set of standards dates to Steven Levy in the 1960s. In the preface
of his book, Hackers: Heroes of the Computer Revolution, Levy stated the following:
• Access to computers and anything that might teach you something about
the way the world works should be unlimited and total.
• All information should be free.
• Authority should be mistrusted, and decentralization should be promoted.
• Hackers should be judged by their hacking, not criteria such as degrees,
age, race, gender, or position.
• You can create art and beauty on a computer.
• Computers can change your life for the better.
Ethics are an important component in understanding what makes a hacker, but far
from the only component. One must also consider motivation. Anyone who has watched
a police drama or is a fan of detective stories knows that there are three things needed
to commit a crime:
• Means—Does the attacker possess the ability to commit the crime in question?
• Motive—Does the attacker have a reason to engage in the commission of the crime?
• Opportunity—Does the attacker have the necessary access and time to commit
the crime?

Focusing on the second point—motive—helps better understand why an attacker might
engage in hacking activities. The early “pioneers” of hacking engaged in those activities
out of curiosity. Today’s hackers can have any number of motives, many of which are
similar to those for traditional crimes:
• Monetary—Attacks committed with the intention of reaping financial gains.
• Status—Attacks committed with the intention of gaining recognition and, by
extension, increased credibility within a given group (for example, a hacking group).
• Terrorism—Attacks designed to scare, intimidate, or otherwise cause panic
in the victim or target group.
• Revenge or grudge—Attacks conceived and carried out by individuals who are
angry at an organization. Attacks of this nature are often launched by disgruntled
employees or customers.
• Hacktivism—Attacks that are carried out to bring attention to a cause, group,
or political ideology.
• Fun—Attacks that are launched with no specific goal in mind other than to just
carry out an attack. These attacks can be indiscriminate in their execution.

No matter what the hackers’ motivations are, any of them might result in the commission of a computer-based crime. For example, attackers may hack a game server to boost their stats in an online game against their friends, but they still have entered a server without

A relatively new form of hacking is the idea of hacking on behalf of a cause. In the past, hacking was done for a range of different reasons that rarely included social expression. Over the past decade, however, there have been an increasing number of security incidents with roots in social or political activism. Examples include defacing Web sites of public officials, candidates, or agencies that an individual or group disagrees with, or performing DoS attacks against corporate Web sites.
A sampling of common attacks that fit the definition of computer crime include
• Theft of access—Stealing passwords, stealing usernames, and subverting access
mechanisms to bypass normal authentication. In a number of situations, the very
act of possessing stolen credentials such as passwords may be enough to bring
• Network intrusions—Accessing a system of computers without authorization.
Intrusions may not even involve hacking tools; the very act of logging into
a guest account may be sufficient to be considered an intrusion.
• Emanation eavesdropping—Sniffing devices for intercepting radio frequency (RF)
signals generated by computers or terminals. Years ago, the U.S. Department of
Defense established a classified program codenamed TEMPEST that was designed
to shield or suppress electronic emanations to protect sensitive and classified
• Social engineering—Basically, telling lies to manipulate people into divulging
information they otherwise would not provide. Information such as passwords,
PINs (personal identification numbers), or other details can be used to attack
computer-based systems. Although not necessarily a crime in every specific
situation, social engineering methods such as pretexting (tricking an individual
to reveal information under false pretenses) are often illegal.
• Posting and/or transmitting illegal material—Distributing pornography to minors
is illegal in numerous jurisdictions, as is possessing or distributing child pornography.
• Fraud—Intentional deception designed to produce illegal financial gain or to damage
• Software piracy—The possession, duplication, or distribution of software
in violation of a license agreement, or the act of removing copy protection
or other license-enforcing mechanisms.
• Dumpster diving—Gathering material that has been discarded or left in unsecured
or unguarded receptacles. Dumpster diving often enables discarded data to be pieced
together to reconstruct sensitive information.
• Malicious code—Software written with a deliberate purpose to cause damage, destruction, or disruption. Examples include viruses, worms, spyware, and Trojan horses.
• Denial of service (DoS) and distributed denial of service (DDoS) attacks—
Overloading a system’s resources so it cannot provide the required services.
Both DoS and DDoS have the same effect, except that distributed denial of service
(DDoS) is launched from large numbers of hosts that have been compromised and
act after receiving a particular command.
• IP address spoofing—Substituting a forged IP address for a valid address in network
traffic or a message to disguise the true location of the message or person. This
attack method may also be used as a component of other larger attacks such as
DoS or DDoS attacks.
• Unauthorized destruction or alteration of information—Modifying, destroying,
or tampering with information without appropriate permission. This can involve
manual or automated tools that have been developed for this purpose to change
information at rest or in motion.
• Embezzlement—A form of financial fraud that involves theft or redirection
of funds as a result of violating a position of trust.
• Data-diddling—The unauthorized modification of data used to forge or counterfeit
information. Examples include changing performance review marks, adjusting
expense account limits, or “tweaking” reports after the fact.
• Logic bomb—A piece of code designed to cause harm, a logic bomb is intentionally
inserted into a software system and will activate upon the occurrence of some
predetermined date, time, or event.

A Look Back at the History of Computer Hacking
Typical early hackers were technology enthusiasts who were curious about the new
technology of networks and computers and wanted to see just how far they could push
its capabilities. In the decades since, hacking has changed quite a bit—getting more
advanced and cleverer as the technology advanced. For example, in the 1970s, when
mainframes were more common in corporate and university environments, hacking was
mostly confined to those systems. The 1980s saw the emergence of personal computers
(PCs), which meant every user had a copy of an operating system. As these systems were
very similar, a hack that worked on one machine would work on nearly every other PC
as well. Although the first Internet worm in November 1988 exploited a weakness in the
UNIX sendmail command, worm and virus writers moved their attention to the world
of PCs, where most infections occur today.
As hackers evolved so did their attacks as their skills and creativity increased. The
first World Wide Web browser, Mosaic, was introduced in 1993. By 1995, hackers began
defacing Web sites. Some of the earliest hacks were quite funny, if not somewhat offensive
or vulgar. In August 1995, hackers hacked the MGM Web site for the movie “Hackers,”
suggesting readers attend the DEFCON hacker conference instead. A 1996 hack of the
Department of Justice Web site replaced Attorney General Janet Reno’s picture with that
of Adolf Hitler. The next month, hackers defaced the CIA Web site, and later that year
the Air Force Web site featured a link to Area 51, a secret government site in Nevada,
long linked in the popular mind to UFOs. By May 2001, Web sites were being hacked at
such a rate that the group that documented them gave up trying to keep track (see http://
By the turn of the century, hacks started to progress from pranks to maliciousness.
DoS attacks took out companies’ Internet access, affecting stock prices and causing
financial damage. As Web sites began to process more credit card transactions,
their back-end databases became prime targets for attacks. As computer-crime laws
came into being, the bragging rights for hacking a Web site became less attractive—
sure, a hacker could show off to friends, but that didn’t produce a financial return.