17-06-2014, 10:37 AM
How Hackers Do It:
Tricks, Tools, and Techniques
Tricks
A trick is a “mean crafty procedure or practice...designed to deceive, delude, or
defraud.” Hackers use tricks to find shortcuts for gaining unauthorized access to
systems. They may use that access for illegal or destructive purposes, or they may
simply be testing their own skills to see whether they can perform a task.
Given that most hackers are motivated by curiosity and have time to try endless
attacks, the probability is high that eventually they will find a sophisticated method
to gain access to just about any environment. However, those aren’t the types of
attacks we address in this article, because most successful intrusions are
accomplished through well-known and well-documented security vulnerabilities
that have not been patched, disabled, or otherwise dealt with. These
vulnerabilities are exploited every day, and they need not be.
Finding Access Vulnerabilities
What generally happens is that an advanced or elite hacker writes a scanning tool
that looks for well-known vulnerabilities and makes it available over the Internet.
Less experienced hackers, commonly called “script kiddies,” then run the scanning
tool around the clock against large numbers of systems and find many that are
vulnerable. They typically run the tool against the namespaces (address ranges and
domain names) associated with companies they would like to get into.
The script kiddies then work through the resulting list of vulnerable IP addresses,
launching attacks matched to the vulnerabilities each machine advertises, to gain
access. Depending on the vulnerability, the attacker may obtain either a privileged
or a nonprivileged account. Either way, the attacker uses this initial entry (also
referred to as a “toe-hold”) to gain additional privileges on the system and then to
attack the systems it has trust relationships with, shares information with, sits on
the same network with, and so on.
Finding Operating System Vulnerabilities
As mentioned previously, hackers first look for vulnerabilities to gain access. Then
they look for operating system (OS) vulnerabilities and for scanning tools that report
on those vulnerabilities.
Finding vulnerabilities specific to an OS is as easy as typing in a URL and
clicking on the appropriate link. Many organizations provide “full-disclosure”
information. Full disclosure is the practice of publishing all details of a
vulnerability so that the information is not known only to the hacker community.
Attacking Solaris OE Vulnerabilities
Let’s use Solaris 2.6 OE as an example. A well-known vulnerability, for which
patches are available, is the sadmind vulnerability. Hackers frequently use it
to gain root access on Solaris 2.6 OE systems.
Using only a search engine and the CVE number, found by searching the Mitre
site listed previously, it is possible to find the exploit’s source code and detailed
instructions on how to use it. The entire process takes only a few minutes. The
hacker finds the source code on the SecurityFocus web site and the detailed
instructions on the SANS site.
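The same well-known-vulnerability check that a script kiddie’s scanner automates is available to the administrator before the scanner arrives: sadmind is an RPC service registered with the portmapper, so `rpcinfo -p host` lists it whenever it is running. The script below is an added example for this post, not code from the Blueprint it excerpts. It parses constructed `rpcinfo -p` output and flags the program number Solaris registers for sadmind (100232); the second sample, the advice text, and the `WATCH_LIST` layout are assumptions to adapt to your own environment.

```python
"""Flag exposed RPC services in `rpcinfo -p` output.

Added example for this post; not code from the Sun Blueprint it excerpts.
The two samples below are constructed, not captured from real hosts.
"""
import re

# One registration per line: program number, version, transport, port, name.
RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s*(\S*)\s*$")

# RPC program numbers to flag. 100232 is the number Solaris registers for
# sadmind, the Solstice AdminSuite daemon discussed above. Add others here.
WATCH_LIST = {
    100232: "sadmind: apply the patch, or disable its entry in /etc/inetd.conf if unused",
}

# Constructed output of `rpcinfo -p` on an unpatched Solaris 2.6 host ...
SAMPLE_EXPOSED = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100232   10   udp  32773  sadmind
    100024    1   udp  32774  status
    100024    1   tcp  32771  status
"""

# ... and on the same host after sadmind was disabled in inetd.conf.
SAMPLE_HARDENED = "\n".join(
    line for line in SAMPLE_EXPOSED.splitlines() if "sadmind" not in line
) + "\n"


def parse_rpcinfo(text):
    """Return the registrations in `rpcinfo -p` output, skipping the header."""
    services = []
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if not m:  # header line, blank line, or something rpcinfo never prints
            continue
        prog, vers, proto, port, name = m.groups()
        services.append({"program": int(prog), "version": int(vers),
                         "proto": proto, "port": int(port), "name": name})
    return services


def find_watched(text, watch=WATCH_LIST):
    """List (program, proto, port, advice) for every watched program that is registered."""
    return [(s["program"], s["proto"], s["port"], watch[s["program"]])
            for s in parse_rpcinfo(text) if s["program"] in watch]


def report(text):
    """Human-readable summary: size of the inventory plus the watched hits."""
    hits = find_watched(text)
    lines = [f"{len(parse_rpcinfo(text))} RPC registrations, {len(hits)} flagged"]
    for prog, proto, port, advice in hits:
        lines.append(f"  program {prog} on {proto}/{port}: {advice}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a live host you would feed in the stdout of `rpcinfo -p host`.
    print("exposed host:\n" + report(SAMPLE_EXPOSED))
    print("hardened host:\n" + report(SAMPLE_HARDENED))
```

Run it over `rpcinfo -p` output collected from each Solaris host; a hit on 100232 means the machine is advertising exactly the service the exploit described above targets, and the fix is the one the article keeps returning to: patch it or turn it off.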
Attacks From Employees
In this scenario, an employee has user-level access to the system but is not
authorized to have root privileges. The scenario is very common: it usually arises
when accounts are left logged on and systems are insecurely configured, giving an
intruding employee the opportunity to perform unauthorized actions.
The ability of malicious internal users to gain additional privileges on Solaris OE
systems is a very real security issue. Unfortunately, it is frequently overlooked or
ignored by administrators and managers who say, “That could never happen here”
or “We have to trust all of our employees.” Serious security incidents occur in
situations like these.
Most systems have several classes of user: system administrators, operators,
database administrators, hardware technicians, and so forth. Each class has
permissions and privileges defined by user ID and group IDs on the system, and
most of these users have neither the root password nor permission to use it.
Switched Networks
No evaluation of network sniffing is complete without covering network switches.
Network switches connect multiple systems to the same network segment in much
the same manner as a network hub. The major difference is the switch’s ability to
forward packets on a per-port basis: only traffic destined for a port is forwarded to
it, instead of every port seeing all traffic. With this configuration, even if a network
interface is in promiscuous mode, it does not see the traffic destined for another
port on the same switch. Note that this is a reduction in exposure, not a guarantee:
broadcast frames and frames to destinations the switch has not yet learned are still
sent to every port.
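To make the per-port forwarding concrete, here is a small model of a hub and a learning switch, as an added example for this post rather than code from the Blueprint it excerpts. The hosts, MAC addresses, frames and four-port topology are constructed, and the table size limit stands in for a real switch’s finite forwarding table. It shows which frames of a conversation between A and B a promiscuous interface on a third port captures on each device, and goes one step past the paragraph by showing what happens once that table is full.

```python
"""Hub versus learning switch: what a promiscuous interface sees.

Added example for this post; not code from the Sun Blueprint it excerpts.
The hosts, MAC addresses, frames and the four-port topology are constructed.
table_limit stands in for a real switch's finite forwarding (CAM) table and
its exact value is an assumption.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return [p for p in self.ports if p != ingress]


class LearningSwitch:
    """Learns source MAC -> port and sends known unicast to one port only.
    Broadcast and unknown destinations are flooded, exactly like a hub."""

    def __init__(self, ports, table_limit=None):
        self.ports = list(ports)
        self.table = {}            # MAC address -> port it was last seen on
        self.table_limit = table_limit

    def forward(self, ingress, frame):
        src, dst = frame["src"], frame["dst"]
        # Learn where the sender lives, unless the table is already full.
        if src in self.table or self.table_limit is None or len(self.table) < self.table_limit:
            self.table[src] = ingress
        if dst != BROADCAST and dst in self.table:
            # Known destination: one port, or drop it if that is the ingress port.
            return [] if self.table[dst] == ingress else [self.table[dst]]
        return [p for p in self.ports if p != ingress]  # flood


def observed(device, traffic, sniffer_port):
    """IDs of the frames a promiscuous NIC on sniffer_port would capture."""
    return [frame["id"] for ingress, frame in traffic
            if sniffer_port in device.forward(ingress, frame)]


# Constructed topology: A on port 1, B on port 2, the sniffer S on port 3.
MAC = {"A": "00:00:00:00:00:0a", "B": "00:00:00:00:00:0b", "S": "00:00:00:00:00:0c"}
PORT = {"A": 1, "B": 2, "S": 3}
PORTS = [1, 2, 3, 4]

# A talks to B; the sniffer on port 3 is not a party to the conversation.
CONVERSATION = [
    (PORT["A"], {"id": "f1", "src": MAC["A"], "dst": MAC["B"]}),   # B not yet learned
    (PORT["B"], {"id": "f2", "src": MAC["B"], "dst": MAC["A"]}),   # A already learned
    (PORT["A"], {"id": "f3", "src": MAC["A"], "dst": MAC["B"]}),   # both learned
    (PORT["A"], {"id": "f4", "src": MAC["A"], "dst": BROADCAST}),  # e.g. an ARP request
]


def mac_flood(count, port):
    """Frames with bogus source MACs, as an attacker on `port` would send to
    fill the switch's table before the real conversation starts."""
    return [(port, {"id": f"x{i}", "src": f"02:00:00:00:00:{i:02x}",
                    "dst": f"02:00:00:00:ff:{i:02x}"}) for i in range(count)]


def compare():
    """What the sniffer on port 3 captures on a hub, on a switch, and on a
    switch whose table an attacker has filled first."""
    return {
        "hub": observed(Hub(PORTS), CONVERSATION, PORT["S"]),
        "switch": observed(LearningSwitch(PORTS), CONVERSATION, PORT["S"]),
        "flooded_switch": observed(LearningSwitch(PORTS, table_limit=8),
                                   mac_flood(8, PORT["S"]) + CONVERSATION, PORT["S"]),
    }


if __name__ == "__main__":
    for name, frames in compare().items():
        print(f"{name:15} sniffer captured {frames}")
```

Frame f1 reaches the sniffer on both devices because the switch has not yet learned where B is; once it has, f2 and f3 go to a single port and the promiscuous interface on port 3 never sees them, while the broadcast f4 is still delivered everywhere. The third row is the caveat: a switch limits exposure only while it can learn, so filling its table with bogus source addresses makes it flood like a hub. Treat switching as a reduction in exposure, not as a substitute for encrypting sensitive sessions.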
Terminal Servers
Many organizations use terminal servers to manage and administer headless
systems (systems with no local display, keyboard, or mouse that are managed
through a remote console). While they make efficient use of datacenter space and
enable “lights-out” datacenter environments, terminal servers can have many of the
same vulnerabilities as the systems they manage. For example, the terminal servers
shipped with Sun™ Cluster 3.0 software are normally 8-port Bay Annex servers.
These terminal servers are accessed through Telnet, which carries the console
session, including any root password typed at the console, across the network in
cleartext.