Mastering the Dark Art - A little about hacking.
This article is a very basic introduction to hackers, exploits and hacking concepts.
- Introduction
- The World Of Hacking
- The Theory Of Hacking
- Exploits
- Finding Backdoors
- Defending Hacking Attempts
- References
1. Introduction
Hacking is often used as a buzzword for the activity of intruding into restricted areas by getting around their security settings. A hacker is someone who is able to manipulate the inner workings of computers, information and technology by some means. The word "hacker" started out in the 14th century meaning somebody who was inexperienced or unskilled at a particular activity (such as a golf hacker). In the 1970s, computer enthusiasts used the word "hacker" to refer to themselves. This reflected the way enthusiasts approach computers: they eschew formal education and play around with the computer until they can get it to work. Later, the term became generalized to refer to people who try several ways to manipulate information and technology, often by compromising safety measures. Since most people have little idea of how computers work, they often view hackers with suspicion and awe (much as magicians and witches once were). This suspicion has given the word "hacker" the connotation of someone up to no good.
Serious hacking professionals have significant job opportunities as security analysts and specialists all around the world. At this point, it is important to mention that serious hacking experts are the ones who find pitfalls in security systems in order to strengthen them, not to destroy them. Any kind of hacking attempt without a genuine reason is a serious offence by the standards of cyber law all around the world.
However, these days another type of hacking is also becoming popular. This type of hacking refers to manipulating and modifying the code of open-source programs to make them more reliable, mostly for the good of the public. For example, the Linux kernel is developed by hackers of this second kind. This concept of hacking is somewhat different from the one we saw earlier. In this article, we will deal with the first type of hacking (intrusion hacking) and ways to prevent such intrusion attempts. Learning about hacking techniques is a wonderful way to understand networking concepts and security issues.
2. The World Of Hacking
The world of hacking consists of a wide range of people: security experts and programmers who develop reliable security systems, hackers who create tools to break into these systems (often to prove how fragile they are), and script kiddies who use (or misuse) these tools to break into the boxes (read 'computers') of their friends and enemies for no reason.
Real hackers break into systems using exploits for existing software or hardware. An exploit is a technique for breaking into a system, or a tool that implements the technique. An exploit takes advantage of a weakness or vulnerability in a system in order to hack it. Exploits are the key to hacker culture. Hackers gain fame by discovering exploits. Others gain fame by writing scripts (or programs) for them. Legions of script kiddies then apply the exploit to millions of systems, defacing web pages and gaining their own notoriety. Finding vulnerabilities is a big part of the hacker culture; it is a way of proving that a hacker is "elite". Often these elite hackers join together to form groups. The world's major hacking sites list such elite groups, and the best known are the 'Cult of the Dead Cow' and 'The Raven'.
Hackers break into systems mostly by using the vulnerabilities of computer systems. In the security community, the word "vulnerability" describes a problem (such as a programming bug or a common misconfiguration) that allows a system to be attacked or broken into. The buffer overflow is one such vulnerability that is found in many systems. It arises mainly because programmers often forget to validate input. They (rightly) believe that a legal username is less than 32 characters long, and (wrongly) think they have reserved more than enough memory for it, typically 200 characters. They assume that nobody will enter a name longer than 200 characters, and don't verify this. Malicious hackers exploit this condition by purposely entering user names 1000 characters long.
The average system on the Internet is vulnerable to various well-known buffer overflow attacks. For instance, many Windows NT servers have IIS web services vulnerable to a buffer overflow in the ".htr" handler; many Solaris servers have vulnerable RPC services like 'cmsd', 'ToolTalk' and 'statd'; and many Linux boxes have vulnerable IMAP4, POP3 or FTP services. Programs written in C are the most vulnerable, and C++ is somewhat less so. The reason is that C requires the programmer to check buffer lengths manually.
3. The Theory Of Hacking
On the Internet, computers communicate with each other by sending data packets in a specific format. All data sent is broken up into packets, sent individually across the network, and reassembled into the original data at the other end (using the protocol suite named TCP/IP). Every computer on the Internet has a unique IP (Internet Protocol) address. A port is an extension of an Internet address that tells which program is to receive the data. Often, Internet ports are also referred to as sockets. If a computer 'A' needs to contact 'B', then A must know the IP address of 'B' and also the port to which it can send a request. If 'B' acknowledges the request from 'A', a connection is established. One or more ports on 'B' must be in listening mode to accept connection requests from computers like 'A'. Then, according to the direction of control and data flow, one computer is called the server and the other the client. Various Internet services have pre-defined ports. For example, most web servers run on port 80. If we request a web page from Yahoo using our browser, our computer places a request to port 80 of yahoo.com. The IP address of yahoo.com is fetched from the so-called 'name servers', computers designed to keep the tables that map host names to IP addresses. If the Yahoo server acknowledges the connection, it hands that connection to a new socket on its side to talk with our computer, while the listening socket on the Yahoo server continues listening for further connections.
The Internet has various services such as the World Wide Web (WWW), e-mail and chat. Most of these services have pre-defined listening ports. A web server may have port 80 in listening mode, while a chat server listens on port 6667. It is possible to access different ports at the same time, between different computers. For example, let us assume that there is a server with IP address 192.0.2.111. If we send data to IP 192.0.2.111, port 6667, then we are talking to the Internet Relay Chat (IRC) service. However, if we send something to port 80 on the same machine, then we are talking to the web server on that machine. Various programs are used to implement these services. For instance, Apache and Microsoft IIS are programs that work as web servers (by listening for and handling connection requests on port 80). Most hackers intrude into a target system by using vulnerabilities in such server programs. If an exploit exists for the web server that is running on port 80, then a hacker in the outside world may use it to intrude into the system, deface the website or run arbitrary code.
Other than using such exploits in servers, hackers may use Trojan programs to intrude into a system. The word 'Trojan' refers to the classic Trojan horse from the Iliad. In this story, after giving up on besieging the fortified city of Troy, the Greeks left behind a present: a large wooden horse left on the outskirts of the town. After seeing the Greeks sail off, the citizens brought the wooden horse into town. The horse contained Greek warriors, who promptly jumped out, killed the defenders they met, and opened the city gates, letting in the Greek army, which had actually been hiding rather than sailing off with the ships. In a similar way, hackers send Trojan programs through e-mail and by similar means. Trojans are one of the leading causes of break-ins. If you pull down a program from a chat room, a newsgroup, or even from unsolicited e-mail, then the program is quite likely trojaned (infected with a Trojan) for some subversive purpose. It might contain a virus or a password-grabber, or it might be a remote-admin Trojan designed to allow remote control over your machine. Back Orifice is a famous remote access Trojan of this kind, released in 1998 by the Cult of the Dead Cow group. By promulgating it through their well-oiled propaganda machine, they succeeded in making Back Orifice the archetype for all such programs. In 1999, they released a newer version called BO2K, Back Orifice 2000 (available from http://www.bo2k.com).
Once a Trojan is installed on the system, it opens a port and may act as a server to host hacking attempts. A hacker may use a port scanner to find such a vulnerable port. In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine (the maximum number of ports possible) in order to see if anybody is listening on those ports. Port scans are not illegal in many places; laws have yet to be written on the subject. Full port scans of all 65536 ports are rarely seen, especially since they are so obvious. Instead, hackers strobe for just the ports they are interested in, typically fewer than 10. Also, a hacker will often sweep thousands (or millions) of machines rather than a single machine, looking for any system that might be vulnerable. The best tool for doing port scans is 'nmap' from http://www.insecure.org/nmap (in the last film of the Matrix Trilogy, 'Trinity' uses nmap to scan for and find a vulnerable SSH server). If a port is found open, the hacker may identify the program running on that port and test whether this program has any known vulnerability. If so, that vulnerability is used to intrude into the system.
Another common hacking method is the 'trial and error' method. In this technique, the hacker connects to a server through various means such as Telnet or NetBIOS and tries to log in to the system by guessing the username and password. Often, utility programs are used to help the hacker do this. Hackers use the jargon term 'grind' for continuously guessing passwords until the right one is found. In hackers' chat rooms, you will often hear about 'grinding a box' (read 'trying to get into a computer'). Secure systems (UNIX, Windows NT) lock out accounts (deny further login attempts) after a certain number of unsuccessful tries. These lockouts can either be temporary (and restore themselves automatically) or permanent until an administrator intervenes and unlocks the account. Non-secure systems (Win9x and many software applications) do not lock out accounts. For example, if you have Win9x "File and Print Sharing" turned on and protected with a password, a hacker can try continuously and invisibly to gain access to your machine.
4. Exploits
Hackers learn about exploits from other hackers and from various security sites. A newly found exploit is termed a 0-day (zero-day) exploit. The term describes an exploit that is not publicly known: tools written by elite hackers who have discovered a new bug and shared it only with close friends, or some new exploit for compromising popular services (the usual suspects: BIND, FTP services, Linux distros, Microsoft IIS, Solaris servers). Many 0-day exploits are discovered by the victims when hackers use them, or by honey pots.
The term "0-day" reflects the fact that the value of an exploit drops quickly as soon as it is announced. The next day it is half as valuable. The second day it is a quarter as valuable. Ten days later it is 1/1000 as valuable as on day 0. This is because script kiddies quickly use the exploit on computers throughout the Internet, compromising systems before anybody else can get to them. Once an exploit is made public, it is announced on various security sites to alert administrators to fix the problem on their systems. Some sites even provide scripts to check for the problem (which may be misused by script kiddies) and updates or patches (programs for administrators to fix the problem). Here are a few sites that keep 'hot lists' of recent exploits:
- Packet Storm Security - http://www.packetstormsecurity.com/
- Security Focus - http://www.securityfocus.com/
- Security Team - http://www.securiteam.com
5. Finding Backdoors
Hacking techniques vary greatly, depending on the operating system used by the victim, the tools available, and so on. Hackers commonly refer to finding a channel into the victim system as 'opening a back door'. A back door is a secret entry into a computer that bypasses its security settings. Finding back doors by using known security exploits is the common method. The story of how hackers find these exploits is very interesting. Sometimes it happens by accident, and sometimes it is an educated guess by a clever mind. For instance, let us have a look at a striking real-world example.
Microsoft Internet Information Server is Microsoft's web server (for hosting web sites). Whenever you pay a reputable Internet Service Provider to host your website, chances are that they are using Microsoft IIS to host it.
Interestingly, IIS has a famous exploit named the Unicode exploit. As we know, computers just deal with numbers: a computer stores letters and other characters by assigning a number to each one. Unicode provides a unique number for every character and forms a single character set across all languages. Unicode is a character-coding scheme, much like ASCII. ASCII is eight bit while Unicode is 16 bit. As it can accommodate more character codes, Unicode has support for more languages, while ASCII supports only the English language. Unicode extensions are installed by default with Microsoft Internet Information Server (IIS) versions 4.0 and 5.0. This is to allow characters that are not used in the English language to be recognized by the web server. The IIS Unicode exploit allows users to run arbitrary commands on the web server. IIS servers with the Unicode extensions loaded are vulnerable unless they are running current patches.
The IIS Unicode exploit uses malformed URLs to traverse directories and execute arbitrary commands on vulnerable web servers. A URL (Uniform Resource Locator) is a string which tells the browser the server name and the file name it should access. For instance, 'http://www.yahoo.com' (without quotes) is the URL of the Yahoo website, and 'http://www.yahoo.com/index.html' represents a file named 'index.html' in the root directory of Yahoo's web server. The IIS Unicode exploit uses a Unicode representation of the directory delimiter (/) to fool IIS. Because the exploit uses HTTP, it works right from the address bar of a browser. In other words, a hacker can use his browser to hack into the server!
For example, consider a site www.somesite.com that is running IIS as its web server. To understand the actual attack we will closely examine a sample of the exploit. The user can type the following URL into the location bar of his browser (without quotes) to make IIS execute cmd.exe (the command shell for Windows) and list the directory of the C drive.
“http://www.somesite.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\”
We notice that the URL calls something from the /scripts directory on the server www.somesite.com. For this particular version of the exploit, the scripts directory must exist and the path to the executable cmd.exe must be correct. The next string we see is "..%c0%af". The characters "%c0%af" are an overlong Unicode (UTF-8) representation of '/'. If this Unicode flaw is present on the server, the URL will be interpreted as:
“http://www.somesite.com/scripts/../../winnt/system32/cmd.exe?/c+dir+c: ”
The URL backs out of the web root to the root directory of the server, then calls winnt\system32\cmd.exe. We are using the command interpreter (cmd.exe) to execute the command 'dir c:\'. Other commands can be run the same way. Thus, a hacker can execute his own commands on the remote system. Various hackers and script kiddies use this security problem in IIS to steal data and to deface websites. Windows, Unix and Linux boxes all around the world have various such known and unknown backdoors.
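As an added example (not code from the original article), here is a small Python checker that shows why the URL above is dangerous and how a server should treat it: it percent-decodes the path, decodes the bytes leniently (accepting overlong sequences, as the unpatched IIS did) to see where the request really lands, and shows that a strict UTF-8 decoder rejects the "%c0%af" sequence outright. The web root path is an assumption for the illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed web root for the illustration; the real IIS directory layout differs.
WEB_ROOT = "/inetpub/wwwroot"


def decode_utf8_lenient(raw: bytes):
    """Decode UTF-8 the permissive way, accepting overlong sequences such as
    C0 AF for '/', and report whether any overlong sequence was seen.
    A strict decoder (Python's default) rejects such sequences instead."""
    out, overlong, i, n = [], False, 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:                      # plain ASCII byte
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            length, cp, floor = 2, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, cp, floor = 3, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            length, cp, floor = 4, b & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + length > n or any(raw[i + k] & 0xC0 != 0x80 for k in range(1, length)):
            raise ValueError(f"truncated or malformed sequence at offset {i}")
        for k in range(1, length):
            cp = (cp << 6) | (raw[i + k] & 0x3F)
        if cp < floor:                    # encoded with more bytes than needed
            overlong = True
        out.append(chr(cp))
        i += length
    return "".join(out), overlong


def audit_request_path(url: str, web_root: str = WEB_ROOT) -> dict:
    """Report where a request path really resolves once percent-encoding and
    UTF-8 are decoded, and whether a strict decoder would have refused it."""
    path = url.split("?", 1)[0]           # drop the query string (the command part)
    raw = unquote_to_bytes(path)          # "%c0%af" -> b"\xc0\xaf"
    decoded, overlong = decode_utf8_lenient(raw)
    try:
        raw.decode("utf-8")               # strict decoding, the safe behaviour
        strict_rejects = False
    except UnicodeDecodeError:
        strict_rejects = True
    # Resolve ".." the way the file system would, then check containment.
    target = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    inside = target == web_root or target.startswith(web_root + "/")
    return {"decoded": decoded, "overlong": overlong,
            "strict_rejects": strict_rejects, "target": target, "inside_root": inside}


if __name__ == "__main__":
    for u in ("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\",
              "/scripts/report.asp?id=3"):
        print(u, audit_request_path(u))
```

The lesson for the server side is the order of operations: decode strictly first, canonicalise, and only then check that the target stays inside the web root.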
Another infamous back door in Windows XP is the UPnP back door. If you are running Windows XP, chances are that you are already vulnerable because of the UPnP (Universal Plug and Play) service, which is used to detect and integrate with UPnP-aware devices. Windows XP installs UPnP by default. UPnP has several issues that allow a hacker to intrude into a system running the UPnP service. By sending a malicious spoofed UDP packet containing an SSDP (Simple Service Discovery Protocol) advertisement, an attacker can force the XP/ME client to connect back to a specified IP address and pass on a specified HTTP/HTTPS request.
An example session:
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1
LOCATION: URL
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: ANOOP/2001 UPnP/1.0 PASSITON/1.1
USN: uuid:ANOOP
The above packet data needs to be sent as a UDP packet to port 1900 of the XP/ME machine. UDP (User Datagram Protocol) is essentially a lightweight counterpart of TCP: whereas TCP automatically retransmits lost packets, UDP does not care about lost packets. An easy way to send such a UDP packet is to write a simple script that delivers the data to port 1900 of the victim. When the XP machine receives this request, it interprets the URL following the LOCATION header. With no sanitizing of the URL, it is passed on to the functions in the Windows Internet Services API; the string is broken down and a new session is created.
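As an added example (not from the original article), here is a Python detector that parses SSDP NOTIFY datagrams of the form shown above and flags the traits of a spoofed advertisement: a datagram whose source is outside the local network, and a LOCATION URL that points somewhere other than the advertising host. The two sample datagrams, the local network 192.168.1.0/24 and all addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples in the shape of the NOTIFY shown above (documentation
# address ranges). The first advertises a LOCATION outside the LAN.
SPOOFED_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1\r\n"
    b"LOCATION: http://198.51.100.7:8080/igd.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: ANOOP/2001 UPnP/1.0 PASSITON/1.1\r\n"
    b"USN: uuid:ANOOP\r\n\r\n"
)
BENIGN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.20:2869/igd.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:router-1\r\n\r\n"
)


def parse_ssdp(datagram: bytes):
    """Split an SSDP datagram into its start line and a header dict (names upper-cased)."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def assess_notify(src_ip: str, datagram: bytes, local_net: str = "192.168.1.0/24"):
    """Return the reasons a NOTIFY looks spoofed; an empty list means nothing odd."""
    start, headers = parse_ssdp(datagram)
    if not start.startswith("NOTIFY"):
        return []
    net, src = ipaddress.ip_network(local_net), ipaddress.ip_address(src_ip)
    reasons = []
    if src not in net:
        reasons.append("datagram source is outside the local network")
    parts = urlsplit(headers.get("LOCATION", ""))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        reasons.append("LOCATION is not an http(s) URL")
        return reasons
    try:
        loc_ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        reasons.append("LOCATION names a host instead of a LAN address")
        return reasons
    if loc_ip not in net:
        reasons.append("LOCATION points outside the local network")
    if loc_ip != src:
        reasons.append("LOCATION host differs from the advertising host")
    return reasons
```

A host-based check like this complements the mitigation given later in the article (disabling the UPnP service where it is not needed), because SSDP is link-local by design and advertisements should never arrive from, or point to, addresses outside the LAN.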
6. Defending Hacking Attempts
These days, most hacking attempts can (theoretically) be traced easily. Whether the hacker is using a dial-up connection or a wireless connection, either the computer the hacker used or the exact position of the hacker can be detected. Often, though, this is of little use because hackers have better methods of fooling the authorities, such as using third-party systems (like a computer in a cyber café) to intrude into other systems. In the case of wireless connections, the hacker's physical position can be traced easily, but wise hackers who use wireless connections often keep changing their location (for example, attempting intrusions from a moving train).
Defending against hacking is a tough job even for experienced administrators, because hackers and third parties frequently discover new exploits in existing programs. Known vulnerabilities should be 'patched' (fixed) rapidly, in order to prevent hackers from using them to intrude into the system. To prevent intrusion attempts, organizations may use intrusion detection systems and firewalls. A firewall is a device or piece of software that isolates a network from the Internet. The word is derived from construction, where "firewalls" isolate areas of a building in order to stop a fire from spreading. All packets between the organization and the Internet flow through the firewall. It acts as a "gate" with virtual guards that examine the traffic and decide whether to allow it or block it. Some organizations also deploy decoy systems that pretend to be real ones, possibly even ones that can easily be exploited, in order to lure intruders and observe how they break in. Such systems for detecting hackers are termed 'honey pots'.
A common misunderstanding is that firewalls recognize attacks and block them. This is not true: a firewall simply restricts access to designated points. In contrast, an IDS (Intrusion Detection System) is a much more dynamic system; an IDS does recognize attacks against the network that firewalls are unable to see. Some handy ways to prevent intrusion into Windows systems include:
- Install the latest patches from Microsoft. See http://www.microsoft.com/security/
- Install a personal firewall, such as the one from Zone Labs (http://www.zonelabs.com)
- Turn off print sharing. When print sharing is turned on, the system creates a PRINTER$ share that allows remote systems to access printer drivers from the local system32 directory. Unfortunately, this also allows remote systems to access non-driver files, such as the Win9x password file (when combined with other Win9x bugs).
- Turn off file sharing. If you must share files, choose a strong password, turn sharing on only for the brief period in which you need it, and then turn it off again.
- Rename the "administrator" account and disable the "guest" account from the Control Panel on Windows NT systems.
- Enable lockout of the "administrator" account for remote access.
- On Windows XP systems, disable the Remote Assistance and UPnP services from the administration section of the Control Panel.
7. References
- CERT intruder detection checklist - ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist
- Common Vulnerabilities and Exposures (CVE) list - http://www.cve.mitre.org/
- Microsoft Baseline Security Analyzer - http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
- Hackers Dictionary - http://www.robertgraham.com
- The Advanced Hackers Guide (search for it on Yahoo, Google or MSN)
- Back Orifice - http://www.bo2k.com
- Insecure.org - http://www.insecure.org
1 comment:
For the correct interpretation of the word "hacker" and other related terms, please visit http://www.catb.org/~esr/jargon/.
Also see the definition at http://en.wikipedia.org/wiki/Hacker.
It is unfortunate that a "hacker" is often seen as a person who cracks into someone else's computer. (They are crackers, not hackers.) In computer programming, a hacker is a software designer and programmer who builds elegant, beautiful programs and systems. In this article, you ought to have explained how to write beautiful and useful programs.