hands on hacking professional development for north carolina computer instructors


Upload: owen-chase

Post on 27-Mar-2015


Page 1: Hands On Hacking Professional Development for North Carolina Computer Instructors

Hands On Hacking

Professional Development for North Carolina Computer Instructors

Page 2

Outline

• Brief History of Hacking
• Recent Trends: DDoS, Spam, Viruses, Identity Theft
• What is a Hacker?
• What is Ethical Hacking?
• Anatomy of an Attack:
  • Reconnaissance
  • Scanning
  • Gaining access
  • Maintaining access
  • Covering tracks
• Web Sites for Hacking Tools

Page 3

Brief History of Hacking

PREHISTORY (before 1969)

• 1960s: The Dawn of Hacking. Original meaning of the word "hack" started at MIT; meant elegant, witty or inspired way of doing almost anything; hacks were programming shortcuts

ELDER DAYS (1970-1979)

• 1970s: Phone Phreaks and Cap'n Crunch: One phreak, John Draper (aka "Cap'n Crunch"), discovers a toy whistle inside Cap'n Crunch cereal gives 2600-hertz signal, and can access AT&T's long-distance switching system.
• Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes.

THE GOLDEN AGE (1980-1991)

• 1983: Kids' Games. Movie "War Games" introduces public to hacking.
• THE GREAT HACKER WAR: Legion of Doom vs Masters of Deception;
• 1984: Hacker 'Zines

CRACKDOWN (1986-1994)

• 1986: Computer Fraud and Abuse Act
• 1988: The Morris Worm

Page 4

• 1989: THE GERMANS, THE KGB AND KEVIN MITNICK
  • German Hackers breaking into U.S. computers; sold information to Soviet KGB.
  • Hacker "The Mentor" publishes Hacker's Manifesto.
  • Kevin Mitnick arrested.
• 1993: Why Buy a Car When You Can Hack One? Call-in contest; Kevin Poulsen cracks phone; gets two Porsches, $20,000 cash, vacation trips; Poulsen now covering computer crime. http://www.securityfocus.com

ZERO TOLERANCE (1994-1998)

• 1995: The Mitnick Takedown: Arrested again.
• 1995: Russian Hackers Siphon $10 million from Citibank.
• Oct 1998: teenager hacks into Bell Atlantic phone system; disables communication at airport and disables runway lights.
• 1999: hackers attack Pentagon, MIT, FBI web sites.
• 1999: E-commerce company attacked; blackmail threats followed by 8 million credit card numbers stolen.

(www.blackhat.info; www.h2k2.net; www.slais.ubc.ca/; www.sptimes.com; www.tlc.discovery.com)

Page 5

Recent Trends: DDoS, Spam, Viruses, Identity Theft, Phishing, Pharming

• Phishing: Attackers coined term “phishing” 1996 – swindling AOL customers into giving up their passwords. (www.zdnet.com) Email fraud epidemic; 1100 phishing campaigns in April; 178% increase from previous month; 4000% increase since November 2003. Gartner Group study: 40% of all online users received phishing email; legit looking email and asked for information; visit a site that installs spyware or Trojan program allowing backdoor. (www.technewsworld.com)
• “Warspammers”: drive by spamming; compromises wireless LANs to send spam; estimated 60-80% corp. wireless networks unsecured; war driving and war chalking also on the rise. (www.zdnet.com)

Page 6

• Advanced Fee Fraud: Speculated that terrorists and organized crime make money through use of advanced fee fraud (Nigerian-style) and pirated software. Victims “hired”; sent PC to ship to buyer; victim sent cashier's check; told to deduct salary and mail back remainder; checks are counterfeit; PCs purchased with stolen credit cards. (www.securityfocus.com)
• Virus Gangs - trying to control their “turf”; gained access with Trojans; launch a DDoS; sell to spammers who use them anonymously to send spoofed spam; three groups: MyDoomers, Bagles, Netskys. (www.zdnet.com)
• Recent arrest: Netsky / Sasser author Sven, 18 yr old in Germany; responsible for 70% viruses in 2004; virus deletes “MyDoom” from PCs; after Microsoft offered ¼ million reward, his friend turned him in. (www.zdnet.com)
• Six men charged with DDoS attack against business rival; hired hackers; victims suffer $2 million loss. (www.zdnet.com)

Page 7

• Gathering DDoS Storm: Estimated 90% of all home PCs infected by spyware and Trojans; suggests potential for largest DDoS attack "on a scale never before experienced;" attackers who own zombies sell them to spammers. (www.networkmagazine.com)
• Google being used by hackers to see what people photocopy; search engines cache or index everything on the Internet. (www.ZDNet.com)
• Pharmers “poison” DNS server redirecting Web requests somewhere else; browser appears to be connected to the right site and user is unaware. (www.ZDNet.com)
• Cell Phone Virus: codenamed "Cabir," attacks Nokia phone enabled with Bluetooth technology. (www.eweek.com)
• 2005: Paris Hilton smartphone hacked; celebrity phone numbers listed on Internet. (www.cnet.com)

Page 8

What is a Hacker?

• Old School Hackers: 1960s style Stanford or MIT hackers. Do not have malicious intent, but do have lack of concern for privacy and proprietary information. They believe the Internet was designed to be an open system.
• Script Kiddies or Cyber-Punks: Between 12-30; predominantly white and male; bored in school; get caught due to bragging online; intent is to vandalize or disrupt systems.
• Professional Criminals or Crackers: Make a living by breaking into systems and selling the information.
• Coders and Virus Writers: See themselves as an elite; programming background and write code but won’t use it themselves; have their own networks called “zoos”; leave it to others to release their code into “The Wild” or Internet. (www.tlc.discovery.com)

Page 9

Hacker classes

• Black hats – highly skilled, malicious, destructive “crackers”
• White hats – skills used for defensive security analysts
• Gray hats – offensively and defensively; will hack for different reasons, depends on situation.
• HaXor – want to be hackers for wrong reasons, and lack the skill (www.cnet.com)
• Hactivism – hacking for social and political cause.
• Ethical hackers – determine what attackers can gain access to, what they will do with the information, and can they be detected.
• Any computer connected to Internet scanned several times a day as a general rule.

Page 10

What is Ethical Hacking?

• Ethical hacking – defined “methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems’ operating environments.”

Anatomy of an attack:

• Reconnaissance – attacker gathers information; can include social engineering.
• Scanning – searches for open ports (port scan) probes target for vulnerabilities.
• Gaining access – attacker exploits vulnerabilities to get inside system; used for spoofing IP.
• Maintaining access – creates backdoor through use of Trojans; once attacker gains access makes sure he/she can get back in.
• Covering tracks – deletes files, hides files, and erases log files. So that attacker cannot be detected or penalized.

(www.eccouncil.org)

Page 11

Reconnaissance

• Reconnaissance: attacker seeks to gather information
• Footprinting: blueprinting of the security profile of organization or target system undertaken in a methodological manner.
• Locate network range, active machines, open ports/access points, determine operating systems
• Hacking Tool: NS Lookup - get host name, IP address (online www.zoneedit.com/lookup.html)
• Hacking Tool: Tracert (command prompt)
• Hacking Tool: Trout
• Hacking Tool: VisualWare

Page 12

Scanning

• Attacker builds attack plan; finds limits of network; assesses perimeter defenses; uses war dialers and ping.
• War dialers exploit unsecured modem to gain access; ping detects current state
• Hacking Tool: Ping (command prompt)
• Hacking Tool: Genius (www.indiesoft.com/genius322.exe)
• Hacking Tool: LanNetScan
• Hacking Tool: NMap
• Hacking Tool: THC-Scan
• Hacking Tool: IPEye/IPSECSCAN

Page 13

Gaining Access

• Includes password guessing and cracking, password sniffing, vulnerability scanning, keystroke logging.
• Password attacks: dictionary attack – taking list of words; brute force attack – all possible passwords.
• Places backdoor with a Trojan; removes evidence from event system logs; disables antivirus.
• Hacking Tool: Legion
• Hacking Tool: Brutus
• Hacking Tool: Sam Spade
• Hacking Tool: Spector Pro
• Hacking Tool: eBlaster
• Hacking Tool: John the Ripper
• Hacking Tool: Attacker
• Hacking Tool: SuperScan

Page 14

Using Sniffers and Keyloggers

• Sniffer is software that captures network traffic; listens in; does not intercept or interfere; used for retrieving passwords and user names.
• Hacking Tool: Ethereal
• Hacking Tool: Snort
• Hacking Tool: Cain & Abel
• Hacking Tool: Iris
• Hacking Tool: HomeKeylogger
• Hacking Tool: PerfectKeylogger

Page 15

Crashing Servers

• Denial of Service (DoS): renders system unusable or significantly ties up resources and slows network.
• Distributed Denial of Service (DDoS) attack: breaking into many machines to launch coordinated DOS attack by installing DDoS software on them.
• Ping of death: DoS whereby attacker sends IP packet larger than 65,536 bytes normally allowed; causes buffer overflow, freezes, reboots.
• Hacking Tool: Ping of Death
• Hacking Tool: Trinoo
• Hacking Tool: Smurf
• Viruses Hacking Tool: Senna Spy
• Wireless Hacking Tool: AirSnort
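The oversized-packet condition behind the ping of death can be rejected per fragment, before reassembly. The following is an added example, not part of the original slides: the headers are constructed samples and the function names are illustrative. It relies on the IPv4 total-length field being 16 bits, so a reassembled datagram can hold at most 65,535 bytes.

```python
import struct

MAX_IPV4_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits


def build_header(total_length, offset_units, more_fragments):
    """Build a constructed 20-byte IPv4/ICMP header for the demo (checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0x1234, flags_frag,
        64, 1, 0,
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),  # documentation addresses
    )


def reassembled_end(header):
    """Byte position where this fragment's data ends in the rebuilt datagram."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag = struct.unpack(
        "!BBHHH", header[:8]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or total_length < header_len:
        raise ValueError("inconsistent length fields")
    offset_bytes = (flags_frag & 0x1FFF) * 8  # offset is counted in 8-byte units
    payload_len = total_length - header_len
    return header_len + offset_bytes + payload_len


def is_oversized_fragment(header):
    """True when accepting this fragment would overrun a 65,535-byte buffer."""
    return reassembled_end(header) > MAX_IPV4_DATAGRAM


# Constructed samples: a normal ping, the largest legal final fragment,
# and a final fragment whose offset plus length passes the limit.
SAMPLES = {
    "ordinary echo request": build_header(84, 0, False),
    "largest legal last fragment": build_header(23, 8189, False),
    "oversized last fragment": build_header(1020, 8189, False),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        verdict = "DROP" if is_oversized_fragment(hdr) else "ok"
        print(f"{name:30s} end={reassembled_end(hdr):6d} {verdict}")
```

The check works because no single fragment is oversized on its own; only the sum of offset and length exceeds the limit, which is why it has to run before the fragment is copied into the reassembly buffer.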

Page 16

Maintaining Access

• Trojan: typically unauthorized program within legitimate program; can be altered legitimate program; or any program that appears to perform desirable functions but also performs functions unknown to user.
• Different types of Trojans: remote access, password sending, keyloggers, destructive, denial of service, ftp, software detection killers.
• Trojans gain and retain access; can alter registry; allow administrator access.
• Hacking Tool: Tini
• Hacking Tool: SubSeven
• Hacking Tool: BackOrifice
• Hacking Tool: Loki
• Hacking Tool: Whack A Mole

Page 17

Covering Tracks

• Steganography: art and science of hiding information by embedding message within other objects; cannot be detected; objects include: audio or video files, graphics, “white spaces” within documents.
• Hacking Tool: Image Hide www.dancemammal.com
• Hacking Tool: Snow
• Hacking Tool: Camera/Shy
• Hacking Tool: StegDetect
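A defender's check for the "white spaces" carrier named above, as an added example that is not part of the original slides. It assumes the hidden data sits in trailing runs of spaces and tabs at line ends; the sample texts are constructed, and the three-line threshold is an illustrative assumption.

```python
import re

TRAILING_WS = re.compile(r"[ \t]+$")


def trailing_whitespace_profile(text):
    """Return (line_number, run_length, mixes_tabs_and_spaces) per affected line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = TRAILING_WS.search(line)
        if match:
            run = match.group(0)
            findings.append((number, len(run), " " in run and "\t" in run))
    return findings


def looks_like_whitespace_carrier(text, min_mixed_lines=3):
    """Heuristic: several lines ending in mixed tab/space runs are unusual.

    One stray trailing space is common editor noise; repeated mixed runs
    are not. The threshold is an assumption to tune per document source.
    """
    mixed = [f for f in trailing_whitespace_profile(text) if f[2]]
    return len(mixed) >= min_mixed_lines


def strip_trailing_whitespace(text):
    """Mitigation: normalising line ends destroys anything stored there."""
    return re.sub(r"[ \t]+(\r?)$", r"\1", text, flags=re.MULTILINE)


# Constructed samples: clean text, ordinary editor noise, and text whose
# line ends carry mixed tab/space runs.
CLEAN = "Meeting moved to 3pm.\nBring the quarterly report.\nThanks,\nPat\n"
SLOPPY = "Meeting moved to 3pm. \nBring the quarterly report.\nThanks,\nPat\n"
SUSPECT = (
    "Meeting moved to 3pm. \t   \t\n"
    "Bring the quarterly report.\t \t  \n"
    "Thanks,  \t \n"
    "Pat\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("sloppy", SLOPPY), ("suspect", SUSPECT)):
        print(name, trailing_whitespace_profile(sample),
              looks_like_whitespace_carrier(sample))
```

All three samples render identically on screen, so the difference only shows up when the raw bytes are inspected or normalised at a mail or document gateway.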

Page 18

Web Sites for Hacking Tools

• http://www.foundstone.com
• http://www.thenetworkadministrator.com/top2004hackertools.htm
• http://www.hackingexposed.com/tools/tools.html
• http://www.insecure.org/tools.html