Hacking the Hacker - Roger A. Grimes - E-Book

Description

Meet the world's top ethical hackers and explore the tools of the trade.

Hacking the Hacker takes you inside the world of cybersecurity to show you what goes on behind the scenes, and introduces you to the men and women on the front lines of this technological arms race. Twenty-six of the world's top white hat hackers, security researchers, writers, and leaders describe what they do and why, with each profile preceded by a no-experience-necessary explanation of the relevant technology. Dorothy Denning discusses advanced persistent threats, Martin Hellman describes how he helped invent public key encryption, Bill Cheswick talks about firewalls, Dr. Charlie Miller talks about hacking cars, and other cybersecurity experts from around the world detail the threats, their defenses, and the tools and techniques they use to thwart the most advanced criminals history has ever seen. Light on jargon and heavy on intrigue, this book is designed to be an introduction to the field; final chapters include a guide for parents of young hackers, as well as the Code of Ethical Hacking to help you start your own journey to the top.

Cybersecurity is becoming increasingly critical at all levels, from retail businesses all the way up to national security. This book drives to the heart of the field, introducing the people and practices that help keep our world secure.

* Go deep into the world of white hat hacking to grasp just how critical cybersecurity is
* Read the stories of some of the world's most renowned computer security experts
* Learn how hackers do what they do, no technical expertise necessary
* Delve into social engineering, cryptography, penetration testing, network attacks, and more

As a field, cybersecurity is large and multi-faceted, yet not historically diverse. With a massive demand for qualified professionals that is only going to grow, opportunities are endless. Hacking the Hacker shows you why you should give the field a closer look.

Page count: 424



Table of Contents

Cover

Title Page

Foreword

Introduction

1 What Type of Hacker Are You?

Most Hackers Aren’t Geniuses

Defenders Are Hackers Plus

Hackers Are Special

Hackers Are Persistent

Hacker Hats

2 How Hackers Hack

The Secret to Hacking

Hacking Ethically

3 Profile: Bruce Schneier

For More Information on Bruce Schneier

4 Social Engineering

Social Engineering Methods

Social Engineering Defenses

5 Profile: Kevin Mitnick

For More Information on Kevin Mitnick

6 Software Vulnerabilities

Number of Software Vulnerabilities

Why Are Software Vulnerabilities Still a Big Problem?

Defenses Against Software Vulnerabilities

Perfect Software Won’t Cure All Ills

7 Profile: Michael Howard

For More Information on Michael Howard

8 Profile: Gary McGraw

For More Information on Gary McGraw

9 Malware

Malware Types

Number of Malware Programs

Mostly Criminal in Origin

Defenses Against Malware

10 Profile: Susan Bradley

For More Information on Susan Bradley

11 Profile: Mark Russinovich

For More on Mark Russinovich

12 Cryptography

What Is Cryptography?

Why Can’t Attackers Just Guess All the Possible Keys?

Symmetric Versus Asymmetric Keys

Popular Cryptography

Hashes

Cryptographic Uses

Cryptographic Attacks

13 Profile: Martin Hellman

For More Information on Martin Hellman

14 Intrusion Detection/APTs

Traits of a Good Security Event Message

Advanced Persistent Threats (APTs)

Types of Intrusion Detection

Intrusion Detection Tools and Services

15 Profile: Dr. Dorothy E. Denning

For More Information on Dr. Dorothy E. Denning

16 Profile: Michael Dubinsky

For More Information on Michael Dubinsky

17 Firewalls

What Is a Firewall?

18 Profile: William Cheswick

For More Information on William Cheswick

19 Honeypots

What Is a Honeypot?

Interaction

Why Use a Honeypot?

Catching My Own Russian Spy

Honeypot Resources to Explore

20 Profile: Lance Spitzner

For More Information on Lance Spitzner

21 Password Hacking

Authentication Components

Hacking Passwords

Password Defenses

22 Profile: Dr. Cormac Herley

For More Information on Dr. Cormac Herley

23 Wireless Hacking

The Wireless World

Types of Wireless Hacking

Some Wireless Hacking Tools

Wireless Hacking Defenses

24 Profile: Thomas d’Otreppe de Bouvette

For More Information on Thomas d’Otreppe de Bouvette

25 Penetration Testing

My Penetration Testing Highlights

How to Be a Pen Tester

26 Profile: Aaron Higbee

For More Information on Aaron Higbee

27 Profile: Benild Joseph

For More Information on Benild Joseph

28 DDoS Attacks

Types of DDoS Attacks

DDoS Tools and Providers

DDoS Defenses

29 Profile: Brian Krebs

For More Information on Brian Krebs

30 Secure OS

How to Secure an Operating System

Security Consortiums

31 Profile: Joanna Rutkowska

For More Information on Joanna Rutkowska

32 Profile: Aaron Margosis

For More Information on Aaron Margosis

33 Network Attacks

Types of Network Attacks

Network Attack Defenses

34 Profile: Laura Chappell

For More Information on Laura Chappell

35 IoT Hacking

How Do Hackers Hack IoT?

IoT Defenses

36 Profile: Dr. Charlie Miller

For More Information on Dr. Charlie Miller

37 Policy and Strategy

Standards

Policies

Procedures

Frameworks

Regulatory Laws

Global Concerns

Systems Support

38 Profile: Jing de Jong‐Chen

For More Information on Jing de Jong‐Chen

39 Threat Modeling

Why Threat Model?

Threat Modeling Models

Threat Actors

40 Profile: Adam Shostack

For More Information on Adam Shostack

41 Computer Security Education

Computer Security Training Topics

Training Methods

42 Profile: Stephen Northcutt

For More Information on Stephen Northcutt

43 Privacy

Privacy Organizations

Privacy‐Protecting Applications

44 Profile: Eva Galperin

For More Information on Eva Galperin

45 Patching

Patching Facts

Common Patching Problems

46 Profile: Window Snyder

For More Information on Window Snyder

47 Writing as a Career

Computer Security Writing Outlets

Professional Writing Tips

48 Profile: Fahmida Y. Rashid

For More Information on Fahmida Y. Rashid

49 Guide for Parents with Young Hackers

Signs Your Kid Is Hacking

Not All Hacking Is Bad

How to Turn Around Your Malicious Hacker

50 Hacker Code of Ethics

Hacker Code of Ethics

End User License Agreement

Hacking the Hacker

Learn from the Experts Who Take Down Hackers

Roger A. Grimes

Foreword

Roger Grimes has worked in the computer security industry for nearly three decades, and I’ve had the pleasure of knowing him for roughly half that time. He’s one of a select few professionals I’ve met who clearly has security in his bones—an intuitive grasp of the subject that, coupled with his deep experience catching bad guys and rooting out weaknesses in security defenses, makes him uniquely qualified to write this book.

Roger first began writing for InfoWorld in 2005 when he sent an email criticizing the work of a security writer, a critique that carried so much weight we immediately asked him to contribute to the publication. Since then he has written hundreds of articles for InfoWorld, all of which exhibit a love of the subject as well as a psychological understanding of both malicious hackers and the people who defend against them. In his weekly “Security Adviser” column for InfoWorld, Roger shows a unique talent for focusing on issues that matter rather than chasing ephemeral threats or overhyped new technologies. His passion for convincing security defenders and their C‐suite bosses to do the right thing has been steadfast, despite the unfortunate inclination of so many organizations to neglect the basics and flock to the latest shiny new solution.

In this book, Roger identifies the ethical hackers in this industry who have made a difference. Their tireless efforts help hold the line against a growing horde of attackers whose objectives have shifted over the years from destructive mischief to the ongoing theft of precious intellectual property and millions of dollars from financial institutions and their customers. We owe these people an enormous debt. In providing a forum for the likes of Brian Krebs, Dr. Dorothy Denning, and Bruce Schneier, Roger pays tribute to their efforts while delivering a fascinating compendium that entertains as well as informs. It’s essential reading for anyone interested in computer security and the people who strive against all odds to keep us safe.

Eric Knorr, Editor-in-chief, InfoWorld

Introduction

The intent of this book is to celebrate the world of computer security defenders by profiling some of the world’s best whitehat hackers, defenders, privacy protectors, teachers, and writers. It’s my hope that you’ll walk away with a greater appreciation of the behind-the-scenes efforts it took to give us the fantastic world of computers we live in today. Without all the good people on our side fighting against those who would do us harm, computers, the Internet, and everything connected to them would not be possible. This book is a celebration of the defenders.

I want to encourage anyone contemplating a career in computers to consider a career in computer security. I also want to encourage any budding hackers, especially those who might be struggling with the ethics of their knowledge, to pursue a career in computer security. I’ve made a good life fighting malicious hackers and their malware creations. I’ve been able to explore every single hacking interest I’ve had in an ethical and law‐abiding way. So, too, do tens of thousands of others. Computer security is one of the hottest and best paying careers in any country. It has been very good to me, and it can be for you, too.

For most of this book, I provide a chapter that summarizes how a particular style of hacking is accomplished, and then I follow it with one or more profiles of computer security defenders lauded in that field. I’ve tried to pick a variety of representative industry legends, luminaries, and even some relative unknowns who are brilliant for what they have accomplished even if they are obscure outside their industry. I tried to choose a good cross-section of academics, corporate vendors, teachers, leaders, writers, and private practitioners located in the United States and around the world. I hope readers interested in computer security careers can find the same motivation I did to help make computing significantly safer for all of us.

Go fight the good fight!

1 What Type of Hacker Are You?

Many years ago, I moved into a house that had a wonderful attached garage. It was perfect for parking and protecting my boat and small RV. It was solidly constructed, without a single knot in any of the lumber. The electrical work was professional and the windows were high‐quality and rated for 150 mph winds. Much of the inside was lined with aromatic red cedar wood, the kind that a carpenter would use to line a clothing chest or closet to make it smell good. Even though I can’t hammer a nail straight, it was easy for me to see that the constructor knew what he was doing, cared about quality, and sweated the details.

A few weeks after I moved in, a city official came by and told me that the garage had been illegally constructed many years ago without a permit and I was going to have to tear it down or face stiff fines for each day of non‐compliance. I called up the city to get a variance since it had been in existence for many years and was sold to me as part of my housing purchase. No dice. It had to be torn down immediately. A single day of fines was more than I could quickly make selling any of the scrap components if I took it down neatly. Financially speaking, the sooner I tore it down and had it hauled away, the better.

I got out a maul sledge hammer (essentially a thick iron ax built for demolition work) and in a matter of a few hours had reduced the whole structure to a heap of wood and other construction debris. It wasn’t lost on me in the moment that what had taken a quality craftsman probably weeks, if not months, to build, I had destroyed using my unskilled hands in far less time.

Contrary to popular belief, malicious hacking is more maul swinger than craftsman.

If you are lucky enough to consider a career as a computer hacker, you’ll have to decide if you’re going to aspire to safeguarding the common good or settle for pettier goals. Do you want to be a mischievous, criminal hacker or a righteous, powerful defender? This book is proof that the best and most intelligent hackers work for the good side. They get to exercise their minds, grow intellectually, and not have to worry about being arrested. They get to work on the forefront of computer security, gain the admiration of their peers, further human advancement in the name of all that is good, and get well paid for it. This book is about the sometimes unsung heroes who make our incredible digital lives possible.

NOTE

Although the terms “hacker” or “hacking” can refer to someone or an activity with either good or bad intentions, the popular use is almost always with a negative connotation. I realize that hackers can be good or bad, but I may use the terms without further qualification in this book to imply either a negative or a positive connotation just to save space. Use the whole meaning of my sentences to judge the intent of the terms.

Most Hackers Aren’t Geniuses

Unfortunately, nearly everyone who writes about criminal computer hackers without actual experience romanticizes them all as uber-smart, god-like, mythical figures. They can guess any password in under a minute (especially if under threat of a gun, if you believe Hollywood), break into any system, and crack any encryption secret. They work mostly at night and drink copious amounts of energy drinks while littering their workspaces with remnants of potato chips and cupcakes. A school kid uses the teacher’s stolen password to change some grades, and the media fawns over him like he’s the next Bill Gates or Mark Zuckerberg.

Hackers don’t have to be brilliant. I’m living proof of that. Even though I’ve broken into every single place where I’ve ever been hired to do so, I’ve never completely understood quantum physics or Einstein’s Theory of Relativity. I failed high school English twice, I never got higher than a C in math, and my grade point average of my first semester of college was 0.62. That was composed of five Fs and one A. The lone A was in a water safety class because I had already been an oceanfront lifeguard for five years. My bad grades were not only because I wasn’t trying. I just wasn’t that smart and I wasn’t trying. I later learned that studying and working hard is often more valuable than being born innately intelligent. I ended up finishing my university degree and excelling in the computer security world.

Still, even when writers aren’t calling bad‐guy hackers super‐smart, readers often assume they are because they appear to be practicing some advanced black magic that the rest of the world does not know. In the collective psyche of the world, it’s as if “malicious hacker” and “super intelligence” have to go together. It’s simply not true. A few are smart, most are average, and some aren’t very bright at all, just like the rest of the world. Hackers simply know some facts and processes that other people don’t, just like a carpenter, plumber, or electrician.

Defenders Are Hackers Plus

If we do an intellectual comparison alone, the defenders on average are smarter than the attackers. A defender has to know everything a malicious hacker does plus how to stop the attack. And that defense won’t work unless it has almost no end-user involvement, works silently behind the scenes, and works perfectly (or almost perfectly) all the time. Show me a malicious hacker with a particular technique, and I’ll show you more defenders who are smarter and better. It’s just that the attacker usually gets more press. This book is an argument for equal time.

Hackers Are Special

Even though I don’t classify all hackers as super-smart, good, or bad, they all share a few common traits. One trait they have in common is a broad intellectual curiosity and a willingness to try things outside the given interface or boundary. They aren’t afraid to make their own way. Computer hackers are usually life hackers, hacking all sorts of things beyond computers. They are the type of people who, when confronted with airport security, are silently contemplating how they could sneak a weapon past the detectors even if they have no intention of actually doing so. They are figuring out whether the expensive printed concert tickets could be easily forged, even if they have no intention of attending for free. When they buy a television, they are wondering if they can access its operating system to gain some advantage. Show me a hacker, and I’ll show you someone who is questioning the status quo and exploring at all times.

NOTE

At one point, my own hypothetical scheme for getting weapons past airport security involved using look‐alike wheelchairs with weapons or explosives hidden inside the metal parts. The wheelchairs are often pushed past airport security without undergoing strong scrutiny.

Hackers Are Persistent

After curiosity, a hacker’s most useful trait is persistence. Every hacker, good or bad, knows the agony of long hours trying and trying again to get something to work. Malicious hackers look for defensive weaknesses. One mistake by the defender essentially renders the whole defense worthless. A defender must be perfect. Every computer and software program must be patched, every configuration appropriately secure, and every end‐user perfectly trained. Or at least that is the goal. The defender knows that applied defenses may not always work or be applied as instructed, so they create “defense‐in‐depth” layers. Both malicious hackers and defenders are looking for weaknesses, just from opposite sides of the system. Both sides are participating in an ongoing war with many battles, wins, and losses. The most persistent side will win the war.

Hacker Hats

I’ve been a hacker my whole life. I’ve gotten paid to break into places (which I had the legal authority to do). I’ve cracked passwords, broken into networks, and written malware. Never once did I break the law or cross an ethical boundary. This is not to say that I haven’t had people try to tempt me to do so. Over the years, I’ve had friends who asked me to break into their suspected cheating spouse’s cellphone, bosses who asked me to retrieve their boss’s email, or people who asked me to break into an evil hacker’s server (without a warrant) to try to stop them from committing further hacking. Early on you have to decide who you are and what your ethics are. I decided that I would be a good hacker (a “whitehat” hacker), and whitehat hackers don’t do illegal or unethical things.

Hackers who readily participate in illegal and unethical activities are called “blackhats.” Hackers who make a living as a whitehat but secretly dabble in blackhat activities are known as “grayhats.” My moral code is binary on this issue. Grayhats are blackhats. You either do illegal stuff or you don’t. Rob a bank and I’ll call you a bank robber no matter what you do with the money.

This is not to say that blackhats can’t become whitehats. That happens all the time. The question for some of them is whether they will become a whitehat before having to spend a substantial amount of time in prison. Kevin Mitnick (https://en.wikipedia.org/wiki/Kevin_Mitnick), one of the most celebrated arrested hackers in history (and profiled in Chapter 5), has since lived a long life as a defender helping the common good. Robert T. Morris, who wrote and released the 1988 Morris worm, the first worm to spread across a large part of the Internet (https://en.wikipedia.org/wiki/Morris_worm), eventually became an Association for Computing Machinery Fellow (http://awards.acm.org/award_winners/morris_4169967.cfm) “for contributions to computer networking, distributed systems, and operating systems.”

Early on, the boundary between legal and illegal hacking wasn’t as clearly drawn as it is today. In fact, most early illegal hackers were given superhero cult status. Even I can’t help but be personally drawn to some of them. John Draper (a.k.a. “Captain Crunch”) used a toy whistle from a box of Cap’n Crunch cereal to generate the 2600 Hz tone that could be used to steal free long-distance phone service. Hackers who released private information for “the public good” have often been celebrated. But with a few exceptions, I’ve never taken the overly idealized view of malicious hackers. I’ve had a pretty clear vision that people doing unauthorized things to other people’s computers and data are committing criminal acts.

Years ago, when I was first getting interested in computers, I read a book called Hackers: Heroes of the Computer Revolution by Steven Levy. In the dawning age of personal computers, Levy wrote an entertaining tale of hackers, good and mischievous, embodying the hacker ethos. Most of the book is dedicated to people who improved the world through the use of computers, but it also covered the type of hackers who would be arrested for their activities today. Some of these hackers believed the ends justified the means and followed a loose set of morals embodied by what Levy called the “Hacker Ethic.” Chief among these beliefs were the philosophies that any computer could be accessed for any legitimate reason, that all information should be free, and that authority should be distrusted. It was a romanticized view of hacking and hackers, although it didn’t hide the questionable ethical and legal issues. In fact, it centered on the newly pushed boundaries.

Steven Levy was the first author I ever sent a copy of his own book to and asked him to autograph my copy and send it back (something others have done to me a few times now that I’m the author of eight previous books). Levy has gone on to write or become the technical editor for several major magazines, including Newsweek, Wired, and Rolling Stone, and he has written six other books on computer security issues. Levy continues to be a relevant technology writer to this day. His book, Hackers, introduced me to the wonderful world of hacking in general.

Later on, other books, like Ross Greenberg’s Flu‐Shot (long out of print) and John McAfee’s Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System (https://www.amazon.com/Computer‐viruses‐diddlers‐programs‐threats/dp/031202889X) introduced me to fighting malicious hackers. I read these books and got excited enough to make a lifelong career out of combating the same threats.

Along the way, I’ve learned that the defenders are the smartest hackers. I don’t want to paint all malicious hackers with the same brush of mediocrity. Each year, a few rogue hackers discover something new. There are a few very smart hackers. But the vast majority of malevolent hackers are fairly average and are just repeating something that has worked for twenty years. To be blunt, the average malicious hacker doesn’t have enough programming talent to write a simple notepad application, much less discover on their own how to break into some place, crack encryption, or successfully guess passwords, not without a lot of help from other hackers who did the real brain work years before.

The irony is that the uber‐smart people I know about in the computer world aren’t the malicious hackers, but the defenders. They have to know everything the hacker does, guess at what they might do in the future, and build a user‐friendly, low‐effort defense against it all. The defender world is full of PhDs, master’s degree students, and successful entrepreneurs. Hackers rarely impress me. Defenders do all the time.

It is common for defenders to discover a new way of hacking something, only to remain publicly silent. It’s the job of defenders to defend, and giving malicious hackers new ways to hack something before the defenses are in place won’t make anyone else’s life easier. It’s a way of life for defenders to figure out a new hack and to help with closing the hole before it gets discovered by the outside world. That happens many more times than the other way around (such as the outside hacker discovering a new hole).

I’ve even seen defenders figure out a new hack, but for cost efficiency or timing reasons, the hole didn’t get immediately fixed, and later on, some outside hacker gets credit as the “discoverer.” Unfortunately, defenders don’t always get immediate glory and gratification when they are doing their day jobs.

After watching both malicious hackers and defenders for nearly three decades, it’s clear to me that the defenders are the more impressive of the two. It’s not even close. If you want to show everyone how good you are with computers, don’t show them a new hack. Show them a new, better defense. It doesn’t require intelligence to find a new way of hacking. It mostly just takes persistence. But it does take a special and smart person to build something that can withstand constant hacking over a long period of time.

If you want to impress the world, don’t tear down the garage. Instead, build code that can withstand the hacker’s mauling axe.

2 How Hackers Hack

The most enjoyable career activity I do is penetration testing (also known as pen testing). Pen testing is hacking in its truest sense. It’s a human against a machine in a battle of wits. The human “attacker” can use their own ingenuity and new or existing tools as they probe for weaknesses, whether they be machine‐ or human‐based. In all my years of pen testing, even though I am usually given weeks to conduct a test, I have successfully hacked my target the majority of the time in around one hour. The longest it has ever taken me is three hours. That includes every bank, government site, hospital, and corporate site that has ever hired me to do so.

I’m not even all that good as a pen tester. On a scale 1 to 10, with 10 being the best, I’m about a 6 or a 7. On the defender side, I feel like I’m the best person in the world. But as an attacker, I’m very average. I’ve been surrounded by awesome pen testers—men and women who think nothing of writing their own testing tools or who don’t consider their testing a success unless they did not generate a single event in a log file that could have caused an alert. But even the people I consider to be 10s usually think of themselves as average and admire other pen testers that they think are tens. How good must those hackers be?

But you don’t have to be extremely good to be a very successful hacker. You don’t even have to break in for the customer who hired you (assuming you are being paid for a lawful pen testing engagement) to be happy with your work. In fact, the customer would be thrilled if you were not successful. They could brag that they hired some hackers and their network withstood the attack. It’s a win-win for everyone involved. You get paid the same and they get to brag that they are impenetrable. It’s the only job I know where you cannot have a bad outcome. Unfortunately, I know of no pen tester who has ever failed to break into all of their targets. I’m sure there must be hackers who fail, but the vast majority of pen testers “capture their prize.”

NOTE

If your pen testing doesn’t find any weaknesses and soon afterward your client is compromised by real attackers, you aren’t going to look good. If this happens several times, word will get around and you’ll probably be looking for a new career. The weaknesses are there. Find them.

Usually pen testers will do something extra to impress their target’s senior managers, such as taking a clandestine picture of the CEO at his desk using his own computer’s camera or embedding the domain administrator’s password in the picture of a pirate flag that shows up on the security administrator’s screensaver. (Stunts like these belong in the written rules of engagement agreed before the test starts; a webcam capture the client never authorized is an incident, not a flourish.) A picture is worth a thousand words. Never underestimate how much one goofy picture can increase your customer’s satisfaction with your job. They’ll be talking about the picture (and bragging about you) years after you’ve finished the job. If you can, always finish with a flourish. I’m giving you “consultant gold” with this recommendation.

The Secret to Hacking

If there is a secret to how hackers hack, it’s that there is no secret. It’s a process of learning the right methods and using the right tools for the job, just as an electrician, plumber, or builder does. There isn’t even one way to do it. There is, however, a definitive set of steps that describes the larger, encompassing process and includes every step a hacker could possibly have to perform. Not all hackers use all the steps; some use only one, and you can skip one or more of them and still be a successful hacker, but in general, if you follow all the steps, you’re likely to be very successful. Malware and other hacking tools often let hackers skip steps, but at least one step, the initial penetration foothold, is always required.

Regardless of whether you’re going to make a career out of being a (legal) hacker, if you’re going to fight malicious hackers, you have to understand the “hacking methodology” or whatever it is being called by the person or document describing it. The models can vary, including the number of steps involved, the names of the steps, and the specific details of each step, but they all contain the same basic components.

The Hacking Methodology

The hacking methodology contains the following progressive steps:

Information Gathering

Penetration

Optional: Guaranteeing Future Easier Access

Internal Reconnaissance

Optional: Movement

Intended Action Execution

Optional: Covering Tracks

Information Gathering

Unless the hacker is using a tool that opportunistically attacks whatever vulnerable site it happens to find, the hacker usually has a specific target in mind. If a hacker wants to penetrate a specific company, the first thing the hacker does is research everything they can about the company that might possibly help them break in. At the very least, this means accessible IP addresses, email addresses, and domain names. The hacker finds out how many potential sites and services they can reach that are connected to the company. They use the news media and public financial reports to find out who the senior executives are or to find other employee names for social engineering. The hacker looks up news stories to see what big software the target has bought recently, what mergers or divestitures are happening (these are always messy affairs, often accompanied by relaxed or missed security), and even which partners they interact with. Many companies have been compromised through a much weaker partner.

Finding out what digital assets a company is connected to is the most important part of information gathering in most hacker attacks. Not only are the main (public) sites and services usually identified, but it’s usually more helpful to the attacker to find the less popular connected sites and services, like employee and partner portals. The less popular sites and servers are more likely to have a weakness compared to the main sites that everyone has already beat on for years.

Then any good hacker starts to gather all the software and services hosted on each of those sites, a process generally known as fingerprinting. It’s very important to learn what operating systems (OS) are used and what versions. OS versions tell a hacker what patch levels and which bugs may or may not be present. For example, they might find Windows Server 2012 R2 and CentOS Linux 7.3‐1611. Then they look for the software programs running on each OS and the versions of those programs (for the same reason). If it’s a web server, they might find Internet Information Services (IIS) 8.5 on the Windows server and Apache 2.4.25 on the Linux server. They do an inventory of each device, OS, application, and version running on each of their intended targets. It’s always best to do a complete inventory to get an inclusive picture of the target’s landscape, but sometimes a hacker finds a big vulnerability early on and just jumps into the next step. Outside of such a quick exploit, the more information the hacker has about what is running, the better. Each additional piece of software, and each version of it, provides additional possible attack vectors.

NOTE

Some hackers call the general, non‐technical information gathering footprinting and the OS and software mapping fingerprinting.

Sometimes when a hacker connects to a service or site it helpfully responds with very detailed version information, so no tools are needed. When that isn’t the case, there are plenty of tools to help with OS and application fingerprinting. By far the number one fingerprinting tool used by hackers is Nmap (https://nmap.org/). Nmap has been around since 1997. It is available for Windows, Linux, and other platforms and is a hacker’s Swiss Army knife. It can perform all sorts of host scanning and testing, and it is a very good OS fingerprinter and an okay application fingerprinter. There are better application fingerprinters, especially ones focused on a particular type of application, such as web servers, databases, or email servers. For example, Nikto2 (https://cirt.net/Nikto2) not only fingerprints web servers better than Nmap, but also runs thousands of checks for dangerous files, outdated server versions, and misconfigurations and reports which ones are present.
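The inventory described above is easiest to build from Nmap’s machine‐readable output (nmap -sV -O -oX scan.xml). The following is an added example, not code from the book or from the Nmap project: it parses a constructed sample shaped like Nmap’s XML, lists every open port with its product and version, flags versions below a baseline, and separates out services Nmap could not version (the ones that need a dedicated fingerprinter such as Nikto). The two hosts, the scan results, and the BASELINE table are all constructed placeholders, not real scan or patch data.

```python
"""Build a target inventory from Nmap XML output.

Added example, not from the book. SAMPLE_NMAP_XML is constructed to look
like Nmap's -oX output for two hosts in the TEST-NET-3 range, and BASELINE
is a hypothetical "lowest version I consider current" table, not real
vulnerability data.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this script reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 203.0.113.10 203.0.113.20">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="8.5"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012 R2" accuracy="98"/></os>
  </host>
  <host><status state="up"/><address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.25"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Return one dict per OPEN port: host, OS guess, port, product, version."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        osmatch = host.find("os/osmatch")
        os_name = osmatch.get("name") if osmatch is not None else None
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not reachable attack surface
            svc = port.find("service")
            rows.append({
                "host": addr, "os": os_name,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return rows


def _vertuple(version):
    """'2.4.25' -> (2, 4, 25); non-numeric suffixes such as 'p1' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def flag_candidates(rows, baseline):
    """Split the inventory into (below_baseline, unversioned).

    baseline maps a product name to the lowest version treated as current.
    Services Nmap could not version are returned separately: they need a
    dedicated application fingerprinter before any conclusion is drawn.
    """
    below, unversioned = [], []
    for r in rows:
        if r["product"] is None or r["version"] is None:
            unversioned.append(r)
        elif r["product"] in baseline and _vertuple(r["version"]) < _vertuple(baseline[r["product"]]):
            below.append(r)
    return below, unversioned


# Hypothetical baseline: NOT real patch data, only the shape of the check.
BASELINE = {"Apache httpd": "2.4.30", "OpenSSH": "7.4", "Microsoft IIS httpd": "8.5"}

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_NMAP_XML)
    below, unversioned = flag_candidates(inv, BASELINE)
    for r in inv:
        print(f'{r["host"]}:{r["port"]}/{r["proto"]}  {r["product"]} {r["version"]}  ({r["os"]})')
    print("below baseline:", [(r["host"], r["port"]) for r in below])
    print("needs app fingerprinting:", [(r["host"], r["port"]) for r in unversioned])
```

With real scan output, point parse_inventory at the file contents and replace BASELINE with the versions your own patch tracking says are current; the filtered 445/tcp port is deliberately dropped because it is not reachable from the scanning position, and the unversioned Terminal Services port is exactly the kind of gap that a second, service‐specific tool should close.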

Penetration

This is the step that puts the “hack” in “hacker”—gaining initial foothold access. The success of this step makes or breaks the entire cycle. If the hacker has done their homework in the fingerprinting stage, then this stage really isn’t all that hard. In fact, I’ve never not accomplished this stage. There is always old software being used, always something left unpatched, and almost always something misconfigured in the collection of identified software.

NOTE

One of my favorite tricks is attacking the very software and devices that the defenders use to defend their networks. Often these devices are appliances, which is simply another word for running a computer with harder‐to‐update software. Appliances are notorious for being years out of patch compliance.

If by chance all the software and devices are perfectly secured (and they never are), then you can attack the human element, which is always the weakest part of the equation. But without the initial penetrating foothold, all is lost for the hacker. Fortunately for the hacker, there are lots of ways to penetrate a target. Here are the different techniques a hacker can use to break into a target:

Zero‐days

Unpatched software

Malware

Social engineering

Password issues

Eavesdropping/MitM

Data leaks

Misconfiguration

Denial of service

Insider/partner/consultant/vendor/third party

User error

Physical access

Privilege escalation

Zero‐days

Zero‐day (or 0‐day) exploits are rarer than everyday vulnerabilities, which vendors have usually long ago patched. A zero‐day exploit is one that targets a vulnerability the software is not yet patched against and that the public (and usually the vendor) isn’t aware of. Any computer system using software with a zero‐day bug is essentially exploitable at will, unless the potential victim uninstalls the software or has put in place some other mitigation (for example, a firewall, an ACL, VLAN segmentation, anti‐buffer‐overflow protections, and so on).

Zero‐days are not as common as known exploits because they can’t be widely used by an attacker. If an attacker overused a zero‐day, the coveted vulnerability would be discovered and patched by the vendor and its exploit placed in anti‐malware signatures. These days many vendors can ship a patch within days of a vulnerability being reported. When zero‐days are used, they are either used very broadly against many targets all at once for maximum exploitation before the window closes, or used “low and slow,” which means sparingly, rarely, and only when needed. The world’s best professional hackers usually have collections of zero‐days that they use only when all else has failed, and even then in such a way that they won’t be especially noticed. A zero‐day might be used to gain an initial foothold in an especially resistant target, and then all traces of it will be removed and more traditional methods used from that point onward.

Unpatched Software

Unpatched software is always among the top reasons why a computer or device is exploited. Each year thousands of new vulnerabilities are publicly announced across all popularly used software (usually between 5,000 and 6,000, or about 15 per day). (Check out the stats reported in each issue of Microsoft’s Security Intelligence Report, http://microsoft.com/sir.) Vendors have generally gotten better at writing more secure code and finding their own bugs, but there is an ever‐increasing number of programs and billions of lines of code, so the overall number of bugs has stayed relatively stable over the last two decades.

Most vendors do a fairly good job of patching their software in a timely manner, especially after a vulnerability becomes publicly known. Unfortunately, customers are notoriously slow in applying those patches, often even going so far as to disable the vendor’s own auto‐patching routines. Some moderate percentage of users never patch their systems. The user either ignores the repeated patch warnings and sees them as purely annoying or is completely unaware that a patch needs to be applied. (For example, many point‐of‐sale systems don’t notify cashiers that a patch needs to be applied.) Most software exploits happen to software that has not been patched in many, many years.

Even if a particular company or user patches critical vulnerabilities as quickly as they are announced, a persistent, patient hacker can just wait for a patch to be announced that covers something on their target’s fingerprint inventory list and launch the related attack before the defender has time to patch it. (It’s relatively easy for a hacker to compare the patched and unpatched versions of a program, locate the fix, and work out how to exploit the vulnerability it addresses.)

Both zero‐days and regular software vulnerabilities come down to insecure software coding practices. Software vulnerabilities will be covered in Chapter 6.

Malware

Malicious programs are known as malware, and the traditional types are known as viruses, Trojan horse programs, and worms, but today’s malware is often a hybrid mixture of multiple types. Malware allows a hacker to use an exploit method to more easily attack victims or to reach a greater number of victims more quickly. When a new exploit method is discovered, defenders know that malware writers will use automated malware to spread the exploit faster in a process known as “weaponization.” While any exploit is something to be avoided, it is often the weaponization of the exploit that creates the most risk to end‐users and society. Without malware, an attacker is forced to implement an attack one victim at a time. With malware, millions of victims can be exploited in minutes. Malware will be covered in more detail in Chapter 9.

Social Engineering

One of the most successful hacking strategies is social engineering. Social engineering, whether accomplished manually by a human adversary or done using automation, is any hacker trick that relies on tricking an end‐user into doing something detrimental to their own computer or security. It can be an email that tricks an end‐user into clicking on a malicious web link or running a rogue file attachment. It can be something or someone tricking a user into revealing their private logon information (called phishing). Social engineering has long been in the quiver of attacks used by hackers. Long‐time whitehat hacker Kevin Mitnick used to be one of the best examples of a malicious social engineer. Mitnick is profiled in Chapter 5, and social engineering is covered in more detail in Chapter 4.

Password Issues

Passwords, or the derived forms in which they are stored internally (such as hashes), can be guessed or stolen. For a long time, simple password guessing (or social engineering) was one of the most popular methods of gaining initial access to a computer system or network, and it still is. But credential theft and re‐use (such as pass‐the‐hash attacks) has come to dominate password hacking over the past half decade. With credential theft attacks, an attacker usually gains administrative access to a computer or device and retrieves one or more logon credentials stored on the system (either in memory or on the hard drive). The stolen credentials are then used to access other systems that accept the same logon credentials. Almost every major corporate attack has involved credential theft as a common exploit component, so much so that traditional password guessing isn’t as popular anymore. Password hacks are covered in Chapter 21.

Eavesdropping/MitM

Eavesdropping and “man‐in‐the‐middle” (MitM) attacks compromise a legitimate network connection to gain access to or maliciously participate in the communications. Most eavesdropping occurs due to flaws in network or application protocols, but it can also be accomplished due to human error. These days the biggest eavesdropping attacks occur on wireless networks. Network attacks will be covered in Chapter 33, and wireless attacks will be covered in Chapter 23.

Data Leaks

Leaks of private information can be an outcome from one of the other forms of hacking or can result from an unintentional (or intentional) human action. Most data leaks occur because of inadvertent (and under‐protected) placement or because some hacker figured out a way to access otherwise private data. But insider attacks where an employee or contractor intentionally steals or uses private information are also a common form of hacking. Several of the chapters in this book apply to preventing data leakages.

Misconfiguration

It is also common for computer users and administrators to (sometimes inadvertently) implement very weak security choices. I can’t tell you how many times I’ve gone to a public web site to find that its most critical files are somehow marked with Everyone or World permissions—and those permissions are exactly what they look like. And when you tell the entire world that they can access any file they like, your site or the files stored on it are not going to stay private for very long. Secure operating systems and configurations are covered in Chapter 30.
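The “Everyone” or “World” permission mistake described above is one of the few misconfigurations that can be found mechanically. The following is an added example, not code from the book: on a POSIX system it walks a directory tree, reports every file or directory the whole world can write to and every file the world can read, and filters the readable hits down to extensions that should never be public. The demo() function builds a small throwaway web root with a few deliberate mistakes (constructed, removed afterwards) so the check runs without touching a real server; the list of sensitive extensions is an assumption, adjust it to your environment.

```python
"""Find files and directories that the whole world can read or write.

Added example, not from the book. Checks POSIX mode bits only; the Windows
"Everyone" ACE is the same mistake but needs the Windows ACL API. demo()
constructs a throwaway tree so the check can be run offline.
"""
import os
import shutil
import stat
import tempfile


def world_access(root):
    """Walk root; return sorted (relative path, octal mode, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target's own bits are what matter, judged when reached
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif mode & stat.S_IROTH and not stat.S_ISDIR(st.st_mode):
                # World-readable files are normal for a public web root, but not for
                # config, key, or database files; the caller decides which matter.
                findings.append((rel, oct(mode), "world-readable"))
    return sorted(findings)


# Assumed list of extensions that should never be readable by everyone.
SENSITIVE_SUFFIXES = (".pem", ".key", ".sqlite", ".env", ".ini", ".conf", ".bak")


def sensitive_world_readable(findings):
    """Keep only world-readable hits whose extension marks them as secrets."""
    return [f for f in findings if f[2] == "world-readable" and f[0].lower().endswith(SENSITIVE_SUFFIXES)]


def demo():
    """Construct a small web root with typical mistakes and audit it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {                      # constructed layout: path -> mode
        "index.html": 0o644,       # fine: a public page
        "config/db.ini": 0o644,    # bad: database credentials readable by everyone
        "config/server.key": 0o600,  # fine: owner only
        "uploads/avatar.png": 0o644,
    }
    dirs = {"uploads": 0o777}      # bad: anyone on the box can drop files here
    try:
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")
            os.chmod(path, mode)
        for rel, mode in dirs.items():
            os.chmod(os.path.join(root, rel), mode)
        findings = world_access(root)
        return findings, sensitive_world_readable(findings)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    all_hits, secrets = demo()
    for hit in all_hits:
        print(*hit)
    print("sensitive and world-readable:", secrets)
```

On a real server run world_access against the document root (and the application’s config directory, which is often outside it); anything world‐writable is a finding regardless of name, while world‐readable hits need the extension filter or a manual look, because most of a web root is supposed to be readable.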

Denial of Service

Even if no one made a single error or had a single piece of unpatched software, it’s still possible to take nearly any web site or computer off the Internet. Even if you are perfect, your computers rely on one or more services, not under your control, that are not perfect. Today, huge distributed denial of service (DDoS) attacks can take down or significantly impact nearly any web site or computer connected to the Internet. These attacks often deliver hundreds of millions of malicious packets per second, which overwhelms the targeted site (or its upstream or downstream neighbors). There are dozens of commercial services (some of them illegal) that anyone can use to either cause or defend against huge DDoS attacks. DDoS attacks are covered in Chapter 28.

Insider/Partner/Consultant/Vendor/Third Party

Even if your network and all its computers are perfect (which they aren’t), you can be compromised by a flaw in a connected partner’s computer or by insider employees. This category is fairly broad and crosses a range of other hacker methods.

User Error

This penetration category also crosses a range of other hacker methods. For example, a user can accidentally send private data to an unauthorized person by mistyping a single character in an email address. The user can accidentally miss patching a critical server or can accidentally set the wrong permission. A frequent user error is when someone replies to an email thinking they are replying privately to one person or a smaller list of people, but they are actually replying to the larger list or even to the person they are talking disparagingly about. I point out user error separately here only because sometimes mistakes happen and hackers are ready to take advantage of them.

Physical Access

Conventional wisdom says that if an attacker has physical access to an asset, they can just steal the whole thing (poof, your cell phone is gone) and destroy it or eventually bypass all protections to access private data. And this perception has proven pretty accurate so far, even against defenses that are explicitly meant to protect against physical attacks. For example, secret keys have been recovered from security chips by physically opening the chip package and imaging its memory cells with an electron microscope. And the key protecting a running disk encryption program has been pulled out of RAM by chilling the memory chips with canned air, which makes DRAM keep its contents long enough after power is cut for an attacker to read them out (the so‐called cold boot attack).

Privilege Escalation

Each hacker uses one of the various penetration methods described in the previous sections to initially exploit a target system. The only question after gaining access is what type of security access they get. If they exploit a software program or service running in the user’s own security context, they initially only have the same access privileges and permissions as the logged on user. Or they may get the Holy Grail on that system and get complete administrative system access. If the attacker only gets regular, non‐privileged access permissions, then they generally execute a second, privilege escalation attack to try and obtain higher privileged access. Privilege escalation attacks run the gamut, essentially duplicating the same approaches as for penetration, but they begin with the higher starting point of already having at least some access. Privilege escalation attacks are generally easier to perform than the initial exploits. And since the initial exploits are almost always guaranteed to succeed, the privilege escalation is just that much easier.

Guaranteeing Future Easier Access

Although it’s optional, once an attacker has obtained the initial foothold access, most hackers then work on implementing an additional method to ensure that they can get back into the same asset or software more easily the next time around. For many hackers, this means placing a “listening” backdoor program that they can directly connect to next time. Other times it means cracking passwords or creating new accounts. The attacker can always use the same exploits that worked successfully last time to regain the initial foothold, but usually they want some other method that will work even if the victim fixes the issue that worked the previous time.

Internal Reconnaissance

Once most hackers have penetrated the system, they start executing multiple commands or programs to learn more about the target they have gained access to and what things are connected to it. Usually that means looking in memory, on the hard drive, for network connectivity, and enumerating users, shares, services, and programs. All this information is used to better understand the target and also as a launching point for the next attack.

Movement

It is the rare attacker or malware program that is content to break into one target. Nearly all hackers and malware programs want to spread their range of influence over more and more targets. Once they gain access to the initial target, spreading that influence within the same network or entity is pretty easy. The hacker penetration methods listed in this chapter summarize the various ways they can do it, but comparing it to the initial foothold efforts, the subsequent movement is easier. If the attacker moves to other similar targets with similar uses, it is called lateral movement. If the attacker moves from devices of one privilege to a higher or lower privilege, it’s called vertical movement.

Most attackers move from lower to higher levels of privilege using vertical movement techniques (again, using the hacker penetration methods described in this chapter). For example, a very common hacker methodology is for the attacker to first compromise a single, regular end‐user workstation. They use that initial foothold to search for and download local administrative account passwords. Then, if those local administrative credentials are shared among more machines (which they often are), they move laterally and repeat the process until they can capture very privileged account access. Sometimes this is done immediately during the first break‐in because the logged on user or system already has very high privileges. They then move to the authentication server and capture every user’s logon credentials. This is the standard modus operandi for most hacker groups these days, and moving from the initial compromise to complete network ownership (or pwning in hacker terminology) can take less than an hour.

In my personal experience, and remember I’m just an average hacker, it usually takes me about one hour to gain the initial foothold and another hour to capture the centralized authentication database. So for me, an average hacker, it takes about two hours to completely own a company. The longest it has taken me is three hours.

Intended Action Execution

After access is guaranteed and asset ownership is taken, hackers then accomplish what they intended to do (unless the action of breaking in revealed something new to do). Every hacker has intent. A legitimate penetration tester has a contractual obligation to do one or more things. A malicious hacker might spread malware, read or steal confidential information, make a malicious modification, or cause damage. The whole reason for the hacker to compromise one or more systems is to do something. In the old days (two or three decades ago), simply showing off that they had hacked a system would have been enough for most hackers. Today, hacking is 99% criminally motivated, and the hacker is going to do something malicious to the target (even if the only damage they do is to remain silently infiltrated for some potential, future action). Unauthorized access without any direct damage is still damage.

Covering Tracks