Hacking the Hacker. Grimes Roger A.

Hacking the Hacker - Grimes Roger A.


Скачать книгу
someone tricking a user into revealing their private logon information (called phishing). Social engineering has long been in the quiver of attacks used by hackers. Long‐time whitehat hacker, Kevin Mitnick, used to be one of best examples of malicious social engineers. Mitnick is profiled in Chapter 5, and social engineering is covered in more detail in Chapter 4.

      Password Issues

      Passwords or their internally stored derivations can be guessed or stolen. For a long time, simple password guessing (or social engineering) was one of the most popular methods of gaining initial access to a computer system or network, and it still is. But credential theft and re‐use (such as pass‐the‐hash attacks) has essentially taken over the field of password hacking in a big way over the past half decade. With credential theft attacks, an attacker usually gains administrative access to a computer or device and retrieves one or more logon credentials stored on the system (either in memory or on the hard drive). The stolen credentials are then used to access other systems that accept the same logon credentials. Almost every major corporate attack has involved credential theft attacks as a common exploit component, so much so that traditional password guessing isn’t as popular anymore. Password hacks are covered in Chapter 21.

      Eavesdropping/MitM

      Eavesdropping and “man‐in‐the‐middle” (MitM) attacks compromise a legitimate network connection to gain access to or maliciously participate in the communications. Most eavesdropping occurs due to flaws in network or application protocols, but it can also be accomplished due to human error. These days the biggest eavesdropping attacks occur on wireless networks. Network attacks will be covered in Chapter 33, and wireless attacks will be covered in Chapter 23.

      Data Leaks

      Leaks of private information can be an outcome from one of the other forms of hacking or can result from an unintentional (or intentional) human action. Most data leaks occur because of inadvertent (and under‐protected) placement or because some hacker figured out a way to access otherwise private data. But insider attacks where an employee or contractor intentionally steals or uses private information are also a common form of hacking. Several of the chapters in this book apply to preventing data leakages.

      Misconfiguration

      It is also common for computer users and administrators to (sometimes inadvertently) implement very weak security choices. I can’t tell you how many times I’ve gone to a public web site to find that its most critical files are somehow marked with Everyone or World permissions – and those permissions are exactly what they look like. And when you tell the entire world that they can access any file they like, your site or the files stored on it are not going to stay private for very long. Secure operating systems and configurations are covered in Chapter 30.

      Denial of Service

      Even if no one made a single error or had a single piece of unpatched software, it’s still possible to take nearly any web site or computer off the Internet. Even if you are perfect, your computers rely on one or more services, not under your control, that are not perfect. Today, huge distributed denial of service (DDoS) attacks can take down or significantly impact nearly any web site or computer connected to the Internet. These attacks often contain billions of malicious packets per second, which overwhelms the targeted site (or its upstream or downstream neighbors). There are dozens of commercial (sometimes illegal) services that anyone can use to both cause and defend against huge DDoS attacks. DDoS attacks are covered in Chapter 28.

      Insider/Partner/Consultant/Vendor/Third Party

      Even if your network and all its computers are perfect (which they aren’t), you can be compromised by a flaw in a connected partner’s computer or by insider employees. This category is fairly broad and crosses a range of other hacker methods.

      User Error

      This penetration category also crosses a range of other hacker methods. For example, a user can accidentally send private data to an unauthorized user by putting a single mistyped character in an email address. The user can accidentally miss patching a critical server or can accidentally set the wrong permission. A frequent user error is when someone replies to an email thinking they are replying privately to one person or a smaller list of people but they accidentally are actually replying to the larger list or even to a person they are talking disparagingly about. I point out user error separately here only because sometimes mistakes happen and hackers are ready to take advantage of them.

      Physical Access

      Conventional wisdom says that if an attacker has physical access to an asset, they can just steal the whole thing (poof, your cell phone is gone) and destroy it or eventually bypass all protections to access private data. And this perception has proven pretty accurate so far, even against defenses that are explicitly meant to protect against physical attacks. For example, many disk encryption programs can be defeated by the attacker using an electron microscope to identify the protected secret key by identifying the individual electrons that compose the key. Or RAM can be frozen by canned air to reveal the secret encryption key in plaintext because of a fault in the way memory physically stores data.

      Privilege Escalation

      Each hacker uses one of the various penetration methods described in the previous sections to initially exploit a target system. The only question after gaining access is what type of security access they get. If they exploit a software program or service running in the user’s own security context, they initially only have the same access privileges and permissions as the logged on user. Or they may get the Holy Grail on that system and get complete administrative system access. If the attacker only gets regular, non‐privileged access permissions, then they generally execute a second, privilege escalation attack to try and obtain higher privileged access. Privilege escalation attacks run the gamut, essentially duplicating the same approaches as for penetration, but they begin with the higher starting point of already having at least some access. Privilege escalation attacks are generally easier to perform than the initial exploits. And since the initial exploits are almost always guaranteed to succeed, the privilege escalation is just that much easier.

      Guaranteeing Future Easier Access

      Although it’s optional, once an attacker has obtained the initial foothold access, most hackers then work on implementing an additional method to ensure that they can more easily access the same asset or software faster the next time around. For many hackers, this means placing a “listening” backdoor program that they can directly connect to next time. Other times it means cracking passwords or creating new accounts. The attacker can always use the same exploits that worked successfully last time to gain the initial foothold, but usually they want some other method that will work even if the victim fixes the issue that worked the previous time.

      Internal Reconnaissance

      Once most hackers have penetrated the system, they start executing multiple commands or programs to learn more about the target they have gained access to and what things are connected to it. Usually that means looking in memory, on the hard drive, for network connectivity, and enumerating users, shares, services, and programs. All this information is used to better understand the target and also as a launching point for the next attack.

      Movement

      It is the rare attacker or malware program that is content to break into one target. Nearly all hackers and malware programs want to spread their range of influence over more and more targets. Once they gain access to the initial target, spreading that influence within the same network or entity is pretty easy. The hacker penetration methods listed in this chapter summarize the various ways they can do it, but comparing it to the initial foothold efforts, the subsequent movement is easier. If the attacker moves to other similar targets with similar uses, it is called lateral movement. If the attacker


Скачать книгу