Know The Hacker Methodology

The Hacker Methodology

Performing Reconnaissance

Good reconnaissance is critical to great hacking. In general, a good hacker will recon for about 2 to 3 times longer than he/she would performing the actual hack. It's not unusual to spend weeks or months gathering information before even beginning to attempt an exploit.

Most exploits are dependent on operating systems, applications, ports, and services, so you need to gather this information before you start hacking. If you don't, you will likely fail, get caught, or both. I can't emphasize this enough. Newbie hackers are always so anxious to get to the exploit that they often ignore this phase of the attack.

Recon can be broken into at least two categories, passive and active.

Passive Reconnaissance

Passive reconnaissance can be defined as gathering information about the target without actually "touching" the target, or in a way that looks like normal traffic.

I have already shown you how to use Netcraft to gather info about websites, such as the web server, operating system, last reboot, and other technologies. All of this information is critical before starting the hack. Most recently, I gave a lesson on how to use FOCA to gather metadata from documents on a website.

In addition, passive reconnaissance can include DNS and SNMP mining, dumpster diving, social engineering, using social media such as Facebook and LinkedIn, and of course, Google hacking, among other techniques.

Active Reconnaissance

Active reconnaissance is information gathered about the target by actually sending packets to the target and evaluating the response. The results of active recon are much more specific and reliable, but also much riskier. Anytime we send a packet to a site, our IP address is left behind.

Nmap, Hping, Netdiscover, P0f, and Xprobe2 are among the many tools we can use to gather info on remote targets that can be useful in revealing open ports, running services, and operating systems.

Active recon can also include enumeration of the network. Techniques such as banner grabbing and the use of vulnerability assessment tools such as Nessus, Nikto, and Retina are also often a part of this phase.

Exploitation

Exploitation is defined as taking a vulnerability identified during our recon phase and using it to gain access to the intended machine. As you can see from the example machine above, we have a TON of ports and services available. Each of these services is a potential entry point into the victim's network, because each one is an open line of communication to the outside world. A popular framework for exploitation is Metasploit. Metasploit is too large a topic to cover here and will be covered in future lessons. If you're interested in looking further now, I suggest reading Metasploit: The Penetration Tester's Guide. Another method would be sending a phishing email to one of the targets identified during the recon phase that calls back to a listener you have running on your attack box.

Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include viewing and editing files, or modifying system files.

Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

  • Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.)
  • Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)
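The two forms above, shown as code. This is an added example and not part of the original post: a constructed "Internet Banking" account lookup with the vulnerable handler beside its hardened form, so the missing authorization check is visible. The accounts, users and Session class are all made up here.

```python
# Added example (not from the original post). A toy Internet Banking API
# showing horizontal escalation (User B reads User A's account) and
# vertical escalation (a customer calls an admin-only function), with the
# hardened versions alongside. All data below is constructed.

ACCOUNTS = {  # constructed: account_id -> (owner, balance)
    101: ("alice", 2500),
    102: ("bob", 900),
}


class Session:
    """Constructed stand-in for an authenticated web session."""
    def __init__(self, user, role="customer"):
        self.user = user
        self.role = role


class Forbidden(Exception):
    pass


def get_account_vulnerable(session, account_id):
    # Vulnerable: trusts the client-supplied account_id and never compares
    # it with the session identity, so any logged-in customer can read any
    # other customer's account (horizontal privilege escalation).
    owner, balance = ACCOUNTS[account_id]
    return {"owner": owner, "balance": balance}


def get_account_hardened(session, account_id):
    # Hardened: authorization is decided by the server-side session, not a
    # request parameter. Admins may read any account (an intended vertical
    # privilege); customers may only read accounts they own.
    owner, balance = ACCOUNTS[account_id]
    if session.role != "admin" and owner != session.user:
        # Denied attempts are worth logging: a run of them from one session
        # is a good detection signal for account-id enumeration.
        raise Forbidden(f"{session.user} may not read account {account_id}")
    return {"owner": owner, "balance": balance}


def list_all_accounts_hardened(session):
    # Admin-only function. Without this role check, a customer could call
    # it directly (vertical escalation) even if the UI never shows a link.
    if session.role != "admin":
        raise Forbidden(f"{session.user} is not an administrator")
    return sorted(ACCOUNTS)
```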

Establish Persistence (setting up backdoor)

At this point we would drop in a backdoor or remote access tool. This gives us persistence on the machine, that is, the ability to come and go as we please in the event we get disconnected from the victim. It will be necessary to leave behind a listener or rootkit. Ideally, this listener will persist across reboots and will be there when we want to come back to the system and continue to use/exploit/extract.

This listener can take many forms, such as Netcat, a command shell, VNC, Meterpreter, etc.

Maintaining access to a computer system is a sensitive exercise that must be explained to, and explicitly agreed with, the client. Many businesses want a penetration test performed but are wary of letting the penetration testing firm leave backdoors under its control. Most companies and individuals worry that these backdoors will be found and used by an unauthorized third party.

Extracting Data

Now that we have established persistence, let's get to the real stuff: data exfiltration. This is the point where you set up some kind of tunnel to your attack platform, or to a dead drop on some server that you will be using as an intermediary, and pull off any data that you consider important. On a *nix system this will comprise at LEAST the /etc/shadow and /etc/passwd files; on Windows it will be the SAM file and registry. E-mails are often good to go for, as people send out lots of information such as passwords, phone numbers, etc.

This can be credit card data, personally identifiable information (PII), intellectual property, or other valuable information.

To do so, we need a way to remove the data in a way that is not readily noticeable by the sysadmin, and ideally, encrypted. Recub and Cryptcat are two tools that can remove data stealthily.

Covering Your Tracks

The big one: how not to get caught. We could spend forever talking about covering your tracks and ways to do this, but for the purpose of this lesson it means system log and tool clean-up. You need to restore the machine to the way you found it. If you exploited a vulnerability in a machine, you want that vulnerability to stay there so you can use it again later. To make certain that our exploits don't lead back to us, we need to cover our tracks. This can take many forms, such as clearing log files, removing any software we uploaded, removing our command history, etc. Metasploit's Meterpreter has a killav script to disable antivirus software, as well as a clearev command that removes the event logs on Windows systems.
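From the defender's side, clearing the Windows event logs is itself loud: Windows writes Security event 1102 ("The audit log was cleared") and System event 104 when a log is cleared, and that record survives the wipe. The following is an added example, not from the original post, of a small detector run over constructed sample events in a simplified JSON shape (not a real export format).

```python
# Added example (not from the original post): flag event-log clearing, the
# trace that log clean-up such as clearev leaves behind. Windows logs
# Security 1102 and System 104 when a log is cleared. Sample events below
# are constructed in a simplified JSON shape, not a real export.

import json

# Constructed sample events; one host has its logs cleared right after a
# shell is started, the other shows only a normal logon.
SAMPLE_EVENTS = [
    '{"host":"WS01","channel":"Security","event_id":4624,"user":"jsmith","time":"2024-05-01T09:00:00Z"}',
    '{"host":"WS01","channel":"Security","event_id":4688,"user":"jsmith","time":"2024-05-01T09:05:00Z","process":"cmd.exe"}',
    '{"host":"WS01","channel":"Security","event_id":1102,"user":"jsmith","time":"2024-05-01T09:06:00Z"}',
    '{"host":"WS01","channel":"System","event_id":104,"user":"jsmith","time":"2024-05-01T09:06:01Z"}',
    '{"host":"WS02","channel":"Security","event_id":4624,"user":"svc_backup","time":"2024-05-01T09:07:00Z"}',
    'not json at all',
]

# (channel, event_id) pairs that mean "an event log was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def detect_log_clearing(lines):
    """Return one alert dict per log-clear event found in the input lines."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines; a real pipeline should count them
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEARED:
            alerts.append({
                "host": ev.get("host"),
                "user": ev.get("user"),
                "time": ev.get("time"),
                "reason": f"{key[0]} log cleared (event {key[1]})",
            })
    return alerts


def summarize_by_host(alerts):
    """Count clear events per host so repeat offenders stand out."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts
```

Because the 1102/104 records are written by the log service itself, forwarding them off-host (e.g. to a central collector) before any clean-up happens is what makes this detection reliable.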

Reporting

Like every other phase we have mentioned in this post, drafting a sound ethical hacking report is crucial. Many ethical hackers wrongly think that they can just present the raw output of the tools they use.

Right or wrong, your reputation as an ethical hacker will be directly tied to the quality of the reports you submit. Learning to put together a well-written report is important for winning clients and landing a prospective job. It is always a good idea to have a sample report available, since many prospective customers will ask for one before making a final decision.