- Discuss the current state of hacking. Identify at least four classes of motivations for hackers including (http://www.sans.org/critical-security-controls/) nation-state funded as one of the four. Identify their generally required skill levels and why each may represent a different level of threat to systems. Identify their major goals and objectives and motivators. Discuss how they are similar and how they contrast one another. Describe.
The term hacking initially just referred to ethical hacking – the act of learning about computer systems, their working, detecting problems in it and eventually writing new programs to solve these problems. However, over the years the concept of hacking has been exploited to give way to cyberwar, cyberterror and cybercrime . The Internet has become a medium for data and network exposure, and this has made any organization’s internal secrets a target for many criminal-minded hackers with skill in their hands. In the latest years, cybercriminals are increasing by targeting not only new platforms, but also online transaction related activities as a means to commit corporate espionage, push political agendas or cause reputational damage. Targeting of mobile phone users, privatization of financial banking Trojans, account takeovers and increased use of manual-assisted cyber attacks are some of the trends that show that cybercrime grows sophisticated every year . Classes of Hacker Motivations include the following:
- White Hat Hackers: These hackers are professional computer experts or engineers who perform penetration tests and hack their own organization’s system to discover the vulnerabilities in the system and how that can be used by a potential hacker. Their aim is to protect their organization.
- Black Hat Hackers: These are hackers who break into a system or a network in an unlawful manner, or create a computer virus to incite public nuisance or if some company pays them.
- Cyber Terrorists: These hackers are by far the most dangerous, because they have political or religious goals to create terror by disrupting a critical system and have the skills to match it. Their ultimate motivation is to spread fear and terror.
- Hacktivists: Hacktivists, or hacker activists are activists who have some protest or a goal from a political or religious point of view and use hacking systems and networks as a tool.
- Spy Hackers: As the names suggests, Spy Hackers are spies who are placed in an organization by an opponent organization to glean critical information or steal trade secrets. It is a method to commit corporate espionage, where the spy may join as an employee in the target organization and take advantage of his/her employment status .
- Discuss how the process of footprinting, fingerprinting, enumeration, research, escalation/attack (privilege escalation, session high jacking), enabling repeat visits and covering tracks create a methodology for a system compromise? Do hackers/attackers really follow this model?
Footprinting is a systematic and methodical technique that involves the profiling of all the aspects of an organization by an attacker. Using a combination of tools and techniques, attackers can extract a specific range of domain names, network blocks and individual IP addresses of systems that are directly connected to the Internet . Stack fingerprinting uses discrete fluctuations in the TCP stack implementation to determine the type of a remote operating system. The tools used for fingerprinting are Queso and Nmap.
Enumeration is the first step to targeting a system. It involves active connections to the system and directed queries. Enumeration techniques tend to be platform-specific and are therefore heavily dependent on information gathered through Scanning. The information that an attacker seeks via enumeration includes user account names (to inform subsequent password-guessing attacks), oft-misconfigured shared resources (unsecured file shares), and an older version of software with known security vulnerabilities (such as web servers with remote buffer overflows). Once a service is enumerated, the system is all but ready to be compromised .
The hacker also needs to keep up with the most recently discovered vulnerabilities and other exploits through vulnerability research to gain an advantage and knowledge to attack the system. It includes discovering system design faults and weaknesses and checking out for new security related products . Once attackers have obtained a user account on a system, they set about in obtaining Administrator or System equivalent privileges. This is called as privilege escalation attacks. However, privilege escalation attacks aren’t very effectives if the attackers have logon to the server already, because they already have access to everything that they want .
Session hijacking describes a variety of hacking techniques by which an attacker can effectively steal or share a session with a legitimate host. The objective of session hijacking is generally to try to hijack an interactive login session (Telnet, FTP session), to gain unauthorized access to a system, or to capture file or session data .
- Describe what network mapping and enumeration accomplishes for the hacker. (Tell me about the network discovery process and enumeration that can lead to a successful access.) Discuss tools that can be used for SNMP, Windows, UNIX, and SMTP.
Before gaining unauthorized access to a network, an attacker must know the topology of the network. An attacker can specifically scan the target network to obtain a list of live hosts, and begin mapping the target to understand its architecture and the kind of traffic it allows. The goal of discovery is to start with no information and then gather as much data as possible about the target network and systems. The process of discovering this information is called as network enumeration.
Having completed some initial network and IP reconnaissance (information gathering) using Internet whois databases and the Domain Name Systems, the progress of an attack will require the presence of live IP targets through ICMP port sweeps and ping sweeps. Using ICMP (Internet Control Message Protocol), an attacker can both validate networked systems and map out the topology of the network on which the target reside, including gateways, routers, firewalls, and intrusion detection systems. This may have a significant bearing on how an attack proceeds or leads to the identification of addition, vulnerable targets. Network Mapping is generally accomplished by tools that use the ICMP. The utility of ICMP for this type of activity is that it was essentially designed to troubleshooting of routing and connectivity issues in IP networks, and therefore incorporates features that make it useful for network mapping .
Network Enumeration Tools for:
- SNMP: SNMPUtil, IP Network Browser
- Windows: NBTScan, DumpSec
- UNIX: Smbclient, Nmblookup
- SMTP: Metaspoilt, Nmap, smpt-user-enum
- Discuss the vulnerabilities of Sendmail and how you would test for vulnerabilities against Sendmail.
Sendmail is a mail router program that was designed to route email between peers on a network and between networks. Unlike an application which a user would use to format and send messages, sendmail accepts formatted messages from an email program, and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP). Its vulnerabilities are listed out by the MITRE CVE as follows.
- Authentication bypass vulnerability
CVE 2009-4565: Sendmail before version 8.14.4 does not properly handle the null character in the Common Name field of an X.509 certificate. An attack could result in spoofing arbitrary SSL-based SMTP servers.
- Heap based Buffer Overflow vulnerability
CVE 2009-1490: Sendmail before version 8.13.2 has a buffer overflow vulnerability that allows remote attackers to cause a denial of service or possibly execute arbitrary code via a long X-header.
- Long Header Denial of Service
CVE 2006-4434: Sendmail before version 8.13.8 has a denial of service (crash) vulnerability which can be exploited by a long header line. This long header line causes a dangling pointer, where data that has already been freed is referenced.
- MIME Recursion Denial of Service
CVE 2006-1173: Sendmail is affected by a denial-of-service vulnerability caused by excessive recursion while delivering a distorted MIME message. An attacker could cause messages in the queue to fail to be delivered.
- SMTP Timeout Buffer Overflow vulnerability
CVE 2006-0058: There is a race condition vulnerability which may potentially result in a buffer overflow in the Sendmail Mail Transfer Agent. It may result in arbitrary code execution.
Critical Security Controls for Effective Cyber Defense. Web.n.d.
E.C.Counil. Ethical Hacking and Countermeasures: Attack Phases. NY: Cengage Learning, 2010.Print.
EMC2. "The Current State of Cybercrime 2013." White Paper. n.d.
Erickson, Jon. Hacking: The Art of Exploitation. San Francisco: William Pollock, 2008. Print.
Jordon, Tim. Hacking: Digital Media and Technological Determinism. Cambridge: Polity Press, 2008. Print.
Klevinsky, T. J., Scott Laliberte and Ajay Gupta. Hack I.T.: Security Through Penetration Testing. Boston: Pearson Education, 2002. Print.
McClure, Stuart, Joel Scambray and George Kurtz. Hacking Exposed 6. New Delhi: Tata McGraw Hill Education Pvt Ltd., 2009. Print.
Pankaj, S. Hacking. APH Publishing, 2005. Print.
Siciliano, Robert. McAfee Blog Central. Web. n.d.
Young, Susan and Dave Aitel. The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks. New York: Auerbach Publications, 2005. Print.