Alan T. Norman - Hacking_ Computer Hacking Beginners Guide (2017)-1-50

If a user notices the pattern, they can easily figure out that they can circumvent the web form user interface and simply type their search terms into the URL scheme that they observed. This sort of URL manipulation is, of course, fairly innocuous when used on services like search engines. However, in the early days of web commerce, these sorts of simple URL semantics were actually used to submit product orders. It wasn’t long before hackers figured out how to manipulate the payment amount as well as the type and number of products that they were ordering. Although most online merchants now have a more secure process, there are still many types of websites and services that have vulnerabilities which can be exploited through URL manipulation.

CROSS-SITE SCRIPTING AND REQUEST FORGERY

Some websites may allow users to interact with the site in such a way that the user’s input becomes part of the website content. One of the best examples of this is websites that feature comments (on photos, articles, etc.) from users. Those comments are normally submitted by users through a web form or similar interface. If an attacker is able to enter something other than a comment - either by URL manipulation or by direct input into the form fields - it could become part of the website code that is accessed by other users. Hackers have learned how to inject malicious code into websites through these form fields by exploiting servers that do not safeguard against this type of attack. The injected code can be written in such a way that other users don’t even know that their browser is running it. This activity has become known as cross-site scripting (XSS), and can be used by hackers to implant malicious code onto user machines or to co-opt user identities in order to log in to a target machine.

When a user logs in to a secure website, that website grants access to resources on its server.
Typically, this access is only granted to that particular user for that single login session. Once the user either logs out or closes the website, they will have to log in again and begin a new session for access. Session information is stored on the user’s system through the use of cookies, which are small files containing useful information about the state of a particular session. Session cookies, or authentication cookies, let the server know that a user is currently logged in. If a hacker is able to intercept an insecure session cookie, they can duplicate it on their own machine and use it to gain access to a target system while the user is in their current session.

For example, if a user is logged into their banking account, a session cookie placed on their computer by the bank lets the bank server know that it is okay to continue allowing the user access to the account. If a hacker is able to obtain that particular session cookie on their own machine, then they can fool the bank server into allowing them access to that account. Hackers achieve this by setting up a fake website that they believe many users will want to visit. Since users quite often use the web with multiple tabs or browser windows open simultaneously, the hacker is hoping that users will be logged in to some secure account while also logged in to the malicious website. When users are interacting with the hacker’s website, they are unknowingly executing scripts through their own browser that send commands to the secure website. Since the secure site (for instance, the bank) is allowing access during that session, it has no way of knowing that the request is not legitimate. This attack is known as cross-site request forgery (CSRF). A common way to execute a CSRF attack is to inject a false server request into something relatively innocent such as a link to an image or some other website element. This keeps the code hidden from the view of the user.
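The comment-form case above, as an added example that is not from the book: a rendering function that pastes the user's comment straight into the page beside one that escapes it, and a session-bound token check that rejects a request the user's browser was tricked into sending from another site. The hostile comment, the session id and the server secret are constructed sample values.

```python
import hashlib
import hmac
import html
from typing import Tuple
from urllib.parse import parse_qs

# Constructed sample input: a normal comment and one that carries script
# instead of text, the kind of form-field input described above.
NORMAL_COMMENT = "Nice photo!"
HOSTILE_COMMENT = '<script>alert("xss")</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable rendering: the user's input becomes part of the page's own
    HTML, so a script tag in the comment runs in every other reader's browser."""
    return "<li>" + comment + "</li>"


def render_comment_safe(comment: str) -> str:
    """Hardened rendering: characters with meaning in HTML are escaped, so the
    browser displays the comment as text instead of executing it."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def issue_csrf_token(session_id: str, server_secret: bytes) -> str:
    """Token tied to the login session. Only the server can derive it, so a
    page on another site cannot supply it for a session it does not own."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, server_secret: bytes, presented: str) -> bool:
    expected = issue_csrf_token(session_id, server_secret)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


def handle_post_comment(session_id: str, form_body: str,
                        server_secret: bytes) -> Tuple[bool, str]:
    """Server-side handler for the comment form.

    Returns (accepted, rendered_html). A request that arrives with the user's
    session cookie but without the form's token (a forged cross-site request)
    is refused before the comment is stored or rendered."""
    fields = parse_qs(form_body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    comment = fields.get("comment", [""])[0]
    if not csrf_token_valid(session_id, server_secret, token):
        return False, ""
    return True, render_comment_safe(comment)


if __name__ == "__main__":
    secret = b"constructed-server-secret"      # constructed value
    session = "sess-123"                       # constructed session id
    print("unsafe:", render_comment_unsafe(HOSTILE_COMMENT))
    print("safe:  ", render_comment_safe(HOSTILE_COMMENT))
    genuine = "comment=hi&csrf_token=" + issue_csrf_token(session, secret)
    print("own form:   ", handle_post_comment(session, genuine, secret))
    print("forged post:", handle_post_comment(session, "comment=hi", secret))
```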
In the cases illustrated above, for SQL injection, URL manipulation, cross-site scripting, and cross-site request forgery, the vulnerabilities which are being exploited can be mitigated fairly easily by checking user input for suspicious content before executing it. Website programmers have caught on to many of these attack methods, and are trying to make their sites less vulnerable while at the same time still providing access and services to users. This is why it is so important to understand the nature of hacking and the different types of attacks.

CHAPTER 6. MALICIOUS ACTIVITY AND CODE

The Latin root word “mal” means, simply, “bad”. Malicious activity is thus characterized by the intent to do harm. In hacking, that harm might take the form of the theft of money, property, or reputation. It may also simply amount to sabotage for its own sake or to serve some other cause. Because so many vital systems are now digitized, interconnected, and online, hackers have the potential to do damage on small and large scales.

DENIAL-OF-SERVICE ATTACKS

When we see somebody on the street, whether friend or stranger, that we wish to speak to, we typically don’t just walk up to them and begin speaking about whatever topic is on our mind. The general protocol for human communication is to first execute some sort of greeting. One might say “hello” (or some variant) and say the person’s name, and perhaps give a quick handshake - then when the other party responds, the conversation begins. The same sort of procedure is expected when initiating a telephone call, in which case it serves more of a practical purpose because both participants in the conversation generally want to be sure that they know with whom they are speaking. The first few words in the conversation serve to acknowledge the identity of both parties. This protocol is also used in computer network communications.
Rather than simply blasting out requests, commands, or data haphazardly, one node in a network will attempt to first acknowledge the presence and readiness of the node with which it is attempting to communicate. In normal network conversation, typically through the TCP protocol, a three-way handshake procedure is expected to occur. During this handshake, a synchronization (SYN) packet is first sent from the initiator of the conversation to the receiver. This packet contains the IP address of the sender, and a flag within the packet indicates to the receiver that it is indeed a SYN packet. If the SYN packet is successfully delivered, and the recipient is ready for communication, it will send an acknowledgment (ACK) packet back to the sender containing its own IP address as well as a flag indicating that it is an ACK packet. Finally, the original sender will send an ACK packet to the recipient, and then normal communication can commence.

Sometimes, packets are lost in delivery between network nodes for one reason or another. This can occur because of high traffic, because of malfunctions in the network hardware, electrical or electromagnetic interference, and other reasons. Therefore, if a sender does not receive an ACK packet from the intended recipient within a prescribed period of time, it will send out another synchronization request. Likewise, a recipient will continue to transmit an ACK packet indefinitely until it receives an acknowledgment from the original sender. A normal handshake, without the interruptions that result from lost packets, is summarized as follows:

1) Sender: SYN → Recipient
2) Recipient: ACK → Sender
3) Sender: ACK → Recipient
4) Sender ⇄ Recipient

Any given network node only has the capacity to communicate with a finite number of other nodes. When a hacker is able to disrupt the handshake process by causing the repeated transmission of SYN and ACK packets, legitimate communication can be significantly slowed down or even stopped entirely.
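A small simulation of the handshake above and of what happens to a recipient's table of half-open connections when senders never complete step 3, as an added example not taken from the book. In the TCP standard the recipient's step-2 reply carries both the SYN and ACK flags (shown here as SYN+ACK); the addresses, backlog size and per-source limit are constructed values.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Key = Tuple[str, int]  # (sender address, sender port)


@dataclass
class Receiver:
    """A node's view of the handshake: SYNs it has answered but whose final
    ACK has not yet arrived occupy a bounded table of half-open connections."""
    backlog: int                              # total half-open slots available
    per_source_limit: Optional[int] = None    # mitigation: cap slots per sender address
    half_open: Dict[Key, str] = field(default_factory=dict)
    established: Set[Key] = field(default_factory=set)
    dropped: int = 0                          # SYNs refused because no slot was free

    def half_open_from(self, src: str) -> int:
        return sum(1 for (s, _) in self.half_open if s == src)

    def handle(self, src: str, port: int, flag: str) -> Optional[str]:
        key = (src, port)
        if flag == "SYN":                                   # step 1: Sender: SYN -> Recipient
            if key in self.half_open:
                return "SYN+ACK"                            # retransmit; slot already held
            table_full = len(self.half_open) >= self.backlog
            source_capped = (self.per_source_limit is not None
                             and self.half_open_from(src) >= self.per_source_limit)
            if table_full or source_capped:
                self.dropped += 1
                return None                                 # no slot: this SYN is lost
            self.half_open[key] = "SYN_RECEIVED"
            return "SYN+ACK"                                # step 2: Recipient -> Sender
        if flag == "ACK" and key in self.half_open:         # step 3: Sender: ACK -> Recipient
            del self.half_open[key]
            self.established.add(key)                       # step 4: normal communication
            return "ESTABLISHED"
        return None


def legitimate_connect(rx: Receiver, src: str, port: int) -> bool:
    """A well-behaved sender completes all three steps."""
    if rx.handle(src, port, "SYN") is None:
        return False                                        # our SYN was dropped
    return rx.handle(src, port, "ACK") == "ESTABLISHED"


def half_open_flood(rx: Receiver, src: str, count: int) -> None:
    """Model of the disruption described above: SYNs keep arriving from one
    address but the final ACK never does, so every answered SYN holds a slot."""
    for port in range(50000, 50000 + count):
        rx.handle(src, port, "SYN")


def suspicious_sources(rx: Receiver, threshold: int) -> Dict[str, int]:
    """Detection: addresses holding more than `threshold` half-open slots."""
    counts = Counter(s for (s, _) in rx.half_open)
    return {s: n for s, n in counts.items() if n > threshold}


if __name__ == "__main__":
    rx = Receiver(backlog=8)                                 # constructed, deliberately small
    half_open_flood(rx, "203.0.113.9", 20)                  # constructed documentation address
    print("legitimate client connects:", legitimate_connect(rx, "10.0.0.6", 40001))
    print("half-open per source:", suspicious_sources(rx, threshold=5))
    rx2 = Receiver(backlog=8, per_source_limit=3)
    half_open_flood(rx2, "203.0.113.9", 20)
    print("with per-source cap, client connects:", legitimate_connect(rx2, "10.0.0.6", 40001))
```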
This type of attack is known as a denial-of-service (DoS) attack.

BASIC DOS

The essential idea behind a denial-of-service attack is to forge the flags within an IP packet header in order to trick a server into transmitting repeated ACK requests. The simplest way to do this is to disrupt the traditional handshake process between steps two and three above. When the recipient sends an ACK request back to the original sender, it is expecting another ACK packet in return so that communication can commence. However, if the sender responds with another SYN request, the recipient is forced to respond with another ACK packet. If this back-and-forth continues, it ties up network resources and ports on the server machine. The situation is analogous to a “knock-knock” joke that never ends… (“knock-knock”, “who’s there?”, “knock-knock”, “who’s there?”, “knock-knock”, “who’s there?”, etc.). This type of simple DoS attack is known as SYN flooding. There are multiple methods of executing a DoS attack, most of which take advantage of vulnerabilities within the TCP/IP protocol itself.

DISTRIBUTED DOS

A distributed denial-of-service (DDoS) attack is one in which a hacker or a group of hackers is able to execute a coordinated DoS attack from a large number of machines. Working together, the machines transmitting the attack packets can simply overwhelm a target system to the point where the server is unreachable by legitimate users, or so slow in response to user requests that it is virtually unusable. In most cases, the machines that are transmitting the attack-related packets are not even in the possession of the hackers that are executing the attack. When hackers are preparing for a large DDoS attack, they implant malicious code on as many machines as possible that belong to users who are not knowing participants in the attack.
Often, these machines are spread out over a large geographic area and multiple networks, sometimes even worldwide, making it difficult for authorities or the security personnel of a victimized system to cut off the attack.

MALWARE

The word malware is a portmanteau describing malicious software. The term covers many different kinds of software that might be implanted on a target machine by hackers to either cause damage or seize control of all or a part of the target. Malware is a widespread and serious problem throughout the internet. There are myriad ways in which malware can behave once activated on a host machine. Some are designed to spread themselves to other machines, and others remain covertly on a host machine to either gather confidential information for the hacker, tie up computer resources, or cause damage to the system. Sometimes malware is placed on a machine in order to later control that machine for use in attacks, such as DDoS, in coordination with other machines that have been taken over en masse.

VIRUSES

Viruses are the oldest and most commonly known type of malware. Like their biological namesakes, viruses are designed to spread from machine to machine, infecting large numbers of users, and sometimes entire self-contained networks in the process. These malicious devices are segments of code that attach themselves (just like biological viruses) to other programs that have otherwise legitimate purposes. When the legitimate program is activated by an unsuspecting user, the virus code is executed and can run without ever being noticed. When a virus is activated, it makes a copy of itself and attempts to attach itself to other legitimate programs within the system or domain to which it has access. This allows the virus to spread throughout an individual node and also to other nodes on the network. A virus is not usually written by a hacker to simply spread itself around, however.
Typically, the hacker has a specific task in mind for the virus to complete when it reaches its destination. Since it is designed to remain hidden, a virus can perform any number of actions on its host machine. It can collect personal and financial information and covertly use the computer’s own communications capabilities to relay the information back to the hacker. Other viruses are designed to delete information or cause disruptions in a computer’s operation or communication. A virus can even be written to cause physical damage to a computer system. For example, one particular virus that was widespread in the 1990s was designed to cause the motor-controlled armature on the host’s optical hard drive to rapidly move back and forth until the motor failed. This sort of virus can do a great deal of damage to computer-controlled machinery that has network connectivity.

WORMS

Worms are similar to viruses in that they are designed to replicate and spread throughout a system or network. However, since viruses are part of larger programs, they must be downloaded by the user and their host program must be launched before the malicious code can be executed. Conversely, a worm is its own self-contained program. Worms also differ from viruses in that they do not require a user to open another program in order for them to execute. Once a worm infects a machine, it can replicate itself and then spread to another system through the network. Rather than causing damage or gaining access to systems, the purpose of a worm is normally to consume system and network resources in order to slow down or halt that system’s operation by occupying memory and network bandwidth. Occasionally, a worm may be used to gather information as well.

BEWARE OF “GEEKS” BEARING GIFTS

Legend has it that the epic war between the Achaeans (ancient Greeks) and the Trojans ended when the crafty hero Odysseus fashioned a giant wooden horse and left it at the gates of Troy as an apparent offering to the city.
Unbeknownst to the grateful Trojans, who wheeled the large gift into their city and behind their notoriously secure walls, there was a contingent of Greek soldiers hiding inside the hollow belly of the horse. The soldiers emerged that night under cover of darkness to open the gates for the rest of the Achaean army, who entered and subsequently sacked the city. For thousands of years, whether true or not, this story has served as a cautionary tale - reminding us to be vigilant and that sometimes things which might seem harmless or innocent can lead to our downfall.

In computer hacking, a Trojan horse is a piece of malware that appears to be legitimate or desirable software. It may even function normally in whatever purpose for which the user downloaded it. The typical purpose of a Trojan horse, often just called a “Trojan”, is to give a hacker remote access and control of the target system. Any malware that is written to give a hacker surreptitious control over the processes of a user’s machine is known as a rootkit. Viruses, worms, and Trojans, as well as the various payloads that they deliver to target systems, take a good bit of programming skill in their creation to be successful. Computer security professionals as well as anti-malware products focus a great deal of effort on thwarting these malicious programs. Hackers that deal in malware are constantly honing their skills, and their creations are evolving in complexity.

CHAPTER 7. WIRELESS HACKING

The proliferation of readily available Wi-Fi networks has made Wi-Fi one of the most common network mediums. Wi-Fi is in many ways superior to traditional copper-wire, physically connected networks. Aside from the convenience of connectivity and the flexibility of network configurations that wireless networks afford the users, the lack of physical infrastructure needed to complete the network makes it much cheaper and easier to implement than Ethernet.
With this convenience, however, come certain security concerns that are not associated with traditional hardwired networks. With a copper or fiber-based network, a physical connection is needed for a new machine to join the network. A hacker would normally have difficulty accessing the physical space of a target network and would likely arouse suspicion attempting to connect their own hardware to network cabling. Although the range of Wi-Fi is limited, it is omnidirectional, and the radio-frequency signals emitted by the server and the various nodes on a wireless network traverse walls and other barriers and can be intercepted by anyone in range. This gives the hacker much more freedom to conduct a network intrusion without being detected.

HACKING WI-FI

Most Wi-Fi networks consist of a wireless router, or a group of wireless routers, that are connected to a modem which is delivering internet access to some physical location. The routers broadcast and receive radio signals on specific channels that carry the appropriate TCP/IP packets to and from other machines and devices that have similar wireless connectivity. All nodes communicating at any given time on the channels associated with the router or routers that are connected to the modem at that location comprise a Wi-Fi network. By nature, Wi-Fi networks are very dynamic and fluid. Especially in commercial settings, like coffee shops or office buildings that provide wireless access, the number and nature of the nodes on that particular network are in constant flux. In these public settings, it is easy for a hacker to hide in plain sight and attempt to intrude into any of the nodes on the network. Once the hacker is successfully on the network itself, they can scan the network for all connected machines and probe for vulnerabilities. Many networks have both wireless and wired subnetworks that are interconnected.
When a hacker gains access to a wireless network, they can conceivably use that to leverage access to all of the nodes on the wired portion of the network. This makes Wi-Fi hacking a very popular goal for modern hackers.

WI-FI ENCRYPTION PROTOCOLS

Since Wi-Fi signals are broadcast into the air as opposed to being confined within wires, it is important for the information contained in the signals to be encrypted. Otherwise, anyone could passively receive and view any information being sent between the nodes on the network. The encryption protocols used in Wi-Fi have necessarily evolved since wireless networks began gaining popularity. Moreover, as technology has improved and resulted in increased bandwidth and data rates, a great density of information can be broadcast from a wireless network in a very short period of time, making it especially important for it to be encrypted and kept out of the hands of malicious hackers.

The oldest and most common Wi-Fi encryption protocol is Wired Equivalent Privacy (WEP). The goal of the WEP standard, as the name implies, was to give network users the same amount of security that they would have on a physically connected network. Unfortunately, over time WEP has become the least secure of all of the existing encryption protocols, and it is quite easily hacked by even the most inexperienced hackers. WEP is so insecure, in fact, that many Wi-Fi router manufacturers no longer provide that type of encryption as an option on their hardware. Most security professionals recommend that router owners do not use WEP when other options are available. Step-by-step instructions and coding examples for attacking WEP-protected Wi-Fi networks are freely and readily available on the internet. Although the level of encryption has increased from 64 bit to 128 bit to 256 bit, the underlying flaws in WEP remain easily exploitable by even the most green of neophyte hackers.
The biggest problem with WEP is that a password can be quickly and easily deciphered simply through the passive “sniffing” (receiving and viewing network packets) of network traffic.

A significant step up from WEP Wi-Fi encryption is the Wi-Fi Protected Access (WPA) standard of encryption. This new protocol fixed many of the problems in WEP, but remained vulnerable to attack because it was still based on some of the same underlying encryption algorithms. Furthermore, WPA-protected routers were deployed with a feature that was designed to make it more convenient for home users to connect new devices to their network. This feature proved to be an additional vulnerability in systems that employed WPA. It wasn’t long before an update to WPA was needed to keep Wi-Fi networks more secure. A new encryption standard being used in other secure applications, the Advanced Encryption Standard (AES), became mandatory in the new Wi-Fi encryption protocol, which became known as WPA-2. WPA-2 with AES encryption has become the recommended setting for wireless routers on which it is available because of its significant improvement in security over its preceding standards. Cracking WPA and WPA-2 requires more intrusive hacking techniques than the simple passive sniffing that can be used to attack WEP-protected networks.

WI-FI ATTACKS

In order to conduct a Wi-Fi attack, a hacker needs, at a minimum, a computer (normally a laptop) that can run scripts which are used to decipher the Wi-Fi password. They also must acquire a special Wi-Fi adapter that can be purchased relatively cheaply. A list of suitable Wi-Fi adapters can be found on hacker resource websites, but in general the adapter must have a feature known as “monitor mode” in order to be able to execute a Wi-Fi attack. It is important to note that not all Wi-Fi adapters that can be found at retail computer supply stores have this feature, and most internal laptop adapters are not appropriate.
In general, hackers prefer to use some sort of Linux distribution, usually Kali, to conduct a Wi-Fi attack because most of the readily available tools were written for the Linux OS and come preinstalled on Kali. It is also possible, with some configuration, to run Linux on a virtual machine within another OS to mount a successful attack. Although attacks from other operating systems are possible, it is much easier for the beginner to conduct them from either a native Linux distribution or a virtual machine. A hacker-friendly distribution like Kali is recommended. The detailed procedures and recommended programs for conducting Wi-Fi attacks against the various encryption protocols change over time, although the general principles are the same. For the simplest attack, which is against WEP encryption, the general steps are as follows:

1) Monitor and view all Wi-Fi traffic in the range of the adapter while in “monitor mode” (set by a program called airmon-ng) using a program called airodump-ng.

[Figure: Live Wi-Fi Traffic on Several Routers (aircrack-ng.org)]

2) Choose a target Wi-Fi network that is using WEP encryption and make a note of the name (ESSID) and network address (BSSID in the form XX:XX:XX:XX:XX:XX)