SE 4C03 Simon Tai 9812650

HACKERS AND HACKING

1. Introduction

Hacking is easily associated with invasion of privacy. Because hacking gives hackers information they were not authorized to see, it instantly grants them more power; in the computing world, information is power. Humans are easily drawn by such temptation, and most hackers are no exception. In its original sense, hacking meant dedication or passion for a particular interest or craft, and a hacker was someone passionate about what he or she does. Since the information revolution the word has become a buzzword and, largely through misinformation by the media, is generally taken to mean illegal or destructive use of computer systems. To distinguish true hackers from destructive computer users, the latter are sometimes called crackers. The distinction is a technicality, so for the rest of this paper the term hacker refers to a destructive computer user.

2. Tools of the Trade

Much like unauthorized entry in real life, hacking gives hackers access to other people's private information. The actions a hacker may take range from merely reading the information to altering or deleting it completely. This section gives only a brief overview of some popular tools and methods; enumerating them all is outside the scope of this report.

2.a Reconnaissance

The first step of an attack is to interrogate the target network and discover the number and types of machines connected to it. whois is a free UNIX program that queries a public registry server, at the time of writing InterNIC, for the organization, contacts, name servers and address ranges registered for a domain. From this a hacker can quickly determine the addresses of the target's servers, in particular its name servers, for further interrogation. Once a name server's IP address is known, one can use nslookup to attempt a zone transfer.
A zone transfer, if the name server permits it, returns the complete contents of the DNS zone: the hostnames and IP addresses of every machine the organization has registered in it. This is why correctly configured name servers refuse transfers to hosts other than their own secondaries. To investigate the hosts of a sub-network further, nmap can sweep a range of IP addresses: it sends ICMP echo (ping) requests, or TCP probes where ICMP is filtered, to each address in the specified range and reports which ones answer. Finally, once a target host is located, strobe, netcat or nmap can determine precisely which services are listening on it.

After a plausible target has been identified without tripping any security measures, the next step is to enumerate valid users or resources on it. Enumeration techniques are specific to the operating system. Windows 2000 and Novell systems both accept anonymous connections; on Windows this is the null session, an SMB connection to the IPC$ share made with an empty username and password. A null session does not by itself give control of the machine, but it lets a remote attacker list user accounts, groups, shares and password-policy settings, which is exactly the information needed to guess passwords or pick targets for the attacks described below. On UNIX systems one can rely on the classic tool finger, which can give almost all the information about the users of a system: login names, real names, home directories, shells, and when each user was last logged in.

2.b Windows 2000

Denial of service attacks are often accomplished by crashing a service or exhausting a resource on the target, and buffer overflows are one way of doing the former. Compared with its predecessor, Windows NT 4, Windows 2000 is much more robust against such attacks, but no defense is perfect. One method is to send massive numbers of IP fragments or SYN packets so that the volume overwhelms the target's ability to reassemble the fragments or track the half-open connections; strictly this exhausts kernel resources rather than overflowing a buffer, but the effect, a host that stops answering, is the same. An overflow that merely crashes a process is a denial of service; one that overwrites a return address or other control data lets the attacker run code with that process's privileges, which for a system service means the system itself. Once an attacker has a valid user account on a Windows 2000 system, he can use privilege escalation, exploiting a local flaw to run code with higher rights than the account has, a problem present in most operating systems today, to obtain the password hash of the administrator account.
For instance, an attacker who can execute a program as SYSTEM on the target can have it read the password hashes that the system keeps protected from ordinary users, and then crack the hashes offline elsewhere. Well-known tools for obtaining password hashes on Windows 2000 systems include pwdump2, which runs on the live system and injects code into the LSASS process to read the hashes, and chntpw, which is booted from separate media and works on the SAM file directly while Windows is not running; chntpw is used mostly to reset or blank a password rather than to recover it.

2.c UNIX

As mentioned earlier, a buffer overflow can result in denial of service. On UNIX systems the consequence can be much more severe. For example, a hacker can send an oversized string to a known fixed-size buffer, such as one in sendmail, with machine code that starts /bin/sh embedded in the string. sendmail does not process the string as a command; rather, the bytes that spill past the end of the buffer overwrite the saved return address on the stack, so when the function returns, execution jumps into the attacker's embedded code instead of back to the caller. Because sendmail runs as root on UNIX systems, the shell it spawns has root privileges.

Besides the typical buffer overflow attacks, one can also exploit programs that fail at input validation, such as web servers and the CGI programs behind them. The most infamous example is the PHF vulnerability. The attack is dated, but it demonstrates perfectly how input validation attacks work. PHF was a CGI program, a phone-book front end, that shipped with NCSA httpd and early versions of the Apache server. It filtered shell metacharacters from the user-supplied query before building a shell command from it, but the filter did not include the newline character, so a request containing an encoded newline followed by a command, such as /bin/cat /etc/passwd, made the web server execute that command; on the many servers of the time that ran as root, the command ran as root. PHF itself is no longer shipped, but other CGI scripts still have the same class of flaw today because of bad programming practice or improper installation of the web server.

3. Prevention and Counter Measures

Understanding the methods of hacking is the first step to preventing it. As the previous section shows, attacks are very specific. Instead of guarding against individual attacks one at a time, it is more effective to have general provisions for preventing them. Firewalls and filtering routers are mature, well-understood products these days.
They are a necessity in almost every network, because most operating systems do not provide sufficient network security on their own. Proxy servers should be used wherever possible, since they put a good barrier in front of the inside network. Information about the details and structure of the internal sub-networks should not be publicly accessible, which means, among other things, refusing zone transfers to outside hosts and keeping internal hostnames out of public DNS. Operating systems can be made as secure as possible, SELinux being one example, but with the current design of software most operating systems still contain privilege escalation flaws.
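The sendmail-style overflow described in section 2.c, as an added example that is not part of the original paper: a daemon copies attacker-controlled input into a fixed-size stack buffer with no length check, beside the hardened form that refuses oversized input. The buffer size, function names and the "/bin/sh"-marked filler standing in for real shellcode are illustrative assumptions, not details of sendmail.

```c
/*
 * Added example (not from the original paper): the class of bug the
 * sendmail overflow in section 2.c belongs to.  A daemon copies
 * attacker-controlled input into a fixed-size stack buffer without
 * checking the length.  Input longer than the buffer overwrites the
 * saved return address; if the input also carries machine code that
 * calls execve("/bin/sh"), the daemon's own privileges (root, for
 * sendmail) are handed to the attacker.  The buffer size and the
 * function names are illustrative assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define LINE_MAX_ 64   /* hypothetical size of the daemon's line buffer */

/* Vulnerable pattern: no length check before the copy.  Calling this
   with more than LINE_MAX_-1 bytes is undefined behaviour and, on a
   classic stack layout, overwrites the saved return address. */
int handle_line_vulnerable(const char *input)
{
    char line[LINE_MAX_];
    strcpy(line, input);              /* overflow if input is too long */
    return (int)strlen(line);
}

/* Hardened pattern: measure first, and refuse oversized input outright
   rather than truncating it silently (truncation can hide an attack). */
int handle_line_safe(const char *input)
{
    char line[LINE_MAX_];
    size_t n = strlen(input);
    if (n >= sizeof line)             /* no room for the terminator */
        return -1;
    memcpy(line, input, n + 1);
    return (int)n;
}

/* Build the attacker's string from the paper: `total` bytes of filler
   with "/bin/sh" embedded at the end, standing in for a real payload
   whose exact bytes depend on the target.  Caller frees the result. */
char *build_payload(size_t total)
{
    static const char marker[] = "/bin/sh";
    char *p = malloc(total + 1);
    if (!p) return NULL;
    memset(p, 'A', total);
    if (total >= sizeof marker - 1)
        memcpy(p + total - (sizeof marker - 1), marker, sizeof marker - 1);
    p[total] = '\0';
    return p;
}

int main(void)
{
    char *payload = build_payload(300);
    if (!payload) return 1;
    printf("safe handler on 300-byte payload: %d (rejected)\n",
           handle_line_safe(payload));
    printf("safe handler on a normal line:    %d\n",
           handle_line_safe("HELO mail.example"));
    /* handle_line_vulnerable(payload) is deliberately not called:
       it would corrupt this process's stack. */
    free(payload);
    return 0;
}
```

The safe version returns -1 instead of truncating because a silently shortened SMTP line would still be processed, and the length check is the only defense that does not depend on the contents of the input.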
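The PHF input validation failure from section 2.c, as an added example that is not part of the original paper: a denylist escaper that misses the newline, the same escaper with the line terminators the fix added, and the allowlist check that a phone-book alias should have had in the first place. The metacharacter set is reconstructed from the published description of the bug and is an assumption, not a copy of the historical phf or escape_shell_cmd source.

```c
/*
 * Added example (not from the original paper): the PHF-style input
 * validation failure.  NCSA httpd / early Apache passed the CGI
 * parameter through a metacharacter escaper before building a shell
 * command line.  The escaper handled the usual shell metacharacters
 * but not the newline, so an encoded newline followed by a command
 * (x%0a/bin/cat%20/etc/passwd) survived it and the shell ran the
 * second line as a command of its own.  The metacharacter list below
 * is an assumption reconstructed from descriptions of the bug.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Denylist as shipped: no '\n', the PHF defect. */
static const char OLD_METACHARS[]   = "&;`'\"|*?~<>^()[]{}$\\";
/* Same list with the line terminators that the fix added. */
static const char FIXED_METACHARS[] = "&;`'\"|*?~<>^()[]{}$\\\n\r";

/* Backslash-escape every byte of `in` that appears in `meta`.
   Returns 0 on success, -1 if `out` (outlen bytes) is too small. */
static int escape_shell_cmd(const char *in, const char *meta,
                            char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (const char *p = in; *p; p++) {
        if (strchr(meta, *p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

/* The vulnerable behaviour: newline passes through untouched. */
int phf_escape_old(const char *in, char *out, size_t outlen)
{
    return escape_shell_cmd(in, OLD_METACHARS, out, outlen);
}

/* The patched behaviour: newline and carriage return are escaped. */
int phf_escape_fixed(const char *in, char *out, size_t outlen)
{
    return escape_shell_cmd(in, FIXED_METACHARS, out, outlen);
}

/* What a CGI program should do instead of escaping: the value is a
   login-style alias, so accept only the characters such a name can
   contain and reject everything else.  No list of bad characters to
   keep up to date. */
int alias_is_safe(const char *in)
{
    if (*in == '\0') return 0;
    for (const char *p = in; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: the classic PHF request after URL decoding. */
    const char *attack = "x\n/bin/cat /etc/passwd";
    char out[256];

    phf_escape_old(attack, out, sizeof out);
    printf("old escaper keeps raw newline: %s\n",
           strchr(out, '\n') && *(strchr(out, '\n') - 1) != '\\' ? "yes" : "no");
    phf_escape_fixed(attack, out, sizeof out);
    printf("fixed escaper keeps raw newline: %s\n",
           strchr(out, '\n') && *(strchr(out, '\n') - 1) != '\\' ? "yes" : "no");
    printf("allowlist accepts 'jdoe': %d, accepts attack: %d\n",
           alias_is_safe("jdoe"), alias_is_safe(attack));
    return 0;
}
```

The point of the allowlist is that the denylist was wrong not because its author was careless about one character, but because any list of characters the shell treats specially has to be complete for every shell on every platform; restricting the value to what the application actually needs sidesteps that question.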

