Anatomy of a Hack

Tiberius_Fel writes "Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data. Even though it makes references to Windows, the techniques can be applied to other operating systems fairly easily." From the article: "Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things."

How to protect your Windows Network

[casings]

Shut it off.

For Some, it just isn't worth it.

[Quentusrex]

For all too many business owners and managers out there it just isn't worth it for them to learn to secure computers. They have enough trouble learning and keeping up with the business they have. Normally it isn't until they are breached that they realize that security is a need.

But that's what America is for. They need something, but don't have the time to do it. So you learn how to provide for their need, and sell it to them.

hey beavis!

[sycotic]

heh heh heh, he said "penetration testing", heh heh heh

Raising the bar

[lheal]

A lot of people will post on this story about how weak Windows is, or how great OpenBSD is, or whatever.

The keys to secure computing are

1. Deciding what you value.
2. Finding your comfort level - how "secure" do you need to feel?
3. Creating a multi-layer system to make it more diffificult to attack your network than the next one.

The use of multiple layers is crucial. Never depend on just a firewall, encrypted transmissions, or just on password protection. Never depend on your vendor to secure your data - it's your data, not your vendor's. Read your EULA, and you'll note how little they care.

Difference between hacking and cracking...

[Krankheit]

Isn't hacking more about the creation of something than the destruction of something? This sounds more like cracking. Anyone can open up a locked car with a coat hanger and hot wire it, but that doesn't make them equal with the skill of the engineers that created the car.

Article has a good page on cleaning systems

[billstewart]

About page 10 of the article, the author gets to a discussion of what you can do to clean up a compromised system, and uses the analogy of cleaning a swimming pool with undesirable liquids in it - you can't just clean the water, you've got to drain the whole thing and start over. He lists a large number of things you can no longer trust on a compromised system, and explains how each of a number of successively more difficult approaches won't work.

• You can't just patch the hole the attacker used - he installed a bunch more new holes one he got in.
• You can't just reinstall from backup, because you don't know if your backup files are compromised too.
• You can't look in your log files to figure out when you got compromised, because any good cracker knows to wipe his traces out of the log file.
• You can't just reinstall the operating system over the existing one - too many dangerous files may still be there, including things left in the data and application directories.
• 3... 4... 5. DON'T PROFIT! 6...
• You're stuck reinstalling the OS and applications from known-good media onto a clean disk, and hoping you can salvage some of the data, depending on whether your applications make this possible.

What he doesn't really go into his how to build your production systems in a way that *ASSUMES* you're going to get attacked, maintains a clean environment for developing them in, and gives you the tools to rebuild rapidly from trustable versions. On the other hand, he does show how his example's victim's system was thoroughly broken into, getting from the production system to the development system, because it really *is* hard to do a good job of separating them adequately in a real environment, so even if you think you have a clean-room, you might not.

Re:Article has a good page on cleaning systems

[bombshelter13]

I don't think this isn't really what the author meant about the backups being compromised.

If you were a hacker, and had just broken into someone's computer/network, would you start playing around and messing things up as soon as you got in?

Hell no. Only a moron would do that. You would (very quietly) install another backdoor or two, to make sure you can still get in, and then you'd wait five or six months, maybe a year or so, and ~then~ start causing trouble.

If you start making a mess right away, there's a good chance you'll get detected, and they'll do something about it to lock you out, maybe even going back to those backups and restoring them. That's no good.

On the other hand, if you wait, then by the time you start causing noticeable damage, they've already made new backups several times. With your exploits already in them. So they can restore the backups, and you can log right back in. The only way to get uncompromized backups will to use very old ones, from before you got in in the first place.

Patience is a virtue, in hacking just as in everything else.

No new news here

[michaelaiello]

Quick overview of the meat of the article

1. Do a WHOIS lookup of the IP range the network is on.
2. Search newsgroups for previous network internals that the SA has posted somewhere.
3. Do a port scan and fingerprint.
4. If there is a vulnerable service running, use a common exploit.
5. A quick description of how sql injection attack works on a web-application login.
6. Use xp_cmdshell on MS-SQL to download remote shell code via tftp.
7. Once somone has the sql server under control, use the poorly configured internal network to become domain admin.

Somone needs to put together a description on how a "social engineering" penetration test should be done objectivly. If there is one out there please let me know. =P

Sad to see

[Knights+who+say+'INT]

Slashdot surrendering to the mainstream, negative meaning of "hack".

I though it was supposed to be a hacker forum :~

Oh noes!!

[satanami69]

It's got wake on lan.

strange definitions of warez, xss, etc.

[lonedroid]

I just read the whole FA (yup, I'm new here as my user ID can tell ;) and I'm not sure what to think about it.

The metodology used is not extraordinary: setting up a purposedly insecure network then hacking (sic) it themselves using the known holes is kind of cheesy. It helps to show how it works, but I prefer the honeynet approach: setting up boxes with known (or not) security holes, then analysing how a real intruder creates havoc.

Then there's some strange (re)definition of words.

For example, straight from TFA:

There are several techniques for getting our tools (often called "warez") onto the database server.

Then, as a side note:

Warez is a hacker/attacker colloquialism. It comes from the term "software," but is now used varyingly to mean either "attack tools" or "bootlegged software." In this chapter, we use it in the former context.

I think it's the first time I see the term "warez" used to describe "attack tools" (sic). I used to live in ancient times where "warez" weren't yet called "warez", then "warez" became "warez". Now what? "warez" aren't "warez" anymore? As it changed? (then a great many online dictionaries definition should be updated btw.).

The definition of XSS is also interesting:

In Figure 2-5, we see that not only do we get logged on, but the application also displayed the fake username we sent it on the home page. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (XSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first. We will not use it in the following attack, but it is interesting to note that it is there.

This definition of XSS is wrong: it's not because we see what was typed that the input weren't sanitized (sic). And it's certainly not because we see what was entered that this could lead to code being executed on another user's computer. Moreover I find the last sentence of this paragraph misleading: We will not use it in the following attack, but it is interesting to note that is is there. Of course they're not using it: they're "hacking" the server(s), not joe random visitor's box.

Then there are quite a lot half-truth, that can also be misleading:

A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.

If by "fully compromised" it means that the BIOS has been flashed and now lies about the files it reports, I then more or less agree. However such a tool is improbable (not enough room in the BIOS memory and not all BIOS can be flashed at will). So by "fully compromised" that's probably not what they meant. How would then an attacker lie when booting from a CD and running the scan from the CD? Or when hooking the compromised HD as a second HD on a clean system? It's not like everybody run their virus/trojans/rootkits scanners from the suspicious host.

Then at the end of TFLA (the 'L' stands for "Long") they explain, in a very windowish style, how to recover from a "hack": reinstall everything, because there's nothing you can trust (besides Windows's installation medium?)

So is it about the anatomy of a "hack" or how to recover from a "hack"? Both? Then why not a single word about how to configure an IDS?

Speaking of IDS, from TFA: Once we took over an entire network through an intrusion detection system.

WTF? I'm not sure if by their definition Snort qualifies as an IDS, but I run Snort in a passive way: no IP, not a single packet emitting from the box, etc. If an IDS becomes an entry point for intruders, then it's not an IDS but an IAS: Intrusion Automation System ;)

The article could be summarized like this (like others already pointed out i