Anatomy of a Hack
Tiberius_Fel writes "Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data. Even though it makes references to Windows, the techniques can be applied to other operating systems fairly easily." From the article: "Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things."
For all too many business owners and managers out there it just isn't worth it for them to learn to secure computers. They have enough trouble learning and keeping up with the business they have. Normally it isn't until they are breached that they realize that security is a need.
But that's what America is for. They need something, but don't have the time to do it. So you learn how to provide for their need, and sell it to them.
heh heh heh, he said "penetration testing", heh heh heh
-- If I were a fish, I'd be wet
Quick overview of the meat of the article
1. Do a WHOIS lookup of the IP range the network is on.
2. Search newsgroups for previous network internals that the SA has posted somewhere.
3. Do a port scan and fingerprint.
4. If there is a vulnerable service running, use a common exploit.
5. A quick description of how sql injection attack works on a web-application login.
6. Use xp_cmdshell on MS-SQL to download remote shell code via tftp.
7. Once someone has the SQL server under control, use the poorly configured internal network to become domain admin.
Someone needs to put together a description of how a "social engineering" penetration test should be done objectively. If there is one out there please let me know. =P
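Steps 5 and 6 of the overview above describe an injection into a web-application login and then abuse of the database server. The following is an added example, not code from the article or the book it excerpts: it builds a constructed in-memory SQLite user table (the table, the user "alice" and her password are invented for the demo) and shows the login query built by string concatenation beside the parameterised form, with the classic comment and tautology payloads run against both. SQLite does not allow stacked statements through execute(), so the xp_cmdshell step is not reproduced here; on MS SQL the same concatenation flaw is what lets an attacker append a second statement.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The query text the vulnerable login actually sends to the database.

    User input is pasted straight into the SQL, so the attacker controls
    the statement, not just the values being compared.
    """
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Login as the article's sample application does it: concatenation."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The hardened form: placeholders, the driver binds values as data.

    A username of "alice' --" is now compared literally against the column
    and never becomes part of the SQL grammar.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two payloads the article's scenario relies on:
#   comment-out:  "alice' --"   closes the string and comments out the
#                               password check (the -- comment is SQL-92
#                               and works on SQLite and MS SQL alike)
#   tautology:    "' OR '1'='1" makes the WHERE clause always true, so the
#                               first row (here alice) is returned
COMMENT_PAYLOAD = "alice' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(COMMENT_PAYLOAD, "wrong"))
    print("vulnerable, comment payload:  ", login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"))
    print("vulnerable, tautology payload:", login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD))
    print("parameterised, comment payload:", login_parameterized(conn, COMMENT_PAYLOAD, "wrong"))
```

Run it and compare the printed query text with the placeholder version: the bypass works only because the quote in the username terminates the string literal the application wrote around it. Note that parameterisation fixes the injection but not the separate point raised in step 6: if the application's database account can run xp_cmdshell, a compromise of the application is still a compromise of the host, so least privilege on the database login matters as much as the query fix.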
I don't think this is really what the author meant about the backups being compromised.
If you were a hacker, and had just broken into someone's computer/network, would you start playing around and messing things up as soon as you got in?
Hell no. Only a moron would do that. You would (very quietly) install another backdoor or two, to make sure you can still get in, and then you'd wait five or six months, maybe a year or so, and ~then~ start causing trouble.
If you start making a mess right away, there's a good chance you'll get detected, and they'll do something about it to lock you out, maybe even going back to those backups and restoring them. That's no good.
On the other hand, if you wait, then by the time you start causing noticeable damage, they've already made new backups several times. With your exploits already in them. So they can restore the backups, and you can log right back in. The only way to get uncompromised backups will be to use very old ones, from before you got in in the first place.
Patience is a virtue, in hacking just as in everything else.
It's got wake on lan.
I really hate Dan Patrick.
I just read the whole FA (yup, I'm new here as my user ID can tell ;) and I'm not sure what to think about it.
;)
The methodology used is not extraordinary: setting up a purposely insecure network then hacking (sic) it themselves using the known holes is kind of cheesy. It helps to show how it works, but I prefer the honeynet approach: setting up boxes with known (or not) security holes, then analysing how a real intruder creates havoc.
Then there's some strange (re)definition of words.
For example, straight from TFA:
There are several techniques for getting our tools (often called "warez") onto the database server.
Then, as a side note:
Warez is a hacker/attacker colloquialism. It comes from the term "software," but is now used varyingly to mean either "attack tools" or "bootlegged software." In this chapter, we use it in the former context.
I think it's the first time I see the term "warez" used to describe "attack tools" (sic). I used to live in ancient times where "warez" weren't yet called "warez", then "warez" became "warez". Now what? "warez" aren't "warez" anymore? When did that change? (Then a great many online dictionaries' definitions should be updated, btw.)
The definition of XSS is also interesting:
In Figure 2-5, we see that not only do we get logged on, but the application also displayed the fake username we sent it on the home page. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (XSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first. We will not use it in the following attack, but it is interesting to note that it is there.
This definition of XSS is wrong: it's not because we see what was typed that the input wasn't sanitized (sic). And it's certainly not because we see what was entered that this could lead to code being executed on another user's computer. Moreover I find the last sentence of this paragraph misleading: We will not use it in the following attack, but it is interesting to note that it is there. Of course they're not using it: they're "hacking" the server(s), not joe random visitor's box.
Then there are quite a lot of half-truths, which can also be misleading:
A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.
If by "fully compromised" it means that the BIOS has been flashed and now lies about the files it reports, I then more or less agree. However such a tool is improbable (not enough room in the BIOS memory, and not all BIOSes can be flashed at will). So by "fully compromised" that's probably not what they meant. How would an attacker then lie when booting from a CD and running the scan from the CD? Or when hooking the compromised HD as a second HD on a clean system? It's not like everybody runs their virus/trojan/rootkit scanners from the suspicious host.
Then at the end of TFLA (the 'L' stands for "Long") they explain, in a very windowish style, how to recover from a "hack": reinstall everything, because there's nothing you can trust (besides Windows's installation medium?)
So is it about the anatomy of a "hack" or how to recover from a "hack"? Both? Then why not a single word about how to configure an IDS?
Speaking of IDS, from TFA: Once we took over an entire network through an intrusion detection system.
WTF? I'm not sure if by their definition Snort qualifies as an IDS, but I run Snort in a passive way: no IP, not a single packet emitting from the box, etc. If an IDS becomes an entry point for intruders, then it's not an IDS but an IAS: Intrusion Automation System
The article could be summarized like this (like others already pointed out i