Hacking For Dummies


Introduction to Ethical Hacking

Straightening Out the Terminology

Most people have heard of hackers and malicious users. Many have even suffered the consequences of their criminal actions. So who are these people? And why do you need to know about them? The next few sections give you the lowdown on these attackers.

  • Hackers (or external attackers) try to compromise computers, sensitive information, and even entire networks for ill-gotten gains – usually from the outside – as unauthorized users. Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.
  • Malicious users (or internal attackers) try to compromise computers and sensitive information from the inside as authorized and “trusted” users. Malicious users go for systems they believe they can compromise for ill-gotten gains or revenge.
  • Ethical hackers (or good guys) hack systems to discover vulnerabilities to protect against unauthorized access, abuse, and misuse. Information security researchers, consultants, and internal staff fall into this category.

Understanding the Need to Hack Your Own Systems

To catch a thief, you must think like a thief. That’s the basis for ethical hacking. Knowing your enemy is absolutely critical. The law of averages works against security. With the increased number of system vulnerabilities and other unknowns, eventually all computer systems and applications will be hacked or compromised in some way. Protecting your systems from the bad guys – and not just the generic vulnerabilities that everyone knows about – is absolutely critical. When you know hacker tricks, you find out how vulnerable your systems really are.

Firewalls, encryption, and passwords can create a false feeling of safety. These security systems often focus on high-level vulnerabilities, such as basic access control, without affecting how the bad guys work. Attacking your own systems to discover vulnerabilities – especially the low-hanging fruit that gets so many people into trouble – helps make them more secure. Ethical hacking is a proven method of greatly hardening your systems from attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.

Passwords

Password hacking is one of the easiest and most common ways attackers obtain unauthorized network, computer, or application access. You often hear about it in the headlines, and study after study, such as the Verizon Data Breach Investigations Report, reaffirms that weak passwords are at the root of many security problems. I have trouble wrapping my head around the fact that I’m still talking about (and businesses are suffering from) weak passwords, but it’s a reality – and as an information security testing professional, you can certainly do your part to minimize the risks.

Although strong passwords – ideally, longer and stronger passphrases that are difficult to crack (or guess) – are easy to create and maintain, network administrators and users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. That’s when accountability goes out the window and bad things start happening.

External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users (shoulder surfing) while they type their passwords. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers.

This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you’ll be well on your way to securing your system’s passwords.

Cracking Passwords

Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out a problem. You might not have a burning desire to explore everyone’s passwords, but it helps to approach password cracking with this mindset. So where should you start testing the passwords on your systems? Generally, any user’s password works. After you obtain one password, you can often obtain others – including administrator or root passwords.

Cracking passwords the old-fashioned way

A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques such as phishing, shoulder surfing, and simply guessing passwords from information that he knows about the user.

Social engineering

The most popular low-tech method for gathering passwords is social engineering. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.

Techniques

To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and that you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!

Countermeasures

User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host level, the network perimeter, or in the cloud. Train users to spot attacks (such as suspicious phone calls or deceitful phishing e-mails) and respond effectively.

Cracking passwords with high-tech tools

High-tech password cracking involves using a program that tries to guess a password by determining all possible password combinations. These high-tech methods are mostly automated after you access the computer and password database files.

The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks. You find out how each of these works in the following sections.

Dictionary attacks

Dictionary attacks quickly compare a set of known dictionary-type words – including many common passwords – against a password database. This dictionary is a text file with hundreds if not thousands of words, typically listed in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line, starting with 10th, 1st … all the way to zygote.

Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:

  • www.outpost9.com/files/WordLists.html

Brute-force attacks

Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the character sets, the password lengths to try, and known characters (for a “mask” attack). Sample Proactive Password Auditor brute-force password-cracking options are shown in the figure below.

Brute-force password-cracking options in Proactive Password Auditor.

Rainbow attacks

A rainbow password attack uses rainbow cracking to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100 percent). Password cracking is faster in a rainbow attack because the hashes are pre-calculated and thus don’t have to be generated individually on the fly, as they are with dictionary and brute-force cracking methods.

If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com/), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.
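The three methods above (dictionary, brute-force with a mask, and rainbow/precomputed lookup) all lean on the same property: a fast, unsalted hash can be computed once per candidate and compared to every stored hash. The following added example is not from the book; it audits a constructed set of unsalted MD5 hashes against a constructed word list (the lookup table it builds is a rainbow table in miniature), sizes the keyspace of a mask so you can see why length matters more than character mix, and then shows the countermeasure: a per-user random salt plus a slow key-derivation function, so two users with the same password get different digests and no precomputed table applies. The mask notation (?l, ?u, ?d, ?s, ?a) is hashcat-style and is an assumption; the page only says “mask” attack. The user names, passwords and word list are all constructed sample data.

```python
# Added example (not from Hacking For Dummies): a small password-audit toolkit
# showing what dictionary, mask/brute-force and rainbow attacks rely on, and
# the salting + slow-KDF countermeasure. All data below is constructed.
import hashlib
import hmac
import os

# Constructed stand-in for a downloaded dictionary file (one word per line).
WORDLIST = ["10th", "1st", "letmein", "password", "Password1", "qwerty", "zygote"]

# Constructed stored credentials: unsalted MD5 digests, as found in legacy
# password databases. A real audit would read these from the system instead.
UNSALTED_DB = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}


def precompute_table(words):
    """Build a digest -> word lookup table. A rainbow table is a space-optimised
    version of this idea: hash every candidate once, then reuse the result."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def dictionary_audit(stored, table):
    """Report accounts whose password appears in the dictionary. One lookup
    per account suffices because the stored hashes are unsalted."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


# hashcat-style mask classes (assumed notation; the book only says "mask").
MASK_CLASSES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def mask_keyspace(mask):
    """Number of candidates a brute-force run must try for a mask like ?u?l?l?l?d?d."""
    total = 1
    for i in range(0, len(mask), 2):
        token = mask[i:i + 2]
        if token not in MASK_CLASSES:
            raise ValueError(f"unknown mask token {token!r}")
        total *= MASK_CLASSES[token]
    return total


def hours_to_exhaust(mask, guesses_per_second):
    """Worst-case time in hours to try every candidate of the mask at a given rate."""
    return mask_keyspace(mask) / guesses_per_second / 3600


def store_salted(password, salt=None, iterations=600_000):
    """Countermeasure: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest). A table keyed on the digest alone is now useless,
    because the same password yields a different digest for every salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=600_000):
    """Recompute the derived key and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("accounts using a dictionary word:", dictionary_audit(UNSALTED_DB, table))
    mask = "?u?l?l?l?l?l?d?d"
    print(mask, "keyspace:", mask_keyspace(mask))
    print("hours at 10 billion guesses/s:", hours_to_exhaust(mask, 10**10))
    _, d1 = store_salted("password")
    _, d2 = store_salted("password")
    print("same password, different salted digests:", d1 != d2)
```

Run as a script it reports alice as using a dictionary word and bob as not, which is the whole point of a dictionary pass: it finds the low-hanging fruit, not every weak password. The iteration count of 600,000 follows current OWASP guidance for PBKDF2-HMAC-SHA256; lower it only if you measure that your authentication path cannot afford it.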

Cracking Windows passwords with pwdump3 and John the Ripper

The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:

  • pwdump3 (to extract password hashes from the Windows SAM database)
  • John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)

The following test requires administrative access to either your Windows standalone workstation or the server:

  1. Create a new directory called passwords from the root of your Windows C: drive.
  2. Download and install a decompression tool if you don’t already have one.
  3. Download, extract, and install the following software into the passwords directory you created, if you don’t already have it on your system:

Network Infrastructure Systems

To have secure operating systems and applications, you need a secure network. Devices such as routers, firewalls, and even generic network hosts (including servers and workstations) must be assessed as part of the security testing process.

There are thousands of possible network vulnerabilities, equally as many tools, and even more testing techniques. You probably don’t have the time or resources available to test your network infrastructure systems for all possible vulnerabilities, using every tool and method imaginable. Instead, you need to focus on tests that will produce a good overall assessment of your network – and the tests I describe in this chapter produce exactly that.

You can eliminate many well-known, network-related vulnerabilities by simply patching your network hosts with the latest vendor software and firmware updates. Because many network infrastructure systems aren’t publicly accessible, odds are good that your network hosts will not be attacked from the outside. You can eliminate many other vulnerabilities by following some solid security practices on your network, as described in this chapter. The tests, tools, and techniques outlined in this chapter offer the most bang for your security assessment buck.

Understanding Network Infrastructure Vulnerabilities

Network infrastructure vulnerabilities are the foundation for most technical security issues in your information systems. These lower-level vulnerabilities affect practically everything running on your network. That’s why you need to test for them and eliminate them whenever possible.

Your focus for security tests on your network infrastructure should be to find the weaknesses that others can see in your network so you can quantify and treat your network’s level of exposure.

When you assess your company’s network infrastructure security, you need to look at the following:

  • Where devices, such as a firewall or an IPS, are placed on the network and how they’re configured.
  • What external attackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts.
  • Network design, such as Internet connections, remote access capabilities, layered defenses, and placement of hosts on the network.
  • Interaction of installed security devices, such as firewalls, intrusion prevention systems (IPSs), antivirus, and so on.
  • What protocols are in use, including known vulnerable ones such as Secure Sockets Layer (SSL).
  • Commonly attacked ports that are unprotected.
  • Network host configurations.
  • Network monitoring and maintenance.

If someone exploits a vulnerability in one of the items in the preceding list or anywhere in your network’s security, bad things can happen:

  • An attacker can launch a denial of service (DoS) attack, which can take down your Internet connection – or your entire network.
  • A malicious employee using a network analyzer can steal confidential information in e-mails and files sent over the network.
  • A hacker can set up back-door access into your network.
  • A contractor can attack specific hosts by exploiting local vulnerabilities across the network.

Keep the following in mind when you test:

  • Test your systems from the outside in, and the inside in (that is, on and between internal network segments and demilitarized zones [DMZs]).
  • Obtain permission from partner networks to check for vulnerabilities on their systems that can affect your network’s security, such as open ports, lack of a firewall, or a misconfigured router.

Choosing Tools

As with all security assessments, your network security tests require the right tools – you need port scanners, protocol analyzers, and vulnerability assessment tools. Great commercial, shareware, and freeware tools are available. I describe a few of my favorite tools in the following sections. Just keep in mind that you need more than one tool because no tool does everything you need.

Scanners and analyzers

These scanners provide practically all the port scanning and network testing you need:

Vulnerability assessment

This vulnerability assessment tool, among others, allows you to test your network hosts for various known vulnerabilities as well as potential configuration issues that could lead to security exploits:

Scanning, Poking, and Prodding the Network

Performing the ethical hacks described in the following sections on your network infrastructure involves following basic hacking steps:

  1. Gather information and map your network.
  2. Scan your systems to see which ones are available.
  3. Determine what’s running on the systems discovered.
  4. Attempt to penetrate the systems discovered if you choose to.
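Steps 2 and 3 above, plus the “commonly attacked ports that are unprotected” item from the assessment checklist, come down to one question per host and port: does a TCP connection complete, and if so, is that a service you expect to be reachable from where you are testing? The following added example is not from the book or any tool it names. It performs a plain TCP connect check (the least intrusive kind of port probe) and then maps whatever is open onto a short, constructed table of risky services so the result reads as an exposure list rather than a bare port list. To stay self-contained it starts its own listener on 127.0.0.1 on an ephemeral port and probes that; the host list, port table and risk notes are assumptions you would replace with your own scope.

```python
# Added example (not from Hacking For Dummies): a minimal TCP connect check for
# hosts in your own scope, with a classifier that flags commonly attacked
# services. It runs against an in-process loopback listener, so no real
# network is needed to try it.
import socket
import threading

# Constructed: services an assessor typically wants flagged when reachable.
# Your scope and policy decide what counts as unprotected on your network.
RISKY_PORTS = {
    21: "ftp (cleartext credentials)",
    23: "telnet (cleartext session)",
    135: "msrpc",
    139: "netbios-ssn",
    445: "smb",
    1433: "mssql",
    3389: "rdp",
}


def tcp_connect_open(host, port, timeout=0.5):
    """True if a full TCP handshake to host:port completes (a connect probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_host(host, ports):
    """Return the sorted subset of ports that accepted a connection."""
    return sorted(p for p in ports if tcp_connect_open(host, p))


def assess_exposure(open_ports):
    """Map open ports to the risk notes above. Unknown open ports are reported
    as 'review' so that nothing reachable is silently ignored."""
    return {p: RISKY_PORTS.get(p, "review: unexpected listener") for p in open_ports}


def start_test_listener(port=0):
    """Open a loopback listener (ephemeral port by default) that accepts and
    closes connections in a background thread. Returns (socket, port).
    Exists only so the scanner can be exercised without a real target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # raised once srv.close() is called
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_loopback_port():
    """Reserve and release an ephemeral port so we have one that is (almost
    certainly) closed, to confirm the probe reports closed ports as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_test_listener()
    closed_port = free_loopback_port()
    found = scan_host("127.0.0.1", [open_port, closed_port])
    print("open ports:", found)
    print("exposure:", assess_exposure(found))
    srv.close()
```

Against real hosts, replace the loopback listener with your inventory and run the probe from each vantage point the chapter names (outside in, and on and between internal segments and DMZs); the same port reachable from the Internet and from a DMZ carries very different risk, and the exposure table is where you record that distinction.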
