In this lesson, we present the hacking methodology for systematically exploiting vulnerabilities on the target systems, and for understanding the hacker's mentality.
Here we show the hacking methodology presented on the back cover of the Hacking Exposed textbooks by McClure et al.
In the middle we see the steps; on the right we see examples of the tools and commands they use.
A hacker will start by surveying and gathering information about the organization they intend to penetrate and hack into.
This step is called footprinting.
The right column here shows the commands we use to obtain that information about the organization on the internet.
We have whois, which you can type in on most Unix systems, and it will return the critical organization information: the administrator and technical contact information, and how many name servers are serving that particular domain.
We also see Netcraft as one of the tools.
Actually it is a website that provides a query: it allows you to type in a domain name, and it tracks all of the web servers that organization has used over the years, including the operating system and the version.
We found that information very valuable.
Next, the second step is scanning.
Here we use the Nmap command or the well-known tool called Nessus.
It allows us to find out, within that domain or subnet range, the network address range: how many machines are active, how many servers are active, and which open ports represent specific services.
Nessus can even be instructed to gather and analyze the operating system and packages, identify the vulnerabilities listed for them, and even try launching the malicious attack.
Next, step three is enumeration.
It is the process of gathering information about the target machine by actively connecting to it.
Here the hacker tries to identify user and system administrator kinds of accounts, and tries to find out what Active Directory or shared directories may be open.
If there is a web server, they will try to find out which web pages are available for potential injection attacks.
Step four, wiretap.
We can wiretap the network, or use a legitimate account to analyze the network traffic, and explore the web pages to see if they have command injection or other unsecured injection vulnerabilities.
This is the so-called low-hanging fruit, as demonstrated in the last few lessons we have done.
Step five is called escalating privilege.
With the privilege we established in step four, a hacker will then perform treasure hunting.
We do that by exploring various directories within the attacked system: for example, the password file, the scripts, and the server-side script files, which may have credential information embedded in them, and maybe some configuration files.
We try to gather additional credential and password information, and we search directories to see whether they can be read, written, or even executed, and see whether we can even modify the access rights or the security token if they are using secure index mode for protection.
In case the password file is readable, and the passwords may be encrypted, we can read it out and work offline.
We use a password cracking tool such as John the Ripper, shown here, to break into additional accounts.
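From the defender's side, the treasure-hunting step above comes down to a few checks on the credential files themselves: whether the shadow file is world-readable, whether any hash still lives in the world-readable passwd file, whether any account has an empty password field, and whether any hash uses a scheme that is cheap to crack offline. The following audit is an added example written for this lesson, not code from the lecture or from the Hacking Exposed book; the passwd and shadow lines, the permission bits, and the function names are all constructed for illustration and follow the standard passwd(5) and shadow(5) layouts.

```python
import stat

# Constructed sample files (assumption: standard passwd(5) and shadow(5) layouts).
# Each line deliberately exercises one check; none of this is real account data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:abJnggxhB/yWI:1001:1001:Old account:/home/legacy:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1002:1002::/home/deploy:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$Zx1yhashhashhashhashhash:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
deploy::19000:0:99999:7:::
backup:$1$abcdefgh$ijklmnopqrstuvwxyz0123:19000:0:99999:7:::
"""
# Constructed permission bits; the shadow file is world-readable here on purpose.
SAMPLE_MODES = {"/etc/passwd": 0o644, "/etc/shadow": 0o644}

# crypt(3) scheme ids that a modern system should no longer be using for logins.
WEAK_SCHEMES = {"des": "traditional DES crypt", "1": "MD5 crypt"}


def classify_hash(field):
    """Classify the password field of a passwd/shadow entry."""
    if field == "":
        return "empty"                      # login requires no password at all
    if field.startswith(("!", "*")):
        return "locked"                     # account cannot log in with a password
    if field.startswith("$"):
        return field.split("$")[1]          # id: 1=MD5, 5=SHA-256, 6=SHA-512, y=yescrypt
    return "des"                            # no $id$ prefix: 13-character DES crypt


def parse_entries(text):
    """Yield (user, password_field) for every non-blank colon-separated line."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            yield fields[0], fields[1]


def audit_credential_files(passwd_text, shadow_text, modes):
    """Return a list of human-readable findings about password exposure."""
    findings = []
    if modes.get("/etc/shadow", 0) & stat.S_IROTH:
        findings.append("/etc/shadow is world-readable: any local user can copy "
                        "the hashes for offline cracking")
    for user, pw in parse_entries(passwd_text):
        if pw not in ("x", "*"):            # "x" means the hash lives in shadow
            findings.append(f"{user}: password hash kept in world-readable "
                            f"/etc/passwd instead of /etc/shadow")
    for user, pw in parse_entries(shadow_text):
        scheme = classify_hash(pw)
        if scheme == "empty":
            findings.append(f"{user}: empty password field, login needs no password")
        elif scheme in WEAK_SCHEMES:
            findings.append(f"{user}: {WEAK_SCHEMES[scheme]} hash, cheap to crack offline")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_files(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_MODES):
        print("-", finding)
```

On a real host the same function would be fed the contents and `os.stat` modes of the actual files (which requires root to read the shadow file); each finding maps directly to a fix: tighten the mode to 0640, move stray hashes into the shadow file, lock or set a password on empty accounts, and re-hash weak entries at the next password change.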
Step six, gathering information to identify the mechanisms that allow access to the trusted systems.
This includes examining the configuration of various network services.
Often they include commands showing how they are configured, and they may actually contain credentials, credit card and password information, such as server connection information; this is very typical for an intrusion detection system.
They might include a database account used for access and for depositing the malicious activity information they detect.
Step seven, covering the tracks.
Systems may include logs or an intrusion detection system that monitors and records your access to, or modification of, critical files and directories.
The hacker may attempt to modify such log records to hide their tracks, if that is possible.
Note that, from a previous lesson, some operating systems will prevent this from happening by only allowing appends to the log.
Step eight, create a backdoor to allow re-entry sometime in the future.
The hacker may create scripts to be executed by a cron job or an at job at a regular interval.
When they execute, they will examine the remote executables they have deposited and see whether they still exist.
If they were wiped out by the anti-virus quarantine, these at jobs and cron jobs will put them back.
That is the reason why, from time to time, we see a quarantined virus reappear.
This also shows why a backdoor attack, a Trojan kind of attack, is very important to detect.
Once we have been attacked, make sure we search the startup folder, the registry entries, those at/cron jobs, and the configuration files to see whether we have those dangerous scripts there.
Sometimes they will hide those files and scripts with the dot prefix; that is called a hidden directory or hidden file.
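The search described above for at/cron persistence and dot-prefixed hidden scripts is easy to mechanize. The script below is an added example for this lesson, not code from the lecture; it parses a constructed user crontab, extracts each command, and flags entries whose executable path contains a hidden (dot-prefixed) component or lives in a scratch directory such as /tmp where no legitimate scheduled job should reside. The crontab text, the directory list and the function names are assumptions made for the illustration, and the parser assumes the user-crontab layout (five schedule fields or an @keyword, then the command) rather than the system crontab, which carries an extra user field.

```python
import re
import shlex

# Constructed sample crontab (assumption: user-crontab layout, i.e. five
# schedule fields or an @keyword followed by the command). The two odd entries
# are made up to trigger the checks; they are not real malware paths.
SAMPLE_CRONTAB = """\
# m h dom mon dow   command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * *   /usr/local/bin/backup.sh
*/5 * * * * /home/www/.cache/.update.sh >/dev/null 2>&1
@reboot     /tmp/.x/run
30 4 * * 0  /usr/bin/apt-get update
"""

# Scratch directories where a persistent scheduled executable has no business living.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue                                # environment assignment such as PATH=
        if line.startswith("@"):
            parts = line.split(None, 1)             # @reboot, @daily, ...
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                            # malformed line, nothing to run
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def hidden_components(path):
    """Path components that start with a dot (the hidden-file trick), ignoring . and .."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def review_command(command):
    """List the reasons a cron command deserves a closer look (empty list = nothing odd)."""
    reasons = []
    try:
        tokens = shlex.split(command)
    except ValueError:
        return ["command could not be tokenized"]
    for tok in tokens:
        # Only look at path-like tokens; skip redirections (">/dev/null") and plain words.
        if tok.startswith(">") or not tok.startswith(("/", "./", "~")):
            continue
        hidden = hidden_components(tok)
        if hidden:
            reasons.append(f"hidden path component {hidden} in {tok}")
        if any(tok == d or tok.startswith(d + "/") for d in SUSPECT_DIRS):
            reasons.append(f"executable under scratch directory: {tok}")
    return reasons


def audit_crontab(text):
    """Return one finding dict per suspicious crontab entry."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = review_command(command)
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding["schedule"], finding["command"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

In practice you would feed `audit_crontab` the output of `crontab -l` for every account and the files under /etc/cron.d, and pair it with a listing of at jobs and startup folders; a hit is a prompt to inspect the referenced script, not proof of compromise, since a hidden cache directory can also be a legitimate per-user tool location.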
Step nine, denial of service.
Maybe after the weakened machine has been explored for all its treasure and is no longer useful, sometimes we launch a denial of service attack to shut down the system.
That can also happen when we cannot actually penetrate; then we use this kind of approach for the denial of service attack.
This can be done from outside, or from inside by modifying the configuration of the network routing table, confusing the system interior and resulting in incorrect routing or database access.
In this case it is very important for the vendor to back up the files and images.
But at the same time, if the hacker can get access to these backup files and restore images, they will try to modify them, resulting in a failed disaster recovery process.
So backing up in multiple places is an important step.
We will illustrate some examples of these steps in the next few lessons.