NETWORK HACKING

Footprinting  

Footprinting is the act of gathering information about a computer system and the companies it belongs to. Footprinting is the first step hackers take in their hacking process. Footprinting is important because to hack a system the hacker must first know everything there is to know about it. Below I will give you examples of the steps and services a hacker would use to get information from a website.

1. First, a hacker would start gathering information on the targets website. Things a hacker would look for are e-mails and names. This information could come in handy if the hacker was planning to attempt a social engineering attack against the company.
2. Next the hacker would get the IP address of the website. By going tohttp://www.selfseo.com/find_ip_address_of_a_website.php and inserting the web site URL, it will spit out its IP address.  

3. Next the hacker would Ping the server to see if it is up and running. There’s no point in trying to hack an offline server. http://just-ping.com pings a website from 34 different locations in the world. Insert the website name or IP address and hit “Ping”. If all packets went through, then the server is up.

4. Next the hacker would do a Whois lookup on the company website. Go to http://whois.domaintools.com and put in the target website. As you can see this gives a HUGE amount of information about the company. You see the company e-mails, address, names, when the domain was created, when the domain expires, the domain name servers, and more!
5. A hacker can also take advantage of search engines to search sites for data. For example, a hacker could search a website through Google by searching “site:www.the-target-site.com” this will display every page that Google has of the website. You could narrow down the number of results by adding a specific word after. For example the hacker could search “site:www.thetarget-site.com email”. This search could list several emails that are published on the website. Another search you could do in Google is “inurl:robots.txt this would look for a page called robots.txt. If a site has the file “robots.txt”, it displays all the directories and pages on the website that they wish to keep anonymous from the search engine spiders. Occasionally

you might come across some valuable information that was meant to be kept private in this file.

Now that the basics of footprinting have been explained, we will move on to port scanning.

                              Port Scanning

The point of port scanning a server is to detect its open ports the port’s listening services. Once a hacker knows all the services running on your server, he could search for possible vulnerabilities they may have and exploit them to take control of your website. In the port scanning example we will use the most popular port scanner: Nmap. The Nmap Security Scanner is available for both Mac and Windows users: http://nmap.org/download.html . The example will be shown using the Nmap GUI (Graphical User Interface). Otherwise known as Zenmap.

1. First the hacker would choose a target and place it in the target box. As you can see the “Command:” section gets updated as well. This is what the command would look like if you were running the CLI version.

2. Next the hacker would choose the “Profile:”, or in other words, the scan type. A smart hacker would go with a quick and quiet scan. Full version detection scans are very loud and could raise suspicion on the other end. Stay away from those options because as you will see later on, there are other ways to get that information.

3. A sample scan result may look like the following:

4. As you can see it found a few open ports and listed the services that are run on them. Below I have a list of some of the most popular ports/services on the internet.

20. FTP data (File Transfer Protocol)  
21. FTP (File Transfer Protocol)  
22. SSH (Secure Shell)  
23. Telnet  

25 SMTP (Send Mail Transfer Protocol)  

43 whois  

53 DNS (Domain Name Service)  

68 DHCP (Dynamic Host Control Protocol)  

80 HTTP (HyperText Transfer Protocol)  

110 POP3 (Post Office Protocol, version 3)  

137. NetBIOS-ns  
138. NetBIOS-dgm  
139. NetBIOS  

143 IMAP (Internet Message Access Protocol)  

161 SNMP (Simple Network Management Protocol)  

194 IRC (Internet Relay Chat)  

220 IMAP3 (Internet Message Access Protocol 3)  

443 SSL (Secure Socket Layer)  

445 SMB (NetBIOS over TCP)  

1352 Lotus Notes  

1433 Microsoft SQL Server  

1521 Oracle SQL  

2049 NFS (Network File System)  

3306 MYSQL  

4000 ICQ

5800 VNC  

5900 VNC  

8080 HTTP  

5. Along with finding out what ports are running, the hacker needs to also find out what operating system the server is running. There are always a lot of operating system vulnerabilities out there to choose from. So by knowing the operating system, the hacker’s chances of taking over the server go up.    As you can see, there is an option on Nmap to detect the operating system, but this scan is very loud and easily detected so it is better to avoid it if possible. A simple way to determine what the server is running is by getting a 404 error page. You can get there by going to a page that doesn’t exist. For example the hacker would put in

“www.targetsite.com/asdlfjasl.php” this page will most likely not exist and bring him to the 404 page. On most sites the 404 error page displays the server operating system along with its version. Many sites nowadays don’t display this by putting up custom 404 pages so this may not always work.

6. If you are planning on using the CLI version of Nmap, or want a more in depth look at all the commands take a look at the Nmap manual:

http://nmap.org/book/man.html .  

7. Now that the hacker has got all the running services and open ports on the targets system, he will now have to find out what versions the server is running. This is where “Banner Grabbing” comes in.

Banner Grabbing

Now that the hacker has a full list of services running on the target system, to be able to exploit them, he has to first figure out what software and version the service is. One way the hacker can get this information, is to telnet into service port. In the example below, we will use command prompt on Windows (Start -> Run -> Type “cmd” -> Enter). If you are on a Mac, you will be using the terminal. Note: If you are using Windows Vista, then telnet is not installed by default. You can install it by doing the following simple steps.

• Click Start then select Control Panel.
• Select Programs and Features.  o Select Turn Windows features on or off. o Select the Telnet Client option and click OK. o A box will appear to confirm installation. The telnet command should now be installed

1. First, the hacker would choose one of the open ports that were revealed in the Nmap scan to continue with and attempt to exploit. Let’s say that when the hacker scanned his target, he found the port 21 open. As you can see on the chart above, port 21 is FTP. To find out what FTP software is running he would use telnet by running the command: telnet www.targetsite.com 21

As you can see above, I ran this against my computer (localhost). So a hacker would insert a target URL in place of localhost.

2. Next, it would connect to the target and display a banner telling the hacker the software and its version as shown below. This is the information the hacker needs to continue and begin searching for vulnerabilities for the software discovered.

If the above method doesn’t work for you, then simply use Nmap’s full version detection option to get the information.

Searching for Vulnerabilities

Now that the hacker has the name of the software being used and its version number, he would take that information and search a couple vulnerability databases for an exploit. If there’s an exploit available, he will run it against the server and take complete control. If there isn’t any, he would move onto another open port and try again on a different service.  

Some of the most popular exploit databases are:

• Milw0rm
• SecurityFocus
• osvdb

By searching “filezilla” on milw0rm, fortunately the hacker won’t find any exploits for my current version of the FTP software. Now most people would move on to another port to try and find another possible vulnerability, but this doesn’t mean every hacker will. If a skillful hacker is determined, he may try to locate a vulnerability in the current software version and develop an exploit for it. In the hacker community, this new vulnerability would be called a “0-day”. 0-day vulnerabilities are very valuable in the hacker community for a few reasons.

• No one knows about the vulnerability, so the hacker could start hacking hundreds of websites before the vulnerability is discovered and patched.
• The hacker could sell the vulnerability for thousands of dollars.
• Discovering vulnerabilities and creating an exploit for it shows that the hacker is very skillful and raises his ranks in the hacker community.

You might be wondering why 0-days are worth so much. It’s very simple. I’ll explain it with a simple equation.

Hacker + 0-Day + Company Servers = Bad Reputation = Loss of Money

Now before we get into the actual penetrations, I will discuss a couple of the common type of attacks used against discovered vulnerabilities.

Denial-of-Service (DoS) – There are many types of DoS attacks, but they all have one purpose: to make the target server unavailable for legitimate users. The most common type of DoS attack is when the hacker sends a flood of information to the target server causing it to use up all of its resources, and in return pushing it offline, or causing it to deny requests from legitimate users trying to access it.

Buffer Overflow (BoF) – A buffer overflow happens when a program attempts to store more data into a buffer, or a data storage area, then it was meant to hold. Because the buffer was only meant to hold a certain amount of data, the extra information overflows into other buffers causing them to be overwritten with malicious code  created by the hacker. Once this code is executed, the hacker can receive full control of the server.

If you search the Milw0rm exploit database, you will see that in many exploit titles it reads local exploit or remote exploit. Below are their definitions:

Local Exploit – To run a local exploit, you must first have access and privileges on the machine. Local exploits are usually used to escalate ones privileges to admin or root. In other words, it allows an ordinary user to gain root privileges.

Remote Exploit – A remote exploit is pretty much the same thing as a local exploit except that it isn’t run locally, but launched from anywhere across the internet.

A hacker usually has to use a combination of both remote and local exploits to gain full control of a system. For example, the hacker may have been able to gain regular privileges with a remote exploit attack, and then be able to escalate to root privileges with the help of a local exploit.

Penetrating

So now you might be wondering: Once the hacker finds the right exploit, how does he go about running it against the target and penetrating the server? This will all be explained in this chapter.

As you search Milw0rm or any of the other couple exploit database websites provided in this chapter, you will notice that the exploits are created in many different types of programming languages. Below I will list a few of the most common programming languages used, and how a hacker would compile and run them against a server.

PHP

PHP exploits are very common. PHP exploit code usually starts with <?php and ends in ?> . Let’s say the hacker wanted to do some temporary damage to a server running FTP Server 0.9.20. If he was to search milw0rm he would come up with the following DOS exploit: http://milw0rm.com/exploits/2901 and run it against the server. Below are the steps the hacker would take.

1. First the hacker would need to install PHP onto his computer. WAMP is a free web server that comes with PHP. If you are using a Mac then you must install MAMP . Next, paste the PHP exploit into notepad or any word processor and save it as “exploit.php”.  

You will have to know a little PHP to edit the target address. On line 13 of this exploit you will see:

$address = gethostbyname(‘192.168.1.3’); here you will have to edit in the IP address of the target. Every exploit is different. Some you have to know what to edit and some have runtime instructions. Save this edited file into the PHP directory on your server that contains the PHP executable file. In WAMP the directory would be C:\wamp\bin\php\php5.2.5 , of course the last directory version number changes with newer versions.

2. Next open up the command prompt or terminal if you are using a Mac, and go to the PHP directory by using the CD (change directory) command followed by the directory location.  

3. Now it’s time to run the exploit. To run it simple type in “php exploit.php” and hit enter. You should get a couple errors.

4. When skilled hackers create exploits, they sometimes insert mistakes or extra code so that script kiddies with no programming knowledge wouldn’t be able to use them. The above is a simple example. If you go to line 18 of this exploit , will see the line  

                                $junk.=”../../../sun-tzu/../../../sun-tzu/../../../sun-tzu”;

This line was inserted to throw off the script kiddies and by simply removing it, the error will disappear. Just another reason why it’s helpful to learn how to program.

Also every now and then you will receive other errors such as the one the second picture shows above. These errors have to do with the server configurations. Now as a hacker, you have to learn a lot on your own. By going around asking simple questions like this all the time will make you look bad and the most common response you will receive: www.google.com . Google is your friend, so take advantage of it! So starting now, begin to use Google, and if you are still stuck, then you can ask help on community forums.

5. Once the errors are fixed and the program is running, a DoS attack will be launched the target website up until you exit the command screen. If the target server can’t handle much, you may be able to see the affect of your exploit by going to the site and clicking around. If it is working, the site will begin to lag and it’ll take a long time to load pages. Eventually the server may go down completely.  

Perl

Running Perl exploit scripts is just as easy as running PHP scripts.  

1. Download and install the appropriate version of ActivePerl.
2. Next the hacker would find an exploit for vulnerability. In this example we will use the following example: http://milw0rm.com/exploits/6581 for WinFTP Server 2.3.0. This is also a Denial of Service (DoS) exploit.
3. Edit the options like the target server and others as needed. Then save the file as “exploit.pl”. As you can see Pearl exploits begin with “!/usr/bin/perl”.
4. Open CMD or Terminal and change into the directory with the exploit using the CD (change directory command). Then run the exploit by typing:  “perl exploit.pl”. The attack has begun. Simple, eh?

Python

Python is also a common programming language used in creating exploits. You can download python from http://www.python.org/download/. The steps to running a Python exploit are just as easy as the ones for Perl. See if you can get the exploit: http://milw0rm.com/exploits/3523 up and running. Hint: Python files end with .py .

C/C++

C/C++ are the most popular programming languages used in developing exploit code. Some C/C++ code can be compiled with any compiler and on any operating system. There are also C/C++ scripts that are made to be compiled by a particular compiler, or in a particular operating system. You can usually find this information commented in the top of the script. Below is a list of the most popular compilers for each operating system.

                                    

                          

Windows

• Microsoft Visual C++
• Borland C++
• Dev-C++

Mac

• MrC/MrCpp
• Xcode

Linux

• GCC           

Most C/C++ exploit code is made to be compiled in Linux. If you wish to run one them but you’re only option is Windows, then you can use Cygwin . Cygwin is a Linux-like environment that runs in Windows and acts as a Linux emulation layer, allowing you to run Linux scripts in windows. Although many Linux C/C++ exploit scripts will work with Cygwin, there are also many may not. I will show you how you can use Cygwin right after I give you an example of compiling and running a C/C++ script in Ubuntu Linux. If you aren’t already using Linux, I would recommend following along using VirtualBox from the Linux post.

1. Open up Terminal.

2. Go to http://milw0rm.com/exploits/269 and copy the remote root exploit.
3. Open up the VI editor in the terminal by typing in “vi” and hitting <Enter>. You should see the following screen:

4. To get into typing mode type in I (Shift + I).
5. You are now in insert mode. Right click and paste in the exploit.
6. The script should have pasted in. Now it’s time to save it. Hit the <ESC> key and then type in “:wq exploit.c” . This quits and saves the document as exploit.c .
7. Now type in the command: ls. This command lists all the files in the current directory. You should see your newly made file in the list.

8. Now we will compile the script using the GCC compiler, but before we compile this script we need to first install a development package of all the libraries and headers needed to compile C/C++ scripts. It’s a very easy process. In the terminal type in the following command:

sudo apt-get install build-essential

9. This command downloads the package and then asks you if you would like to continue with installing. Type in a “y” and hit enter. It automatically will install the package.
10. Now to compile the script type in the command “gcc exploit.c” , it will quickly compile. If there was no error displayed, then it was successful. By using the “ls” command you can now see there’s a new file named “a.out” this is the compiled script.
11. To run the new file type in the command “./a.out”. This will display a little note telling you how to run the exploit against a server. The below image shows all of these steps together.

12. The last line of the picture shows the proper way a hacker would use the script against a server.
13. Once the hacker ran the script against a vulnerable server running BeroFTPD 1.3.4 and the script worked, the hacker would now have root access to the server. Below is an image of what the root account on Ubuntu would look like.

As you can see the “whoami” command tells you who you are on the system. In this case I am root.

Cygwin

If you only have access to a Windows machine, and you come across a C/C++ script that is only meant to be compiled in Linux, then you can use Cygwin to make it possible in Windows. Let’s get right into it!

1. Download Cygwin from http://www.cygwin.com/.
2. Run the installer.
3. Choose to install from the internet.

4. Continue on until it asks you to choose a mirror to download from. Choose any.

5. Next you must select packages to download. Click View “+” under Devel to expand the category. Expand the window so that you can see all of the columns. Under the package column, search for gcccore and click on “Skip” to select it and click next.
6. If it tells you that you haven’t selected a couple packages that you need, agree to install them and click next.
7. It will begin to install the packages
8. Once it is installed, double click the desktop icon and a command prompt should come up.  

9. Using the same exploit as the last example, save and move it into the “C:\cygwin” directory as “exploit.c”.
10. Now it’s time to run the exploit. First you must change the directory to the home directory (C:\cygwin) by using the command “cd /”. Next use the “ls” command to display all the files in the current directory. You should see “exploit.c”.
11. Now to compile the script we use the same command as we did in Ubuntu: “gcc exploit.c –o exploit”. Here you see that we added a new parameter “-o”. This simply tells the compiler to name the output exe “exploit.exe”. Hit <ENTER> and if no error messages came up, then it was successful. If you use the “ls” command again, you should see a new file “exploit.exe” in the directory.
12. To run the exploit, simply type “./exploit”. It will now display the scripts runtime directions. Put in the right options and parameters and run the script again. The picture below shows all of these steps being done.

13. Once a hacker runs this script against a vulnerable machine and the script works, he will have root access to the target computer.

The more exploits you run, the more you will notice that half of them may not work. Many exploits are created and tested in specific environments and the expected outcome only happens when the exploit is run in the exact same environment. That is another reason why programming knowledge is needed, so you could edit the exploit script to work for you.

Once a skilled hacker gains root to a server he has the ability to do a lot of damage.  Some of the things a hacker might do with a rooted server is:

• Add himself as a permanent user for future access.
• Add the server into his botnet collection so he could use it as a weapon against other servers.
• Use it as a proxy to hack other websites.
• Install a rootkit so he can come back and have full control over the server when needed.
• Constantly steel information as it comes.
• Use the system to store illegal data.
• Deface the website and sometimes the hacker will delete everything off of the server.

Countermeasures

There are a few things you can do to stay secure from network hacking attempts.

1. Keep all your software up to date. There will always be new vulnerabilities coming out, and your responsibility is to patch them immediately after a patch comes out.
2. Implement a firewall. This will keep most of the bad data out and good data in.
3. Install anti-virus software.  
4. Scan your system with a vulnerability scanner. This may reveal possible vulnerabilities in your system.