TID Article #05
This month's article is on "Direct Hacks". Direct hacking is the hardest type of hacking to describe to non-technical users because it is an extremely technically involved process. Rather than attempt to explain the hundreds of thousands of ways a system can be hacked or breached, I will simply describe how I do it.
As you might have already guessed, this is the aspect of hacking I am most familiar with. I started my "hacking" career the same way many have: trying to get around those #1*&@^#%$ shareware limitations. I spent a great deal of time learning how encryption and key generators worked, I learned assembly language (the lowest level of programming; any lower and you are writing raw machine code (10010010...) for the CPU) and many other programming languages (I think I know about 12 in total), I hung out on IRC (Internet Relay Chat) with other like-minded individuals, and so on. On IRC, a favourite tactic for getting rid of someone you did not like or agree with was to force their computer off-line or make it reboot by sending it badly formatted messages and network traffic. After this happened to me several times (and one massive IRC channel war (groups of people trying to knock each other's computers off-line) later), I decided to learn how to defend myself better and how to strike back with impunity (we were all arrogant script kiddies then). So began the learning process that led to my current understanding of computers. (This was back in 1996, right after Windows 95 came out and computers became more widely available.)
These days I still hang out with the same guys and girls I did then; we have all grown up to become respectable people (hackers). One works for NASA at JPL, several work for IBM, and many others have jobs in engineering and biology. For the purpose of this article I will describe how my former room-mate "DaRKaNGEL" and I "spar" with each other's systems. We do this to test each other's defences against other hackers (if I can find a hole, they can).
The first step in hacking a system is to find your target. In this case I already know his IP (Internet Protocol) address (he has a cable modem). If I did not know this critical piece of information I would have to search it out using some common networking tools: ping, tracert, Ethersniff, nmap and rmap. Ping works by sending a packet to the other computer and waiting for a response; it is generally used to test reachability and latency. It can also be used to slow down or lag out the other machine by sending very large packets, or a flood of them, without waiting for responses, each of which the other machine must still answer (called ping flooding). Tracert, or "trace route", works by listing the routers the packet passes through (routing information) so you can see the path to the other machine. Ethersniff allows you to record and analyse packets going into and out of your target machine, provided your own machine sits somewhere it can see that traffic, such as the same shared segment; it is used to work out what kind of machine you are looking at, e.g. web server, FTP server, etc. Rmap and nmap are used to examine which ports are open on the other machine (a port is a doorway into a particular service on the system).
Having found the target machine, next I examine the network layout. In this case I can determine that his network is laid out as follows:
Internet => ISP => Modem w/firewall and NAT => target PC#1 +> target PC#2 +> target PC#3 +> target PC#X+1.....
For those who do not follow the text diagram above: the connection runs from the Internet to his Internet Service Provider and then to his cable modem, which has a built-in firewall and does Network Address Translation. Having discovered this, I am faced with two problems, the firewall and the NAT. I must carefully determine what the firewall will block and what it will allow. There are two ways to do this, one relatively safe from detection and one risky.

The safe way is simply to use Ethersniff to monitor his modem's IP address for several days and analyse the log file (this only works from a vantage point that actually sees his traffic, such as a shared cable segment or a hop on the path). It is possible thanks to the various worms such as W32.Klez, W32.CodeRed and Unx.Ramen (Melissa, by contrast, spreads by e-mail and would not show up as port probes). Since these worms are constantly looking for new unpatched hosts (see the benefit of constantly upgrading and patching your system), his firewall is being probed around the clock by other people's computers, and all I have to do is piggyback on the worms' work. This is safer for me because his firewall log does not show me looking at it and so cannot alert him to the fact that I am about to strike.

The hard way, which will get me detected, is to bombard his firewall with connection requests from a sequential port list: try port 1, try port 2, try port 3, and so on. This leaves a visible sign in his log because all the requests come from the same computer and follow a predictable pattern. I could spoof my IP address to conceal myself, but spoofed packets carry a fake source address rather than mine, so that buys anonymity only until someone with access to the upstream networks correlates the traffic back along the path; a good firewall keeps samples of suspect packets from each scan so that such a back-trace has something to start from. Spoofing adds several steps to the analysis and makes the originating computer harder to find; it does not make it impossible. Everything you do on the Internet is trackable; all it takes is time and resources.
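The log signature described above (one source, a predictable ascending port sequence) picked out from the worm background noise, as an added example that is not part of the original article. It runs over a constructed, iptables-style log excerpt; the log field names, the addresses and the thresholds are assumptions of the example, not output from any real firewall:

```python
import re
from collections import defaultdict
from datetime import datetime

# Log format assumed by this example (loosely iptables-style); the field names
# are an assumption, not any particular firewall's output.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample log: worm-style probes of port 80 from many unrelated
# sources, plus one host walking ports 1..6 in order.
SAMPLE_LOG = """\
2001-06-12 03:14:01 DROP src=198.51.100.23 dst=203.0.113.7 proto=TCP spt=4102 dpt=80
2001-06-12 03:14:05 DROP src=198.51.100.77 dst=203.0.113.7 proto=TCP spt=1033 dpt=80
2001-06-12 03:14:09 DROP src=192.0.2.10 dst=203.0.113.7 proto=TCP spt=40001 dpt=1
2001-06-12 03:14:09 DROP src=192.0.2.10 dst=203.0.113.7 proto=TCP spt=40002 dpt=2
2001-06-12 03:14:10 DROP src=192.0.2.10 dst=203.0.113.7 proto=TCP spt=40003 dpt=3
2001-06-12 03:14:10 DROP src=192.0.2.10 dst=203.0.113.7 proto=TCP spt=40004 dpt=4
2001-06-12 03:14:11 DROP src=192.0.2.10 dst=203.0.113.7 proto=TCP spt=40005 dpt=5
2001-06-12 03:14:11 DROP src=192.0.2.10 dst=203.0.113.7 proto=TCP spt=40006 dpt=6
2001-06-12 03:14:30 DROP src=198.51.100.91 dst=203.0.113.7 proto=TCP spt=2221 dpt=80
2001-06-12 03:15:02 DROP src=198.51.100.14 dst=203.0.113.7 proto=TCP spt=3321 dpt=139
"""


def parse_log(text):
    """Yield (timestamp, source IP, destination port) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], int(m["dpt"])


def find_sequential_scans(text, min_ports=5, window_seconds=60):
    """Return {src: [ports]} for sources that hit at least min_ports consecutive
    destination ports within window_seconds: the 'same computer, predictable
    pattern' signature of a sequential port scan."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_log(text):
        by_src[src].append((ts, dpt))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window forward until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = sorted({p for _, p in events[start:end + 1]})
            consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
            if len(ports) >= min_ports and consecutive and len(ports) > len(scanners.get(src, [])):
                scanners[src] = ports
    return scanners


def sources_per_port(text):
    """Return {port: number of distinct sources}. Many sources hitting one port
    is the worm background noise, not a scan by one attacker."""
    seen = defaultdict(set)
    for _, src, dpt in parse_log(text):
        seen[dpt].add(src)
    return {port: len(srcs) for port, srcs in seen.items()}


if __name__ == "__main__":
    print("sequential scanners:", find_sequential_scans(SAMPLE_LOG))
    print("distinct sources per port:", sources_per_port(SAMPLE_LOG))
```

The two views are deliberately separate: the first keys on one source walking adjacent ports inside a short window, the second on how many different sources touch a given port. A real log will have both, and the second is what the "safe" passive approach above is reading.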
Having determined what can pass through the firewall, I must now deal with the NAT. NAT, or Network Address Translation, is a method that lets one system, called a gateway, share a single Internet connection (one public IP address) among several independent systems. Windows ICS (Internet Connection Sharing) is NAT, and most "Internet ready" routers have this function as well. First I need to discover what type of NAT I am dealing with. To do this I send a connect request to his modem's IP address and get the login screen of the modem's administration interface (that this interface answers from the Internet side at all is worth noting; it should normally be reachable only from the LAN). By default (as set by the manufacturer) the login screen tells me who made the modem and which firmware version it runs. Knowing this lets me go and research how the modem works. Since he does not own the modem, I can assume that its settings are set by his ISP, not by him. A little more research shows that this particular ISP leaves both the firewall and the NAT subsystem at their default settings. I can now compare my log against those defaults to see whether he changed the firewall or NAT configuration. From this analysis I discover that something odd is going on: the default setting allows all traffic through the modem and leaves NAT turned off, yet, as discovered earlier, most ports are being blocked and NAT is present. This tells me he does not trust his ISP and has set up his own network and firewall behind the modem.
Now that I understand he has set up his own firewall, I must use the research gained earlier to start collecting information about his side of it. Again Ethersniff is called on to sniff his packets. Looking closely at the new packet dump I discover something interesting: there appear to be more than 60 machines using the NAT, but only 3 or 4 of them seem to be transmitting. (The private addresses behind a NAT never appear on the outside, so a count like this has to be inferred from per-host artefacts in the translated traffic, such as separate IP ID sequences or timestamp clocks.) If this were a business or a server farm that many machines would be expected, but it is far too many for a home user. I sense a honeypot. A honeypot is a cloned image (or a real machine) set up to catch hackers probing a network. Each honeypot has some obvious bait (usually looks good but has no real value) and holes to reach the bait. Once you have taken the bait you are hooked, because the owner of the honeypot has been recording your every move. Based on my analysis of the network, I first locate and eliminate every honeypot from the list of computers behind his firewall. This leaves me with 5 computers, of which 3 or 4 are actively broadcasting. Using Ethersniff again, I determine from their broadcast characteristics that 2 of the remaining 5 are honeypots as well (traps within traps). Apparently he believes that someone will get through the firewall and through the first level of honeypots (rightly, because I just did) and discover these more tempting "real" targets. I would guess (actually I know, because he was my roommate) that these 2 machines are in reality old PCs that are no longer useful for practical purposes (slow processor, little RAM or hard disk space, several generations old).
Now I have three target machines to look at. A quick spoofed packet exchange later (OS fingerprinting: sending oddly formed TCP/IP probes and comparing the replies against known stack behaviour), I have determined the operating systems of the three machines. One is a Windows NT Server 4 machine, one is a Windows 95B machine and one is a Mac. However, I choose to verify that these machines are in fact what they say they are. It is a well-known trick (in the hacker and security communities) to set your machine up to respond as if it were something else entirely. I suspect this may be the case because:
1. He has set up his own firewall and NAT machine.
2. He has several layers of honeypots.
3. He seems to be paranoid about hackers (just because you're paranoid does not mean they're not out to get you).
After a quick double-check using a different method, I can rule out the Mac as a target. It appears that one of the remaining computers has two network cards in it, and one of them is set up to return packets as if it were a Mac. The remaining two computers both have the signature characteristics of Unix-style operating systems. At this point I have defeated most of what are called "ghosting" techniques. A "ghosting" technique is an advanced form of misdirection that is easiest to pull off on Unix-based OSs, whose TCP/IP stacks can be tuned or patched to imitate another system's replies. All that is left to do now is choose which machine I want to explore and go about exploring it.
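One way to do that "double check using a different method": passive OS fingerprinting from the TTL, window size, DF bit and TCP option order of sniffed SYN packets, with the IP-level and TCP-level views compared against each other so that a host faking only one layer stands out. This is an added example, not code from the article; the signature table and the two observed hosts are constructed assumptions, not a real fingerprint database:

```python
from dataclasses import dataclass

# Illustrative stack signatures: initial TTL, default SYN window, DF bit and
# TCP option order. The values are an assumption of this example, not a copy
# of any real fingerprint database such as p0f's.
SIGNATURES = {
    "Linux 2.4":    dict(ittl=64,  window=5840,  df=True,  options=("mss", "sackOK", "ts", "nop", "wscale")),
    "Windows NT 4": dict(ittl=128, window=8760,  df=True,  options=("mss",)),
    "Windows 95":   dict(ittl=32,  window=8192,  df=False, options=("mss",)),
    "Mac OS 9":     dict(ittl=255, window=32768, df=False, options=("mss",)),
}

INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Syn:
    """What a sniffer sees in one TCP SYN: the IP TTL on the wire, the TCP
    window, the IP don't-fragment bit and the TCP options in order."""
    src: str
    ttl: int
    window: int
    df: bool
    options: tuple


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    return min(t for t in INITIAL_TTLS if t >= observed)


def ip_layer_guess(syn):
    """Candidate OSs judged only from IP-level traits (TTL class and DF)."""
    ittl = initial_ttl(syn.ttl)
    return sorted(n for n, s in SIGNATURES.items() if s["ittl"] == ittl and s["df"] == syn.df)


def tcp_layer_guess(syn):
    """Candidate OSs judged only from TCP-level traits (window and options)."""
    return sorted(n for n, s in SIGNATURES.items()
                  if s["window"] == syn.window and s["options"] == syn.options)


def cross_check(syn):
    """Compare the two independent views. A genuine stack agrees with itself;
    a host that only fakes one layer (e.g. a Unix box answering with a Mac-like
    TTL and DF setting) shows up as inconsistent."""
    ip, tcp = ip_layer_guess(syn), tcp_layer_guess(syn)
    common = sorted(set(ip) & set(tcp))
    hops = initial_ttl(syn.ttl) - syn.ttl
    if common:
        return {"verdict": "consistent", "os": common, "hops": hops}
    return {"verdict": "inconsistent", "ip_view": ip, "tcp_view": tcp, "hops": hops}


# Constructed observations: a real Linux host, and a host whose IP layer has
# been tuned to look like a Mac while its TCP layer still behaves like Linux.
GENUINE = Syn("10.0.0.5", ttl=58, window=5840, df=True,
              options=("mss", "sackOK", "ts", "nop", "wscale"))
GHOSTED = Syn("10.0.0.9", ttl=249, window=5840, df=False,
              options=("mss", "sackOK", "ts", "nop", "wscale"))

if __name__ == "__main__":
    for host in (GENUINE, GHOSTED):
        print(host.src, cross_check(host))
```

The useful output is the disagreement, not either guess on its own: a stack that has been made to lie about one layer rarely lies consistently about all of them, and the hop count recovered from the TTL also has to make sense for where the host is supposed to sit.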
I choose to examine both machines for remote connection software. I believe it will be present for two reasons. The first is that Unix-style operating systems have built-in remote terminal features. In the early days of computing there was only one kind of computer, the mainframe. Connected to the mainframe was a series of terminals, each a remote control station comprised of a keyboard (or punch card reader, etc.) and a monitor. Many people could use the computer at once because of these terminals. Modern Unix-style OSs still retain these remote terminal features (telnet, rlogin and, today, SSH). (If anyone is interested in learning more about modern Unix-style OSs like Linux, shoot me an email at and I will write a primer on them for you and send it via TID.) The second reason I believe it will be present is that anyone running a setup like this frequently plans on connecting remotely to the home system, probably from work, to do things like send private emails or transfer work done at home to work and vice versa.
I scan both machines using a special software package I wrote that looks for specific versions of software and OSs. Through this I discover that one of the target machines is set up as a server running an OS known to me, with the following programs running: an Unreal Tournament game server, an Apache web server, a ProFTPd server, an SSH server, a Quake server, an X11 server and NFS. A quick rundown of those servers:
Unreal Tournament - Video game - No real permission to do anything on the computer except play the game
Apache WebServer - HTTP server - Potential read/write/execute access to the file system (through whatever CGI or server holes exist)
ProFTPd Server - FTP server - Potential read/write/execute access to the file system; also sends logins and passwords in the clear
SSH Server - Secure Shell server - Remote encrypted connection server
Quake Server - Video game - No real permission to do anything on the computer except play the game
X11 Server - Graphics server - Graphics display server; if it accepts remote clients, those clients can read keystrokes and capture the display
NFS Server - Network File System - Potential read/write/execute access to the file system; trusts whatever uid/gid the client claims unless a secure RPC flavour is in use
Out of these, depending on what I want to do, there are 3 or 4 choices to work with. Anything with read/write/execute access, or the graphics server, will probably give me the access I need. A quick banner check gives me the version numbers and it's off to do a little research. Unfortunately, this time I discover that he has updated all the programs and locked down the known holes, so I have to make one.
Using my understanding of how the OS works, I guess that certain login names will be present. Knowing that the NFS server must communicate with its clients, and that each request has to carry some form of credential, I fire up Ethersniff again, this time filtering out all non-NFS traffic. After several hours one system finally transmits a request for a file. The server and client exchange a query and a response, they handshake, and the file is released to the client. I am only interested in the credential exchange at this point.

This is the place to be precise about what NFS actually puts on the wire. Classic NFS (versions 2 and 3 with the default AUTH_SYS, also called AUTH_UNIX, credential) does not authenticate with a username and password at all, and it does not encrypt anything: every request carries the client's host name and the numeric uid and gid it claims, in plain XDR, and the file data comes back in the clear. Only the Kerberos-based RPCSEC_GSS flavour provides real authentication and, optionally, privacy. So if he is running plain AUTH_SYS, a sniffer on the segment reads the credentials and the files directly and nothing needs to be cracked. If he has put a real cipher in the path, the picture changes. Every practical encryption scheme has an algorithm that generates its output (the exception is a true one-time pad keyed from a physical noise source, which has no generator to reverse and never repeats). Looking at the traffic I can usually determine which scheme is in use, for example from the protocol negotiation or from block and message sizes. Knowing the algorithm, however, does not give me the keys. With a home-grown or weak scheme, collecting hundreds of exchanges over several days and doing some severe number crunching can expose patterns that eventually give up the key; against a properly used modern cipher that approach fails, and I have to fall back on whatever the network still sends in the clear, such as FTP logins, which ProFTPd transmits unencrypted. Once I have free read of his network traffic, it is only a matter of time before I get his root (Administrator) password, and from there I can do whatever I want.
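To make concrete what a sniffer actually sees in an NFS request, an added example (not code from the article) that builds and decodes an ONC RPC call carrying the AUTH_SYS credential that NFS v2/v3 use by default (RFC 5531 layout; the program numbers and flavour constants are real, the sample call and host name are constructed). The credential is plain XDR: host name, uid, gid and group list, with no password and no secret of any kind, which is why the flavour check at the end matters more than any cryptanalysis:

```python
import struct

# ONC RPC / NFS constants from RFC 5531 and RFC 1813.
CALL = 0
RPC_VERSION = 2
NFS_PROGRAM = 100003
NFSPROC3_GETATTR = 1
AUTH_NONE, AUTH_SYS, RPCSEC_GSS = 0, 1, 6
FLAVOR_NAMES = {AUTH_NONE: "AUTH_NONE", AUTH_SYS: "AUTH_SYS", RPCSEC_GSS: "RPCSEC_GSS"}


def xdr_u32(v):
    return struct.pack(">I", v)


def xdr_opaque(b):
    """Variable-length opaque/string: 4-byte length, the bytes, padding to 4."""
    return xdr_u32(len(b)) + b + b"\0" * ((-len(b)) % 4)


class XdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.u32()
        b = self.data[self.pos:self.pos + n]
        self.pos += n + ((-n) % 4)
        return b


def build_auth_sys(stamp, machinename, uid, gid, gids):
    """AUTH_SYS credential body (RFC 5531 authsys_parms) wrapped as opaque_auth."""
    body = xdr_u32(stamp) + xdr_opaque(machinename) + xdr_u32(uid) + xdr_u32(gid)
    body += xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)
    return xdr_u32(AUTH_SYS) + xdr_opaque(body)


def build_rpc_call(xid, prog, vers, proc, cred):
    """RPC call header: xid, CALL, rpcvers, prog, vers, proc, cred, verf (AUTH_NONE)."""
    return (xdr_u32(xid) + xdr_u32(CALL) + xdr_u32(RPC_VERSION) + xdr_u32(prog)
            + xdr_u32(vers) + xdr_u32(proc) + cred + xdr_u32(AUTH_NONE) + xdr_opaque(b""))


def parse_rpc_call(data):
    """Decode an RPC call header and, for AUTH_SYS, the plaintext credential."""
    r = XdrReader(data)
    msg = {"xid": r.u32()}
    if r.u32() != CALL:
        raise ValueError("not an RPC call")
    msg["rpcvers"], msg["prog"], msg["vers"], msg["proc"] = r.u32(), r.u32(), r.u32(), r.u32()
    flavor, body = r.u32(), r.opaque()
    msg["flavor"] = FLAVOR_NAMES.get(flavor, "flavor %d" % flavor)
    if flavor == AUTH_SYS:
        c = XdrReader(body)
        msg["cred"] = {
            "stamp": c.u32(),
            "machinename": c.opaque().decode("ascii"),
            "uid": c.u32(),
            "gid": c.u32(),
        }
        msg["cred"]["gids"] = [c.u32() for _ in range(c.u32())]
    return msg


def forgeable(msg):
    """AUTH_NONE/AUTH_SYS carry no secret: anyone on the segment can send a
    request claiming any uid. Only RPCSEC_GSS binds the caller to a key."""
    return msg["flavor"] in ("AUTH_NONE", "AUTH_SYS")


# Constructed sample: a GETATTR call from a client claiming uid 0 (root).
SAMPLE_CALL = build_rpc_call(
    0x1234ABCD, NFS_PROGRAM, 3, NFSPROC3_GETATTR,
    build_auth_sys(stamp=17, machinename=b"client01", uid=0, gid=0, gids=[0, 10]),
)

if __name__ == "__main__":
    m = parse_rpc_call(SAMPLE_CALL)
    print(m, "forgeable:", forgeable(m))
```

The practical consequence for the defender is that an NFS export reachable from an untrusted segment is only as strong as its export options (root_squash and a tight client list) unless it is moved to RPCSEC_GSS; for the attacker, the credential is something to copy, not something to crack.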
As you can see, the direct hacking method comes down to TIME. The longer you are online, the more vulnerable you are. There are, of course, several things that my friend (and you) can do to make these techniques harder. In no particular order (and he and I both do them regularly):
1. Read your firewall logs. Of course, since most of what I did was passive, you would not necessarily see the probes I performed; what you will see is noisy sequential scanning and the worm traffic.
2. Any time you are not using the Internet, disconnect. In the case of a cable modem either turn off the modem or your computer. My friend and I frequently do not do this because we connect remotely over our Internet connections. We do, however, watch our logs carefully for probes (see #1).
3. Keep your software patched and up to date. This will prevent hackers from using known exploits to get into your computer. Turn off services you are not using, and look hard at anything that sends credentials in the clear, such as FTP and unauthenticated NFS exports.
4. Change your passwords regularly. Do not choose words; make them long (8+ characters, and longer is better) and random.
Remember that you cannot stop someone from breaking into your machine (the only computer that is completely safe is the un-built one), but you can make it very difficult for someone to get in. The harder you make it, the more determined the hacker will have to be to gain access. Most hackers will go after the easy target rather than a hard one; after all, why waste all this time (days and days) on a hard challenge when there are easy pickings on other machines? Those of us good enough to crack the hard machines are not interested in your credit cards or stock portfolio (unless we work for the FBI); we are in it for the knowledge of how it was done.
Next issue, by request, I will be taking a look at hand-held computers. I will attempt to describe what all those fancy terms really mean and what hidden clauses are in the advertisements for them. If you have a request for an article, shoot me an email to and I will try to help you out.