
it’s called vertical movement.

      Most attackers move from lower to higher levels of privilege using vertical movement techniques (again, using the penetration methods described in this chapter). For example, a very common methodology is for the attacker to first compromise a single, regular end-user workstation. They use that initial foothold to find and dump the local administrative account credentials (typically password hashes) stored on it. If those local administrative credentials are shared among other machines (which they often are), they then move horizontally to those machines and repeat the process, collecting the credentials of whoever is logged on to each one, until they capture a very highly privileged account. Sometimes this happens immediately during the first break-in because the logged-on user or the system itself already has very high privileges. They then move to the authentication server and capture every user's logon credentials. This is the standard modus operandi for most hacker groups these days, and going from the initial compromise to complete network ownership (or pwning, in hacker terminology) can take less than an hour.
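      The following is an added example, not code from the book: a toy model of the chain just described, in which a shared local administrator password lets an attacker walk from one workstation to the domain controller by dumping credentials at each stop. The host inventory, logged-on sessions, access rights and "hash" values are all constructed for the demo; the mitigation shown at the end (a distinct local administrator secret on every host, which is what Microsoft LAPS enforces) is the one practitioners use to break the horizontal step.

```python
# Added example, not from the book: a toy model of the credential-reuse
# lateral-movement chain described above. Hosts, sessions and access rights
# are constructed for the demo; "hash" values stand in for dumped secrets.
from collections import deque

# Constructed inventory. Every workstation was imaged with the same local
# administrator password, so their local_admin entries are identical.
HOSTS = {
    "WS01":  {"local_admin": "la-hash-shared", "sessions": {"alice"}},
    "WS02":  {"local_admin": "la-hash-shared", "sessions": {"bob"}},
    "WS03":  {"local_admin": "la-hash-shared", "sessions": {"helpdesk"}},
    "SRV01": {"local_admin": "la-hash-srv01",  "sessions": {"helpdesk", "da-svc"}},
    "DC01":  {"local_admin": "la-hash-dc01",   "sessions": {"da-svc"}},
}
# Constructed domain access: which hosts each domain account may log on to.
ACCESS = {
    "alice":    {"WS01"},
    "bob":      {"WS02"},
    "helpdesk": {"WS01", "WS02", "WS03", "SRV01"},
    "da-svc":   {"WS01", "WS02", "WS03", "SRV01", "DC01"},
}
DOMAIN_ADMINS = {"da-svc"}


def simulate(hosts, access, foothold):
    """Breadth-first walk: on every owned host the attacker dumps the local
    admin secret and the credentials of every logged-on user, then tries
    each harvested credential against every host not yet owned.
    Returns (owned hosts, harvested domain accounts)."""
    owned, queue = {foothold}, deque([foothold])
    local_secrets, domain_accounts = set(), set()
    while queue:
        host = queue.popleft()
        local_secrets.add(hosts[host]["local_admin"])   # horizontal: reuse local admin
        domain_accounts |= hosts[host]["sessions"]       # vertical: steal logged-on users
        for target, info in hosts.items():
            if target in owned:
                continue
            via_local = info["local_admin"] in local_secrets
            via_domain = any(target in access.get(u, ()) for u in domain_accounts)
            if via_local or via_domain:
                owned.add(target)
                queue.append(target)
    return owned, domain_accounts


def with_unique_local_admins(hosts):
    """The mitigation: a distinct local administrator secret per host
    (what Microsoft LAPS enforces). Everything else is unchanged."""
    return {h: {**info, "local_admin": f"la-hash-{h.lower()}"} for h, info in hosts.items()}


def domain_owned(domain_accounts):
    """True once a domain administrator's credential has been harvested."""
    return bool(domain_accounts & DOMAIN_ADMINS)


if __name__ == "__main__":
    owned, accts = simulate(HOSTS, ACCESS, "WS01")
    print("shared local admin:", sorted(owned), "DA captured:", domain_owned(accts))
    owned, accts = simulate(with_unique_local_admins(HOSTS), ACCESS, "WS01")
    print("unique local admin:", sorted(owned), "DA captured:", domain_owned(accts))
```

With the shared password, a foothold on WS01 reaches every host and harvests the domain administrator credential sitting in a session on SRV01. With unique local administrator secrets the same attacker is stuck on WS01 with only alice's credential, because nothing dumped there opens a second machine.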

      In my personal experience, and remember I’m just an average hacker, it usually takes me about one hour to gain the initial foothold and another hour to capture the centralized authentication database. So for me, an average hacker, it takes about two hours to completely own a company. The longest it has taken me is three hours.

      Intended Action Execution

      After access is guaranteed and asset ownership is taken, hackers then accomplish what they intended to do (unless the act of breaking in revealed something new to do). Every hacker has intent. A legitimate penetration tester has a contractual obligation to do one or more things. A malicious hacker might spread malware, read or steal confidential information, make a malicious modification, or cause damage. The whole reason for the hacker to compromise one or more systems is to do something. In the old days (two or three decades ago), simply showing off that they had hacked a system would have been enough for most hackers. Today, hacking is 99% criminally motivated, and the hacker is going to do something malicious to the target (even if the only damage they do is to remain silently infiltrated for some potential future action). Unauthorized access without any direct damage is still damage.

      Covering Tracks

      Some hackers will try to cover their tracks. This used to be what almost all hackers did years ago, but these days computer systems are so complex and so numerous that most asset owners don't check for hacker tracks. They don't check the logs, they don't check the firewall, and they don't look for any signs of illegal hacking unless it hits them in the face. Each year, Verizon's Data Breach Investigations Report (http://www.verizonenterprise.com/verizon‐insights‐lab/dbir/) reports that most attackers go unnoticed for months to years, and that over 80% of the attacks would have been noticed had the defenders bothered to look. Because of these statistics, most hackers don't bother to cover their tracks anymore.

      Hackers need to cover their tracks even less these days because they are using methods that will never be detected using traditional hacker‐event detection. Or what the hacker uses is so common in the victim’s environment that it is nearly impossible to distinguish between legitimate and illegitimate activity. For example, after breaking in, a hacker usually performs actions in the security context of a legitimate user, often accessing the same servers and services as the legitimate user does. And they use the same tools (such as remote access software and scripting languages) that the admins do. Who can tell what is and isn’t malicious? The field of intrusion detection is covered in Chapter 14.
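      One answer to "who can tell?" is that the tool and the account may look legitimate while the pattern of use does not. The following is an added example, not code from the book or from any product: a behavioural check run over a constructed extract of centrally collected Windows Security logon events (event 4624, logon type 3 for network logons). It flags an account that reaches far more distinct hosts within a short window than that account normally does. The events, the per-account baselines and the ten-minute window are all assumptions made for the demo; in practice the baseline is learned from weeks of history.

```python
# Added example, not from the book: a behavioural check for the situation
# described above, where the attacker uses a legitimate account and the
# admins' own remote-access tools. The tool and account look normal; the
# pattern (one account reaching far more hosts than it usually does) does not.
# The events, baselines and window below are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed extract from centrally collected Windows Security logs:
# timestamp, event ID, logon type, account, target host.
# 4624 = successful logon; logon type 3 = network logon (SMB, WinRM, etc.).
EVENTS = """\
2024-05-01T09:00:12 4624 2 alice WS01
2024-05-01T09:03:40 4624 3 alice WS02
2024-05-01T09:04:05 4624 3 alice WS03
2024-05-01T09:04:51 4624 3 alice SRV01
2024-05-01T09:06:30 4624 3 alice DC01
2024-05-01T09:01:00 4624 3 helpdesk WS04
2024-05-01T09:05:00 4624 3 helpdesk WS05
2024-05-01T09:09:00 4624 3 helpdesk WS06
2024-05-01T11:30:00 4624 3 alice FS01
"""

# Constructed per-account baseline: the most distinct hosts each account is
# normally seen reaching within one window. Unknown accounts get the default.
# A help-desk account legitimately fans out; an ordinary user does not.
BASELINE = {"alice": 1, "helpdesk": 6}
DEFAULT_BASELINE = 2
WINDOW = timedelta(minutes=10)


def parse_network_logons(text):
    """Keep only successful network logons, as (time, account, target)."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, target = line.split()
        if event_id == "4624" and logon_type == "3":
            events.append((datetime.fromisoformat(ts), account, target))
    return sorted(events)


def max_fan_out(events, window=WINDOW):
    """For each account, the largest number of distinct hosts it reached
    by network logon inside any span of length `window`."""
    by_account = defaultdict(list)
    for ts, account, target in events:
        by_account[account].append((ts, target))
    result = {}
    for account, evs in by_account.items():   # evs are already time-sorted
        best = 0
        for i, (start, _) in enumerate(evs):
            in_window = {tgt for ts, tgt in evs[i:] if ts - start <= window}
            best = max(best, len(in_window))
        result[account] = best
    return result


def detect(text, baseline=BASELINE, default=DEFAULT_BASELINE, window=WINDOW):
    """Accounts whose fan-out exceeds their own baseline, with the count."""
    counts = max_fan_out(parse_network_logons(text), window)
    return {a: n for a, n in counts.items() if n > baseline.get(a, default)}


if __name__ == "__main__":
    print(detect(EVENTS))   # alice reached 4 hosts in under 10 minutes; normal is 1
```

Nothing in alice's events is individually suspicious: each is a successful logon by a valid account. The help-desk account touches three machines in the same period and is left alone because that is what it does every day. Comparing an account against its own history, rather than looking for "hacker tools", is what makes the living-off-the-land pattern visible.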

Hacking Is Boringly Successful

      If you want to know how hackers hack, there you go. It’s all summarized throughout this chapter. The only thing left to do is add tools, curiosity, and persistence. The hacking cycle works so well that many penetration testers, after getting over the initial excitement of being paid to be a professional hacker, get bored and move on to something else after a few years. Could there be a bigger testament to how well the cycle works? And it is within this framework and understanding that defenders need to fight against attackers.

Automated Malware as a Hacking Tool

      When malware is involved, the malware can accomplish one or more of the steps, automating everything, or hand over manual control once the target is acquired and pwned. Most hacking groups use a combination of social engineering, automated malware, and human attackers to accomplish their objectives. In larger groups, the individual hackers may have assigned roles and specialties. Malware may execute a single penetration step and be successful without ever trying any of the other steps. For example, the fastest-spreading malware program in history, SQL Slammer, was just 376 bytes in size. It fired its buffer-overflowing payload at UDP port 1434 (the SQL Server Resolution Service) of randomly chosen addresses, regardless of whether the target was running SQL Server. Since most computers aren't running SQL Server, you might think it would be very inefficient. Nope, in 10 minutes it changed the world. No malware program has ever come close to infecting as many hosts in so short a time.

      NOTE

      If I’ve missed a step in the hacker methodology or missed a penetration method, I apologize. Then again, I told you I was only an average hacker.

      Hacking Ethically

      I would like to think that my readers are ethical hackers who make sure they have the legal right to conduct hacking on any target they have fixed their sights on. Hacking a site you do not have the predefined and express authority to hack is unethical and often illegal. It is even unethical (if not also illegal) to hack a site and then tell the owners about the vulnerability you found, asking for nothing in return. It is unethical and often illegal to find a vulnerability and then ask the site to hire you as a pen tester. This latter scenario happens all the time. I'm sorry, there is no way to tell someone that you have found a way to hack their sites or servers and ask for a job or money without it being seen as extortion. I can tell you that almost all sites receiving such an unsolicited request do not think you're being helpful and do not want to hire you. They see you as the enemy, and lawyers are always immediately called.

      The rest of this book is dedicated to describing specific types of hacking, particular penetration methods, and how defenders fight those methods, and to profiling experts who fight hackers at their own game. If you want to hack for a living or fight hackers, you'll need to understand the hacker methodology. The people profiled in this book are the giants in their field, and you can learn a lot from them. They led the way. A great place to start is with Bruce Schneier, who is profiled in Chapter 3 and is considered by many to be the father of modern computer cryptography.

3

      Profile: Bruce Schneier

      Bruce Schneier is one of those people with so much experience and expertise that many introductions refer to him using the words "industry luminary." Starting out as what many people called the "father of modern-day computer cryptography," Schneier transcended his early cipher focus to ask the bigger questions about why computer security is not significantly better after all these decades. He speaks with authority and clarity on a wide range of computer security topics. He is frequently invited as an expert on national television shows and has testified several times in front of the United States Congress. Schneier writes and blogs, and I have always considered his teachings to be my informal master's degree in computer security. I would not be half the computer security practitioner I am today without his public education. He is my unofficial mentor.

      Schneier is famous for saying disarmingly simple things that get to the heart, and sometimes gut, of a previously held belief or dogma. For example, “If you are focused on SSL attacks, then you’re doing better in computer security than the rest of the world.” He meant that there are so many other, more often successfully exploited things to be worried about, that if you were truly worried about a rarely used SSL exploit, you must have solved all the other more likely, more important, things first. In other words, we need to prioritize our computer security efforts instead of reacting to every newly announced (and sometimes never exploited) vulnerability.

      Another example of something he has commented on is computer security workers getting upset when employees don’t treat password security seriously. Instead, many employees use weak passwords (when
