The Reconnaissance section discussed how hackers gain information against their targets by using a variety of websites for open source information gathering, tools and social engineering tactics. Armed with this information, hackers can send phishing emails or use help desk personnel to get accounts and passwords. In this manner, attackers build their information base of a target’s potential weakness areas.
The Network Scanning section let the students try their hand at identifying the operating system information, open ports and available services of their target. The hacker would then recreate a company’s infrastructure based upon the information they found. This would be completed on their own equipment so they could then laboriously search for vulnerabilities and experiment with creating exploits against them until they had success with an effective attack against this test infrastructure. Only once flawlessly successful, would they try the attack against the actual target.
The Exploitation section emphasized how software vulnerabilities such as stack/heap overflows, Structured Query Language (SQL) injection, cross-site scripting and other code weaknesses, are a gold mine for hackers and provide critical pathways to achieve success. The activities centered on using Metasploit, which is a hacking framework designed to streamline the attack process. Metasploit has a library of prebuilt exploits against applications and services and corresponding payloads for those exploits to support attacks. The hacker community creates and shares successful exploits for others to use. Using the information they gained in the previous phases, even novice hackers can use Metasploit to look for a service like a SQL Server or a product such as Adobe Flash and use a prebuilt attack against it.
In the hands-on portion of the Exploitation section, the students used Metasploit to attack the provided lab entities with the same exploit used in the Stuxnet attack. Additionally, a full exploitation demonstration was performed for the class using WarFTP to show how to use tools such as fuzzers and debuggers to crash an application, find weak code, and then create or inject malicious code for a successful attack on a system. Again, this stressed the necessity for developers to understand how code could be exploited and how to prevent the associated weaknesses so they could remove the paths hackers use.
Post-Exploitation & Maintaining Access
Hackers can remain active after an attack. In the Post-exploitation phase, the students reviewed network traffic, obtained passwords, moved to other systems and hid their traffic. Once an exploit is successful, hackers want to maintain access. They want to ensure that they can easily get back into a system and not be dependent on using their initial entrance to the system in case the initial path was detected or patched. For example, perhaps a watchful administrator responded to an intrusion detection system noting an unusual log-in. By the time the administrator closes the door the attacker came through, the attacker may have already created other accounts, installed a backdoor Trojan to easily get back in, set up callbacks to be able to send data out from the system back to themselves, or started stealing and cracking passwords to get into other areas of the system.
Finally, an attacker wants to cover their tracks so their existence within the system is not discovered. They do this by changing log files and other artifacts to remove traces of their activities. The students were given an opportunity to use the sum of the knowledge they had gained and tackle a mini Capture-the-Flag challenge, as well as other activities such as bypassing a firewall. A handout of references and topics was given to the students at the end of the class.
Hacker 101 – Summary & Take Away Message
Skilled attackers can relatively easily thwart our current security perimeter defenses that have been set up to keep them out. Unfortunately, an administrator and protector of the perimeter defenses has an overwhelming set of tasks to accomplish; an enemy with ever-changing tactics; and tools that can only address a part of the problem, are only successful against already known attacks and which may have been created with insecure code themselves. Once an attacker has obtained access to any part of an entire system of systems, they can then begin to install their own software. This software could potentially let them back into the system, control parts of the system, and/or move to more critical components in a system. While it is important to apply additional rigor to the more critical components, if a supporting non-critical component has access or connections into the system, it could be the weakest link and the key to the back door of the entire defense system. This is why securing code is so important. It is the main target and the last defense.