Common Hacking Techniques

by UnKnOwN
courtesy: eworld.0fees.net
________________________________________________________________________________
Hacking is obtaining illegal access to information on your computer, or another person's computer. Password cracking, spoofing, and sniffing are the main techniques that hackers use. A typical network hacking could involve all three methods simultaneously. For example:
* A hacker could first trick a user into visiting the hacker's site and entering some personal data in it. This is called spoofing.
* While the user is entering the information, the hacker could sniff the network traffic emerging from the user's computer and obtain a list of passwords and logins. This is called sniffing.
* If the passwords are encrypted, the hacker could use a password-cracking tool to decrypt them.

After this, the hacker can access the user's machine with this information. If this hacking attempt takes place over a corporate network or even a website, the result could bring down the entire network or site, or the hacker might access confidential information for industrial espionage.
In this article, I'll cover common hacking techniques such as password cracking, spoofing, sniffing, and, if space permits, the man-in-the-middle attack. Of course, this is not an article on how to hack, so I will explain how to protect yourself against these types of attacks.

Using passwords is the most common method of authenticating and securing data. Passwords are used in network logins, securing documents, ATM PINs, and other sensitive areas. I know, I am talking to you like a three-year-old, but just in case there are any absolute newbies out there, I want to be thorough.
A password works as a data encryption key or as an authentication key. When a password is used as a data encryption key, the data to be protected gets encrypted. Without the encryption key, this data would appear as garbled output. I will do a detailed article on encryption one of these days.
For example, to see the effect of not password-protecting a simple Microsoft Word document:
1. Create a new Word file.
2. Enter some text in it.
3. Save and close the file.
4. Open Notepad or any other text editor.
5. Open the Word file in a hex editor. There are a lot of junk characters in this unencrypted file, but the text you entered is still clearly visible, as shown in Figure 1:

Figure 1: Shows our unencrypted text in a Hex Editor


To see the effect of password-protecting the same Microsoft Word document, encrypt the file as follows:
1. Open the file.
2. Select File -> Save As.
3. Type a new name and select Tools -> Security Options in the dialog box, as shown in Figure 2:

Figure 2: The Security Options


4. In the Security dialog box, enter a password in the Password to open field, as shown in Figure 3. The password is encrypted.

Figure 3: The Security Window


5. Click the Advanced button.
6. Click Advanced to display the Encryption Type dialog box shown in Figure 4:

Figure 4: Encryption Type Window


7. Press OK.
8. In the Confirm Password window, you are prompted to reenter the password. This helps ensure that you remember your password correctly.
9. Save and close, then re-open the file in a hex editor. This time you will see something like this:

Figure 5: Our encrypted file


Use of passwords for authentication does not encrypt data. The system just checks whether or not the credentials are correct. If they are correct, then it allows the user access to, for example, e-mail systems like Hotmail or Yahoo!, or to your network login account.
Password cracking involves trying to figure out what the password for a given resource is. A hacker carries out a dictionary or hybrid attack, or tries the brute force attack.

Dictionary Attack
This type of attack uses a file that contains an extremely large number of words and tries each password from this file against the target resource continuously. The dictionary file, called the wordlist, is a simple text file containing one word per line.
The principle of this attack is that most people use simple words or combinations of words as their passwords. The larger the wordlist, the better the chances of cracking the password. Most modern password-hacking tools use the dictionary method as their first and fastest method of guessing a password.
Hackers also use permutations of each word in different cases. For example, if "that" is the word chosen from the wordlist, the hacker tool would try all possible combinations of upper- and lowercase letters, as listed in Table 1:

Table 1: Dictionary attack method


Hacking passwords in this way can take quite some time because the hacker needs to try out multiple permutations for each word and needs to repeat the process for every word in the dictionary file. In comparison to the other methods, this is the fastest, but it can also be the least effective if the password is not word-based.

Hybrid Attack
In this method, the hacker uses combinations of words and numbers as well as some other attributes, such as file names and dates.
The logic behind this attack is that many users simply rotate their passwords. Users simply add a number to the end of the file name and use that as the password. For example, for the July Sales Report.xls file, a user could choose a password such as SAL1 and the next month alternate it to SAL2.
Parts of the file name, the date the file was created on, and any words that have a special meaning, such as July being the 7th month, could signify a password such as SAL7, SAL07, 7SAL, or 07SAL.
Hybrid attacks are logic-based and can even detect non-word passwords. The strength of this attack depends on how well written the guessing engine of the tool is and how many different hybrid attacks it can predict.

Brute Force Attack
This method enables hackers to determine a password by trying every possible combination of characters, including lowercase letters, uppercase letters, numbers, punctuation, and special and regular ASCII characters.
The brute force attack starts with a length of one character. It tries all characters alone once and then combinations of two, three, and so on. A set of possible combinations using the lowercase and uppercase alphabets and the digits is listed in Table 2:

Table 2: Combinations Using Lowercase and Uppercase Alphabets


The number of password-cracking attempts by the hacking tool increases exponentially as the number of characters in the password increases. If you include punctuation and other printable characters as well, the number of attempts increases further.
A brute force attack can take a long time, maybe even a week, depending on the complexity of the password and the power of the hacking computer. Because this is a very CPU-intensive job, a faster processor on the hacking machine decreases the time the hacking requires.
This is the most comprehensive attack, and no password is safe from it given enough time. The problem for the hacker is being able to dedicate that much time and those resources. I know I don't have the time, or patience, to let my computer run for a year on a task.
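The exponential growth described above, worked through in code. This is an added example, not part of the original article; it computes the size of the brute force search space for the character sets the article lists (the shape of its Table 2) and a worst-case time at a guess rate that is an assumption you supply, since the real rate depends on the hash type and hardware.

```python
# Added example (not from the original article): how the number of brute force
# candidates grows with password length and with the size of the character set.
import string

# Character sets the article mentions, keyed by a description of their contents.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                                  # 26 symbols
    "lowercase+uppercase": string.ascii_letters,                          # 52 symbols
    "lowercase+uppercase+digits": string.ascii_letters + string.digits,   # 62 symbols
    "all printable ASCII (no space)": "".join(chr(c) for c in range(33, 127)),  # 94
}


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Total candidates a brute force attack must try for lengths 1..max_length.

    The attack tries every single character, then every pair, then every
    triple, so the total is alphabet_size**1 + alphabet_size**2 + ... .
    """
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def growth_table(alphabet_size: int, max_length: int) -> list:
    """Rows of (length, candidates of exactly that length, cumulative total)."""
    return [(n, alphabet_size ** n, keyspace(alphabet_size, n))
            for n in range(1, max_length + 1)]


def seconds_to_exhaust(alphabet_size: int, max_length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate.

    The guess rate is an assumption you supply; it depends entirely on the
    hash type being attacked and the hardware doing the cracking.
    """
    return keyspace(alphabet_size, max_length) / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # constructed figure: one million guesses per second
    for name, chars in CHARSETS.items():
        print(f"{name} ({len(chars)} symbols):")
        for length, exact, total in growth_table(len(chars), 8):
            days = seconds_to_exhaust(len(chars), length, ASSUMED_RATE) / 86400
            print(f"  length {length}: {exact:>20,} exact, {total:>20,} cumulative, "
                  f"{days:,.2f} days at {ASSUMED_RATE:,}/s")
```

Running it shows the point the text makes: adding one character multiplies the work by the alphabet size, and widening the alphabet from 26 to 94 symbols multiplies it again at every length, which is why the rules later in the article ask for both length and mixed character classes.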
L0phtCrack is a password-hacking tool. The current release is called LC4 and is available from At Stake Inc. from their website at http://www.atstake.com/. Figure 7 shows the interface of the hacker trying to crack the passwords on a user's computer. This LC4 interface lists users and their passwords. The panel on the right shows the current method of attack. My former employer had me buy this to test their security. They failed.

Figure 7: LC4 Interface


I blacked out some information. Not that I don't trust you guys, but... :)
LC4 uses a 250,000-word wordlist for the dictionary and hybrid attacks. If these fail, the attack moves on to the brute force method.

A brute force attack in progress is shown in Figure 8. The figure shows the password cracked using the brute force attack after the dictionary and hybrid methods failed. I'll make this picture a bit bigger so you can see some details of this attack in progress:

Figure 8: Brute Force Attack in Progress

The following simple rules protect passwords from hackers; I would follow them:
* Select passwords at least eight characters in length.
* Do not use names, words, or common abbreviations for a password.
* Use a combination of uppercase and lowercase letters, numbers, and special characters.
* Do not write down the password anywhere.
* Change your password regularly and do not repeat your passwords.
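A checker for the first three rules above, written as an added example that is not part of the original article. It also applies the dictionary and hybrid logic described earlier from the defender's side: a candidate is rejected if, after lowercasing and stripping leading or trailing digits and punctuation (the SAL7 / 07SAL pattern), it matches a wordlist entry. The wordlist here is a constructed sample; a real one is far larger.

```python
# Added example (not from the original article): a checker for the article's
# password rules, plus the wordlist test a dictionary or hybrid attack would pass.
import string

# Constructed sample wordlist; a real one has hundreds of thousands of entries.
WORDLIST = {"password", "sales", "sal", "july", "report", "admin", "letmein", "that"}


def hybrid_stems(candidate: str) -> set:
    """Forms a hybrid attack would derive the candidate from: the word itself in
    lowercase, and the word with leading/trailing digits and punctuation removed
    (so SAL7, 07SAL and Sales2003! all reduce to a wordlist lookup)."""
    low = candidate.lower()
    return {
        low,
        low.strip(string.digits),
        low.strip(string.digits + string.punctuation),
    }


def check_password(candidate: str, wordlist=WORDLIST) -> list:
    """Return the list of rules the candidate breaks (empty means it passes)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digits": any(c.isdigit() for c in candidate),
        "special characters": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if any(stem in wordlist for stem in hybrid_stems(candidate)):
        problems.append("based on a wordlist entry")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the article's SAL7, a rule-satisfying dictionary
    # word with decoration, and a random-looking one.
    for pw in ["SAL7", "Password1!", "Kx9#mVt2qL"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The "Password1!" case is the one worth noticing: it satisfies length and all four character classes, yet still fails, because the hybrid stripping exposes the dictionary word underneath. Length and character-class rules alone do not stop the hybrid attack the article describes.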

Sniffing is the act of eavesdropping on the network. It works pretty much the same as a phone tap. In most cases, sniffing does not require any specialized equipment; any computer on the network can do the task.
The packet sniffer tool used for sniffing captures and logs all network traffic. While running on any computer on the network, the tool captures and analyzes every network packet that travels past that machine. This mode is known as promiscuous mode. In the default mode, the network card's filter simply rejects any packets not addressed to that machine. Packet sniffers turn this filter off so that all packets are accepted by the network card and passed to the system running the sniffer, where they can be captured.
Because most of the traffic in the network is binary data, the captured log is sent to a protocol analyzer tool, which:
* Analyzes the packets captured
* Figures out the protocol type
* Opens each packet according to the rules of that protocol in order to get to the data in the packet
* Other stuff?

The data can include sensitive information, such as logins and passwords. A skilled hacker can scan the data for such information quickly and possibly get a few passwords transmitted on the network.
Ethernet uses shared media. Every computer on the network can see all the traffic being generated on the network. The Ethernet card installed in each machine contains a filter that rejects any packet that does not have its own Media Access Control (MAC) address. The MAC address is a global 48-bit number that is unique to each piece of Ethernet hardware.
Parts of a Sniffer
A sniffer tool consists of:
* Hardware: Usually a standard Ethernet card in a machine. Advanced network sniffers, such as tools for checking cyclic redundancy checks, voltage errors, or jitter correction, are used for network fault detection and use specialized hardware such as network analyzers. A bit too complex for this article.
* Capture driver: Turns promiscuous mode on and captures the traffic that flows past.
* Buffer: Stores the captured data. The buffer could be either disk- or memory-based.
* Protocol analyzer: Reads the captured data, separates it into different protocols, and then opens it to show the hacker the information that the packet contains.
* Packet editor and transmitter: Enables the hacker to change certain values in the packet and to resend the packet on the network with the modified information, thereby enabling the hacker to spoof values in the network. This is an optional add-on tool on the sniffer I am testing.

Many network protocols send login names and passwords in clear text over the network. Hackers usually try to get these logins and passwords by sniffing the network and analyzing the packets.
Modern packet sniffers can even be configured to watch for a specific protocol, such as Telnet, and to automatically open each new packet and look for the login information in the decoded data.
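What "opening each packet according to the rules of its protocol" looks like in code, as an added example that is not part of the original article. It decodes Ethernet II, IPv4 and TCP headers layer by layer, the way the protocol analyzer component described above does, and then runs the defender's version of the Telnet watch: a detection pass that flags every frame carried over a cleartext login protocol. The frame is constructed inline (checksums left as zero), and the port table is an assumption covering the protocols a defender would want flagged.

```python
# Added example (not from the original article): the "open each packet according
# to the rules of its protocol" step of a protocol analyzer, reduced to Ethernet,
# IPv4 and TCP headers, with a check that flags cleartext login protocols. The
# frame is constructed inline; its checksums are left as zero.
import struct

# Ports of protocols that carry logins in clear text (assumption: the set a
# defender would want flagged; the article names Telnet explicitly).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3"}
TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10)]


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct an Ethernet II / IPv4 / TCP frame for testing (sample data)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0)          # 20-byte header, PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + tcp + payload


def flags_to_str(flags: int) -> str:
    return ",".join(name for name, bit in TCP_FLAG_NAMES if flags & bit)


def parse_frame(frame: bytes) -> dict:
    """Walk the headers layer by layer and return the decoded fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is decoded here
        info["protocol"] = "non-IPv4"
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info["src_ip"] = ".".join(str(b) for b in ip[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if ip[9] != 6:                               # protocol field: 6 is TCP
        info["protocol"] = f"ip-proto-{ip[9]}"
        return info
    tcp = ip[ihl:total_len]
    src_port, dst_port, seq, ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (offset_flags >> 12) * 4       # TCP header length in bytes
    info.update(src_port=src_port, dst_port=dst_port, seq=seq, ack=ack,
                flags=flags_to_str(offset_flags & 0x1FF), payload=tcp[data_offset:])
    info["protocol"] = CLEARTEXT_PORTS.get(dst_port) or CLEARTEXT_PORTS.get(src_port) or "TCP"
    info["cleartext"] = info["protocol"] != "TCP"
    return info


def cleartext_alerts(frames) -> list:
    """Detection pass: one alert line per frame that uses a cleartext login protocol."""
    alerts = []
    for frame in frames:
        p = parse_frame(frame)
        if p.get("cleartext"):
            alerts.append(f"{p['protocol']} {p['src_ip']}:{p['src_port']} -> "
                          f"{p['dst_ip']}:{p['dst_port']} [{p['flags']}] "
                          f"{len(p['payload'])} bytes")
    return alerts


if __name__ == "__main__":
    sample = [build_frame(40000, 23, b"login: alice\r\n"),   # constructed Telnet segment
              build_frame(40001, 443, b"\x16\x03\x01")]      # constructed TLS, not flagged
    print("\n".join(cleartext_alerts(sample)))
```

The same layered walk is what Ethereal's middle pane shows for a selected packet; the alert list is the kind of output a defender wants from a capture of their own network, because every line in it is a login protocol that the "secure protocols" rule later in the article says to replace.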
There are two common ways of packet sniffing in a network:
1. Sniffing by internal users: Hackers can run packet sniffers on their machines, looking for admin-level passwords being passed on the network. This allows them to log in as users with high levels of access and gain admission into areas where they have no authorization. They can alter important information about themselves or others, such as payroll information and performance reviews. Screw with someone's salary? Hackers can most likely do it! (the bastards)
2. Sniffing by external hackers: If a system is connected to the Internet, a hacker who gains access to it can install a packet sniffer on that computer. In a business or other organization, a computer connected to the Internet is most likely to be connected to an internal network. By gaining entry into this computer, the hacker can view the traffic in the internal network by running a sniffer. After getting a dump of passwords, the hacker can use the compromised system to hop onto another system in the network, and so on. If he gets this far it will be disastrous.

There are two steps involved in installing packet sniffers:
1. Installing a packet capture driver
2. Installing Ethereal
Install the Packet Capture Driver
To install different packet sniffers on your own machine and view the output from them, you first need to install the packet capture driver for Windows. This is the driver for the network adapter that turns promiscuous mode on for accepting all the packets flowing across the wire.
The standard packet capture driver for Windows is called WinPcap. To install it:
1. Download the Ethereal software from http://www.ethereal.com/distribution/win32/.
2. Install the driver.
Installing Ethereal
The next tool to install is called Ethereal. This is a free program for Windows that does both sniffing and protocol analysis.
Ethereal can pick up and analyze packet sniffer logs from other popular packet sniffers, such as TCPDump, MS Network Monitor, Novell's LANalyzer, and the commercial EtherPeek. A useful feature of Ethereal is its ability to filter packets based on protocol, string, and even TCP conversation. To install Ethereal:
1. Download the Ethereal software from http://www.ethereal.com/distribution/win32/.
2. After you accept the license agreement, make sure you check all the available options, as shown in my next figure:

Figure: Installation Options


3. Continue the normal install, and then start the program. You should see the following window.

Figure: Main Ethereal Window


4. Select Edit -> Preferences -> Capture in the main window of Ethereal to select the network interface you wish to sniff, as shown in Figure 20:

Figure 20: Selecting Network Interfaces


5. Save your options and return to the main menu.
6. Select Capture -> Start to display the dialog box shown in Figure 21. This dialog box contains options you need to set.

Figure 21: Capture Options in Ethereal


7. Press OK. The main window displays the results of packet sniffing, as shown in Figure 22:

Figure 22: Results of Packet Sniffing


The above window is divided into three parts. The first part shows a single-line summary of each packet that was captured. The second part shows the result of the packet analysis and a description and values of the header fields for the packet selected in the first window. The final part is the actual hexadecimal and ASCII dump of the packet and contains logins and passwords.
Another useful command-line tool for Windows is WinDump, a port of the very popular and powerful UNIX network sniffer TCPDump. This is available from http://netgroup-serv.polito.it/windump/. This tool simply captures the data appearing on an interface and logs it to a file. It is efficient and does not require an installation. Simply running the executable file, as long as the packet driver WinPcap is installed, will let you quickly dump the traffic to a file.
After you install Ethereal, you can run it as a command-line application to keep other users from knowing about it. If it were running as a command line, it would be very difficult for anyone to understand what it is.

You need to be concerned about sniffers from both inside and outside of the network. To prevent sniffer attacks on the network, you can use:
1. A switched network rather than a shared one. Use switches instead of hubs. This prevents casual sniffing of your network because the data is well segregated and each computer does not see all the traffic.
2. Secure protocols. Avoid protocols that send their sensitive information in clear text over the wire. Use protocols that encrypt data at the sender's end and decrypt it at the receiver's end.
3. Kerberos on Windows 2000 or later. Windows, as well as many variations of UNIX, has implementations of this secure authentication method. Kerberos is a network security protocol that uses encrypted packets to exchange information as well as giving user authentication rights.
4. Smart cards and one-time pads. Each smart card contains millions of combinations of digital one-time codes that are used for authentication and as encryption keys. I really want to do an article on smart cards, but at this time I am not familiar enough with them. Look for it soon, however.

Spoofing refers to pretending to be a part of the network, mainly with malicious intentions.

There are two types of spoofing, non-blind and blind. Non-blind spoofing is carried out when a hacker is connected, such as by being on the same Ethernet, to a target machine as well as to the machine the hacker wishes to spoof. Being on the same network, the hacker can predict the responses from the computer under attack. Makes sense.
In non-blind spoofing, the hacker has the advantage of knowing whether or not the machine under attack is online and whether it needs to be removed from the network while spoofing. Inside information is always helpful when hacking, I suppose.
In blind spoofing, the hacker is not connected to the target machine.
A TCP connection is made after a three-way handshake. For example, suppose that X, T, and A are, respectively, the target machine, the trusted machine (a machine on the same network), and the attacker. When a TCP connection is being established between X and T, a handshake occurs, as shown in Table 3:
Table 3: The 3-way handshake
Don't be alarmed if this looks complex; it is not.
SYN and ACK are the TCP flags set by the machines. Seq# C1 is a random sequence number generated by the client T and sent to X. While replying to the network message, X sends back this number increased by 1, as C1 + 1, and another sequence number, S1, that the server itself generates. The client then sends back C1 + 1 as well as S1 + 1. This allows both the client and the server to ensure that the machines are familiar with each other's numbers.
Suppose the attacking machine A spoofs machine T and sends the first packet. When the second return packet is sent by the server, A cannot view the sequence number because the packet is sent to the real machine T. The hacker needs to guess S1 and send an ACK packet back to X with the correct sequence number.
There is one more problem associated with this scenario. When T receives a SYN+ACK packet for a connection it did not initiate, T sends a reset signal back to X instructing it to close the connection. In this case, the hacker first has to spoof T and send a broadcast message to all the machines on the network, prompting a response. After this happens, T gets flooded with responses, terminating any more incoming connections. It will not see the SYN+ACK packet coming to it from X.
When T is off the network, the hacker can start predicting the sequence numbers that the server will send. The hacker can do this by performing a few legitimate connections from A to X, without spoofing, to check the pattern of the numbers being generated, and then spoof T and start sending the packets.
Hope I didn't screw up any letters in that scenario! Ugh... Maybe a diagram will help.
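The exchange above, written out in code as an added example that is not part of the original article. It models the three segments between client T and server X with the article's C1 and S1 notation, the check X performs on the final ACK, and why that check is what a blind spoofer runs into: without having seen the SYN+ACK, a third party must produce S1 + 1 from a guess, and the server accepts nothing else. The random ISN function assumes a stack that draws from the whole 32-bit space; the article's scenario depends on older stacks whose numbers followed a pattern.

```python
# Added example (not from the original article): the three-way handshake
# between client T and server X using the article's C1 / S1 notation, and the
# check on the server side that makes a blind guess at S1 fail.
import secrets

MODULUS = 2 ** 32   # TCP sequence numbers are 32-bit and wrap around


def random_isn() -> int:
    """Initial sequence number drawn from the whole 32-bit space (assumption:
    a modern stack; the article's scenario relies on stacks with predictable ISNs)."""
    return secrets.randbelow(MODULUS)


def three_way_handshake(c1: int, s1: int) -> list:
    """Return the three segments as (sender, flags, seq, ack) tuples."""
    syn = ("T", "SYN", c1, None)                                 # 1. T -> X: seq = C1
    syn_ack = ("X", "SYN+ACK", s1, (c1 + 1) % MODULUS)           # 2. X -> T: seq = S1, ack = C1+1
    ack = ("T", "ACK", (c1 + 1) % MODULUS, (s1 + 1) % MODULUS)   # 3. T -> X: ack = S1+1
    return [syn, syn_ack, ack]


def server_accepts(s1: int, final_segment: tuple) -> bool:
    """X completes the connection only if the third segment acknowledges S1 + 1."""
    sender, flags, seq, ack = final_segment
    return flags == "ACK" and ack == (s1 + 1) % MODULUS


def guessed_isn_accepted(s1: int, guessed_s1: int, c1: int) -> bool:
    """The risk the article describes, from the server's side: a party that never
    saw X's SYN+ACK must build the final ACK from a guess at S1, and only an
    exact guess passes server_accepts. With random_isn() that is a 1-in-2**32 chance."""
    forged_final = ("T", "ACK", (c1 + 1) % MODULUS, (guessed_s1 + 1) % MODULUS)
    return server_accepts(s1, forged_final)


if __name__ == "__main__":
    c1, s1 = random_isn(), random_isn()
    for sender, flags, seq, ack in three_way_handshake(c1, s1):
        print(f"{sender} -> {'X' if sender == 'T' else 'T'}: {flags:8} seq={seq} ack={ack}")
    print("server accepts real ACK:", server_accepts(s1, three_way_handshake(c1, s1)[2]))
    print("server accepts guessed S1:", guessed_isn_accepted(s1, random_isn(), c1))
```

The defensive takeaway is in the last two lines of output: the handshake is only as strong as the unpredictability of S1, so unguessable initial sequence numbers on X are the mitigation for the blind case, and the non-blind case (where the spoofer can read the SYN+ACK off the shared segment) is addressed by the switched-network and encrypted-protocol measures from the sniffing section.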

By spoofing a client, a connection can be established to bring down a server in a typical DoS attack.

Server Spoofing
This type of spoofing is carried out either on an internal network or on the Web itself.
For example, while browsing chat rooms or forums on the Web, you come across posts that inform you of a highly recommended Windows security patch that you should apply immediately to secure your systems from attacks. If you click the link, you are taken to http://www.micr0sOft.com/technet/security/q874787.asp. The trick in this case is that the URL points not to the actual Microsoft Corporation's website but to a cleverly disguised site run by the spoofer. Note that the letter O in Microsoft in the above URL is actually a zero, and you are taken to a different site.
When you are at this site, which has been made to look exactly like the Microsoft site, you may be tempted to download the security patch offered. This patch would most probably be a Trojan horse that would install like a normal security patch. It might install some hidden programs on your computer to monitor it and occasionally send out sensitive information to the hacker, such as passwords, machine information, and other data.
You can be fooled into all sorts of stuff if you are not careful!
Figure 24 depicts server spoofing, which involves pointing the victim to the hacker's own server instead of a real one:

Figure 24: A Spoof!


To protect yourself from server spoofing, you need to look at all URLs very carefully, scan all downloads, including the ones from a trusted source, and make sure that SSL is enabled before submitting personal details, especially credit card information.

Damn, some of my papers in school were not this long. I really enjoyed writing this one; as always, I learned a lot. And I hope you did, too. My intention here, I will say it again, was not to educate you on how to hack, but to promote safe networking habits.
Until the next one...

________________________________________________________________________________
I've been working on this article for over 4 days now. I have compiled a number of resources that you may want to reference (as I did).
Books:
Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle
Microsoft Windows 2000 Server Deployment Planning Guide
Computer Security Handbook, Fourth Edition
Network Perimeter Security: Building Defense In-Depth
Network+ Certification Training Kit
Internet Security and Firewalls
