05 December 2009 ~ 3 Comments

Hacking Information Systems: The Seven Steps

Hacking an information system, which can be a computer network, a server or a collection of web sites, can be, and is, a very complex procedure, and the procedure differs for every information system. But in its essence it follows the basic seven steps of hacking into some kind of information system. From basic scouting to full takeover, these seven steps are executed consciously or unconsciously by the attacker.

     _                          
 ___| |_ ___ ___    ___ ___ ___ 
|_ -|  _| -_| . |  | . |   | -_|
|___|_| |___|  _|  |___|_|_|___|
            |_|

Reconnaissance

The first step in hacking an information system is to gather as much information as one can: from the domain name and IP address to open ports, the operating system running on that system, and the applications and software versions used to run it. For example, some websites contain lists of users. Most companies use standardized usernames, so John Doe’s username will most likely be “john.doe” or “jdoe”, and half of the work is done! The attacker doesn’t have to guess usernames but can focus his time and resources on guessing passwords. Some might go as far as collecting phone numbers and email addresses of people working in the targeted system and contacting them directly via phone or email, presenting themselves as support staff, sales agents and so on, to acquire usernames and passwords.

     _              _             
 ___| |_ ___ ___   | |_ _ _ _ ___ 
|_ -|  _| -_| . |  |  _| | | | . |
|___|_| |___|  _|  |_| |_____|___|
            |_|  

Probe

Information gathered in the first step, reconnaissance, is used in this step to detect weaknesses of the targeted system in order to deploy hacking tools. In this step the attacker will most likely use automated or semi-automated tools to conduct security surveys and to generate reports of security-related vulnerabilities. For example, the attacker can detect that a website is running on an unpatched web, FTP or email server with ports 80, 21, 25 or 110 open. Detecting (fingerprinting) those ports will most likely reveal which version of the server is running, so that a specific exploit can be prepared for that version of the server.

The tools used for this step are numerous and the list is never final: from desktop applications like NMAP and web services like Whois to a piece of paper on which one can draw the logical structure of the targeted website (sitemap) and note what information can be found on specific pages of that website and used later.

     _              _   _               
 ___| |_ ___ ___   | |_| |_ ___ ___ ___ 
|_ -|  _| -_| . |  |  _|   |  _| -_| -_|
|___|_| |___|  _|  |_| |_|_|_| |___|___|
            |_|

Toehold

Exploiting the security weaknesses detected while probing, and so gaining entry to the system, is called toehold. Once the attacker has found which versions of applications or services are running on the targeted system and which vulnerabilities are still active for those specific versions, the attacker will exploit one or more of those vulnerabilities to gain access to the system. Most of the vulnerabilities found in web service applications, like an FTP server, can be exploited to create a terminal connection to the server. Once the connection has been made, the attacker can search for more information. If the current user identification is for a privileged user, the intruder will jump to the stealth step; otherwise he will go into the advancement phase.

     _              ___             
 ___| |_ ___ ___   |  _|___ _ _ ___ 
|_ -|  _| -_| . |  |  _| . | | |  _|
|___|_| |___|  _|  |_| |___|___|_|  
            |_|

Advancement

Advancement is the step in which the attacker tries to advance from an unprivileged (non-administrator) user to the highest-level user, like root, sa, administrator and so on. This step is possible using tools to detect and exploit weak system configuration, vulnerabilities in the operating system, weak passwords and so on. Once a vulnerability has been found, the attacker can advance to a high-privileged user level and can fully control the attacked system.

     _              ___ _         
 ___| |_ ___ ___   |  _|_|_ _ ___ 
|_ -|  _| -_| . |  |  _| | | | -_|
|___|_| |___|  _|  |_| |_|\_/|___|
            |_|

Stealth

Hacking into an information system leaves traces, and for the attacker it is absolutely necessary to hide those traces. All the previous steps leave some kind of traces in various log files, like system logs (events in the Windows operating system), database logs in Microsoft SQL Server, IIS logs and so on. Deleting those logs is one way to go, but missing logs can immediately draw attention. Time holes in logs can also draw attention, because from the past logs a pattern can be made of how the system functions. A more experienced attacker will modify those logs to cover his tracks, not simply by deleting his steps but by modifying them so they look like legitimate usage of the attacked system.
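The defender's side of the "time holes" remark, as an added example that is not part of the original article: learn from trusted past logs how long the system normally stays silent in each hour of the day, then flag gaps in a later log that exceed that pattern. The log line format, the host and service names, the `factor` threshold and every function name are assumptions made for the illustration, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(line):
    """Timestamp from a line that starts with 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.fromisoformat(line[:19])

def learn_baseline(lines):
    """Longest normal silence (seconds) per hour of day, from trusted past logs."""
    worst = defaultdict(float)
    stamps = sorted(parse_ts(l) for l in lines)
    for prev, cur in zip(stamps, stamps[1:]):
        gap = (cur - prev).total_seconds()
        worst[prev.hour] = max(worst[prev.hour], gap)
    return dict(worst)

def find_time_holes(lines, baseline, factor=2.0):
    """Return (start, end, seconds) for every suspicious gap, in file order."""
    fallback = max(baseline.values())  # for hours never seen in the baseline
    stamps = [parse_ts(l) for l in lines]  # not sorted: order is evidence too
    holes = []
    for prev, cur in zip(stamps, stamps[1:]):
        gap = (cur - prev).total_seconds()
        # Negative gap: entries re-ordered or edited, or the clock was set back.
        if gap < 0 or gap > factor * baseline.get(prev.hour, fallback):
            holes.append((prev, cur, gap))
    return holes

def synth_day(day, drop=()):
    """Constructed sample log: an event every 5 min 08:00-18:00, hourly otherwise."""
    out, t = [], day
    while t < day + timedelta(days=1):
        if not any(a <= t < b for a, b in drop):
            out.append(f"{t:%Y-%m-%d %H:%M:%S} host01 svc: request handled")
        t += timedelta(minutes=5 if 8 <= t.hour < 18 else 60)
    return out

def demo():
    """Learn from 7 constructed days, then audit a day with two deleted spans."""
    first = datetime(2009, 11, 23)
    past = [l for d in range(7) for l in synth_day(first + timedelta(days=d))]
    day = datetime(2009, 11, 30)
    cut = [(day.replace(hour=2), day.replace(hour=5)),
           (day.replace(hour=10), day.replace(hour=10, minute=40))]
    return find_time_holes(synth_day(day, cut), learn_baseline(past))

if __name__ == "__main__":
    for start, end, secs in demo():
        print(f"hole: {start} -> {end} ({secs / 60:.0f} min)")
```

The per-hour baseline is what keeps the normal one-hour night-time silence from being reported while a 45-minute daytime silence is. The baseline has to come from logs stored where an intruder on the host cannot rewrite them.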

     _                  _     
 ___| |_ ___ ___    ___|_|_ _ 
|_ -|  _| -_| . |  |_ -| |_'_|
|___|_| |___|  _|  |___|_|_,_|
            |_|

Listening post

Once the attacker has gained fully privileged access to the system and has hidden his tracks, he will deploy some kind of backdoor software that will create a listening post. In this step the attacker will deploy a backdoor tool, a stealth tool or a sniffer that will enable him to gather important information (sniffer), to fully control the system (backdoor remote administration utilities) and to hide his activities (stealth tools). The gathered information is then used in the next step.

     _                                  
 ___| |_ ___ ___    ___ ___ _ _ ___ ___ 
|_ -|  _| -_| . |  |_ -| -_| | | -_|   |
|___|_| |___|  _|  |___|___|\_/|___|_|_|
            |_|

Takeover

Spreading control from one host to multiple hosts in the attacked information system is called takeover. From the listening post step, the attacker might have collected some important information, either by sniffing the network data or by examining specific configuration files like SAM files on Windows hosts and so on. With this kind of information the attacker can repeat the previous steps to gain access to other hosts and expand his control to the entire information system.

3 Responses to “Hacking Information Systems: The Seven Steps”

  1. Christopher Burd 10 March 2010 at 03:22

    This is well over my head. All I can say is “Interesting”.

  2. Vladimir Remenar 10 March 2010 at 11:55

    Thanks for the comment. I hope you enjoyed the article :)

  3. Black Dolphin 29 December 2012 at 21:08

    Thank you for the support and work you have done; do you have more specific information relating to what software is required for these steps; or I do believe there is multiple software that is required. What software do you recommend Linux, Python etc as a starting point….etc..thanks

