For every step of the hacking process one or more tools could be required for the attacker to complete his objective. Although there are thousand of hacking tools variations all of them can be categorized to 14 basic categories.
Although, when talking about “tools” or “toolkit” many will think about software solutions. But in a broader sense, hackers toolkit is much more than just software and it can be anything from piece of paper and a pen to human activities for collection of sensitive information and the penetration into the target system.
A scanner is a tool which is used to obtain information about a host or a network. These tools are developed and used to probe hosts and report security related information to security administrators or to hackers. Scanners can be categorized into two main categories: network auditing tools and host-based auditing tools.
Network auditing tools are used to scan remote hosts and to detect which ports are opened on one ore more hosts, what services are running on those hosts and even versions of software application running those services. One of the most popular tools is NMAP, a free open source network exploration and security auditing application.
Host-based scanners are tools that are discovering security related information for computer on which they are running. For example, the COPS package can identify file permission problems, weak passwords and weak or improperly configured services.
Sniffers and Snoopers
Sniffers are application that are monitoring and logging all network communication. An attacker with access to local network (wired or wireless) can easily record all of the network communication which can contain anything from network information to username/password pairs. With most companies still using unsecured unencrypted POP3, SMTP, FTP, and so on, which are sending usernames and passwords in clear text an attacker can with very little effort obtain sensitive information. Most used sniffer by security administrators is Wireshark.
Snoopers, also known as spyware, is a malicious software running on clients computer with intention to collect sensitive data form clients computer. These application can monitor active process, sniff for information in installed applications (for example, stealing FTP information from FileZilla) to logging of keystrokes and send all of this to attacker.
Hiding the real identity for the attacker is a must, so every attacker will try to hide his real IP or physical address to avoid detection. The attacker will most likey use an nonexistent or another hosts address. The spoofed address can be physical (MAC) address or an IP address, depending on the network configuration. Another usage of spoofing tools is to gain access to attacked network through firewall that is configured to filter out unknown addresses and to allow addresses belonging to local domain. One of the most used application for MAC spoofing is A-MAC.
Malicious application hiding in what appears to be a legitimate application is called Trojan Horse. When the application which is infected with trojan horse is activated, the trojan horse is activated as well. When activated, the trojan horse will silently perform malicious actions and will try to spread himself to another applications and/or another hosts.
Application which can reveal hidden and encrypted passwords is called password cracker and is used by system administrators as well as hackers. There are three main categories of password crackers: smart guessing, dictionary based and brute-force. Smart guessing password cracker are using some of the known information of the user like email, username, birthday and so on. Dictionary based password crackers are using large collections of words and phrases called dictionaries. From dictionaries words and phrases are used and can be combined for password guessing. Brute-force password crackers are trying to guess the password in a way that they are trying all the combinations of letters, numbers and special characters. First two are very fast but they do not work on complex passwords. Brute-force password cracker can discover complex password but the process can be very slow. The most famous password cracker is L0pthCrack or the free alternative John The Ripper.
Denial of Service
DoS (Denial of Service) tools are used by the attacker in order to prevent legitimate users from using their subscribed services. The main idea behind DoS attacks is to consume as much resources as they can to the point when all available resources are used. Resource can be network connections, CPU time, memory and so on. DoS attacks can be aimed towards complete network, single host, single service (like FTP) or towards specific user. For example, they can consume scarce or non-renewable resources with a large number of ICMP echo packets, break network connectivity with SYN flooding, alter network configuration by changing the routing information, or even physically destroy network components.
Stealth and Backdoor
Backdoor tools are malicious programs that are running on the infected system hidden or disguised as a legitimate service. The attacker is using backdoor tools for constant and unauthorized un-logged access and use of the attacked system. These tools can hide suspicious processes and files from the users and system administrators, and report false system status to the users and system administrators. Some of these tools can enable the attacker full control over the system so they are sometimes also called Remote Administration Toolkit (RAT). Some of the most used tool are BackOriffice, Poison Ivy and NetCat.
Applets and Scripts
A logic bomb is a piece of code that is executed when specific conditions are met. Those conditions can be a specific date, number of executions, creation or deletion of a specific file and so on. When the logic bomb is triggered it will usually do something malicious like further infection, deletion of files, encryption of files and so on. Logic bombs may be the most insidious attack since they may do a lot of damage before being detected.
Every application which is running on the system has a memory block reserved for it’s execution. Buffer overflow attacks are misusing this feature in a way that this attacks insert an oversized block of data into a program’s input buffer and stack to enable an intruder to execute a piece of malicious code or destroy the memory structure. When an application receives a block of input data it puts it into the input buffer. Without proper validation of input data and it’s size the attacker can write some data past the end of the buffer to overwrite some unknown space in memory buffer. With this kind of attack, the attacker can write a malicious code that could be executed in the oversized data block or can crash an application with possible side effect of application leaving an open connection. For example an crashing an FTP server could leave an open connection for attacker to use.
Bugs in Applications
A final version of the application doesn’t exist, not even the famous “Hello World” application. Unfinished application is, most likely, containing bugs. If the intruder finds a bug in an application before it’s fixed, the bug could be exploited to hack the information system. For example, bug in the check of input data could be used for buffer overflow attacks. Second problem arises from the fact that developer use debugging code that can help on debugging an application when in development. Sometimes the developers forget to remove this code the attacker can either get a lot more information than usual but can also use this feature for his attack as debugging codes generally give the developers a lot of authorities. Bugs, and exploits, that are unknown to general public are called 0-day (zero-day) exploits.
Holes in Trust Management
Trust management is a crucial part of a large-scale security system. Due to possible complexity of trust management, mistakes in defining, configuring and managing trust management could leave an attacker a potential hole for gaining an access to the attacked system. Most holes in trust management are found on a logical level. For example if you have an application, a database and a employee, the application does trust an employee but the database does not. If the database trusts an application the employee could possibly access the database.
Social engineering is a method of collection sensitive data from people that are part of the information system. The attacker can present himself as an technical assistance, as a salesman, as a friend of a friend or whatever role the user will not suspect to gather data. For example the attacker can present himself as an technical assistance and ask the user for his computer or application user name and password.
What most information system user consider to be trash, the attacker sees as a potential fountain if sensitive information. Deleted email, files, partitions and even entire hard drives are still recoverable until something else is overwritten on top of old information. The attacker could use that fact to recover information that is supposed to be secret or limited to specific users. Some attacker will go that far to dig through real trash to find sensitive information as most of the companies don’t have a policy that defines disposal of paper and such material.
One thought on “Hacking Information Systems: Tools of the trade”
This is actually a great website write-up, I have learned a good deal.