Illegal Internet
This in-depth article takes a look at hacking on the Internet. Covering hacker motivation, computer viruses, security, personal firewalls and how to track a hacker!
John Collins
4. Hacking Techniques
4.1 Overview of Hacking Techniques
The depth and variety of techniques employed by hackers to illegally enter a computer system are vast. For this
reason I intend to provide a brief overview of some of the more common techniques involved, without going into too much detail on
any particular technique.
Hacking a system is a two-step process: gathering information and launching an attack.
4.2 Gathering Information
A dedicated hacker may spend several months gathering information on the intended target before launching an
attack armed with this new information. Some of the more 'hands-on' techniques involved were discussed in depth in the previous
section entitled "Infiltration and Trashing", but there are also more remote methods available to the hacker.
Port Scanning: A port scanner is a program that automatically detects security weaknesses in a remote system. Most scanners are
TCP port scanners: they probe TCP/IP ports and services (Telnet or FTP, for example) and record the response from the target. In
this way they learn valuable information about the targeted system, such as whether the remote system will allow an anonymous
user to log in, or whether the system is protected by a firewall.
Many hackers simply feed large numbers of IP addresses into a port scanning program and launch random attacks on many users
simultaneously, hoping to strike it lucky with the one system that shows a serious weakness.
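Because a scan of this kind touches many ports on one host in a short time, it leaves a recognisable pattern in firewall logs. The following detector is an added example written for this article (it is not the author's code): it parses a constructed firewall log in an assumed "SRC=… DST=… DPT=…" format and flags any source that hits at least five distinct ports on one host within ten seconds. The log lines, the format and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article). Assumed format:
# "<HH:MM:SS> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> <ACCEPT|DROP>"
SAMPLE_LOG = """\
10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21 DROP
10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22 DROP
10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23 DROP
10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25 DROP
10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 ACCEPT
10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110 DROP
10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143 DROP
10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 ACCEPT
10:00:05 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 ACCEPT
10:00:06 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 ACCEPT
10:00:07 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+) (?P<action>\S+)$"
)


def _seconds(hhmmss):
    """Convert an HH:MM:SS timestamp to seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": _seconds(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dpt": int(m["dpt"]),
            "action": m["action"],
        })
    return events


def detect_port_scans(events, port_threshold=5, window_seconds=10):
    """Flag (src, dst) pairs where the source touched at least
    port_threshold distinct destination ports within window_seconds.
    Returns {(src, dst): sorted list of ports seen in the flagged window}."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dpt"]))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct ports among this hit and every later hit inside the window
            ports = {p for t, p in hits[i:] if t - t0 <= window_seconds}
            if len(ports) >= port_threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

Dropped and accepted connections are both counted, since a scanner learns as much from a refused port as from an open one; the thresholds are the knobs to tune against false positives from legitimate multi-service clients.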
Packet Sniffing: A sniffer is a piece of software that grabs information 'packets' as they travel along a network. That network
could be running any of a number of protocols, such as Ethernet, TCP/IP or IPX. The sniffer places the network interface
into 'promiscuous' mode and, by doing so, captures all network traffic rather than only the traffic addressed to its own machine.
Looking into the packets can reveal valuable information such as usernames, passwords, addresses or the contents of e-mails.
4.3 Launching Attacks
There are many attacks employed by hackers. Here is an overview of just some of the more common ones:
Denial of Service (DoS): A denial of service attack is basically an act of sabotage against a service running on a port on
a targeted system. The aim is to disable the service, for example a web server, in order to prevent people from being able to
access that service remotely.
A typical denial of service attack would involve sending hundreds or even thousands of connection requests to a single machine at any
one time, causing the machine to crash under the strain. A more advanced approach is to send corrupt connection requests that
exploit a flaw in the service software, which fails to recognise the malformed data when it attempts to process it, resulting in a
system crash.
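The flooding variant described above is usually met at the front door with a per-source connection limit. The sliding-window limiter below is an added example for this article, not the author's code: it keeps the timestamps of recently accepted connections for each source address and refuses a new one once the window is full. The traffic it is run against is constructed for the example, and the limit of 20 connections per 10 seconds is an assumption.

```python
from collections import defaultdict, deque


class ConnectionRateLimiter:
    """Sliding-window limit on new connections per source address.
    Hypothetical front-door check written for this example."""

    def __init__(self, max_connections=20, window_seconds=10.0):
        self.max_connections = max_connections
        self.window_seconds = window_seconds
        # src -> timestamps of connections accepted inside the current window
        self._history = defaultdict(deque)

    def allow(self, src, now):
        """Return True if a connection from src at time now may be accepted."""
        q = self._history[src]
        # forget accepted connections that have aged out of the window
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_connections:
            return False
        q.append(now)
        return True


def simulate(limiter, attempts):
    """Replay (timestamp, src) attempts in time order and count the outcome
    per source: {src: {"accepted": n, "rejected": m}}."""
    counts = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for now, src in sorted(attempts, key=lambda a: a[0]):
        key = "accepted" if limiter.allow(src, now) else "rejected"
        counts[src][key] += 1
    return dict(counts)


def constructed_attempts():
    """Constructed traffic (not captured data): one source opens 50
    connections in under two seconds and comes back once at t=15s, while a
    second source opens three connections at a normal pace."""
    flood = [(i * 0.04, "203.0.113.5") for i in range(50)]
    later = [(15.0, "203.0.113.5")]
    normal = [(0.5, "198.51.100.7"), (3.0, "198.51.100.7"), (7.0, "198.51.100.7")]
    return flood + later + normal


if __name__ == "__main__":
    limiter = ConnectionRateLimiter(max_connections=20, window_seconds=10.0)
    for src, outcome in simulate(limiter, constructed_attempts()).items():
        print(f"{src}: {outcome}")
```

Only accepted connections are recorded in the window, so a source that keeps hammering a full window is refused without growing the server's memory; the flooding source gets its first 20 attempts through, the remaining 30 of the burst refused, and is admitted again once the window has emptied, while the normally behaved source is never touched.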
Trust Relationship Exploitation (Spoofing): A 'spoofing' attack involves the hacker forging their source address so that their
machine impersonates another. The impersonated machines may be operating within a 'trusted zone', where each computer
challenges any other that tries to connect to it to identify itself; if the connecting computer cannot authenticate itself to the
computer it is trying to reach, the connection is refused. The hacker exploits this relationship by impersonating a particular
computer in order to gain access, and because the authentication dialogue between computers is automatic, the hacker never needs
to supply a username or password.
Password Cracking: A password cracker is a program that attempts to decrypt or otherwise defeat password
protection. Often simulation tools are used to reproduce the same algorithm as the original password program; through a
comparative analysis, these tools try to match encrypted versions of candidate passwords against the original. Many password crackers are
simply brute-force engines that try word after word from a dictionary, often at very high speed.
Packet Fragmentation Attacks: Packet fragmentation attacks bypass many current firewalls because of
the way datagrams are reassembled. Datagrams are supposed to be fragmented into packets that leave the header portion of the packet intact,
except for the setting of the fragmented-packet bit and the filling in of an offset in the IP header. The offset indicates at which
byte in the whole datagram the current packet is supposed to start. Once the whole datagram is reassembled, it is processed as if
it had arrived as a single packet.
According to the IP specification, fragmented packets are to be reassembled at the receiving host. This means that an attacker can
send a TCP packet to port 80 through the firewall. The host behind the firewall starts to reassemble the datagram. The attacker
then sends a second packet that overwrites the first and obtains, for example, telnet access, which the firewall was supposed to
forbid.
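The weakness in the paragraph above is that the firewall and the host may resolve overlapping fragments differently, so the firewall passes one datagram and the host processes another. The reassembler below is an added example written for this article, not the author's code. It models fragments as (offset in 8-byte units, more-fragments bit, payload) and supports three overlap policies: "first" and "last" reproduce the two ways a stack might resolve a conflict, while the default "reject" refuses any overlap, which is the behaviour a filtering device should adopt. The three fragments are constructed for the example; the 8-byte payloads stand in for a real datagram's bytes.

```python
class FragmentError(ValueError):
    """Raised when a set of fragments cannot be safely reassembled."""


def reassemble(fragments, policy="reject"):
    """Reassemble IP-style fragments into one datagram payload.

    fragments: iterable of (offset_units, more_fragments, payload) in arrival
    order; offset_units is the IP fragment offset in 8-byte units and
    more_fragments is the MF bit. policy decides what happens when two
    fragments cover the same bytes:
      "reject" - raise FragmentError (the safe choice for a firewall)
      "first"  - the earliest-arriving fragment wins
      "last"   - the latest-arriving fragment wins
    """
    if policy not in ("reject", "first", "last"):
        raise ValueError("unknown policy")
    pieces = []        # (start, end, payload) in arrival order
    total_len = None   # known once the fragment with MF=0 arrives
    for off_units, more, payload in fragments:
        start = off_units * 8
        end = start + len(payload)
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if policy == "reject":
            for s, e, _ in pieces:
                if start < e and s < end:
                    raise FragmentError(f"fragment {start}-{end} overlaps {s}-{e}")
        if not more:
            if total_len is not None:
                raise FragmentError("more than one final fragment")
            total_len = end
        pieces.append((start, end, payload))
    if total_len is None:
        raise FragmentError("final fragment missing")
    buf = bytearray(total_len)
    filled = [False] * total_len
    # writing in arrival order makes the last writer win; reverse it for "first"
    order = reversed(pieces) if policy == "first" else pieces
    for s, e, p in order:
        if e > total_len:
            raise FragmentError("fragment extends past the end of the datagram")
        buf[s:e] = p
        filled[s:e] = [True] * (e - s)
    if not all(filled):
        raise FragmentError("gap in reassembled datagram")
    return bytes(buf)


def is_ambiguous(fragments):
    """True when 'first wins' and 'last wins' reassembly disagree, i.e. when a
    firewall and a host using different policies could see different data."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


def rejects(fragments):
    """True if the strict (default) policy refuses this fragment set."""
    try:
        reassemble(fragments)
        return False
    except FragmentError:
        return True


# Constructed fragments (not from the article); offsets are in 8-byte units.
FRAG_A = (0, True, b"PORT=080")   # bytes 0-7
FRAG_B = (1, False, b" GET /\n")  # bytes 8-14, the final fragment
FRAG_C = (0, True, b"PORT=023")   # bytes 0-7 again, conflicting with FRAG_A

if __name__ == "__main__":
    print(reassemble([FRAG_A, FRAG_B]))
    print("ambiguous:", is_ambiguous([FRAG_A, FRAG_B, FRAG_C]))
    print("strict policy rejects:", rejects([FRAG_A, FRAG_B, FRAG_C]))
```

With the conflicting fragment present, "first" yields one datagram and "last" another, which is exactly the disagreement the attack relies on; the strict policy refuses the set outright, and a device that instead reassembles fully before filtering (and discards anything ambiguous) removes the disagreement.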
Packet Sequence Attacks: In packet sequence attacks, the hacker tries to guess the random sequence number of TCP packets so
that they can insert their own packets into a connection stream. In this way the hacker can supply new, corrupt content between
two hosts while remaining largely anonymous.
Operating System Exploits: All operating systems (Windows NT, Unix, Redhat Linux etc.) have their own specific vulnerabilities
and bugs that need to be resolved by 'patching' the OS in order to keep it up to date. Unfortunately, many system administrators
neglect to do so frequently enough, leaving their systems open to attack. Hackers, however, are very thorough in keeping abreast
of all the possible vulnerabilities in all operating systems.
DNS (Domain Name Servers) Exploits: In DNS exploit attacks, the DNS cache is corrupted by the hacker. The mapping of DNS
domain names and IP addresses can be changed so that traffic is redirected to bogus locations, for example to a pornography site
in order to cause embarrassment to the targeted site.
FTP (File Transfer Protocol) Bounce Attacks: The main problem with FTP bounce attacks is that the hacker can use the PORT
command in active FTP mode in order to establish connections with machines other than the original FTP server, effectively allowing the
hacker's connection to 'bounce' off the FTP server to another client's machine.
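The server-side fix for the bounce is to refuse a PORT command whose data address is not the client that issued it. The checker below is an added example for this article, not the author's or any FTP server's code: it parses the RFC 959 "h1,h2,h3,h4,p1,p2" argument and applies the policy (an assumption chosen for the example, though it matches the default of common servers) that the data address must equal the control connection's peer address and the data port must be unprivileged. The reply strings and sample arguments are constructed.

```python
import ipaddress


class PortCommandError(ValueError):
    """Raised when a PORT argument is malformed or violates policy."""


def parse_port_command(arg):
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise PortCommandError("expected six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise PortCommandError("non-numeric field") from None
    if any(not 0 <= n <= 255 for n in nums):
        raise PortCommandError("field out of range 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def validate_port_command(arg, control_peer_ip):
    """Return (ip, port) if the requested data connection is acceptable.

    Policy (assumed for this example): the data address must be the client's
    own control-connection address, so the server cannot be pointed at a
    third machine, and the port must be unprivileged (>= 1024), so the server
    cannot be made to talk to another host's well-known services."""
    ip, port = parse_port_command(arg)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        raise PortCommandError(
            f"data address {ip} differs from control peer {control_peer_ip}")
    if port < 1024:
        raise PortCommandError(f"privileged data port {port} refused")
    return ip, port


def handle_port(arg, control_peer_ip):
    """Produce the reply line a server would send for one PORT command
    (constructed wording; real servers phrase their replies differently)."""
    try:
        ip, port = validate_port_command(arg, control_peer_ip)
    except PortCommandError as exc:
        return f"500 Illegal PORT command ({exc})."
    return f"200 PORT command successful ({ip}:{port})."


if __name__ == "__main__":
    peer = "192.0.2.25"  # constructed client address
    for arg in ("192,0,2,25,4,1", "192,0,2,99,4,1", "192,0,2,25,0,23", "192,0,2,25,4"):
        print(f"PORT {arg} -> {handle_port(arg, peer)}")
```

The second sample points the data connection at a different host and the third at port 23 on the client itself; both are the shapes of request the paragraph above describes, and both are refused before the server opens any connection.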
FTP Core Dumping: FTP core dumping enables the hacker to bring down the FTP service. The resulting core dump may be stored in an
FTP-readable area, from which it can be retrieved in a following FTP session. The first few lines contain the password file, which
can be cracked offline. Once the hacker has a password, they can impersonate a legitimate user and remove, update or delete files
at will.