Sunday, April 03, 2022

Hacking 101

Originally published April 19, 2016

It continues to be relevant given the FBI 2021 Internet Crime Complaint Center (IC3) Internet Crime Report and the state-sponsored cyberactivity of these past few days, including:

Learn to Hack Pentagon Computers Legally and Get Paid $150K

Posted By CotoBlogzz

Rancho Santa Margarita, CA – As evidenced by the recent spat between the FBI and Apple Computer, and contrary to what Apple may claim, computer protection is not simply the best proprietary algorithm but a series of carefully planned steps, not unlike the Lockheed Martin Cyber Kill Chain®.

Not too surprising, then, that the Pentagon announced a Hack-a-DOD program that runs through May 12, 2016, where contestants (would-be hackers) will try to find vulnerabilities in the Department of Defense’s public websites for an ultimate prize of $150,000, without going to jail!

Arguably, a major challenge in the initial stages of learning how to hack is to legally use a network to try the various methods. So now you can learn how to hack legally and get paid for it. The catch? You have to agree to a background check before participating in the program.

In any case, you can still learn to hack as long as you have a MOM: motive, opportunity and means.

We will briefly review what it takes to launch an attack, including different types of attacks and the tools and techniques used in such an attack, with the following warning:

NOTE: Go directly to jail. Do not pass GO. Do not collect $200.

Various hacking activities may be punishable by law: make sure you do not do anything that will land you in jail. Good intentions do not suffice; breaking in, or even probing, may still be a transgression even if it is done only to detect weaknesses and tell the system administrator about them.

Background

On March 24, 2016, the US Department of Justice charged seven Iranian individuals, employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, with computer hacking charges related to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS) attacks:

The attacks disabled victim bank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers:  http://cotobuzz.blogspot.com/2016/03/seven-working-for-iranian-government.html

On March 23, 2016, Stephen Su, a Chinese national, pleaded guilty to participating in a years-long conspiracy to hack into the computer networks of major U.S. defense contractors, steal sensitive military and export-controlled data and send the stolen data to China: http://cotobuzz.blogspot.com/2016/03/stephen-su-chinese-guilty-in-cyber-hack.html

On March 24, 2016, at Sprouts Farmers Market, a phishing attack exposed employee payroll data: http://www.computerweekly.com/news/450279834/Phishing-attack-at-US-retailer-underlines-need-for-proactive-security

Hollywood Presbyterian Medical Center’s computer network was attacked Feb. 5, 2016, when malware locked access to certain computer systems and prevented communicating electronically: http://money.cnn.com/2016/02/17/technology/hospital-bitcoin-ransom/

Police Department Pays Cybercriminals Following Ransomware Infection - The Tewksbury, Massachusetts Police Department recently paid a $500 ransom to decrypt its files following an infection with KEYHolder ransomware, according to the Boston Globe:  http://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html

The Attack Process

Individuals with MOM, including those above and those who may want to harm the Pentagon, may use a combination of tools to implement an attack following a process such as the one below:
  1. Perform reconnaissance (profiling) on the target / scan the target organization’s network.
  2. Research vulnerabilities.
  3. Perform the attack:
    1. Snoop / decrypt
    2. Spoof
    3. Break in
    4. Deny service
    5. Create a backdoor
  4. Cover tracks

Tools: There are a number of tools that can be used in the process, including ping, phishing simulators, password cracking tools and tools such as NMAP, Wireshark, Metasploit, Nessus, Aircrack, Snort and so on.

Scan/Research Vulnerabilities Activity

  • Download the NMAP tool from www.nmap.org.
  • Install the tool on your computer.
  • Start the NMAP tool and select Ping scan.
  • Select an IP address for a known system on the network and use NMAP to send pings to the device. Click Scan. NMAP will scan target systems.
  • On the NMAP tool, select Regular scan and then click Scan. NMAP will scan commonly used ports and display what open ports were found.

What open ports are shown? What is the function of these ports? Are there any security implications on account of these ports being open?
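One way to answer those three questions systematically, as an added example that is not part of the original post: parse nmap's grepable (`-oG`) output and annotate every open port with its function and a defender's note. The scan output below is constructed for illustration, and the port notes are this example's own, not an nmap feature.

```python
"""Parse nmap grepable (-oG) output and annotate each open port with its
function and a security note (example code, not part of the page)."""
import re

# Constructed sample of `nmap -oG -` output; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated as: nmap -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
"""

# Function of common ports and why a defender should care: (service, severity, note).
PORT_NOTES = {
    22: ("ssh", "medium", "remote admin; restrict source IPs, keys only"),
    23: ("telnet", "high", "cleartext remote shell; should never be exposed"),
    80: ("http", "medium", "unencrypted web; redirect to https"),
    443: ("https", "info", "encrypted web; review the TLS configuration"),
    445: ("microsoft-ds", "high", "SMB; common worm/ransomware vector, block at the perimeter"),
    3389: ("ms-wbt-server", "high", "RDP; brute-force target, put behind a VPN"),
}

HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: ([^\t]+)")

def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for ports nmap reported open."""
    scan = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.groups()
        for entry in ports_field.split(", "):
            # entry layout: port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                scan.setdefault(host, []).append((int(port), proto, service))
    return scan

def review(scan):
    """Pair every open port with its function, severity and note."""
    findings = []
    for host, ports in scan.items():
        for port, proto, service in ports:
            name, sev, note = PORT_NOTES.get(port, (service or "unknown", "review", "unrecognised; identify the listening process"))
            findings.append((host, port, proto, name, sev, note))
    return findings

def high_risk(scan):
    """(host, port) pairs that should not face the internet unprotected."""
    return [(h, p) for h, p, _, _, sev, _ in review(scan) if sev == "high"]
```

Run `review(parse_gnmap(SAMPLE_GNMAP))` to see the annotated list; `high_risk` picks out the telnet and SMB listeners on the first host.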

The Attack – Password cracking

If you determine that the best way to crack a Pentagon computer is through password cracking, select a password cracking tool and examine what it takes to crack passwords on Windows and UNIX-based systems. See for example:
  • New Password Cracking software tries 8 Million Times Per Second To Crack Password: http://hackersnewsbulletin.com/2013/09/new-password-cracking-software-tries-8-million-times-per-second-crack-password.html
  • Ten Most Popular Password cracking tools: http://resources.infosecinstitute.com/10-popular-password-cracking-tools/
  • Password cracking simulator: http://www.password-online.com/password_simulator.php

Attack - DoS  

You can launch a DoS attack using a number of tools, such as ping or Switchblade.

The utility ping sends one or more ICMP ECHO packets to a given host and times how long it takes before the echo arrives. Uses:
  • Find out whether the host is reachable (and, in particular, up); if one does something bad to a host, and ping reply stops, then the host may have crashed.
  • Study the details of the reply in order to fingerprint the remote IP stack (e.g. via ping -c 1 host: send a single packet only). In particular the TTL (time-to-live) field in ping replies is often used to distinguish between systems. (Windows 95 uses TTL=32. Most other Windows systems use 128. Various Unix-like systems use 64 or 255. For each hop the TTL value is decreased by one.)
  • Flood ping: ping -f host: send a hundred packets per second to the remote host, probably to see how it keeps up under load, or to contribute to a DDoS attack.
  • Smurf: A stronger version is the smurf attack, where one pings the broadcast address of a large network, giving as spoofed sender address the address of the victim - now a single packet sent will cause several hundred (or thousand) packets to be received by the victim. An effective denial-of-service attack. (Cf. RFC 919, RFC 2644.)

For Switchblade, refer to: https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool
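The ping behaviours listed above, seen from the receiving side, as an added example that is not part of the original post: infer a sender's initial TTL and hop count from the TTL conventions given (32, 64, 128, 255, minus one per hop), flag a source sending flood-ping rates, and flag echo requests aimed at the monitored network's broadcast address (the smurf pattern). The packet log and the `192.0.2.0/24` network are constructed for this example.

```python
"""Flag flood-ping and smurf-style ICMP echo traffic in a packet log and
infer a sender's initial TTL from the conventions above (example code,
not part of the page)."""
from collections import Counter
from ipaddress import ip_address, ip_network

INITIAL_TTLS = (32, 64, 128, 255)      # common initial TTLs, as listed above
FLOOD_PPS = 100                         # ping -f: about a hundred packets/s
OUR_NET = ip_network("192.0.2.0/24")    # assumption: the network we defend

# Constructed ICMP echo-request log: (second, src, dst, ttl). Not real traffic.
LOG = (
    [(0, "198.51.100.7", "192.0.2.10", 56)]            # one ordinary ping
    + [(1, "203.0.113.9", "192.0.2.10", 120)] * 150    # flood ping from one host
    + [(2, "198.51.100.50", "192.0.2.255", 250)] * 3   # echo to our broadcast address
)

def initial_ttl(ttl):
    """Return (probable initial TTL, hops travelled) for an observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError("TTL out of range: %d" % ttl)

def find_floods(log, pps=FLOOD_PPS):
    """Sources sending at least `pps` echo requests within one second."""
    per_second = Counter((src, sec) for sec, src, _, _ in log)
    return sorted({src for (src, _), n in per_second.items() if n >= pps})

def find_smurf_sources(log, net=OUR_NET):
    """Echo requests to our broadcast address: every host answers, so the
    replies are amplified toward the source, which is probably spoofed
    (the real victim). Returns the claimed sources, i.e. likely victims."""
    bcast = net.broadcast_address
    return sorted({src for _, src, dst, _ in log if ip_address(dst) == bcast})

def fingerprint(log):
    """Map each source to (initial TTL, hop count) from its first packet."""
    seen = {}
    for _, src, _, ttl in log:
        seen.setdefault(src, initial_ttl(ttl))
    return seen
```

A router that blocks directed broadcasts (RFC 2644) stops the amplification entirely; the detector above is for spotting attempts that reach the network anyway.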

Attack – Ransomware

For a ransomware attack, review the following:

  • CryptoLocker ransomware – see how it works, learn about prevention, cleanup and recovery

Attacks – Phishing

Develop a phishing initiative targeting the Pentagon using phishing simulators, or use the one at Infosecinstitute.com. You may be surprised to know that a top Russian hacker was identified and caught, not because of any weaknesses in his work, but because his wife, an avid Facebook user, led investigators to the hacker. Leading to the Crypto MOM below.

In a test, using the Infosecinstitute.com simulators, individuals who should have known better, fell for the scam more than once!

Attack - Surface Area Minimization

Since the Pentagon Challenge refers to the Department of Defense’s public websites, you may want to refer to OWASP's Surface Area Minimization Cheat Sheets.

Conclusion

Addressing the human-as-a-security paradox, the 2016 Human Factor Report finds that the number one reason why attacks are successful is that attackers infected computers by tricking people into doing it themselves. At the number three spot, it found that attackers timed email and social media campaigns to align with the times when people are most engaged. At number nine, the report lists low-volume campaigns of highly targeted phishing emails focused on one or two people within an organization to transfer funds directly to attackers.

Happy exploits and keep us posted on what works or does not work.
