ETHICAL HACKING
VULNERABILITIES, COUNTERMEASURES & ENUMERATION.
HACKERS:
Hackers
are the persons who compromise the computer system, networks, and breach the
security policies, firewalls to obtain unauthorized access to the victim’s
computer, information and data. There are three types of hackers.
i)
Black Hat Hackers.
ii)
Grey Hat Hackers.
iii)
White Hat Hackers.
BLACK HAT HACKERS:
Black hats are the bad guys: the
malicious hackers or crackers who use their skills for illegal or
malicious purposes. They break into or otherwise violate the system integrity
of remote systems, with malicious intent. Having gained unauthorized access,
black-hat hackers destroy vital data, deny legitimate users service, and just
cause problems for their targets.
Black-hat hackers and crackers can easily be differentiated
from white-hat hackers because their actions are malicious. This is the
traditional definition of a hacker and what most people consider a hacker to
be.
GREY HAT HACKERS:
Gray hats are hackers
who may work offensively or defensively, depending on the situation. This is
the dividing line between hacker and cracker. Gray-hat hackers may just be
interested in hacking tools and technologies and are not malicious black hats.
Gray hats are self-proclaimed ethical hackers, who are interested in hacker
tools mostly from a curiosity standpoint.
They may want to
highlight security problems in a system or educate victims so they secure their
systems properly. These hackers are doing their “victims” a favor. For- Instance
if a weakness is discovered in a service offered by an investment bank, the
hacker is doing the bank a favor by giving the bank a chance to rectify the
vulnerability.
WHITE HAT HACKERS:
White hats are the good guys, the ethical hackers who
use their hacking skills for defensive purposes. White-hat hackers are usually
security professionals with knowledge of hacking and the hacker toolset and who
use this knowledge to locate weaknesses and implement countermeasures.
White-hat hackers are prime candidates for the exam. White hats are those who
hack with permission from the data owner. It is critical to get permission
prior to beginning any hacking activity. This is what makes a security
professional a white hat versus a malicious hacker who cannot be trusted.
PHASES OF ETHICAL HACKING:
The process of
ethical hacking can be broken down into five distinct phases. Later in this book,
hacking software programs and tools will be categorized into each of these
steps.
An ethical hacker
follows processes similar to those of a malicious hacker. The steps to gain and
maintain entry into a computer system are similar no matter what the hacker’s intentions
are. Figure 1.1 illustrates the five phases that hackers generally follow in
hacking a computer system.
· Passive and Active Reconnaissance
Passive reconnaissance involves
gathering information about a potential target without the targeted
individual’s or company’s knowledge. Passive reconnaissance can be as simple as
watching a building to identify what time employees enter the building and when
they leave. However, most reconnaissance is done sitting in front of a
computer.
When hackers are looking for information on a potential
target, they commonly run an Internet search on an individual or company to
gain information. I’m sure many of you have performed the same search on your
own name or a potential employer, or just to gather information on a topic. This
process when used to gather information regarding a TOE is generally called information gathering. Social
engineering and dumpster diving are also considered passive
information-gathering methods. These two methods will be discussed in more
detail later in this chapter.
Sniffing the network is
another means of passive reconnaissance and can yield useful information such
as IP address ranges, naming conventions, hidden servers or networks, and other
available services on the system or network. Sniffing network traffic is
similar to building monitoring: a hacker watches the flow of data to see what
time certain transactions take place and where the traffic is going. Sniffing
network traffic is a common hook for many ethical hackers. Once they use some
of the hacking tools and are able to see all the data that is transmitted in
the clear over the communication networks, they are eager to learn and see
more.
Sniffing tools are simple and easy to use and yield a
great deal of valuable information. An entire chapter in this book (Chapter 6,
“Gathering Data from Networks: Sniffers”) is dedicated to these tools, which
literally let you see all the data that is transmitted on the network. Many
times this includes usernames and passwords and other sensitive data. This is
usually quite an eye-opening experience for many network administrators and
security professionals and leads to serious security concerns. Active reconnaissance involves
probing the network to discover individual hosts, IP addresses, and services on
the network but the process also increases the chance of being caught or at
least raising suspicion. Many software tools that perform active reconnaissance
can be traced back to the computer that is running the tools, thus increasing
the chance of detection for the hacker.
Both passive and active reconnaissance can lead to the
discovery of useful information to use in an attack. For example, it’s usually
easy to find the type of web server and the operating system (OS) version
number that a company is using. This information may enable a hacker to find
vulnerability in that OS version and exploit the vulnerability to gain more
access.
· Scanning
Scanning involves
taking the information discovered during reconnaissance and using it to examine
the network. Tools that a hacker may employ during the scanning phase include Dialers,
Port scanners, Internet Control Message Protocol (ICMP) scanners, Ping sweeps, Network
mappers, Simple Network Management Protocol (SNMP) sweepers, Vulnerability scanners.
Hackers
are seeking any information that can help them perpetrate an attack on a
target, such as the following:
·
Computer names
·
Operating system (OS)
·
Installed software
·
IP addresses
·
User accounts
Gaining Access
Phase 3 is when the real hacking takes place. Vulnerabilities
exposed during the reconnaissance and scanning phase are now exploited to gain
access to the target system. The hacking attack can be delivered to the target
system via a local area network (LAN), either wired or wireless; local access
to a PC; the Internet; or offline. Examples include stack based buffer
overflows, denial of service, and session hijacking once a system has been
hacked, the hacker has control and can use that system as they wish.
·
Maintaining Access
Once a hacker has gained access to a target system, they
want to keep that access for future exploitation and attacks. Sometimes,
hackers harden the system from
other hackers or security personnel by securing their exclusive access with
backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use
it as a base to launch additional attacks. In this case, the owned system is
sometimes referred to as a zombie system.
·
Covering Tracks
Once hackers have been able to gain and maintain access,
they cover their tracks to avoid detection by security personnel, to continue
to use the owned system, to remove evidence of hacking, or to avoid legal
action. Hackers try to remove all traces of the attack, such as log files or
intrusion detection system (IDS) alarms. Examples of activities during this
phase of attack include
·
Steganography
·
Using a tunneling protocol
·
Altering log files
INFORMATION GATHERING:
The first step of the hacking process
is gathering information on a target. Information gathering, also known as footprinting, is the process of
gathering all available information about an organization. In the age of the
Internet, information is available in bits and pieces from many different
sources.
Seemingly
insignificant bits of information can be enlightening when pieced
together—which is the purpose of information gathering. Footprinting can be
effective in identifying high value targets, which is what hackers will be
looking for to focus their efforts.
·
RECONNAISSANCE:
The
term reconnaissance comes from
the military and means to actively seek an enemy’s intentions by collecting and
gathering information about an enemy’s composition and capabilities via direct
observation, usually by scouts or military intelligence personnel trained in surveillance.
In the world of ethical hacking, reconnaissance applies to the process of
information gathering. Reconnaissance is a catchall term for watching the
hacking target and gathering information about how, when, and where they do
things. By identifying patterns of behavior, of people or systems, an enemy
could find and exploit a loophole.
· FOOTPRINTING:
Footprinting is
defined as the process of creating a blueprint or map of an organization’s network
and systems. Information gathering is also known as footprinting an
organization. Footprinting begins by determining the target system,
application, or physical location of the target.
Once this information is known, specific information
about the organization is gathered using nonintrusive methods. For example, the
organization’s own web page may provide a personnel directory or a list of
employee bios, which may prove useful if the hacker needs to use a
social-engineering attack to reach the objective.
The information the hacker is looking for during the
footprinting phase is anything that gives clues as to the network architecture,
server, and application types where valuable data is stored. Before an attack
or exploit can be launched, the operating system and version as well as
application types must be uncovered so the most effective attack can be
launched gainst the target. Here are some of the pieces of information to be
gathered about a target during footprinting:
i. Domain Name.
ii. Network Blocks
iii. Network Services & Applications.
iv. System Architecture.
v. Intrusion detection System.
vi. Authentication Mechanism.
vii. pecific IP Address.
viii. Access Control Mechanism.
ix.
Phone Numbers
x.
E-mail Addresses.
xi.
Contact details.
Once this information is compiled, it can give a hacker
better insight into the organization, where valuable information is stored, and
how it can be accessed.
· SOCIAL ENGINEERING:
Social engineering is
a nontechnical method of breaking into a system or network. It’s the process of
deceiving users of a system and convincing them to perform acts useful to the hacker,
such as giving out information that can be used to defeat or bypass security
mechanisms. Social engineering is important to understand because hackers can
use it to attack the human element of a system and circumvent technical
security measures. This method can be used to gather information before or
during an attack.
DNS ENUMERATION:
Enumeration occurs after
scanning and is the process of gathering and compiling usernames, machine
names, network resources, shares, and services. It also refers to actively querying
or connecting to a target system to acquire this information. Hackers need to
be methodical in their approach to hacking. The following steps are an example
of those a hacker might perform in preparation for hacking a target system:
1. Extract
usernames using enumeration.
2. Gather
information about the host using null sessions.
3. Perform
Windows enumeration using the SuperScan tool.
4. Acquire
the user accounts using the tool GetAcct.
5. Perform
SNMP port scanning.
The
object of enumeration is to identify a user account or system account for
potential use in hacking the target system. It isn’t necessary to find a system
administrator account, because most account privileges can be escalated to
allow the account more access than was previously granted.
· NULL SESSION:
A null session occurs when you log in to a system with
no username or password. NetBIOS null sessions are vulnerability found in the
Common Internet File System (CIFS) or SMB, depending on the operating system.
Once a hacker has made a NetBIOS connection using a null
session to a system, they can easily get a full dump of all usernames, groups,
shares, permissions, policies, services, and more using the Null user account.
The SMB and NetBIOS standards in Windows include APIs that return information
about a system via TCP port 139.
One method of connecting a NetBIOS null session to a
Windows system is to use the hidden Inter-Process Communication share (IPC$).
This hidden share is accessible using the net use command. As mentioned earlier,
the net use command is a built-in Windows command that connects to a share on
another computer. The empty quotation marks (“”) indicate that you want to
connect with no username and no password. To make a NetBIOS null session to a
system with the IP address 192.21.7.1 with the built-in anonymous user account
and a null password using the net use command, the syntax is as follows:
C: \> net use \\192.21.7.1 \IPC$ “” /u: “”
Once the net use command has been successfully
completed, the hacker has a channel over which to use other hacking tools and
techniques.
SNMP
ENUMERATION
SNMP enumeration is
the process of using SNMP to enumerate user accounts on a target system. SNMP
employs two major types of software components for communication: the SNMP
agent, which is located on the networking device, and the SNMP management
station, which communicates with the agent.
Almost all network infrastructure devices, such as
routers and switches and including Windows systems, contain an SNMP agent to
manage the system or device. The SNMP management station sends requests to
agents, and the agents send back replies. The requests and replies refer to
configuration variables accessible by agent software. Management stations can
also send requests to set values for certain variables. Traps let the
management station know that something significant has happened in the agent
software, such as a reboot or an interface failure. Management Information Base
(MIB) is the database of configuration variables that resides on the networking
device.
SNMP has two passwords you can use to access and
configure the SNMP agent from the management station. The first is called a read community string. This password
lets you view the configuration of the device or system. The second is called
the read/write community string;
it’s for changing or editing the configuration on the device. Generally, the
default read community string is public and the default read/write community
string is private. A common security loophole occurs when the community strings
are left at the default settings: a hacker can use these default passwords to
view or change the device configuration.
VULNERABILITY & SCANNING
After the reconnaissance and information-gathering
stages have been completed, scanning is performed. It is important that the
information- gathering stage be as complete as possible to identify the best
location and targets to scan. During scanning, the hacker continues to gather
information regarding the network and its individual host systems. Information such
as IP addresses, operating system, services, and installed applications can
help the hacker determine which type of exploit to use in hacking a system.
Scanning is the process of
locating systems that are alive and esponding on the network. Ethical hackers
use scanning to identify target systems’ IP addresses. Scanning is also used to
determine whether a system is on the network and available. Scanning tools are
used to gather information about a system such as IP addresses, the operating
system, and services running on the target computer.
Port
Scanning Port scanning is the process of identifying open and
available TCP/IP ports on a system. Port-scanning tools enable a hacker to
learn about the services available on a given system. Each service or
application on a machine is associated with a well-known port number.
Port Numbers are divided into three ranges:
Ø Well-Known
Ports: 0-1023
Ø Registered
Ports: 1024-49151
Ø Dynamic
Ports: 49152-65535
Network
Scanning Network scanning is a procedure for identifying active
hosts on a network, either to attack them or as a network security assessment.
Hosts are identified by their individual IP addresses. Network-scanning tools
attempt to identify all the live or responding hosts on the network and
their corresponding IP addresses.
Vulnerability
Scanning Vulnerability scanning is the process of proactively
identifying the vulnerabilities of computer systems on a network. Generally, a
vulnerability scanner first identifies the operating system and version number,
including service packs that may be installed. Then, the scanner identifies
weaknesses or vulnerabilities in the operating system.
During
the later attack phase, a hacker can exploit those weaknesses in order to gain
access to the system.
Scanning Methodology
This methodology is the process by which a hacker scans
the network. It ensures that no system or vulnerability is overlooked and that
the hacker gathers all necessary information to perform an attack.
Ping Sweep Techniques
The
scanning methodology starts with checking for systems that are live on the
network, meaning that they respond to probes or connection requests. The
simplest, although not necessarily the most accurate, way to determine whether
systems are live is to perform a ping sweep of the IP address range. All
systems that respond with a ping reply are considered live on the network. A
ping sweep is also known as Internet Control Message Protocol (ICMP) scanning,
as ICMP is the protocol used by the ping command.
ICMP
scanning, or a ping sweep, is the process of sending an ICMP request or ping to
all hosts on the network to determine which ones are up and responding to
pings. ICMP began as a protocol used to send test and error messages between
hosts on the Internet.
It
has evolved as a protocol utilized by every operating system, router, switch or
Internet Protocol (IP)-based device. The ability to use the ICMP Echo request
and Echo reply as a connectivity test between hosts is built into every
IP-enabled device via the ping command. It is a quick and dirty test to see if
two hosts have connectivity and is used extensively for troubleshooting.
NMAP Command Switches
Nmap is a free, open source tool that quickly and
efficiently performs ping sweeps, port scanning, service identification, IP
address detection, and operating system detection.
Nmap has the benefit of scanning a large number of
machines in a single session. It’s supported by many operating systems,
including Unix, Windows, and Linux. The state of the port as determined by an
nmap scan can be open, filtered, or unfiltered. Open means that the
target machine accepts incoming request on that port. Filtered means a firewall
or network filter is screening the port and preventing nmap from discovering
whether it’s open. Unfiltered mean the port is determined to be closed,
and no firewall or filter is interfering with the nmap requests.
Nmap
supports several types of scans. Table 3.2 details some of the common scan methods.
-sT TCP connect scan
-sS SYN scan
-sF FIN scan
-sX XMAS tree scan
-sN Null scan
-sP Ping scan
-sU UDP scan
-sO Protocol scan
-sA ACK scan
-sW Windows scan
-sR RPC scan
-sL List/DNS scan
-sI Idle scan
-Po Don’t ping
-PT TCP ping
-PS SYN ping
-PI ICMP ping
-PB TCP and ICMP ping
-PB ICMP timestamp
-PM ICMP netmask
-oN Normal output
-oX XML output
-oG Greppable output
-OA All output
DENIAL OF SERVICE
A
DoS attack is an attempt by a hacker to flood a user’s or an organization’s
system. There are two main categories of DoS attacks Attacks sent by a single
system to a single target (simple DoS) and Attacks sent by many systems to a
single target (distributed denial of service, or DDoS).
The goal of DoS
isn’t to gain unauthorized access to machines or data, but to prevent legitimate
users of a service from using it. A DoS attack may do the following:
·
Flood a network with traffic, thereby
preventing legitimate network traffic.
·
Disrupt connections between two machines,
thereby preventing access to a service.
·
Prevent a particular individual from
accessing a service.
·
Disrupt service to a specific system or
person.
Different tools use different types of traffic to flood
a victim, but the result is the same: a service on the system or the entire
system is unavailable to a user because it’s kept busy trying to respond to an
exorbitant number of requests.
A DoS attack is usually an attack of last resort. It’s
considered an unsophisticated attack because it doesn’t gain the hacker access
to any information but rather annoys the target and interrupts their service.
DoS attacks can be destructive and have a substantial impact when sent from
multiple systems at the same time (DDoS attacks).
MECHANISM OF DDOS ATTACK
DDoS is an advanced version of the DoS attack. Like DoS,
DDoS tries to deny access to services running on a system by sending packets to
the destination system in a way that the destination system can’t handle. The
key of a DDoS attack is that it relays attacks from many different hosts (which
must first be compromised), rather than from a single host like DoS. DDoS is a
large-scale, coordinated attack on a victim system.
The services under attack are those of the primary
victim; the compromised systems used to launch the attack are secondary
victims. These compromised systems, which send the DDoS to the primary victim,
are sometimes called zombies or BOTs. They’re usually compromised
through another attack and then used to launch an attack on the primary victim at
a certain time or under certain conditions. It can be difficult to track the
source of the attacks because they originate from several IP addresses.
Normally, DDoS
consists of three parts:
·
Master/handler
·
Slave/secondary victim/zombie/agent/BOT/BOTNET
·
Victim/primary victim
The
master is the attack launcher. A slave is a host that is
compromised by and controlled by the master. The victim is the target
system. The master directs the slaves to launch the attack on the victim
system.
Reference:
WORKING
OF BOTS/BOTNETS:
A BOT is short for web robot and
is an automated software program that behaves intelligently. Spammers often use
BOTs to automate the posting of spam messages on newsgroups or the sending of
emails. BOTs can also be used as remote attack tools. Most often, BOTs are web
software agents that interface with web pages. For example, web crawlers
(spiders) are web robots that gather web page information.
The most dangerous BOTs are those that covertly install
themselves on users’ computers for malicious purposes. Some BOTs communicate
with other users of Internet-based services via instant messaging, Internet
Relay Chat (IRC), or another web interface. These BOTs allow IRQ users to ask
questions in plain English and then formulate a proper response. Such BOTs can
often handle many tasks, including reporting weather; providing zip code information;
listing sports scores; converting units of measure, such as currency; and so
on.
A BOTNET is a group of BOT systems. BOTNETs serve
various purposes, including DDoS attacks; creation or misuse of Simple Mail
Transfer Protocol (SMTP) mail relays for spam; Internet marketing fraud; and
the theft of application serial numbers, login IDs, and financial information
such as credit card numbers. Generally a BOTNET refers to a group of
compromised systems running a BOT for the purpose of launching a coordinated
DDoS attack.
SMURF ATTACK:
A smurf attack sends a large
amount of ICMP Echo (ping) traffic to a broadcast IP address with the spoofed
source address of a victim. Each secondary victim’s host on that IP network replies
to the ICMP Echo request with an Echo reply, multiplying the traffic by the
number of hosts responding. On a multi access broadcast network, hundreds of
machines might reply to each packet. This creates a magnified DoS attack of
ping replies, flooding the primary victim. IRC servers are the primary victim
of smurf attacks on the Internet.
A SYN flood attack sends TCP connection requests
faster than a machine can process them. The attacker creates a random source
address for each packet and sets the SYN flag to request a new connection to
the server from the spoofed IP address. The victim responds to the spoofed IP
address and then waits for the TCP confirmation that never arrives.
Consequently, the victim’s connection table fills up waiting for replies; after
the table is full, all new connections are ignored. Legitimate users are
ignored as well and can’t access the server. A SYN flood attack can be detected
through the use of the netstat command. An example of the netstat output from a
system under a SYN flood.
Here are some of the
methods used to prevent SYN flood attacks:
SYN
Cookies SYN cookies ensure the server does not allocate system
resources until a successful three-way handshake has been completed.
RST
Cookies Essentially the server responds to the client SYN frame
with an incorrect SYN ACK. The client should then generate an RST packet
telling the server that something is wrong. At this point, the server knows the
client is valid and will now accept incoming connections from that client
normally.
Micro
Blocks Micro blocks prevent SYN floods by allocating only a
small space in memory for the connection record. In some cases, this memory
allocation is as small as 16 bytes.
Stack
Tweaking This method involves changing the TCP/IP stack to
prevent SYN floods. Techniques of stack tweaking include selectively dropping
incoming connections or reducing the timeout when the stack will free up the
memory allocated for a connection.
DoS/DDoS Countermeasures
There are several ways to detect, halt, or prevent DoS
attacks. The following are common security features:
Network-Ingress
Filtering All network access providers should implement network
ingress filtering to stop any downstream networks from injecting packets with
faked or spoofed addresses into the Internet. Although this doesn’t stop an
attack from occurring, it does make it much easier to track down the source of
the attack and terminate the attack quickly. Most IDS, firewalls, and routers
provide network-ingress filtering capabilities.
Rate-Limiting
Network Traffic A number of routers on the market today have
features that let you limit the amount of bandwidth some types of traffic can
consume. This is sometimes referred to as traffic shaping.
Intrusion
Detection Systems Use an intrusion detection system (IDS) to
detect attackers who are communicating with slave, master, or agent machines.
Doing so lets you know whether a machine in your network is being used to
launch a known attack but probably won’t detect new variations of these attacks
or the tools that implement them. Most IDS vendors have signatures to detect
Trinoo, TFN, or Stacheldraht network traffic.
Automated
Network-Tracing Tools Tracing streams of packets with spoofed
addresses through the network is a time-consuming task that requires the
cooperation of all networks carrying the traffic and that must be completed
while the attack is in progress.
Host-Auditing
and Network-Auditing Tools File-scanning tools are available that
attempt to detect the existence of known DDoS tool client and server binaries
in a system. Network scanning tools attempt to detect the presence of DDoS
agents running on hosts on your network.
SOCIAL
ENGINEERING ATTACKS:
Social engineering includes the acquisition of sensitive
information or inappropriate access privileges by an outsider, based on the
building of inappropriate trust relationships. The goal of a social engineer is
to trick someone into providing valuable information or access to that
information.
Social engineering preys on qualities of human nature,
such as the desire to be helpful, the tendency to trust people, and the fear of
getting in trouble. Hackers who are able to blend in and appear to be a part of
the organization are the most successful at social-engineering attacks. This
ability to blend in is commonly referred to as the art of manipulation.
People are usually the weakest link in the security chain.
A successful defense depends on having good policies in place and teaching
employees to follow the policies. Social engineering is the hardest form of
attack to defend against because a company can’t protect itself with hardware
or software alone.
Types
of Social Engineering-Attacks
Social
engineering can be broken into two common types:
Human-Based
Human-based
social engineering refers to person-to-person interaction to retrieve the
desired information. An example is calling the help desk and trying to find out
a password.
Computer-Based
Computer-based
social engineering refers to having computer software that attempts to retrieve
the desired information. An example is sending a user an email and asking them
to reenter a password in a web page to confirm it. This social-engineering attack
is also known as phishing.
We’ll
look at each of these more closely in the following sections.
Human-Based
Social Engineering
Human-based social engineering techniques can be broadly
categorized as follows:
Impersonating
an Employee or Valid User In this type of social-engineering
attack, the hacker pretends to be an employee or valid user on the system. A
hacker can gain physical access by pretending to be a janitor, employee, or
contractor. Once inside the facility, the hacker gathers information from
trashcans, desktops, or computer systems.
Posing
as an Important User In this type of attack, the hacker pretends
to be an important user such as an executive or high-level manager who needs
immediate assistance to gain access to a computer system or files. The hacker
uses intimidation so that a lower-level employee such as a help desk worker
will assist them in gaining access to the system. Most low-level employees
won’t question someone who appears to be in a position of authority.
Using
a Third Person Using the third-person approach, a hacker
pretends to have permission from an authorized source to use a system. This
attack is especially effective if the supposed authorized source is on vacation
or can’t be contacted for verification.
Calling
Technical Support Calling tech support for assistance is a
classic social-engineering technique. Help desk and technical support personnel
are trained to help users, which makes them good prey for social-engineering
attacks.
Shoulder
Surfing Shoulder surfing is a technique of gathering passwords
by watching over a person’s shoulder while they log in to the system. A hacker
can watch a valid user log in and then use that password to gain access to the
system.
Dumpster
Diving Dumpster diving involves looking in the trash for
information written on pieces of paper or computer printouts. The hacker can
often find passwords, filenames, or other pieces of confidential information.
A
more advanced method of gaining illicit information is known as reverse
social engineering.
Using this technique, a hacker creates a persona that
appears to be in a position of authority so that employees ask the hacker for
information, rather than the other way around. For example, a hacker can
impersonate a help desk employee and get the user to give them information such
as a password.
The facilitator of a live Computer Security Institute
demonstration showed the vulnerability of help desks when he dialed up a phone
company, got transferred around, and reached the help desk. “Who’s the
supervisor on duty tonight?” “Oh, it’s Betty.” “Let me talk to Betty.” [He’s
transferred.] “Hi Betty, having a bad day?” “No, why?” “Your systems are down.”
Betty said, “My systems aren’t down, we’re running fine.” He said, “You better sign
off.” She signed off. He said, “Now sign on again.” She signed on again. He
said, “We didn’t even show a blip, we show no change.” He said, “Sign off
again.” She did. “Betty, I’m going to have to sign on as you here to figure out
what’s happening with your ID. Let me have your user ID and password.”
So this senior supervisor at the help desk tells him her
user ID and password. In a few minutes a hacker is able to get information that
might have taken him days to get by capturing traffic and cracking the
password. It is much easier to gain information by social engineering than by
technical methods.
Computer-Based
Social Engineering
Computer-based social-engineering attacks can include
the following:
·
Email attachments
·
Fake websites
·
Pop-up windows
Insider
Attacks
If a hacker can’t find any other way to hack an
organization, the next best option is to infiltrate the organization by getting
hired as an employee or finding a disgruntled employee to assist in the attack.
Insider attacks can be powerful because employees have physical access and are
able to move freely about the organization. An example might be someone posing as
a delivery person by wearing a uniform and gaining access to a delivery room or
loading dock. Another possibility is someone posing as a member of the cleaning
crew who has access to the inside of the building and is usually able to move
about the offices. As a last resort, a hacker might bribe or otherwise coerce an
employee to participate in the attack by providing information such as
passwords.
Identity
Theft
A hacker can pose as an employee or steal the employee’s
identity to perpetrate an attack. Information gathered in dumpster diving or
shoulder surfing in combination with creating fake ID badges can gain the
hacker entry into an organization. Creating a persona that can enter the
building unchallenged is the goal of identity theft.
Phishing
Attacks
Phishing involves sending an email, usually posing as a
bank, credit card Company, or other financial organization. The email requests
that the recipient confirm banking information or reset passwords or PINs. The
user clicks the link in the email and is redirected to a fake website. The
hacker is then able to capture this information and use it for financial gain
or to perpetrate other attacks. Emails that claim the senders have a great
amount of money but need your help getting it out of the country are examples
of phishing attacks. These attacks prey on the common person and are aimed at
getting them to provide bank account access codes or other confidential
information to the hacker.
Online
Scams
Some websites that make free offers or other special deals
can lure a victim to enter a username and password that may be the same as
those they use to access their work system.
The hacker can use this valid username and password once
the user enters the information in the website form. Mail attachments can be used
to send malicious code to a victim’s system, which could automatically execute
something like a software keylogger to capture passwords. Viruses, Trojans, and
worms can be included in cleverly crafted emails to entice a victim to open the
attachment. Mail attachments are considered a computer-based social-engineering
attack. Here is an example of an email that which tries to convince the
receiver to open an unsafe attachment:
URL
Obfuscation
The URL (uniform resource locator) is commonly used in
the address bar of a web browser to access a particular website. In lay terms,
it is the website address. URL obfuscation consists of hiding a fake URL in
what appear to be a legitimate website address. For example, a website of
204.13.144.2/Citibank may appear to be a legitimate web address for Citibank but
in fact is not. URL obfuscation is used in phishing attacks and some online
scams to make the scam seem more legitimate. A website address may be seen as
an actual financial institution name or logo, but the link leads to a fake
website or IP address. When users click the link, they’re redirected to the
hacker’s site.
Addresses can be obfuscated in malicious links by the
use of hexadecimal or decimal notations. For example, the address 192.168.10.5
looks like 3232238085 as a decimal. The same address looks like C0A80A05 in IP
hex. This conversion requires that you divide 3232238085 by 16 multiple times.
Each time the remainder reveals the address, starting from the least
significant value.
Here’s
the explanation:
3232238085/16
= 202014880.3125 (.3125 × 16 = 5)
202014880/16
= 12625930.0 (.0 × 16 = 0)
12625930/16
= 789120.625 (.625 × 16 = 10 = A)
789120/16
= 49320.0 (.0 × 16 = 0)
49320.0/16
= 3082.5 (.5 × 16 = 8)
3082/16
= 192.625 (.625 × 16 = 10 = A)
192/16
= 12 = C
