An Introduction to Hacking

Since I've gotten quite a lot of questions over the last couple of days about
hacking, I thought I would write a guide on what a full-scale hacking
operation would look like. Keep in mind that not everyone follows this approach.

For those who don't know much about hacking, though, it should be
quite useful, as you will get to know various things that I take for granted
because they're second nature to me. So let's get started with this guide.


Phase 1 - Think, before you Do ::
A) First of all, I will not use Google to pick my target, as that's not part of
what I call _real hacking_: you choose your target, Google shouldn't.
(If I wanted to hack a random site like most script kiddies do, I would just
search for, for example, inurl:search.asp?q= or similar well-known security holes.)


B) I will also think about the risks when I pick my target, since a minor target
like gimmewarez.tld carries far less authority than an American security
agency (or a similar place of authority) would.

I also have to take another factor into consideration: I live in
Denmark. That means if I chose a Danish site, I would have to be extra
cautious, because if a Danish person hacks a Danish website, the chance
that the authorities will react is a lot higher than if I came from Antarctica.

So, in our case I wanted to check out gimmewarez.tld, which is located
in, let's say, the USA, as a lot of IP addresses and hosting are in that country.

Now, before I start, I do know that the NSA has the right to monitor all traffic
passing through the USA as well, but since 33% of all the internet's traffic
passes through the USA, I don't need to be that paranoid when it's a minor
semi-illegal website.


C) I will also take into consideration whether I should use a proxy, depending on exactly
what I intend to do if I succeed in exploiting the site, and also how secure
that proxy, proxy network or similar should be.

In this case I might just use a proxy from a random site, by querying Google
for something like "Proxy List" or maybe "Anonymous Proxy". I should say,
though, that some hackers proxy through one or more of their
earlier hacked victims, as that is usually the most private form of proxying.

I won't be using Tor in this case, as I don't know who might be listening
on the exit nodes; that can be anyone, and you can get tracked through
the network if someone is monitoring your exit node. IF you should intend
to use the Tor network, I suggest keeping a LONG DISTANCE from exit nodes
in Sweden, Israel, Turkey (and similar countries), as well as Denmark & Norway.

The reason I won't use Sweden at all is that they have a law similar
to the one the NSA has, which says all traffic passing through Sweden can be
monitored by a military facility called FRA (Försvarets Radioanstalt).

I don't trust Israel either, as they are in the no-scan/no-touch range, and
I would seriously not trust Turkey either, as that's where A LOT of bad script
kiddies who deface random sites originate from. Denmark is on the list too, as
that's where the technique of tracking through Tor originates from.


Phase 2 - Information Gathering ::
A) Okay, we have now done our thinking and should go on to the next phase,
information gathering, which can be quite long and exhausting but nonetheless
usually quite interesting. Don't assume something is exploitable
just because you find something that should be exploitable.

First of all, I would start by doing a Whois lookup on gimmewarez.tld.
Depending on the quality of the whois service, it can show a lot of useful
information. In this case it would show the following:

    ICANN Registrar (where the domain was registered through)
    Created (when the domain was created)
    Expires (when the domain expires)
    Updated (if the domain has been updated)
    Registrar Status
    Primary Name Server
    Slave Name Server
    Whois Server
    IP-Address (you can just do this by ping gimmewarez.tld as well)
    IP-Location (useful to check where the website is located)
    Response Code

It can show a lot more than this, but these are the primary things I would
look at, including the actual Whois record, which in some cases contains
information about the registrant, either private or public.

In this case the information will be private, and we will not know who the
person behind it is, though his email is a real email and not an obfuscated one.
(To get more information about the person, we could google his email.)


B) Let's move on to the next part: now we want to map out their entire
network, if possible. To do this, we will start by doing everything we
can through the DNS protocol.

First we might want to try a zone transfer, and if that should fail, we could
try "bruteforcing" subdomains, i.e. asking very quickly, with for example a Perl
script and a text file of names, for any potential subdomains. A subdomain of our
target is, for example, www.gimmewarez.tld, even though the www. and
non-www hosts are usually exactly the same.

We might also want to check their nameserver and try to fingerprint its
version, usually by asking it in a "special way", or perhaps by using a Perl script.
Once we find out what version they are running, we save the information
for later use.
In our case, their nameserver runs BIND 9.2.3, which has a few flaws.

Now, we could stop here and try to exploit the server, but hacking
nameservers is not something you just do; it can be quite hard, and you
must know exactly what you're doing to accomplish a successful attack.
So we won't try to attack their nameserver, as it's too hard for now.


C) So, now we have information about their network, and it's time for a port
scan of their services to check exactly what they're running/providing.
Keep in mind that as soon as you start port scanning, you are in the gray
zone of illegal activities, or worse, depending on the country you live in.

We have found out that ports 80, 21 and 22 are open (common ports).
Now, this doesn't mean we can hack into the system at all: port
80 is HTTP, 21 is FTP and 22 is SSH. As a new hacker, it might seem like magic
to hear someone remember those ports, but there's a list.

Since most FTP and SSH servers are logged, and attacks on those usually
get reported faster than attacks via HTTP, we will start by
looking for vulnerabilities on gimmewarez.tld in the web browser.


D) So we visit the site, and we find out it's running WordPress 2.0.1. Now
how did I find that out? Well, there's usually a "Powered by <version here>"
at the bottom of such sites.

We have also determined, by looking at the address bar, which says
gimmewarez.tld/index.php, that the website is running PHP.
(Sometimes what the server is running can also be seen at some
whois services, though keep in mind you usually won't be able to use that for much.)

We're still not done yet: we want to find out what versions of FTP
and SSH they're running, and also the HTTP server (program and version)
they're running to provide their service.

To do that we could use the command prompt and telnet to the FTP and SSH ports,
and just look at the welcome banner, which usually states the program and version. In
our case the FTP server says PureFTPD with no version, and SSH says OpenSSH with the
newest version.
(This means there's not a high chance of failure if we try to break in.)

We will also try to find out what application they're running to serve
their WordPress blog over HTTP; in some cases even a 404 (not found)
error page will reveal this. In this case we try to provoke that
error by entering gimmewarez.tld/asjdkalsjdsalk in the address bar.

Some servers will tell us their server header, others won't. In this case it says
Apache 2.2 and a lot more, which we will use later on in our "operation".

Okay, we have almost done what we could in terms of information gathering, and
we have done a minimum of illegal activities so far without being a skiddie.
There is, though, one more thing we might want to do, and that is to look
for directories on their webserver, for example those listed in this article.
(We can also use various scanners/fuzzers to look for directories.)

Phase 3 - Using Collected Information ::
A) Okay, we have gathered a lot of information now, and we could probably
have spent even MORE time on collecting information, because usually
the Information Gathering phase is the longest if you're serious
about hacking your target.

Now let's write up what information we have:

    BIND 9.2.3
    PureFTPD (no version)
    OpenSSH (newest)
    Apache 2.2 with PHP 5.2.6 and more.
    Wordpress 2.0.1
    Found /administrator directory

B) We might have more than that, but let's just stick with this for now. Now
it's time to look for exploits for those things, and you could do this by
reading the changelogs on each project's website. For example, to find out about
security bugs I would read BIND's changelog on BIND's WEBSITE.

So after some time we find out that:

    BIND 9.2.3 - Has a Remote Cache Poisoning flaw.
    PureFTPD - Has been safe this year, though it wasn't 2 years ago.
    OpenSSH - Had a bug recently, but only on Debian systems.
    Apache 2.2 & PHP 5.2.6 - Have a few bugs, but they are hard to exploit.
    Wordpress 2.0.1 - Has some SQL injection bugs and more.

C) So, we know what's exploitable, and we have even read what is needed
to exploit the security holes in the software on various sites, including the
well-known milw0rm (and a lot more sites, as well as using Google).

We find out that the BIND holes are very hard to exploit, and we don't expect
PureFTPD and OpenSSH to be vulnerable; likewise the Apache and PHP
running on gimmewarez.tld are, or should be, secure, so we skip those.

We did, however, find an SQL injection, and even a proof of concept from some
random site, most likely written in plain text or Perl. The PoC contains a way
to show the administrator login etc., and we don't feel a need to deface the
site with an SQL injection.


D-1) So we use the SQL injection, and this is the part where it's a little bit
script-kiddie-ish, as you didn't find the bug yourself, but just used another person's
exploit directly on the site without even editing it!

Gimmewarez.tld now shows a page with two input fields, where the top one
says admin and the lower one 817Zhw8, and since we found the admin directory
earlier, we type /administrator in the address bar and log in.

At some points, for example where we port scanned, connected to their
services, and especially when we SQL injected and logged in, we used a
proxy. If not, it will appear in a log, which usually only root access
can delete.
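That log is the defender's side of this walkthrough. As an added example (not code from the original post), here is a small Python check over constructed Apache access-log lines that flags the pattern described in Phase 2: provoked 404s and guessed directories from one client, followed by a hit on the admin directory it found. The sample IPs and the admin paths in ADMIN_PATHS are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log sample (not real traffic): 198.51.100.23
# provokes 404s with junk and guessed paths, then reaches /administrator.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:14:02:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2012:14:02:03 +0000] "GET /asjdkalsjdsalk HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2012:14:02:04 +0000] "GET /admin HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2012:14:02:05 +0000] "GET /administrator HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:14:02:20 +0000] "GET /oldpost HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
ADMIN_PATHS = ("/administrator", "/wp-admin", "/wp-login.php")  # assumed admin paths for this blog

def parse_log(text):
    """One dict per well-formed line; status becomes an int, malformed lines are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries

def flag_recon(entries, min_requests=3, max_404_ratio=0.5):
    """Map each suspicious client IP to the list of reasons it was flagged."""
    per_ip = defaultdict(list)
    for e in entries:
        per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, reqs in per_ip.items():
        reasons = []
        # 1. most answers are 404: directory guessing or deliberately provoked error pages
        misses = sum(r["status"] == 404 for r in reqs)
        if len(reqs) >= min_requests and misses / len(reqs) >= max_404_ratio:
            reasons.append(f"404 burst: {misses} of {len(reqs)} requests missed")
        # 2. an admin path reached only after 404 probing: discovery, then use
        probes = 0
        for r in reqs:  # log lines are in chronological order
            if r["status"] == 404:
                probes += 1
            elif probes and r["path"].startswith(ADMIN_PATHS):
                reasons.append(f"{r['path']} reached after {probes} 404 probes")
                break
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Running flag_recon(parse_log(SAMPLE_LOG)) reports only 198.51.100.23; the ordinary browser with a single stale link is left alone by the min_requests threshold.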

So, you're in, you've got admin access, and this is the part where you are
either a Blackhat or a Grayhat. If you're pure Blackhat you just destroy that
person's whole blog, which might have taken months to make. If you're
Grayhat, you might just leave a message somewhere on the site, telling the
administrator/owner to update etc.

If you DEFACE the website, then you should have a really good reason to
deface it, especially if you destroy parts of the website, because would
you want someone to destroy your computer just for fun? I think not.

So after reading this guide, I really hope you have become smarter, or that
you have maybe learned something you can use in the future. Just remember
one thing: it's you who makes the choice about how illegal you choose to be.


D-2) An alternative that keeps you out of trouble, and might even make you friends
with the administrator/owner, would be to kindly send him an email telling
him you found a bug, that he should really upgrade, and that you haven't
touched anything.

Just keep in mind some people might think you hacked the site if it should
later get hacked. (As I experienced a couple of times, including getting
threats to my life; even though I don't care, I warned them.)

Be Huge © 2012 | Template By Be Huge