Hacking the Hacker. Grimes Roger A.
did the real brain work years before.
The irony is that the uber‐smart people I know about in the computer world aren’t the malicious hackers, but the defenders. They have to know everything the hacker does, guess at what they might do in the future, and build a user‐friendly, low‐effort defense against it all. The defender world is full of PhDs, master’s degree students, and successful entrepreneurs. Hackers rarely impress me. Defenders do all the time.
It is common for defenders to discover a new way of hacking something, only to remain publicly silent. It’s the job of defenders to defend, and giving malicious hackers new ways to hack something before the defenses are in place won’t make anyone else’s life easier. It’s a way of life for defenders to figure out a new hack and to help with closing the hole before it gets discovered by the outside world. That happens many more times than the other way around (such as the outside hacker discovering a new hole).
I’ve even seen defenders figure out a new hack, but for cost efficiency or timing reasons, the hole didn’t get immediately fixed, and later on, some outside hacker gets credit as the “discoverer.” Unfortunately, defenders don’t always get immediate glory and gratification when they are doing their day jobs.
After watching both malicious hackers and defenders for nearly three decades, it’s clear to me that the defenders are the more impressive of the two. It’s not even close. If you want to show everyone how good you are with computers, don’t show them a new hack. Show them a new, better defense. It doesn’t require intelligence to find a new way of hacking. It mostly just takes persistence. But it does take a special and smart person to build something that can withstand constant hacking over a long period of time.
If you want to impress the world, don’t tear down the garage. Instead, build code that can withstand the hacker’s mauling axe.
2
How Hackers Hack
The most enjoyable career activity I do is penetration testing (also known as pen testing). Pen testing is hacking in its truest sense. It’s a human against a machine in a battle of wits. The human “attacker” can use their own ingenuity and new or existing tools as they probe for weaknesses, whether they be machine‐ or human‐based. In all my years of pen testing, even though I am usually given weeks to conduct a test, I have successfully hacked my target the majority of the time in around one hour. The longest it has ever taken me is three hours. That includes every bank, government site, hospital, and corporate site that has ever hired me to do so.
I’m not even all that good as a pen tester. On a scale of 1 to 10, with 10 being the best, I’m about a 6 or a 7. On the defender side, I feel like I’m the best person in the world. But as an attacker, I’m very average. I’ve been surrounded by awesome pen testers – men and women who think nothing of writing their own testing tools or who don’t consider their testing a success unless they generated not a single event in a log file that could have caused an alert. But even the people I consider to be 10s usually think of themselves as average and admire other pen testers that they think are 10s. How good must those hackers be?
But you don’t have to be extremely good to be a very successful hacker. You don’t even have to actually break in for the customer that hired you (I’m assuming you’re being paid for a lawful assignment to pen test) to be happy with your work. In fact, the customer would absolutely be thrilled if you were not successful. They could brag that they hired some hackers and their network withstood the attack. It’s a win‐win for everyone involved. You get paid the same and they get to brag that they are impenetrable. It’s the only job I know where you cannot have a bad outcome. Unfortunately, I know of no pen tester who has ever not successfully broken into all of their targets. I’m sure there must be hackers who fail, but the vast majority of pen testers “capture their prize.”
NOTE
If your pen testing doesn’t find any weaknesses and soon afterward your client is compromised by real attackers, you aren’t going to look good. If this happens several times, word will get around and you’ll probably be looking for a new career. The weaknesses are there. Find them.
Usually pen testers will do something extra to impress their target’s senior managers, such as taking a clandestine picture of the CEO at his desk using his own computer’s camera or embedding the domain administrator’s password in the picture of a pirate flag that shows up on the security administrator’s screensaver. A picture is worth a thousand words. Never underestimate how much one goofy picture can increase your customer’s satisfaction with your job. They’ll be talking about the picture (and bragging about you) years after you’ve finished the job. If you can, always finish with a flourish. I’m giving you “consultant gold” with this recommendation.
The Secret to Hacking
If there is a secret to how hackers hack, it’s that there is no secret to how they hack. It’s a process of learning the right methods and using the right tools for the job, just like an electrician, plumber, or builder does. There isn’t even one way to do it. There is, however, a definitive set of steps that describe the larger, encompassing process, and that includes all the steps that a hacker could possibly have to perform. Not all hackers use all the steps. Some hackers only use one step. But in general, if you follow all the steps, you’re likely to be very successful at hacking. You can skip one or more of the steps and still be a successful hacker. Malware and other hacking tools often allow hackers to skip steps, but at least one of the steps, initial penetration foothold, is always required.
Regardless of whether you’re going to make a career out of being a (legal) hacker, if you’re going to fight malicious hackers, you have to understand the “hacking methodology” or whatever it is being called by the person or document describing it. The models can vary, including the number of steps involved, the names of the steps, and the specific details of each step, but they all contain the same basic components.
The hacking methodology contains the following progressive steps:
1. Information Gathering
2. Penetration
3. Optional: Guaranteeing Future Easier Access
4. Internal Reconnaissance
5. Optional: Movement
6. Intended Action Execution
7. Optional: Covering Tracks
Information Gathering
Unless the hacker is running a tool that opportunistically attacks any vulnerable site it happens to find, the hacker usually has a specific target in mind. If a hacker wants to penetrate a specific company, the first thing the hacker does is start researching everything they can about the company that might possibly help them break in. At the very least, this means reachable IP addresses, email addresses, and domain names. The hacker finds out how many potential sites and services they can access that are connected to the company. They use the news media and public financial reports to find out who the senior executives are or to find other employee names for social engineering. The hacker looks up news stories to see what big software the target has bought recently, what mergers or divestitures are happening (these are always messy affairs, often accompanied by relaxed or missed security), and even what partners they interact with. Many companies have been compromised through a much weaker partner.
Finding out what digital assets a company is connected to is the most important part of information gathering in most hacker attacks. Not only are the main (public) sites and services usually identified, but it’s usually more helpful to the attacker to find the less popular connected sites and services, like employee and partner portals. The less popular sites and servers are more likely to have a weakness compared to the main sites that everyone has already beat on for years.
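As an added example (not code from the book), the following Python script walks through the asset-discovery step just described and the fingerprinting the chapter goes on to describe: it pulls every hostname belonging to a target domain out of certificate subjectAltName lists, separates the well-trodden apex/www hosts from the less visited portals, and then parses raw HTTP and SSH banners into product, version, and an OS hint. The target domain, the SAN lists, and the banners are all constructed inline so it runs offline; on a real engagement the SANs would come from certificate-transparency logs and the banners from banner grabs against hosts that are explicitly in scope.

```python
"""Passive asset discovery and service fingerprinting over constructed data.

Added example (not from the book). All inputs below are constructed so the
script runs offline; on a real engagement the SAN lists would come from
certificate-transparency logs and the banners from banner grabs against
hosts that are explicitly in scope.
"""
import re

TARGET_DOMAIN = "example-corp.test"  # hypothetical target

# Constructed: subjectAltName lists from public TLS certificates, one list per
# certificate. The last list is an unrelated vendor plus a look-alike name;
# both must be dropped.
CERT_SANS = [
    ["www.example-corp.test", "example-corp.test"],
    ["mail.example-corp.test", "autodiscover.example-corp.test"],
    ["partnerportal.example-corp.test", "vpn.example-corp.test"],
    ["cdn.someothervendor.test", "www.example-corp.test.evil.test"],
]

# Constructed: raw banners captured per host and port.
BANNERS = {
    "www.example-corp.test": {
        443: "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
    },
    "partnerportal.example-corp.test": {
        443: "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n\r\n",
        22: "SSH-2.0-OpenSSH_7.4",
    },
    "vpn.example-corp.test": {
        443: "HTTP/1.1 302 Found\r\nServer: Apache/2.4.29 (Ubuntu)\r\nLocation: /login\r\n\r\n",
    },
}

# IIS version -> the Windows release it ships with. A Server header alone is
# often enough to pin the OS and therefore the patch baseline.
IIS_TO_WINDOWS = {
    "7.5": "Windows Server 2008 R2",
    "8.0": "Windows Server 2012",
    "8.5": "Windows Server 2012 R2",
    "10.0": "Windows Server 2016 or later",
}

_SERVER_RE = re.compile(r"^Server:\s*([^/\s]+)(?:/(\S+))?(?:\s+\(([^)]*)\))?", re.I | re.M)
_SSH_RE = re.compile(r"^SSH-\d\.\d-([A-Za-z]+)[_-]([\w.]+)")


def discover_hosts(cert_sans, domain):
    """Collect every SAN that is the target apex or a subdomain of it."""
    domain = domain.lower()
    suffix = "." + domain
    hosts = set()
    for sans in cert_sans:
        for name in sans:
            name = name.lower().rstrip(".")
            # endswith(suffix) rejects look-alikes such as example-corp.test.evil.test
            if name == domain or name.endswith(suffix):
                hosts.add(name)
    return hosts


def split_by_exposure(hosts, domain):
    """Separate the heavily tested apex/www hosts from the less visited ones."""
    main = {h for h in hosts if h in (domain, "www." + domain)}
    return main, hosts - main


def fingerprint(banner):
    """Extract product, version and an OS hint from one raw banner, or None."""
    m = _SSH_RE.match(banner)
    if m:
        return {"product": m.group(1), "version": m.group(2), "os": None}
    m = _SERVER_RE.search(banner)
    if not m:
        return None
    product, version, comment = m.group(1), m.group(2), m.group(3)
    os_hint = comment  # distro-packaged Apache appends e.g. "(Ubuntu)"
    if product.lower() == "microsoft-iis" and version:
        os_hint = IIS_TO_WINDOWS.get(version, "unknown Windows release")
    return {"product": product, "version": version, "os": os_hint}


def build_inventory(cert_sans, banners, domain):
    """Map every discovered host to its fingerprinted services."""
    inventory = {}
    for host in sorted(discover_hosts(cert_sans, domain)):
        inventory[host] = {
            port: fingerprint(raw) for port, raw in sorted(banners.get(host, {}).items())
        }
    return inventory


if __name__ == "__main__":
    main, secondary = split_by_exposure(discover_hosts(CERT_SANS, TARGET_DOMAIN), TARGET_DOMAIN)
    print("main hosts:     ", sorted(main))
    print("secondary hosts:", sorted(secondary))
    for host, services in build_inventory(CERT_SANS, BANNERS, TARGET_DOMAIN).items():
        for port, fp in services.items():
            print(f"{host}:{port} -> {fp}")
```

The suffix check in discover_hosts matters: matching on a bare substring would let an attacker-registered look-alike such as www.example-corp.test.evil.test into the inventory, and the partner portal that advertises IIS 8.5 is exactly the kind of less visited host whose Server header hands over the operating system for free.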
Then any good hacker starts to enumerate the software and services hosted on each of those sites, a process generally known as fingerprinting. It’s very important to learn which operating systems (OS) are in use and which versions. An OS version tells a hacker the likely patch level and therefore which bugs may or may not be present. For example, they might find Windows Server 2012 R2 and