

Final Speech

Another one got caught today; it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering". Yes, they are everywhere these days, the least understood and the most feared. Hackers today are ranked in the same group as terrorists and super villains. Millions if not billions of dollars are spent yearly trying to stop these people. Everyone is so afraid, yet nobody really understands. The popular picture is that they can get into any system, anywhere, any time, without a trace: cyber ghosts, moving from place to place, taking what they want and disappearing into the digital shadows. However, have you ever stopped to think about who these people are, why they do it, and how they do it? Have you ever questioned their motives, instead of just assuming they are out to get you? Maybe if you learned a little more, you would understand instead of just judging and fearing. We are going to look at where they come from, why they do what they do, and how they do it. Stay with me on this; you might learn something.

"This is our world now... the world of the electron and the switch, the beauty of the baud." That is a quote from one of the most famous pieces of hacker literature, The Hacker Manifesto (also known as The Conscience of a Hacker), published in Phrack in 1986 by a hacker known simply as The Mentor. It describes the nature of the underground and how these people are made. Mostly it talks of one thing: having control when you had none before. If you haven't noticed, most hackers are in their prime from 13 to 20, an age when control over most things is at a minimum. A computer gives them complete control over every aspect of it. Hackers also tend to be smarter than the average kid; they are drawn to complex problem solving and logical sequence, and are often very mathematically inclined. They enjoy challenges, and being faced with problems that thinking and analysis can overcome. So here you have an individual who is smarter than most people, loves challenges, is very determined, and is pretty clever about problem solving.

Now look at a computer. It is a device that only knows what a user or program tells it, operates solely on logic and sequence, and has more challenges than you can shake a stick at. Most hackers don't start out saying "I think I want to go break into a bank system" the first time they use a computer. Most of them start with simple things, like a game that they don't like something about, so they research and learn how to change it. Then they move to something a little larger: instead of just tweaking a game they may want to make their own, or skip the games altogether and go for changing the computer itself. Being the logical people they are, they will want to make things run better and be more efficient. Odds are they will want more control, which leads to learning a programming language and writing their own code. Eventually they become proficient programmers, know how their operating system works inside and out, and have mastered everything their own computer can throw at them. What now? The hacker thirsts for challenges, and what could offer more of a challenge than getting into a place where there are people working to keep you out? Imagine the pure satisfaction of being able to leave the systems administrator at Microsoft or the White House a little note saying that you have been there. That is what it is all about: outsmarting the people who oppose you. A gauntlet is thrown down, and to a determined, clever hacker, all walls will fall. It's not about stealing information, or causing damage, or even learning things about the company or individual you are hacking. It is about curiosity, and gaining knowledge.

However, there are those hackers who take a turn for the dark side; the temptation of so much power gets to them. Their skills, combined with a desire for money and power, drive them to take advantage of their knowledge. These people are known as crackers, or black hats: those who have shifted away from the core principles of being a hacker (curiosity, defeating a challenge, learning more about computers and networks along the way) and become driven by money, revenge, hatred, and lust for power. Knowledge is a tool, the most powerful of tools, and hackers hold so much of it that they become some of the most powerful people in the world; it is just a matter of how they use it. You never hear about the hackers who break into a system only to leave a note for the systems administrator saying that they have been there and how to fix the hole. No, those Robin Hood hackers are ignored, or worse, have charges pressed against them. The last thing I want is to sound like a bleeding heart liberal when I say don't stereotype, but remember there are many classes of hackers: the neophytes, the script kiddies, the white hats, grey hats, black hats, and the masters.

How do these hackers do these things? How can they break security on systems that are supposed to be unbreakable? I mean, I forget the password to my email account and that's it, never mind breaking into a remote SSH server that is designed to keep strangers out. It is impossible to cover everything a hacker does in the quest to break a system; if it were easy, everyone would be a hacker. A hacker is like a professional: he has tools, methods, and a group of other professionals he can share information with and get it from. He has extensive training, maybe not in the conventional sense, but lots of time spent in various computer arts and exposure to lots of different environments. I can't cover all the tools used, but a few that are worth knowing about and are in every hacker's toolbox are port scanners, password crackers, and remote connection clients.

Let's start with this: a computer is like a country. It has many ways into it, mostly by boat. For a boat to come in it needs a port to harbor in. It's the same deal with computers, except that instead of boats, the computer gets data traffic. Every connection goes to a specific port number on the receiving machine; for example, web traffic by default goes to port 80 (HTTP) on the web server, and to 443 for HTTPS. Every application, game, or file transfer that talks over the network uses a port of some kind. There are 65,536 ports (numbered 0 to 65535) for TCP, and another 65,536 for UDP. A port is closed unless some program is listening on it, and it is that listening program, the service, that makes a port open: a web server listens on 80, an FTP server on 21, SMTP on 25, DNS on 53, POP3 on 110, telnet on 23, SSH on 22, and so on for thousands more. (Programs that only make outgoing connections, like your instant messenger, don't need a listening port of their own; they borrow a temporary one for each conversation.) Now back to our country analogy: all your ports are closed except for the ones you open for specific purposes. But the ports you do have open are open to everyone, and the service behind them has no way to know ahead of time who or what is trying to come in. So what a curious hacker needs to know is which country he is looking at and which ports it has open, because that tells him how he can connect to it and possibly get in. In the world of computers, instead of names, machines are identified by a number called the IP address. An IPv4 address is four numbers from 0 to 255 separated by dots, for example 192.0.2.10. So say a hacker wanted to explore XYZ Company. The name XYZ Company is no good on its own; we need the number the machine is addressed by, which isn't hard to find. Names are turned into addresses by DNS, and a tool like nslookup asks DNS directly; even the humble ping command, which checks whether a host is alive, prints the IP address attached to the name as a side effect. So now we have the number the computer is known by.
We can then plug that number into a program called a port scanner. The port scanner sends a small packet to each port on the target and watches how the target answers. For TCP, a port with a service listening answers the connection request with an acknowledgement (SYN-ACK), a closed port answers with a reset (RST), and a port behind a firewall that silently drops the packet answers with nothing at all, which scanners usually report as "filtered". So an attacker lets the scan run and comes back in a while; scanning all 65,535 ports can take anywhere from seconds to the better part of an hour depending on the network, on how the target responds, and on how slowly the attacker goes to avoid attracting attention. With almost every port scanner you can say which ports you want by giving a range or the specific port numbers you are interested in. When the scan is done the attacker has a record of which ports the computer is accepting traffic on. Next they must identify what service is running on each one, because remember, every open port has a service behind it, but you don't always know which service. Like I said, everything has a default port it normally runs on, but in most applications you can change the port. The simpler port scanners just look the number up in a table of well-known ports and label it with the service usually found there. The better ones, nmap being the best known, actually talk to the service and read what it says back (its banner), which is far more reliable than trusting the port number.

So back to the country analogy. Say country XYZ is an interesting target to me, but I don't know how I should try to get in, because I don't know which ports it is letting boats into. So I give my port scanner the numeric address of XYZ and let it see which ports are taking traffic. Once it is done, say the scanner tells me XYZ is accepting traffic on ports 23 and 80. Now I need to figure out what kind of boats go into those ports. By default, port 23 is telnet, a remote login protocol that gives you a command prompt on a machine over the network (Windows, Unix and Linux all have telnet servers available). Telnet is very interesting because if you can actually log in through that port you have a shell, which on many systems means complete control of the computer/country. Worse, telnet sends everything, including usernames and passwords, across the network in plain text, so anyone who can watch the traffic can read the password, which is why SSH has replaced it almost everywhere. Port 80 is the web server. A static site of pages and pictures gives us little, but a web application with logins and a database behind it is a different story, as we will see when we get to SQL injection. So when you boil it down, port scanning is the process of asking a computer "Hey, where and how are you letting other computers talk to you?" and hoping the reply is something you can exploit, which we will talk about later.
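Here is the scan just described, as an added Python example; it is not part of the original speech. It is a TCP connect scanner that reports each port as open, closed or filtered, guesses the service from the port number the way a simple scanner does, and grabs the first line the service sends the way a better one does. So that it runs offline, it starts its own fake service on localhost; that service, its banner text and the addresses are constructed for the demo.

```python
import socket
import threading


def scan_port(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan of one port.

    Returns (state, banner): "open" when the handshake completes (SYN-ACK),
    "closed" when the target answers with a reset (RST), and "filtered" when
    nothing comes back before the timeout, which is what a firewall silently
    dropping packets looks like from the outside.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", ""
        except (socket.timeout, OSError):
            return "filtered", ""
        # Many services speak first (SSH, FTP, SMTP). HTTP waits for the client,
        # so there the read just times out and the banner stays empty.
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except (socket.timeout, OSError):
            banner = ""
        return "open", banner


def default_service(port: int) -> str:
    """What the port number alone suggests, from the system's services table."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Scan a list of ports; returns {port: (state, banner)}."""
    return {p: scan_port(host, p, timeout) for p in ports}


# --- demo plumbing (constructed): a fake service so the scan can run offline ---

def start_fake_service(banner: bytes) -> int:
    """Listen on a random localhost port and greet every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """Reserve and release a port so we know nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_demo\r\n")  # constructed banner
    closed_port = pick_closed_port()
    for port, (state, banner) in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port:5d}/tcp {state:8s} guess={default_service(port):10s} banner={banner!r}")
```

Against a real host, replace "127.0.0.1" and the port list; a full sweep is `scan(host, range(1, 65536))`, and the gap between `default_service` (the table guess) and `banner` (what the service actually says) is exactly why the speech prefers the better scanners.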

Okay, so far we have talked about finding interesting things on remote computers. What about on your own computer? Do you and your family share a computer? How about school computers with lots of users, and maybe some passwords used by administrators? Wouldn't it be cool to get your hands on those? Well, there is most certainly a way to get at Windows logon, AIM, website, and any other kind of password a computer has stored. The catch is that a stored password is almost never kept as plain text. Webster's defines encryption as "any procedure used in cryptography to convert plaintext into cipher text (encrypted message) in order to prevent any but the intended recipient from reading that data." Passwords are usually protected with a close cousin of encryption called hashing: the password is run through a big one-way math function, the algorithm, and only the output, the hash, is stored. When you log in, the system hashes what you typed and checks whether it matches the stored hash. What this means to us is that if you find the stored password, it is going to look like a bunch of random symbols or hex digits, or you may not be able to see it at all. So how do we turn this garbage back into readable text? The answer is programs called password crackers (call them encryption breakers if you like). Here is the secret: a good hash cannot be run backwards, and a cracker does not even try. What it does is guess. It takes a candidate password, runs it through the very same algorithm the system used, and compares the result with the stored hash. If they match, the candidate is the password; if not, try the next one. The people who write crackers are the ones who dug into each program (Windows, AIM, a web application's user table) and figured out exactly which algorithm it uses, so the tool can guess fast and exactly.
So then you would think that hashing and encryption are practically useless against a machine that can guess millions of times a second, right?

Wrong. In fact encryption is still very strong and very useful, because its strength does not come from keeping the algorithm secret. Good ciphers and hashes are published and studied by everybody; what is secret is the key. Two messages encrypted with the same algorithm but different keys come out completely different, and a cracker who wants to read a message without the key has to try every possible key. A 128-bit key has 2^128 possibilities, about 3.4 x 10^38, and no computer on earth, nor all of them together, will run through that. So where does the cracker's guessing get traction? Wherever the key or the hash comes from a human. A password is short and predictable, so the number of things worth guessing is the size of the password space, not the cipher's key space: the attack is on the weak link, the password, not on the math. That is also why the cracker writers keep digging through programs, not to "reverse" the algorithm but to find the exact way a product turns a password into a key or hash, including any shortcuts the programmers took. Find a shortcut and the guessing gets cheaper. So the battle between the people who write the encryption programs and the reverse engineers who study them wages on.

Bottom line: you use a program to pull out the hash of the password you want to crack, let's say in this case a Windows password. Windows keeps the hashes of local accounts in a protected file called the SAM (Security Account Manager) database, under the system directory, which a normal user cannot read while Windows is running; tools get at it with administrator rights or by reading the disk from another operating system. The two hash formats Windows has used are LM and NTLM (strictly, the NT hash), and older systems store both. The LM hash is the weak one: it uppercases the password, chops it into two seven-character halves and hashes each half separately, so a fourteen-character password is really two seven-character problems, each crackable in minutes. The NT hash is a single unsalted hash of the full password, so it is case sensitive and much stronger, but still only as strong as the password, and because there is no salt the same password always gives the same hash. So you grab a copy of SAMInside, L0phtCrack, or whatever program you prefer, and feed it the hash. The program then goes to work guessing, hashing, and comparing. A little while later (seconds, minutes, hours or days, depending on the password) you come back to find the plaintext password sitting on the screen. The same basic principle holds for almost every stored-password format.

Now you're saying: "Dan, you've told me how hackers think and where they come from, you've explained port scanning and how traffic moves through ports, you've even given me a good idea of how to break Windows passwords! But I still can't get into the instant messenger account whose password I forgot! There is no stored hash to break; I have nothing to go on!" Never fear, because I have a solution for that one too. Actually two solutions, similar but not quite the same. One is called a dictionary attack, the other a brute force. Think about it: if you sat at your computer all day guessing passwords, statistically you would eventually hit it, especially if the password is a word in the dictionary. Now imagine you could try thousands of guesses a second and take less than a microsecond to think of the next one. That is what a dictionary attack is all about. A dictionary attacker is a simple program that reads words out of a list, plugs each one into the specified place, and tries it. Some are customizable: you can tell them which key to press before and after a password is entered (most of the time just Enter), which file to read from, and whether to try variations such as capitalizing the word or adding numbers on the end. Say you had a file called words.txt containing the words speech, is, great. You tell your dictionary attacker to load words.txt. The program takes the first word, speech, puts it into the field you told it to, and presses Enter to tell the victim program to try that password. If it works, great, you are done; close the dictionary attacker. If not, which is usually the case, the program reads the next word in the list, is, and tries that one.
It continues until you stop it, it runs out of words, or the password is found. Keep in mind that dictionary files are usually very large, containing hundreds of thousands of words, maybe millions. But what if your password was not a real word, but a piece of a word with some numbers in it? Then we cross into the territory of the brute force attack. Unlike dictionary attacks, brute forcers do not use word lists; they only need to know which letters, numbers and symbols the keyboard can produce. These programs do the unthinkable: they try every single combination of those characters at a given length or range of lengths. Done blindly, that can take years even on a supercomputer, because the number of combinations is the size of the character set raised to the power of the password length. So what you do with any decent brute forcer is narrow it down. Say you know you didn't use any special characters and it was all lower case; you tell the program to use only lowercase letters and digits. Maybe you even remember it was five characters long. Plug all that in: a character set of 36 symbols, length exactly 5. That is 36^5, a little over 60 million guesses, which against a hash sitting on your own machine is seconds to minutes of work, and even typed one at a time into a program is something you can leave running and come back to.
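The guess-hash-compare loop that both the Windows cracking passage and the dictionary and brute force passages describe, as an added Python example that is not part of the original speech. SHA-256 stands in for the real hash function: an NT hash is MD4 over the UTF-16LE password and LM is a DES construction, but only `hash_password` would change to target those. The wordlist and the "recovered" hashes are constructed for the demo.

```python
import hashlib
import itertools
import string


def hash_password(password: str) -> str:
    """Stand-in one-way function. Windows stores the NT hash (MD4 of the
    UTF-16LE password) with no salt; swap this body to target that instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Typical cracker 'rules': the word as-is plus a few common variations."""
    bases = (word, word.capitalize(), word.upper())
    for base in bases:
        yield base
    for base in bases[:2]:
        for suffix in ("1", "123", "!"):
            yield base + suffix


def dictionary_attack(target_hash: str, wordlist, use_rules: bool = True):
    """Hash every candidate exactly as the system did and compare.
    Returns the plaintext, or None when the list is exhausted."""
    for word in wordlist:
        word = word.strip()
        if not word:
            continue
        for candidate in (mangle(word) if use_rules else (word,)):
            if hash_password(candidate) == target_hash:
                return candidate
    return None


def keyspace(charset: str, min_len: int, max_len: int) -> int:
    """How many candidates a brute force over these lengths has to try."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def brute_force(target_hash: str, charset: str, min_len: int, max_len: int):
    """Try every string over `charset` from min_len to max_len, shortest first."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate
    return None


# Constructed demo data: the speech's tiny wordlist and a reduced character set.
WORDLIST = ["speech", "is", "great"]
LOWER_DIGITS = string.ascii_lowercase + string.digits

if __name__ == "__main__":
    stolen = hash_password("Great1")           # a list word with a rule applied
    print("dictionary:", dictionary_attack(stolen, WORDLIST))
    stolen = hash_password("ab3")              # short, lowercase + digits only
    print("keyspace 1-3 chars:", keyspace(LOWER_DIGITS, 1, 3))
    print("brute force:", brute_force(stolen, LOWER_DIGITS, 1, 3))
    print("keyspace 5 chars  :", keyspace(LOWER_DIGITS, 5, 5))
```

The two attacks share everything except where candidates come from, which is why real crackers bolt both onto one hashing core. `keyspace` is the number the speech does in its head: 36^5 is 60,466,176, and adding upper case and symbols multiplies it quickly, which is the whole argument for long, mixed passwords and for salting hashes so one guess cannot be checked against every account at once.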

Of course there are problems with brute force and dictionary attacks. One is that many services allow only a limited number of guesses before locking the account out for a while, or slowing each attempt down. Another is that if you remember nothing about your password, a totally blind brute force like the one mentioned before would take years, which is impractical. And if you are trying to guess a password over the network, good luck: each guess has to travel to the server, be processed, and have the answer come back before the next one can go, so instead of thousands of guesses a second you get a handful, and the server's logs fill up with your failed attempts while you wait. The line to remember is online versus offline: guessing is fast and quiet against a hash you already hold on your own computer, and slow and noisy against a login prompt somewhere on the internet.

Sigh, even with all this information I still can't get into the email account whose password I forgot! Once again I have a way to help you out. This time it is not so much a program as a method, a process, a form of trickery. The attack we are going to talk about now is known as SQL injection. Even the name sounds cool. Just a quick background: web sites with password forms are almost always backed by a database, and the language used to talk to databases is SQL. SQL is a query language built for pulling information out of tables of data, so it is a favorite among people who write web sites with usernames and passwords; I even use it on my personal site. To get the database to do something, the web site issues what is called a query, a request for the database to look through its tables and find a certain piece of information. A login page takes the username and password you typed, builds a query that asks "is there a row with this username and this password?", and sends it off. If a row comes back you are logged in; if not, it asks you to try again. So the question is: could you somehow send your own custom query to the database? Could you make it hand you information it was not supposed to? In many cases the answer is yes. Keep in mind that when you type into those username and password boxes, or into the address bar of your browser, you are simply sending text, and if the programmer pastes your text straight into the middle of the SQL query, the database cannot tell where the programmer's query ends and your text begins. It is happy to run whatever it is handed, including commands you slipped in. So say that instead of a username you hand it something that makes the query's condition always true. The database, being a dumb box, gladly says "okay, Mr. anonymous user guy, here is every row that matches", which is all of them. How do we issue that command, though?
Well, only a small amount of SQL knowledge is required. A login query usually looks something like this (show slide):

SELECT * FROM users WHERE username = 'alice' AND password = 'secret'

The web page fills in the two quoted values from what you typed. Now type this as the username, and the same thing as the password: ' OR '1'='1 . The first quote closes the string early, and the rest becomes part of the query itself:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'

Since '1'='1' is always true, the condition is always true, and the database hands back every user in the table, or simply logs you in as the first one. Sometimes it is a little harder because the table and column names can be anything the programmer chose, so a good part of an SQL injection attack is working out what they called things, often by feeding the form a stray quote and reading the error message the database spits back. Beyond that it is a cakewalk. Keep in mind, though, that injection only works when the programmer builds the query by gluing your text into it. Sites that use parameterized queries (the SQL text is fixed and your input is passed to the database separately, so a quote is just a quote) are not vulnerable, and that has nothing to do with the brand or version of the server or the language the site is written in.
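The login check just described, as an added Python/sqlite3 example; it is not code from the original speech or from any real site. The same query is written twice: once gluing the user's text into the SQL, which is what the injection rides on, and once handing the values to the database as parameters, which is the fix. The table, the two accounts and the attacker strings are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database: two accounts in a users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hunter2"), ("bob", "letmein")])
    con.commit()
    return con


def login_vulnerable(con, username: str, password: str) -> list:
    """The query the speech describes: the user's text becomes part of the SQL.
    A quote in the input ends the string early and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username: str, password: str) -> list:
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so a quote in the input is just a character inside a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"     # makes the WHERE clause always true
COMMENT_OUT = "alice'--"      # closes the string, then comments out the password check

if __name__ == "__main__":
    con = make_db()
    print("normal login       :", login_vulnerable(con, "alice", "hunter2"))
    print("tautology, vuln    :", login_vulnerable(con, TAUTOLOGY, TAUTOLOGY))
    print("comment-out, vuln  :", login_vulnerable(con, COMMENT_OUT, "wrong"))
    print("tautology, safe    :", login_safe(con, TAUTOLOGY, TAUTOLOGY))
    print("comment-out, safe  :", login_safe(con, COMMENT_OUT, "wrong"))
```

The second attacker string shows why "it only returns all rows" understates the problem: `alice'--` picks a specific account and throws the password check away entirely. Against `login_safe` both strings are simply usernames that do not exist.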

Hacking doesn't seem so hard. I mean, I could run a port scan or try some SQL injection; why is everyone making it seem so difficult? Alright, Mr. Big Shot Know-It-All, try to wrap your head around this one. The attack is called FTP bounce, and it has been around since the mid 90s; the fix is well known by now, but the servers that never got it are still out there. Let's look at the background before we plunge in kicking and screaming. On the internet you can look at pages and view pictures and so on. But what if you want to move files from one computer to another? That is where the File Transfer Protocol, FTP for short, comes in. Way back in the early 70s the universities on the ARPANET needed a standard way to move files between machines, so they created FTP, and nowadays it is used for everything from family pictures to software downloads, text documents, and more. FTP uses two connections: a control connection, on port 21 by default, where the commands and replies go, and a separate data connection for the actual file contents. Where the data connection comes from depends on the mode. In active mode, your computer tells the server, with a command called PORT, which address and port number the server should connect back to for the data, and the server makes that connection from its port 20. In passive mode it is the other way around: the server tells your computer which port it has opened, and your computer connects to it. Now look closely at active mode. The PORT command carries a full address, not just a port number, and an old FTP server trusts it completely: it will open the data connection to whatever address the client names, and that address does not have to belong to the client. So if we can get the server to act on a PORT command that names a target machine instead of ours, the server will connect to the target's port on our behalf. Now I'm not going to walk through every step, but the basic setup is three machines: the attacker, the FTP server, and the target.
So the attacker logs into the FTP server normally, over the control connection. Remember that machines are addressed by IP address, and that is how FTP names things too: the PORT command spells out the address and the port as six numbers. For simplicity's sake we will say the attacker has IP address 1 and the target has IP address 2 (real addresses are longer, but this is just an example). Normally the attacker would send PORT with address 1, and the server would connect back to 1 for the data. Here is the trickery: the attacker instead sends PORT with address 2 and, say, port 25, and then asks for a file. The server says "okay, I'll open the data connection to address 2, port 25" and connects to the target's mail port, because it doesn't know or care that address 2 isn't the machine it is talking to. If the connection succeeds, the server reports success; if the port is closed, it reports that it couldn't build the data connection. Repeat that for port after port and you have scanned the target through the FTP server, with the target's logs showing the server's address, not yours. Worse, the "file" the server sends down that data connection can be one you uploaded first, so you can make the server deliver text of your choosing to a service on the target that only accepts connections from the server's network. Note what is and isn't happening here: the bounce does not open new ports on the victim and nothing is spoofed. The attacker, legitimately logged in, is using the server as a relay to reach ports that are already open on the victim. The fix is equally simple, and most modern servers have it: refuse any PORT command whose address does not match the client that sent it.
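An added Python example, not part of the original speech, of the one FTP command the bounce rides on. PORT carries the address the server should connect to as six decimal bytes, h1,h2,h3,h4,p1,p2, where the port number is p1*256+p2. The first two functions encode and decode that; the third is the server-side check that stops a bounce, shown next to the permissive behaviour of the old servers. The addresses are constructed, following the speech's machines 1 and 2; the privileged-port rule is a common extra hardening, not part of the protocol itself.

```python
def encode_port_arg(ip: str, port: int) -> str:
    """Build the argument of an FTP PORT command: h1,h2,h3,h4,p1,p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address or port")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_arg(arg: str):
    """Decode h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2).
    Rejects anything that is not exactly six byte-sized decimal fields."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    nums = [int(f) for f in fields]
    return ".".join(fields[:4]), nums[4] * 256 + nums[5]


def handle_port_command(arg: str, client_ip: str, allow_foreign: bool = False) -> str:
    """Server-side handling of PORT; returns the FTP reply line.

    allow_foreign=True is how the old, bounce-able servers behaved: they opened
    the data connection to whatever address the client named. A hardened server
    only connects back to the client's own address, and (a common extra rule)
    refuses privileged ports below 1024 so it cannot be aimed at SMTP, DNS etc.
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError:
        return "501 Syntax error in parameters or arguments"
    if port < 1024:
        return "500 Illegal PORT command (privileged port)"
    if not allow_foreign and ip != client_ip:
        return "500 Illegal PORT command (address does not match client)"
    return "200 PORT command successful (data connection to %s:%d)" % (ip, port)


if __name__ == "__main__":
    attacker, target = "10.0.0.1", "10.0.0.2"      # the speech's machines 1 and 2
    bounce = encode_port_arg(target, 6000)          # aim the server at the target
    print("attacker sends : PORT", bounce)
    print("old server     :", handle_port_command(bounce, attacker, allow_foreign=True))
    print("fixed server   :", handle_port_command(bounce, attacker))
    print("legitimate use :", handle_port_command(encode_port_arg(attacker, 6000), attacker))
```

On the wire the attacker's side is just `PORT 10,0,0,2,23,112` followed by a `RETR` or `STOR`, which is what makes the server actually dial out; the "200" versus "425 Can't build data connection" replies that follow are the bounce scan's port-open and port-closed signals.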

Whew, we made it. Time for something a little easier to grasp. Maybe. So we have services identified on a remote machine, say FTP or SSH or telnet; it doesn't really matter which. How can we get in if we don't have a username or password? The answer is an exploit. To understand this you must keep in mind that all software, protocols, everything on a computer, contains mistakes of some kind. An exploit takes advantage of a flaw in the code to make the program misbehave in a way the attacker controls. The most common type of exploit against the kind of server we have been talking about involves a buffer overflow. A buffer is a fixed-size region of memory that a program sets aside to hold a piece of data, such as the username you send to an FTP server. If the program copies more data into the buffer than it can hold, the extra bytes don't vanish; they spill over and overwrite whatever sits next to the buffer in memory. On the stack, where many buffers live, the thing next door is often the address the program will jump to when the current function finishes. Overwrite that with an address of your choosing and the program jumps wherever you say, and if the data you sent also contains machine code, you can make it jump into that code, so the server is now running your instructions with its own privileges. That is why a buffer overflow is worth so much to an attacker: it is not that the program "goes insane" and accepts commands from anyone, it is that the attacker has precisely taken over what it does next. So how do we cause one? With programs called exploits. An exploit is usually a small program with one purpose: connect to the vulnerable service and send the one carefully constructed oversized request that triggers the overflow, with the return address and the payload code placed at exactly the right offsets. Writing one means knowing the service's protocol, the exact size of the buffer, and where things sit in memory for that program and version, which is why exploits are so specific. The problem for the attacker becomes: exactly what service is running, and what version?
Although all FTP server programs behave similarly, they all do things a little differently, and even different versions of the same program can differ. The same holds for any kind of server. With enough looking, and knowing where to go, you can find an exploit for almost any program of almost any version, but finding out which one you need is the hard part. There are programs and techniques for fingerprinting a server, that is, putting together small pieces of rather unique information to work out which program and which version it is: the greeting banner it sends when you connect, the exact wording of its error messages, which commands it understands, the order of the headers it sends back. You record all the little oddities you find in the service you are looking at, search for server programs known to have the same quirks, then go find the appropriate exploit, run it, and odds are you get the desired effect. Two caveats a careful attacker keeps in mind: an administrator can edit or fake a banner, so a fingerprint is a best guess; and a version number from a banner does not tell you whether a vendor's fix has been backported, so the exploit may simply fail, or crash the service, which gets noticed.
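The fingerprinting step above, as an added Python example that is not part of the original speech: pull the product and version out of a banner, then compare the version field by field against the range an exploit is written for. The banners, the product names and the affected-version range are all constructed for the demo; they are fictional software and fictional flaws, not real ones. The point is the parsing and the version comparison, which is where naive string comparison gets things wrong ("1.10" sorts before "1.3" as text but is the newer release).

```python
import re

# Constructed banner patterns for fictional services. Group 1 = product, 2 = version.
BANNER_PATTERNS = [
    re.compile(r"^220[ -].*?(DemoFTPd)\s+(\d+(?:\.\d+)*)"),      # FTP greeting
    re.compile(r"^SSH-2\.0-(DemoSSH)[_-](\d+(?:\.\d+)*)"),        # SSH identification string
    re.compile(r"^Server:\s*(DemoHTTPd)/(\d+(?:\.\d+)*)", re.I),  # HTTP response header
]


def parse_version(text: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in text.split("."))


def fingerprint(banner: str):
    """Return (product, version_tuple), or None when the banner is unrecognised."""
    for pat in BANNER_PATTERNS:
        m = pat.search(banner.strip())
        if m:
            return m.group(1), parse_version(m.group(2))
    return None


def is_affected(version: tuple, lowest: tuple, fixed_in: tuple) -> bool:
    """lowest <= version < fixed_in, field by field; shorter tuples compare as
    if padded with zeros so that (1, 3) means the same as (1, 3, 0)."""
    width = max(len(version), len(lowest), len(fixed_in))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lowest) <= pad(version) < pad(fixed_in)


# Constructed "exploit catalogue" for the fictional products (hypothetical data).
EXPLOITS = {
    "DemoFTPd": {"name": "demoftpd_overflow", "lowest": (1, 2), "fixed_in": (1, 3, 4)},
}


def match_exploit(banner: str) -> dict:
    """Fingerprint a banner and report whether a catalogued exploit applies."""
    fp = fingerprint(banner)
    if fp is None:
        return {"product": None, "version": None, "exploit": None}
    product, version = fp
    entry = EXPLOITS.get(product)
    hit = None
    if entry and is_affected(version, entry["lowest"], entry["fixed_in"]):
        hit = entry["name"]
    return {"product": product, "version": version, "exploit": hit}


if __name__ == "__main__":
    # Constructed banners, as a scanner's banner grab might return them.
    for banner in ["220 DemoFTPd 1.3.3 Server ready",
                   "220 DemoFTPd 1.10.0 Server ready",
                   "SSH-2.0-DemoSSH_5.3",
                   "Server: DemoHTTPd/2.2.14",
                   "220 Welcome"]:
        print(f"{banner!r:40s} -> {match_exploit(banner)}")
```

The 1.10.0 banner is the one to watch: as a string it compares lower than "1.3.4" and a sloppy tool would wrongly mark it vulnerable, which is exactly the kind of mistake that makes an exploit fail or crash a patched server. The caveats from the speech still apply: the banner can lie, and a backported fix keeps the old version number.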

There you have it, a very small intro into the world of hacking. We have covered only a few of the programs and methods a seasoned hacker has mastered. Hackers are not bad people, just people who are curious about systems and engaged in the ultimate game of chess, except that in this game the pieces, the prizes, and the consequences are real. Hackers are smart people, just bored with everything else that doesn't offer a challenge. The war will never end; hackers, crackers, and security professionals are all here to stay. The world of hacking will take on new forms and gain new tricks. I see hackers becoming the digital age's super soldiers. No longer will battles be fought on the field, but in the realm of information. The most powerful hackers will be sought out by nations to defend their own land and to attack others. The more computers are ingrained in our society, the more power the hackers gain. No matter how many patches are released or firewalls installed, they are all made by humans, and being made by humans makes them susceptible to mistakes, mistakes that hackers will find and exploit. I see the only way to combat this onslaught of cyber spies is to arm yourself with the knowledge of how they work. We must learn more of them, their methods, and their mindset. Without knowing how they do what they do, we remain sheep waiting to be taken advantage of. As Sun Tzu wrote, "know yourself and your enemy and you will be victorious." I believe this holds truer today than ever before; do not let yourself become just another target. Learn about them, learn about your system, and learn how to defeat them. After all, hackers are human too, which means they make mistakes too.

Credits go out to The Mentor for his great piece of work, The Hacker Manifesto, and to anyone else I may have referenced.

 
