Hacking 101

Status: Not open for further replies.

root (Site Team, Staff member, UK)
This thread is in response to someone who asked me to teach them how to hack. Now I don't pretend to know everything about hacking, but I do intend to write a rough guide to computer hacking, and conversely securing against computer hacking...
It's bound to read a little all over the place as I'm more technically minded than literary minded...

here goes.
===========
Instalment 1
===========
Hacking
This is intended to be a quick guide to hacking. I by no means consider myself an expert, and would really urge people not to go off and hack anyone else's computers. By all means you can set up your own servers and hack your own servers. After all, at the end of the day the only real reason for knowing how to hack is just so you can tell people! Personally my job as a network administrator sometimes brings me to the world of hacking; sometimes this will just be some kind of research, sometimes more direct action is taken and programs need to be written to do certain things. Any hacking that I actually do is usually proof of concept, and/or checking the week's popular scripts against a web server to check its security. I've written a few programs to perform DoS attacks and have written some brute force telnet password hacking programs, and the best bit, I get paid to do this! But, alas, all my exploits are safely contained in a private network, cut away from both the real world of the internet and the business world of the corporate network, my own little playground where I do all my hacking. I suggest, and strongly advise, you sort yourself out with a playground for hacking. Certainly don't jump in at the deep end: the banks will not be forgiving, government agencies won't see the funny side of trial hacking, and any small company will just be straight onto your ISP reporting your illicit activities. (I know that for sure; another part of my job is reporting hacking etc. to the person's ISP.)

Background
Hackers can be split into a few small groups.

Social engineers
Social engineers don't look at the technical aspect of computer crime so much as they look at the targets. All a good social engineer needs is himself (or herself). Social engineers study the owner of the machines that they are trying to hack in order to make educated guesses as to what passwords could be.

Script kiddies
Seen as the lowest of the low in the hacking world, script kiddies generally leech off of the hard exploratory work of others, running pre-made scripts against web servers in order to get results.

Hackers
Hackers can be either black hat or white hat; these terms generally mean good or bad. Be they either white hat or black hat, the methods of investigation will be the same, just the end result will be different. (A white hat hacker would usually report a bug whilst a black hat would exploit it!)

Hacking
Hacking is obviously very illegal, so I don't suggest that you try it, at least not on anyone else's machine. If you want to practise your hacking skills then
I suggest you practise on your own machines. It's not too hard: get an old second hand PC from eBay and set up a small network.
I recommend that you try to get a server OS (Windows NT 4, Windows 2000 Professional or Windows 2000 Server, Windows XP Pro or Windows Server 2003).
The reason I suggest that you should get these is because all of these OSes come with a version of IIS. You could also get Apache from apache.org (it is the world's most popular web server, with >50% of sites worldwide served with Apache).
Apache is free and relatively easy to configure.
As a last resort you could use a Linux / Apache combination; I say last resort because this will be a lot harder to hack than a Microsoft machine.

[I love the report Root; but we don't need to broadcast such things particularly, thanks] Along the same vein of interest, ASP support comes with IIS, but if you want PHP you'll have to download that from php.net, and if you want a database you can get MySQL. The reason I mention these is because these are all services that may be running, and just about every service has an exploit.
 
I love it Root, very thorough. I did have to edit that one comment but don't take it as an insult - it's a great report. :D

Can't wait for the next installment.
 
Well, I was going to go into something a bit more meaty involved with hacking, until during my example detail gathering I noticed that this forum might be vulnerable to a script I was going to use as an example. So I'll have a look at the script, perhaps change it a bit to sort of unload it/block the barrel/decommission it, then post it (the theory will still be the same).

anyway...

===========
Instalment 2
===========

Before anyone starts to hack, first of all they are going to want to know what they are hacking, and what they need to do in order to make a successful hack. Now part of the second reason will be why you are here. If you made it past the first instalment then there's a good chance that you actually want to find out about hacking, and how to hack. You may even have a specific target in mind…
Now with your specific target in mind, (this, if you take my advice, should be a server on your own network) you need to start doing a little exploratory work on that server…

Social Engineering
Social engineering is something every hacker needs to have a certain grasp of, whether it's spying on strangers, dumpster diving for useful paperwork or just asking the right questions at the right time in a manner that does not arouse suspicion.

I've started with social engineering; social engineering is sometimes seen as the easiest form of hacking. Some people say it's skilful, others say no skill is involved; certainly the biggest skills required are interpersonal skills: you need to gain confidence and keep confidence, you need to offer something others can't. (Just search here for the how to hack hotmail threads; certainly that was quite a good social engineering trick.) Another place to start with social engineering is to look at the weaknesses of the systems involved: are you expecting a password length (greater than three, 6-8 chars)? Case sensitive? Do you have to have numbers? Do you have to have NT strong passwords (over 6 chars involving a mixture of lower case, upper case, numbers and punctuation)? When you know the password you are expecting you can then start to outlaw some possibilities.

A prime example of social engineering is hacking email accounts; it seems every email account you sign up for asks you for a secret password / question.
Yahoo have a set of standards, so all you really need to get started with taking control of an email account is a little social engineering, a smidgen of guesswork, and a hell of a lot of patience.
Knowing the person's mother's maiden name, dog's name, cat's name, boyfriend's / girlfriend's name etc... it all puts you in a great place to 'hack' an account by misusing the proper channels.

Social engineering might also involve setting up an online forum. When people sign up they seem perfectly willing to give email addresses and tap in a password. MOST internet users only have some 5 passwords. MOST people will use their 'weak' passwords on forums; if you own the forum, you have access to the databases storing passwords.
Like I said, social engineering is a lot of research followed by a lot of guesswork.
If you want proof of concept take a look at the email button below people's names; look at how many of them ask for a pet's name as a password reminder question. Now go start a thread in the social lounge asking people if they have pets. Seem genuine and inquisitive, perhaps sign up with a more girly username or something (no offence to any women reading this, but asking about cute fluffy pets would be more of a girl thing)…
See how many people willingly tell you their pets' names, post photos of them, tell you how old they are, without a thought in the world as to what the information they tell you could be used for.

Basically social engineering in its simplest form is gathering information in order to make your life as a hacker easier.
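The point above that a forum owner can read the passwords in the forum database only holds if the forum stores them in the clear. As an added illustration (my own example, not code from this thread or from any forum software), here is how a forum should store them instead: a random per-user salt plus a slow key-derivation function, so the database holds only a verifier that cannot be turned back into the password, and two members who chose the same password get different records. The function names, the scrypt cost parameters and the two constructed member records are my choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Hypothetical helper names; scrypt cost parameters chosen for illustration.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation; this digest is what gets stored, never the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + _derive(password, salt).hex()


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time; malformed records fail closed."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


def demo_records() -> Dict[str, str]:
    """Constructed user table: two members who happen to pick the same weak password.

    The two records differ (different salts), and neither contains the password itself,
    so someone with a copy of the table still has to guess.
    """
    return {"alice": hash_password("fluffy"), "bob": hash_password("fluffy")}


if __name__ == "__main__":
    for name, record in demo_records().items():
        print(name, record, verify_password("fluffy", record))
```

The constant-time comparison and the fail-closed handling of a malformed record are the two details most often dropped from quick implementations; the cost parameters are what make a dumped table slow to brute force.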
 
another day another installment...
===========
Instalment 3
===========
Right, I'm going to combine script kiddies and hackers into one description. The thing is there is very little technically to distinguish between them. Well, that is to say a hacker will write scripts and find exploits; a script kiddie will just take and use exploits without really a clue as to what they do, or how they work.

A script kiddie would take this example

[Address]/ [-exploit-]/ [command]

And run it against any server they came across, just changing the address and possibly the command (if they could figure out what the command was!).

Whilst a hacker would at least make sure the server they are trying to exploit is susceptible to the script! Aside from looking at attacks in a more technical aspect, perhaps with a little more directed intent, I don't really think there is that much difference between a hacker and a script kiddie.

Script kiddies use pre-made scripts; usually they find these out by visiting hacking websites (search: hacking newsgroups, hacking websites, hacking, zero day exploit). You're bound to find some scripts that you might like by looking through your web server logs, and it's almost inevitable that if you are on the internet people will be attacking you. It's bad enough when you're just on the internet, but map a domain name or two to your machine and you'll get more attacks; the more addresses, it seems, the more attacks. Get a top level popular address and you'll be getting new script samples every few minutes or so.

Hacking
To start with I suggest that you use a mixture of social engineering and pre-made scripts. I know I probably shouldn't advocate a whole new breed of script kiddies, but you really do have to start somewhere. Hackers will obtain information about a machine and then run a script against the machine; the script can, and most likely will, be modified to suit the purposes of the hacker. Successful hacking is like implanting a grenade by keyhole surgery: when you start you are practically blind, gathering whatever details you can from wherever you can. Slowly but surely you are poking your way through defences until you find a weakness, then you blow that mother open and have some fun.

Once you've successfully made your first incision, so to speak, it's a blast from there on in. If you have a successful exploit then you can start running programs; one of the first things you'll probably do is put some more tools onto the server you are hacking, as this will let you at least see what you are doing.

As with social engineering, the first thing a would-be hacker needs to do is gather lots of information. So if your interest is hacking forums then get some forum software; if you want to experiment with internet disruption (aside from needing some more machines) you'll need whatever service you intend to attack installed in your test domain ready for experimentation…

Right now I'll concentrate on web servers.
The first thing you'll need to be aware of is that practically every web server is different, and mostly all web servers give away details about themselves. You'll need to collect these details so that you know what to run against the machine. For instance c:\windows\system32\cmd.exe doesn't exist on a Linux server, but does exist on a Windows machine.

In the real big bad world of the internet you'd look to somewhere like Netcraft to easily find out what the target server runs.

First port of call: www.uptime.netcraft.com
Of course on your test servers you'll already know what the platform and server is.

Secondly, now you know the web server and server platform, you'll need to do some research into the weaknesses that are on those servers.
www.ntbugtraq.com
www.securityfocus.com
And of course www.google.com

Now the purpose of those websites is not to provide information to hackers, but they do a pretty good job of doing that. The sites do provide an essential service, but as with any service, with the correct amount of knowledge and interpretation any service can be exploited. (See the joke I made there?)
 
===========
Instalment 4
===========
Now that you have the information needed to decide what hacks to apply to the web server, it's time to execute your practice hack.
Now I'm not going to post the full script I intend to illustrate, but search around enough and I'm sure you'll find it. What's also worth noting is that the vulnerability has been fixed in the last few versions of both IIS and Apache.
The vulnerability is known to affect Apache 2.0.36 on an NT OS. (It came from server logs, so I'll actually illustrate the hack.)
The loaded part of the script took advantage of a Unicode based directory traversing exploit in the servers.

In order to explain this you'll first need to know a few things.

1. Unicode is a set of replacement symbols for regular text; the first that comes to mind is space (%20). Try writing a URL with a space and see it transformed to a Unicode equivalent.
http://www.unicode.org/charts/PDF/U0000.pdf (this will help you understand)

2. Directory traversing is what you do when you type something like ../ into the browser (the exploit is actually based around ..\), as everyone should know (and if you don't, I suggest you play with DOS a little more).
cd .. is directory up towards the root of the drive.

3. On servers there are specialist folders that serve specialist content. The folders I am talking about are specifically called virtual folders. Virtual folders are usually not in the directory they are called from; they are usually placed somewhere else on the server and are a global mapping to a folder.
/cgi-bin/ is the global mapping to a folder that can contain scripts. Programs like scripts that have to execute server side are usually only allowed to execute from this folder.
Another virtual folder is the errors folder, /errors/. This folder by default serves page content to the client regardless of the actual place the errors are generated from. (It would be pretty stupid if you couldn't get an error 404 (page cannot be found) because the error message could not be found!)

(With a little common sense and the ability to put the pieces together you should be able to guess the rest of this instalment. If you can't guess then don't worry; you're reading this in order to learn.)

I'll look at this from the aspect of you having your test hack environment set up. Your environment consists of any NT server running Apache 2.0.36; your client workstation has Internet Explorer and a TFTP server. You also have an install set for an FTP server that can run 'unattended', meaning it won't wait for you to press OK…
Assuming that you have a test environment then you'll know the relative paths of the directories and their 'distance' from drive root.

First, take a look around the site; check to make sure there is an /errors/ directory and a /cgi-bin/ directory. If there is, you're ready to go. Your first assumption will be that the cgi-bin is located in its default location (C:\program files\apache group\apache2\cgi-bin); your next assumption will be that /errors/ is located in its default location
(C:\program files\apache group\apache2\errors\).

You'll have checked the server signature (using Netcraft or a similar tool in your test domain, though you will 'know' what server you are running in your test domain) and so you will know if you are attacking a server that is vulnerable to the exploits you'll be using.

On your client machine, start Internet Explorer (or any other tool capable of making HTTP requests). Now put…

[domain name]/ERRORS/[traverse backwards towards root Unicode symbols]/boot.ini
You'll have to experiment with how many Unicode ../ you need to get to the right place; the boot.ini file will be located in the root of the C drive, and your exploit would have got you there (provided Apache is in its default location).

Assuming that you have seen the contents of a boot.ini file appear in your browser window then you now know for sure:
1. the server is vulnerable to the exploit,
2. the version of Windows that is being run,
3. the server is installed on the system partition.

Now it's pretty safe to assume that the Windows directory is one of:
C:\windows
C:\windows.000
C:\windows.001 etc
C:\winnt
C:\winnt.001 etc

You'll now use the same exploit, except you'll work from the cgi-bin so that you can execute some programs:
[address]/cgi-bin/[exploit to root of drive][/windows/system32/cmd.exe]/dir+C+>>C:\dir.txt
If this works you should see a page marked error 500 (server error / malformed headers returned).
You can look at the directory list dump you just made by using the exploit from the /errors/ folder as before.
Remember: use the /errors folder when you want to view files, use the cgi-bin when you want to execute.

This dumps a directory listing of the root C drive to the C drive in a file called dir.txt.
You can use this exploit and command to build up a good picture of the server.

Obviously browsing to different folders and dumping out a list of commands.
Just remember: after you launch cmd.exe, %20 is no longer space; + is space.

Now that you've successfully exploited the server and learned how to run programs on the server (using one particular exploit), next I'll go through installing toolkits on the server to allow easier access.
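From the defending side, the requests walked through in this instalment leave a very recognisable trail in the web server's access log, provided you decode the request before looking at it: what the post calls "Unicode symbols" is URL percent-encoding, so a filter that looks for a literal ../ will miss %2e%2e/ or ..%5c. The example below is added here and is not from the thread or from Apache; it runs over a few constructed log lines (no real traffic) and flags requests that, once decoded, climb above the document root or name boot.ini or cmd.exe, and it shows the server-side check that refuses to map such a request to a file outside the document root, which is the fix the post says later Apache and IIS versions contain. The function names, the sample log lines and the /var/www document root are assumptions.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common log format); not real traffic.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2004:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.7 - - [01/Jan/2004:10:00:02 +0000] "GET /errors/%2e%2e/%2e%2e/%2e%2e/boot.ini HTTP/1.1" 200 310',
    r'10.0.0.7 - - [01/Jan/2004:10:00:03 +0000] "GET /cgi-bin/..%5c..%5c..%5cwindows/system32/cmd.exe/dir+C+>>C:\dir.txt HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2004:10:00:04 +0000] "GET /images/../index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [01/Jan/2004:10:00:05 +0000] "GET /docs/a%20b.html HTTP/1.1" 404 210',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SENSITIVE_NAMES = ("boot.ini", "cmd.exe")  # the files the post shows being read and executed


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches double encoding such as %252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def min_depth(path: str) -> int:
    """Walk a decoded path, treating backslash like slash; return the shallowest depth reached.

    0 means the request never left the document root (/images/../index.html is fine);
    a negative value means a '..' segment climbed above it (/a/../../x gives -1).
    """
    depth = shallowest = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            shallowest = min(shallowest, depth)
        else:
            depth += 1
    return shallowest


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line and list the reasons it looks like a traversal attempt (empty if benign)."""
    match = LOG_RE.match(line)
    if not match:
        return None
    client, when, method, target, status = match.groups()
    raw_path = target.split("?", 1)[0]          # ignore any query string
    decoded = fully_decode(raw_path)
    reasons = []
    if min_depth(decoded) < 0:
        reasons.append("traversal escapes document root")
    for name in SENSITIVE_NAMES:
        if name in decoded.lower():
            reasons.append("references " + name)
    return {"client": client, "time": when, "method": method, "raw": raw_path,
            "decoded": decoded, "status": int(status), "reasons": reasons}


def find_suspicious(lines: List[str]) -> List[Dict[str, object]]:
    """Return the parsed records that carry at least one reason."""
    hits = []
    for line in lines:
        record = analyze_line(line)
        if record and record["reasons"]:
            hits.append(record)
    return hits


def resolve_under_root(docroot: str, url_path: str) -> Optional[str]:
    """Server-side mitigation: decode, normalise, then refuse anything that leaves docroot."""
    decoded = fully_decode(url_path.split("?", 1)[0]).replace("\\", "/")
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG_LINES):
        print(hit["client"], hit["status"], hit["decoded"], "->", "; ".join(hit["reasons"]))
```

Two details matter in practice: the decode step runs before the depth check (otherwise the encoded forms pass straight through), and the server-side resolver compares the normalised result against the document root rather than just rejecting strings containing "..", which is why the benign /images/../index.html is still served while the boot.ini request is refused. Note that the 500 status on the cmd.exe line is exactly what the post describes as the sign that the command ran, so a log search keyed only on error statuses would miss the 200 on the boot.ini read.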
 
I had a question regarding the email hacks: is there any alternative to getting into an email account without guesswork? Or is that a MUST here?
 
The hotmail forgot password option used to have a simple hack...
They used to send the new password to an already established account, but the parameter was a part of a GET statement that could be changed to allow a 'hacker' to send the new password to wherever.

Most current email servers are much more secure.
So without:
guessing the password,
guessing the forgot password question answer (often easier),
breaking a password manager that is installed on the user's machine,
using a keylogger/other trojan,
or trying to copy a remember me cookie,
there is very little that can be done.

If you are trying to hack a friend's email account then I suggest the easiest way to do it is social engineering.
E.g. for the secret question, directly ask them what their mother's maiden name / dog's name / cat's name is (if you don't already know it).
If they have an obscure question the answer will be just as obscure (and probably obvious because it's trying too hard to be obscure).
If you know that they check their email from a certain computer then a key logger might be an easy option.
However, then you have to worry about how to get the passwords back to you (some firewalls will warn when you try to send packets out).
Other social engineering (again if it's a friend) might include setting up a forum.
Most internet users have less than 3 passwords, and use the same one for email and banking even.
 