
Hacking Methodology (Steps)

An excellent description of these steps is inside the back cover of the Hacking Exposed text by McClure et al.

Footprinting: whois, nslookup
Scanning: Nmap, fping
Enumeration: dumpACL, showmount, legion, rpcinfo
Gaining Access: Tcpdump, L0phtcrack, NAT
Escalating Privilege: John the Ripper, getadmin
Pilfering: rhosts, user data, config files, registry
Covering Tracks: zap, rootkits
Creating Back Doors: cron, at, startup folder, netcat, keystroke logger, remote desktop
Denial of Service: synk4, ping of death, tfn/stacheldraht

cs591 chow

Footprinting

Information gathering: find out the target's IP address and phone number ranges (why check phone numbers?), acquire its namespace (domain names), and map its network topology (visualRoute). Sam Spade is a Windows-based network query tool. Footprinting is essential to a surgical attack; the key here is not to miss any details. Note that for a penetration tester this step serves to avoid testing someone other than your client and to include all systems that are to be tested (sometimes the organization will not tell you what their systems consist of).

Techniques and tools:
Open source search: Google and other search engines, Edgar; finds domain names
Whois (Network Solutions; arin): admin contacts, IP addresses, name servers
DNS zone transfer: nslookup (ls -d), dig, Sam Spade

Defense: deploy a NIDS (snort), RotoRouter



Scanning

Bulk target assessment: which machines are up and what ports (services) are open. Focus on the most promising avenues of entry. To avoid being detected, these tools can reduce the frequency at which packets are sent and randomize the order in which ports or IP addresses are scanned. Note that some machines do not respond to ping but do respond to requests to ports that are actually open; Ardor is an example.

Techniques and tools:
Ping sweep: fping, icmpenum, WS_Ping ProPack, nmap
TCP/UDP port scan: nmap, Superscan, fscan
OS detection: nmap, queso, siphon



Enumeration

Identify valid user accounts or poorly protected resource shares. This is more intrusive probing than the scanning step.

Techniques and tools:
List user accounts: null sessions, DumpACL, sid2user, onSiteAdmin
List file shares: showmount, NAT, legion
Identify applications: banner grabbing with telnet or netcat, rpcinfo
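Added example (not from the slides or the Hacking Exposed text): a small Python version of the scanning and enumeration steps above. It combines a TCP connect scan that randomizes port order and spaces probes out (the two evasion knobs the Scanning slide mentions), a liveness check that needs no ICMP for hosts that drop ping, and the banner grab that enumeration does with telnet or netcat. The target is a constructed fake service on 127.0.0.1 that sends a made-up SMTP-style banner; the host, port range and banner are assumptions for the demo.

```python
import random
import socket
import threading
import time

# Constructed banner for the offline demo, shaped like what an SMTP daemon sends on connect.
FAKE_BANNER = b"220 mail.example.test ESMTP (constructed banner)\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start a one-banner TCP service on an ephemeral loopback port; return (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed, stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # scanner closed the connection before reading
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def tcp_connect_scan(host, ports, delay=0.0, timeout=0.5, randomize=True):
    """TCP connect() scan: a port is open if the three-way handshake completes.
    randomize shuffles the probe order and delay spaces probes out, which is how the
    slide's 'reduce frequency and randomize' evasion works. Returns sorted open ports."""
    order = list(ports)
    if randomize:
        random.shuffle(order)
    open_ports = []
    for port in order:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
        time.sleep(delay)
    return sorted(open_ports)


def host_is_up(host, probe_ports, timeout=0.5):
    """Liveness without ICMP: a host that drops ping still counts as up if any
    probe port completes a TCP handshake."""
    return bool(tcp_connect_scan(host, probe_ports, timeout=timeout, randomize=False))


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Enumeration step: connect and read whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""  # silent service: nothing to fingerprint from the banner


if __name__ == "__main__":
    srv, port = start_fake_service()
    print("up:", host_is_up("127.0.0.1", [port]))
    for p in tcp_connect_scan("127.0.0.1", range(port - 5, port + 6), delay=0.05):
        print(p, grab_banner("127.0.0.1", p))
    srv.close()
```

The scan checks the handshake rather than a ping reply, which is why the fake service is found even though nothing here ever sends ICMP; neighbouring loopback ports simply refuse the connection and are reported closed.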


Gaining Access

Based on the information gathered so far, make an informed attempt to access the target.

Techniques and tools:
Password eavesdropping: tcpdump/ssldump, L0phtcrack readsmb
File share brute forcing: NAT, legion
Password file grab: tftp, pwdump2 (NT)
Buffer overflow: ttdb, bind, IIS .HTR/ISM.DLL



Escalating Privilege

If only user-level access was obtained in the last step, seek to gain complete control of the system.

Techniques and tools:
Password cracking: John the Ripper, L0phtcrack
Known exploits: lc_messages, getadmin, sechole
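Added example, not the course's code: what John the Ripper or L0phtcrack does at its core, a dictionary attack with word-mangling rules against a grabbed password file. The hash format (salt$hex(sha256(salt+password))), the three accounts and the wordlist are constructed for the demo; real crackers target crypt(3), LM/NTLM and similar formats, but the attack loop is the same.

```python
import hashlib
import os

# Constructed hash format for the demo: "salt$hex(sha256(salt + password))".
# Against crypt(3) or NTLM only make_hash()/check() would change, not crack().


def make_hash(password, salt=None):
    salt = salt if salt is not None else os.urandom(4).hex()
    return f"{salt}${hashlib.sha256((salt + password).encode()).hexdigest()}"


def check(candidate, stored):
    salt, digest = stored.split("$", 1)
    return hashlib.sha256((salt + candidate).encode()).hexdigest() == digest


def mangle(word):
    """John-style rules: case variants, common suffixes, then a leetspeak substitution."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!", "2000"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand
    leet = word.translate(str.maketrans("aeios", "43105"))
    if leet not in seen:
        yield leet


def crack(shadow, wordlist):
    """shadow maps user -> stored hash. Try every mangled wordlist entry against every
    still-uncracked account; return {user: recovered password}. Stops once all are cracked."""
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            for user, stored in shadow.items():
                if user not in cracked and check(cand, stored):
                    cracked[user] = cand
            if len(cracked) == len(shadow):
                return cracked
    return cracked


# Constructed password file: two weak passwords the rules reach, one they do not.
SHADOW = {
    "alice": make_hash("Summer2000", "a1b2"),
    "bob": make_hash("p455w0rd", "c3d4"),
    "root": make_hash("x7#Qz!9vL", "e5f6"),
}
WORDLIST = ["letmein", "summer", "password", "dragon"]

if __name__ == "__main__":
    for user, pw in crack(SHADOW, WORDLIST).items():
        print(f"{user}: {pw}")
```

Only the two accounts whose passwords are a wordlist entry plus a rule fall; root's random-looking password survives, which is the whole argument for password policy on the defender's side.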


Pilfering

Webster's Revised Unabridged Dictionary (1913): Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.

Gather information that identifies mechanisms allowing access to trusted systems.

Techniques and tools:
Evaluate trusts: rhosts, LSA secrets
Search for cleartext passwords: user data, configuration files, registry
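Added example, not part of the slides: a pilfering pass over a constructed set of files from a compromised Unix host. It evaluates .rhosts and hosts.equiv trust entries for wildcard "+" trust and greps user data, configuration files and shell history for cleartext credentials. All paths, hostnames and credential values are made up for the demo.

```python
import re

# Constructed files a pilfering pass might find on a compromised Unix host.
SAMPLE_FILES = {
    "/home/oper/.rhosts": "+ +\nbackup.example.test oper\n",
    "/etc/hosts.equiv": "dbserver.example.test\n",
    "/opt/app/conf/db.properties": "db.user=app\ndb.password=Tr0ub4dor&3\ndb.host=dbserver.example.test\n",
    "/home/oper/notes.txt": "reminder: call helpdesk\n",
    "/home/oper/.bash_history": "mysql -u root -pS3cretRoot\nls\n",
}

# Credential shapes worth harvesting: key=value style settings whose key names a
# password/secret/token, and a mysql password passed on the command line with -p.
CRED_PATTERNS = [
    re.compile(r"^\s*([\w.]*(?:pass(?:word|wd)?|secret|token))\s*[:=]\s*(\S+)", re.I | re.M),
    re.compile(r"(mysql\b.*?-p)(\S+)", re.M),
]


def evaluate_rhosts(text):
    """Parse .rhosts / hosts.equiv lines into (host, user) and flag wildcard trust.
    A '+' in either field trusts any host or any user; '+ +' lets the world log in."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        host, user = parts[0], (parts[1] if len(parts) > 1 else None)
        findings.append({"host": host, "user": user, "wildcard": host == "+" or user == "+"})
    return findings


def find_cleartext_credentials(files):
    """Run the credential regexes over every file; returns (path, key, value) tuples."""
    hits = []
    for path, text in files.items():
        for pat in CRED_PATTERNS:
            for m in pat.finditer(text):
                hits.append((path, m.group(1).strip(), m.group(2)))
    return hits


def pilfer(files):
    """Both pilfering techniques from the slide in one pass over a {path: contents} map."""
    trusts = []
    for path, text in files.items():
        if path.endswith((".rhosts", "hosts.equiv")):
            for f in evaluate_rhosts(text):
                trusts.append(dict(path=path, **f))
    return {"trusts": trusts, "credentials": find_cleartext_credentials(files)}


if __name__ == "__main__":
    result = pilfer(SAMPLE_FILES)
    for t in result["trusts"]:
        print("trust:", t)
    for path, key, value in result["credentials"]:
        print(f"credential in {path}: {key} -> {value}")
```

The "+ +" entry and the database password are the two findings that matter: the first gives the trusted-host access the slide's "evaluate trusts" technique looks for, the second a credential that may be reused on the dbserver host the config names.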


Covering Tracks

Once total ownership of the target is secured, hiding this fact from the system administrators becomes paramount, lest they quickly end the romp.

Techniques and tools:
Clear logs: zap, Event Log GUI
Hide tools: rootkits, file streaming


Creating Back Doors

Trap doors are laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

Techniques and tools:
Create rogue user accounts: members of wheel, admin
Schedule batch jobs: cron, at
Infect startup files: rc, startup folder, registry keys
Plant remote control services: netcat, remote.exe, VNC, BO2K, remote desktop
Install monitoring mechanisms: keystroke loggers, add account to secadmin mail aliases
Replace applications with Trojans: login, fpnwclnt.dll


Denial of Service

If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Techniques and tools:
SYN flood: synk4
ICMP techniques: ping of death, smurf
Identical src/dst SYN requests: land, latierra
Overlapping fragment/offset bugs
Out of bounds (OOB) TCP options
DDoS: trinoo, TFN, stacheldraht
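Added example from the defender's side, not from the slides: detection logic for the DoS patterns listed above, run over constructed packet records shaped like what tcpdump would hand a sniffer. It flags identical src/dst SYN requests (land), overlapping fragment offsets, an ICMP datagram that reassembles past 65535 bytes (ping of death), and a SYN flood measured as SYN-only segments per destination per second. Addresses, IP IDs and the 100/s threshold are assumptions; fragment offsets are given in bytes rather than the 8-byte units of the IP header.

```python
from collections import defaultdict

MAX_IP_DATAGRAM = 65535  # limit of the IPv4 total length field


def pkt(t, src, dst, proto="tcp", flags=(), ip_id=0, off=0, length=40, mf=False):
    """Build a constructed packet record; off is the fragment offset in bytes."""
    return {"t": t, "src": src, "dst": dst, "proto": proto, "flags": set(flags),
            "ip_id": ip_id, "off": off, "len": length, "mf": mf}


def detect_land(pkts):
    """land/latierra: a SYN whose source address equals its destination."""
    return [p for p in pkts if p["proto"] == "tcp" and "SYN" in p["flags"] and p["src"] == p["dst"]]


def detect_syn_flood(pkts, window=1.0, threshold=100):
    """Count SYN-only segments per destination per time window (assumed 100/s threshold)."""
    buckets = defaultdict(int)
    for p in pkts:
        if p["proto"] == "tcp" and p["flags"] == {"SYN"}:
            buckets[(p["dst"], int(p["t"] // window))] += 1
    return sorted({dst for (dst, _), n in buckets.items() if n > threshold})


def detect_fragment_abuse(pkts):
    """Reassemble fragments per (src, dst, ip_id). An offset that lands inside data already
    covered is the overlapping fragment/offset bug; a datagram whose end passes 65535 bytes
    is the ping-of-death pattern."""
    groups = defaultdict(list)
    for p in pkts:
        if p["mf"] or p["off"] > 0:
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    findings = []
    for key, frags in groups.items():
        end, overlap = 0, False
        for f in sorted(frags, key=lambda f: f["off"]):
            if f["off"] < end:
                overlap = True
            end = max(end, f["off"] + f["len"])
        if overlap:
            findings.append(("overlapping_fragments", key))
        if end > MAX_IP_DATAGRAM:
            findings.append(("oversized_datagram", key))
    return findings


# Constructed traffic: one of each attack plus a normal handshake that must not trip anything.
VICTIM = "192.0.2.10"
SAMPLE = [
    pkt(5.0, VICTIM, VICTIM, flags={"SYN"}, ip_id=1),                               # land
    pkt(6.0, "198.51.100.7", VICTIM, "udp", ip_id=42, off=0, length=36, mf=True),   # fragment 1
    pkt(6.0, "198.51.100.7", VICTIM, "udp", ip_id=42, off=24, length=16),           # starts inside it
    pkt(7.0, "198.51.100.8", VICTIM, "icmp", ip_id=99, off=0, length=1480, mf=True),
    pkt(7.0, "198.51.100.8", VICTIM, "icmp", ip_id=99, off=65120, length=1480),     # ends at 66600
    pkt(8.0, "203.0.113.5", VICTIM, flags={"SYN"}, ip_id=7),                         # normal handshake
    pkt(8.0, VICTIM, "203.0.113.5", flags={"SYN", "ACK"}, ip_id=8),
] + [pkt(0.001 * i, f"10.0.0.{i % 200 + 1}", VICTIM, flags={"SYN"}, ip_id=1000 + i)
     for i in range(300)]                                                             # SYN flood burst


if __name__ == "__main__":
    print("land:", [(p["src"], p["dst"]) for p in detect_land(SAMPLE)])
    print("syn flood victims:", detect_syn_flood(SAMPLE))
    print("fragment abuse:", detect_fragment_abuse(SAMPLE))
```

The single SYN of the legitimate handshake never crosses the per-second threshold and the SYN/ACK is not SYN-only, so only the 300-packet burst is reported; the fragment checks key on (src, dst, ip_id) because that is the tuple the receiving stack reassembles on.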

