User talk:Dnextedge

Vandalism and Hacking
Posted by: Ezekiel Nsidibe Frank
Tuesday, 03 October 2006

Vandals often use hacking techniques to deface a website or destroy data and files, but there are also those who just want to steal resources (make use of other people's servers without their knowledge or permission) or to cover their tracks by stealthily making use of hardware owned by legitimate businesses to carry out processing for illegal operations or to relay spam and viruses to others. The best defence against the majority of these types of attacks comes through installing and maintaining the latest versions of anti-virus and firewall software. As new threats are identified, updates are issued which can identify and neutralise most harmful operations before they have a chance to do any damage. Having a server fully managed by a reputable hosting company ensures that these defences are always in place.

Perhaps a more sinister threat is that of 'black hat' hackers, or 'crackers'. As a general definition, 'white hat' hackers are enthusiasts who enjoy learning the intricacies (including weaknesses) of computer systems with no malicious intent, whereas 'black hat' hackers are those whose sole purpose is to break into systems and gain access to information and functions to which they are not entitled. The word 'hacker' was originally used to refer to the 'white hat' variety, whereas 'cracker' was used to identify 'black hats'. The media have since latched onto the word 'hacker' almost exclusively in connection with 'black hat' hacking, and this is usually what is understood by the term 'hacking' today.

SQL Injection

One popular and potentially devastating method of attack is SQL injection. Any web application that makes use of a database usually communicates with the database for necessary functions using a special language known as 'Structured Query Language', or SQL.
By issuing an SQL command to a database server, the web application can control virtually any aspect of the database: adding, editing, or deleting records or tables of data. Although a powerful tool in the hands of a software developer, SQL can become a lethal weapon in the hands of a hacker. Of course, the web server would need to be configured in such a way that prevents third parties from issuing SQL commands to the database, whilst allowing legitimate requests from the web application to be processed. The problem arises though where a programmer incorporates user input directly into an SQL command, quite a common practice. For example, a program might want to issue an SQL command such as this:

    SELECT * FROM users WHERE first_name = 'John'

This SQL command would request all of the records from the 'users' table in the database where the first name matches the value supplied (in this case 'John'). In many instances, the value to be matched against will need to come from the text that is entered into a form on the website, so instead of the program explicitly using the value 'John', it would need to insert the text that was entered by the user, perhaps like this (using PHP as the programming language):

    "SELECT * FROM users WHERE first_name = '" . $_POST['first_name'] . "'"

In this case, the value from the form (the $_POST['first_name'] bit) is inserted directly into the command. This would work fine for normal use, but if a hacker realised how this SQL command was constructed, he could 'inject' his own SQL command and perform any operation he likes on the database. For example, instead of entering a value like 'John' in the website's form, he could type something like this:

    '; DROP users;

The single quote mark and semi-colon will cause the original SQL command to end, and then the hacker can type any SQL command he likes to be run afterwards; in this case, the command 'DROP users;' would delete the users table from the database completely.
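The concatenated query above, beside the parameterised query a practitioner would use instead of hand-escaping quotes, as an added Python example that is not from the original post. It assumes a driver that accepts several statements in one call (modelled here with sqlite3's executescript), uses a constructed in-memory 'users' table, and writes the page's payload with the TABLE keyword that SQLite requires.

```python
import sqlite3


def make_demo_db():
    """Build an in-memory database with a constructed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)")
    conn.executemany("INSERT INTO users (first_name) VALUES (?)",
                     [("John",), ("Jane",)])
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table of that name is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


def build_query_unsafe(first_name):
    """The page's PHP pattern: user input concatenated straight into SQL."""
    return "SELECT * FROM users WHERE first_name = '" + first_name + "'"


def run_unsafe(conn, first_name):
    """Run the concatenated query on a driver that accepts stacked
    statements (assumption: modelled with sqlite3's executescript)."""
    try:
        conn.executescript(build_query_unsafe(first_name))
    except sqlite3.Error:
        # The stray trailing quote fails to parse, but by then every
        # statement before it, including an injected DROP, has already run.
        pass


def find_users_safe(conn, first_name):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, first_name FROM users WHERE first_name = ?",
        (first_name,)).fetchall()


# The page's payload, with the TABLE keyword that SQLite requires.
PAYLOAD = "'; DROP TABLE users;"

if __name__ == "__main__":
    conn = make_demo_db()
    run_unsafe(conn, PAYLOAD)
    print("table survives concatenation:", table_exists(conn, "users"))
    conn = make_demo_db()
    print("safe lookup of John:", find_users_safe(conn, "John"))
    print("safe lookup of payload:", find_users_safe(conn, PAYLOAD))
    print("table survives parameterised query:", table_exists(conn, "users"))
```

With the concatenated query the users table is gone after one request; with the bound parameter the same input simply matches no rows.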
All user input must therefore be carefully validated by the programmer, especially before use in an SQL command, and in particular single quote marks should be either removed or 'escaped', which means they are tagged with a special symbol (or 'escape character', usually a forward slash '/') that lets the database server know that the quote mark is part of the data and not part of the SQL command.

Cross Site Scripting (XSS)

Cross Site Scripting is a hacking technique whereby malicious scripting code (usually JavaScript) is injected into user input forms (in a similar way to SQL injection attacks) or incorporated in a URL query string. The threat is greatest when the user input is then output in a dynamically generated web page, and especially if the data is displayed as HTML code. A malicious entry could include a piece of JavaScript which performs virtually any action on an innocent end-user's browser (typically a hacker would try to get users to visit the infected page, often by posting links in forums etc.), including cookie theft (enabling the hacker to then log in as the other user and access their account), or logging the user's activity, for example recording keystrokes so as to intercept passwords.

The methods of counteracting cross site scripting are similar to those of SQL injection: all data entry (whether posted in a form or passed in a URL) must be carefully validated to ensure that it does not contain 'special characters' (such as greater-than or less-than symbols) which could allow scripting code to be embedded in the data. These special characters can be represented in hexadecimal notation as well as plain text, so both need to be checked for by the script. Where special characters are to be legitimately allowed, they must be converted to HTML character codes before being displayed in a web page; this prevents them from being interpreted as script by the browser.

Directory Traversal

A website is stored within a file system on a server.
Some of the server's file system is therefore exposed to the outside world and can be accessed by an end-user's web browser. The part of the file system (or directory structure) that is visible to the outside world is limited to a specific root folder and its contents. Any folders higher up the hierarchy (i.e. before you get to the root folder) are theoretically unreachable by the world at large; only authorised users who are logged in on the web server itself can access such folders. For example, on the actual web server, you might have a directory structure similar to this:

    home
        username
            public_html
                images
                downloads
            private
                documents
                passwords

In the above example, the public_html folder is the root folder for the website. Anything underneath that folder in the hierarchy can be accessed by a web browser. All of the other folders are not accessible to the world at large because they are not located under the public_html folder.
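Two checks for the sections above, as an added Python example that is not part of the original post: output encoding for the cross site scripting case (decoding %-hex notation before converting the special characters, as the text requires), and the root-folder check the directory traversal section calls for, run against a temporary copy of the directory layout above (constructed here). The function names are mine; treating '\' as well as '/' as a separator is an assumption made so the Windows-style path from the page behaves the same on any OS.

```python
import html
import os
import tempfile
from urllib.parse import unquote


def render_comment_unsafe(user_text):
    """What the page warns against: user input dropped into HTML as-is."""
    return "<p>" + user_text + "</p>"


def render_comment_safe(user_text):
    """Decode %-hex notation first, then convert the HTML special characters
    ('<', '>', '&' and quotes) to character codes so they display literally."""
    decoded = unquote(user_text)
    return "<p>" + html.escape(decoded, quote=True) + "</p>"


def read_within_root(root, user_path):
    """Return a file named by the user only if it resolves inside `root`.
    Assumption: both '/' and '\\' are treated as separators."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(
        os.path.join(real_root, user_path.replace("\\", "/")))
    # realpath has already collapsed any '..' segments, so a candidate that
    # no longer shares the root as its common prefix has escaped the web root.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError("path escapes the web root: " + user_path)
    with open(candidate, encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree():
    """Recreate the page's directory layout under a temp dir (constructed),
    returning the path of public_html, the website's root folder."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "username")
    for sub in ("public_html/images", "public_html/downloads",
                "private/documents", "private/passwords"):
        os.makedirs(os.path.join(home, sub))
    with open(os.path.join(home, "public_html", "welcome.txt"), "w") as fh:
        fh.write("public text")
    secret = os.path.join(home, "private", "passwords", "passwordlist.txt")
    with open(secret, "w") as fh:
        fh.write("SECRET (constructed)")
    return os.path.join(home, "public_html")


if __name__ == "__main__":
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("%3Cscript%3Ealert(1)%3C/script%3E"))
    root = make_demo_tree()
    print(read_within_root(root, "welcome.txt"))
    try:
        read_within_root(root, "..\\private\\passwords\\passwordlist.txt")
    except PermissionError as err:
        print("blocked:", err)
```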

In a directory traversal attack though, a poorly written script can allow a hacker to access those other folders and read their contents, just using a web browser. This is because a server-side scripting language, such as PHP, runs on the server as though it were a logged-in user: the scripting language has access to all of the folders and files, not just those underneath the root. If a script reads (or outputs the contents of) files on the server as part of its legitimate processing, it must be written in such a way that the files that are used cannot be specified arbitrarily by the end user. Taking the above directory structure as an example, suppose there was a script on the server that reads the contents of a text file in the public_html folder and outputs it to the screen. If the end user were able to specify the name of the text file to be displayed, the script would need to make sure that the name they entered was still within the public_html folder. If they entered a file name like '..\private\passwords\passwordlist.txt', the two dots at the start would tell the script to move up in the directory structure, effectively breaking out of the website's root folder, and then the hacker can specify any file path he likes, whether within the website's root or not. Therefore, where user input is used as the basis of files that are to be read (or more importantly, output) by a dynamic web page, the script must include a validation routine that ensures that the value entered by the user is legitimate and does not allow the directory structure to be traversed.

Denial of Service Attacks (DOS, DDOS)

A denial of service attack takes place when a hacker overloads a system with large or repeated requests for a service. For example, where a script requires some intensive processing on the server, if lots of requests are received at the same time, this can cause the server to slow down to such an extent that legitimate requests from others cannot be processed.
In some instances, a denial of service attack can cause the server to crash completely. In an effort to prevent denial of service attacks, many scripts which require intensive processing will only allow a single request from any one user (for example, by checking the IP address of the source of the request, and only allowing one request from that IP address within a certain time period). However, distributed denial of service attacks (DDOS) involve a hacker impersonating hundreds or even thousands of different users in such a way that the script cannot tell whether the requests are legitimate or not. DDOS attacks are very difficult to prevent, but they can also be very difficult to carry out: the effort involved in executing such an attack without being traced means that in most cases it is not a worthwhile exercise from the hacker's point of view; they would prefer to use easier methods of attack. If a server has strong defences in other areas though, and an attacker has a strong grudge against a company, a DDOS attack becomes more likely. For this reason, it is usually large corporations and financial institutions who suffer from these attacks.

HTTP Sniffing

HTTP stands for 'HyperText Transfer Protocol', and it is the mechanism used to transfer data from one computer to another across the internet. You can use HTTP to request information from a server, or to send information to a client, by wrapping the request or data in a 'packet'. An HTTP packet consists of a header section which identifies the purpose of the packet (e.g. to request a file), the destination (e.g. the address of the website the file is being requested from), the format of the request (e.g. what type of encoding is used in the main text of the packet), and whether the packet is in one part or has been split up and sent as separate parts (so the server can collect all of the parts it needs before dealing with the request), among other things.
Usually, HTTP packets wing their way across the internet from one machine to another without any human intervention, and without anyone seeing what the packets contain. However, the data in an HTTP packet is usually just plain text – it is not encrypted in any way and can easily be intercepted, read, and even changed en-route by anybody with the appropriate software and technical skill. The programs used to intercept HTTP requests are known as ‘HTTP sniffers’ – and they are often used to ‘sniff out’ important information that can be used maliciously (there are also legitimate uses for HTTP sniffers – for example, they can be useful in debugging applications that rely on the transfer of HTTP packets). Any data sent over plain HTTP is therefore susceptible to interception, and must be presumed insecure.

For this reason, any sensitive data that must be transferred from one machine to another on the internet should not be sent as a plain HTTP packet. This includes login screens, and forms that collect sensitive personal information such as credit card details. In these instances it is usually best to use HTTPS. HTTPS is very similar to HTTP; it's just that the data in the packet is encrypted. So even if someone uses an HTTP sniffer, they will not be able to read any of the data without a special 'key', and that key is held securely on the receiving computer. If a hacker tries to change the data, this will be detected by the receiving machine, because it will no longer be able to decrypt the package.

Other Tactics

There are numerous other tactics that can be used to break into a computer system, and these usually involve discovering weaknesses or loopholes in the server software's defences. When a programmer writes software that runs on a web server, he tries to make sure that the software cannot be abused, but it can be very difficult to foresee every eventuality; vandals and hackers are always pushing software to the limit and trying out operations which the software was not designed to handle, in an attempt to discover a way in. Usually, hackers practise using a copy of the software on their own server so that they can try out different tactics without getting caught; when they find something that works, they can then use it on other people's servers. For this reason, it is often well-established server software that is the focus of the attack, rather than proprietary scripts written for a specific site. Manufacturers and vendors of software packages for web servers often advise on configuration recommendations which will negate common attack tactics, but sometimes even the manufacturers are unaware of, or don't bother warning about, a loophole which can easily be exploited.
For example, sometimes the default configuration options are geared towards making the software easy to use and powerful, rather than secure. Installation log files, release notes, welcome screens, and various other files which are generally just ignored by server administrators can be the source of valuable information for a hacker. For example, just knowing which version of operating system your server runs can allow a hacker to exploit a known weakness in that particular version. If he cannot find out what version you are using, he risks being caught if he just tries out an exploit on the off-chance that it will be successful. It is therefore important to make the hacker's job as difficult as possible by obscuring any information that could be used to identify what software and versions the server is using.


For those of us stuck on Win boxes there's always the annoying necessity of dependence on a GUI. Most Win based programs explicitly require interaction with icons, mouse clicks, and pretty buttons. What most Windows users don't realize is that there is a host of functionality hidden at the command line prompt. Cleverly hidden, it's even difficult to get to a command prompt from Win desktops. I've gone ahead and added a shortcut to the DOS prompt to my desktop. Although Windows 2000 makes this slightly easier by offering 'Command Line' in the Start menu, this prompt may be cryptic for the inexperienced. For instance, did you know that you can FTP from a DOS prompt? Not just one file at a time, but whole directories? The sad situation of affairs is that most of this functionality goes unused by the majority of Windows users, and this is understandable. I haven't been able to find a single good book outlining DOS commands. Sure, I've got the 1,000 page MS-DOS manual on my desk (you can get those pretty cheap these days), but even these manuals don't outline the vast majority of commands I use from a DOS prompt in any understandable way.
The following is a list of DOS commands I use at a command prompt regularly, and a short synopsis of their common usages. Please feel free to write and let me know if there are any I forgot. As the purpose of Hack In The Box is to free information, and I feel this is information that vitally needs to be free, any reader tips would be greatly appreciated. Well, enough of the smarmy intro, here's the guts:

Dir

This command is used to display a directory's contents. We're probably all familiar with this handy gem. The problem with 'dir' is that if you're listing a long directory, then the contents scroll quickly across the screen and disappear, and since there is no scroll bar at the command prompt they are lost. In order to view a long directory one screen at a time, try 'dir | more'. This will splash out one screen-full at a time so you can actually examine the directory's contents. * is the wildcard for dir, so to find all the files or folders in a directory starting with 'a', try 'dir a*'. To find a sequence in the name of any of the files or folders in a directory try 'dir | find "dir"'; this will find any files or folders with the sequence 'dir' in their names. Let's say, however, that you would like to sort this list alphabetically. Try 'dir | find "dir" | sort' and you will get an alphabetically sorted list.

Ping

This is actually a small program found in c:\windows by default. Ping is used to send packets of data to a destination and measure their time of travel and loss. Since this is such a handy tool it may be useful to actually give you the usage and options available in ping as provided by the program itself:

    Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
                [-r count] [-s count] [[-j host-list] | [-k host-list]]
                [-w timeout] destination-list

    Options:
        -t             Ping the specified host until stopped.
                       To see statistics and continue - type Control-Break;
                       To stop - type Control-C.
        -a             Resolve addresses to hostnames.
        -n count       Number of echo requests to send.
        -l size        Send buffer size.
        -f             Set Don't Fragment flag in packet.
        -i TTL         Time To Live.
        -v TOS         Type Of Service.
        -r count       Record route for count hops.
        -s count       Timestamp for count hops.
        -j host-list   Loose source route along host-list.
        -k host-list   Strict source route along host-list.
        -w timeout     Timeout in milliseconds to wait for each reply.

This one is pretty similar to the *nix command of the same name, only if you simply type 'ping hackinthebox.org' you will only transmit 4 32 bit packets (the default settings). Ping is also useful because if you don't know an IP address for a domain, you can simply ping the domain and the IP will be displayed ('ping hackinthebox.org' shows that Hack In The Box is at 203.106.21.47).

Tracert

Ah yes, the infamous traceroute does have a DOS manifestation. The official usage and options are as follows:

    Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

    Options:
        -d                 Do not resolve addresses to hostnames.
        -h maximum_hops    Maximum number of hops to search for target.
        -j host-list       Loose source route along host-list.
        -w timeout         Wait timeout milliseconds for each reply.

Tracert is useful for trying to figure out if an IP is in a subnet. Now, because of the internet's distributed architecture, the packets traced by tracert won't always take the same route, but by examining the last few hops to a destination you can usually figure out where a target is located, or a target's ISP. It is useful to note that tracert will fail if packets time out 3 times consecutively. The last few steps in tracert from my IP to hackinthebox.org are as follows:

     12   488 ms     *        *     202.188.144.98
     13   484 ms     *        *     klj01-ether0-0.tm.net.my [202.188.4.33]
     14   487 ms   502 ms     *     202.178.23.5
     15   501 ms   506 ms   517 ms  202.178.23.12
     16   525 ms   518 ms     *     hackinthebox.org [203.106.21.47]
     17   521 ms     *      517 ms  hackinthebox.org [203.106.21.47]

So it's a good bet that hackinthebox.org has something to do with klj01-ether0-0.tm.net.my.
Ipconfig

This handy little command is used for Windows IP configuration. The parameters are as follows:

    Windows 98 IP Configuration

    Command line options:
        /All          - Display detailed information.
        /Batch [file] - Write to file or ./WINIPCFG.OUT
        /renew_all    - Renew all adapters.
        /release_all  - Release all adapters.
        /renew N      - Renew adapter N.
        /release N    - Release adapter N.

This command is extremely useful for figuring out the IP address of the machine you're sitting on, whether it's not your usual terminal or you get a dynamically assigned IP address.

Netstat

This command lists open ports on your computer, the protocols being used, the port's local address, any foreign connections to that port, and the state of the port. This one is handy for figuring out if anyone whom you don't know is connected to your computer, or if a certain connection is established, syncing or waiting. The official usage, etc. is as follows:

    NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

      -a            Displays all connections and listening ports.
      -e            Displays Ethernet statistics. This may be combined with
                    the -s option.
      -n            Displays addresses and port numbers in numerical form.
      -p proto      Shows connections for the protocol specified by proto;
                    proto may be TCP or UDP. If used with the -s option to
                    display per-protocol statistics, proto may be TCP, UDP,
                    or IP.
      -r            Displays the routing table.
      -s            Displays per-protocol statistics. By default, statistics
                    are shown for TCP, UDP and IP; the -p option may be used
                    to specify a subset of the default.
      interval      Redisplays selected statistics, pausing interval seconds
                    between each display. Press CTRL+C to stop redisplaying
                    statistics. If omitted, netstat will print the current
                    configuration information once.

FTP

The built-in DOS command line file transfer program. This baby has come in handy so many times I couldn't even begin to tell you. Simply type in ftp somewhere.com and you're off.
The commands available under the DOS ftp can be found by issuing the 'help' command once inside the ftp program. For information's sake though, here they are:

    Commands may be abbreviated.  Commands are:

    !               delete          literal         prompt          send
    ?               debug           ls              put             status
    append          dir             mdelete         pwd             trace
    ascii           disconnect      mdir            quit            type
    bell            get             mget            quote           user
    binary          glob            mkdir           recv            verbose
    bye             hash            mls             remotehelp
    cd              help            mput            rename
    close           lcd             open            rmdir

You'll notice a lot of similarity here to *nix commands. I find 'get' and 'put' to be the most commonly used. For instance, say I want to get a file through FTP from hackinthebox.org. I simply type in 'ftp hackinthebox.org' and when prompted enter my username and password. It is important to note that whenever you initiate an ftp from the DOS command line you're operating out of the directory in DOS in which you initiated the FTP. For instance, if I issue an FTP command from C:\Windows, then all the files I 'get' will end up in the Windows directory, and I will not be able to 'put' any files from my hard drive onto the host machine (hackinthebox.org for instance) except those that are in my Windows directory. I find it most useful to FTP from the C: directory.

Telnet

While this is actually a DOS command to launch the external Windows based Telnet program (found in C:\Windows by default), you can issue optional arguments to telnet from the DOS prompt. For instance, if you wish to telnet to a port other than 23, you can issue that command at the prompt. For instance, if I wish to telnet to Hack In The Box's SMTP port I can issue 'telnet hackinthebox.org 25'. There is a bit of help offered in the telnet program itself, so I won't go into detail here.

The last few commands I've got are programs found on a Windows boot disk, but are enormously helpful. These two are the format command and the fdisk command. Format will actually launch format.com, found again in C:\Windows\Command by default.
Format can be used to format a drive and essentially wipe it clean (good for rebuilding a machine). Fdisk is another beautiful tool found in C:\Windows\Command. This is the DOS disk-partitioning tool (very handy when dual partitioning). Since fdisk is a fairly extensive program and has its own help section I won't go into any more detail than to mention it and tell you that it is really handy to know how to use (you should check it out if you never have before; simply issue 'fdisk' at the command prompt and poke around the program, it will alert you if you are about to do anything bad and won't actually mess with your partitions unless you direct it to). Well, those are my top 9 commands to use at a DOS prompt; perhaps some of you will write me and let me know what the last command is in the DOS top 10. Take care and enjoy.