Security - Hacking Methodology

Copyright 1997 Ryan Net Works, LLC. All rights reserved.

In order to understand how to implement security it is necessary to characterize hacking. This document encapsulates years of hacking experience, and I hope that it will shed some light on just what hacking is and how you can defend against it. This paper serves as a foundation course in the subject of hacking without delving deeply into advanced mathematics or highly theoretical issues.

Generally, hackers are unorganized, but that doesn't mean we can't perform an analysis of hacking. The method we will use is one that was pioneered in World War II by the RAND Corporation. If we treat hacking as an operations research problem, we can put it on a firm, even mathematical, foundation. The goal of the hacker is to maximize some set of stated goals (theft, revenge, etc.) while at the same time minimizing his risk. The defender, on the other hand, is looking to amplify the risk to the hacker while minimizing his exposure to potential abuse.

Consider making an assault on, say, Normandy or Kuwait: a hacker is presented with many of the same problems. How is he to maximize his chance of success while minimizing his risk? Each action he can perform is characterized by a signal that the defender may or may not be able to detect. Therefore, one of his goals must be to minimize the signal he sends to the defender. We caveat this statement because the attacker may decide that stealth costs too much and his real goal is better served by a frontal assault. Even so, this choice simply means that the defender receives the signal at full strength right from the start, so the same methods we outline for amplifying and detecting attack signals will apply.

Attacker/Hacker Goals

Defender Goals

In order to begin an analysis of hacking we need to break it up into phases and then run our min/max analysis on each phase. Hacking, like any other attack, can be characterized by the following phases.

  1. Reconnaissance

  2. Strategy Development

  3. Invasion

  4. Base Camp Development

  5. Operations

The remainder of the paper considers each of these phases in turn. We also begin to give a method for assigning weights to the variables in our matrix according to how much each contributes to a stated goal.

1. Reconnaissance

Here the hacker tries to map out the defender's assets. We create a table with three columns:


         METHOD                                     Asset    Signal   Comment

    1.1  DNS                                        nh(u)    h
    1.2  INTERNIC (INer/DDN)                        nh(u)    l
    1.3  Social engineering
         1.3.1  Telephone book                      u        l
         1.3.2  Call personnel                      u        m
         1.3.3  Dumpster diving                     nhup     m
         1.3.4  Def. marketing                      p        m-l
         1.3.5  Att. marketing                      p        h
         1.3.6  Knob rattling                       nhup     h
         1.3.7  Help desk requests                  u        l
         1.3.8  Admin's name                        u        l
         1.3.9  Financial statements                nhup     l
         1.3.10 News clippings                      nhup     l
    1.4  Hacker BBS
    1.5  Machine based data collection
         1.5.1  Search news postings                nhups    l
         1.5.2  War dialing                         hs       m        AIO5, toneloc
         1.5.3  Info bots                           nhups    m
         1.5.4  SATAN                               nhups    h
         1.5.5  DNS                                 nhu      l
         1.5.6  WHOIS                               nhu      l
         1.5.7  Ping                                hn       h
         1.5.8  Finger                              hnu      h        finger @@espn.com
         1.5.9  Traceroute                          nh       m        tcpdump, ethload, sniffers
         1.5.10 Net managers w/ host discovery      nh       h        Scotty, HP OpenView
         1.5.11 Ether host probe                    nhs      h        Broadcasts
         1.5.12 Sniffers                            nhups    l
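The Signal column above is what the defender has to work with. Individually, many reconnaissance events are rated l (a single DNS lookup, one finger query); the defender's counterpart to the hacker's signal minimization is to correlate those events per source so that they add up to something worth an alert. The following is an added example, not code from the paper: it parses log lines written in the style of tcp_wrappers "connect from" messages (the sample lines are constructed), weights each connect by the table's h/m/l rating for that service, and flags a source whose weighted signal inside a ten-minute window, or whose spread across services, crosses a threshold. The numeric scale, the window and the thresholds are assumptions.

```python
"""Added example (not from the paper): turning low-signal reconnaissance
events into a high-signal alert by correlating them per source. The log
lines are constructed in the style of tcp_wrappers 'connect from' messages;
the weights and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Signal ratings follow the tables where they rate the method: finger is h
# (1.5.8), ftp/telnet connects are h (brute force, 3.1.x), DNS is l (1.5.5).
# The numeric scale h=3, m=2, l=1 is an assumption; unknown daemons get 1.
SIGNAL_WEIGHT = {"in.fingerd": 3, "in.telnetd": 3, "in.ftpd": 3, "named": 1}

# Constructed sample log; one unrelated cron line is included on purpose.
SAMPLE_LOG = """\
Feb 12 03:14:07 gw in.fingerd[201]: connect from 10.9.8.7
Feb 12 03:14:09 gw in.fingerd[202]: connect from 10.9.8.7
Feb 12 03:14:20 gw in.telnetd[203]: connect from 10.9.8.7
Feb 12 03:14:31 gw CRON[204]: (root) CMD (run-parts /etc/cron.hourly)
Feb 12 03:15:02 gw in.ftpd[205]: connect from 10.9.8.7
Feb 12 03:20:11 gw in.ftpd[206]: connect from 192.168.1.5
Feb 12 03:21:00 gw in.telnetd[207]: connect from 192.168.1.5
Feb 12 04:00:00 gw in.ftpd[208]: connect from 192.168.1.5
""".splitlines()

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.]+)\[\d+\]: connect from (\S+)$"
)


def parse(line, year=1997):
    """Return (timestamp, daemon, source) for a tcpd-style connect line, else None.
    syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def score_sources(lines, window=600, weight_threshold=8, service_threshold=3):
    """Per source: the peak weighted signal inside any `window` seconds, the
    number of distinct services touched, and whether either crosses its
    threshold. Many l-rated events add up; that is the amplification."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                      # not a connect line; ignore it
        ts, daemon, src = parsed
        events[src].append((ts, daemon, SIGNAL_WEIGHT.get(daemon, 1)))

    report = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):       # sliding window over sorted events
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            peak = max(peak, sum(w for _, _, w in evs[start:end + 1]))
        services = {daemon for _, daemon, _ in evs}
        report[src] = {
            "peak": peak,
            "services": len(services),
            "flag": peak >= weight_threshold or len(services) >= service_threshold,
        }
    return report


if __name__ == "__main__":
    for src, result in score_sources(SAMPLE_LOG).items():
        print(src, result)
```

On the sample, 10.9.8.7 touches three services in under a minute and is flagged; 192.168.1.5 makes the same kind of connects spread over forty minutes and is not. The window is what keeps a slow, patient attacker's signal low, which is exactly the trade-off the paper's min/max framing predicts, so a defender tuning this would widen the window and lower the threshold until the false positives become a problem.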
				

2. Strategy Development

This is the heart of the operations research approach to hacking. Here the hacker plays out the what-if scenarios away from the prying eyes of the defender. By assigning a value to each of the goals (e.g. Curiosity = 5, Revenge = 1, Money = 0) and a cost to each method, we can minimize the signal, maximize the result, and minimize the cost.

We do not have time, nor can we set up the mathematics for min/max problems here, but the interested student can pick up a textbook on the subject of operations research and apply the mathematics to the analysis generated here. The columns of this table are given by:


                Motivation                                   Motivation Code   Signal   Comment

    2.1  Establish goals
         2.1.1  Curiosity/intelligence                       p                 m
         2.1.2  Competitive edge / corporate espionage       md                h
         2.1.3  Revenge (disgruntled employee, ...)          pd                h
         2.1.4  Vandalism                                    pd                m
         2.1.5  Bragging                                     pd                h
         2.1.6  Blackmail                                    pmd               m
         2.1.7  Theft                                        m                 m-h
         2.1.8  Embezzlement                                 m                 l-m
    2.2  Inventory resources
         2.2.1  Create inventory                             xxx               l-h
         2.2.2  Assign inventory cost (N.B. here code = cost)
                2.2.2.1  Invent                              h                 l
                2.2.2.2  Trade                               m                 h
                2.2.2.3  Purchase                            m                 m
                2.2.2.4  Steal                               l                 h
                2.2.2.5  Freeware/shareware                  l                 l
         2.2.3  Fill inventory
                2.2.3.1  Invent                              h                 l
                    2.2.3.1.1  Design tools
                        2.2.3.1.1.1  Stack smashing
                        2.2.3.1.1.2  Race conditions
                        2.2.3.1.1.3  Lying (resource swapping)
                        2.2.3.1.1.4  Backdoor
                        2.2.3.1.1.5  Brute force
                2.2.3.2  Trade
                    2.2.3.2.1  Hacker groups                 l                 m
                2.2.3.3  Purchase
                    2.2.3.3.1  Consultants                   h                 l
                    2.2.3.3.2  Hacker CDROMs                 l                 l        l0pht
                2.2.3.4  Steal
                    2.2.3.4.1  Hacker groups                 m                 h
                    2.2.3.4.2  Government                    h                 h
                2.2.3.5  Freeware/shareware
                    2.2.3.5.1  Hacker groups                 l                 m
                    2.2.3.5.2  Newsletters                   l                 m
         2.2.4  Benefits analysis (N.B. code: s = secrecy, e = effective)
                2.2.4.1  Invent                              es                n/a
                2.2.4.2  Trade                               e                 l
                2.2.4.3  Purchase                            e                 l
                2.2.4.4  Steal                               es                m
                2.2.4.5  Free/shareware                      es                l
         2.2.5  Assign inventory benefit                     xxx               l
         2.2.6  Cost benefit analysis                        xxx               l
    2.4  Make a battle plan                                  xxx               l
         2.4.1  Fill min/max matrix
         2.4.2  Run min/max matrix
         2.4.3  Review results and run min/max matrix again
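The paper leaves the min/max mathematics to a textbook, but the shape of the matrix in 2.4 can be shown on a toy instance. The following is an added example, not the paper's own method: each method gets a payoff of goal value served minus cost minus signal, using the text's Curiosity = 5, Revenge = 1, Money = 0 and the tables' h/m/l ratings; 2.4.2 is then "pick the row with the highest payoff". The useful part for the defender is 2.4.3 run from the other chair: a control is modelled as raising the signal of one or more rows, and its worth is how far it lowers the attacker's best payoff. The method inventory, the numeric scale for h/m/l and the candidate controls are all constructed for the example.

```python
"""Added example (not from the paper): a small min/max matrix of the kind
section 2 describes, scored first from the attacker's side and then reviewed
from the defender's side. Method names, levels and weights are constructed."""
from dataclasses import dataclass, replace

# The tables rate cost and signal as h/m/l; this numeric scale is an assumption.
LEVEL = {"l": 1, "m": 2, "h": 3}


@dataclass(frozen=True)
class Method:
    name: str
    goals: tuple   # motivations the method serves (names from 2.1)
    cost: str      # inventory cost, h/m/l (2.2.2)
    signal: str    # signal sent to the defender, h/m/l


# Goal values as in the text's example: Curiosity = 5, Revenge = 1, Money = 0.
GOALS = {"curiosity": 5, "revenge": 1, "money": 0}

# Constructed inventory; names echo section 1 and 2.1 entries, ratings are illustrative.
METHODS = [
    Method("sniffing", ("curiosity", "money"), "l", "l"),
    Method("brute force telnet", ("curiosity",), "l", "h"),
    Method("dumpster diving", ("curiosity", "revenge"), "m", "m"),
    Method("corporate espionage", ("money",), "h", "h"),
]


def attacker_score(method, goal_values, weights=(1, 1, 1)):
    """One cell of the matrix: result minus cost minus signal. Maximizing it is
    the 'maximize the result, minimize the cost, minimize the signal' objective."""
    w_result, w_cost, w_signal = weights
    result = sum(goal_values.get(g, 0) for g in method.goals)
    return w_result * result - w_cost * LEVEL[method.cost] - w_signal * LEVEL[method.signal]


def run_matrix(methods, goal_values, signal_boost=None):
    """2.4.2: score every method and return the attacker's best (name, score).
    signal_boost maps a method name to a raised signal level; that is how a
    defender control (logging, alerting, shredding) enters the attacker's matrix."""
    signal_boost = signal_boost or {}
    scored = [
        (m.name, attacker_score(replace(m, signal=signal_boost.get(m.name, m.signal)), goal_values))
        for m in methods
    ]
    return max(scored, key=lambda pair: pair[1])


def defender_review(methods, goal_values, controls):
    """2.4.3 from the defender's chair: for each candidate control (name ->
    {method: new signal level}) report how far it lowers the attacker's best
    payoff. A control that leaves the attacker's optimum untouched scores 0."""
    baseline = run_matrix(methods, goal_values)[1]
    return {name: baseline - run_matrix(methods, goal_values, boost)[1]
            for name, boost in controls.items()}


# Candidate defender controls, constructed for the example.
CONTROLS = {
    "switched net + ARP monitoring": {"sniffing": "h"},
    "shredding": {"dumpster diving": "h"},
    "both": {"sniffing": "h", "dumpster diving": "h"},
}

if __name__ == "__main__":
    print("attacker picks:", run_matrix(METHODS, GOALS))
    for control, gain in defender_review(METHODS, GOALS, CONTROLS).items():
        print(f"{control:32s} lowers attacker payoff by {gain}")
```

On these numbers the attacker's best row is sniffing (payoff 3). Shredding alone scores 0 for the defender, not because dumpster diving is harmless but because it was never the attacker's best option; only a control that raises the signal on the current optimum moves the result, and combining the two moves it further. That ordering of controls is what the defender gets out of running the same matrix the attacker runs.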

3. Invasion (establish a beachhead)

Here we try to get onto a host, usually through a network, so we concentrate on network hacks in this section.


         METHOD                                     Access   Signal   Comment

    3.1  Brute force                                u        h
         3.1.1  ftp                                 u        h
         3.1.2  telnet                              u        h
         3.1.3  pop2/3                              u        h
         3.1.4  rlogin                              u        h
         3.1.5  http                                u        h
         3.1.6  sql                                 u        h
         3.1.7  kerberos                            u        h
         3.1.8  snmp                                an       m
    3.2  Sniffing                                   ua       l
    3.3  Spoofing
         3.3.1  DNS                                 h        m
         3.3.2  IP                                  h        m
         3.3.3  Kerberos IV                         hua      l
         3.3.4  smtp                                hua      m
         3.3.5  snmp v1                             ha       l
    3.4  Stack smashing
         3.4.1  SMTP                                ha       l-m
         3.4.2  named/DNS                           "        "
         3.4.3  pop                                 "        "
         3.4.4  http                                "        "
    3.5  Race
         3.5.1  NFS                                 hua      m-h
         3.5.2  Kerberos (all versions)             "        "
         3.5.3  All ticket authentication progs     "        "
    3.6  Back door
         3.6.1  Sendmail / wiz                      ha       l
         3.6.2  Debug stuff
                3.6.2.1  Stack smashing             hua      m
                3.6.2.2  Race                       "        "
                3.6.2.3  Brute                      "        "
                3.6.2.4  Back door                  "        "
                3.6.2.5  Spoofing                   "        "

4. Base Camp Development

To establish a base of operations the hacker wants to ensure that 1) access to the host/net continues and 2) privileges are boosted to gain control of the log files and so erase evidence.

We continue to use our familiar table format:


         METHOD                                     Access   Signal   Comments

    4.1  Be able to get back
         4.1.1  Password cracking
                4.1.1.1  Crack                      hua      m
                4.1.1.2  Crypt                      hua      h
         4.1.2  Trojan horses
                4.1.2.1  login                      hua      m
                4.1.2.2  r commands                 "        m
                4.1.2.3  telnet                     "        m
                4.1.2.4  all inetd.conf files       "        m
                4.1.2.5  kernel loadable modules    hua      l        i.e. device driver trojans
         4.1.3  Config files
                4.1.3.1  .rhosts                    "        m
                4.1.3.2  hosts.equiv                "        "
                4.1.3.3  etc.                       "        "
    4.2  Become admin
         4.2.1  Stack sploits
                4.2.1.1  library sploits            a        l        getopt on Solaris, in libc.so
                4.2.1.2  Most network attacks       a        m        mail, DNS, etc.
         4.2.2  Race
                4.2.2.1  expreserve                 a        l
                4.2.2.2  rexecd                     a        l
                4.2.2.3  cron                       a        m
                4.2.2.4  any symlink+suid files     au       m
         4.2.3  Brute
                4.2.3.1  all networked files        au       m
                4.2.3.2  crack decryption           au       m
         4.2.4  Back door
                4.2.4.1  networking "debugs"        au       h
                4.2.4.2  OS "debugs"                au       h
                4.2.4.3  application "debugs"       au       m
                4.2.4.4  BIOS calls                 au       l
                4.2.4.5  service maint. passwd      a        l        (Unisys, AMI, all routers)
         4.2.5  Spoofing
                4.2.5.1  all TCP/IP networking      hua      m
                4.2.5.2  symlinks                   ua       l
                4.2.5.3  tmp files                  ua       l
                4.2.5.4  config files (cron)        ua       m        Cuckoo's Egg
    4.3  Cover our tracks
         4.3.1  Fix logs
                4.3.1.1  syslog (syslog.conf)       a        h
                4.3.1.2  messages (dmesg)           "        "
                4.3.1.3  utmp                       "        "
                4.3.1.4  wtmp                       "        "
                4.3.1.5  history of compromised account  "   "
                4.3.1.6  audit.log                  "        "
                4.3.1.7  /var/log authlog           "        "
         4.3.2  Fix the OS
                4.3.2.1  Fix loadable modules       "        l
                4.3.2.2  Fix ".o" files             "        l
                4.3.2.3  Bugs in OS                 "        l        e.g. SPARC floating point exception bug
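Nearly every row in 4.1 and 4.3 is a change to a file the defender already owns: a replaced login binary, a new line in inetd.conf, a planted .rhosts, a setuid bit on a file that never had one, a log that has gone missing. The defender's check for all of them is the same: fingerprint the files while the system is known good and compare later. The following is an added example, not the paper's code: an integrity baseline of the Tripwire kind, with the "before" and "after" trees constructed in memory so it runs offline, plus a snapshot_dir() that builds the same kind of baseline from a real directory. Paths, contents and modes in the two sample trees are constructed.

```python
"""Added example (not from the paper): an integrity baseline check of the kind
that catches the base-camp techniques in 4.1 and 4.3 (trojaned binaries and
inetd.conf, planted .rhosts, new setuid files, removed logs). File paths and
contents are constructed; snapshot_dir() runs the same check on a real tree."""
import hashlib
import os
import stat


def fingerprint(content: bytes, mode: int):
    """Baseline record for one file: content hash plus permission bits."""
    return hashlib.sha256(content).hexdigest(), mode


def snapshot_dir(root):
    """Walk a real tree and build {relative path: (sha256, mode)}. A symlink is
    fingerprinted by its target string, so a swapped link target shows as modified."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                data = os.readlink(path).encode()
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            snap[os.path.relpath(path, root)] = fingerprint(data, stat.S_IMODE(st.st_mode))
    return snap


def compare(baseline, current):
    """Report what changed between two snapshots, keyed by the kind of change."""
    findings = {"modified": [], "mode_changed": [], "setuid_added": [], "added": [], "missing": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings["missing"].append(path)          # e.g. a log file removed (4.3.1)
        elif path not in baseline:
            findings["added"].append(path)            # e.g. a planted trust file (4.1.3)
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                findings["modified"].append(path)     # e.g. a trojaned binary or config (4.1.2)
            if old_mode != new_mode:
                findings["mode_changed"].append(path)
                if new_mode & stat.S_ISUID and not old_mode & stat.S_ISUID:
                    findings["setuid_added"].append(path)   # setuid bit appeared (4.2.2.4)
    return findings


# Constructed "known good" tree and a later snapshot of the same paths.
BASELINE = {
    "etc/inetd.conf": fingerprint(b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n", 0o644),
    "bin/login": fingerprint(b"\x7fELF original login binary", 0o755),
    "usr/bin/tool": fingerprint(b"\x7fELF tool", 0o755),
    "var/log/authlog": fingerprint(b"Feb 12 03:14:07 gw login: ROOT LOGIN ON console\n", 0o600),
}
CURRENT = {
    "etc/inetd.conf": fingerprint(b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                                  b"telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n", 0o644),
    "bin/login": fingerprint(b"\x7fELF original login binary", 0o755),
    "usr/bin/tool": fingerprint(b"\x7fELF tool", 0o4755),
    "home/alice/.rhosts": fingerprint(b"untrusted.example.com root\n", 0o644),
}

if __name__ == "__main__":
    for kind, paths in compare(BASELINE, CURRENT).items():
        print(f"{kind:13s} {paths}")
```

The baseline itself has to live somewhere the hacker who has become admin cannot reach (read-only media or another host), and the comparison has to run from a trusted binary, otherwise 4.3.2 applies to the checker as much as to the logs; the check also says nothing about a kernel module that lies to every open() call (4.1.2.5), which is why the paper rates that row's signal l.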

5. Operations

This is the heart of hacker motivation, the "why" a hacker hacks. Determining a hacker's motivation can lead to a strategy for dealing with computer fraud and abuse. That is, simple curiosity can be dealt with without recourse to the law, whereas embezzlement will require stronger action.


Last updated by John Ryan <john@cybertrace.com> on Wed Feb 12 1997