on each OS. If it’s a web server, they might find Internet Information Services (IIS) 8.5 on the Windows server and Apache 2.4.25 on the Linux server. They take an inventory of each device, OS, application, and version running on each intended target. A complete inventory gives the most inclusive picture of the target’s landscape, although sometimes a hacker finds a big vulnerability early on and jumps straight to the next step. Outside of such a quick exploit, the more information the hacker has about what is running, the better: each additional piece of software, and each version of it, is another possible attack vector.
NOTE
Some hackers call the general, non‐technical information gathering footprinting and the OS and software mapping fingerprinting.
Sometimes when a hacker connects to a service or site, it helpfully responds with detailed version information, so no tools are needed. When that isn’t the case, there are plenty of tools to help with OS and application fingerprinting. By far the most widely used hacker fingerprinting tool is Nmap (https://nmap.org/). Nmap has been around since 1997. It runs on Windows, Linux, and other platforms and is a hacker’s Swiss Army knife. It can perform all sorts of host scanning and testing, and it is a very good OS fingerprinter (its -O option) and an adequate application fingerprinter (its -sV service‐version detection). There are better application fingerprinters, especially ones focused on a particular type of application, such as web servers, databases, or email servers. For example, Nikto2 (https://cirt.net/Nikto2) not only fingerprints web servers better than Nmap but also runs thousands of checks for known vulnerabilities and misconfigurations and reports which ones are present.
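As an added example (not from the book), the script below does the banner‐based part of what this passage describes: it parses the version‐revealing strings a service volunteers (an HTTP Server header, an SSH identification line) into the product/version inventory the text calls for, and lists the hosts whose banner gave no version, which is where Nmap’s -sV or Nikto come in. The banners are constructed for illustration and the record layout is my own choice.

```python
"""Build a fingerprint inventory from service banners.

Added example, not from the book. The banners below are constructed for
illustration; the patterns cover the banner formats shown (HTTP Server
headers and SSH identification strings), not every product in existence.
"""
import re
from typing import Optional

# Constructed sample banners: (host label, port, raw banner as received).
SAMPLE_BANNERS = [
    ("web1", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n\r\n"),
    ("web2", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\n\r\n"),
    ("ssh1", 22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
    # Version hidden on purpose: the banner alone yields no fingerprint.
    ("web3", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
]

# SSH identification line: SSH-<proto>-<software>[ <comment>]
SSH_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_/-]?(?P<version>[\d.]+\w*)"
    r"(?:\s+(?P<comment>.+))?$"
)
# Value of an HTTP Server header: <product>[/<version>][ (<comment>)]
SERVER_VALUE_RE = re.compile(
    r"^(?P<product>[^/\s]+)(?:/(?P<version>[\d.]+\w*))?(?:\s*\((?P<comment>[^)]*)\))?"
)


def parse_banner(banner: str) -> Optional[dict]:
    """Return {'product', 'version', 'comment'} from a banner, or None.

    'version' is None when the product is named but its version is hidden.
    """
    lines = banner.splitlines()
    if not lines:
        return None
    m = SSH_RE.match(lines[0])
    if m:
        return {"product": m["product"], "version": m["version"], "comment": m["comment"]}
    for line in lines:
        if line.lower().startswith("server:"):
            m = SERVER_VALUE_RE.match(line.split(":", 1)[1].strip())
            if m:
                return {"product": m["product"], "version": m["version"], "comment": m["comment"]}
    return None


def build_inventory(banners) -> list:
    """One record per (host, port); unparsed banners keep None fields."""
    inventory = []
    for host, port, banner in banners:
        record = {"host": host, "port": port, "product": None, "version": None, "comment": None}
        parsed = parse_banner(banner)
        if parsed:
            record.update(parsed)
        inventory.append(record)
    return inventory


def needs_active_fingerprint(inventory) -> list:
    """Hosts whose banner gave no version: point nmap -sV or Nikto at these."""
    return [r["host"] for r in inventory if r["version"] is None]


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_BANNERS)
    for r in inv:
        print(f"{r['host']}:{r['port']}  {r['product']}  {r['version'] or '?'}  {r['comment'] or ''}")
    print("need active fingerprinting:", needs_active_fingerprint(inv))
```

The comment field is worth keeping: the "(Debian)" and "Debian-10+deb9u7" strings narrow the OS fingerprint for free, and a distribution package often carries backported security fixes without changing the upstream version number, which matters when the inventory is later compared against advisories.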
Penetration
This is the step that puts the “hack” in “hacker”: gaining the initial foothold. The success of this step makes or breaks the entire cycle. If the hacker has done their homework in the fingerprinting stage, this stage really isn’t all that hard. In fact, I’ve never failed to accomplish this stage. There is always old software in use, always something left unpatched, and almost always something misconfigured somewhere in the collection of identified software.
NOTE
One of my favorite tricks is attacking the very software and devices that defenders use to defend their networks. Often these devices are appliances, which is simply another word for a computer running software that is harder to update. Appliances are notorious for being years out of patch compliance.
If by chance all the software and devices are perfectly secured (and they never are), you can attack the human element, which is always the weakest part of the equation. Without the initial penetrating foothold, all is lost for the hacker. Fortunately for the hacker, there are lots of ways to penetrate a target. Here are the techniques a hacker can use to break in:
● Zero‐days
● Unpatched software
● Malware
● Social engineering
● Password issues
● Eavesdropping/MitM
● Data leaks
● Misconfiguration
● Denial of service
● Insider/partner/consultant/vendor/third party
● User error
● Physical access
● Privilege escalation
Zero‐days
Zero‐day (or 0‐day) exploits are rarer than everyday vulnerabilities, which vendors have usually patched long ago. A zero‐day exploit targets a vulnerability that the software is not yet patched against and that the public (and usually the vendor) isn’t aware of. Any computer running software with a zero‐day bug is essentially exploitable at will, unless the potential victim uninstalls the software or has some other mitigation in place (for example a firewall, an access control list, VLAN segmentation, anti‐buffer‐overflow protections, and so on).
Zero‐days are less common than known exploits because they can’t be used widely. If an attacker overused a zero‐day, the coveted hole would be discovered, patched by the vendor, and added to anti‐malware signatures. These days most vendors can patch a newly discovered exploit within a few hours to a few days. When zero‐days are used, they are either used very broadly against many targets all at once, for maximum exploitation before the fix arrives, or used “low and slow,” meaning sparingly, rarely, and only when needed. The world’s best professional hackers usually keep collections of zero‐days that they use only when all else has failed, and even then in a way that won’t be especially noticed. A zero‐day might be used to gain an initial foothold in an especially resistant target; then all traces of it are removed and more traditional methods are used from that point onward.
Unpatched Software
Unpatched software is always among the top reasons a computer or device is exploited. Each year there are thousands of newly announced public vulnerabilities across all popularly used software (usually between 5,000 and 6,000, or about 15 per day). (Check out the stats reported in each issue of Microsoft’s Security Intelligence Report, http://microsoft.com/sir.) Vendors have generally gotten better at writing secure code and finding their own bugs, but there are an ever‐increasing number of programs and billions of lines of code, so the overall number of bugs has stayed relatively stable over the last two decades.
Most vendors do a fairly good job of patching their software in a timely manner, especially once a vulnerability becomes publicly known. Unfortunately, customers are notoriously slow to apply those patches, often going so far as to disable the vendor’s own auto‐patching. A moderate percentage of users never patch their systems at all: the user either ignores the repeated patch warnings as an annoyance or is completely unaware that a patch needs to be applied. (For example, many point‐of‐sale systems don’t notify cashiers that a patch is waiting.) Most successful software exploits hit software that has gone unpatched for many years.
Even if a particular company or user patches critical vulnerabilities as quickly as they are announced, a persistent, patient hacker can simply wait for a patch to be announced for something on the target’s fingerprint inventory and launch the related attack before the defender has had time to apply it. (It’s relatively easy for a hacker to reverse engineer a patch, by diffing the patched and unpatched binaries, and work out how to exploit the vulnerability it fixes.)
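The waiting game in the paragraph above can be automated from the attacker’s side, and run by the defender it is exactly the check that closes the window. The script below is an added example, not from the book: INVENTORY and ADVISORIES are constructed placeholders (the advisory IDs are not real identifiers), and the rule “flag a host when its fingerprinted version is older than the version the fix first shipped in” is the simplification I chose.

```python
"""Match a fingerprint inventory against published fixes.

Added example, not from the book. INVENTORY and ADVISORIES are constructed
placeholders (the advisory IDs are not real identifiers); in practice the
inventory comes from the fingerprinting step and the advisories from a
vendor feed or vulnerability database. The matching rule is a deliberate
simplification: a host is flagged when its fingerprinted version is older
than the version the fix first shipped in.
"""
import re


def version_key(version: str) -> tuple:
    """Turn a version string into a comparable tuple of integers.

    Every run of digits becomes one element, so '2.4.25' -> (2, 4, 25) and
    OpenSSH's '7.4p1' -> (7, 4, 1). Good enough for the dotted schemes used
    here; not a general version parser.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_affected(running: str, fixed_in: str) -> bool:
    """True when the running version predates the first fixed version."""
    return version_key(running) < version_key(fixed_in)


# Constructed output of the fingerprinting step.
INVENTORY = [
    {"host": "web1", "product": "Microsoft-IIS", "version": "8.5"},
    {"host": "web2", "product": "Apache", "version": "2.4.25"},
    {"host": "ssh1", "product": "OpenSSH", "version": "7.4p1"},
    {"host": "web3", "product": "nginx", "version": None},  # banner hid the version
]

# Constructed advisories; 'fixed_in' is the first version containing the fix.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "product": "Apache", "fixed_in": "2.4.27"},
    {"id": "EXAMPLE-ADV-2", "product": "OpenSSH", "fixed_in": "7.5"},
    {"id": "EXAMPLE-ADV-3", "product": "Microsoft-IIS", "fixed_in": "8.5"},
]


def exposed_hosts(inventory, advisories):
    """Return (findings, unknown).

    findings: inventory entries whose version predates an advisory's fix.
    unknown:  hosts with no fingerprinted version, reported rather than
              silently skipped, because 'no version' means unfingerprinted,
              not safe.
    """
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv["product"], []).append(adv)

    findings, unknown = [], []
    for entry in inventory:
        if entry["version"] is None:
            unknown.append(entry["host"])
            continue
        for adv in by_product.get(entry["product"], []):
            if is_affected(entry["version"], adv["fixed_in"]):
                findings.append({
                    "host": entry["host"], "product": entry["product"],
                    "running": entry["version"], "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                })
    return findings, unknown


if __name__ == "__main__":
    found, unknown = exposed_hosts(INVENTORY, ADVISORIES)
    for f in found:
        print(f"{f['host']}: {f['product']} {f['running']} < {f['fixed_in']} ({f['advisory']})")
    print("unfingerprinted, verify actively:", unknown)
```

Two caveats a practitioner should keep in mind. Version‐only matching over‐reports: a distribution that backports a fix into Apache 2.4.25 without bumping the version, or a Windows component such as IIS that is patched in place, will still look vulnerable here, so an attacker confirms with an actual check before committing and a defender treats the list as a queue to verify. It also under‐reports wherever the version was hidden, which is why those hosts are returned as unknown rather than dropped.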
Both zero‐days and regular software vulnerabilities come down to insecure software coding practices. Software vulnerabilities will be covered in Chapter 6.
Malware
Malicious programs are known as malware. The traditional types are viruses, Trojan horse programs, and worms, but today’s malware is often a hybrid of several types. Malware lets a hacker use an exploit method to attack victims more easily or to reach a greater number of victims more quickly. When a new exploit method is discovered, defenders know that malware writers will use automated malware to spread it faster, a process known as “weaponization.” While any exploit is something to be avoided, it is often the weaponization of the exploit that creates the most risk to end‐users and society. Without malware, an attacker has to carry out an attack one victim at a time. With malware, millions of victims can be exploited in minutes. Malware will be covered in more detail in Chapter 9.
Social Engineering
One of the most successful hacking strategies is social engineering. Social engineering, whether accomplished manually by a human adversary or done using automation, is any hacker trick that relies upon tricking an end‐user into doing something detrimental to their own computer or security. It can be an email that tricks an end‐user into clicking on a malicious web link or running a