How Hackers Do It: Tricks, Tools, and Techniques
This article describes the tricks, tools, and techniques hackers use to gain unauthorized access to Solaris_ Operating Environment (Solaris OE) systems. Ironically, it's often the most basic methods that hackers use to successfully gain access to your systems.
For this article, we use the default configuration of a Solaris OE system to evaluate which vulnerabilities are most attractive to an intruder. Using easily obtainable freeware security tools, we demonstrate the techniques hackers employ to attack systems.
All of the attacks described in this article have preventive solutions available; however, every day, hackers compromise systems using these attacks. Being aware of how these attacks are performed, you can raise awareness within your organization for the importance of building and maintaining secure systems.
Many organizations make the mistake of addressing security only during installation, then never revisit it. Maintaining security is an ongoing process, and it is something that must be reviewed and revisited periodically.
Using the information in this article, you can try hacking into your organization's datacenter, high-end server, or other system to determine where basic attacks would succeed. Then, you can address security weaknesses to prevent unauthorized users from attacking the system.
This article contains the following topics:
- "How to Use the Tools"
- "Related Resources"
A trick is a "mean crafty procedure or practice...designed to deceive, delude, or defraud.1" Hackers use tricks to find short cuts for gaining unauthorized access to systems. They may use their access for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform a task.
Given that most hackers are motivated by curiosity and have time to try endless attacks, the probability is high that eventually they do find a sophisticated method to gain access to just about any environment. However, these aren't the types of attacks we address in this article, because most successful intrusions are accomplished through well-known and well-documented security vulnerabilities that either haven't been patched, disabled, or otherwise dealt with. These vulnerabilities are exploited every day and shouldn't be.
You can implement many of the changes necessary to patch, disable, or deal with security vulnerabilities by using the Solaris Security Toolkit, available from: http://www.sun.com/blueprints/tools.
Finding Access Vulnerabilities
What generally happens is that an advanced or elite hacker writes a scanning tool that looks for well-known vulnerabilities, and the elite hacker makes it available over the Internet. Less experienced hackers, commonly called "script kiddies," then run the scanning tool 24 x 7, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into.
The script kiddies use a list of vulnerable IP addresses to launch attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. Depending on the vulnerability, an attacker may be able to create either a privileged or non-privileged account. Regardless, the attacker uses this initial entry (also referred to as a "toe-hold") in the system to gain additional privileges and exploit the systems the penetrated system has trust relationships with, shares information with, is on the same network with, and so on.
Once a toe-hold is established on a system, the attacker can run scanning tools against all the systems connected to the penetrated system. Depending on the system compromised, these scans can run inside an organization's network.
Finding Operating System Vulnerabilities
As mentioned previously, hackers first look for vulnerabilities to gain access. Then they look for operating system (OS) vulnerabilities and for scanning tools that report on those vulnerabilities.
Finding vulnerabilities specific to an OS is as easy as typing in a URL address and clicking on the appropriate link. There are many organizations that provide "full-disclosure" information. Full disclosure is the practice of providing all information to the public domain so that it isn't known only to the hacker community.
Mitre, a government think tank, supports the Common Vulnerability and Exposures (CVE) dictionary. As stated on their web site (http://cve.mitre.org), the goal is to provide the following:
A list of standardized names for vulnerabilities and other information security exposuresCVE aims to standardize the names for all publicly known vulnerabilities and security exposures2
Other security sites, such as SecurityFocus, CERT, the SANS Institute, and many others, provide information about how to determine the vulnerabilities an OS has and how to best exploit them.
Attacking Solaris OE Vulnerabilities
Let's use Solaris 2.6 OE as an example. A well-known vulnerability, for which patches are available, is the sadmind exploit. Hackers frequently use this vulnerability to gain root access on Solaris 2.6 OE systems.
Using only a search engine and the CVE number, found by searching through the Mitre site listed previously, it is possible to find the source code and detailed instructions on how to use it. The entire process takes only a few minutes. The hacker finds the source code on the SecurityFocus web site and finds detailed instructions on the SANS site.