Cipher

Hacking: A very brief Introduction

Posted in Articles by EK on October 18, 2006
Guest Post by (Pascal.Cretain[AT]gmail.com)
An awful lot has been said about hacking, most of it simply not true. Due to misinformation, ignorance, the decline of mass media, and other miscellaneous obscure powers, hacking has been associated with electronic crime, illegal access to forbidden realms, the Pentagon, the FBI, the CIA, the Russian mafia, credit card fraud, identity theft, software piracy, vandalism, corruption, murder and death. Give me a break. A hacker, in the original sense, is a person who is curious, inventive, intelligent, eager to learn, willing to discover (and perhaps fail a thousand times before achieving any result) alternative ways of using tools and ideas. Using a metaphor here, if I may, a hacker is a bit like a child; she likes to take things apart to see what’s inside, and find out how things actually work. A hacker likes to stretch things to their limits, use devices in ways they were not meant to be used, cross borders and break rules just for the sake of experimentation. A real hacker does not give a fuck about the potential trophy (be it p0rn, software, monetary compensation, sensitive databases or anything else) waiting for her as soon as she has gained access to a restricted domain using a creative, alternative route to circumvent the defence mechanisms in place. She might e-mail the system administrators to let them know that their security is crap, at best, leave everything intact, then move on to a new project. A hacker is, more than anything else, a student, not a criminal mind, period. This definition is not necessarily restricted to the world of computing. One can hack in real life. If you decide that your TV does not have any positive effect on your life when it’s on, and decide to cover it with a table cloth and use it to eat your breakfast on, then you have hacked your TV, in a primitive fashion. Well done, that’s a great starting point.
There is a reason why all this bad hype around hacking has been created. See, hacking is tightly bound with intelligence, creativity and free spirit. Now these attributes are a bit of a threat to governments, global regulators and other bodies ‘in charge’ who want to run the show. To achieve their goal easily and effectively, the controlling powers need to have obedient, non-creative and certainly not very intelligent citizens under their supervision. Where this profit-making, control-seeking ‘plan’ is supposed to lead humanity is beyond me, still there is a good chance that this is the way things work nowadays. It is not a coincidence that formal education has degraded to simple (biased) information processing. Our schools, institutions, society and family do not encourage creative and alternative thinking. In fact, they are afraid of it. This concept can extend even further, taking into consideration our lives and career aspirations in general. As the freegan manifesto (http://freegan.info/?page=anotherview) accurately proclaims, as much as capitalists like equating the free market with freedom, our lives are severely constrained under capitalism. Herein, we are all expected to live within the rules of a specific narrow model. We go to schools that promote hierarchy and obedience while suppressing creativity and indoctrinating us with the patriotic dogmas and distorted histories of the dominant forces of our national leadership. We are compelled to fiercely compete for the best grades so that we can get into the best college, run up big debts on college loans that we will spend years paying off. Get good grades, get into the best grad school, get a high paying job, buy lots of stuff, buy a house and spend years paying off the mortgage, have kids, keep working to the point where our jobs become miserable unending chores, put our kids through college and grad school so they can start on the same cycle.
We go through a mid-life crisis where we wonder what the point of it all is. We retire and get sick with degenerative diseases from a lifetime of eating an unhealthy, fast-food, meat-based diet and from sedentary living: miserable desk jobs and hours spent vegetating in front of corporate pablum on television. As we degenerate, bored, lonely, and isolated in a society that overvalues competition and undervalues community, we are shipped off to nursing homes, eventually ending up in hospitals that attempt to prolong miserable and unhealthy lives with surgical procedures and drugs and radiation treatments that are tremendously profitable to insurance companies, hospitals, physicians, and medical equipment and drug manufacturers, but do little to address the underlying issues of poor health and often make us even sicker. Eventually we die, providing income to the undertakers, coffin manufacturers, funeral parlours, and cemeteries to turn our corpses into formaldehyde-filled hazardous waste that will not be cycled back into the ecosystem, locked in boxes made of dead rainforest trees or strip-mined metals. This is considered ‘a successful life’ for the Western middle class and lower portions of the upper class. Admittedly, I got a bit carried away, but follow me and you will see what I am getting at.
Don’t panic, though, for all is not lost. We have the unbelievable luxury of living in the internet era. Now this is a whole new topic again, and a huge one indeed, but it is very relevant to this study for certain reasons. If you think back some years ago, access to information and knowledge was very, very different. First of all, there used to be one horrible restriction on acquiring information: it had a price. To learn how to be a doctor, computer programmer, lawyer, journalist, biologist or builder, you had to buy many expensive books and/or go to expensive schools. Your very evolution itself was too damn hard, since every time you encountered a problem, an unknown condition in your field, you had to go to public libraries, make expensive telephone calls to other fellow professionals, spend time investigating, and if you were lucky enough to find a solution, you would rely on it just because it was the only solution you were able to locate. That is not the case today. Today’s internet is a gift: an ever-changing, almost organic collection of all sorts of information that brings together individuals and ideas of all races, social classes, religions, scientific fields and arts. The power of this mechanism lies in its multi-inclusive nature. Looking for an answer to a question you might have, you are very likely to encounter tons of crap, some quite good approaches, and a few superb ones. You will, though, invariably gain the ability to evaluate, judge, search and think for yourself. And that, my friend, is a tremendous skill. In fact, it is the very root of becoming a superior human being and understanding the world you happen to live in, in depth, so you can make conscious choices and reject this or that lifestyle that ‘they’ are trying to enforce upon you. Computer (or real life) hacking just happens to be one of the benefits drawn from this new skill that you will (hopefully) acquire.
So, if there is one service you have to buy in this damn world, it is, in my humble opinion, a good internet connection. Get DSL. Assuming that, living in London, you speak English, internet access is all you are ever going to need (provided that you have a computer; a crappy one will do, get your uncle’s old PC that she was planning to donate to charity if you have to), plus some spare time to invest.
Trust me on this one, reader: it will not always be like that. The internet is a very new invention, and a very groundbreaking one. As happens with all radical inventions in the history of mankind (the wheel, electricity, relativity), it takes quite some time until people are eventually able to govern the new invention’s power and restrict its potential misuse through many rules, legislation and supervision. The early stages are somewhat ‘experimental’ and very liberal. Man (including the superior forces running the show) has realised the full potential of the internet as a generous profit-making source. Due to the fact that one of our main characteristics is greed, people quickly got addicted (and dependent) on the internet, and now refuse to let go. Fortunately for the rest of us, the not profit-oriented, various healthy tendencies including open source information exchange grew in parallel and quietly found their place on the internet. Because nobody actually ‘owns’ the internet, it is deemed very unlikely that the internet is going to shut down some time soon for ‘general maintenance and regulations introduction’. Control is happening, though. Slowly it spreads over the wires through mechanisms like legislation, and sniffing. There are however countermeasures to being supervised: cryptography is a good one. Cryptography was made available to the masses about a decade ago through a program called PGP (Pretty Good Privacy), written by a genius hacker called Phil Zimmermann. Cryptography is another, very complicated issue that we are not going to cover here, but it is worth mentioning that the strength of your encrypted messages relies on the size (in bits) of the encryption key. If a 40-bit key is used, it’s quite easy to break. If a 256-bit key is used, it’s bloody difficult, even for governments or intelligence agencies, to decrypt your message.
This is because each bit added to the key doubles the work of an exhaustive search, so that a cipher with a 41-bit key is twice as hard to crack (takes twice the time) compared to one using 40 bits. This is why the US government has put restrictions on the export of cryptographic algorithms (40 bits I think), and has classified cryptography under ‘weapons’, so that it can maintain control of the game. Moral of the story: (ab)use the internet in its present form, for it might not last that long.
While it is possible to hack computer networks without being a programmer (or at least being able to read and understand code), I strongly suggest you acquire that skill. Remember, the goal is not to scratch the surface (as Sick Of It All says), but to get a shovel and start digging. If you want to hack wisely, you have to understand how the tools you are going to use actually work. That’s why I personally support the ‘open source’ approach, because it gives you access to the underlying architecture of all the tools you are using. In that way, you can really understand what’s going on behind the scenes, and perhaps modify anything as you see fit. The languages commonly used in the computer security field are ANSI C (often used in a scripting approach under the UNIX shell), and many general purpose scripting languages such as Tcl, Perl and Python. I have seen apps recently written in pure Java, though this language is generally not preferred in the underground. Moreover, you must get acquainted with the basic concepts of computer networking. There are a few protocols which are extremely popular and you should know how they work. These include the TCP/IP protocol suite (including UDP and ICMP), the mail protocols (POP3 and SMTP) and various others such as HTTP. You should also get familiar with the major operating systems, Windows and Linux. There are things you can do with one but can’t with the other, so you should learn and use both. If you have no fuckin’ clue what I’m talking about in these last few lines, then I strongly urge you to get an internet connection (see above), and start using www.google.com to educate yourself. I shall warn you here, reader, that the legislation on computer attacks is rapidly changing, and getting stricter every day.
So as soon as (and if) you ever start launching attacks against computer networks, be sure to launch them against networks you own, or ones that you have formal authorisation to perform testing against, to avoid getting in trouble. It is perfectly possible to hide your tracks and clean up your mess effectively, but it is a very daunting task, something that comes with experience. As a newbie, you might as well forget about it for the time being.
I suspect what you might be thinking: ‘Hey, that’s all good, now teach me how to hack!’, and, gee, I really hope that I’m wrong. See, there is a reason why I decided to release this document at this very event – the resistance festival. Taking into account the fact that you came here, you are quite likely a person who already has an ‘alternative’ approach to life. You try to differentiate yourself from the mass through unconventional music and other art forms, ‘revolutionary’ appearance (we have all been there at one time or another), maybe travelling and the like. If you have followed me until this point, you have hopefully realised that the mission of this document is not to provide some quick guide to getting porn, and certainly not to illegally accessing your girlfriend’s hotmail account. It is to teach you how to be a creative problem solver, and how to seek knowledge. The means employed to try and get you started is computer hacking. This is because it just so happens that I have an elementary knowledge of this field, I consider it interesting, and I feel that there is great potential in it. If, on the other hand, you are one of those people who want to learn how to hack computer systems because it is considered ‘elite’, or to get some free shit, while having no genuine interest in improving yourself (and perhaps the security mechanisms employed in the IT industry nowadays) and eventually getting (more) wise, then to hell with you anyway. Forget you ever read this document and go back to whatever you were doing. The community does not need you.
Section II: Doing it
Although I have been fiercely propagating creativity, I do believe that it is important to follow (not religiously though) a standard methodology when hacking. This ensures that you hack effectively and do not forget any necessary steps due to your enthusiasm or various other reasons. Of course, the methodology you choose should be one you have studied thoroughly (or created yourself, even better), and customized to your specific needs. What we are talking about here is a hacked methodology, by means of our prior definition of what hacking essentially is. A nice, open-source methodology for security testing is provided by the fine folks at ISECOM, and is called OSSTMM. I suggest you have a look at it. Now moving on to the juicy bits.
Step 1: Profiling the target (fingerprinting): Just like in real life, the first thing you need to do when planning an attack is information gathering. If your target were to break into a house, you wouldn’t just smash the window and enter, not if you didn’t want to get busted, that is. The same goes for hacking. Your main source for gathering information is, you guessed it, the internet. Use the main search engines (Google is good, but there are tons of other search engines that you might want to have a look at; see Fravia’s www.searchlores.org to learn how to find anything and everything on the web). Identify IP addresses, Domain Name Servers, telephone numbers (might come in handy for war dialling), key personnel names; try to find messages in public message boards seeking technical information on specific problems they might have, for this might reveal specific software or hardware they are running, as well as version numbers. Gather e-mail addresses and e-mail server IPs, articles written by the target’s personnel, whatever seems relevant and you can lay your hands on. Use tools such as SamSpade, query the public Whois databases (like www.ripe.net), do what you have to do, be creative. This way, you will plot a nice picture of the target through public channels, without having to query the target at all. This phase might seem dull to you, but it’s the quintessence of hacking. Without this information, you will surely be lost and helpless, in danger of knocking on other people’s virtual doors, or even worse, knocking in vain where it is unlikely that you will ever get an answer.
Step 2: Scanning & Beyond: Now comes the point where you reckon you have gathered enough information to start getting more active. You have discovered several public facing devices, perhaps a couple of firewalls, routers, Web and Mail Servers, and you wonder what you can do to them. This is when you start scanning your target. The art of scanning attempts to find out what particular services and program daemons are listening, and on which ports. While there are several methods (Xmas, Null, Full, UDP) to discover such information, the most common and effective one is to send synchronisation (SYN) requests to your target. This is also known as the half-open TCP connection, and usually it manages to obtain a list of ports that responded, revealing that there is something running there. When there is something running, it can probably be exploited. You can use tools like Nmap by Fyodor, or Superscan (GUI)/Scanline (command line) by Foundstone. There are many free scanners out there; go and have a look for yourself. An indispensable part of port scanning is the so-called banner grabbing. This functionality is included nowadays with many of the freely available scanners, and what it does is try to tell you more about what it has found, such as which piece of software is active, what version it is running, etc. There is a beautiful tool capable of doing a myriad of things that might help you in this goal too, and this tool is called NetCat. Netcat tries to establish a remote connection to a user-defined port, and sometimes it can achieve that, often revealing sensitive, useful information that will help you better profile your target’s vulnerabilities. Alternatively, you can use a splendid free tool called Nessus, which does just that, without getting you into manual trouble at all. Nessus is a general purpose scanner, which runs off a constantly updated vulnerability database.
If you run Nessus against your target, it will inform you of any specific holes it has found, and will propose remedial action. If you like it manual, though, you can now browse to a public vulnerability database (hint: www.securityfocus.com), and see which (if any) exploits are applicable in your situation.
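The half-open (SYN) scan described above has a characteristic footprint on the target side: one source sends SYNs to many ports and never completes a handshake. As an added example that is not part of the original article, here is a small detector over constructed connection-log lines; the log format, the hosts and the five-port threshold are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real device). One line per TCP segment:
# "<time> <src>:<sport> -> <dst>:<dport> <flags>", flags being S, SA, A, R or RA.
# 10.0.0.5 is an ordinary client; 198.51.100.7 walks six ports without ever ACKing.
SAMPLE_LOG = """\
12:00:01 10.0.0.5:40001 -> 192.0.2.10:22 S
12:00:01 192.0.2.10:22 -> 10.0.0.5:40001 SA
12:00:01 10.0.0.5:40001 -> 192.0.2.10:22 A
12:00:03 10.0.0.5:40002 -> 192.0.2.10:80 S
12:00:03 192.0.2.10:80 -> 10.0.0.5:40002 SA
12:00:03 10.0.0.5:40002 -> 192.0.2.10:80 A
12:00:05 198.51.100.7:51000 -> 192.0.2.10:21 S
12:00:05 192.0.2.10:21 -> 198.51.100.7:51000 RA
12:00:05 198.51.100.7:51001 -> 192.0.2.10:22 S
12:00:05 192.0.2.10:22 -> 198.51.100.7:51001 SA
12:00:05 198.51.100.7:51001 -> 192.0.2.10:22 R
12:00:05 198.51.100.7:51002 -> 192.0.2.10:25 S
12:00:05 192.0.2.10:25 -> 198.51.100.7:51002 SA
12:00:05 198.51.100.7:51002 -> 192.0.2.10:25 R
12:00:05 198.51.100.7:51003 -> 192.0.2.10:80 S
12:00:05 192.0.2.10:80 -> 198.51.100.7:51003 SA
12:00:05 198.51.100.7:51003 -> 192.0.2.10:80 R
12:00:05 198.51.100.7:51004 -> 192.0.2.10:110 S
12:00:05 192.0.2.10:110 -> 198.51.100.7:51004 RA
12:00:05 198.51.100.7:51005 -> 192.0.2.10:443 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SAFR]+)$"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for a line we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return g["src"], int(g["sport"]), g["dst"], int(g["dport"]), set(g["flags"])


def track_flows(lines):
    """Follow each client-initiated flow through the three-way handshake.

    Key is (client, client_port, server, server_port); value is one of
    syn_sent, syn_acked, established, half_open_reset or closed.
    """
    flows = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        forward = (src, sport, dst, dport)   # segment sent by the client
        reverse = (dst, dport, src, sport)   # segment sent by the server
        if flags == {"S"}:
            flows.setdefault(forward, "syn_sent")
        elif flags == {"S", "A"}:
            if flows.get(reverse) == "syn_sent":
                flows[reverse] = "syn_acked"
        elif "R" in flags:
            if flows.get(reverse) == "syn_sent":      # RST/ACK from a closed port
                flows[reverse] = "closed"
            elif flows.get(forward) == "syn_acked":   # client tore the half-open flow down
                flows[forward] = "half_open_reset"
        elif "A" in flags:
            if flows.get(forward) == "syn_acked":     # third packet: handshake completed
                flows[forward] = "established"
    return flows


def detect_syn_scanners(lines, min_ports=5):
    """Flag sources that probed at least min_ports ports and never completed a handshake.

    Returns a sorted list of (source, ports_probed, half_open, closed, unanswered).
    """
    per_src = defaultdict(lambda: {"ports": set(), "established": 0,
                                   "half_open": 0, "closed": 0, "unanswered": 0})
    for (src, _sport, dst, dport), state in track_flows(lines).items():
        stats = per_src[src]
        stats["ports"].add((dst, dport))
        if state == "established":
            stats["established"] += 1
        elif state in ("syn_acked", "half_open_reset"):
            stats["half_open"] += 1
        elif state == "closed":
            stats["closed"] += 1
        else:                                         # syn_sent with no reply at all
            stats["unanswered"] += 1
    hits = []
    for src, stats in per_src.items():
        if len(stats["ports"]) >= min_ports and stats["established"] == 0:
            hits.append((src, len(stats["ports"]), stats["half_open"],
                         stats["closed"], stats["unanswered"]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in detect_syn_scanners(SAMPLE_LOG.splitlines()):
        print("possible SYN scan from %s: %d ports, %d half-open, %d closed, %d unanswered" % hit)
```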
Step 3: Exploitation: There you are, you have found at least one machine that’s running a service vulnerable to some exploit you are now aware of. You can try to exploit the hole reported, using publicly available exploit code, or, when you have become a competent hacker, perhaps write your own exploit. Not all exploits will provide you with System privileges on your target system; many of the security problems are of a different nature, some can cause Denial of Service attacks (another big topic), others are related to more subtle issues, such as ineffective logging. Give it a try, though. See if the problem you have spotted is likely to cause ‘remote arbitrary code execution’. If the problem is a buffer overflow, your chances are good. Check out the MetaSploit framework, an experimental website dedicated to exploit development and research. With some luck, you might end up having System privileges on your target network. This effectively means you can do whatever you want. Even if you have not managed to break in with System privileges, you might try to escalate your privileges while inside. For that, you can use local exploits, a different family of exploits. Use your imagination and creativity. There is no strict rule as to what you can do. You can attempt to go even further, perhaps by obtaining a copy of the local password file. In modern OSs, the password file is encrypted, so you’d better transfer a copy of the password file to your local machine and try to crack it later using one of the many free password crackers. You might now be thinking ‘Hey, what’s all that crap you said before, that strong cryptography is extremely difficult to crack?’ There is one condition under which cryptography is effective: that the user chooses a good password. See, most of the time the cryptographic algorithm generates a hash of the password provided. A hash is a mathematical one-way function that’s meant to be extremely difficult to reverse.
What password crackers do, effectively, is to try to match weak passwords (taken from password lists) with the equivalent entries in a hash file. A different approach (more lengthy indeed) is to try all possible combinations to match a password and its hash. These approaches are tagged Dictionary and Brute Force attack, respectively.
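Two claims from this article can be checked in a few lines: that each extra key bit doubles the work of an exhaustive search (the cryptography paragraph earlier), and that a hashed password file falls to a dictionary check, not to brute force, exactly when the user chose a weak password (the paragraph above). This is an added example, not part of the original article: the shadow-style line format, the PBKDF2-SHA256 hash, the low iteration count, the accounts, the fixed salts and the wordlist are all constructed for the demo.

```python
import hashlib
import hmac
import math

# --- Key-length arithmetic ---------------------------------------------------

def brute_force_guesses(key_bits):
    """Worst-case number of keys an exhaustive search must try for a key_bits-bit key."""
    return 2 ** key_bits


def years_to_exhaust(key_bits, guesses_per_second):
    """Wall-clock years needed to try every key at a fixed guess rate."""
    return brute_force_guesses(key_bits) / guesses_per_second / (365 * 24 * 3600)


def password_strength_bits(password, alphabet_size):
    """Effective key length of a password drawn uniformly from alphabet_size symbols."""
    return len(password) * math.log2(alphabet_size)


# --- A constructed password file and the hash that protects it ---------------

ITERATIONS = 2000  # deliberately low so the demo runs instantly; real systems use far more


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash: same password + same salt -> same digest, nothing reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_entry(user, password, salt):
    """Shadow-style line: user:$pbkdf2-sha256$iterations$salt_hex$hash_hex."""
    return f"{user}:$pbkdf2-sha256${ITERATIONS}${salt.hex()}${hash_password(password, salt)}"


# Salts are fixed here only so the example is reproducible; a real system draws
# them from os.urandom(16) per account so equal passwords give different hashes.
SHADOW = [
    make_entry("alice", "letmein", bytes.fromhex("00112233445566778899aabbccddeeff")),
    make_entry("bob", "correct-horse-battery-staple-9Q!", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
    make_entry("carol", "password1", bytes.fromhex("0123456789abcdef0123456789abcdef")),
]

# Constructed wordlist; a real dictionary check would use millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1", "dragon"]


def parse_entry(line):
    """Split a shadow-style line back into (user, scheme, iterations, salt, hash_hex)."""
    head, scheme, iterations, salt_hex, hash_hex = line.split("$")
    return head.rstrip(":"), scheme, int(iterations), bytes.fromhex(salt_hex), hash_hex


def audit_weak_passwords(shadow_lines, wordlist):
    """Dictionary check over your own password file: returns {user: matching_word}.

    Only accounts whose password is literally in the wordlist are recovered; bob's long
    passphrase is untouched, because the hash gives no partial credit for near misses.
    """
    found = {}
    for line in shadow_lines:
        user, scheme, iterations, salt, stored = parse_entry(line)
        if scheme != "pbkdf2-sha256":
            raise ValueError(f"unsupported scheme {scheme!r} for {user}")
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt, iterations), stored):
                found[user] = candidate
                break
    return found


if __name__ == "__main__":
    print("40-bit key at 1e9 guesses/s:", years_to_exhaust(40, 1e9), "years")
    print("41-bit key takes", brute_force_guesses(41) // brute_force_guesses(40), "x as long")
    print("256-bit key at 1e9 guesses/s:", years_to_exhaust(256, 1e9), "years")
    print("'letmein' from a-z is worth", round(password_strength_bits("letmein", 26), 1), "bits")
    print("weak accounts:", audit_weak_passwords(SHADOW, WORDLIST))
```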
Step Null: Web Application Hacking: A category of devices that deserves special treatment is that of Web Servers. To you, the newbie, this can probably be interpreted as website hacking. Websites sit on machines called Web Servers, which run special software to achieve their goal (serve web content to you). We classify this as ‘application hacking’ because most of the stuff runs at the application (the highest) layer of the OSI seven-layer model. There’s a bunch of nasty things you can do to web applications, including, but not limited to, SQL injection, path traversal, and cross site scripting. The list goes on. For a very good interactive tutorial on application testing, I refer you to WebGoat (www.owasp.org). As far as automated Web app scanning goes, there’s a fine tool called Nikto which launches specialised attacks to test security and/or patching level. Manually speaking, there’s a suite of tools called proxies which you will find very useful if you are interested in application testing. Proxies basically sit between you and the web server, acting as a man-in-the-middle. All requests that you send to the web server can be intercepted and modified by the proxy before they leave your machine. In this way, you can craft customised requests, mess around with HTTP, manipulate cookies, change fields as you see fit, and see what happens. Some nice, free proxies for Windows are Odysseus, Achilles and WebScarab.
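Two of the application-layer problems named above, SQL injection and path traversal, come down to the server treating request data as code or as a trusted path. As an added example that is not from the original article, here is the vulnerable form of each beside its hardened form, in Python with sqlite3; the user table, the plain-text password column (kept only to make the demo short) and the document root are constructed for the demo.

```python
import posixpath
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("guest", "guest")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """BAD: request fields are pasted into the SQL text, so a quote in the input
    ends the string literal and whatever follows is parsed as SQL."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, name, password):
    """GOOD: placeholders hand the fields to the driver as data; they are never re-parsed,
    so a quote inside the password is just a character to compare."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


WEB_ROOT = "/var/www/html"   # assumed document root for the demo


def static_path_vulnerable(requested):
    """BAD: joins and normalises, but never checks that the result stays under WEB_ROOT,
    so '..' segments in the request walk out of the document root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested.lstrip("/")))


def static_path_hardened(requested):
    """GOOD: resolve the path first, then require WEB_ROOT to be its prefix."""
    full = posixpath.normpath(posixpath.join(WEB_ROOT, requested.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        raise ValueError(f"path traversal rejected: {requested!r}")
    return full


def is_safe_static_path(requested):
    """Boolean wrapper around static_path_hardened for callers that prefer not to catch."""
    try:
        static_path_hardened(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"          # classic injection string, sent as the password
    print("vulnerable login, tampered password:   ", login_vulnerable(conn, "admin", tampered))
    print("parameterised login, tampered password:", login_parameterised(conn, "admin", tampered))
    print("parameterised login, real password:    ", login_parameterised(conn, "admin", "s3cret"))
    print("vulnerable path for ../../etc/passwd:  ", static_path_vulnerable("../../etc/passwd"))
    print("hardened path accepts css/site.css:    ", is_safe_static_path("css/site.css"))
    print("hardened path accepts ../../etc/passwd:", is_safe_static_path("../../etc/passwd"))
```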
Step Nullx02: Firewall Hacking / IDS evasion: Due to the increase in electronic attacks, the high availability of information and tools, and human stupidity, today’s IT landscape is very tight. One can envisage a company’s network as a castle, without an easy way in. Devices called Firewalls can be thought of as the walls protecting the castle; Intrusion Detection Systems can be viewed as guard dogs. What a firewall effectively does is take responsibility for defining which services and protocols will be allowed in and out of the castle. It’s a passive, but effective, means of defence if configured correctly. IDS systems usually work with attack signatures. Their role is to be more active, logging and preventing potential attacks. They also attempt to stop so-called 0-day hacks by applying intelligent hostile activity recognition methods to incoming traffic, even when there is no actual match to one of the attack signatures in the database. Firewall hacking is difficult and requires skill and creativity. One simple approach is to try and tunnel hostile traffic through a port/service that is being permitted by the firewall ‘officially’. Port 80, the one used to allow internal users to browse the web, is a good candidate for experimentation. IDS evasion can also be a difficult task, because these systems are getting more and more intelligent as we speak. One straightforward approach to attempt to cause confusion is packet fragmentation. When tools such as fragrouter by Dug Song are used, the IDS cannot tell with certainty whether the incoming packets constitute an attack or not, because the structure of the packets differs from the signatures in the IDS’ database. To be honest with you, this last step is a bit advanced, but I thought I’d mention it here since I had some free space, and it’s an important part of the IT infrastructure.
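The fragmentation trick described above only works against a sensor that matches signatures packet by packet; a sensor that reassembles the stream first sees the same bytes the target host will see. As an added example that is not from the original article, here is a toy matcher over constructed fragments: the fragments, the signature and the first-fragment-wins overlap rule are assumptions made for the demo.

```python
# Constructed fragments as (byte offset, payload). They arrive out of order and the
# suspicious string is split across fragment boundaries, so no single fragment holds it.
FRAGMENTS = [
    (8, b"../etc/p"),
    (0, b"GET /../"),
    (16, b"asswd HTTP/1.0\r\n"),
]

# Constructed signature for the demo: a path-traversal request.
SIGNATURE = b"../../etc/passwd"


def naive_match(fragments, signature):
    """Per-packet matching: look for the signature inside each fragment on its own."""
    return any(signature in payload for _offset, payload in fragments)


def reassemble(fragments):
    """Place each fragment at its offset in one buffer.

    Where two fragments overlap, the bytes that arrived first are kept (an assumption
    for the demo; real TCP/IP stacks differ on this, which is why an IDS must mirror
    the policy of the host it protects). Gaps left by missing fragments stay zero.
    """
    total = max(offset + len(payload) for offset, payload in fragments)
    buf = bytearray(total)
    seen = bytearray(total)                 # 1 once a byte position has been filled
    for offset, payload in fragments:       # arrival order decides overlaps
        for i, byte in enumerate(payload):
            if not seen[offset + i]:
                buf[offset + i] = byte
                seen[offset + i] = 1
    return bytes(buf)


def reassembled_match(fragments, signature):
    """Stream matching: reassemble first, then look for the signature once."""
    return signature in reassemble(fragments)


if __name__ == "__main__":
    print("per-packet match:  ", naive_match(FRAGMENTS, SIGNATURE))
    print("reassembled match: ", reassembled_match(FRAGMENTS, SIGNATURE))
    print("reassembled bytes: ", reassemble(FRAGMENTS))
```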
Considerations & Conclusions: As I said before, hacking in our era can be dangerous. Needless to say, I do not have responsibility if you do anything stupid with the knowledge and tools that you became aware of in this document. Handle with caution. Other than that, may I wish you, reader, good luck in your journey to knowledge through hacking. It is a difficult and certainly long journey, and you will often feel disappointed and might consider quitting. I strongly suggest that you stay, though, for it is a fascinating field and many interesting people are involved in it. I wish to stress one more time, here, that if you feel like staying with us, please do it right, and don’t be one of these lusers who go out there and change HTML (the equivalent of spray painting) on some old, forgotten, unprotected and unpatched web servers operated, perhaps, by the catholic church of Stoke-on-Trent. These people give a bad reputation to hacking, and are certainly not hackers themselves.
Contact: That’s it reader. I hope you have gained some useful information from this document I composed. Even more, I hope that you might be inclined to research these issues for yourself, hopefully under the right ethics and mentality, as a true hacker should. Obviously, this is just an A4 you’re holding so you probably didn’t expect me to fit in here even more information than I already did. Feel free to contact me with your opinion/feedback on this paper. If you intend to ask me any questions, though, be very careful. If you manage to convince me that you have spent considerable time on research, tried different approaches, used your brain but still have not managed to reach a sound conclusion, I will be more than happy to help you. (If I know the answer, which I seriously doubt for I am a novice as well). If, on the contrary, you send me an email with a very lame question that clearly demonstrates you fall into the dreadful category of hotmail password seekers/lazy lusers that want everything served to them without moving their little finger, then I am afraid that I will not reply to you, hell I might even try to spam your mailbox (joke). I’m sorry if my communication approach does not satisfy you, but these are the rules of the game. Take care.

Guest Post by (Pascal.Cretain[AT]gmail.com)

An awful lot has been said about hacking, most of it is simply not true. Due to misinformation, ignorance, the decline of mass media, and other miscellaneous obscure powers, hacking has been associated with electronic crime, illegal access to forbidden realms, the pentagon, the FBI, the CIA, the Russian mafia, credit card fraud, identity theft, software piracy, vandalism, corruption, murder and death. Give me a break. A hacker, in the original sense, is a person who is curious, inventive, intelligent, eager to learn, willing to discover (and perhaps fail a thousand times before achieving any result) alternative ways of using tools and ideas. Using a metaphor here, if I may, a hacker is a bit like a child; she likes to take things apart to see what’s inside, and find out how things actually work. A hacker likes to stretch things to their limits, use devices in ways they were not meant to be used, cross borders and break rules just for the sake of experimentation. A real hacker does not give a fuck about the potential trophy (be it a p0rn, software, monetary compensation, sensitive databases or anything else) waiting for her as soon she has gained access to a restricted domain using a creative, alternative route to circumvent the defence mechanisms in place. She might e-mail the system administrators to let them know that their security is crap, at best, leave everything impact, then move on to a new project. A hacker is more than anything else, a student, not a criminal mind, period. This definition is not necessarily restricted in the world of computing. One can hack in real life. If you decide that your TV does not have any positive effect on your life when it’s on, and decide to cover it with a table cloth, and use it to eat your breakfast on, then you have hacked your TV, in a primitive fashion. Well done, that’s a great starting point.

There is a reason why all this bad hype around hacking has been created. See, hacking is tightly bound with intelligence, creativity and free spirit. Now these attributes are a bit of a threat to governments, global regulators and other bodies ‘in charge’ who want to run the show. To achieve their goal easily and effectively, the controlling powers need to have obedient, non-creative and certainly not very intelligent citizens under their supervision. Where this profit-making, control seeking ‘plan’ is supposed to lead humanity is beyond me, still there is a good chance that this is the way things work nowadays. It is not a coincidence that formal education has degraded to simple (biased) information processing. Our schools, institutions, society and family do not encourage creative and alternative thinking. In fact, they are afraid of it. This concept can extend even more, taking into consideration our lives and career aspirations in general. As the freegan manifesto (http://freegan.info/?page=anotherview) accurately proclaims, as much as capitalists like equating the free market with freedom, our lives are severely constrained under capitalism. Here in we are all expected to live within the rules of a specific narrow model. We go to schools that promote hierarchy and obedience while suppressing creativity and indoctrinating us with the patriotic dogmas and distorted histories of the dominant forces of our national leadership. We are compelled to fiercely compete for the best grades so that we can get into the best college, run up big debts on college loans that we will spend years paying off. Get good grades, get into the best grad school, get a high paying job, buy lots of stuff, buy a house and spend years paying off the mortgage, have kids, keep working to the point where out jobs become miserable unending chores, put our kids through college and grad school so they can start on the same cycle. 
We go through a mid-life crisis where we wonder what the point of it all is. We retire and get sick with degenerative diseases from a lifetime of eating an unhealthy, fast-food, meat based died and from sedentary living– miserable desk jobs and hours spent vegetating in front of corporate pablum on television. As we degenerate, bored, lonely, and isolated in a society that overvalues competition and undervalues community, we are shipped off to nursing homes, eventually end up in hospitals that attempt to prolong miserable and unhealthy lives, with surgical procedures and drugs and radiation treatments that are tremendously profitable to insurance companies, hospitals, physicians, and medical equipment and drug manufacturers, but do little to address the underlying issues of poor health and often make us even sicker. Eventually we die, providing income to the undertakers, coffin manufacturers, funeral parlours, and cemeteries to turn our corpses into formaldehyde filled hazardous waste that will not be cycled back into the ecosystem locked in boxes made of dead rainforest trees or strip-mined metals. This is considered “a successful life’ for the Western middle class and lower portions of the upper class. Apparently, I got a bit carried away, but follow me and you will see where I am getting at.

Don’t panic, though, for all is not lost. We have the unbelievable luxury of living in the internet era. Now this is a whole new topic again, and a huge one indeed, but it is very relevant to this study for certain reasons. If you think back some years ago, access to information and knowledge was very, very different. First of all, there used to be one horrible restriction on acquiring information: it had a price. To learn how to be a doctor, computer programmer, lawyer, journalist, biologist or builder, you had to buy many expensive books and/or go to expensive schools. Your very evolution itself was too damn hard, since every time you encountered a problem, an unknown condition in your field, you had to go to public libraries, make expensive telephone calls to fellow professionals, spend time investigating and, if you were lucky enough to find a solution, you would rely on it just because it was the only solution you were able to locate. That is not the case today. Today’s internet is a gift: an ever-changing, almost organic collection of all sorts of information that brings together individuals and ideas of all races, social classes, religions, scientific fields and arts. The power of this mechanism lies in its multi-inclusive nature. Looking for an answer to a question you might have, you are very likely to encounter tons of crap, some quite good approaches, and a few superb ones. You will, though, invariably gain the ability to evaluate, judge, search and think for yourself. And that, my friend, is a tremendous skill. In fact, it is the very root of becoming a superior human being and understanding the world you happen to live in, in depth, so you can make conscious choices and reject this or that lifestyle that ‘they’ are trying to enforce upon you. Computer (or real life) hacking just happens to be one of the benefits drawn from this new skill that you will (hopefully) acquire.
So, if there is one service you have to buy in this damn world, it is, in my humble opinion, a good internet connection. Get DSL. Assuming that, living in London, you speak English, internet access is all you are ever going to need (provided that you have a computer; a crappy one will do, get your uncle’s old PC that he was planning to donate to charity if you have to), plus some spare time to invest.

Trust me on this one, reader: it will not always be like this. The internet is a very new invention, and a very groundbreaking one. As happens with all radical inventions in the history of mankind (the wheel, electricity, relativity), it takes quite some time until people are eventually able to govern the new invention’s power and restrict its potential misuse through rules, legislation and supervision. The early stages are somewhat ‘experimental’ and very liberal. Man (including the superior forces running the show) has realised the full potential of the internet as a generous profit-making source. Since one of our main characteristics is greed, people quickly became addicted to (and dependent on) the internet, and now refuse to let go. Fortunately for the rest of us, who are not profit-oriented, various healthy tendencies, including open source information exchange, grew in parallel and quietly found their place on the internet. Because nobody actually ‘owns’ the internet, it is deemed very unlikely that the internet is going to shut down some time soon for ‘general maintenance and regulations introduction’. Control is happening, though. Slowly it spreads over the wires through mechanisms like legislation and sniffing. There are, however, countermeasures to being supervised: cryptography is a good one. Cryptography was made available to the masses about a decade ago through a program called PGP (Pretty Good Privacy), written by a genius hacker called Phil Zimmermann. Cryptography is another, very complicated issue that we are not going to cover here, but it is worth mentioning that the strength of your encrypted messages relies on the size (in bits) of the encryption key. If 40 bits are used, it’s quite easy to decrypt. If 256 bits are used, it’s bloody difficult, even for governments or intelligence agencies, to decrypt your message.
This is because each bit added to the key doubles the work needed to break the cipher by trying every key, so a cipher with a 41-bit key is twice as hard to crack (takes twice the time) as one using 40 bits. This is why the US government has put restrictions on the export of cryptographic algorithms (40 bits, I think), and has classified cryptography under ‘weapons’, so that they can maintain control of the game. Moral of the story: (ab)use the internet in its present form, for it might not last that long.

While it is possible to hack computer networks without being a programmer (or at least being able to read and understand code), I strongly suggest you acquire that skill. Remember, the goal is not to scratch the surface (as Sick Of It All says), but to get a shovel and start digging. If you want to hack wisely, you have to understand how the tools you are going to use actually work. That’s why I personally support the ‘open source’ approach: it gives you access to the underlying architecture of all the tools you are using. In that way, you can really understand what’s going on behind the scenes, and perhaps modify anything as you see fit. The languages commonly used in the computer security field are ANSI C (often used in a scripting approach under the UNIX shell), and many general purpose scripting languages such as Tcl, Perl and Python. I have seen apps recently written in pure Java, though this language is generally not preferred in the underground. Moreover, you must get acquainted with the basic concepts of computer networking. There are a few protocols which are extremely popular and you should know how they work. These include the TCP/IP protocol suite (including UDP and ICMP), the mail protocols (POP3 and SMTP) and various others such as HTTP. You should also get familiar with the major operating systems, Windows and Linux. There are things you can do with one but can’t with the other, so you should learn and use both. If you have no fuckin’ clue what I’m talking about in these last few lines, then I strongly urge you to get an internet connection (see above) and start using www.google.com to educate yourself. I shall warn you here, reader, that the legislation on computer attacks is rapidly changing, and getting stricter every day.
So as soon as (and if) you ever start launching attacks against computer networks, be sure to launch them against networks you own, or ones that you have formal authorisation to perform testing against, to avoid getting in trouble. It is perfectly possible to hide your tracks and clean up your mess effectively, but it is a very daunting task, something that comes with experience. As a newbie, you might as well forget about it for the time being.

I suspect what you might be thinking: ‘Hey, that’s all good, now teach me how to hack!’, and, gee, I really hope that I’m wrong. See, there is a reason why I decided to release this document at this very event – the resistance festival. Taking into account the fact that you came here, you are quite likely a person who already has an ‘alternative’ approach to life. You try to differentiate yourself from the mass through unconventional music and other art forms, ‘revolutionary’ appearance (we have all been there at one time or another), maybe travelling and the like. If you have followed me up to this point, you have hopefully realised that the mission of this document is not to provide some quick guide to getting porn, and certainly not to illegally accessing your girlfriend’s hotmail account. It is to teach you how to be a creative problem solver, and how to seek knowledge. The means employed to try and get you started is computer hacking. This is because it just so happens that I have an elementary knowledge of this field, I consider it interesting, and I feel that there is great potential in it. If, on the other hand, you are one of them people who want to learn how to hack computer systems because it is considered ‘elite’, or to get some free shit, while having no genuine interest in improving yourself (or perhaps the security mechanisms employed in the IT industry nowadays) and eventually getting (more) wise, then to hell with you anyway. Forget you ever read this document and go back to whatever you were doing. The community does not need you.

Section II: Doing it


Although I have been fiercely propagating creativity, I do believe that it is important to follow (not religiously, though) a standard methodology when hacking. This ensures that you hack effectively and do not forget any necessary steps due to your enthusiasm or various other reasons. Of course, the methodology you choose should be one you have studied thoroughly (or created yourself; even better), and customised to your specific needs. What we are talking about here is a hacked methodology, in the sense of our earlier definition of what hacking essentially is. A nice, open-source methodology for security testing is provided by the fine folks at ISECOM, and is called OSSTMM. I suggest you have a look at it. Now moving on to the juicy bits.

Step 1: Profiling the target (fingerprinting): Just like in real life, the first thing you need to do when planning an attack is information gathering. If your target was to break into a house, you wouldn’t just smash the window and enter, not if you didn’t want to get busted, that is. The same goes for hacking. Your main source for gathering information is, you guessed it, the internet. Use the main search engines (Google is good, but there are tons of other search engines that you might want to have a look at; see Fravia’s www.searchlores.org to learn how to find anything and everything on the web). Identify IP addresses, domain name servers, telephone numbers (might come in handy for war dialling), key personnel names; try to find messages in public message boards seeking technical information on specific problems they might have, for this might reveal specific software or hardware they are running, as well as version numbers. Gather e-mail addresses and e-mail server IPs, articles written by the target’s personnel, whatever seems relevant and you can lay your hands on. Use tools such as SamSpade, query the public Whois databases (like www.ripe.net), do what you have to do, be creative. This way, you will plot a nice picture of the target through public channels, without having to query the target at all. This phase might seem dull to you, but it’s the quintessence of hacking. Without this information you will surely be lost and helpless, in danger of knocking on other people’s virtual doors, or even worse, knocking in vain where it is unlikely that you will ever get an answer.

Step 2: Scanning & Beyond: Now comes the point where you reckon you have gathered enough information to start getting more active. You have discovered several public-facing devices, perhaps a couple of firewalls, routers, web and mail servers, and you wonder what you can do to them. This is when you start scanning your target. The art of scanning attempts to find out which particular services and program daemons are listening, and on which ports. While there are several methods (Xmas, Null, Full, UDP) to discover such information, the most common and effective one is to send synchronisation (SYN) requests to your target. This is also known as the half-open TCP connection: the scanner sends a SYN, notes whether a SYN/ACK comes back, and never completes the handshake. It usually manages to obtain a list of ports which demonstrated an interest, revealing that there is something running there. When there is something running, it can probably be exploited. You can use tools like Nmap by Fyodor, or SuperScan (GUI)/ScanLine (command line) by Foundstone. There are many free scanners out there; go and have a look for yourself. An indispensable part of port scanning is the so-called banner grabbing. This functionality is included nowadays with many of the freely available scanners, and what it does is try to tell you more about what it has found, such as which piece of software is active, what version it is running, etc. There is a beautiful tool capable of doing myriads of things that might help you in this goal too, and this tool is called Netcat. Netcat tries to establish a remote connection to a user-defined port, and sometimes it can achieve that, often revealing sensitive, useful information that will help you better profile your target’s vulnerabilities. Alternatively, you can use a splendid free tool called Nessus, which does just that, without getting you into manual trouble at all. Nessus is a general purpose scanner, which runs off a constantly updated vulnerability database.
If you run Nessus against your target, it will inform you of any specific holes it has found, and will propose remedial action. If you like it manual, though, you can now browse to a public vulnerability database (hint: www.securityfocus.com), and see which (if any) exploits are applicable in your situation.
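The half-open SYN scan described above leaves a distinctive trail: SYNs to many ports from one source that are never followed by the ACK which completes the handshake. This is an added example, not code from the original article, showing how a defender would pick that trail out of connection records; the records, addresses and the threshold of five ports are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed TCP packet summaries (not from the article), in the shape a firewall log
# or packet capture might give: (src_ip, dst_ip, service_port, tcp_flags), where
# service_port is always the port on the server side regardless of direction.
#   10.0.0.5   completes a normal three-way handshake to port 443.
#   10.0.0.9   makes one attempt to a closed port and gets a RST.
#   203.0.113.7 SYNs eight ports; the two open ones get SYN/ACK, which it tears down
#              with RST instead of finishing the handshake (a half-open scan).
RECORDS = [
    ("10.0.0.5", "192.0.2.10", 443, "S"),
    ("192.0.2.10", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "192.0.2.10", 443, "A"),
    ("10.0.0.9", "192.0.2.10", 8080, "S"),
    ("192.0.2.10", "10.0.0.9", 8080, "R"),
]
for _port in (21, 22, 23, 25, 80, 110, 443, 3389):
    RECORDS.append(("203.0.113.7", "192.0.2.10", _port, "S"))
    if _port in (22, 80):  # open ports: SYN/ACK back, scanner answers with RST
        RECORDS.append(("192.0.2.10", "203.0.113.7", _port, "SA"))
        RECORDS.append(("203.0.113.7", "192.0.2.10", _port, "R"))
    else:                  # closed ports: the target answers with RST
        RECORDS.append(("192.0.2.10", "203.0.113.7", _port, "R"))


def half_open_scan_sources(records, port_threshold=5):
    """Return {src_ip: [ports]} for every source whose SYNs to at least
    `port_threshold` distinct ports on one host were never followed by the ACK
    that completes the handshake. A normal client sends S then A; a SYN scanner
    sends S and then R (or nothing), so its ports stay in the 'never completed' set.
    A production detector would also window by time; this keeps the core logic only."""
    syn_ports = defaultdict(set)  # (src, dst) -> ports where src sent a bare SYN
    ack_ports = defaultdict(set)  # (src, dst) -> ports where src sent the final ACK
    for src, dst, port, flags in records:
        if flags == "S":
            syn_ports[(src, dst)].add(port)
        elif flags == "A":
            ack_ports[(src, dst)].add(port)
    suspects = {}
    for key, ports in syn_ports.items():
        never_completed = ports - ack_ports[key]
        if len(never_completed) >= port_threshold:
            suspects[key[0]] = sorted(never_completed)
    return suspects


if __name__ == "__main__":
    for src, ports in half_open_scan_sources(RECORDS).items():
        print(f"possible SYN scan from {src}: ports {ports}")
```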

Step 3: Exploitation: There you are, you have found at least one machine that’s running a service vulnerable to some exploit you are now aware of. You can try to exploit the hole reported using publicly available exploit code, or, when you have become a competent hacker, perhaps write your own exploit. Not all exploits will provide you with System privileges on your target system; many of the security problems are of a different nature, some can cause Denial of Service attacks (another big topic), others are related to more subtle issues, such as ineffective logging. Give it a try, though. See if the problem you have spotted is likely to cause ‘remote arbitrary code execution’. If the problem is a buffer overflow, your chances are good. Check out the Metasploit framework, an experimental website dedicated to exploit development and research. With some luck, you might end up having System privileges in your target network. This effectively means you can do whatever you want. Even if you have not managed to break in with System privileges, you might try to escalate your privileges while inside. For that, you can use local exploits, a different family of exploits. Use your imagination and creativity. There is no strict rule as to what you can do. You can attempt to go even further, perhaps by obtaining a copy of the local password file. In modern OSs, the passwords in the password file are stored encrypted (hashed, to be precise), so you’d better transfer a copy of the password file to your local machine and try to crack it later using one of the many free password crackers. You might now be thinking ‘Hey, what’s all that crap you said before about strong cryptography being extremely difficult to crack?’ There is one condition under which cryptography is effective: that the user chooses a good password. See, most of the time the cryptographic algorithm generates a hash of the password provided. A hash is a mathematical one-way function that’s meant to be extremely difficult to reverse.
What password crackers do, effectively, is to try to match weak passwords (taken from password lists) with the equivalent entries in a hash file. A different approach (more lengthy indeed) is to try all possible combinations to match a password and its hash. These approaches are tagged Dictionary and Brute Force attack, respectively.
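The dictionary and brute-force attacks just described, and the earlier point that every extra key bit doubles the work, can both be seen in a few lines. This is an added example, not code from the article: the password file, wordlist and users are constructed, and the toy hash is a single unsalted SHA-256, deliberately simpler than what a real OS uses so that the mechanics show through.

```python
import hashlib
import itertools
import string


def hash_password(password):
    """Toy hash: one unsalted SHA-256 round. Real systems add a per-user salt and use
    a deliberately slow function (bcrypt, scrypt, Argon2) precisely to make the two
    attacks below expensive; the one-way property is the same."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed password file (not from the article): user -> hash of their password.
SHADOW = {
    "alice": hash_password("password"),
    "bob": hash_password("letmein"),
    "carol": hash_password("Vq7#pL2!wZ9r"),  # not in any wordlist, too long to brute-force here
}

# Constructed wordlist standing in for the lists real crackers ship with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def dictionary_attack(shadow, wordlist):
    """Hash each candidate word once and look it up against every stored hash:
    the hash is never reversed, the guess is simply hashed the same way."""
    by_hash = {h: user for user, h in shadow.items()}
    cracked = {}
    for word in wordlist:
        user = by_hash.get(hash_password(word))
        if user is not None:
            cracked[user] = word
    return cracked


def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=3):
    """Try every string over `alphabet` up to `max_len`, shortest first.
    Returns (password or None, number of hashes computed)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(symbols, length):
    """Worst-case number of candidates brute force must cover. For a binary key
    `symbols` is 2, so each extra bit doubles the work: the 40- vs 41-bit point."""
    return symbols ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(SHADOW, WORDLIST))
    print("brute force 'abc':", brute_force(hash_password("abc")))
    print("41-bit / 40-bit work ratio:", keyspace(2, 41) // keyspace(2, 40))
```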

Step Null: Web Application Hacking: A category of devices that deserves special treatment is that of web servers. To you, the newbie, this can probably be interpreted as website hacking. Websites sit on machines called web servers, which run special software to achieve their goal (serving web content to you). We classify this as ‘application hacking’ because most of the stuff runs at the application (the highest) layer of the OSI seven-layer model. There’s a bunch of nasty things you can do to web applications, including, but not limited to, SQL injection, path traversal, and cross site scripting. The list goes on. For a very good interactive tutorial on application testing, I refer you to WebGoat (www.owasp.org). As far as automated web app scanning goes, there’s a fine tool called Nikto which launches specialised attacks to test security and/or patching level. Manually speaking, there’s a class of tools called proxies which you will find very useful if you are interested in application testing. Proxies basically sit between you and the web server, acting as a man-in-the-middle. All requests that you send to the web server can be intercepted and modified by the proxy before they leave your machine. In this way, you can craft customised requests, mess around with HTTP, manipulate cookies, change fields as you see fit, and see what happens. Some nice, free proxies for Windows are Odysseus, Achilles and WebScarab.

Step Nullx02: Firewall Hacking / IDS evasion: Due to the increase in electronic attacks, the high availability of information and tools, and human stupidity, today’s IT landscape is very tight. One can envisage a company’s network as a castle, without an easy way in. Devices called firewalls can be thought of as the walls protecting the castle; Intrusion Detection Systems can be viewed as the guard dogs. What a firewall effectively does is take responsibility for defining which services and protocols will be allowed in and out of the castle. It’s a passive, but effective, means of defence if configured correctly. IDS systems usually work with attack signatures. Their role is to be more active, logging and preventing potential attacks. They also attempt to stop so-called 0-day hacks by applying intelligent hostile activity recognition methods to incoming traffic, even when there is no actual match to one of the attack signatures in the database. Firewall hacking is difficult and requires skill and creativity. One simple approach is to try and tunnel hostile traffic through a port/service that is ‘officially’ permitted by the firewall. Port 80, the one used to allow internal users to browse the web, is a good candidate for experimentation. IDS evasion can also be a difficult task, because these systems are getting more and more intelligent as we speak. One straightforward approach to attempt to cause confusion is packet fragmentation. Using tools such as fragrouter by Dug Song, the IDS cannot tell with certainty whether the incoming packets constitute an attack or not, because the structure of the packets differs from the signatures in the IDS’ database. To be honest with you, this last step is a bit advanced, but I thought I’d mention it here since I had some free space, and it’s an important section in the IT infrastructure.
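Why fragmentation confuses a signature matcher, and what the IDS side has to do about it, is easiest to see in miniature. This is an added example, not code from the article or from fragrouter: the payload and the signature token are constructed, and the matcher stands in for a real IDS rule’s content match.

```python
# Constructed traffic and signature (not from the article). The token below stands in
# for the content string a real IDS rule would look for.
SIGNATURES = [b"ATTACK-MARKER"]
PAYLOAD = b"GET /index.html?q=ATTACK-MARKER HTTP/1.0\r\n"


def fragment(payload, size):
    """Split a payload into (offset, data) pieces, the way IP fragmentation does."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def match_per_packet(fragments, signatures):
    """Naive IDS: inspects each fragment on its own. A signature that straddles a
    fragment boundary never appears whole in any single packet, so it is missed.
    That is the evasion the article attributes to fragrouter."""
    return [sig for sig in signatures if any(sig in data for _, data in fragments)]


def reassemble(fragments):
    """Put fragments back in offset order. A stream with a hole or an overlap is
    refused rather than guessed at, because the endpoint's view is then unknown."""
    stream = bytearray()
    for offset, data in sorted(fragments, key=lambda frag: frag[0]):
        if offset != len(stream):
            raise ValueError(f"gap or overlap at offset {offset}")
        stream += data
    return bytes(stream)


def match_reassembled(fragments, signatures):
    """IDS with reassembly: matches against the byte stream the target will actually
    process, so fragment boundaries no longer hide anything."""
    stream = reassemble(fragments)
    return [sig for sig in signatures if sig in stream]


if __name__ == "__main__":
    frags = fragment(PAYLOAD, 8)   # 8-byte fragments cut the marker in two
    frags.reverse()                # and they arrive out of order
    print("per-packet  :", match_per_packet(frags, SIGNATURES))
    print("reassembled :", match_reassembled(frags, SIGNATURES))
```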

Considerations & Conclusions: As I said before, hacking in our era can be dangerous. Needless to say, I take no responsibility if you do anything stupid with the knowledge and tools that you became aware of in this document. Handle with caution. Other than that, may I wish you, reader, good luck in your journey to knowledge through hacking. It is a difficult and certainly long journey, and you will often feel disappointed and might consider quitting. I strongly suggest that you stay, though, for it is a fascinating field and many interesting people are involved in it. I wish to stress one more time, here, that if you feel like staying with us, please do it right, and don’t be one of these lusers who go out there and change HTML (the equivalent of spray painting) on some old, forgotten, unprotected and unpatched web server operated, perhaps, by the Catholic church of Stoke-on-Trent. These people give hacking a bad reputation, and are certainly not hackers themselves.

Contact: That’s it reader. I hope you have gained some useful information from this document I composed. Even more, I hope that you might be inclined to research these issues for yourself, hopefully under the right ethics and mentality, as a true hacker should. Obviously, this is just an A4 you’re holding so you probably didn’t expect me to fit in here even more information than I already did. Feel free to contact me with your opinion/feedback on this paper. If you intend to ask me any questions, though, be very careful. If you manage to convince me that you have spent considerable time on research, tried different approaches, used your brain but still have not managed to reach a sound conclusion, I will be more than happy to help you. (If I know the answer, which I seriously doubt for I am a novice as well). If, on the contrary, you send me an email with a very lame question that clearly demonstrates you fall into the dreadful category of hotmail password seekers/lazy lusers that want everything served to them without moving their little finger, then I am afraid that I will not reply to you, hell I might even try to spam your mailbox (joke). I’m sorry if my communication approach does not satisfy you, but these are the rules of the game. Take care.
