
Volume 18
Dec 2000



Tools of the Trade (Part II)
 by Characterdisorder & Oubug


Introduction

What are your tools of the trade? This article focuses on tools that help you analyze a targeted system on the Internet, an intranet, an extranet, or through remote access. My first article, Tools of the Trade (Part I), was a very general piece on the importance of the command shell, an editor and a programming language: the basic tools you need to understand in order to progress to the "next step". For example, if you understand the command shell and a basic scripting language, say Perl, you can easily automate many of the painstaking processes involved in analyzing a system. The tools you use depend upon the targeted system (listen to what this is saying!). For the sake of this article, assume that the system includes everything (network, firewall, OS, etc.), because every piece of the puzzle is important.

Let's get started adding some fun and interesting tools to your toolbox, and providing you with a systematic approach to analyzing target systems. Good luck!

Case da Joint

Casing da joint is the process of gathering as much information about your target as you can, in order to make educated decisions in your attack plan (I mean analysis of the target). It lets you know the lay and feel of the land, and in some cases you will come to know the target better than its own administrators do. You want to learn everything you can about your target, right? What tools can you use to case da joint? The following tools can be used:

Tool                    Where to find it / what it does

Usenet                  http://www.deja.com
EDGAR                   http://www.sec.gov/edgarhp.htm
Search engines          Any search engine on the World Wide Web.
Whois                   http://www.networksolutions.com/
                        http://www.arin.net
                        http://whois.ripe.net
                        http://whois.apnic.net
                        http://whois.nic.mil
                        http://whois.nic.gov
Nslookup                Diagnostic tool that queries Domain Name System (DNS) name servers and displays what they return: addresses, mail exchangers, name servers, and (with ls -d in interactive mode) the whole zone if the server allows zone transfers.
Traceroute (UNIX)       Diagnostic utility that determines the path a packet takes between two hosts by sending UDP probes with increasing Time-To-Live (TTL) values; every router that expires a probe reveals itself, which maps the routers and the network topology.
Tracert (NT)            Same idea, but sends Internet Control Message Protocol (ICMP) echo packets with varying TTL values to the destination.

Usenet is a good starting point because people are always posting questions, and in these questions they give away free information that makes their systems vulnerable. "Hey, I just installed this brand name firewall software using the default settings and my question is…" joeh@Kr*ft.com. The EDGAR database is another great place to start. The idea here is that when a company buys out another company, they rush to get the acquired company onto their corporate network, and security can get neglected in the process, leaving a couple of doors and windows open. Whois is another starting point for figuring out the range of IP addresses and network blocks associated with your target. Another word to keep in mind is stealth. You really don't want to give away your intentions about what you are going to do, right? If you don't get my point, then you need to read The Art of War.
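The point of the whois lookups is to come away with a list of net blocks you can feed to the sweeps in the next section. The script below is an added example for this page, not code from the original article: it pulls the NetRange / CIDR lines (ARIN style) and inetnum / route lines (RIPE and APNIC style) out of whois output and summarizes them into CIDR blocks and a host list. The whois excerpt is constructed for the example and uses the RFC 5737 documentation ranges, not a real target.

```python
"""Turn whois net ranges into the CIDR blocks and host list a sweep needs."""
import ipaddress
import re

# Constructed whois excerpts (not real registry data). ARIN prints
# "NetRange: a - b" plus "CIDR:"; RIPE/APNIC print "inetnum: a - b" and "route:".
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-NET-2
route:          203.0.113.0/24
"""

RANGE_RE = re.compile(r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)", re.I | re.M)
CIDR_RE = re.compile(r"^(?:CIDR|route):\s*(.+)$", re.I | re.M)


def netblocks(whois_text):
    """Return the sorted, de-duplicated CIDR blocks mentioned in whois output."""
    blocks = set()
    for first, last in RANGE_RE.findall(whois_text):
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A range like .0 - .127 is not always one CIDR; summarize_address_range
        # returns the minimal list of blocks that covers it exactly.
        blocks.update(ipaddress.summarize_address_range(start, end))
    for rest in CIDR_RE.findall(whois_text):
        # ARIN may list several blocks on one line, comma separated.
        for cidr in re.split(r"[,\s]+", rest.strip()):
            if cidr:
                blocks.add(ipaddress.ip_network(cidr, strict=False))
    return sorted(blocks, key=lambda n: (n.network_address, n.prefixlen))


def sweep_targets(blocks):
    """Expand blocks to the addresses a ping sweep would probe (hosts() drops
    the network and broadcast addresses of each block)."""
    return [str(h) for net in blocks for h in net.hosts()]


def summarize(whois_text):
    """Blocks as strings plus the number of hosts a sweep would have to touch."""
    blocks = netblocks(whois_text)
    return {"blocks": [str(b) for b in blocks],
            "host_count": len(sweep_targets(blocks))}


if __name__ == "__main__":
    print(summarize(SAMPLE_WHOIS))
```

Note that the same /24 appears both as a NetRange and as a CIDR line, and comes out once; the 128-address inetnum becomes a /25. Run it over the real output of `whois -h whois.arin.net` for each block you found and you have the input for the next step.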

Scanning for Life

Scanning is really simple: you perform ping sweeps on the ranges of IP addresses and network blocks you found to determine which systems are alive, then port scan the live hosts to find out which services they run. The following tools can be used:

Tool                    Where to find it / what it does

Ping                    Diagnostic command that verifies connectivity to one or more remote hosts.
Fping                   http://www.stanford.edu/~schemers/docs/fping/fping.html
Hping                   http://www.eaglenet.org/antirez/
PingER                  http://www-iepm.slac.stanford.edu/pinger/tools/tools.html
Icmpquery               http://www.securiteam.com/tools/ICMPQuery__remote_host-type_detection.html
WS_Ping ProPack         http://www.ipswitch.com
Nmap                    http://www.insecure.org/nmap/
Netcat                  http://www.l0pht.com/~weld/netcat/
PortPro                 http://www9.50megs.com/commited/TOOLz.html
Portscan                http://www.ameth.org/~veilleux/portscan.html
Cheops                  http://www.marko.net/cheops/
BindView                http://www.bindview.com
Chknull                 http://www.nmrc.org/files/netware/chknull.zip
Strobe                  http://www.hack-net.com/cgibin/download.cgi?strobe-1_03.tgz
NTInfoScan              http://www.infowar.co.uk/mnemmonix

Find Some Valid Users

Finding some valid users is the process of probing to identify valid user accounts or poorly protected shared resources. The following tools can be used:

Tool                    Where to find it / what it does

Net view                Lists the computers on the network (net view) or the shares a host offers (net view \\host).
Windows NT Resource Kit CD-ROM of useful stuff!
Dump ACL                http://www.somarsoft.com
User2sid                http://www.chem.msu.su/~rudnyi/NT/
                        http://www.hackersclub.com/km/library/hack99/wardoc.txt
Sid2user                http://www.chem.msu.su/~rudnyi/NT/
                        http://www.hackersclub.com/km/library/hack99/wardoc.txt
Null sessions           http://packetstorm.securify.com/NT/docs/null.sessions.html
Finger                  Connectivity command that displays information about a user on a specified system running the finger service.
Rpcbind                 http://uw7doc.sco.com/SDK_netapi/xdrD.rpcbind.html
Showmount               showmount -e host lists the filesystems the host exports over NFS; showmount -a lists the clients that have mounted them.
Banner grabbing         Connect to a service port with Telnet or Netcat and read what the daemon says first; the banner usually names the software and its version.
Rpcinfo                 http://uw7doc.sco.com/SDK_netapi/rpcpD.rpcinfo.html
Legion                  http://www.rhino9.com
Netcat                  http://www.l0pht.com/~weld/netcat/
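The port scanners listed under Scanning for Life (Nmap, Strobe, Portscan, Netcat) and the banner grabbing entry above are two halves of one loop: connect to each port, and on the ones that answer, read what the daemon says. The script below is an added example for this page, not code from the original article or from any of the tools listed. It does a plain TCP connect scan (what nmap -sT or strobe does) and grabs banners: chatty services like FTP, SMTP, POP3 and SSH speak first, so we just read; a silent one is sent an HTTP HEAD and the Server: header of the reply becomes the banner. start_fake_service() and closed_port() are constructed test doubles so the example runs offline against 127.0.0.1; they are not part of the technique.

```python
"""TCP connect scan plus banner grab, run against constructed local listeners."""
import socket
import threading

PROBE = b"HEAD / HTTP/1.0\r\n\r\n"   # what we send to a service that stays quiet


def scan_port(host, port, timeout=1.0):
    """Return 'open' (handshake completed), 'closed' (RST) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                 # timeout, unreachable, ...: nothing came back
        return "filtered"
    finally:
        s.close()


def recv_or_empty(sock, n=1024):
    """recv() that turns a timeout into an empty read."""
    try:
        return sock.recv(n)
    except socket.timeout:
        return b""


def grab_banner(host, port, timeout=1.0):
    """Banner of an open port, or '' if it never says anything.

    Chatty daemons are read directly; a quiet one gets an HTTP HEAD and the
    Server: header of the answer is used as its banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = recv_or_empty(s)
        if not data:
            s.sendall(PROBE)
            data = recv_or_empty(s)
    text = data.decode("ascii", "replace")
    for line in text.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return text.splitlines()[0].strip() if text.strip() else ""


def scan(host, ports):
    """Map each port to (state, banner); banners are only grabbed on open ports."""
    results = {}
    for port in ports:
        state = scan_port(host, port)
        results[port] = (state, grab_banner(host, port) if state == "open" else "")
    return results


# ---- constructed test doubles so the example runs offline -----------------
def start_fake_service(banner=b"", reply_to_probe=b""):
    """Listen on a free 127.0.0.1 port; either speak first (banner) or answer
    whatever the client sends (reply_to_probe). Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(3.0)
            try:
                if banner:
                    conn.sendall(banner)
                elif recv_or_empty(conn):
                    conn.sendall(reply_to_probe)
            except OSError:
                pass                # the scanner hung up before we could write
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Grab a free port and release it again, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ftp = start_fake_service(banner=b"220 ftpd (Version wu-2.6.1) ready.\r\n")
    web = start_fake_service(reply_to_probe=b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.12 (Unix)\r\n\r\n")
    for port, (state, banner) in scan("127.0.0.1", [ftp, web, closed_port()]).items():
        print("%5d  %-8s %s" % (port, state, banner))
```

The three states matter: "closed" means the host answered with a reset, so it is alive even if it dropped your pings; "filtered" means a firewall ate the probe. Remember the stealth point from the first section: a connect scan completes the handshake and every open port logs it, which is why Nmap's SYN scan exists.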

Gain Access!

Gaining access is just what it says: we are looking to gain access to a system, and at this point we don't care at what level. Root access would be nice, but sometimes you have to take what you can get. The following tools can be used:

Tool                    Where to find it

Tcpdump                 http://netgroup-serv.polito.it/windump/
                        http://www.tcpdump.org/
L0phtcrack readsmb      http://www.l0pht.com/l0phtcrack/
Tftp                    http://www.weird-solutions.com/
Pwdump2                 http://www.webspan.net/~tas/pwdump2/
Ttdb                    http://www.tinaa.com/TTdb/
eEye                    http://www.eeye.com/html/
IISHack                 http://www.datafellows.com/v-descs/iishack.htm
Legion                  http://www.rhino9.com
NwpCrack                http://www.nmrc.org/files/netware/nwpcrack.zip
SNMPsniff               http://www.anitcode.com/archives/network-sniffers/snmpsniff-1_0.tgz

Doing Some Crack

Below is a list of some tools available for password cracking. What it always comes down to is brute force: hash each candidate and compare it against the hashes you dumped, trying a wordlist first, then mangled variants of the words, and finally every possible combination. The following tools can be used:

Tool                    Where to find it

L0phtcrack              http://www.l0pht.com/l0phtcrack/
NTFSDOS                 http://www.sysinternals.com
Pwdump2                 http://www.webspan.net/~tas/pwdump2
John the Ripper         http://www.false.com/security/john
Chknull                 http://www.nmrc.org/files/netware/chknull.zip
NDSsnoop                ftp://ftp.iae.univ-poitier.fr/pc/netware/util/ndssnoop.exe
Crypto and Crypto2      http://www.nmrc.org/pandora/
IMP                     http://www.wastelands.gen.nz/
brute_web.c             http://sunshine.sunshine.ro/fun/new/
pop.c                   http://sunshine.sunshine.ro/fun/new
middlefinger            http://www.njh.com/latest/9709/9709-05.html
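To see why "it always comes down to brute force", here is the loop every cracker in the list runs, as an added example for this page; it is not code from L0phtcrack, John the Ripper or the original article. Three stages: the wordlist as-is, John-style mangled variants of each word (case changes, appended digits, leetspeak, reversal), and finally exhaustive brute force over a small alphabet. The dump is constructed: SHA-1 stands in for the unsalted LM/NT hashes pwdump2 would give you (the hash function is a parameter), and the plaintexts were chosen to show one hit per stage, two users sharing a password, and one password that survives.

```python
"""Dictionary attack with word mangling, then brute force, on unsalted hashes."""
import hashlib
import itertools
import string

WORDLIST = ["password", "summer", "letmein", "admin", "welcome"]   # constructed


def sha1_hex(candidate):
    """Stand-in hash; swap in the real LM/NT routine for a pwdump file."""
    return hashlib.sha1(candidate.encode()).hexdigest()


def mangle(word):
    """Yield the word and the cheap variants people actually choose."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for cand in (base, base + "1", base + "123", base + "!", base[::-1]):
            if cand not in seen:
                seen.add(cand)
                yield cand
    leet = word.lower().translate(str.maketrans("aeios", "43105"))
    if leet not in seen:
        seen.add(leet)
        yield leet
    for year in range(100):              # summer00 ... summer99
        cand = "%s%02d" % (word, year)
        if cand not in seen:
            yield cand


def brute_force(alphabet, max_len):
    """Every string over alphabet up to max_len characters, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(dump, wordlist=WORDLIST, hash_fn=sha1_hex, max_len=3):
    """dump: {user: hex_hash}. Returns {user: (password, stage)} for the hits.

    Unsalted hashes let one candidate be checked against every user at once,
    so a single pass over the candidates is enough; users with the same hash
    fall together (same password)."""
    pending = {}                                  # hash -> [users]
    for user, h in dump.items():
        pending.setdefault(h, []).append(user)
    found = {}
    stages = (("wordlist", iter(wordlist)),
              ("mangled", (c for w in wordlist for c in mangle(w))),
              ("brute", brute_force(string.ascii_lowercase + string.digits, max_len)))
    for stage, candidates in stages:
        for cand in candidates:
            users = pending.pop(hash_fn(cand), None)
            if users:
                for user in users:
                    found[user] = (cand, stage)
            if not pending:
                return found
    return found


# Constructed dump. In practice these rows come out of pwdump2 or NTFSDOS; the
# plaintexts are listed only so the example can build its own hashes.
PLAINTEXTS = {"joe": "password", "dave": "password", "admin": "Summer1",
              "guest": "ab1", "root": "Tr0ub4dor&3"}
DUMP = {user: sha1_hex(pw) for user, pw in PLAINTEXTS.items()}

if __name__ == "__main__":
    hits = crack(DUMP)
    for user in PLAINTEXTS:
        print("%-6s %s" % (user, hits.get(user, ("<not cracked>", ""))))
```

The LM hash is worse than this picture: the password is uppercased and split into two 7-character halves hashed independently, so L0phtcrack effectively brute-forces two 7-character passwords, which is why it finishes in hours. Only root's password survives here, and only because it is long and off the wordlist; that is the whole argument of the conclusion below.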

Give Yourself Some ROOT

In the previous step we were looking to gain access to the targeted system; now we need to escalate the privileges. The beauty of this step is that once you have some access, it's only a matter of time before you get root and own the house. The following tools can be used:

Tool                    Where to find it / what it does

L0phtcrack              http://www.l0pht.com/l0phtcrack/
Rdist                   Program to maintain identical copies of files over multiple hosts; it runs setuid root, and old versions had local root holes.
Getadmin                http://cmp.phys.msu.su/ntclub/pub/code.htm
                        http://www.cmpsoft.com/getadmin.htm
Sechole                 http://www.ntsecurity.net/security/sechole.htm

Stealing and Looking to Branch Out

Stealing is different than gaining access to a target, because in this step you are looking to expand your horizons to other systems that trust the one you own. Stealing is such a bad word to use to describe what you are doing, but I guess it's the only word to use. The following tools can be used:

Tool                    Where to find it / what it does

.rhosts file            The .rhosts file specifies which remote systems or users can access a local account using rsh or rcp without a password.
LSA Secrets             http://www.insecure.org/sploits/NT.LSA.secrets.html
User data               Found on the target system.
Configuration files     Found on the target system.
Registry                Found on the target system.
File Wrangler           http://www.tucows.com
PowerDesk               http://www.mijenix.com/powerdesk98.asp
Revelation              http://www.snadboy.com

Cover Your Ass

Once you have obtained total ownership of the target... hide! If they detect you, your fun and games could come to an end. The following tools can be used:

Tool                    Where to find it / what it does

Event Logs              Found on the target system.
Elsave                  http://www.ibt.ku.dk/jesper/ELSave/default.htm
                        http://www.networkshareware.com/audit.html
Hidden directories      Found on the target system.
Cygwin                  http://www.cygnus.com
Wipe                    ftp://ftp.technotronic.com/unix/log-tools/wipe-1.00.tgz
Zap                     ftp://ftp.technotronic.com/unix/log-tools/zap.c
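The caveat on the UNIX log cleaners: zap does not delete your records from utmp, wtmp and lastlog, it overwrites them with zero bytes, and on Linux the logout (DEAD_PROCESS) record that init writes has its user field cleared, so a cleaner matching on your user name leaves the logout behind with no login in front of it. An administrator who walks wtmp record by record instead of running last sees both. The checker below is an added example for this page, not code from the original article or from zap or wipe; it parses glibc's struct utmp layout (384 bytes on x86 and x86-64 Linux) and the wtmp image it reads is constructed.

```python
"""Find the holes a zap-style log cleaner leaves in a Linux wtmp file."""
import struct

UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"   # struct utmp, glibc/Linux (assumed layout)
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384 bytes
USER_PROCESS, DEAD_PROCESS = 7, 8            # ut_type values from <utmp.h>


def pack_record(ut_type, pid, line, user, ts):
    """Build one wtmp record; host, id and address are left empty for brevity."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield (index, record) per 384-byte slot; record is None for an all-zero slot."""
    for i in range(len(data) // UTMP_SIZE):
        chunk = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if chunk == b"\0" * UTMP_SIZE:
            yield i, None
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        yield i, {"type": f[0], "pid": f[1],
                  "line": f[2].rstrip(b"\0").decode(),
                  "user": f[4].rstrip(b"\0").decode(),
                  "host": f[5].rstrip(b"\0").decode(),
                  "time": f[9]}


def audit_wtmp(data):
    """Return a list of findings (strings) for one wtmp image."""
    findings = []
    open_lines = {}       # tty/pty line -> user currently logged in on it
    last_time = 0
    for i, rec in parse_wtmp(data):
        if rec is None:
            findings.append("record %d: all-zero (zap-style overwrite)" % i)
            continue
        if rec["time"] < last_time:
            findings.append("record %d: timestamp goes backwards (file edited)" % i)
        last_time = max(last_time, rec["time"])
        if rec["type"] == USER_PROCESS:
            if not rec["user"]:
                findings.append("record %d: login with empty user name" % i)
            open_lines[rec["line"]] = rec["user"]
        elif rec["type"] == DEAD_PROCESS:
            if rec["line"] not in open_lines:
                findings.append("record %d: logout on %s with no matching login"
                                % (i, rec["line"]))
            open_lines.pop(rec["line"], None)
    return findings


# Constructed wtmp: alice logs in and out on tty1; an intruder's login on pts/0
# was zeroed by a cleaner but the logout survived; then bob logs in on pts/1.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 100, "tty1", "alice", 1000),
    pack_record(DEAD_PROCESS, 100, "tty1", "", 1100),
    b"\0" * UTMP_SIZE,                                   # zapped login record
    pack_record(DEAD_PROCESS, 200, "pts/0", "", 1300),
    pack_record(USER_PROCESS, 300, "pts/1", "bob", 1400),
])

if __name__ == "__main__":
    for finding in audit_wtmp(SAMPLE_WTMP):
        print(finding)
```

Point it at a real /var/log/wtmp (open in binary mode; the layout assumption above holds for glibc on x86 and x86-64, other platforms differ) and it prints the same two kinds of finding. The lesson for the attacker is the one the section title gives: hiding is harder than it looks, and a cleaner that leaves holes is worse than none because the holes are evidence by themselves.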

Back Doors

Back doors are important because they ensure that privileged access can be regained easily, again and again. This is what's so scary when you realize your system has been compromised: the administrator starts wondering where all the back doors, hidden treats and surprises are. It's the administrator's worst nightmare come true. The following tools can be used:

Tool                    Where to find it / what it does

Cron                    http://users.erols.com/graysteel/wincron.html
                        http://hegel.ittc.ukans.edu/topics/linux/man-pages/man8/cron.8.html
Startup folder          Found on the target system.
Registry keys           Found on the target system (the Run and RunOnce keys under HKLM and HKCU start programs at logon).
Netcat                  http://www.l0pht.com/~weld/netcat/
Keystroke loggers       http://www.spaceports.com/~command/keylog.html
Fpnwclnt.dll            Windows NT security issue: anyone who is logged on locally, or who has write access to a share that includes the %SystemRoot%\System32 folder, can place a "Trojan horse" version of Fpnwclnt.dll in the System32 folder.
Elitewrap               http://www.multimania.com/trojanbuster/elite.zip
Getadmin                http://www.ntsecurity.net/security/getadmin.htm
Hunt                    http://www.genocide2600.com/tattoman.scanners/hunt-1.3.tgz
John the Ripper         http://www.false.com/security/john
Revelation by Snadboy   http://snadboy.com
Sechole                 http://www.ntsecurity.net/security/sechole.htm
Unhide                  http://www.webdon.com
Back Orifice            http://www.cultdeadcow.com

Conclusion

There are many more tools out there on the Internet that have not been mentioned in this article. I hope that this article provided you with a good, strong starting point and a guide to a more systematic approach to analyzing a system. Now it's up to you to start applying, learning and progressing in the use of your new tools. You should now categorize your toolbox, label each step in the process of analyzing a system, and identify the tools for each category.

A topic that I didn't talk about much is remote access and the tools that can be used to compromise a target through it. Investment and banking institutions have tons of clients that access their systems via remote access such as modems. You might want to check this out, because clients are lazy people who are given simple usernames and passwords, even when they access a MetaFrame server via an ICA client over the Internet. Strong usernames and passwords... forget it! If users were a little more creative, we'd have a tougher time cracking and hacking around.

Things just don't happen. Evolution does not exist; everything happens by design or by failure of the design. Nothing is coincidental in our world. The best thing to do is start hacking and cracking around with the different tools. If you find more tools that could help, please drop me an email.

Characterdisorder & Oubug

For a really good book check out "Hacking Exposed – Network Security Secrets & Solutions" by Stuart McClure & Joel Scambray & George Kurtz. It’s a really good book that goes beyond listing the tools that I have in this article!