How malicious hackers attack

When developing software or defending a network, it’s helpful to understand how malicious hackers hack. A dedicated attacker will fingerprint the intended host, starting first with available IP addresses and then perform TCP -- and sometimes UDP -- scans looking for active and listening TCP/IP ports. Each found port is then further fingerprinted to determine the listening application. For example, if port 80 is found, is it running Apache or IIS?

All the applications running on the targeted host are then recorded and the underlying operating system is enumerated. At this point, the attacker has eight primary, basic ways to break in. They are:

1. Log-on credential or password guessing/cracking
2. Buffer overflow
3. Application or OS vulnerability
4. Application or OS misconfiguration
5. Data malformation -- SQL injection, XSS, and so on
6. Sniffing/eavesdropping
7. Client-side attack
8. Social engineering

Buffer overflows are responsible for many of the most popular, widespread attacks -- Blaster, Slammer, Ramen worm, and so on. A malicious hacker can code their own buffer overflow or choose from thousands of pre-coded buffer overflows found on the Internet. Milw0rm is one of the favorite buffer overflow download sites. Other Web sites come and go, but milw0rm lives on.

If you don’t want to download and compile a buffer overflow program, you can install the Metasploit framework. Buffer overflow hacking doesn’t get any easier than that, but Metasploit is still young and growing and contains just over 100 exploits.

OS or application misconfiguration is another popular hacker choice. I’ve audited many Web sites throughout the years, only to find that the Everyone group (or World group in Linux) had Full Control (or RWX) permissions to all files and folders. This means anyone connecting to that server has complete control of the box. Sometimes these servers have been up and misconfigured for years.

How does it happen? I saw the problem all the time in older versions of Windows: The administrator was trying to add one person or group with new permissions to a particular high-level folder, and Windows prompted them with a message dialog box similar to “Replace all permissions on files and folders beneath this level with these new permissions?” The administrator, not really understanding the consequences of their actions, replies “Yes” to ensure that their new permissions, for the one new user or group, get applied. But in reality, they’ve just replaced all previous permissions for all users with what should have been limited to one folder for one user or group.

Even when everything is patched and there are no misconfigurations, enterprising hackers can malform their input so that the accepting application barfs (yes, that’s a technical word), commingling expected data into executable commands. For example, many online databases do not contain appropriate data validation checks on incoming data. The hacker can place into a data field a command that ends up being executed on the database server to provide unauthorized remote access or dump data.

It’s important to remember that the vast majority of attacks against your network are automated, appearing in the form of viruses, worms, Trojans, and bots, and using a client-side attack with some form of social engineering.