By using the same tools and methods that malicious attackers rely on, and with the owner's authorisation, you can attempt to gain access to a server. Whether or not the attempt succeeds, the results identify the fixes and upgrades needed to improve security and to detect and respond to malicious activity.
Gathering intelligence
The first phase of any hacking attempt generally involves the collection of information about the relevant target. This includes identifying the target system and gathering salient details about its IP addresses, operating system, hardware, network configuration and infrastructure, DNS records and so on. This can be done in a variety of ways, but it is most often done with automated tools that probe a server for open services and then scan those services for known vulnerabilities. The operating system and the software behind each open port can often be identified by carefully examining the responses the various software subsystems send when accepting (or even sometimes rejecting) inbound connections: service banners, HTTP response headers and quirks in the TCP/IP stack all differ between implementations and versions. This information narrows down the kinds of software known to commonly run on a given hardware and operating-system configuration, and the weaknesses associated with them. Hackers use tools that can test for a variety of security issues, including misconfiguration of software present on the targeted server, the presence of common or unchanged default passwords, outdated software in need of updating or patching, and similar issues.
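The fingerprinting step above, as an added example (not code from the original article): two parsers that pull product, version and an operating-system hint out of the responses a web server and an SSH server return on connection, plus a small live banner grabber that the offline samples do not exercise. The HTTP response and SSH identification string are constructed sample data, not captures from any real host, and the distro lookup table is an assumption kept deliberately short.

```python
import re
import socket
from typing import Optional

# Constructed sample responses (not captured from any real host).
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"

# Assumed: a tiny lookup table of distro names that vendors commonly put in banners.
OS_HINTS = ("Ubuntu", "Debian", "FreeBSD", "Raspbian", "CentOS", "Win32")

# "Apache/2.4.41" or "OpenSSH_8.2p1" -> ("Apache", "2.4.41") / ("OpenSSH", "8.2p1")
PRODUCT_RE = re.compile(r"^([A-Za-z][\w-]*?)[/_](\d[\w.-]*)")


def split_product(token: Optional[str]):
    """Split a 'name/version' or 'name_version' token; None if it has no version."""
    if not token:
        return None
    m = PRODUCT_RE.match(token)
    return (m.group(1), m.group(2)) if m else None


def parse_http_headers(raw: str) -> dict:
    """Return the response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_http(raw: str) -> dict:
    """Software and OS hints leaked by Server / X-Powered-By headers."""
    h = parse_http_headers(raw)
    server = h.get("server", "")
    os_hint = None
    m = re.search(r"\(([^)]+)\)", server)  # e.g. "Apache/2.4.41 (Ubuntu)"
    if m:
        os_hint = m.group(1)
    return {
        "product": split_product(server.split(" ")[0]),
        "powered_by": split_product(h.get("x-powered-by")),
        "os_hint": os_hint,
    }


def fingerprint_ssh(banner: str) -> dict:
    """Parse an SSH identification string: 'SSH-<proto>-<software> [comments]' (RFC 4253)."""
    m = re.match(r"SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?", banner.strip())
    if not m:
        return {"protocol": None, "product": None, "os_hint": None}
    comment = (m.group("comment") or "").lower()
    os_hint = next((d for d in OS_HINTS if d.lower() in comment), None)
    return {
        "protocol": m.group("proto"),
        "product": split_product(m.group("software")),
        "os_hint": os_hint,
    }


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Live probe (not used by the offline samples): read whatever the service sends first.
    Web ports need a request before they answer; SSH volunteers its banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if port in (80, 8080):
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(1024).decode(errors="replace")
    except OSError:
        return None


if __name__ == "__main__":
    print(fingerprint_http(SAMPLE_HTTP_RESPONSE))
    print(fingerprint_ssh(SAMPLE_SSH_BANNER))
```

Note that the same headers are what a defender removes or minimises (ServerTokens Prod in Apache, dropping X-Powered-By): the less a response volunteers, the less a scanner can match against a vulnerability database.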
Reconnaissance tools
HTTrack: An open-source web crawler which allows users to download entire websites to a local, offline computer for analysis
Maltego: A proprietary link analysis and data mining tool, available in a free Community Edition, used to map relationships between domains, addresses, people and organisations
Nessus: A vulnerability assessment scanner that checks for conditions such as software misconfiguration or deprecation, insecure or missing passwords and denial-of-service vulnerabilities which might allow a malicious attacker to gain access to, or total control over, a system
Netsparker: Scans the sites, applications and services present on a web server for vulnerabilities, regardless of its operating system
Nikto: Scans for dangerous files and CGIs, outdated server software and software misconfiguration known to be exploitable by malicious attackers
ScanMyServer: A free online tool which crawls through every page of a specified website or blog and attempts to identify various security issues
These tools can provide a great deal of information about the targeted server — including data like the names of employees or staff members, email addresses associated with the server, computer names, network structure information and user account information. Armed with the right kind of knowledge about the target, you can move on to the next phase: attempting to gain access.
Hacking in
Using the gathered data, you can determine viable options for attempting to gain access to data stored on the server or control over the server itself. This can be done in many ways, but generally will involve efforts that rely on proven intrusion techniques. The Open Web Application Security Project, or OWASP, is a non-profit foundation devoted to web application security. It maintains the OWASP Top 10, an awareness document listing the most common and most dangerous categories of web application weakness that attackers use to gain unauthorised access to web servers. Known vulnerabilities are typically the easiest, most effective and most efficient way to gain unauthorised control of a server, and they are the ones malicious attackers rely on most. Though some hackers use tools or methods that deviate from these common attacks, many will simply move on and look for a "softer" target if the common attacks fail.
The OWASP top 10
The following categories make up the 2017 edition of the OWASP Top 10, ranked by how common and how severe the weaknesses were in the application data OWASP collected for that release.
Injection: Untrusted input is sent to an interpreter as part of a command or query, so that the attacker's data is executed as code (as in the case of an SQL injection)
Broken Authentication: Relies on stolen, guessable or otherwise mishandled credentials and session identifiers to take over accounts
Sensitive Data Exposure: Occurs when an application doesn't adequately protect data such as passwords, session tokens, financial or personal data, in transit or at rest
XML External Entities (also called XXE): A kind of attack which relies on weaknesses in how an application parses XML data, letting the attacker read local files or reach internal services
Broken Access Control: Relies on failures in user and role permission enforcement to reach data or functions the user should not be allowed to use
Security Misconfiguration: Default accounts, unnecessary features left enabled, verbose error messages, unpatched frameworks and similar setup errors
Cross-Site Scripting (XSS): Similar to injection attacks, XSS allows attackers to inject client-side scripts into pages served to other users, which can be used to hijack sessions, deface pages or redirect victims
Insecure Deserialization: A vulnerability in which untrusted serialized data is deserialized by the application, allowing an attacker to execute code, bypass authentication, cause a denial of service or otherwise circumvent security measures
Using Components with Known Vulnerabilities: Running libraries, frameworks or server software with published, unpatched flaws
Insufficient Logging and Monitoring: The absence of logs and alerting that would reveal an intrusion while it is under way
Once unauthorized access to a targeted server is secured, efforts then generally focus on maintaining control of the server for further exploitation. At this stage, malicious attackers would typically have gained access to one or more user accounts or roles; if they have managed to access a privileged user account, or the service account under which a software package runs on the operating system, this could allow them either to gain administrator privileges or to set up a new administrator account on the system.
Backdoors and covered tracks
Typically, initial security breaches are used to prepare a system for subsequent use or exploitation. Though no overt or implicit misuse may occur when a server is first hacked, many hackers will monitor accounts they have created or gained control over to determine whether their intrusion has been detected. Hackers may use these accounts to attempt to erase or alter logs and other system messages. However, many hackers adopt a wait-and-see approach, opting to refrain from anything "noisy" that may draw attention to them. In terms of vulnerability testing, once a system is compromised, the ethical hacker would then want to access and use the system as a malicious attacker would: monitoring user accounts, attempting to manipulate logs and other system data, and generally trying to erase or otherwise cover evidence of the intrusion. This must stay within the agreed rules of engagement, with every action recorded, so that the changes can be reversed afterwards and the defenders can tell the test apart from a real attack. Though the goal of vulnerability testing is to make a server more secure and resistant to attack, this post-hack activity also serves an important purpose: by reviewing the security logs and the output of other intrusion detection methods, the team can identify further improvements that help detect attacks using an unusual or unknown mechanism, and that protect data and limit access once an attack has succeeded.
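One defensive check worth having in place before the log-manipulation step above, shown as an added example that is not code from the original article: each log line is tagged with an HMAC over the previous tag and the line, so deleting or editing an entry breaks the chain at that point, and the tag of the last entry, stored off-host, exposes truncation. The log lines are constructed samples (no real hosts or addresses), the key name is an assumption, and the design assumes the key lives on the log collector rather than on the host being monitored.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample auth-log lines (not from any real system). The last three are the
# pattern an attacker would most like to remove: a brute force, a root login, a new account.
SAMPLE_LOG = [
    "Jan 10 09:12:01 web1 sshd[2311]: Accepted password for deploy from 10.0.0.5 port 51022 ssh2",
    "Jan 10 09:12:07 web1 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/apt update",
    "Jan 10 09:15:44 web1 sshd[2380]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    "Jan 10 09:15:49 web1 sshd[2380]: Accepted password for root from 203.0.113.7 port 40112 ssh2",
    "Jan 10 09:16:02 web1 useradd[2401]: new user: name=svc_backup, UID=1003, GID=1003",
]

GENESIS = b"\x00" * 32  # fixed previous-tag value for the first entry


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def chain_log(lines: List[str], key: bytes) -> List[Tuple[str, str]]:
    """Return (line, hex tag) pairs where each tag = HMAC(key, previous_tag || line)."""
    prev, out = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        out.append((line, tag.hex()))
        prev = tag
    return out


def verify_chain(entries: List[Tuple[str, str]], key: bytes,
                 expected_last_tag: Optional[str] = None) -> int:
    """Return -1 if the chain is intact.

    Otherwise return the index of the first entry whose tag does not match the recomputed
    chain (an edited or removed entry shows up at the point where the link breaks). If the
    collector's copy of the final tag is supplied and does not match, return len(entries):
    entries were cut off the end, which the chain alone cannot see.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if expected_last_tag is not None and not hmac.compare_digest(prev.hex(), expected_last_tag):
        return len(entries)
    return -1


if __name__ == "__main__":
    key = b"assumed-collector-secret"
    entries = chain_log(SAMPLE_LOG, key)
    anchor = entries[-1][1]  # what the remote collector would hold
    scrubbed = entries[:2] + entries[3:]  # attacker deletes the failed root login
    print("intact:", verify_chain(entries, key, anchor))
    print("deleted entry detected at index:", verify_chain(scrubbed, key, anchor))
    print("truncated tail detected at index:", verify_chain(entries[:-1], key, anchor))
```

The caveat is in the last case: a chain only proves the history up to a point, so the anchor tag (or the whole log) has to be forwarded somewhere the compromised host cannot write, and the HMAC key must not be readable there either, or an attacker with root simply recomputes the chain.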