Hacker's Methodology, a malicious mindset.

In this lecture, we're going to talk about the different steps of the hacking methodology. There are six steps to the hacker's methodology. We're going to perform reconnaissance, scan and enumerate the network, gain our access, maintain our access, and then we're going to place back doors, and cover our tracks on our way out. These are the six steps that every hacking evolution tends to go through. We're going to cover each of them in detail further, and then we'll show you tools and techniques to use those, but in this lecture, we'll talk about a brief overview.

The first step is performing reconnaissance. So in this case we're going to do everything passively; we don't want to touch the victim network yet. Here, we're going to be looking at open source sites on the Internet. So, we're going to be scanning for things like understanding what their networks look like, from their network ranges, their IP addresses. We might be able to find things like ports and protocols. We might find victim email addresses to launch a spear phishing campaign against. We're going to find out who owns their domain. We might find pattern of life on different employees. This is where we start looking and do spend a lot of our time. Most hacking evolutions spend about eighty percent of the hacker's methodology in this phase. Everything we do here is very passive, and we're going to be looking at everything from an arm's reach. We don't want them to know who we are and where we're coming from yet. Some of the techniques we use are things like dumpster diving, Internet harvesting, domain information gathering, we'll be receiving any emails we can find, we'll be checking social media and establishing those patterns of life.

The second step is where we start getting active. It's called scanning and enumeration. So, here's where we might be doing things like port scanning, actually reaching out and touching the network, finding out what ports are open and what services are on those ports. We'll do our enumeration, where we can start figuring out whether they are using Windows, or Linux, or Mac. We'll figure out what versions are running. If they're running a web server, are they running Apache, or are they running IIS? These are all the things we're going to find out during our scanning and enumeration phase that are going to help us build our attack before we ever get into stage three.

In our third step, we're doing our exploitation and we're gaining access. At this point, we're actually going to launch our attack. So, we've spent probably eighty to ninety percent of our time between phase one and phase two at this point, and now we're in our third phase, and our third phase is where we actually launch this attack. This is where we might actually throw an exploit, conduct a social engineering campaign, something where we're being very active, and now our risk level has gone up, because there's a possibility that the organization we're going after can see us, and see what we're doing. At this point, we're either doing client side or remote exploitation. This can be things like social engineering, launching exploits, sending out malicious code that attacks a bug or vulnerability. We could be putting out viruses or Trojans. There are all different ways that we can go about it, and we'll go through some of those in this course.

The fourth phase is we're going to do our escalation of privileges. So, now that we've launched our exploit, we've gained our initial access. Usually we're going to gain access as a user. So for instance, if I do a spear phishing campaign, and one of the users clicks it, it's most likely going to be someone in the generic pool, not a system administrator. So, at this point, I want to be able to get system admin rights. At this point, I'm going to have to do something to get from a user level to a system or root level or a domain administrator, and I'm going to always go for the highest privilege that I can get. The way I'll do this is I'll use various exploits and bugs in the operating system, and we'll use those vulnerabilities to our own advantage. For a Windows environment, the golden ticket that we're looking for here is the domain admin.

Now once I've got those administrative rights, I move into phase five, which is maintaining my access. Just because I have one user account doesn't mean that I'm going to be able to stay in there, because if the system administrators realize that I'm the bad guy, they can just delete that account and then I've lost my access. So, instead, once I get access, I'm going to go and create several user accounts and I'm going to hide myself throughout the system. That way I can gain that persistent access where I can always get back to that network anytime I want. Some of the techniques I'll use here are I'll put network sniffers in there, or key loggers, so I can gain additional usernames and passwords. If I'm a domain admin at this point, I can create my own usernames and passwords, and create new accounts. Of course it's better to steal somebody else's, because then it's easier to blend in because it's a legitimate user. And again our goal here is to maintain persistent access. That might include punching some holes in the firewall, so we have ports that are open and listening for our return when we want to come back.

Finally, the last thing we're going to do in phase six is we're going to hide ourselves, and we're going to cover our tracks. So, at this point, we've created some additional accounts. Now, we're going to put some back doors in and we're going to start going through and clearing out those log files. If there's information we want to steal, this is the point where we're going to start exploiting that information and start downloading it and exfiltrating it. At this point, we might install a rootkit or a backdoor, and this way I can always get back into it; again, this maintains that persistence like I was doing in phase five, but for the long term. A lot of hackers and attackers at this point have their fingers in a lot of different networks, and they don't always go in and steal everything right away. They might go in, lay the groundwork, and then sit dormant for a while, and then they'll take the information they want, or use that network for some other nefarious purpose.

And so as you can see, as we've moved through these six phases in the operation, we went from the passive collection of reconnaissance, then we started getting more and more active, and as we actually get onto the box in stages three and four and five and six, that's where our risk level goes up, because if I'm on the box, there's a chance that I can get caught by the system administrator. So I have to be very careful in where I go and what I do so I don't set off any alarms and trigger any alerts, because I don't want to get caught. I want to be very quiet and very sneaky as I go in, and take the information that I want, and meet my intended purpose.