Hacking is obtaining illegal access to information on your computer, or another person's computer. Password cracking, spoofing, and sniffing are the main techniques that hackers use. A typical network hack could involve all three methods at once. For example:
- A hacker could first trick a user to visit the hacker's site and enter some personal data in it. This is called spoofing.
- While the user is entering the information, the hacker could sniff the network traffic emerging from the user's computer and obtain a list of passwords and logins. This is called sniffing.
- If the passwords are encrypted, the hacker could use a password-cracking tool to decrypt them.
After this, the hacker can access the user's machine with this information. If this hacking attempt takes place over a corporate network or even a website, the result could bring down the entire network or site, or the hacker might access confidential information for industrial espionage.
In this article, I'll cover common hacking techniques such as password cracking, spoofing, sniffing, and, if space permits, the man-in-the-middle attack. Of course, this is not an article on how to hack so I will explain how to protect yourself against these type of attacks.
Using passwords is the most common method of authenticating and securing data. Passwords are used in network logins, securing documents, ATM PINs, and other sensitive areas. I know, I am talking to you like a three-year-old, but just in case there are any absolute newbies out there I want to be thorough.
A password works as a data encryption key or as an authentication key. When a password is used as a data encryption key, the data to be protected gets encrypted. Without the encryption key, this data would appear as a garbled output. I will do a detailed article on encryption one of these days.
For example, to see the effect of not password-protecting a simple Microsoft Word document:
1. Create a new Word file.
2. Enter some text in it.
3. Save and close the file.
4. Open Notepad or any other text editor.
5. Open the Word file in a Hex editor. There are a lot of junk characters in this unencrypted file, but the text you entered is still clearly visible, as shown in Figure 1:
Figure 1: Shows our unencrypted text in a Hex Editor
To see the effect of password-protecting the same Microsoft Word document, encrypt the file as follows:
1. Open the file.
2. Select File -> Save As.
3. Type a new name and select Tools -> Security Options in the dialog box, as shown in Figure 2:
Figure 2: The Security Options
4. In the Security dialog box, enter a password in the Password to open field, as shown in Figure 3. The password is encrypted.
Figure 3: The Security Window
5. Click the Advanced button.
6. Click Advanced to display the Encryption Type dialog box shown in Figure 4:
Figure 4: Encryption Type Window
7. Press OK.
8. In the Confirm Password window, you are prompted to reenter the password. This helps ensure that you remember your password correctly.
9. Save and close, then re-open the file in a Hex Editor. This time you will see something like this:
Figure 5: Our encrypted file
Use of passwords for authentication does not encrypt data. The system just checks whether or not the password presented is correct. If it is, the user is allowed access to, for example, e-mail systems, like Hotmail or Yahoo!, or to your network login account.
Password cracking involves trying to figure out what the password for a given resource is. A hacker carries out a dictionary or hybrid attack, or tries the brute force attack.
This type of attack uses a file that contains an extremely large number of words and tries each word from this file in turn as the password for the target resource. The dictionary file, called the wordlist, is a simple text file containing one word per line.
The principle of this attack is that most people use simple words or combination of words as their passwords. The larger the wordlist, the better are the chances of cracking the password. Most modern password-hacking tools use the dictionary method as their first and fastest method of guessing a password.
Hackers also try each word in different cases. For example, if "that" is the word chosen from the wordlist, the hacker tool would try every combination of uppercase and lowercase letters, as listed in Table 1:
Table 1: Dictionary attack method
Hacking passwords in this way can take quite some time because the hacker needs to try out multiple permutations for each word and needs to repeat the process for every word in the dictionary file. In comparison to the other methods, this is the fastest, but can also be the least effective if the password is non-word based.
In this method, the hacker uses combinations of words and numbers as well as some other attributes, such as file names and dates.
The logic behind this attack is that many users simply rotate their passwords: they add a number to the end of the file name and use that as the password. For example, for the July Sales Report.xls file, a user could choose a password such as SAL1 and the next month change it to SAL2.
Parts of the file name, the date the file was created on, and any words that have a special meaning, such as in July being the 7th month, could signify a password such as SAL7, SAL07, 7SAL, or 07SAL.
Hybrid attacks are logic-based and can even detect non-word passwords. The strength of this attack depends on how well written the guessing engine of the tool is and how many different hybrid attacks it can predict.
This method enables hackers to determine a password by trying every possible combination of characters including lowercase letters, uppercase letters, numbers, punctuation, and special and regular ASCII characters.
The brute force attack starts with a length of one character. It tries every single character once, then every combination of two, three, and so on. A set of possible combinations using the lowercase and uppercase alphabets and the digits is listed in Table 2:
Table 2: Combinations Using Lowercase and Uppercase Alphabets
The number of password-cracking attempts by the hacking tool increases exponentially as the number of characters in the password increases. If you include punctuation and other print characters as well, the number of attempts increases further.
A brute force attack can take a long time, maybe even a week depending on the complexity of the password and the power of the hacking computer. Because this is a very CPU-intensive job, a faster processor used on the hacking machine decreases the time the hacking requires.
This is the most comprehensive attack, and no password is safe from this attack given enough time. The problem for the hacker is being able to dedicate that much time and resources. I know I don't have the time, or patience, to let my computer run for a year on a task.
L0phtCrack is a password-hacking tool. The current release is called LC4 and is available from At Stake Inc. from their Website at http://www.atstake.com/. Figure 7 shows the LC4 interface while it is cracking the passwords on a user's computer. The interface lists users and their passwords. The panel on the right shows the current method of attack. My former employer had me buy this to test their security. They failed.
Figure 7: LC4 Interface
I blacked out some information. Not that I don't trust you guys, but... :)
LC4 uses a 250,000-word long wordlist for the dictionary and hybrid attacks. If these fail, the attack moves on to the brute force method.
A brute force attack in progress is shown in Figure 8. The figure shows the password cracked using the brute force attack after the dictionary and hybrid methods failed. I'll make this picture a bit bigger so you can see some details of this attack in progress:
Figure 8: LC4 Interface, brute force attack in progress
The following simple rules help protect passwords from hackers; I would follow them:
- Select passwords at least eight characters in length.
- Do not use names, words, and common abbreviations for a password.
- Use a combination of uppercase and lowercase letters, numbers, and special characters.
- Do not write down the password anywhere.
- Change your password regularly and do not repeat your passwords.
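To make the three cracking methods above and these rules concrete, here is an added Python example (my own code, not LC4 or anything from the article). It models a dictionary attack with the case permutations of Table 1, the hybrid "file-name stem plus digits" pattern (SAL7, 07SAL), and the brute force keyspace growth of Table 2, then applies the rules to a candidate password. The wordlist, file-name stems and the one-million-guesses-per-second rate are constructed assumptions, not measurements.

```python
import itertools
import re
import string

# Constructed sample wordlist standing in for the 250,000-word list LC4 ships
# with; a real checker would load a file with one word per line.
WORDLIST = {"that", "password", "sales", "report", "letmein", "summer"}
# Constructed stems a hybrid attack would derive from a file name like
# "July Sales Report.xls".
FILE_NAME_STEMS = {"sal", "sales", "july", "report"}

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def case_permutations(word):
    """Every upper/lower spelling of a word, the variants Table 1 lists for 'that'."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def found_by_dictionary(password, wordlist=WORDLIST):
    """Dictionary attack model: the password is a case permutation of a wordlist entry."""
    return any(password in case_permutations(w) for w in wordlist)


_HYBRID = re.compile(r"^(\d{1,4})?([a-z]+)(\d{1,4})?$")


def found_by_hybrid(password, stems=FILE_NAME_STEMS):
    """Hybrid attack model: a file-name stem with up to four digits before or
    after it (SAL7, SAL07, 7SAL, 07SAL); at least one digit group is required."""
    m = _HYBRID.match(password.lower())
    if not m:
        return False
    lead, word, trail = m.groups()
    return bool(lead or trail) and word in stems


def charset_size(password):
    """Alphabet a brute force attack must cover: the union of the character
    classes that actually appear in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def brute_force_keyspace(password):
    """Guesses needed to exhaust every length from 1 up to len(password) over
    that alphabet: the exponential growth Table 2 tabulates."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def assess(password, guesses_per_second=1_000_000):
    """Apply the article's rules and report which attack would find the password.
    guesses_per_second is an assumed rate used only for the time estimate."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than eight characters")
    if found_by_dictionary(password):
        violations.append("case permutation of a wordlist entry")
    if found_by_hybrid(password):
        violations.append("file-name stem plus digits (hybrid pattern)")
    missing = [name for name, chars in CLASSES.items() if not any(c in chars for c in password)]
    if missing:
        violations.append("missing character classes: " + ", ".join(missing))
    space = brute_force_keyspace(password)
    return {
        "password": password,
        "violations": violations,
        "keyspace": space,
        "worst_case_seconds": space / guesses_per_second,
        "acceptable": not violations,
    }


if __name__ == "__main__":
    for pw in ("ThAt", "SAL7", "sales", "July2003", "Kq7#vLp2!wZ"):
        r = assess(pw)
        print(f"{pw:12} keyspace={r['keyspace']:.3e} "
              f"worst-case={r['worst_case_seconds']:.1f}s violations={r['violations']}")
```

Run it and compare the keyspace of an eight-character lowercase word with one that mixes all four classes; the time column is what the "given enough time" remark above really means, and the violations column shows which of the faster methods would never have to wait for it.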
Sniffing is the act of eavesdropping on the network. It works pretty much the same as a phone tap. In most cases, sniffing does not require any specialized equipment; any computer on the network can do the task.
The packet sniffer tool used for sniffing captures and logs all network traffic. Running on any computer on the network, the tool captures and analyzes every network packet that reaches that machine. This mode is known as promiscuous mode. In the default mode, the network card's filter simply rejects any packets not addressed to that machine. Packet sniffers turn this filter off so that all packets are accepted by the network card and passed to the system running the sniffer, where they can be captured.
Because most of the traffic in the network is binary data, the captured log is sent to a protocol analyzer tool, which:
- Analyzes the packets captured
- Figures out the protocol type
- Opens each packet according to the rules of that protocol in order to get to the data in the packet
- Other stuff?
The data can include sensitive information, such as logins and passwords. A skilled hacker can scan the data for such information quickly and possibly get a few passwords transmitted on the network.
Ethernet uses shared media. Every computer on the network can see all the traffic being generated on the network. The Ethernet card installed in each machine contains a filter that rejects any packet that does not have its own Media Access Control (MAC) address. The MAC address is a global 48-bit number that is unique to each piece of Ethernet hardware.
Parts of a Sniffer
A sniffer tool consists of:
- Hardware: Usually a standard Ethernet card in a machine. Advanced network sniffers, such as tools that check cyclic redundancy checks, voltage errors, or jitter, are used for network fault detection and use specialized hardware such as network analyzers. A bit too complex for this article.
- Capture driver: Turns "promiscuous" mode on and captures the traffic that flows past.
- Buffer: Stores the captured data. The buffer could be either disk- or memory-based.
- Protocol analyzer: Reads the captured data, separates it into different protocols, and then opens it to show the hacker the information that the packet contains.
- Packet editor and transmitter: Enables the hacker to change certain values in the packet and to resend the packet on the network with the modified information, thereby enabling the hacker to spoof values in the network. This is an optional add-on tool on the sniffer I am testing.
Many network protocols send login names and passwords in clear text over the network. Hackers usually try to get these logins and passwords by sniffing the network and analyzing the packets.
Modern packet sniffers can even be configured to watch for a specific protocol, such as Telnet, and to automatically open each new packet and look for the login information in the decoded data.
There are two common ways of packet sniffing in a network:
1. Sniffing by internal users: Hackers can run packet sniffers on their machine, looking for admin-level passwords being passed on the network. This allows them to log in as users with high levels of access and gain admission into areas where they have no authorization. They can alter important information about themselves or others, such as payroll information and performance reviews. Screw with someone's salary? Hackers can most likely do it! (the Bastards)
2. Sniffing by external hackers: If a system is connected to the Internet, a hacker who gains access to it can install a packet sniffer on that computer. In a business or other organization, a computer connected to the Internet is most likely also connected to an internal network. By gaining entry into this computer, the hacker can view the traffic in the internal network by running a sniffer. After getting a dump of passwords, the hacker can use the compromised system to hop onto another system in the network, and so on. If he gets this far it will be disastrous.
There are two steps involved in installing packet sniffers:
1. Installing a packet capture driver
2. Installing Ethereal
Install the Packet Capture Driver
To install different packet sniffers on your own machine and view the output from them, you first need to install the packet capture driver for Windows. This is the driver for the network adapter that turns the promiscuous mode on for accepting all the packets flowing across the wire.
The standard packet capture driver for Windows is called WinPcap. To install it:
1. Download the Ethereal software from http://www.ethereal.com/distribution/win32/.
2. Install the driver.
The next tool to install is called Ethereal. This is a free program for Windows that does both sniffing and protocol analysis.
Ethereal can pick up and analyze packet sniffer logs from other popular packet sniffers, such as TCPDump, MS Network Monitor, Novell's LANalyzer, and the commercial EtherPeek. A useful feature of Ethereal is its ability to filter packets by protocol, by string, and even by TCP conversation. To install Ethereal:
1. Download the Ethereal software from http://www.ethereal.com/distribution/win32/.
2. After you accept the license agreement, make sure you check all the available options, as shown in my next figure:
Figure: Installation Options
3. Continue normal install, and then start the program. You should see the following window.
Figure: Main Ethereal Window
4. From the main Ethereal window, select Edit -> Preferences -> Capture to choose the network interface you wish to sniff, as shown in Figure 20:
Figure 20: Selecting Network Interfaces
5. Save your options and return to the main menu.
6. Select Capture -> Start to display the dialog box shown in Figure 21. This dialog box contains options you need to set.
Figure 21: Capture Options in Ethereal
7. Press OK. The main window displays the results of packet sniffing, as shown in Figure 22:
Figure 22: Results of Packet Sniffing
The above window is divided into three parts. The first part shows a single-line summary of each packet that was captured. The second part shows the result of the packet analysis: a description and the values of the header fields for the packet selected in the first part. The final part is the actual hexadecimal and ASCII dump of the packet, and this is where any logins and passwords sent in clear text show up.
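The three panes above, and the protocol analyzer steps listed earlier (open each packet according to the rules of its protocol to get at the data), can be shown in a few dozen lines. The following is an added Python example of my own, not Ethereal's code: it decodes a constructed Ethernet/IPv4/TCP frame into a summary line, the header fields, and a hex dump, and then does the defender's version of what the article says modern sniffers do for Telnet: it flags packets on clear-text protocols that carry a login, with the secret masked in the alert. The MAC addresses, IPs and the FTP/HTTP payloads are constructed sample traffic.

```python
import re
import struct

# Ports whose protocols carry credentials in clear text (the article names Telnet).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]
CREDENTIAL_PATTERNS = [
    ("USER/PASS command", re.compile(rb"^(USER|PASS) +(\S+)", re.I | re.M)),
    ("HTTP Basic Authorization header", re.compile(rb"^(Authorization: *Basic) +(\S+)", re.I | re.M)),
]


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload):
    """Constructed Ethernet II + IPv4 + TCP frame for offline testing (checksums left zero)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Protocol analyzer step: open Ethernet, then IPv4, then TCP, returning the
    header fields (second pane) plus the payload. Other frames come back partly decoded."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return pkt
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    pkt.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)), ttl=ttl, ip_proto=proto)
    if proto != 6:
        return pkt
    t = 14 + ihl
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", frame[t:t + 20])
    data_off = (off >> 4) * 4
    pkt.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=win,
               flags=[name for bit, name in TCP_FLAG_BITS if flags & bit],
               payload=frame[t + data_off:14 + total_len])
    return pkt


def summary_line(pkt):
    """One-line summary per packet, as in the first pane."""
    if "src_port" not in pkt:
        return f"{pkt.get('src_ip', pkt['src_mac'])} -> {pkt.get('dst_ip', pkt['dst_mac'])} (non-TCP)"
    return (f"{pkt['src_ip']}:{pkt['src_port']} -> {pkt['dst_ip']}:{pkt['dst_port']} "
            f"[{','.join(pkt['flags'])}] seq={pkt['seq']} ack={pkt['ack']} len={len(pkt['payload'])}")


def hexdump(data, width=16):
    """Hex and ASCII dump, as in the third pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {text}")
    return lines


def cleartext_credential_alerts(pkt):
    """Defender's check: flag packets on clear-text protocols whose payload carries
    a login. The secret itself is masked so the alert is not a second leak."""
    alerts = []
    if "payload" not in pkt:
        return alerts
    service = CLEARTEXT_PORTS.get(pkt["dst_port"]) or CLEARTEXT_PORTS.get(pkt["src_port"])
    if service is None:
        return alerts
    for label, pattern in CREDENTIAL_PATTERNS:
        for m in pattern.finditer(pkt["payload"]):
            alerts.append(f"{service}: {label} '{m.group(1).decode()} ****' from {pkt['src_ip']}")
    return alerts


# Constructed sample capture: an FTP login, an HTTP request with Basic auth, and a SYN to 443.
_MAC_A, _MAC_B = bytes.fromhex("00aa11bb22cc"), bytes.fromhex("00dd33ee44ff")
SAMPLE_FRAMES = [
    build_tcp_frame(_MAC_A, _MAC_B, "10.0.0.5", "10.0.0.9", 40000, 21, 0x18, b"USER alice\r\nPASS hunter2\r\n"),
    build_tcp_frame(_MAC_A, _MAC_B, "10.0.0.5", "10.0.0.10", 40001, 80, 0x18,
                    b"GET /payroll HTTP/1.0\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    build_tcp_frame(_MAC_A, _MAC_B, "10.0.0.5", "10.0.0.11", 40002, 443, 0x02, b""),
]


def analyze(frames=SAMPLE_FRAMES):
    """Run the three panes plus the credential check over a capture; returns the alerts."""
    all_alerts = []
    for frame in frames:
        pkt = decode_frame(frame)
        print(summary_line(pkt))
        for line in hexdump(pkt.get("payload", b"")):
            print("   ", line)
        for alert in cleartext_credential_alerts(pkt):
            print("  ALERT", alert)
            all_alerts.append(alert)
    return all_alerts
```

Notice that the third frame, a connection to port 443, produces no alert: the analyzer still decodes its headers, but an encrypted protocol gives the credential matcher nothing to find, which is exactly the argument for the "secure protocols" rule later in the article.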
Another useful command line tool for Windows is WinDump, a port of the very popular and powerful UNIX network sniffer TCPDump. This is available from http://netgroup-serv.polito.it/windump/. This tool simply captures the data appearing on an interface and logs it as a file. It is efficient and does not require an installation. Simply running the executable file, as long as the packet driver WinPcap is installed, will let you quickly dump the traffic to a file.
After you install Ethereal, you can run it as a command-line application to keep other users from knowing about it. If it is running from the command line, it is very difficult for anyone to tell what it is.
You need to be concerned about sniffers from both inside and outside of the network. To prevent sniffer attacks on the network, you can use:
1. A switched network rather than a shared one. Use switches instead of hubs. This prevents casual sniffing of your network because the data is well segregated and each computer does not see all the traffic.
2. Secure protocols. Avoid protocols that send their sensitive information in clear text over the wire. Use protocols that encrypt data at the sender's end and decrypt it at the receiver's end.
3. Use Kerberos on Windows 2000 or later. Windows 2000, as well as many variants of UNIX, has an implementation of this secure authentication method. Kerberos is a network security protocol that uses encrypted packets to exchange information as well as to authenticate users.
4. Smart Cards and one-time pads. Each smart card contains millions of combinations of digital one-time codes that are used for authentication and as encrypting keys. I really want to do an article on Smart cards, but at this time I am not familiar enough with them. Look for it soon, however.
Spoofing refers to pretending to be a part of the network mainly with malicious intentions.
There are two types of spoofing, non-blind and blind. Non-blind spoofing is carried out when the hacker is connected to both the target machine and the machine the hacker wishes to impersonate, for example by being on the same Ethernet segment. Being on the same network, the hacker can see the responses from the computer under attack. Makes sense.
In non-blind spoofing, the hacker has the advantage of knowing whether or not the machine under attack is online and whether it needs to be removed from the network while spoofing. Inside information is always helpful when hacking, I suppose.
In blind spoofing, the hacker is not connected to the target machine.
A TCP connection is made after a three-way handshake. For example, suppose that X, T, and A are respectively, the target machine, the trusted machine (a machine on the same network), and the attacker. When a TCP connection is being established between X and T, a handshake occurs, as shown in Table 3:
Table 3: The 3 way handshake
Don't be alarmed if this looks complex, it is not.
SYN and ACK are the TCP flags set by the machines. Seq# C1 is a random sequence number generated by the client T and sent to X. In its reply, X sends back this number increased by 1, as C1 + 1, along with another sequence number S1 that the server itself generates. The client then sends back S1 + 1 (and C1 + 1). This lets both the client and the server confirm that each side has seen the other's number.
Suppose the attacking machine A spoofs machine T and sends the first packet. When the second packet comes back from the server, A cannot see the sequence number, because that packet is sent to the real machine T. The hacker therefore has to guess S1 and send an ACK packet back to X with the correct sequence number.
There is one more problem with this scenario. When T receives a SYN+ACK packet for a connection it did not initiate, T sends a reset back to X instructing it to close the connection. So the hacker first has to spoof T and send a broadcast message to all the machines on the network, prompting a response. T then gets flooded with responses and cannot handle any more incoming connections, so it will not see the SYN+ACK packet coming to it from X.
When T is off the network, the hacker can start predicting the sequence numbers that the server will send. The hacker can do this by making a few legitimate connections from A to X, without spoofing, to learn the pattern of the numbers being generated, and then spoof T and start sending the packets.
Hope I didn't screw up any letters in that scenario! Ugh... Maybe a diagram will help.
By spoofing a client, a connection can be established to bring down a server in a typical DoS attack.
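The blind scenario above turns entirely on whether S1 can be guessed, so the defence is to make the server's initial sequence numbers unpredictable. Here is an added Python model of my own (not code from the article) of the handshake in Table 3: a server X that hands out S1, a weak generator that adds a fixed step per connection, the random generator that modern stacks use instead (RFC 6528 derives the ISN from a keyed hash of the connection plus a clock), and the blind completion attempt in which A learns the pattern from two genuine connections and then has to finish a handshake as T without ever seeing the SYN+ACK. The step size, start value and client names are constructed assumptions.

```python
import secrets

MASK32 = 0xFFFFFFFF


class Server:
    """Model of machine X. isn_source supplies S1 for each new connection; which
    source is used is the whole point of the example."""

    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.pending = {}  # client name -> the S1 we sent, awaiting the final ACK

    def recv_syn(self, client, c1):
        # Step 2 of Table 3: acknowledge C1 + 1 and send our own S1.
        s1 = self.isn_source()
        self.pending[client] = s1
        return ("SYN+ACK", (c1 + 1) & MASK32, s1)

    def recv_ack(self, client, ack):
        # Step 3: the connection opens only if the client echoes S1 + 1.
        s1 = self.pending.pop(client, None)
        return s1 is not None and ack == (s1 + 1) & MASK32


def predictable_isn(step=64000, start=123456):
    """Constructed weak generator: each ISN is the previous one plus a fixed step,
    the kind of pattern the article says a few real connections will reveal."""
    state = {"last": start}

    def next_isn():
        state["last"] = (state["last"] + step) & MASK32
        return state["last"]

    return next_isn


def random_isn():
    """Mitigation: an unpredictable 32-bit ISN, so observing past values tells A nothing."""
    return secrets.randbits(32)


def legitimate_handshake(server, client, c1):
    """Steps 1 to 3 of Table 3 by a client that really receives the SYN+ACK."""
    kind, ack, s1 = server.recv_syn(client, c1)
    if kind != "SYN+ACK" or ack != (c1 + 1) & MASK32:
        return False, None
    return server.recv_ack(client, (s1 + 1) & MASK32), s1


def extrapolate_isn(observed):
    """Guess the next S1 from the last two observed ones (assumes a constant step)."""
    return (2 * observed[-1] - observed[-2]) & MASK32


def blind_spoof_completes(server):
    """The blind scenario from the article: A makes two genuine connections to X to
    learn the pattern, then sends a SYN as T and must finish with an S1 it never saw.
    Returns True only if X accepts the spoofed connection."""
    observed = []
    for i in range(2):
        ok, s1 = legitimate_handshake(server, f"A-{i}", 1000 + i)
        if not ok:
            return False
        observed.append(s1)
    server.recv_syn("T", 5000)  # the SYN+ACK goes to the real T; A never sees this S1
    return server.recv_ack("T", (extrapolate_isn(observed) + 1) & MASK32)


if __name__ == "__main__":
    print("predictable ISN, spoof completes:", blind_spoof_completes(Server(predictable_isn())))
    print("random ISN, spoof completes:     ", blind_spoof_completes(Server(random_isn)))
```

With the stepping generator the extrapolated guess is exact and X opens the connection for the impersonated T; with random ISNs the guess is right with probability one in 2^32, which is why the fix for this whole class of attack lives in the server's TCP stack rather than in anything T can do.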
This type of spoofing is carried out either on an internal network or on the Web itself.
For example, while browsing chat rooms or forums on the Web, you come across posts that inform you of a highly recommended Windows security patch that you should apply immediately to secure your systems from attacks. If you click the link, you are taken to http://www.micr0sOft.com/technet/security/q874787.asp. The trick in this case is that the URL points not to the actual Microsoft Corporation's Website but to a cleverly disguised site run by the spoofer. Note that the letter o in Microsoft in the above URL is actually a zero, so you are taken to a different site.
When you are at this site, which has been made to look exactly like the Microsoft site, you may be tempted to download the security patch offered. This patch would most probably be a Trojan horse that would install like a normal security patch. It might install some hidden programs on your computer to monitor it and occasionally send out sensitive information to the hacker such as passwords, machine information, and other data.
You can be fooled into all sorts of stuff if you are not careful!
Figure 24 depicts server spoofing, which involves pointing the victim to the hacker's own server instead of a real one:
Figure 24: A Spoof!
To protect yourself from server spoofing, you need to look at all the URLs very carefully, scan all downloads including the ones from a trusted source, and make sure that SSL is enabled before submitting personal details, especially credit card information.
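"Look at all the URLs very carefully" and "make sure SSL is enabled" can both be automated. The following is an added Python example of my own, not code from the article: it classifies a link against a constructed allow-list of hosts you actually intend to visit, collapsing look-alike characters (the zero-for-o swap in the micr0sOft example, plus a few similar substitutions) so an imitation is reported as such, and it only calls a URL safe for personal details when the host is the genuine one and the scheme is https. It goes one step beyond the page's example by also flagging URLs that hide the real host behind a user@ prefix. The allow-list, the confusable table and the attacker.example host are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts the user actually intends to visit.
TRUSTED_HOSTS = {"microsoft.com", "www.microsoft.com"}

# Characters commonly swapped for letters they resemble; the article's example uses 0 for o.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def skeleton(host):
    """Collapse look-alike characters so micr0soft and microsoft compare equal."""
    return host.lower().translate(CONFUSABLES)


def classify_url(url, trusted=TRUSTED_HOSTS):
    """Classify a link before clicking it or submitting anything to it:
    'trusted'        host is on the allow-list and the page is served over SSL/TLS
    'trusted-no-ssl' host is on the allow-list but the scheme is plain http
    'lookalike'      host imitates a trusted host (e.g. micr0sOft.com)
    'masked-host'    a user@ prefix makes the real host easy to overlook
    'unknown'        anything else"""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.username is not None:
        return "masked-host"
    if host in trusted:
        return "trusted" if parts.scheme == "https" else "trusted-no-ssl"
    if skeleton(host) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "unknown"


def safe_to_submit_details(url):
    """The article's rule: send personal or credit card details only when SSL is
    on and the host is the one you meant."""
    return classify_url(url) == "trusted"


if __name__ == "__main__":
    # Constructed sample links, including the article's spoofed patch URL.
    for link in ("http://www.micr0sOft.com/technet/security/q874787.asp",
                 "https://www.microsoft.com/technet/",
                 "http://www.microsoft.com/",
                 "http://www.microsoft.com@attacker.example/patch.exe",
                 "https://example.org/"):
        print(f"{classify_url(link):15} {link}")
```

The scheme check is deliberately separate from the host check: a genuine host over plain http still fails `safe_to_submit_details`, because the sniffing section above already showed what happens to form data sent in the clear.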
Damn, some of my papers in school were not this long. I really enjoyed writing this one, as always, I learned a lot. And I hope you did, too. My intention here, I will say it again, was not to educate you on how to hack, but to promote safe networking habits.
Until the next one...
I've been working on this article for over 4 days now. I have compiled a number of resources that you may want to reference (as I did).
Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle
Microsoft Windows 2000 Server Deployment Planning Guide
Computer Security Handbook, Fourth Edition
Network Perimeter Security: Building Defense In-Depth
Network+ Certification Training Kit
Internet Security and Firewalls