Friday, October 11, 2013

How do I Hack?

"How do I hack? / How to hack?" is the question that sparks an interest in computer science more so than any other curiosity. The quest to find the answer almost always ends in failure. This "tutorial" is here to explain the difference between the different types of hacking, to describe cracking techniques, and to note the ethical implications of using "hacker" tools.

What is Hacking?

Many people want to hack, but very few are sure what hacking truly is. At its core, hacking is changing something so that it works for your own purposes. Richard Stallman defines hacking as "playful cleverness". What most people searching for hacking information truly want is information on cracking.

So then, what is cracking?
Cracking is the deliberate breaking of computer security, either to gain information or to modify an external system. When you hear of a database of passwords being dumped on pastebin, that's a crack. For most of this article, "hack" and "crack" will be used interchangeably, but many people vehemently reject the second definition so that "hacking" in its social sense can remain pure.

The Meat - An overview of a hack
So, you've read about the differences between hacking and cracking, and you're sure of what you want to do. These are the steps a hack could follow, but there are multiple types of attacks. We will talk about two here.

0-day route
Bugs are serious business in high-security situations. Most bugs are patched, but it wasn't always like this. Around the time of the advent of computers, knowledge alone was enough to "tear the internet to shreds", according to an Anonymous member of a hacking group. Bugs can take years to be fixed, and many go undetected, lying in wait in the code. These undetected bugs are called 0-days, because they have been on the bug fixers' "to-do" list for exactly 0 days. By exploiting a 0-day, you are essentially stabbing your target in the back.

0-days can be bought on some Tor marketplaces for anywhere from a couple thousand to upwards of a couple million dollars, depending on the severity of the exploit and the implications of using it. They can also be found by reading the source code of the project you are trying to attack. Parts of the code dealing with text sanitization or risky memory allocation offer the best chances of finding a 0-day bug. Don't get your hopes up for large projects; many layers of security exist in modern operating systems to protect against even undocumented bugs. You're more likely to overflow the stack than hack the Gibson, but shoot for the stars.

Injection is the technique of passing a string through a preprocessor so that it causes unintended side effects. I define a preprocessor as any "parser" that works to interpret text, which most large projects have.

An example of injection would be exploiting a naive service that uses Lisp to serve web pages. What if the function looked like this (the shell call has to sit in the else branch of the if, or it would run on every request):

(defun serve (x) (if (search "webserve" x) (webserve x) (ext:shell x)))

For any reader who doesn't know Lisp, this basically says "If the string looks like a web request, send it on for further parsing. Otherwise, execute it as a shell command." Now, the world isn't this simple, but there are some surprisingly simple SQL injection attacks that can dump databases of usernames, passwords, credit card numbers, etc.
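The same failure the Lisp function shows, in the SQL setting the paragraph mentions. This is an added example, not code from the original post: it uses Python's sqlite3 module on a constructed in-memory users table, and a name that merely contains a quote is enough to show the difference between input treated as data and input treated as syntax.

```python
"""Injection: untrusted text reaches a parser (here SQLite's SQL parser) and
is read as syntax instead of data.  Added example; table and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The request string is pasted straight into the query text, so any quote
    # in it reaches the SQL parser as syntax, not as a value.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding keeps the value out of the parser entirely: SQLite
    # compiles the statement first and receives the name afterwards as data.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input and report how each behaved."""
    conn = make_db()
    result = {"safe": lookup_safe(conn, name)}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        # A parse error is the tell-tale sign of injection: the input changed
        # the *structure* of the statement rather than just a value in it.
        result["vulnerable"] = f"SQL error: {exc}"
    return result


if __name__ == "__main__":
    for probe in ("alice", "o'brien"):
        print(probe, "->", compare(probe))
```

The harmless name "o'brien" is found by the bound query but breaks the concatenated one; a parser that can be broken by a quote can also be steered by one, which is why the fix is binding, not quote-stripping.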

Finding your Target
So, now you know the basic ways to attack something. But how do you find the necessary information about your target? How do you send it the data required to perform the attack?

Assuming you are running a Linux machine, prepare it for penetration testing. Please note: what you are about to do is not illegal, but it is frowned upon by most internet service providers. To keep yourself out of trouble, run these commands against "localhost".

Before you continue, install the "nmap" package.

sudo apt-get install nmap

Nmap can coax information out of networks. To see the kind of information nmap gathers, run an aggressive scan against your own box:  nmap -A localhost

This will return all of the information nmap can find about your machine. Among that information, every open UDP and TCP port, along with the service listening on it, will be displayed. These are the pathways through which you would apply one of the two methods discussed earlier. If your target is running HTTP, that is a good candidate: HTTP is the most compromised protocol, because web applications behind it are usually susceptible to injection attacks. Using the command line tool curl, you can send raw data to the web server. (You will need to for attacks; rarely will a web browser be enough, unless the target's SQL validation is laughably bad.)

If you want to send data to another port, you can use dd like so (this relies on bash's /dev/tcp redirection, which is a shell feature rather than a real device file, so it only works in bash; $target_host and $port are placeholders for the host and port you are testing):

dd if=/dev/zero bs=9000 count=1000 > /dev/tcp/$target_host/$port

In Conclusion
Attacking targets on the internet today is much more complex than it used to be. Exploits require knowledge of tons of frameworks, languages, and protocols to be used properly, and those exploits are hard to find, expensive, and may even have protections deployed against them. Hopefully this guide is enough to steer the common "I want to hack" crowd away from the subject and onto the "righteous path" of programming. However, if this still sounds like it floats your boat, you may be looking at a bright career in IT security.