Editor's note: This excerpt has been derived from Leonard Chin's white paper, "5 Phases Every Hacker Must Follow," which has been reprinted with permission. This is part three of the series. See part two here.
Once scanning is complete, hackers use a variety of ways to gain unauthorized access to a computer or system. The method chosen often reflects more on the skills of the hacker than the weaknesses of the target. For example, a hacker unskilled in attacking websites would simply move on to another target if a website is the only access.
However, sophisticated hackers develop diverse skills and associated tools to be able to attack a wide variety of targets. This article will go through some of the general tools and approaches used to gain access.
Social Engineering is the term used by hackers to refer to tricking a human into giving them access, usually by handing over log-in credentials. Although this sounds like an old-fashioned scam, it can be quite sophisticated. More importantly, it can also be quite effective.
Cybersecurity analysts estimate that over 80% of attacks are launched using stolen credentials. Once an attacker has the user ID and password of a victim, it’s a simple matter to log in and do what they wish inside the system. Of course, no one would willingly hand over their passwords to a hacker, but it happens frequently.
The simplest form of social engineering is to simply impersonate someone in authority and ask for credentials. To do this, hackers will call into an organization and ask to be transferred to someone else (which can help hide the fact that a call is from an outside line). Then, the hacker impersonates an IT staffer trying to troubleshoot a problem. To fool an employee, the hacker needs to take a few steps:
- First, the hacker needs to have some information about the organization and/or the employee to use as context. This creates credibility. For example, they may say, “Joe Jones asked me to look into this personally," knowing that Joe Jones is the COO of the company.
- Next, the scammer needs to create a crisis. For example, they may say “I am in so much trouble, I’m afraid my boss will be angry if I don’t get this fixed immediately…” On the other hand, if they don’t think the person will be empathetic, they may say “Someone was surfing some shopping sites on this computer, which is against company policy. We have an audit coming up next week, and I don’t want you to get into trouble. Allow me to delete the history for you." After that, the scammer will ask the employee to do some small task, such as open a command window and type “netstat." This fills the screen with technical jargon which is used to frighten an employee.
- Finally, when the hook is set, the scammer asks for the employee’s ID and password to continue fixing the problem (usually right before lunch or at the end of the day when the employee wants to leave). This is only one approach, but there are many other ways to fool employees by impersonating a vendor, customer, or executive.
We’ve just reviewed a “low tech” way to get a password, but there are more sophisticated ways as well. Many hackers use free software called the Social Engineering Toolkit (SET). Using this tool, the hacker goes to a website that the victim likely uses. Usually, a bank or credit card company website is used. The tool can capture a copy of the login page of the website, and then builds a fake website with the copied image.
No one looking at the copy would be able to tell the difference. The hacker then sends a carefully crafted email to the victim (using copied logos) to impersonate that website and asking them to click on a link to log in. There is usually some urgency either a short period to win a prize like a gift card, or a warning that the account has been hacked and they need to check it.
When the victim clicks the link provided by the attacker, they are taken to the fake website where they enter their credentials. The fake website collects the credentials, then flashes a login error, and then connects the victim to the real website.
At this point, the victim assumes they mistyped the password, so they log in again, and it works this time. However, unknown to the victim, the hacker now has their login credentials. It’s important to stress that this is not a highly technical attack. The SET software automates the entire process for the attacker, so they don’t need to know how to code or build websites. They just launch the tool, specify the website, send the link in an email, and wait for the victim’s ID and password to be sent to them.
Perhaps the oldest and most well-known cybersecurity attack is to hack into a website, and there are many ways to do it. It’s a very broad topic, but some of the more common types of attacks will be outlined here.
First, one of the most obvious ways to hack into a website is to look at the URL and observe the changes as the user traverses pages the website. In simple websites, you’ll notice that links on the website are really just tracing a directory structure. Many websites can be hacked simply by putting other information into the URL bar in the browser and experimenting.
A famous travel website was hacked when attackers noticed the user number in the URL at the top of the browser. By simply putting other numbers in, they could see the accounts of other users. Of course, trial and error can be tedious, so many hackers use tools like URL fiddlers to experiment for them automatically. Hackers also use tools like Burpsuite to customize their responses to webforms and insert intentional errors to cause the website controls to fail.
Many websites use a database (such as a SQL database) backend to store information. Poorly written websites often include the database commands in the URL links where they are visible, or directly from fields in forms. Using a technique called SQL injection, a hacker can add additional database commands which get passed directly through the webserver to the database.
Typically, attackers will try to add commands to see all customer accounts or other information. If they are clever, they can get the website to display all of this information to them. More importantly, if passwords are stored in the database, they can get credentials as well. If they can get credentials for the webserver administrator, they can then install additional tools on the webserver and use it to pivot into the rest of the company infrastructure.
Most modern websites are trying to close the basic vulnerabilities described above, but many have yet to do so. Small businesses, schools, and local governments rarely have the resources to stay on top of website security. A list of common website vulnerabilities is maintained by the Open Web Application Security Project (OWASP). Each year, they compile a list of the top 10 website vulnerabilities along with instructions on how to mitigate the risk. You can check out the list here: OWASP Top 10
Another way to hack into an organization is to use sophisticated attack tools to penetrate networks and directly attack servers and computers. This is probably most similar to the hacker approaches shown on TV and movies, where the attacker, types a few keys and announces, “I’m in!”
In reality, it's not so simple, but there are techniques for doing this. If an attacker is physically close, they may be able to use a tool like Aircrack-NG to hack into a WiFi access wireless network to gain access to the network. Even better, if an attacker can get inside the building briefly to install a device (called a turtle) to call back out to them later, access is easy. If no local access is possible, attackers still have other methods to penetrate an organization.
By scanning an organization, attackers may locate machines with known vulnerabilities that can be exploited. Often, this is simply an old, forgotten computer that has not been updated and patched. If an attacker can scan it, they can use attacks like buffer overflows or exploit weaknesses in protocols like SMB and RDP to get access to the machine. Once they get into the machine, the attacker can install additional software to launch attacks against other machines in the network.
Hackers Will Exploit Security Flaws
While the technical details have been omitted here (for obvious security reasons) the message is clear. It’s just not that difficult for attackers to gain access to a network or computer, especially if it’s not been protected adequately. Typical protections include malware and virus detection, firewalls and intrusion detection, as well as strict policies on software patching and updates.
Security engineers can take many other steps to reduce the risk of attack and intrusion. However, it takes good training to do that.
Here are some courses to get you started: