
Network System Security part 37


CHAPTER 13
Hacker Techniques
Copyright 2001 The McGraw-Hill Companies, Inc.
Network Security: A Beginner’s Guide
No discussion of security would be complete without a chapter on hackers and
how they work. I use the term hacker here for its current meaning—an individual
who breaks into computers. It should be noted that in the past, “hacker” was not
a derogatory term but rather a term for an individual who could make computers work.
Perhaps a more appropriate term might be “cracker” or “criminal”; however, to conform
to current usage, “hacker” will be used to identify those individuals who seek to intrude
into computer systems or to make such systems unusable.
Studies have found hackers most often to be
• Male
• Between 16 and 35 years old
• Loners
• Intelligent
• Technically proficient
This is not to say that all hackers are male or between the ages of 16 and 35, but most are.
Hackers have an understanding of computers and networks and how they actually work.
Some have a great understanding of how protocols are supposed to work and how protocols
can be used to make systems act in certain ways.
This chapter is intended to introduce you to hackers, their motivation, and their techniques.
I won’t teach you how to hack but I’ll hopefully give you some insights as to how
your systems may be attacked and used.
A HACKER’S MOTIVATION
Motivation is the key component to understanding hackers. The motivation of the hacker
identifies the purpose of the attempted intrusion. Understanding the motivation also
helps us to understand what makes a computer interesting to such an individual. Is the
system somehow valuable or enticing? To which type of intruder is the system of interest?
Answering these questions allows security professionals to better assess the danger
to their systems.
Challenge
The original motivation for breaking into computer systems was the challenge of doing
so. This is still the most common motivation for hacking.
Once into a system, hackers brag about their conquests over Internet Relay Chat (IRC)
channels that they specifically set up for such discussions. Listening in on the IRC channels
shows how the hackers gain status by compromising difficult systems or large numbers
of systems.
Another aspect of the challenge motivation is not the difficulty of hacking a given system
but the challenge of being the first to hack that particular system or the challenge of
hacking the largest number of systems. In some cases, hackers have been seen removing
the vulnerability that allowed them to successfully hack the system so that no one else can
hack the system.
The challenge motivation is often associated with the untargeted hacker, in other
words, someone who hacks for the fun of it without really caring which systems he compromises.
It is not often associated with the targeted hacker who is usually looking for
specific information or access. What this means for security is simply that any system attached
to the Internet is a potential target.
Another form of the challenge motivation that is being seen more and more often is
hacktivism, or hacking for the common good. This reason is often provided after the fact as
justification for the crime. Hacktivism is potentially a more dangerous motivation as it
entices honest and naive individuals.
Greed
Greed is one of the oldest motivations for criminal activity known. In the case of hacking,
I will extend this motivation to include any desire for gain whether it be money, goods,
services, or information. Is greed a reasonable motivation for a hacker? To determine this,
let’s examine the difficulty of identifying, arresting, and convicting a hacker.
If an intrusion is identified, most organizations will correct the vulnerability that allowed
the intrusion, clean up the systems, and go on with their work. Some may call law
enforcement, in which case, the ability to track the intruder may be compromised by a lack
of evidence or by the hacker using computers in a country without computer security laws.
Assuming that the hacker is tracked and arrested, the case must now be presented to a jury,
and the district attorney (or U.S. Attorney if the case is federal) must prove beyond a reasonable
doubt that the person sitting in the defendant’s chair was actually the person who
broke into the victim’s system and stole something. This is difficult to do.
Even in the case of a successful conviction, the hacker may not receive much of a penalty.
Consider the case of Datastream Cowboy. In 1994, Datastream Cowboy broke into
the Rome Air Development Center at Griffiss Air Force Base in Rome, NY and stole software
valued at over $200,000. Datastream Cowboy, who was identified as a 16-year-old
living in the United Kingdom, was arrested and convicted of the crime in 1997. His punishment
was a fine of $1,915.
This example illustrates an important point about the greed motivation: there has to be
a way to control the downside for the criminal. In the case of hacking a system, the risk of
being caught and convicted is low; therefore, the potential gain from the theft of credit card
numbers, goods, or information is very high. A hacker motivated by greed will be looking
for specific types of information that can be sold or used to realize some monetary gain.
A hacker motivated by greed is more likely to have specific targets in mind. In this way,
sites that have something of value (software, money, information) are primary targets.
Malicious Intent
The final motivation for hacking is malicious intent or vandalism. In this case, the hacker
does not care about controlling a system (except in the furtherance of the vandalism). Instead,
the hacker is trying to cause harm either by denying the use of the system to legitimate
users or by changing the message of the site to one that hurts the legitimate owners.
Malicious attacks tend to be focused on particular targets. The hacker is actively looking
for ways to hurt a particular site or organization.
The hacker’s underlying reason for the vandalism may be a feeling that he or she had
been somehow wronged by the victim or it may be a desire to make a political statement
by the defacement. Whatever the base reason, the purpose of the attack is to do damage,
not to gain access. Figure 13-1 shows an example of a Web site that has been vandalized.
Figure 13-1. An example of a vandalized Web site
HISTORICAL HACKING TECHNIQUES
This section is going to take a different perspective than most when we talk about the history
of hacking. The cases of the past have been well publicized and there are many resources
that describe such cases and the individuals involved. Instead, this section will
approach the history of hacking by discussing the evolution of techniques used by hackers.
As you will be able to see, many cases of successful hacking could be avoided by
proper system configuration and programming techniques.
Open Sharing
When the Internet was originally created, the intent was the open sharing of information
and collaboration between research institutions. Therefore, most systems were configured
to share information. In the case of Unix systems, the Network File System (NFS)
was used. NFS allows one computer to mount the drives of another computer across a
network. This can be done across the Internet just as it can be done across a Local Area
Network (LAN).
File sharing via NFS was used by some of the first hackers to gain access to information.
They simply mounted the remote drive and read the information. NFS uses user ID
numbers (UID) to mediate the access to the information on the drive. So if a file were limited
to user JOE, UID 104, on its home machine, user ALICE, UID 104, on a remote machine
would be able to read the file. This became more interesting when some systems
were found to allow the sharing of the root file system (including all the configuration
and password files). In this case, if a hacker could become root on a system and mount a
remote root file system, he could change the configuration files of that remote system (see
Figure 13-2).
Open file sharing might be considered a serious configuration mistake instead of a
vulnerability. This is especially true when you find out that many operating systems (including
Sun OS) shipped with the root file system exportable to the world read/write
(this means that anyone on any computer system that could reach the Sun system could
mount the root file system and make any changes they wished to make). If the default
configuration on these systems were not changed, anyone could mount the system’s root
file system and change whatever they wanted to change.
Unix systems are not the only systems to have file-sharing vulnerabilities. Windows
NT, 95, and 98 also have these issues. Any of these operating systems can be configured to
allow the remote mounting of their file systems. If a user determines the need to share
files, it is very easy to mistakenly open the entire file system up to the world.
In the same category as open sharing and bad configurations, we also have trusted remote
access (in effect, we are sharing access among systems). The use of rlogin (remote
login without a password) used to be common among system administrators and users.
Rlogin allows users to access multiple systems without re-entering their password. The
.rhosts and hosts.equiv files control who can access a system without entering a password.
If the files are used properly (one could argue that the use of rlogin is not proper at
all), the .rhosts and hosts.equiv files specify the systems from which a user may rlogin without
a password. Unfortunately, Unix allows for a plus sign (+) to be placed at the end of
the file. This plus sign signifies that any system will be trusted to vouch for the user and
thus, the user is not required to re-enter a password no matter which system the user is
coming from. Obviously, hackers love to find this configuration error. All they need to do
is to identify one user or administrator account on the system and they are in.
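A configuration check for the two mistakes described above (a root file system exported to the world read/write, and a bare plus sign in a trust file), as an added example that is not part of the original chapter. It assumes the Linux exports(5) syntax, which differs from the old Sun OS format; the function names and sample file contents are constructed for illustration.

```python
import re

# Constructed sample files (not from a real host). The exports syntax assumed
# here is the Linux exports(5) form: path client(options) ...
SAMPLE_EXPORTS = """\
/            *(rw,no_root_squash)
/home        192.0.2.0/24(rw)
/pub         (ro)
/srv/build   build01.example.net(rw)
"""
SAMPLE_HOSTS_EQUIV = """\
admin01.example.net
build01.example.net alice
+
"""

def audit_exports(text):
    """Return (path, client, options) for each export open to every host."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:          # no client listed means any host
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", spec)
            if not m:
                continue                      # malformed entry, not judged here
            host, opts = m.group(1), (m.group(2) or "ro").split(",")
            if host in ("", "*"):
                findings.append((path, host or "<any>", opts))
    return findings

def root_world_writable(findings):
    """True when '/' itself is exported read/write to every host."""
    return any(path == "/" and "rw" in opts for path, _, opts in findings)

def audit_trust_file(text):
    """Return line numbers in a hosts.equiv or .rhosts body that hold a bare '+'."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "+" in line.split()[:2]]

if __name__ == "__main__":
    found = audit_exports(SAMPLE_EXPORTS)
    print(found, root_world_writable(found))
    print(audit_trust_file(SAMPLE_HOSTS_EQUIV))
```

Netgroup entries such as `+@admins` are deliberately not flagged, since only the bare `+` token trusts every host or user.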
Bad Passwords
Perhaps the most common method used by hackers to get into systems is through weak
passwords. Passwords are still the most common form of authentication in use. Since
passwords are the default authentication method on most systems, using them does not
incur additional cost. An additional benefit of using passwords is that users understand
how to use them. Unfortunately, many users do not understand how to choose strong
passwords. This leaves us with the situation that many passwords are short (less than
four characters) or easy to guess.
Short passwords allow a hacker to brute-force the password. In other words, the
hacker keeps guessing at passwords until a successful guess is made. If the password is
only two characters long, there are only 676 combinations (if just letters are used). You can
compare that to 208 million combinations (if just letters are used) for an eight-character
password. While both can be guessed if all the combinations are tried, it is much easier to
guess a two-character password than an eight-character password.
Figure 13-2. Use of NFS to access remote system files
The other type of weak password is one that is easy to guess. For instance, making the
root password “toor” (“root” spelled backwards) allows a hacker to gain access to the
system very quickly. Some password issues also fall into the bad configuration category.
For instance, on older Digital Equipment Corporation VAX VMS systems the field service
account was named “field” and the password was “field.” If the system administrator did
not know enough to change this password, anyone could gain access to the system by using
this account. Other common password choices that make weak passwords are: wizard,
NCC1701, gandalf, and drwho.
A good example of how weak passwords can be used to compromise systems is provided
by the Morris Worm. In 1988, a Cornell University student by the name of Robert
Morris released a program onto the Internet. This program used several vulnerabilities
to gain access to computer systems and replicate itself. One of the vulnerabilities it used
was weak passwords. Along with using a short list of common passwords to guess, the
program also tried a null password, the account name, that account name concatenated
with itself, the user’s first name, the user’s last name, and the account name reversed. This
worm compromised enough systems to effectively bring down the Internet.
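A password-change check that refuses exactly the guesses listed above, as an added example that is not part of the original chapter. The function names, the eight-character minimum, and the short deny list (built from the weak choices this chapter names) are assumptions for illustration.

```python
# Short deny list built from the weak passwords named in the text; a real
# deployment would load a much larger list (assumption).
COMMON = {"wizard", "ncc1701", "gandalf", "drwho", "toor", "field"}

def derived_guesses(account, first_name, last_name):
    """Candidates the text says the 1988 worm tried for each account."""
    return {
        "",                     # null password
        account,                # account name
        account + account,      # account name concatenated with itself
        first_name,             # user's first name
        last_name,              # user's last name
        account[::-1],          # account name reversed
    }

def reject_reason(password, account, first_name="", last_name="", min_len=8):
    """Return why a proposed password is refused, or None if it passes.

    min_len is a hypothetical policy value, not one taken from the text.
    """
    p = password.lower()
    guesses = {g.lower() for g in derived_guesses(account, first_name, last_name)}
    if p in guesses:
        return "derived from account details"
    if p in COMMON:
        return "on common-password list"
    if len(password) < min_len:
        return "shorter than %d characters" % min_len
    return None

if __name__ == "__main__":
    # Constructed accounts and proposed passwords.
    for pw, acct in [("toor", "root"), ("field", "field"), ("gandalf", "jsmith")]:
        print(acct, repr(pw), "->", reject_reason(pw, acct, "John", "Smith"))
```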
Unwise Programming
Hackers have taken advantage of unwise programming many times. Unwise programming
includes such things as leaving a back door in a program for later access to the system.
Early versions of Sendmail had such back doors. The most common was the WIZ
command. If a connection was made to the Sendmail program (by telneting to port 25)
and the command WIZ was entered, Sendmail would provide a root shell into the system.
This feature was originally included in Sendmail for use while debugging the program.
For that purpose, it was a great tool. However, such features left in programs
released to the public provide hackers with instant access to systems that use the program.
There are many examples of such back doors in programs. Hackers have identified
most of the known back doors and, in turn, programmers have fixed them. Unfortunately,
some of these back doors still exist because the software in question has not been
updated on systems where it is running.
More recently, the boom in Web site programming has created a new category of unwise
programming. This new category has to do with online shopping. In some Web sites,
information on what you are buying is kept in the URL string itself. This information can
include the item number, the quantity, and even the price. The information in the URL is
used by the Web site when you check out to determine how much your credit card should
be charged. It turns out that many of these sites do not verify the information (such as the
price of the item) when the item is ordered. The site just takes what is in the URL as the correct
price. If a hacker chooses to modify the URL before checking out, he may be able to get
the item for nothing. In fact, there are cases in which the hacker set the price to a negative
number and was able to get the Web site to provide a credit to the credit card instead of being
charged for the item. Clearly it is not wise to leave this type of information in a location
(such as the URL string) that can be modified by the customer and then to not check the information
on the back end. While this particular vulnerability does not allow a hacker to
gain access to the system, it does provide a big risk to the site.
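The back-end check the paragraph above calls for, shown beside the flawed pattern, as an added example that is not part of the original chapter. The URL layout, parameter names (item, qty, price), catalog contents and quantity limit are all constructed assumptions.

```python
from decimal import Decimal
from urllib.parse import urlsplit, parse_qs

# Constructed catalog: item numbers and prices are hypothetical.
CATALOG = {"1001": Decimal("49.95"), "2040": Decimal("12.00")}

# Constructed checkout URLs; the second carries a price the customer edited.
HONEST = "https://shop.example/checkout?item=1001&qty=2&price=49.95"
TAMPERED = "https://shop.example/checkout?item=1001&qty=2&price=-49.95"

def charge_from_url_unsafe(url):
    """Flawed pattern from the text: the charge is computed from the URL's price."""
    q = parse_qs(urlsplit(url).query)
    return Decimal(q["price"][0]) * int(q["qty"][0])

def charge_from_url(url, max_qty=100):
    """Hardened: only item and quantity are read from the URL, and both are
    validated; the price always comes from the server-side catalog."""
    q = parse_qs(urlsplit(url).query)
    item = q.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty_text = q.get("qty", [""])[0]
    if not (qty_text.isascii() and qty_text.isdigit()):
        raise ValueError("quantity is not a positive whole number")
    qty = int(qty_text)
    if not 1 <= qty <= max_qty:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty

if __name__ == "__main__":
    print("unsafe, tampered URL:", charge_from_url_unsafe(TAMPERED))  # a credit
    print("hardened, tampered URL:", charge_from_url(TAMPERED))       # list price
```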
