
Difference between revisions of "User:Hatter/getting started"

From NetSec
(Code)
 
(33 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
 +
{{social}}
 +
 
So you're new to offensive security, and one day you want to call yourself a hacker.  Understanding the building blocks of a system is the first step towards learning to control it.  A solid basis in [[administration]] is needed in order to know how to use a machine.  A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]].  While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].
 
So you're new to offensive security, and one day you want to call yourself a hacker.  Understanding the building blocks of a system is the first step towards learning to control it.  A solid basis in [[administration]] is needed in order to know how to use a machine.  A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]].  While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].
  
 +
This page will start you off on the right foot, it is meant to be a guide that briefly skims the surface of what hacking is composed of. A talented hacker does their research first so you have already made a good decision in your hacking career! For further inquiries we encourage you to come and talk to us on the [[IRC|NetSec IRC Network]].
  
 
== [[Administration]] ==
 
== [[Administration]] ==
 
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration, and network administration.   
 
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration, and network administration.   
  
Mastery of an [[Operating System]] is essential.  Most [[server]]s on the internet are powered by [[Linux]].  While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]].  We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the linux environment will make you much more efficient when using linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to efficiently using a linux system.
+
Mastery of an [[Operating System]] is essential.  Most [[server]]s on the internet are powered by [[Linux]].  While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]].  We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarize you with the commands that are essential to efficiently using a Linux system.
  
Protecting yourself on the internet is essential, although you have already taken the first step by using a linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.
+
Protecting yourself on the Internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the Internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.
  
 
== [[Programming|Code]] ==  
 
== [[Programming|Code]] ==  
  
[[Programming]] is the next essential skill. While it is possible to perform exploitation on an [[application]] without any knowledge of the language it is written in, understanding of the language allows for a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. If you want to go head-first, start programming with a [[compiled language]] or go to a lower level like [[assembly]], if you prefer the easier approach, [[interpreted languages]] are the best place to start.
+
[[Programming]] is the next essential skill. While it is possible to perform exploitation on an [[application]] without any knowledge of the language it is written in, understanding of the language allows for a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. If you want to go "head-first", start with a lower level language like [[assembly]] and move on to [[compiled languages]], finishing with [[interpreted languages]].  If you prefer the easier, or "feet-first" approach, [[interpreted languages]] are the best place to start, then work towards [[assembly]] - perhaps learning one of the [[compiled languages]] in between.  
  
[[Assembly]] and [[machine code]] are the building blocks of all other programming language. Machine code is what most people think of when they refer to "binary code" (though it is more often represented as hexadecimal opcodes), and assembly is a system of mnemonic words to make machine code easier to work with - for example, "\xcd\x80" comes "int $0x80".   
+
[[Assembly]] and [[machine code]] are the building blocks of all other [[programming language]]s. Machine code is what most people think of when they refer to "[[binary]] code" (though it is more often represented as hexadecimal opcodes), while assembly is a system of mnemonic words to make machine code easier to work with - for example, "\xcd\x80" comes "int $0x80".  [[Bitwise math]] is the fundamental starting place for novices learning [[assembly]] - whether [[Linux assembly]] or [[Windows]].  Having a solid understanding of [[xor]], [[and]], [[not]], [[or]], and other manipulations is key to understanding basic arithmetic in [[hexadecimal|base 16]].
  
 
These languages are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]].  The [[Linux]] operating system is written in [[C]] and [[C++]]. It is advisable to become familiar with C and at least learn enough assembly to understand how your C code is compiling. Learning interpreted languages such as PHP and Perl can also be useful for their flexibility and power.
 
These languages are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]].  The [[Linux]] operating system is written in [[C]] and [[C++]]. It is advisable to become familiar with C and at least learn enough assembly to understand how your C code is compiling. Learning interpreted languages such as PHP and Perl can also be useful for their flexibility and power.
  
When learning to code, it is important to avoid the kinds of mistakes that lead to vulnerabilities in your code - such as [[Unsafe string replacement]]. Not only does learning about these vulnerabilities prevent your own code from being exploited, but the better you understand the potential pitfalls of a language, the better you can exploit those same pitfalls.
+
When starting out with [[programming]], it is important to avoid the kinds of mistakes that lead to [[vulnerability|vulnerabilities]] in your code - such as [[unsafe string replacement]] and other [[Design Flaws|design flaws]]. Not only does learning about these vulnerabilities prevent your own code from being [[exploitation|exploited]], but the better you understand the potential pitfalls of a language, the better you can exploit those same pitfalls.
  
== Information Gathering ==
+
The biggest priority to the aspiring hacker and beginning programmer is to just start programming.  Practice makes perfect and the sooner you start, the faster you will become a competent coder.  Thankfully, it is an amazing time for people new to programming as there are now many resources for learning how to code.  A good place to check out is [http://www.codecademy.com Codecademy] due to the fact that it is very beginner friendly and will get you on the road to learning essential tools in your hacking career like [[JavaScript]] and [[Python]].
 +
 
 +
 
 +
== [[information gathering|Information Gathering]] ==
 +
 
 +
=== [[Social Engineering]] ===
 +
 
 +
[[Social Engineering]] is a method of extracting information from targets by means of social/psychological manipulation for the purpose of gaining unauthorized access to desired targets later on. Techniques often rely on the follies of human nature such as our tendency to easily trust others and help our fellow man.
 +
 
 +
An example scenario would be if an individual wanted to gain access to a targeted financial firm, utilizing [[social engineering]] the individual may wear a cast and crutches to approach the door just as an employee were walking out. It is reasonable to assume that if any of us were in this position we would kindly hold the door open for this person. The financial firm has just been compromised and is now vulnerable to any number of attacks. The door may have been secured with a sophisticated access card lock but it is useless against this kind of social engineering technique. The weakest link in any security set up are the users, this is a fact that [[social engineering]] [[Exploit|exploits]].
 +
 
 +
=== [[Network Reconnaissance]] ===
 +
 
 +
Network reconnaissance is a method of information gathering that has a variety of tools and techniques to implement.  The most useful tools for automated network reconnaissance have been established for a long time: [[traceroute]], [[dig]], and [[nmap]].  Utilizing layers 2-7 of the OSI Model (depending on your target, and whether you are on the same network segment), [[nmap]] also supports scriptable plugins, including [[DNS]] enumeration, [[SNMP]] enumeration, Banner checking, [[IDS evasion]], and [[Operating System|OS]] Detection.
  
 
== [[Exploitation]] ==  
 
== [[Exploitation]] ==  
Most beginners find [[web exploitation]] to be the easiest topic to start with.  This requires a strong understanding of the [[HTTP|world wide web]].  [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]].  This nearly always involves some form of [[HTML]] and [[CSS]], originally developed to be a document and that document's stylesheet.  Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code.  The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client.   
+
The best way to learn exploitation is with a solid basis in [[programming]].  The best place to start is usually with exploiting a [[programming language]] that you are familiar with.  If you are familiar with [[interpreted languages]], [[web exploitation]] is the best place to begin; whereas if you are familiar with [[compiled languages]], binary exploitation is the best step for a beginner.  It is also best to start with an environment already familiar to you.   
  
 
=== [[Web exploitation]] ===
 
=== [[Web exploitation]] ===
 +
Most beginners find [[web exploitation]] to be the easiest topic to start with.  This requires a strong understanding of the [[HTTP|world wide web]].  [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]].  This nearly always involves some form of [[HTML]] and [[CSS]], originally developed to be a document and that document's stylesheet.  Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code.  The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. 
 +
 
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], plant [[database]]-powered [[privilege escalation]] [[SQL backdoors|backdoors]] and more.  Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective.  This, in conjunction with the recent popularity of [[web application]]s makes it the best place to begin.  We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.
 
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], plant [[database]]-powered [[privilege escalation]] [[SQL backdoors|backdoors]] and more.  Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective.  This, in conjunction with the recent popularity of [[web application]]s makes it the best place to begin.  We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.
  
 
=== Binary exploitation ===
 
=== Binary exploitation ===
Exploitation of [[compiled languages]] used to be much easier than it is today.  Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult.  To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place.  Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]].  Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner.  It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]]. The [[Bleeding Life]] project contains [[shellcode]] which utilizes [[return oriented programming]] in order to bypass [[ASLR]] and [[DEP]] [[countermeasures]] for [[vulnerability|vulnerable]] [[applications|software]] running on the windows 7 [[operating system]].
+
Exploitation of [[compiled languages]] used to be much easier than it is today.  Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult.  To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place.  Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]].  Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner.  It is even possible to write printable and [[polymorphic]] [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].  It is possible to detect processor architecture and operating system, find libraries and functions at runtime, evade firewalls, identify the location of currently executing code, obfuscate binary, and detect breakpoints with the properly crafted shellcode utilized as a payload. The [[Bleeding Life]] project contains [[shellcode]] which utilizes [[return oriented programming]] in order to bypass [[ASLR]] and [[DEP]] [[countermeasures]] for [[vulnerability|vulnerable]] [[applications|software]] running on the Windows 7 [[operating system|Operating System]].
  
 
=== Network exploitation ===
 
=== Network exploitation ===
Network exploitation requires a solid understanding of network administration and network [[protocols]].
 
  
== Maintaining access ==
+
Network exploitation requires a solid understanding of [[network]] [[administration]] and [[network]] [[protocols]].  One of many exploitation techniques include [[ARP_Poisining|ARP Poisoning]], [[Sniffer|Sniffing]], [[Wireless_Security|Wireless exploitation]], and [[IDS_Evasion|IDS Evasion]].  ARP techniques require you to be on the same physical network segment or broadcast domain.  Exploitation which involves anything above layer 2 of the OSI model will most likely be application-based exploitation, can be accomplished with [[Fuzzing|fuzzing]] and [[Fingerprinting|application fingerprinting]] to identify your target and exploitation vector.
 +
 
 +
== [[maintaining access|Maintaining access]] ==
 +
There are several ways to maintain access, and I will attempt to cover a few of the basics here.  The first such would be using innocent looking process names (init , [kthreadd], httpd, sshd, etc.).  This is to mislead administrators to hopefully overlook the process. 
 +
 
 +
Another way would be a LKM rootkit, on older kernels these can be an ideal way to maintain a backdoor in to the system.  An important thing to remember is that anti-rootkit technologies for Linux based systems such as chkrootkit and rkhunter are merely shell scripts.  These can be easily modified to even remove checks for whatever public rootkit that you may choose as well as removing the checksum checks on its own script.  If it is a newer kernel you may wish to check in to something like [[Jynx Rootkit]] as this will compile on most servers.
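Review bot: the added Network exploitation line links to [[ARP_Poisining|ARP Poisoning]], where the link target is spelled "Poisining"; confirm that an article exists under that title or correct the target. In the same added line, "One of many exploitation techniques include" does not agree in number ("Exploitation techniques include ..." would read correctly), and the last sentence needs "and" before "can be accomplished". The new assembly line also still reads '"\xcd\x80" comes "int $0x80"', carried over unchanged from the old revision, where "becomes" appears to be intended.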

Latest revision as of 05:03, 29 May 2015

So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in administration is needed in order to know how to use a machine. A solid basis in programming will help you understand what information gathering leads to successful exploitation and maintaining access. While countermeasures do get in the way, most can be evaded or bypassed with an intermediate knowledge of programming.

This page will start you off on the right foot. It is meant to be a guide that briefly skims the surface of what hacking is composed of. A talented hacker does their research first, so you have already made a good decision in your hacking career! For further inquiries we encourage you to come and talk to us on the NetSec IRC Network.

Administration

Administration can be broken into a few categories, but for the purposes of this library it is divided into system administration and network administration.

Mastery of an Operating System is essential. Most servers on the Internet are powered by Linux. While difficult, a head-first approach to learning Linux can be obtained with Gentoo Installation. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the Bash book, which will familiarize you with the commands that are essential to efficiently using a Linux system.

Protecting yourself on the Internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on Iptables for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the Anonymity article for tips on how to keep your identity secret on the Internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.

Code

Programming is the next essential skill. While it is possible to perform exploitation on an application without any knowledge of the language it is written in, understanding of the language allows for a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. If you want to go "head-first", start with a lower level language like assembly and move on to compiled languages, finishing with interpreted languages. If you prefer the easier, or "feet-first" approach, interpreted languages are the best place to start, then work towards assembly - perhaps learning one of the compiled languages in between.

Assembly and machine code are the building blocks of all other programming languages. Machine code is what most people think of when they refer to "binary code" (though it is more often represented as hexadecimal opcodes), while assembly is a system of mnemonic words to make machine code easier to work with - for example, "\xcd\x80" becomes "int $0x80". Bitwise math is the fundamental starting place for novices learning assembly - whether Linux assembly or Windows. Having a solid understanding of xor, and, not, or, and other manipulations is key to understanding basic arithmetic in base 16.
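To make the mapping from "\xcd\x80" to "int $0x80" concrete, here is an added example (not part of the original page) of a small decoder that turns a handful of 32-bit x86 opcodes into AT&T-syntax mnemonics, using shifts and masks to pull the fields out of the ModRM byte. It assumes 32-bit mode, register-to-register operands only, and covers just the opcodes listed in the code; the function names are made up for this example.

```python
"""Tiny decoder: a few 32-bit x86 opcodes -> AT&T mnemonics (illustrative subset)."""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# "op r32 -> r/m32" instructions; each is followed by a ModRM byte.
MODRM_OPS = {0x01: "add", 0x09: "or", 0x21: "and", 0x31: "xor", 0x89: "mov"}


def _need(code, offset, length):
    """Fail cleanly when an instruction is cut off by the end of the buffer."""
    if offset + length > len(code):
        raise ValueError(f"truncated instruction at offset {offset}")


def split_modrm(byte):
    """Split a ModRM byte into mod (2 bits), reg (3 bits) and rm (3 bits)."""
    return byte >> 6, (byte >> 3) & 0b111, byte & 0b111


def decode(code):
    """Decode a bytes object into a list of AT&T-syntax instruction strings."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x90:
            out.append("nop")
            i += 1
        elif op == 0xC3:
            out.append("ret")
            i += 1
        elif op == 0xCD:                      # int imm8
            _need(code, i, 2)
            out.append(f"int $0x{code[i + 1]:x}")
            i += 2
        elif 0xB8 <= op <= 0xBF:              # mov imm32 -> r32
            _need(code, i, 5)
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            # The destination register is encoded in the low 3 bits of the opcode.
            out.append(f"mov $0x{imm:x},%{REG32[op & 0b111]}")
            i += 5
        elif op in MODRM_OPS or op == 0xF7:
            _need(code, i, 2)
            mod, reg, rm = split_modrm(code[i + 1])
            if mod != 0b11:
                raise ValueError(f"memory operand at offset {i} not handled")
            if op == 0xF7:
                # For 0xF7 the reg field selects the operation; /2 is "not".
                if reg != 2:
                    raise ValueError(f"0xf7 /{reg} at offset {i} not handled")
                out.append(f"not %{REG32[rm]}")
            else:
                out.append(f"{MODRM_OPS[op]} %{REG32[reg]},%{REG32[rm]}")
            i += 2
        else:
            raise ValueError(f"unknown opcode 0x{op:02x} at offset {i}")
    return out


if __name__ == "__main__":
    # Constructed sample bytes, chosen to exercise each decoding path.
    sample = bytes.fromhex("b92a00000031c021d809c8f7d0cd80")
    for line in decode(sample):
        print(line)
```
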

These languages are the predecessors to the C language, a mid-level compiled language which became the cornerstone for nearly all of the modern interpreted languages, including PHP, Perl, Python, and Ruby. The Linux operating system is written in C and C++. It is advisable to become familiar with C and at least learn enough assembly to understand how your C code is compiling. Learning interpreted languages such as PHP and Perl can also be useful for their flexibility and power.

When starting out with programming, it is important to avoid the kinds of mistakes that lead to vulnerabilities in your code - such as unsafe string replacement and other design flaws. Not only does learning about these vulnerabilities prevent your own code from being exploited, but the better you understand the potential pitfalls of a language, the better you can exploit those same pitfalls.

The biggest priority to the aspiring hacker and beginning programmer is to just start programming. Practice makes perfect and the sooner you start, the faster you will become a competent coder. Thankfully, it is an amazing time for people new to programming as there are now many resources for learning how to code. A good place to check out is Codecademy due to the fact that it is very beginner friendly and will get you on the road to learning essential tools in your hacking career like JavaScript and Python.


Information Gathering

Social Engineering

Social Engineering is a method of extracting information from targets by means of social/psychological manipulation for the purpose of gaining unauthorized access to desired targets later on. Techniques often rely on the follies of human nature such as our tendency to easily trust others and help our fellow man.

An example scenario: an individual wants to gain access to a targeted financial firm. Utilizing social engineering, the individual may wear a cast and use crutches, approaching the door just as an employee is walking out. It is reasonable to assume that any of us in that employee's position would kindly hold the door open for this person. The financial firm has just been compromised and is now vulnerable to any number of attacks. The door may have been secured with a sophisticated access card lock, but it is useless against this kind of social engineering technique. The weakest link in any security setup is its users, and this is the fact that social engineering exploits.

Network Reconnaissance

Network reconnaissance is a method of information gathering with a variety of tools and techniques. The most useful tools for automated network reconnaissance have been established for a long time: traceroute, dig, and nmap. Utilizing layers 2-7 of the OSI Model (depending on your target, and whether you are on the same network segment), nmap also supports scriptable plugins, including DNS enumeration, SNMP enumeration, banner checking, IDS evasion, and OS detection.

Exploitation

The best way to learn exploitation is with a solid basis in programming. The best place to start is usually with exploiting a programming language that you are familiar with. If you are familiar with interpreted languages, web exploitation is the best place to begin; whereas if you are familiar with compiled languages, binary exploitation is the best step for a beginner. It is also best to start with an environment already familiar to you.

Web exploitation

Most beginners find web exploitation to be the easiest topic to start with. This requires a strong understanding of the world wide web. Web applications are programmed using a series of interpreted languages. This nearly always involves some form of HTML and CSS, originally developed to be a document and that document's stylesheet. Dynamic content is usually powered by a database, and usually involves SQL code. The programming languages used to render dynamic content are interpreted on the web server, while languages such as HTML, CSS, and JavaScript are interpreted and rendered by the client.

Web exploitation can be used to execute remote commands, steal cookies, extract database information, bypass authentication, plant database-powered privilege escalation backdoors and more. Simply because exploitation of interpreted languages is easier than exploitation of compiled languages does not make it any less effective. This, in conjunction with the recent popularity of web applications, makes it the best place to begin. We've also developed a series of web exploitation tools to assist beginners in remedial tasks.

Binary exploitation

Exploitation of compiled languages used to be much easier than it is today. Due to countermeasures like DEP, ASLR, and IPS applications/devices, binary exploitation is becoming more and more difficult. To perform a filter bypass on a modern Operating System, the shellcode or machine code used during a buffer overflow exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write shellcode with a fundamental knowledge of assembly. Once an understanding of assembly for the respective operating system is obtained, null-free shellcode is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic alphanumeric shellcode and ASCII shellcode for IDS evasion. It is possible to detect processor architecture and operating system, find libraries and functions at runtime, evade firewalls, identify the location of currently executing code, obfuscate binary, and detect breakpoints with properly crafted shellcode used as a payload. The Bleeding Life project contains shellcode which utilizes return oriented programming in order to bypass ASLR and DEP countermeasures for vulnerable software running on the Windows 7 Operating System.

Network exploitation

Network exploitation requires a solid understanding of network administration and network protocols. Exploitation techniques include ARP Poisoning, Sniffing, Wireless exploitation, and IDS Evasion. ARP techniques require you to be on the same physical network segment or broadcast domain. Exploitation which involves anything above layer 2 of the OSI model will most likely be application-based exploitation, and can be accomplished with fuzzing and application fingerprinting to identify your target and exploitation vector.

Maintaining access

There are several ways to maintain access, and I will attempt to cover a few of the basics here. The first would be using innocent-looking process names (init, [kthreadd], httpd, sshd, etc.). The aim is to mislead administrators into overlooking the process.
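From the administrator's side, a borrowed name can be checked against what the kernel reports for the process. The following is an added example (not part of the original page) that flags records whose displayed name does not match their executable path or parentage; the sample records, the expected-path table and the function names are constructed for illustration.

```python
"""Flag processes whose displayed name does not match what the kernel reports."""
import os
from pathlib import Path

# Assumption for this example: where each daemon is expected to live.
# Adjust the table to the distribution in use.
EXPECTED_EXE = {
    "init": ("/sbin/init", "/usr/sbin/init", "/usr/lib/systemd/systemd"),
    "sshd": ("/usr/sbin/sshd",),
    "httpd": ("/usr/sbin/httpd",),
}
KTHREADD_PID = 2  # on Linux, kthreadd is PID 2 and is the parent of kernel threads


def claimed_names(p):
    """Names a process presents: its comm plus the basename of argv[0]."""
    names = {p["comm"]}
    if p["cmdline"] and p["cmdline"][0].split():
        first = p["cmdline"][0].split()[0]      # "sshd: root@pts/0" -> "sshd:"
        names.add(os.path.basename(first).rstrip(":"))
    return names


def check_process(p):
    """Return the reasons (possibly none) why record p looks like a masquerade."""
    reasons = []
    argv0 = p["cmdline"][0].strip() if p["cmdline"] else ""
    exe = p["exe"]
    # Real kernel threads have an empty cmdline and no exe; ps adds the brackets.
    # A bracketed argv[0] therefore belongs to a userland process imitating one.
    if argv0.startswith("[") and argv0.endswith("]"):
        if exe is not None or p["ppid"] != KTHREADD_PID:
            reasons.append("bracketed kernel-thread name on a userland process")
    if exe is not None and exe.endswith(" (deleted)"):
        reasons.append("executable deleted from disk while running")
    for name in sorted(EXPECTED_EXE.keys() & claimed_names(p)):
        path = exe.split(" (deleted)")[0] if exe else None
        if path not in EXPECTED_EXE[name]:
            reasons.append(f"'{name}' running from unexpected path {path}")
    return reasons


def find_masquerading(processes):
    """Map pid -> reasons for every record that raised at least one flag."""
    flagged = {p["pid"]: check_process(p) for p in processes}
    return {pid: why for pid, why in flagged.items() if why}


def read_proc(root="/proc"):
    """Build records from a live /proc. Run as root: without it, exe is
    unreadable for other users' processes and daemons will be flagged."""
    records = []
    for d in Path(root).iterdir():
        if not d.name.isdigit():
            continue
        try:
            stat = (d / "stat").read_text()
            raw = (d / "cmdline").read_bytes()
            comm = (d / "comm").read_text().strip()
        except OSError:
            continue  # the process exited while it was being read
        try:
            exe = os.readlink(d / "exe")
        except OSError:
            exe = None  # kernel thread, or not permitted to look
        ppid = int(stat.rsplit(")", 1)[1].split()[1])
        cmdline = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        records.append({"pid": int(d.name), "ppid": ppid, "comm": comm,
                        "cmdline": cmdline, "exe": exe})
    return records


# Constructed sample records (not taken from a real host).
SAMPLE = [
    {"pid": 1, "ppid": 0, "comm": "init", "cmdline": ["/sbin/init"], "exe": "/sbin/init"},
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "cmdline": [], "exe": None},
    {"pid": 15, "ppid": 2, "comm": "ksoftirqd/0", "cmdline": [], "exe": None},
    {"pid": 812, "ppid": 1, "comm": "sshd", "cmdline": ["/usr/sbin/sshd", "-D"], "exe": "/usr/sbin/sshd"},
    {"pid": 4077, "ppid": 812, "comm": "sshd", "cmdline": ["sshd: root@pts/0"], "exe": "/usr/sbin/sshd"},
    {"pid": 4021, "ppid": 1, "comm": "kthreadd", "cmdline": ["[kthreadd]"], "exe": "/tmp/.x/kt"},
    {"pid": 4100, "ppid": 1, "comm": "httpd", "cmdline": ["httpd"], "exe": "/dev/shm/httpd (deleted)"},
]

if __name__ == "__main__":
    for pid, why in find_masquerading(SAMPLE).items():
        print(pid, "; ".join(why))
```

Note that comm and argv[0] are both set by the process itself, which is why the check leans on the exe link and the parent PID rather than on either name.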

Another way would be an LKM rootkit; on older kernels these can be an ideal way to maintain a backdoor into the system. An important thing to remember is that anti-rootkit technologies for Linux-based systems such as chkrootkit and rkhunter are merely shell scripts. These can be easily modified to even remove checks for whatever public rootkit you may choose, as well as to remove the checksum checks on the script itself. If it is a newer kernel you may wish to look into something like Jynx Rootkit, as this will compile on most servers.