Archive for January, 2009

3rd party MSN problems: Update!

Saturday, January 31st, 2009

In my previous post 3rd party MSN problems, I discussed how to update pidgin to use MSN-Pecan, rather than Libpurple. After doing some research, the problem was found to be the implementation of MSNP15. Official MSN clients, as well as a few 3rd party clients, seem to fall back on older protocols. As MSN-Pecan uses MSNP12, it will work.

This morning, I accidentally signed in under MSN, rather than the WLM account on pidgin, and lo and behold, it worked! The pidgin folks have pushed out a fix to the MSNP15 problem and pidgin should function correctly now.

If you’d like to follow the bug report, it can be found here.

The Hacker Mindset

Wednesday, January 14th, 2009

We’ve all seen Hollywood’s depiction of hackers. Flashing graphics, strange
clothing, all-night soda binges. This fantastical display of the ‘hacker
subculture’ provides very little insight into the technical aspects of
hacking. Very little of what we see is remotely close to the true
inner workings of hacking. Despite this inaccuracy, the people involved are
shown in a realistic sense. The clothing, the ‘catch phrases’, the actual
culture displayed may or may not be accurate depending on who you speak to,
but the motivation and creativity displayed are universal. Hacking is
thinking outside the box in a technical sense. While you may need a vast
technical knowledge to execute an attack, the process of developing the
methodology can be accomplished without nearly as much technical knowledge.
These movie characters stop at nothing to accomplish their goal and often
find unorthodox solutions to problems.

Look around whatever room you are in and find a light. Can you think of 10
different ways to make that light useless? When I teach classes or lecture
at conferences I like to use this as an opening drill. Most of the time
people only come up with ‘turn off the switch’ or ‘take the light bulb
out.’ While these are valid answers, they are not very creative. What I
like to see are answers more like ‘destroy the power company,’ ‘shoot it,’
or ‘overload it with current.’ ‘Destroy the power company’ is a great
example of a non-technical answer that illustrates something useful. While that
particular person didn’t know about power grids or how that part of our
infrastructure works, they did understand a creative way to exploit it.

What is all this talk about creativity? Why is it so important? When you
are doing a penetration test, odds are good it is not on a virgin
environment. An environment void of firewalls and lacking patches would be
ripe for the picking, but this is rarely our situation. Creativity is how
we bypass the security already in place. Hacking is the art of using things
in unexpected ways, the art of being clever.

To give an example, think of a simple SQL injection vulnerability in a form
field for a first name. The developer was either careless or clueless when
he passed the value to the database and left it vulnerable. We’ll hope that
he was more clueless than careless and proceed. As hackers, we look
at the input and see the potential to exploit his database by injecting our
own queries, but to the developer it’s simply a form field for a name. The
developer never saw this attack coming because of what he thought the code
did, rather than what it was capable of. A hacker has to be creative in
order to successfully understand and exploit things.
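The gap between what the developer thought the code did and what it was capable of can be seen by running the same first-name lookup two ways. This is an added example, not code from the original newsletter; the `users` table, its sample rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)")
    db.executemany("INSERT INTO users (first_name) VALUES (?)",
                   [("Alice",), ("Bob",), ("D'Arcy",)])
    return db

def lookup_concatenated(db, first_name):
    """What the developer saw as a name lookup: the field value is pasted
    into the SQL text, so the database parses it as part of the query."""
    sql = "SELECT first_name FROM users WHERE first_name = '" + first_name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, first_name):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT first_name FROM users WHERE first_name = ?"
    return [row[0] for row in db.execute(sql, (first_name,))]

def compare(db, first_name):
    """Run both lookups on the same input and report what each returned."""
    try:
        naive = lookup_concatenated(db, first_name)
    except sqlite3.Error as exc:
        naive = "error: " + type(exc).__name__
    return naive, lookup_parameterized(db, first_name)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary name, a legitimate name containing a
    # quote, and a value that changes the meaning of the concatenated query.
    for value in ["Alice", "D'Arcy", "x' OR '1'='1"]:
        print(repr(value), "->", compare(db, value))
```

The concatenated lookup breaks on a legitimate name containing an apostrophe and returns every row for the third input, while the parameterized lookup treats all three as plain names.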

Great examples of creative exploitation are logic flaws or process
exploits. These vulnerabilities are exploited when a hacker finds some
portion of code that the developer assumed would be used correctly. If you
were to go to a website and see a login field you couldn’t bypass, odds are
good that’s the end of trying to exploit it. Now, applying our newfound
creativity, what if we guessed what URLs an authenticated user would have
access to and typed them in manually? Many developers simply do not display
links to pages you don’t have access to, but don’t enforce those
restrictions. This perfectly illustrates how a hacker will use something in
an unexpected way. By attempting to find pages that we weren’t presented
with links to, we completely bypass the ‘workflow’ of the application and
can therefore expose vulnerabilities in the process, rather than the
code.
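The difference between hiding a link and enforcing the restriction can be checked mechanically. The sketch below is an added example, not part of the original newsletter; the route table, role names and handler functions are hypothetical. It compares a handler that relies on link hiding with one that checks authorization on every request, and audits both.

```python
# Constructed route table: path -> role required to use it.
ROUTES = {
    "/home": None,            # public
    "/account": "user",
    "/admin/users": "admin",
}
ROLE_RANK = {None: 0, "user": 1, "admin": 2}

def allowed(role, path):
    """True when `role` meets the requirement recorded for `path`."""
    return ROLE_RANK[role] >= ROLE_RANK[ROUTES[path]]

def menu_links(role):
    """Links shown to the caller; this is presentation, not access control."""
    return [p for p in ROUTES if allowed(role, p)]

def handle_link_hiding_only(role, path):
    """Flawed: assumes a request can only arrive via a link from menu_links()."""
    if path not in ROUTES:
        return 404
    return 200

def handle_enforced(role, path):
    """Corrected: the rule that builds the menu is checked on every request."""
    if path not in ROUTES:
        return 404
    if not allowed(role, path):
        return 401 if role is None else 403
    return 200

def audit(handler):
    """Request every route as every role and list the requests that succeed
    although the route was never offered to that role."""
    return [(role, path) for role in ROLE_RANK for path in ROUTES
            if path not in menu_links(role) and handler(role, path) == 200]

if __name__ == "__main__":
    print("link hiding only:", audit(handle_link_hiding_only))
    print("enforced:        ", audit(handle_enforced))
```

Run as a regression test, `audit` should return an empty list for every handler; any entry is a page reachable outside the intended workflow.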

While many vulnerabilities require in-depth technical knowledge to
exploit, this technical knowledge isn’t required to be a ‘hacker.’ A hacker
without technical knowledge would do a poor job of executing his attacks,
but thinking outside the box, finding places to look that no one else
did, and putting things together in just the right way to reach the goal
are creative skills.

To read the rest of the articles in this newsletter, please see:
http://www.bitsofspy.net/newsletter/1/the_newsletter_001.txt

3rd party MSN problems

Monday, January 12th, 2009

Yesterday I attempted to connect to my MSN account with pidgin and received the error “Unable to retrieve MSN Address Book.” After a bit of research I found that Microsoft has deprecated parts of the MSN protocol in favor of the WLM protocol.

In order to fix this issue, you must switch your protocol to WLM from MSN. If you don’t have the WLM option in the ‘add account’ dialog box, install the X11 plugin for msn-pecan. (Under Gentoo this is: x11-plugins/pidgin-msn-pecan.)

After this install, a restart of pidgin, and creating a WLM pidgin account, I was able to resume chatting happily.