So, what is 'hacking'?

Off-topic posts go in here; this forum is only loosely moderated.

So, what is 'hacking'?

Unread postby Calcifer » 5th February, 2018, 11:03 am

Oh we've all seen it in media. Many of us are familiar with The Matrix, Wargames, Mr. Robot, Hackers, etc so we all have a vague idea of what hacking is on the surface.

First of all - I can tell you what it isn't. It isn't two people typing on a keyboard at once a la NCIS:



Nor is it uploading a virus that was embedded in a fractal in a bone that set your computer's maximum temperature to 1000 degrees and set it on fire. (In Bones, unfortunately I couldn't find a video)

Oh, and who can forget the 'I know this, it's a UNIX system!' from Jurassic Park?



The term gets thrown around a lot too, people who 'hack' other's Facebook by borrowing their phone and that kinda thing. As a computer scientist, I do find it a little bit annoying so I thought I'd give a crash course on exactly what hacking is!

Warning: Some small amount of code ahead

Hacking at its very core is making a computer do something it shouldn't, in order to gain access to something you shouldn't, in order for you to do something you shouldn't. Sometimes it's to deface a website, steal information, crash servers, or to distribute a virus to disable a countries nuclear program. The question you may ask is how exactly do they do this?

First you tend to start off with information gathering. You'll poke around on a system, see what's installed and what versions. If people haven't kept things up to date then boom, possible exploit. Even if they are up to date, if the programs aren't set up correctly then they can be tricked into doing some odd things. It's hard to explain quite how this works without an example, so that's exactly what I'll do!

-----------------------------PART 1: SQL and you-----------------------------



Our victim is called Bob. Poor Bob runs a website, bestbloggers.com. Now, people can log in to his website to manage their blogs, but Bob doesn't know anything about computers and so he just followed some shitty guide written in the 90s.

[Reveal] Spoiler: Quick Sidebar: How SQL works
SQL stands for Structured Query Language, and it's how you interact with a database. A database has a series of fields, and SQL statements returns stuff from the database. For example, our table is called Users. Inside we have the fields of Username and Passsword. if we were to do SELECT Password FROM Users WHERE Users.Username = 'Bob', we can get Bob's password. A small note is the * symbol, which just means everything.


Bob's log in page works something like this:

Code: Select all
class Login(String username, String password) {
    users = Database.open('Users.db');
    passwordStored = users.executeSQL('SELECT password FROM Users WHERE Username=' + username);
    if (passwordStored == password) {
        logIn(username);
    }
}


(Note: Never ever code anything like this live or the ghost of computer scientists past will find you and eat your soul)

What this code basically says is we have a big list of usernames, with their passwords associated with it. When you enter a username, it looks in this list and sees if the password is correct. If it is, then it'll log you in with that username. However, what happens if you start messing with what you enter in the password field? As you can is, it is an if statement. An if statement is only ever looking for two things - True, or False. So, logically, if we can force that to be true then we can log in as whoever we want yes?

(Yes)

As logIn just needs a username, if we can make it pass with say, an arbitry password, then we can log in as anyone. So what happens if we enter "a' OR true" as the password? Well, the statement becomes if (passwordStored == 'a' OR TRUE'), which means that this will always return true. Therefore, we can log in as literally anyone!

So, let's try a few usernames. We find out we can log in as Bob, Jim, Billy, and admin. Bob was at least smart enough to have a separate account to run the website, and the one he uses. However with that we've just gained access to the admin account and so we can do pretty much whatever we want to the front end of the website - Deleting posts and what have you.

This is a textbook example of something called sanitization which quite literally just means keeping your inputs clean. The general rule when it comes to programming anything is never trust the user, because they will inevitably try to break something and screw you over.

Now, we want to do something a bit more in depth.

-----------------------------PART 2: Bash & Unix-----------------------------

We don't just want to deface his website, because Bob might have copies stored. He's bad at making websites, but that doesn't mean he's bad at everything to do with running one. So, assuming Bob makes nightly archives of his website and stores them somewhere, how do we get rid of them?

Well, first we're going to have to find out where he's storing them. Thankfully it's a pretty good bet that the server that hosts his website also stores the copies, so all we need to do is connect to that server. Connecting to a server typically requires two things, an IP and a login.

We're going now to head over to Linux, because it has way more tools for doing these things than Windows. I'll explain the process and commands as I go along, and try not to lose any of y'all who have stayed with me so far.

So far, all we know is the website name, and what we need is an IP. Thankfully Linux has us handled with a command called 'host'. If I do for example, host google.com I get this result:

Code: Select all
google.com has address 216.58.201.14


(Plus several other IPs for its mail but hey, that's besides the point right now)

So now we do host bestbloggers.com, and we get the IP 192.168.0.1. We've now got part of the puzzle and all we need is a login. Here we're going to have to get a little bit lucky, and assume that Bob is lazy. We try logging in with the admin account and password we found earlier (let's just assume we somehow got the password list, don't ask how) but it doesn't work. Balls.

[Reveal] Spoiler: Linux in a nutshell
Linux's version of an admin account is called root, it has the power to run anything and everything, delete and open whatever it wants, and if you get access to root then you have access to everything on the server. Everything you do on Linux is done through something called 'the shell' which is basically your terminal window you use to type things in


Thankfully, we try Bob's login and it turns out he made a user account on the server! Except it doesn't have root access. Bummer. So, how do we get access to root?

This is where it gets a bit more technical, so try and hold on to your hats.

We need to become root, and one easy way to do so is to find something that is already running as root. In linux we can do that by typing 'ps' which means processes, or something like that. Honestly I don't know what it stands for, but what it does is give a list of every running process, and its permissions. This is important because if we can find a process that a) we can access, and b) can exploit and c) is running as root, we can become root.

Looking at the processes, we find out that for some strange reason, the database is running as root. That is to say, the database that checks users and passwords is running with the highest possible permission. The database we have some sort of access to via the website via logging in. Let's for the sake of it say that this is the way the website works:

User visits website -> Enters login information -> Information is passed to the server -> Server runs SQL statement built by website -> Server returns the info -> Login is true or false.

Now we have all the required pieces to do what we want, we just need to put it together in a way that gives admin access on the server as well as the website. So, assuming we can force commands to be run on the server as root by the database using its sql commands, we just need the right command.

Let's go for something like this -

Username = -
Password = '; usermod --password admin admin

In our example, what that will do is escape the string with ', signify the end of the command in Unix with ;, then enter the next command which is usermod --password admin admin which changes the admin's password to admin.

[Reveal] Spoiler: Realistically...
So that's the wrong usage of usermod --password in the first place, because it needs to take an encrypted password so we'd have to generate one first, but I skipped over that for the sake of clarity. In addition, you can't actually execute commands this way - The realistic way to do it would be either to crash the process and hijack it to open a shell as root, likely by use of shellcode but that's also a bit too heavy for this simple explanation


After this, we just log in as admin with the new admin password and voila. Full access to the server that runs the website, and we could delete it entirely, delete everything on the server, make it give all its users viruses, the world is really your oyster at this point.


TlDr: Hacking is more of using existing commands in clever ways, and hoping that other people have made mistakes you can exploit.
ImageImageImage
User avatar
Calcifer
Some Hypersexual Puppy Cat Thing
 
First name: Calum
Posts: 1257
Likes received: 126
Joined: 30th June, 2014, 3:12 pm
Location: England
Country: United Kingdom (gb)

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
0 / 7

Re: So, what is 'hacking'?

Unread postby Kaspar » 5th February, 2018, 11:46 am

I got very little of some parts, but it was entertaining (and concerning) in many ways :P Thanks Cal
Proudly, the Captain of team Spirited Away
House Cup 2017



ImageImage
ImageImage
User avatar
Kaspar
Lochlan's cat enthusiast
 
First name: Kacper
Posts: 2622
Likes received: 702
Joined: 18th January, 2017, 5:50 pm
Location: Northern Poland almost by the sea ey
Country: Poland (pl)

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
0 / 7

Re: So, what is 'hacking'?

Unread postby Sturgeon » 5th February, 2018, 12:32 pm

You can't forget this infamous scene.
User avatar
Sturgeon
Road to Ruin
 
First name: Sam
Posts: 613
Likes received: 166
Joined: 20th February, 2016, 7:20 pm
Location: cool britannia (but also Lake District and Sheffield)
Country: United Kingdom (gb)

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
0 / 7

Team: Odd Squad

Re: So, what is 'hacking'?

Unread postby Dolly » 5th February, 2018, 1:00 pm

i hacked ur man's bussy
Image
User avatar
Dolly
hotty & country singer
 
Posts: 3730
Likes received: 853
Joined: 19th July, 2015, 11:50 pm
Location: Tennesee
Country: United States (us)

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
6 / 7

Re: So, what is 'hacking'?

Unread postby Hierax » 6th February, 2018, 11:05 am

Cal comin' up with the interesting threads
ImageImage
User avatar
Hierax
Flaz├ęda
 
Posts: 1420
Likes received: 379
Joined: 3rd August, 2017, 8:55 am

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
0 / 7

Team: Cheer Team

Re: So, what is 'hacking'?

Unread postby joshe » 6th February, 2018, 11:31 am

Very interesting!
Cannot stand people who go on peoples phones with the person's full permission and post on the other person's snapchat story at post a picture of them and put something like 'hacked my the greatest haha add up +tastelessbitch748'
User avatar
joshe
GTF's Gayby
 
First name: JOSHUA
Posts: 145
Likes received: 47
Joined: 15th August, 2017, 4:37 pm
Country: United Kingdom (gb)

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
3 / 7

Team: Odd Squad

Re: So, what is 'hacking'?

Unread postby Adyuto » 14th April, 2018, 2:41 pm

I know this is a somewhat old thread, but this was very entertaining and educational. I expect more quality content like this.
Image
User avatar
Adyuto
Mafia A Rank
 
Posts: 353
Likes received: 55
Joined: 3rd March, 2017, 10:25 pm
Location: United States

Activity levelBased on posting activity in the past two weeks. Tier IV and above grant custom name colours in Discord.
:
Tier I
Progress to next tier:
0 / 7

Team: Cheer Team


 Mafia A Rank


Recently active
Users browsing this forum: CommonCrawl [Bot], Google [Bot], Linkdex [Bot], Majestic-12 [Bot], Yandex [Bot] and 87 guests