The Evolution of Hacking and Security – From Bindshells to Reverse Shells

So, if you read my previous post on what hacking was like in the mid 90’s to early 2000’s, this post will be basically the polar opposite. The hacking game has drastically changed; the old wild wild west version of the internet has turned into cities and suburbs where hacking still takes place, but there are now consequences and people are locking their doors. It takes a lot more effort these days to break into a server, just as it would to break into a guarded organization. In the old days of hacking, 0day exploits would stay 0day for months or even years while a smaller group of hackers rooted most of the internet, leaving system administrators ripping their hair out trying to figure out how they got in. Underground sites like rootshell.com and hack.co.za are non-existent. Hackers discovering 0day vulnerabilities are now required to disclose the information to the vendor before releasing any proof of concept (PoC) code. With security awareness at an all-time high, this gives attackers very little time to compromise systems before a published CVE is patched on a target system.

Rooting servers at will remotely and slapping up a bindshell has become a thing of the past. Most organizations have multiple DAPE (deny all, permit by exception) firewalls in place. Even if you hack a server in the DMZ and update iptables/ipchains to open port 9999, for instance, there will still be a firewall in front of it preventing incoming connections on that port. You have to compromise uplink routers, switches and firewalls if you want direct access. Security communities are popping up left and right, dishing out best practices and implementation procedures to prevent easy access to vital servers.

What bothers me most about hackers today (if I can even call them that, as pretty much everything is automated) is that hacking is all about money now: stealing people’s credit card information, holding computers for ransom (ransomware), using bots to perform click fraud, installing fake anti-virus software. We also have the emergence of so-called “hacktivists” attacking the left or the right depending on their political views. I hate to call myself a hacker, as this generation has embarrassed and degraded the term “hacker.” Hackers were once an elite group of highly skilled, free-thinking innovators, not thieves and not out to make a quick buck. When we discovered a vulnerability we kept it to ourselves; these days hackers are willing to sell exploit code to the highest bidder, whoever it may be, regardless of the consequences.

I am not trying to sound high and mighty. I have done a lot I am not proud of, maybe accidentally putting many companies out of business with massive sustained DDoS attacks, or becoming the world’s #1 Age of Empires player by DoS’ing my competition to get a cheap win, and maybe I have a few dozen 2600 defacement listings, but I never made a dime from any of it. Now I dedicate my life to helping protect the world from people like I was and slowly repaying my debt to society.

I work on the front line now defending against script kiddies and crimeware malware pushers. Remote root exploits are extremely uncommon these days; coders now go through code review checks every step of the way, which has made a huge impact on the number of vulnerabilities being found. The term remote root exploit is basically a thing of the past; even if a hacker exploits an FTP server or Apache web server, they will land themselves a user account shell instead of a root shell like they would have gotten years ago.

Open WinGates and anonymous proxies are a lot harder to come by these days; instead hackers have turned to The Onion Router (TOR), which makes them close to anonymous while surfing the web. I say “close to anonymous” because for the most part nobody is looking beyond the TOR IP a user is using and back to the exit node. However, several recent busts were made by the FBI catching child porn rings and credit card schemes where the perpetrators were using TOR but unaware that the exit node was being monitored and logged, making an easy bust for the feds.

Instead of hacking remote servers by exploiting vulnerable daemons, which used to be the easiest and fastest means of popping a shell and having your way with a server, hackers have turned to hacking web app vulnerabilities. This was an inevitable shift once companies, organizations and even Microsoft Windows started implementing firewalls and blocking all unused and unneeded ports and protocols from the outside world. The most common vulnerabilities now are SQL injection (SQLi) and Cross-Site Scripting (XSS). These attacks take time and patience, and sometimes even a skilled attacker who knows how to tweak a possible finding into something that actually works.

There is a plethora of tools out there to help automate SQLi and XSS exploitation, such as SQLmap, Havij, NetSparker, Burp Suite and ZAP, and even websites such as Shodan which help expose vulnerabilities. A common method of maintaining access to a server once you have broken in is by installing a web shell such as C99 (one of the most popular) or r57. If the attacker is looking to use a compromised host for DoS, they may install phpdos.php, which is a UDP flooder that does not require root access.

For an attacker to actually get that magical rootshell prompt, they typically have to hack user-level access first and then exploit a local vulnerability to elevate their privileges to root. Hackers these days don’t even care what operating system they are attacking; they will even go after Windows servers now, which would have gotten you laughed at in the old days. *Nix rootshells are a lot rarer these days; the hackers that have them will typically trojan the SSH daemon and use it as a backdoor into the system as root through an encrypted channel, making detection very hard. The common way for a hacker to get CLI access is by installing a reverse shell script or manually running cmd.exe or /bin/sh via some other medium and catching it on the attacker’s machine with a Netcat listener (nc -v -l 9999).

It is almost ubiquitous now to have an Intrusion Detection System or Intrusion Prevention System running, and everyone almost certainly has some type of anti-virus solution. Pure hackers are almost all white-hat hackers now, making bank working for the man to help secure their enterprise or organization; I know most of my old team has gone legit and is profiting greatly from it. We showed the world it was vulnerable to attack from all angles, and the world is finally answering with a myriad of security solutions.

Crimeware families are the biggest threat these days; they only care about money, so they devote their time to developing malware that will earn them revenue in some form. Since it was virtually impossible to break into a Windows machine remotely, they figured out another way to get in. Crimeware groups and families developed what are now known as web-based exploit kits, and around 2010 they started to become prevalent. An exploit kit is essentially software that has a package of preloaded exploits for common web and browser-based vulnerabilities such as Java, Flash, Silverlight, Internet Explorer font files and so forth. In order to exploit a victim, the victim needed to browse or land on a page that was hosting an exploit kit. Crimeware actors would use SQLi and stored XSS to insert <iframe> redirects to their malicious landing pages, which would attempt to exploit any vulnerable application the host may be running. These campaigns have been extremely successful, as many people do not update their version of Flash or Java as they should; when the window pops up saying your Java is out of date, do you click update or do you worry about it later? If you’re one of the “I’ll install it later” folks, you most likely are hosting some type of malware on your system.

The world of Denial of Service has evolved drastically as well; actual Distributed Denial of Service attacks by their most common definition, where a hacker uses a group of compromised machines to simultaneously attack a target, are far less common these days. Packet kiddies figured out that they were losing far too many shells and bots launching attacks from their own botnets, so they started using reflection attacks. In a reflection attack the attacker sends a spoofed request to a server running a service vulnerable to reflection attacks (NTP, SSDP, SNMP, CHARGEN and DNS being the most common), and the server responds back to the spoofed IP (the victim of the attack) with more bytes than the attacker sent, creating an amplification factor. NTP would be one of the worst offenders, with an amplification ratio sometimes as high as 500 to 1. That means an attacker sends one byte of data to the NTP server and the NTP server responds with 500 bytes. An attacker only needs to scan for NTP servers that answer requests for the mon_list command, for example, and they can be used in a DrDoS attack. These types of attacks have been known to send over 500 gigabytes a second to a victim. That makes them extremely dangerous and makes it extremely hard to catch the attacker who launched them.
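The amplification ratio described above, turned into a defender-side check that the operator of a reflector (an NTP or DNS server, say) could run over flow records to spot which "client" is really a spoofed DrDoS victim. This is an added example, not code from the original post; the server address, ports and flow records are constructed for illustration.

```python
from collections import defaultdict

# UDP services the post names as common reflectors, keyed by well-known port
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "CHARGEN", 53: "DNS"}

# Constructed flow records (not captured data):
# (src_ip, src_port, dst_ip, dst_port, protocol, byte_count)
SAMPLE_FLOWS = [
    # legitimate NTP client: small request, small reply
    ("10.0.0.5", 40000, "192.0.2.10", 123, "udp", 48),
    ("192.0.2.10", 123, "10.0.0.5", 40000, "udp", 48),
    # spoofed monitoring-list queries "from" the victim: tiny in, huge out
    ("203.0.113.7", 53001, "192.0.2.10", 123, "udp", 8),
    ("192.0.2.10", 123, "203.0.113.7", 53001, "udp", 4000),
    ("203.0.113.7", 53002, "192.0.2.10", 123, "udp", 8),
    ("192.0.2.10", 123, "203.0.113.7", 53002, "udp", 4000),
    # ordinary DNS lookup with a modest reply
    ("10.0.0.9", 51000, "192.0.2.10", 53, "udp", 60),
    ("192.0.2.10", 53, "10.0.0.9", 51000, "udp", 180),
]


def amplification_by_client(flows, server_ip):
    """Return {(client_ip, service): (bytes_in, bytes_out, ratio)} for the
    reflector services on server_ip. ratio = response bytes / request bytes."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst == server_ip and dport in REFLECTOR_PORTS:      # request in
            bytes_in[(src, REFLECTOR_PORTS[dport])] += nbytes
        elif src == server_ip and sport in REFLECTOR_PORTS:    # response out
            bytes_out[(dst, REFLECTOR_PORTS[sport])] += nbytes
    stats = {}
    for key in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[key], bytes_out[key]
        ratio = o / i if i else float("inf")
        stats[key] = (i, o, round(ratio, 1))
    return stats


def suspected_victims(flows, server_ip, min_ratio=10.0, min_bytes_out=1000):
    """Clients whose replies dwarf their requests: the spoofed source address
    is the likely DrDoS victim, and the service should be rate-limited or closed."""
    stats = amplification_by_client(flows, server_ip)
    return sorted((client, svc, ratio)
                  for (client, svc), (i, o, ratio) in stats.items()
                  if ratio >= min_ratio and o >= min_bytes_out)


if __name__ == "__main__":
    for client, svc, ratio in suspected_victims(SAMPLE_FLOWS, "192.0.2.10"):
        print(f"{svc}: {client} receiving {ratio}x amplified responses")
```

The thresholds are assumptions to tune per service; the 500x ratio the constructed NTP flows produce matches the worst case the post describes.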

What the next evolution of hacking will look like I really don’t know, but I see wireless capability and Bluetooth being installed in everything from refrigerators to cars and homes. With our lives all being stored in the cloud and everything we do revolving around technology these days, perhaps Skynet really is in our future.
