Charles Engelke's Blog

February 27, 2004

Cracker Methodologies and Tools

Filed under: RSA 2004 — Charles Engelke @ 2:31 pm

Douglas Conorich of IBM and Matthew Luallen of Sph3r3 and Argonne
National Laboratory.

Types of Hackers: Novices (script kiddies) are usually male teenagers,
not sophisticated, motivated for personal satisfaction in disruption;
Cyberpunks are usually young adults, male and female, who are often
motivated for a cause of some kind; Insiders are people in your
company who may be motivated financially; Coders are the people
who create the tools, and consider themselves more “white hats”;
Professionals and Cyber Terrorists are the last two groups, and
we don’t know much about them. He defines cyber terrorists as
professionals who work for organized crime like the Mafia, which
doesn’t seem to me to be correctly called “terrorism”.

Attack Phases: Discover and map your systems through scanning and
probing; penetrate the perimeter through denial of service,
application attacks, spoofing, protocol exploits; the third phase
went away too soon for me to see it. I assume it’s exploiting the
resources you’ve now reached and control.

Why do they target you? Maybe because you have something they
want for personal, financial, or political reasons; or maybe
just because you’re a target of opportunity. The number of
incidents has been doubling every year for five years; about
180,000 last year. The number of new vulnerabilities goes up
almost every year (it went down slightly last year to just under
4000 new vulnerabilities). Malicious code is growing steadily,
though not at a real high rate. However, the number of malicious
code incidents is growing at a very fast rate. Worms are more than
80% of these incidents. Almost all of it (95.8%) comes from e-mail
attachments, which wouldn’t happen if people just stopped opening

The Slammer worm doubled infections every 8.5 seconds when it was
released, and 55 million hosts were being scanned each second
at it’s peak. It never should have spread at all, because it
required access to the SQL Server port which should never
have been open to the Internet.

There was discussion of Wi-Fi hacking and war driving with tools
like NetStumbler. It’s cheap and easy to find open Wi-Fi

Luallen recommends that we all attend at least one Defcon conference
to see what cracking tools are coming out. For example, the last
conference demonstrated a Wi-Fi tool that spoofed a legitimate
Starbucks hotspot in order to steal credentials. More information

We see a long list of available tools to help crack networks. When
establishing a Warez Evaluation Environment, be careful about
them calling home, and don’t install them on a production system.
Using VMware virtual machines is a good idea for this.

We’re not seeing actual examples of using the tools, just showing
us the breadth and depth of tools available. It’s getting really
each for an unsophisticated user to develop effective attacks using
these tools.

Another interesting talk, but not as much as I was expecting from
the description. Still, it’s been another good day at the
conference, and strong end to the week.


Create a free website or blog at

%d bloggers like this: