WRIT340 Illumin Article Portfolio Draft

This article explores how understanding the mindset and methodologies of hackers can enhance computer security. It outlines the stages of a hacking attack, including reconnaissance, scanning, exploitation, and maintaining access, while emphasizing the importance of social engineering skills. By recognizing hacker motivations and techniques, security experts can better protect systems against breaches.


Joshua Hickernell
05/03/13
WRIT 340
Townsend

Knowing the Opponent: How understanding hackers can enable more comprehensive computer security

Abstract
This article analyzes how understanding the mindset of a hacker and the methodology they use to exploit systems can aid security experts in improving the security of software systems. It looks more deeply at some of the technical aspects of the hacking process and attempts to present them in a way that is understandable to someone without much programming or computer experience.

“Hackers attack Microsoft computers” [1], “Apple computers 'hacked' in breach” [2], “Facebook was targeted by 'sophisticated' hackers” [3]. These and similar headlines have been circulating in the news over the past few months. Businesses in every industry have recently admitted to having their computer systems breached by unauthorized users. Some people have even started calling 2013 “The Year of the Hack” [4]. The question that most people are asking is: how did all these supposedly secure systems become compromised? While it is important to look at the specific vulnerabilities in software that hackers were able to bypass in order to determine how systems were compromised, more must be done in order to prevent such attacks in the future. Ultimately, examining the mindset and methodology of hackers (their attitude, skills, and attack strategy) is vital to improving the security of software [5].

The Hacker Mindset: Attitude and Skills

While the hacker subculture grew out of a desire to understand computer systems and a love of programming [6], it has since evolved into something that is more sinister. Today, hackers are motivated by a desire to gain money from their exploits. With the increasing amount of information that is placed onto computers and the increasing amount of business that is being conducted through computers and online, hackers have more opportunities than ever before to profit from stealing sensitive data from computer systems. However, in order to do this, hackers need to be more than just experts at computer programming.

While the common stereotype of a hacker is a nerd who sits at their computer all day writing software to break into computer systems, the reality is that hackers need both computer programming and social engineering skills in order to succeed. Rather than exploiting weaknesses in the software systems, social engineering makes use of the fact that humans can be manipulated to divulge information or allow access to things they are trying to protect, given the right motivation [7]. It involves a hacker leveraging human psychology and how humans behave in order to deceive the victim into exposing information that may be useful in gaining access to their computers. Phishing, for example, is a common form of social engineering that attempts to gain private information (such as passwords and credit card numbers) from someone by pretending to be a trusted individual or corporation.¹ One example of a phishing attack is a hacker masquerading as a user's bank and asking the user to send their account information because fraudulent activity was supposedly detected on it, when in fact the hacker is just trying to steal the account information. [Multimedia: example of a phishing email or website with callouts showing different key parts of the email] The important role that social engineering plays in all stages of a hacker’s attack cannot be overlooked.

¹ See http://www.us-cert.gov/ncas/tips/ST04-014 for more information on phishing and how to protect yourself from these types of attacks.
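The bank pretext described above can be checked mechanically before a reader acts on the message. The following Python script is an added example, not part of the original article: it parses a constructed lure email and reports three indicators a recipient or mail filter would look for (a sender domain outside the organisation's assumed allow-list, a link whose visible text names a different host than its real destination, and pressure language in the subject or body). The sample messages, the `TRUSTED_SENDER_DOMAINS` allow-list and the `URGENCY_WORDS` list are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (not a real message): claims to be from "Example Bank",
# is sent from an unrelated look-alike domain, and links to that look-alike host
# while displaying the bank's real address as the link text.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examp1e-bank-verify.com>
To: john@examplesite.com
Subject: Urgent: fraudulent activity detected on your account
Content-Type: text/html

<p>We detected suspicious activity. Please verify your account within 24 hours
or it will be suspended.</p>
<p><a href="http://examp1e-bank-verify.com/login">https://www.example-bank.com/login</a></p>
"""

# Constructed legitimate message for comparison.
LEGIT_EMAIL = """\
From: Example Bank <statements@example-bank.com>
To: john@examplesite.com
Subject: Your April statement is ready
Content-Type: text/plain

Your statement for April is now available in online banking.
"""

# Assumed allow-list of domains the bank really sends from.
TRUSTED_SENDER_DOMAINS = {"example-bank.com"}
# Assumed list of phrases that create the time pressure phishing relies on.
URGENCY_WORDS = ("urgent", "within 24 hours", "suspended", "verify your account")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Reduce a host name to its last two labels (www.example-bank.com -> example-bank.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Who actually sent it? The display name can say anything; the domain cannot.
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = registrable(sender.rpartition("@")[2])
    if sender_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not on the trusted list")

    # 2. Does each link go where its visible text says it goes?
    body = msg.get_content()
    for href, text in ANCHOR_RE.findall(body):
        href_host = registrable(urlparse(href).hostname or "")
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_host = registrable(urlparse(shown).hostname or "")
            if shown_host != href_host:
                findings.append(f"link text shows {shown_host} but points to {href_host}")

    # 3. Is the reader being rushed?
    haystack = (str(msg["Subject"]) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(name, "->", phishing_indicators(raw) or "no indicators")
```

Each finding on its own is only a lead (a bank can legitimately use a third-party mailing domain, and real fraud alerts are also urgent), which is why the script reports all three separately rather than collapsing them into a single verdict.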

Stages of an Attack
In order to actually break into a system, hackers generally follow a predictable series of steps: Reconnaissance/Information Gathering, Scanning/Vulnerability Identification, Exploitation, and Maintaining Access/Covering Tracks. While these steps are often followed linearly, they can also be more cyclic in nature, as hackers may engage in further reconnaissance or scanning after attempting many failed exploits (See Figure 1).

Figure 1: Stages of an Attack

Reconnaissance
The first step, reconnaissance, involves gathering as much information about the target as possible in order to identify potential methods to attack them. There are two main types of reconnaissance: passive and active. Passive reconnaissance attempts to obtain information about the intended server(s) without alerting them to the attacker’s presence. One of the easiest and most common methods of doing this is by using search engines in order to find information about the organization, such as the infrastructure of the company, employee logins, and other supposedly private information. For example, many companies use the local-part of an employee’s email address as their login to computer systems (e.g. a user with email [email protected] will have a username of “john”). If a hacker is able to learn the email addresses of employees, they then know potential logins.

Active reconnaissance, on the other hand, is much more aggressive and can therefore be detected more easily by mechanisms that are designed to prevent hacking [8]. What distinguishes active reconnaissance from passive reconnaissance is the fact that active reconnaissance communicates directly with computer servers that may be owned by the victim, as opposed to using tools such as search engines which are unaffiliated with the target. One important aspect of active reconnaissance is discovering the IP addresses of the target servers. An IP address uniquely identifies any computer on the Internet, similar to how a street address identifies any building. Hackers use tools such as nslookup in order to translate from a host name of a web server (e.g. www.examplesite.com) to its IP address (e.g. 192.168.1.1) so that they can carry out more complex attacks against that specific computer.

Scanning
After reconnaissance, penetration testers use various scanning techniques to identify vulnerabilities within the discovered systems. Two related scanning techniques are port scanning and vulnerability scanning. Port scanning attempts to find the open network ports on a server. Network ports are used by computers to communicate with one another over a network or the Internet. By sending messages to ports on a victim’s computer, a hacker can determine if a port is “open”, “closed”, or “filtered”. Open ports are those ports which can accept incoming connections. For instance, corporate web servers generally have a port open so that people can use a browser to connect and view the company website. Closed ports, on the other hand, are those ports on the server that are not accepting incoming communication. Finally, filtered ports are ports that may be open or closed, but some defensive security measure, such as a firewall, prevents the hacker from determining their actual state (See Figure 2). By determining which ports are open on a target computer, hackers are able to enumerate possible “entrances” into that computer.

Figure 2: Filtered Port

A firewall filters messages sent from a hacker outside the network trying to determine the port state of a victim. It drops the message sent by the hacker, and no response is sent back to the hacker.

Once a hacker determines which ports are open on a target computer, they then need to determine which programs are running on the computer. In order to do this, hackers make use of the fact that specific port numbers (which range from 1 to 65,536) correspond to particular “protocols” used by programs. For example, port 80 is used by the HTTP protocol and, if open, generally corresponds to a web server. Table 1 lists some of the common well-known port numbers and which protocols use them.¹

Table 1: Common Network Protocols and their Port Numbers

Protocol   Port Number(s)   Description
HTTP       80               The Hypertext Transfer Protocol is used to transfer webpages located on the WWW between the web server and a client’s browser.
SMTP       25               The Simple Mail Transfer Protocol is used to transfer email messages between email servers.
FTP        20, 21           The File Transfer Protocol is used to transfer files from one computer to another.

¹ See https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt for more information on all the protocols assigned to each port.
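The firewall in Figure 2 drops probes silently, but it can still log them, and the port numbering of Table 1 lets a defender read those logs. The Python script below is an added example, not code from the original article: it parses a constructed firewall log, flags any source address that touched at least five distinct destination ports within a one-minute window (the signature of a port scan as seen from the victim's side), and labels the probed ports with the protocols from Table 1 plus a few other well-known assignments (SSH, HTTPS, RDP) that I added for illustration. The log format, the sample addresses and the thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port-to-protocol labels: the rows of Table 1 plus a few other well-known
# assignments added here for illustration.
WELL_KNOWN_PORTS = {20: "FTP data", 21: "FTP", 22: "SSH", 25: "SMTP",
                    80: "HTTP", 443: "HTTPS", 3389: "RDP"}

# Constructed firewall log (not from any real device). DROP lines are probes the
# firewall silently discarded, which is what makes a port look "filtered" to the
# sender; ACCEPT lines reached a listening service. One source walks six ports
# in two seconds, another just browses the web server on port 80.
SAMPLE_LOG = """\
2013-05-03T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2013-05-03T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2013-05-03T10:00:02 ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2013-05-03T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
2013-05-03T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3389
2013-05-03T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=8080
2013-05-03T10:00:05 ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=80
2013-05-03T10:00:07 ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=80
2013-05-03T10:09:59 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["dport"] = int(rec["dport"])
        yield rec


def detect_port_scans(text, min_ports=5, window=timedelta(seconds=60)):
    """Return {source IP: sorted ports} for every source that touched at least
    `min_ports` distinct destination ports inside some `window`-long interval.
    Both DROP and ACCEPT lines count: a scanner probes open ports too."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        hits[rec["src"]].append((rec["time"], rec["dport"]))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the interval fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            # Keep the largest distinct-port set seen for this source.
            if len(ports) >= min_ports and len(ports) > len(alerts.get(src, [])):
                alerts[src] = sorted(ports)
    return alerts


def label_ports(ports):
    """Attach the Table 1 protocol name to each port number, e.g. '80 (HTTP)'."""
    return [f"{p} ({WELL_KNOWN_PORTS.get(p, 'unknown')})" for p in ports]


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {', '.join(label_ports(ports))}")
```

The window matters: the same source probes port 25 ten minutes later, and a detector that simply counted ports per source over the whole day would merge that with the burst, while one that only looked at consecutive lines would miss scans interleaved with normal traffic. Slow scans spread over hours are deliberately outside what this threshold catches, which is the usual trade-off between false positives and coverage.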

After determining the running programs, vulnerability scanning goes one step further by also attempting to find weaknesses in the discovered programs. If the port scanner determines that port 80 is open and the hacker discovers that an Apache HTTP Server is running on that port, a vulnerability scanner would attempt to find vulnerabilities in the exact version of the web server that can then be exploited. For instance, if a hacker uses a vulnerability scanner to scan a web server running Apache HTTP version 2.2.0, they would find that the server has a critical vulnerability in the way that it handles user requests that allows it to be exploited easily [8a].

Exploitation
After determining potential vulnerabilities, the tester or hacker attempts to exploit these weaknesses in order to gain access to the system. By sending specific commands or pieces of computer code to the vulnerable ports found in the previous step, an attacker may be able to gain access to the filesystem of the computer and execute programs on the victim’s machine. Various similar vulnerabilities exist in many different software applications and may therefore be easier to find and exploit. For example, a buffer overflow is a common vulnerability that occurs when a program accepts user input and does not check the length of the input before attempting to store it in computer memory (a “buffer”). If the input string is too long, it “overflows” out of the size of the buffer, overwriting other parts of computer memory that were not intended to be modified, which can damage the program or allow the hacker to execute their own computer code instead of the code of the original program (See Figure 3).¹ [Multimedia: Flash Video of how a buffer overflow works, that includes placing each of the letters in an input string into their memory slots and showing how this overwrites other memory]

¹ For a more in-depth look at buffer overflows, see the SANS Institute article “Inside the Buffer Overflow Attack: Mechanism, Method & Prevention” at http://www.sans.org/reading_room/whitepapers/securecode/386.php

Figure 3: Buffer Overflow Vulnerability

The input string “HELLO WORLD” (containing 11 letters) is being placed in a buffer that can hold 8 letters. This results in a “buffer overflow” of the last 3 letters into adjacent memory (outlined in red) that is not part of the buffer.
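Figure 3 can be replayed in a few lines. The Python model below is an added example, not code from the original article: it builds a 16-byte model of memory in which the first 8 bytes are the buffer from the figure and the next 8 bytes stand in for whatever happens to sit next to it (the constructed marker `RETADDR!` plays the role of the region outlined in red). `unchecked_store` copies input the way the text describes a vulnerable program doing it, with no length comparison, so the last three letters of “HELLO WORLD” land in the adjacent region; `checked_store` is the fix, comparing the length to the buffer size before writing anything. The memory layout and the marker are constructed for the demonstration; a real machine does not stop at the end of this model, it keeps writing into whatever comes next.

```python
BUFFER_SIZE = 8          # the buffer in Figure 3 holds 8 letters
ADJACENT = b"RETADDR!"   # constructed stand-in for the data that lives next to the buffer


def make_memory():
    """A tiny model of memory: an 8-byte buffer followed immediately by
    8 bytes of adjacent data (the region outlined in red in Figure 3)."""
    return bytearray(b"." * BUFFER_SIZE) + bytearray(ADJACENT)


def buffer_region(memory):
    return bytes(memory[:BUFFER_SIZE])


def adjacent_region(memory):
    return bytes(memory[BUFFER_SIZE:])


def unchecked_store(memory, data):
    """The defect the text describes: copy every byte of the input into the
    buffer without first comparing its length to the buffer's size (the
    behaviour of C's strcpy or gets). Byte 8 onwards lands in adjacent memory.
    In this model an input longer than 16 bytes raises IndexError; real
    hardware raises nothing and simply keeps overwriting."""
    for i, b in enumerate(data):
        memory[i] = b
    return memory


def checked_store(memory, data):
    """The fix: compare first, then copy. Input that does not fit is rejected
    and memory is left untouched. Returns True if stored, False if rejected."""
    if len(data) > BUFFER_SIZE:
        return False
    memory[:len(data)] = data
    return True


def overflowed(memory):
    """True if anything has been written into the adjacent region."""
    return adjacent_region(memory) != ADJACENT


if __name__ == "__main__":
    m = unchecked_store(make_memory(), b"HELLO WORLD")
    print("unchecked:", buffer_region(m), adjacent_region(m), "overflowed:", overflowed(m))
    m = make_memory()
    print("checked  :", checked_store(m, b"HELLO WORLD"), adjacent_region(m))
```

Rejecting the input is one of two sound choices; the other is to truncate it to `BUFFER_SIZE` bytes (what a correctly bounded `strncpy`-style copy does). Either way the decision is made from the declared size of the buffer, never from the length of whatever the user sent.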

However, not all forms of exploitation involve the hacker directly interacting with the victim’s computer, trying to find weaknesses in its defenses. Hackers often create software programs called “malware” that can be used to exploit many different victims. Malware can be defined as “code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other 'bad' or illegitimate action on data, hosts, or networks” [9]. Creating and distributing malware often relies upon the social engineering skills of the hacker, as they must find ways to convince users that the malicious software they are running is harmless. For example, a hacker may advertise that they have various “free screensaver” files on their website, but when those files are downloaded they are actually malicious and infect the user's computer.

It is important to note that there are actually different types of malware, as not all malware acts in the same way or serves the same purpose. For instance, one type of malware is a virus. Although many people colloquially refer to any type of malware as a virus, a virus is actually a subset of malware. It consists of computer code that is “self-replicating”, having the ability to copy itself into the existing code of a different computer program, “infecting” that program. Once it infects the new program, whenever that program is now run, the replication process repeats (See Figure 4).

Figure 4: Virus Replication

A virus finds an uninfected program to infect and injects its code into that program, infecting it. That new infected program then finds other programs to infect.

Although replication by itself is not necessarily harmful, a virus may also perform other unwanted actions on the victim’s computer. For example, a virus might attempt to upload user files to the attacker or download other types of malware on the machine, such as spyware, in order to steal user information. This information can be of various forms, such as usernames, passwords, web-viewing history, or financial information (such as bank accounts or credit card numbers) [10, p. 16]. After collecting information from the victim computer, the spyware then transmits this data back to a server, in a process known as “phoning home”, so that the attacker can use it for personal or financial gain (See Figure 5).

Figure 5: Phoning Home

A victim's computer “phones home” to the attacker's computer, transferring documents and data obtained from the victim.

Maintaining Access
The final step in a successful hack or penetration test involves the hacker “covering their tracks” so that the infiltration is not easily discoverable. One way for hackers to do this is to modify the timestamps on various files to make them appear as if they have not been modified. Attackers could also install a type of malware called a “rootkit” in order to disguise any other malware introduced into the system. A rootkit is a form of malware that attempts to hide its existence from the user and any attempts to detect it. It allows an attacker “to maintain access to a computer so that he can issue commands and scavenge data without alerting the system’s owner” [11, p. 4]. By covering their tracks, attackers can make it more difficult for computer administrators or computer forensic specialists to detect the infiltration.
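The timestamp trick the paragraph mentions leaves a trace a forensic specialist can look for. On Unix-like filesystems a file carries a modification time (mtime), which a program can set to any value, and an inode change time (ctime), which the kernel updates whenever the file's metadata changes and which ordinary tools cannot set directly. Backdating the mtime therefore moves ctime to "now", leaving a file that claims to be a year old while its metadata was touched minutes ago. The Python script below is an added example, not code from the original article: `suspicious_mtime` flags that gap, `scan_tree` applies it to a directory, and `build_demo_tree` constructs a temporary directory with one honest file and one backdated file so the check can be run offline. The tolerance and the demo files are constructed values.

```python
import os
import tempfile
import time
from datetime import timedelta


def suspicious_mtime(path, tolerance=timedelta(minutes=5)):
    """True when the file's mtime is more than `tolerance` older than its ctime.
    A file modified long ago normally has ctime == mtime; ctime far ahead of
    mtime means the metadata was changed after the claimed modification."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance.total_seconds()


def scan_tree(root, tolerance=timedelta(minutes=5)):
    """Walk `root` and return the sorted paths of every file the check flags."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if suspicious_mtime(path, tolerance):
                flagged.append(path)
    return sorted(flagged)


def build_demo_tree():
    """Constructed demo: create two fresh files, then set the mtime of one of
    them back by a year with os.utime. ctime is not settable this way, so the
    kernel stamps it with the current time, producing the gap the check detects."""
    root = tempfile.mkdtemp(prefix="tstomp_demo_")
    honest = os.path.join(root, "honest.txt")
    backdated = os.path.join(root, "backdated.txt")
    for path in (honest, backdated):
        with open(path, "w") as f:
            f.write("sample file\n")
    year_ago = time.time() - 365 * 86400
    os.utime(backdated, (year_ago, year_ago))  # (atime, mtime); ctime moves to now
    return root, honest, backdated


if __name__ == "__main__":
    root, honest, backdated = build_demo_tree()
    for path in (honest, backdated):
        st = os.stat(path)
        print(f"{os.path.basename(path)}: mtime={time.ctime(st.st_mtime)} "
              f"ctime={time.ctime(st.st_ctime)} suspicious={suspicious_mtime(path)}")
    print("flagged:", scan_tree(root))
```

Two caveats for real use: files restored from backups or copied with preserved timestamps (`cp -p`, archive extraction) show the same gap for innocent reasons, so a hit is a lead to correlate with other evidence rather than proof of tampering; and on Windows `st_ctime` has historically meant creation time rather than metadata change time, so the comparison needs to be read accordingly there.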

Conclusion
Just as it is important to understand your opponent in order to defeat them, it is likewise important to understand a hacker in order to prevent their attacks. By recognizing that the motivation of hackers is primarily financial and understanding the methods that hackers take to make money, security experts can take steps to protect their companies from computer threats. Understanding various hacking skills, such as social engineering, can allow individuals to recognize when they are being targeted by phishing attacks and prevent them from falling victim to other similar attacks. Finally, by comprehending the attack methodology of hackers, software designers can test their programs to ensure that they are resilient to the exploits that hackers typically employ, such as buffer overflow attacks, and thus write software that is resistant to unwanted intrusion. Hopefully, as individuals gain a better understanding of how the exploitation process works and begin to guard themselves and their software against such threats, the current dangers and consequences of hacking will be eliminated in the future.

Author Bio
Joshua Hickernell is currently a Senior at the University of Southern California studying
Computer Science with an emphasis on Video Games. After graduation, Joshua will be working
full-time for Google Inc. as a Software Engineer in their Los Angeles office.

Contact Information
Joshua Hickernell
[email protected]
720-496-6165

Works Cited

[1] “Hackers attack Microsoft computers,” BBC News, Feb. 23, 2013. [Online]. Available: http://www.bbc.co.uk/news/technology-21556611 [Accessed Apr. 15, 2013].

[2] “Apple computers 'hacked' in breach,” BBC News, Feb. 19, 2013. [Online]. Available: http://www.bbc.co.uk/news/technology-21510791 [Accessed Apr. 15, 2013].

[3] “Facebook was targeted by 'sophisticated' hackers,” BBC News, Feb. 15, 2013. [Online]. Available: http://www.bbc.co.uk/news/world-us-canada-21481101 [Accessed Apr. 15, 2013].

[4] J. Herrman, “Welcome to the Year of the Hack,” BuzzFeed, Feb. 22, 2013. [Online]. Available: http://www.buzzfeed.com/jwherrman/welcome-to-the-year-of-the-hack [Accessed Apr. 15, 2013].

[5] S. Bono, A. Rubin, A. Stubblefield, and M. Green. “Security through legality,” Commun. ACM, vol. 49, no. 6, pp. 41-43, Jun. 2006.

[6] E. Raymond. “Hacker,” The Jargon File. [Online]. Available: http://www.catb.org/jargon/html/H/hacker.html [Accessed Apr. 17, 2013].

[7] J. Goodchild. “Social Engineering: The Basics,” CSO. [Online]. Available: http://www.csoonline.com/article/514063/social-engineering-the-basics [Accessed Apr. 17, 2013].

[8] A. Whitaker, D. Newman. “Performing Host Reconnaissance,” in Penetration Testing and Network Defense, Cisco Press, 2006. [Online]. Available: http://www.ciscopress.com/articles/article.asp?p=469623&seqNum=2 [Accessed Apr. 15, 2013].

[8a] “Vulnerability Summary for CVE-2010-0425,” NIST National Vulnerability Database, Dec. 27, 2010. [Online]. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0425 [Accessed May 1, 2013].

[9] “What Is the Difference: Viruses, Worms, Trojans, and Bots?” Cisco. [Online]. Available: http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html [Accessed Apr. 15, 2013].

[10] J. Aycock. Computer Viruses and Malware, New York: Springer Science+Business Media, 2006.

[11] B. Blunden. Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd ed. Burlington, MA: Jones & Bartlett Learning, 2013.