ad info  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

Techniques and tools of the hacker


May 10, 2000
Web posted at: 10:40 a.m. EDT (1440 GMT)

(IDG) -- I recently heard of yet another penetration test in which the vendor charged $150,000 for two days of testing. It seemed pretty expensive to me, but I assumed that the testers must have brought in some major security gurus who ran uber-elite secret exploits against the systems. In fact, they ran ISS Scanner.

Don't get me wrong; ISS Scanner is a useful tool that tests for all known vulnerabilities. (I'm not picking on ISS; there are other tools like this as well.) It's just that for $150,000, I want Robert Redford testing my system. (Ok, who hasn't seen Sneakers? Go rent it!) It also occurred to me that there are hackers capable of penetrating almost any system. The good ones get paid for it.

What is a hacker's approach to penetration testing? What tools do hackers use? I decided to find out.

Hacker phobia


The term hacker has been abused by the media and by hacker wannabes to the extent that many people think all hackers are criminals. This is simply not true. For the purposes of this column, I'll define a hacker as "an expert with informal training."

While it's true that there are hackers who have violated laws and/or cannot be trusted, the same can be said for people who avoid the hacker label. We've all heard of insiders who, using their computers, rob a company blind. To make a hiring decision based solely on the label a person uses to describe him or herself is a copout.

In the following Q&A, I asked three well-known security specialists about their background and approach to penetration testing. The players include:

Brian Martin, a.k.a. Jericho:
Founder of, a popular hacker site with an eclectic mix of computer security tools, humor, rants, and the ever-popular Attrition Defacement Mirror. Brian presently works as a computer security consultant responsible for leading a security audit and penetration assessment team. In recent months, Brian's articles focusing on security issues have been widely circulated in corporate newsletters, in print magazines, and on the Internet.

Mark Abene, a.k.a. Phiber Optik:
Cofounder and president of Crossbar Security. Mark's teenage curiosity with phone networks prompted a federal judge to sentence him to a year in jail. While the experience deterred Mark from illegal hacking, time has proved that it wasn't much of a deterrence to others.

Rain Forest Puppy, a.k.a. RFP:
The bane of Microsoft. Best known for releasing the Microsoft IIS RDS exploit used by thousands of script kiddies. RFP is the author of the Web-scanning tool whisker, which can defeat intrusion detection systems. RFP is credited for recently revealing a backdoor inserted by Microsoft engineers that stated that "Netscape engineers are weenies!" RFP prefers to keep his professional identify anonymous.

  Hacking your way to an IT career
  Behind the scenes at Hackers, Inc.
  Diary of a hack attack
  The best security action plan for your site
  Reviews & in-depth info at's personal news page
  Year 2000 World
  Questions about computers? Let's editors help you
  Subscribe to free daily newsletter for system admins
  Search in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

Q: How long have you been doing penetration testing?

Brian: Professionally, for five years.
Mark: Professionally for over five years, but I first started penetrating systems when I was about 12.
RFP: Professionally with a company for about eight months, although individually as needed for about two years.

Q: Do you work for a company or independently?

Brian: I presently work for a company, although I've done both in the past.
Mark: Both. Currently, I'm the president of my own firm, Crossbar Security, Inc.
RFP: Company.

Q: Do your perceive yourself as a hacker-type or a computer security professional?

Brian: A bit of both. I try to be a well-balanced hybrid of the two.
Mark: One's experiences as a hacker-type are what make one a truly great computer security professional -- which is to say [that] it's one thing to be book smart or school taught and quite another to have years of hands-on experience defeating security systems.
RFP: I'm a hacker-type, but I'm billed as a computer security professional because my clients are scared by the former. (Laughs)

Q: Do you see any problems with how penetration tests are typically performed? If so, what?

Brian: Yes. Most companies are charging an arm and a leg for canned security scanner output. While these scanners test for most vulnerabilities, they're always behind the curve in the latest exploits. The whole reason for having a penetration test is to test for everything, especially the latest vulnerabilities. If they can't do that, the client should just purchase their own copies of the scanners.
Mark: Typical penetrations are hardly thorough. They often rely on untrained auditors that use canned tools, which are only as good as their updates. They produce canned reports, devoid of actual useful information and hard facts. We go in after some large audit firm has done their thing, leaving the client with reason for doubt, and we totally penetrate their most sensitive systems. A truly valuable penetration study is a strategic operation, from start to finish.
RFP: Auditors who walk in and exclusively run ISS or CyberCop aren't doing a thorough job. The majority of the time, the auditors don't understand the security vulnerabilities that the scanners are finding.

Q: How can auditors prove that they've done a good job if they've been unable to find anything wrong in the allotted time?

Brian: By writing a comprehensive and well-written report that covers what was tested. I also believe that every network can be improved, so if they didn't find a single point of concern, no matter how trivial, they missed something.
Mark: If an auditor hasn't found anything, by de facto he's done a poor job. Any sufficiently large corporation is going to have security problems. Bureaucracy often unintentionally creates an environment where good security practices are overlooked. The larger the corporation, the more likely it is that holes are lurking. Disorganization and breakdowns in management breed security problems.
RFP: Auditors should document the list of vulnerabilities they checked and say something like, "I didn't find any problems, given the time frame and this list of checks." If the list of checks was small, an explanation of why those checks were picked would probably be sufficient. Obviously, more critical problems and popular vulnerabilities should take precedence.

Q: Do your clients ask you to sign a nondisclosure agreement?

Brian: Yes. And we require them to sign one as well.
Mark: Yes.
RFP: For the most part, yes.

Q: How do you and your clients reach an agreement on the scope of the audit? Do you have a written Statement of Work before you proceed?

Brian: We always come to agreement and are very clear on what is within the scope. 99 percent of the time there's a written Statement of Work.
Mark: We always try to sell our clients on the largest scope possible, because we believe that a penetration greatly diminishes in value the more restrictions and off-limits areas are declared. Obviously, we both have to agree to something on paper, and we author our Statement of Work based on preliminary meetings with clients. Also, we treat each client separately, so our simulation will best suit their individual needs.
RFP: Typically, yes. However, the best interest is with the client, so if they wish to have extra systems audited, and time permits, we'd be happy to check them. This works well if you work with your client beforehand to firmly establish what they should and need to have done. Some companies have a sales guy/gal roll through, sell some service, and when the actual assessment team shows up, it turns out what was sold is not really what should be done.

Q: Do you tell your clients which tools you use?

Brian: If they ask. While it's no secret, we try not to list every single step and tool, because to do so would create a lot more work for us.
Mark: Always. We don't believe in crystal balls or sleight-of-hand, and we don't want our clients to either. Part of our final report is detailing exactly what tools and exploits were used, even demonstrating them after the fact for technical staff. We believe we're all on the same team, and teaching security awareness is the most valuable tool of all.
RFP: If they ask, we do tell, and, time permitting, offer to demonstrate and even teach them how to use ones that are available to them.

Government computers: The ultimate hackers' proving ground
March 23, 2000
Mitnick schools feds on hacking 101
March 3, 2000
Experts say more legislation will not deter computer hackers
May 5, 2000

Part II: The Hacker's toolchest
How hackers cover their tracks
New hacker attacks and why they do it
(PC World)
The enemy within
(Network World Fusion)
Script kiddies -- geniuses or idiots?
Can you counter-attack hackers?
(Network World Fusion)
Tripwire for DoS attacks
Hackers as hired guns
(Network World Fusion)

Brian Martin
Mark Abene
Rain Forest Puppy
University of Florida's page on hacker tools and techniques
Links to security resources

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.