How can hackers steal data without anyone knowing?
It has been shown that it takes months before a breach is found. Let’s assume one of your users clicked on a phishing email.
With the email, malware was installed on the person’s computer. Unbeknown to the user, this malware has now opened a process named “notepad” (or any name; this is just an example). To confuse users, malware writers name the processes they want to keep on the system after programs that are found on most computers, like Chrome, Firefox, svchost, or others.
So we have now established that the hacker somehow has a process that they control on the computer.
This process is now set to do the hacker’s bidding. Next, the process opens a “command line” shell on the “pwned” computer.
Imagine a command line on the computer now: C:\> (Windows) or $ (Linux).
On this command line they will download Netcat (if it was not already conveniently installed with the malware).
Netcat is a unique program; the official webpage is http://netcat.sourceforge.net/.
There are many websites which explain how to use Netcat; this blog is not going to get into the details of this.
I will say that the SANS cheat sheet is sufficient for knowing how to use Netcat: http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
With Netcat a skilled hacker can copy data from the breached system using any port number and either UDP or TCP.
Well, there are physical limits to port numbers, since two bytes are used to store the port number:
2 bytes = 16 bits, otherwise known as 2^16 = 65536 potential ports.
There are some well-known port numbers, usually less than 1000, but computers do use higher port numbers too.
So a skilled hacker can make their visit to the breached system as difficult to detect as possible.
If Netcat can be used to send data with any port number from 1 – 65536, then any network device that you have looking for traffic needs to be able to see all of that, not just the well-known ports.
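As an added example (not part of the original post), here is a small Python script a defender might run over endpoint connection logs to catch both tricks described above: a process that borrows a familiar name like svchost or notepad but runs from an unexpected folder, and an outbound connection on a port outside the workstation’s normal baseline. The log format, the expected install paths and the baseline ports are assumptions made for this example, and the log lines are constructed; in a real environment the baseline would come from your own asset inventory.

```python
from dataclasses import dataclass

# Constructed sample endpoint connection log (not from the original post).
# Hypothetical format: timestamp|process|image_path|proto|dst_ip|dst_port
SAMPLE_LOG = """\
2024-05-01T10:00:01|chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|tcp|93.184.216.34|443
2024-05-01T10:00:05|svchost.exe|C:\\Windows\\System32\\svchost.exe|udp|10.0.0.2|53
2024-05-01T10:00:09|svchost.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe|udp|203.0.113.9|53
2024-05-01T10:00:12|notepad.exe|C:\\Users\\alice\\AppData\\Roaming\\notepad.exe|tcp|203.0.113.9|4444
2024-05-01T10:00:15|firefox.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|tcp|198.51.100.7|80
"""

# Assumed baseline: where the genuine copies of commonly imitated binaries live.
# Compared case-insensitively, so everything here is lower-case.
EXPECTED_PATHS = {
    "svchost.exe": ("c:\\windows\\system32\\",),
    "chrome.exe": ("c:\\program files\\google\\chrome\\application\\",),
    "firefox.exe": ("c:\\program files\\mozilla firefox\\",),
    "notepad.exe": ("c:\\windows\\system32\\", "c:\\windows\\"),
}

# Assumed baseline: (protocol, port) pairs this workstation normally talks to.
BASELINE_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}


@dataclass
class Finding:
    timestamp: str
    process: str
    reason: str


def parse_line(line):
    """Split one pipe-delimited log record into a dict with an integer port."""
    ts, proc, path, proto, ip, port = line.split("|")
    return {"ts": ts, "proc": proc, "path": path,
            "proto": proto, "ip": ip, "port": int(port)}


def check_record(rec):
    """Return a Finding for each suspicious property of one connection record."""
    findings = []
    name = rec["proc"].lower()
    path = rec["path"].lower()

    # Check 1: a well-known process name running from somewhere it should not.
    # This catches the fake svchost even when it hides on udp/53 like real DNS.
    expected = EXPECTED_PATHS.get(name)
    if expected and not any(path.startswith(p) for p in expected):
        findings.append(Finding(rec["ts"], rec["proc"],
                                f"name mimics a known binary but runs from {rec['path']}"))

    # Check 2: outbound traffic on a protocol/port pair outside the baseline.
    # Netcat can use any of the 65536 ports, so the whole range must be watched.
    if (rec["proto"], rec["port"]) not in BASELINE_PORTS:
        findings.append(Finding(rec["ts"], rec["proc"],
                                f"outbound {rec['proto']}/{rec['port']} to {rec['ip']} is outside the baseline"))
    return findings


def analyze(log_text):
    """Run both checks over every non-empty line of the log."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_record(parse_line(line)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.process}: {f.reason}")
```

Run as-is it reports three findings: the svchost copy in a Temp folder (flagged by path only, since udp/53 looks like ordinary DNS) and the notepad copy in Roaming (flagged twice, for its path and for tcp/4444). The point of keeping both checks is that either one alone would miss one of the two cases the post describes.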
Also note the following website: http://leonjza.github.io/blog/2014/11/09/solving-kvasir-netcat-edition/
“netcat is our entry into the rabbit hole
With the command injection now exploitable, I grabbed some skeleton code that I normally use to try and make these types of command execution vulnerabilities slightly easier to work with. The basic premise is to have the command executed, and the response regex’d out. This ended up as the following python script:”
This is a diagram of the breach in action: