And so, last Friday after Salat Jumaa, Teddy and his kambasam groupie called me and invited me to with them to Naivasha, CrayFish. I was in the middle of code, but decided to take this as a good chance to take a break from Anastacia (My Ubuntu 10.10 Laptop) and first of all, I backed up all my systems, including ProjectX4 on my cloud, incase someone broke in and stole my stuff.
All safe, I left with them. At night, my phone went dead as I had no charger, so for the first time, I was off the net for over 24 hours.
On Sunday evening, I returned to the city, tired but rejuvenated. I charged my phone and opened the holy 4 (twitter, gmail, ArsenalTimes and Facebook). The I read a tweet. ‘Kenya Police Website Hacked. Again.’
“Hmmmn… Real hackers, at last!”, I smiled. “Now the banks and telcos will take us seriously”. So I decided to open the KP website and check out the hack. ready to be awed and my hackrection slowly hardening and throbbing.
Pffft! Kid stuff. Hacked? Is that hacking? How about we call a Vitz a car while we are at it? The KP website has been a victim of a ‘defacing’. A simple Home Page replacement. That’s all. Any idiot with access could do that. The sysadmin. His friend. His girlfriend. His cat. Anonyone!
I was partly annoyed. But then, the question arose. How did the ‘hacker’ get access to the KP website. So I started digging for e-clues and investigating. And then I found the answer. And i will share it.
Now, in this post, I will openly share some simple kindergarten tricks that a would-be ‘hacker’, hacker or script-kiddie could use to ‘hack’ or, correctly put, deface a low-or-zero website. I have never done this before, but I feel obliged. This information is meant for use by Sysadmins to check just ‘how much’ information their website is leaking to the prying eyes.
Step 1 – Reconnaissance (Information Gathering)
It is now a tired song. And at the risk of sounding like a broken record, I will repeat it: “You are only as strong as your weakest link”. The same applies to security. The most mundane type of reco is looking for all publically available ‘common files’. E.g. .TXT, .PDF, .DOC, .MDB etc. A simple Google search for all the TXT files on the Kenya Police site does the job. Sadly.
Step 2 – The Hack – (Intrusion, Defacing, Real hacking)
This is step 2. Involves the actual hack and privilege escalation. You did not expect me to share that, did you? In the case of the KP site, the job is already done by now. All the ‘hacker’ had to do was…. you guessed it.. LOGIN!!
Step 3 – Owning
Once in, make sure no one else (externally) can get in. This involves FIXING the holes you found (remove the TXT file above etc or leave it but change the password in the TXT, not the system, lest the admins notice the change). Incase they change the password, install a backdoor or change the code for the login script to accept all valid logins PLUS yours. (Add an OR to the SQL Where clause).
Step 4 – Covering Tracks
This is where people get caught. Not covering tracks. Using direct connections. Assuming ‘no one will notice’. Etc. #IWontShare. Shikweni nyote.
In Retrospect – catching the attackers.
I heard that in a bid to stop further hacking, the police have banned machetes and axes. This is a good step, but we could do it better. The police can use the fact that the ‘hacker’ is inexperienced and still has a hard-on for their website.
- They could setup a honey-pot and lure the assailants back to hack 4, which will prove to be their last.
- They could set-up an IP-logging model of a FAM.
Na mengine mengi.
The US government has setup hacker department for defending the country and pre-empting attacks. It is time the Kenyan government rewarded the elite, don’t you think? We are here. We are capable. We are willing. We are waiting.
Back to code.