Whether their actions are harmless or malicious, hackers will always try to cloak what they do online. This article describes some of the tactics a hacker may use to conceal their activity and make it harder for security devices to flag them as a threat. Many of the tactics in this article should be blocked by a website or web application unless they are required for business purposes.

What we want to accomplish in this article is to blend in with normal web user traffic. To do this we have to think about which actions a normal web user performs online that are seen as normal, allowed traffic on the internet.

Some normal actions may include:
• Visiting a web page
• Mistakenly clicking an invalid web link
• Visiting a broken web link
• Web link typos
• Clicking the wrong button on a web page
• Typing your password wrong on a login page
• Executing basic commands a network device would expect to receive
• Browsing at a moderate, human pace

Now we need to take advantage of this normal activity and exploit it to conceal our actions online. These actions may be recorded in an audit log on the website or web application, but in most cases they will be allowed by the security appliance or server. Because the traffic looks normal and allowed, it becomes harder for someone sifting through their audit logs to find the information they need.

Visiting a Web Page
Visiting a web page is harmless and allowed by almost every website on the internet. The average person visits roughly 125 or more different websites per month. The average website may get up to 3,000 or more visitors per month. Obviously, the larger and more popular a company is, the higher these numbers will be, as with facebook.com and google.com.

First we need to see what ports the website has open, without the use of a port scanner. We can do this simply by visiting the website. Go to the website without specifying a protocol and pay attention while it loads. For example, type “google.com” rather than “https://www.google.com”. If the website redirects you to a secure page over HTTPS, then the website may have HTTP (port 80) open, since that initial request was answered. The page loading over HTTPS tells us port 443 is open. At this point, we know the website has ports 80 and 443 open. You can try other protocols, such as FTP, to see what response you get.

Now, we want to inspect the website to see if certain aspects of it are vulnerable to disclosing sensitive information. Go to the website and allow it to fully load. Then add “view-source:” to the beginning of the URL and reload the page. This lets us view the web page’s source code, for example “view-source:https://www.google.com/”. Typically, any links present will be blue and underlined, similar to a hyperlink on a website. In most cases, you can scroll through the source code, look at the links and determine what was used to build the website, along with version numbers of the platform. For example, if the website was built with WordPress, there will be several links containing “wp-”, and those links may also contain the version of WordPress currently installed. Scrolling through the source code can also turn up links to sub-domains, other websites owned by the parent company, usernames and passwords.
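As an added, defender-side example (not part of the original article), the following Python scans a page’s HTML source for the indicators described above: a generator meta tag, “wp-” paths, version query strings and links to other hosts, so a site owner can check their own source before an attacker does. The sample HTML and hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page source, standing in for what "view-source:" would show.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/demo/style.css?ver=6.4.2">
<script src="https://www.example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<link rel="alternate" href="https://staging.example.com/feed/">
<a href="https://www.example.com/wp-login.php">Log in</a>
</head><body></body></html>"""


class DisclosureScanner(HTMLParser):
    """Collects the leakage the article describes: platform hints,
    version strings and links pointing at other hosts (sub-domains etc.)."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # WordPress emits a generator tag unless the site owner disables it.
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("generator", a.get("content") or ""))
        url = a.get("href") or a.get("src")
        if not url:
            return
        p = urlparse(url)
        if "/wp-" in p.path:  # wp-content, wp-includes, wp-login.php, ...
            self.findings.append(("platform", "WordPress path: " + p.path))
        m = re.search(r"(?:^|&)ver=([0-9][0-9A-Za-z.\-]*)", p.query)
        if m:  # ?ver= query strings reveal core/plugin/theme versions
            self.findings.append(("version", f"{p.path} ver={m.group(1)}"))
        if p.hostname and p.hostname != self.site_host:
            self.findings.append(("other-host", p.hostname))


def scan_source(html, site_host):
    """Return every disclosure finding in the given page source."""
    scanner = DisclosureScanner(site_host)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_source(SAMPLE_HTML, "www.example.com"):
        print(f"{kind:10s} {detail}")
```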

The techniques in this article are examples of how an attacker can retrieve information about your company’s network without you knowing it happened. If your website or web application is set up correctly, an attacker would not be able to use most of these tactics. These types of tactics are among the more difficult to monitor with any SIEM product.
