Tuesday 5 April 2016

Are Old Hacking Techniques Dead?

This is a question I ask myself every day. Variations of it go through every hacker's mind: Are the old techniques I used and studied dead? If not dead, are the old techniques worth the time to learn and teach? And can the old, dead techniques be modified for modern scenarios?

Yes and No
Many old techniques that were relevant a year ago have vanished as fast as they came. Take the case of famous 0days like the Heartbleed vulnerability. But not all the vulnerabilities are dead. This question is difficult to answer because there are no quality techniques left that a beginner can use to break into something big, the way high school kids once used SQLi and XSS to hack the FBI website and all that old news. Now, with hackers everywhere and more than enough knowledge available on how to hack and find vulnerabilities, the old techniques have pretty much gone. SQLi, for instance, is still there, but usually for small-time spammers and hackers. A year ago XSS was hugely popular, but now it seems that every "good" site is protected until another variation is discovered.

How To Find New Vulnerabilities 
It really depends on what kind of vulnerability you want to find. In web applications, a lot of vulnerabilities can be found because the average web developer or software developer studies basic security but not the advanced kind. Moreover, most of the time they do not practice security, because there is no need for them to study the vast subject of hacking, and so we as hackers get the job as hackers, along with debunking their studied abilities. In short, let hackers be hackers and programmers be programmers.

But to find vulnerabilities in web apps, say a web application for online payments built in ASP.NET, you need to know what the .NET Framework is and what loopholes it has. A basic knowledge of ASP also helps in understanding where the bug is in that application. You don't need to learn the whole language, because you will have the developer's help in finding the vulnerabilities; no one expects you to learn the whole language in one assignment.

If you go for network security, you need to be well versed in the big universe of networks. It's best to know basic security and also the common areas where bugs turn up in network security. I've found over the years and by word of mouth that network security is difficult, but in reality nothing is difficult if we focus on one area. Network security is a very large field. Let's say that you want to protect the local network of a school. This school has really good protection and the latest firmware and hardware from the networking company. An average hacker would search for common bugs and vulnerabilities and try to exploit them using tested methods. But a researcher would literally try to break it. I mean that a researcher would use everything possible to exploit it, and it may take resources and time, but he may break into the firmware and find a new 0day in it! In such a scenario, I would usually brute force into the firmware of the networking device, because if I ever found a vulnerability worth exploiting, I would earn a lot of cred, rep and a hike in salary + job ;)

So, back to the original question... Are old techniques dead?
NO!
You can always find new ways to exploit via the old techniques. For example, when people thought that SQLi was dead, XSS came, and along with it came the power to execute SQLi attacks. There are a lot of such examples that you may have tried. Just twisting a piece of code may result in a million-dollar cheque to your bank account, so why not test it rather than regret it later on?


BYE ALL AND KEEP READING 
