After the intruder has successfully gained access to a single system, he begins settling in and getting comfortable. One of the first tasks is to obtain additional system privileges. Most really serious hacking requires a high level of access to the system. Intruders employ a number of strategies for increasing their access privileges. One method is to search around for files with password information. Even an encrypted password file can be downloaded to a safe location and attacked through a brute-force dictionary attack. A hacker can use Trojan horses or buffer overflow techniques to trick the system into giving him additional privileges.
The Holy Grail of the hacker is always administrative or root access to the system. A user with root access can execute any command or view any file. When you have root access, you can essentially do whatever you want to do with the system.
After the intruder has gained root access, one of the first tasks is to upload what is called a root kit. A root kit is a set of tools used for establishing a more permanent foothold on the system. Some of the tools are used to compromise new systems and new accounts. Other tools are designed to hide the hacker's presence on the systems. These tools might include doctored versions of standard network utilities such as netstat, or applications that remove the trail of the intruder from system log files. Other tools in the root kit might help the intruder explore the network or intercept more passwords. Some root kits used with Unix or Linux systems might actually enable the intruder to alter the kernel itself to include new clandestine features.
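A doctored netstat or ps only fools an administrator who trusts the binaries on the compromised host. The usual defensive check is a file integrity baseline: record a cryptographic hash of each system binary while the host is known to be clean, then compare later. The following is an added example written for this page (it is not code from the book or from any real integrity tool); the file names, byte contents, `build_baseline` and `verify_against_baseline` helpers are all constructed for illustration.

```python
"""Baseline integrity check for system binaries (added example).

Compares the SHA-256 of each monitored file against a manifest recorded
while the host was known to be clean, so a swapped binary such as a
doctored netstat shows up as a hash mismatch.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record path -> SHA-256 for every monitored file on a trusted host."""
    return {path: sha256_hex(content) for path, content in files.items()}


def snapshot_paths(paths) -> dict:
    """Read the listed files from disk; files that no longer exist are simply absent."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                result[path] = fh.read()
        except FileNotFoundError:
            pass
    return result


def verify_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify files as modified, missing or unexpected relative to the baseline."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in current:
            findings["missing"].append(path)
        elif sha256_hex(current[path]) != expected:
            findings["modified"].append(path)
    for path in current:
        if path not in baseline:
            findings["unexpected"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


# Constructed sample: short byte strings stand in for the real binaries.
CLEAN_SYSTEM = {
    "/bin/netstat": b"netstat v1 clean",
    "/bin/ps": b"ps v1 clean",
    "/usr/bin/last": b"last v1 clean",
}
BASELINE = build_baseline(CLEAN_SYSTEM)

# Constructed state of the same host after a hypothetical root kit replaced
# netstat, deleted the login-history tool and dropped an extra binary into /bin.
COMPROMISED_SYSTEM = {
    "/bin/netstat": b"netstat v1 clean, but patched",
    "/bin/ps": b"ps v1 clean",
    "/bin/.helper": b"unknown binary",
}


def audit_binaries() -> dict:
    """Run the comparison over the constructed sample."""
    return verify_against_baseline(BASELINE, COMPROMISED_SYSTEM)


if __name__ == "__main__":
    for category, paths in audit_binaries().items():
        print(f"{category}: {paths}")
```

Two caveats a practitioner would add: the baseline manifest and the checking tool must live somewhere the intruder cannot reach (read-only media or another host), and a kernel-level root kit can lie to any program that reads files through the compromised kernel, so the comparison is only trustworthy when run from known-good boot media.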
The intruder then sets out to establish one or more back doors to the system—secret ways of getting into the system that are difficult for a network administrator to detect. The point of a back door is to enable the intruder to avoid the logging and monitoring processes that surround everyday interactive access. A back door might consist of a hidden account or hidden privileges associated with an account that should have only limited access. In some cases, the back door path might include services such as Telnet mapped to unusual port numbers where the local administrator would not expect to find them.
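The two back-door forms named above, a hidden privileged account and a service on an unexpected port, both leave traces an administrator can look for. The following added example (written for this page, not taken from the book) checks passwd-format text for extra UID-0 accounts and parses the kernel's own `/proc/net/tcp` table for listening ports instead of asking a possibly doctored netstat. The account names, the socket table contents and the allowlist are constructed sample data; the function names are my own.

```python
"""Back-door indicators (added example): extra UID-0 accounts and listeners
on ports outside an allowlist.

Reads passwd-format text and /proc/net/tcp-format text directly rather than
trusting a user-space netstat that a root kit may have replaced. A
kernel-level root kit can still filter what /proc reports.
"""

ROOT_UID = 0
LISTEN_STATE = "0A"  # TCP_LISTEN as shown in the 'st' column of /proc/net/tcp


def uid0_accounts(passwd_text: str) -> list:
    """Return account names that carry UID 0 but are not 'root'."""
    extra = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) == ROOT_UID and name != "root":
            extra.append(name)
    return extra


def listening_ports(proc_net_tcp: str) -> list:
    """Parse /proc/net/tcp-format text and return sorted distinct listening ports."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        _, port_hex = local_addr.rsplit(":", 1)  # address and port are hex
        ports.add(int(port_hex, 16))
    return sorted(ports)


def unexpected_listeners(ports, allowlist) -> list:
    """Ports that are listening but were never documented for this host."""
    return sorted(p for p in ports if p not in allowlist)


# Constructed passwd sample: 'backup2' is a second UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup:/var/backups:/bin/sh
"""

# Constructed /proc/net/tcp sample: listeners on 22 (0x0016), 2323 (0x0913)
# and 80 (0x0050), plus one established connection (state 01) to be ignored.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0913 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000005:0016 0A000002:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

EXPECTED_PORTS = {22, 80}  # what this host is documented to serve


def audit_backdoor_indicators() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "extra_uid0": uid0_accounts(SAMPLE_PASSWD),
        "unexpected_ports": unexpected_listeners(
            listening_ports(SAMPLE_PROC_NET_TCP), EXPECTED_PORTS
        ),
    }


if __name__ == "__main__":
    print(audit_backdoor_indicators())
```

On a real Linux host the same functions can be fed the contents of `/etc/passwd` and `/proc/net/tcp` (and `/proc/net/tcp6`); the value of the check lies in keeping the port allowlist as a written record of what each host is supposed to serve, so that an unfamiliar listener stands out.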
Another goal of this "getting comfortable" phase might be to accomplish any dastardly business the hacker has in mind for the network. This might consist of stealing files or credit information. As you'll learn in the next section, the hacker's goal might be simply to upload tools for the next attack.