Attack Phases
Attacks follow a general structure that takes them from
planning through execution and, if they aren’t detected and halted, to success. The
structure consists of three core phases that, though they can vary in detail,
all work toward the same goal. The three phases are objective,
reconnaissance, and attack.
Phase One—Objective
The first phase is the objective phase. The first thing to
understand in any project, hacking included, is the objective or goal.
For example, the goal of a DDoS attack is different from that of a system access
attack. Identifying the objective of the attack determines the appropriate
tools and methodology: the tools and methodology used to perform a DDoS attack
are different from those used to gain system access. The objective is simply the
overall goal of the intruder. If the attacker is motivated by revenge, then a
DoS attack might suit their needs. If the attacker is a competitor, system
access and data manipulation could be the objective.
As the intruder goes through the phases of an attack, the
objectives can, and usually do, change. If the overall objective is to
manipulate data, then the first objective is to gain system access. Once system
access is obtained, the intruder can then attempt to elevate privileges for a
compromised user account. Once the privileges have been elevated, the intruder
can then use the account to access the objective server and change the data.
This is an example of a structured attack.
Another significant factor in determining the objective is
the motivation behind the intrusion. Most script kiddies are motivated by
revenge, as well as by the thrill and excitement, while more advanced hackers are
motivated by the intellectual challenge, revenge, or monetary gain.
Phase Two—Reconnaissance
The reconnaissance phase, as the name
implies, is the stage in which the hacker uses various resources to collect
information about the target network or system. The collection of information
isn’t limited to the network or the hosts on it, however.
Sophisticated and experienced hackers will also collect information about the target
company, such as its location, phone numbers, employee names, e-mail
addresses, and vendors, all of which can be useful to the experienced
intruder.
Reconnaissance—Public Information
Employee names and e-mail addresses provide a good start in
guessing the user name for an employee’s account. Common practice is to use an
employee’s first initial and last name as the user name for their network
computer account. E-mail addresses are also a common user name for computer
accounts. Large companies usually have their phone numbers assigned in blocks
from the local telephone company and many large corporations have their own
dialing prefix. By using this information, the intruder can begin war dialing
all the company’s phone numbers looking for a dial-up server. Once a dial-up
server is found, the intruder can begin guessing account user names, based on an
employee’s first initial and last name or e-mail addresses. Brute-force password
crackers are freely available on the Internet. Once a user name is guessed, it’s
only a matter of time before a weak password can be cracked.
Note: A war dialer is a program used to dial
blocks of phone numbers until it finds a computer on the other end of the line.
Once a computer is found, the war dialer application records the number dialed
for later use by the intruder.
To use a user account on a server or a network, you must first
have the user name and password. Discovering user names is a fairly
straightforward process, as the preceding paragraph shows. Attackers then
use password crackers to crack the passwords of those accounts. Some password
crackers find the encrypted password files on the server and decrypt them. When
a hacker is unable to retrieve the password files, brute-force password
crackers are used instead. Brute-force password crackers attempt to log in to a computer
account over and over, using multiple password combinations. Some cracking
software uses dictionary files, while other software attempts every combination of each
key on the keyboard, an extremely time-consuming ordeal.
Commonly used password crackers are the following:
Internet Protocol (IP) address information is publicly available
via ARIN (the American Registry for Internet Numbers) and many other Internet registries. From www.arin.net, anyone can begin a
search using a single known IP address. The search will yield the complete block
of IP addresses belonging to the company. The Domain Name System (DNS) is another
publicly available system that can provide a wealth of information regarding the
IP addressing and naming strategies of virtually any company connected to the
Internet.
For a company to host its own e-mail, web, FTP, or any other
service on the Internet, it must first have each of these servers listed within
the DNS infrastructure. These DNS servers list the names of the servers, along
with the IP addresses that can be used to access these services. To mitigate
the associated risks, security-conscious companies might choose to host these servers and
services outside their private networks with a hosting company. Companies can
then offer these services to their customers and users without the worry of
hackers using these servers or services to attack their private
network.
Electronic Reconnaissance
The attacker must perform electronic reconnaissance to find
what systems and resources are on the network. Unless the attacker has prior
knowledge of the target network, he or she must find where the company’s
resources are logically located. Once the company’s IP addresses are known (see
the previous Public Information section), the attacker can begin to probe and
scan the network. The intruder can scan the network looking for vulnerable
hosts, applications, or infrastructure equipment.
Scanning the network is typically done using a ping sweep utility
that will ping a range of IP addresses. The purpose of this scanning is to find
what hosts are currently live on the network. The ping sweep identifies viable
targets on the network. Once the IP address of viable hosts is known, the
attacker can then begin to probe those hosts to gather additional information,
such as the OS or applications running on those hosts.
Probing is defined as attempting to discover
information about the hosts on the network. Probing is accomplished by looking
for open ports on the available host computers. Ports are
like virtual doorways to the computer. For a computer to offer or use services
on the network, it must first have an open port. Web servers typically use port
80, while FTP servers use port 21. An attacker can find out what services are
running on a computer by discovering what ports that computer has opened.
Note: TCP/IP uses port addresses to locate services running on
host computers. The port numbers used by an application are that application’s
address on that host. The address for a web application located on host 10.0.0.1
would be 10.0.0.1:80. This address specifies the host address 10.0.0.1 and the
application address 80. Most common applications use well-defined port
numbers. A list of well-known port numbers managed by the Internet Assigned
Numbers Authority (IANA) can be viewed at http://www.iana.org/assignments/port-numbers.
The more open ports, the more potential for someone to exploit the
services running on the host computer. Once the attacker knows which ports are
open, he or she can use this information further to discover the OS and
application servicing the port.
The purpose of this scanning and probing is to find
weaknesses on the network. Intruders know the vulnerabilities of certain OSs and
the applications they run. The intruder increases his or her chance of
succeeding by finding the weakest point on the network and, later, attacking
that vulnerability. The attacker continues to discover information about the
network until he or she has a complete map of the hosts, servers, and weaknesses to
exploit in the future.
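The ping sweep and port probing described above leave a recognizable footprint in perimeter logs: one source touching many hosts with ICMP, or many ports on one host. The following Python script is an added example, not code from the original chapter, that runs that detection over a few constructed firewall log lines in a simplified, made-up format; the thresholds and the log format are assumptions.

```python
"""Detect ping sweeps and port probes in constructed firewall log lines."""
from collections import defaultdict

# Constructed sample log in an assumed, simplified format (not a real vendor format):
# <time> <action> <proto> <src> -> <dst>:<dport>   (dport is 0 for ICMP)
SAMPLE_LOG = """\
10:00:01 deny icmp 203.0.113.9 -> 10.0.0.1:0
10:00:01 deny icmp 203.0.113.9 -> 10.0.0.2:0
10:00:01 deny icmp 203.0.113.9 -> 10.0.0.3:0
10:00:02 deny icmp 203.0.113.9 -> 10.0.0.4:0
10:00:02 deny icmp 203.0.113.9 -> 10.0.0.5:0
10:00:05 deny tcp 198.51.100.7 -> 10.0.0.2:21
10:00:05 deny tcp 198.51.100.7 -> 10.0.0.2:22
10:00:05 deny tcp 198.51.100.7 -> 10.0.0.2:23
10:00:06 deny tcp 198.51.100.7 -> 10.0.0.2:25
10:00:06 deny tcp 198.51.100.7 -> 10.0.0.2:80
10:00:06 deny tcp 198.51.100.7 -> 10.0.0.2:443
10:00:09 permit tcp 192.0.2.44 -> 10.0.0.2:80
"""

SWEEP_THRESHOLD = 5  # assumed: distinct hosts pinged by one source before alerting
PROBE_THRESHOLD = 5  # assumed: distinct ports tried on one host by one source


def parse_line(line):
    """Return (proto, src, dst, dport) for one log line in the assumed format."""
    _time, _action, proto, src, _arrow, target = line.split()
    dst, dport = target.rsplit(":", 1)
    return proto, src, dst, int(dport)


def find_recon(log_text):
    """Return {'ping_sweep': [src, ...], 'port_probe': [(src, dst), ...]}."""
    pinged = defaultdict(set)  # src -> hosts it sent ICMP to
    ports = defaultdict(set)   # (src, dst) -> TCP/UDP ports it tried on dst
    for line in log_text.splitlines():
        proto, src, dst, dport = parse_line(line)
        if proto == "icmp":
            pinged[src].add(dst)
        else:
            ports[(src, dst)].add(dport)
    return {
        "ping_sweep": sorted(s for s, hosts in pinged.items() if len(hosts) >= SWEEP_THRESHOLD),
        "port_probe": sorted(k for k, p in ports.items() if len(p) >= PROBE_THRESHOLD),
    }


if __name__ == "__main__":
    print(find_recon(SAMPLE_LOG))
```

A production detector would additionally bound the counts to a time window; this version counts over the whole input.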
Reconnaissance Tools
The most common and widely available hacking tools are
reconnaissance (recon) tools. The purpose of most recon tools is to assist
engineers in troubleshooting, documenting, or maintaining their networks, but
hackers use these tools to map network resources illegally. Many of these tools
have been developed or modified by hackers to aid them in their illicit
activities. Many tools are also developed under the guise of being a legitimate
tool for network engineers but, in truth, are built to aid hackers.
As security and intrusion detection have become more
sophisticated, so has the software used by hackers. Intrusion-detection software
looks for people or software probing or scanning the network. Hackers know
scanning and probing a network is likely to create suspicion and could generate
alarms. Because of this, hackers have begun to develop new software that
attempts to hide the true purpose of its activity. Reconnaissance tools commonly
used today include the following:
Phase Three—Attack Phase
The final phase is the attack phase. In the attack phase, the intruder begins attempting to access
network and system resources. Using information gathered during
the reconnaissance phase, the hacker already knows the host IP addresses, open
ports, and OSs in use. Some hackers might go as far as to build a test bed
mimicking the target systems. With this test bed, the hacker can practice
attacking the system over and over until a vulnerability is found that can be
exploited. Once the hacker has found a vulnerability and is confident in their
ability, they will begin to attack the actual target system.
Once a hacker has successfully gained access to a host on the
network, that host is described as being compromised. Any systems that have a
trust relationship with the compromised host must also be considered
compromised.
Attacking IP Trust Relationships
Common practice is to establish IP trust relationships
between computer and network systems. A trust relationship simply means host A
will only accept connections to a particular port from host B with a known and
trusted IP address. Any other connection attempts from other IP addresses or
hosts are denied. These trust relationships can be configured within the OSs of
the hosts or as access lists configured on the routers between the hosts. A
common use for these trust relationships is to allow web servers to connect to
database servers within the trusted network.
As you can see in Figure 23-1, the firewall has been configured to
deny any packets from the Internet with the destination address of the database
server. Because the web server needs access to the database server, the firewall
has also been configured to permit packets to the database server only from the
web server. The database server itself could be configured to allow access
only from the web server as well. Once a hacker has compromised the web server,
the hacker could use this trust relationship to continue the attack on the
database server. Once the database server has been compromised, the hacker can
continue to use each trust relationship in turn to access each machine on the
network.
Trust relationships are easy for intruders to attack and abuse
because they’re based on weak or no authentication. IP provides no way to
authenticate that a packet came from the source address listed in the IP header.
Another weak authentication mechanism used in trust relationships is DNS-based
authentication. DNS-based authentication suffers from the same weakness as
IP-based authentication, in that no method exists to ensure an address isn’t
being spoofed.
Study Tip: Spoofing is the act of changing the
source IP address listed in the IP header. IP packets include the sending
computer’s IP address in the IP header, which is called the source address. This information is read by the receiving
host, allowing it to respond to the sending host. Some hacking software allows
the hacker to change the source address to any address they want; it is
typically changed to an address within the internal network or a nonroutable IP
address.
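The study tip above notes that a spoofed source is typically an internal or nonroutable address. A perimeter device can reject such packets on the interface where they cannot legitimately appear (ingress and egress filtering); the following Python example, added here and not part of the original chapter, applies that check to constructed packet summaries. The internal prefix 10.0.0.0/8, the interface names, and the sample packets are assumptions.

```python
"""Flag spoofed source addresses at the perimeter (ingress/egress filtering check)."""
import ipaddress

# Assumed internal address space of the example network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Sources that must never arrive on the outside interface: our own space
# plus private, loopback and link-local ranges (nonroutable on the Internet).
BOGON_NETS = INTERNAL_NETS + [
    ipaddress.ip_network(n)
    for n in ("172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed packet summaries: (interface the packet arrived on, source, destination)
SAMPLE_PACKETS = [
    ("outside", "203.0.113.9", "10.0.0.5"),     # ordinary Internet client
    ("outside", "10.0.0.7", "10.0.0.5"),        # claims to be an internal host
    ("outside", "192.168.1.20", "10.0.0.5"),    # private source from the Internet
    ("inside", "10.0.0.5", "198.51.100.7"),     # normal reply leaving the network
    ("inside", "203.0.113.9", "198.51.100.7"),  # internal host using an outside source
]


def in_any(addr, nets):
    """True if the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(iface, src):
    """Return 'spoofed' or 'ok' for one packet based on the interface it arrived on."""
    if iface == "outside" and in_any(src, BOGON_NETS):
        return "spoofed"  # outside packets must not carry inside or nonroutable sources
    if iface == "inside" and not in_any(src, INTERNAL_NETS):
        return "spoofed"  # inside packets must carry one of our own addresses
    return "ok"


def spoofed_sources(packets):
    """List the (interface, source) pairs that the filter would drop."""
    return [(iface, src) for iface, src, _dst in packets if classify(iface, src) == "spoofed"]


if __name__ == "__main__":
    print(spoofed_sources(SAMPLE_PACKETS))
```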
cp23 Intrusion Detection