The Attack Types and Phases

Attacks on network systems can be divided into three types and three phases. The three types of attack are reconnaissance, access, and denial of service (DoS). The three phases are defining the objective, reconnaissance, and the actual intrusion or attack on the network resources. Reconnaissance is therefore both a type of attack and a phase of an attack. As the phases progress, the type of attack changes with them: the reconnaissance phase consists, by definition, of reconnaissance attacks, while the attack phase consists of access or DoS attacks. DoS attacks are discussed in the section “Denial of Service (DoS) Attacks.”

Attack Types

As stated, the three types of attacks are reconnaissance, access, and DoS. Reconnaissance is both a type of attack and a phase of an attack: intruders typically perform reconnaissance on a target network before attempting to access or disrupt its resources, and performing that reconnaissance is itself considered an attack.

Reconnaissance Attacks

Reconnaissance is the unauthorized collection of information about system resources, vulnerabilities, or services. Access and DoS attacks are normally preceded by reconnaissance attacks, because intruders have to know what’s available to attack before launching any intrusion. Reconnaissance is analogous to a bank robber casing a bank to find out how many security guards are on duty, how many cameras exist and where they are placed, and what escape route to use. Reconnaissance is more than a type of attack; it’s also a phase of an attack. The need for reconnaissance, and the tools used to perform it, are covered in more detail in the upcoming sections on reconnaissance and in the section “Reconnaissance Tools.”

Access Attacks

Access is a broad term for any attack in which the intruder gains unauthorized access to a secure system in order to manipulate data, elevate privileges, or simply use the system. Access attacks are therefore subdivided into system access, data manipulation, and privilege elevation, each described in the following sections.

System Access Attacks

System access is the act of gaining unauthorized access to a system on which the attacker doesn’t have a user account. Hackers usually gain access by running a script or hacking tool, or by exploiting a known vulnerability in an application or service running on the host.

Data Manipulation Access Attacks

Data manipulation occurs when an intruder reads, copies, writes, deletes, or changes data that isn’t intended to be accessible to the intruder. This could be as simple as finding an open share on a Windows 9x or NT computer, or as difficult as gaining access to a credit bureau’s records, or breaking into a department of motor vehicles system to change a driving record.

Elevating Privileges Access Attacks

Elevating privileges is a common type of attack. By elevating privileges, an intruder gains access to files, folders, or application data that the compromised user account was not originally granted access to. Once the hacker has gained a high enough level of access, they can install applications such as backdoors and Trojan horses to allow further access and reconnaissance. A common goal of hackers is to gain root or administrator-level access; once that is accomplished, the intruder has complete control of the server, host, or network system.

Denial of Service (DoS) Attacks

DoS attacks are performed with the intent of disabling, corrupting, or crashing network resources to prevent their use by the intended users. This electronic vandalism is one of the worst types of attack faced by e-businesses, because the hacker’s only intent is to do damage and prevent customers from using the company’s electronic storefront, stopping the target company from conducting business.

Some script tools attempt to take advantage of a known exploit to damage a host or network, while others generate large amounts of network traffic. A hacker with a single home PC would have a difficult time generating enough traffic to overload an Internet-scale server. To perform an effective DoS attack, hackers therefore use many different computers to overwhelm the target host. Using many computer systems to attack a host or network is called a distributed denial of service (DDoS) attack. Attacks of this type were used successfully in February 2000 against the web sites of Yahoo!, eBay, and CNN.com. One hacker who performed this type of attack was later caught and prosecuted. See http://www.nipc.gov/investigations/mafiaboy.htm for more details on this attack.

Note

A known exploit or vulnerability is simply a security flaw in an application, service, or operating system (OS) that can be used by an intruder to violate or bypass system security. Vendors of these software products usually release patches to fix these security flaws. This is why it’s important to keep current with all security patches for any software installed on your network.

Hackers could use one or all of these attack types to gain unauthorized access to a target network or system. Most access and DoS attacks are preceded by a reconnaissance attack, which might have been ongoing for days, weeks, or even months. A hacker could also perform a DoS attack on one portion of the network while attempting to gain access to other network resources.

Attack Phases

Attacks follow a general structure that takes them from planning through execution and, if they aren’t detected and halted, success. The structure consists of three core phases that, while they can vary in detail, all serve the same goal. The three phases are objective, reconnaissance, and attack.

Phase One—Objective

The first phase is the objective phase. The first thing to understand in any project, hacking included, is the objective or goal. The objective is simply the overall goal of the intruder, and identifying it determines the appropriate tools and methodology: the tools and methods used to perform a DDoS attack are different from those used to gain system access. If the attacker is motivated by revenge, a DoS attack might suit their needs; if the attacker is a competitor, system access and data manipulation are more likely to be the objective.

As the intruder goes through the phases of an attack, the immediate objectives can, and usually do, change. If the overall objective is to manipulate data, the first objective is to gain system access. Once system access is obtained, the intruder attempts to elevate the privileges of the compromised user account. Once the privileges have been elevated, the intruder can use the account to reach the target server and change the data. This is an example of a structured attack.

Another significant factor in determining the objective is the motivation behind the intrusion. Most script kiddies are motivated by revenge or by the thrill and excitement, while more advanced hackers are motivated by the intellectual challenge, revenge, or monetary gain.

Phase Two—Reconnaissance

The reconnaissance phase, as the name implies, is the stage in which the hacker uses various resources to collect information about the target network or system. The collection isn’t limited to information about the network or the hosts on it, however. Sophisticated and experienced hackers also collect information about the target company, such as its location, phone numbers, employee names, e-mail addresses, and vendors, all of which can be useful to the intruder.

Reconnaissance—Public Information

Employee names and e-mail addresses provide a good start in guessing the user name for an employee’s account. A common convention is to use an employee’s first initial and last name as the user name for their network account, and e-mail addresses are another common form of user name. Large companies usually have their phone numbers assigned in blocks from the local telephone company, and many large corporations have their own dialing prefix. Using this information, the intruder can begin war dialing all the company’s phone numbers looking for a dial-up server. Once a dial-up server is found, the intruder can begin guessing account user names based on employees’ first initials and last names or e-mail addresses. Brute-force password crackers are freely available on the Internet, so once a user name is guessed, it’s only a matter of time before a weak password is cracked.

Note

A war dialer is a program used to dial blocks of phone numbers until it finds a computer on the other end of the line. Once a computer is found, the war dialer application records the number dialed for later use by the intruder.

To use a user account on a server or a network, you must first have the user name and password. Discovering user names is a fairly straightforward process, as the preceding paragraphs show. Attackers then use password crackers to recover the passwords. Some crackers work offline: they obtain the file of stored password hashes from the server and test candidate passwords against it, hashing each guess with the server’s own algorithm and comparing the result with the stored value. Nothing is decrypted; the password is found by guessing, which is why the strength of the password and the speed of the hash function matter. When a hacker is unable to retrieve the password file, online brute-force crackers are used instead, attempting to log in to an account over and over with different passwords. Some cracking software uses dictionary files, while other software attempts every combination of characters, an extremely time-consuming ordeal.

Commonly used password crackers are the following:

Microsoft Windows          UNIX
-----------------          ----
L0phtCrack 4               Qcrack by the Crypt Keeper
PWLVIEW                    CrackerJack by Jackal
Pwlhack 4.10               John the Ripper by Solar Designer
PWL-Key                    Crack by Alec Muffett
ntPassword
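The following Python example is added here to show concretely how the offline cracking described above works; it is not code from the chapter or from any of the tools listed. It first derives candidate user names from employee names with the first-initial-plus-last-name convention the text mentions, then attacks a shadow-style hash file: every candidate password is hashed with the account’s stored salt and compared with the stored hash, first from a small wordlist and then by exhausting all short strings. The employee names, the wordlist, the `username:salt$hash` file layout, and the salted SHA-256 scheme are all constructed for the example so that it runs offline; real crackers target the platform’s own formats (LM/NTLM, crypt-style hashes), and modern systems use deliberately slow functions such as bcrypt or Argon2.

```python
"""Offline password cracking against a constructed, shadow-style file.

Added example. The file layout (username:salt$sha256hex), the employee
list and the toy salted-SHA-256 scheme are assumptions made so the code
runs offline; they are not the chapter's or any real tool's format.
"""
import hashlib
import itertools
import string

# Constructed sample data (not from the chapter).
EMPLOYEES = [("Jane", "Doe"), ("Robert", "Smith"), ("Alice", "Nguyen")]
WORDLIST = ["password", "letmein", "summer", "winter", "admin"]
# Plaintexts exist only so the sample file can be generated offline;
# a real attacker starts with nothing but the hashes.
_SAMPLE_PLAINTEXTS = {"jdoe": "summer", "rsmith": "k9z",
                      "anguyen": "Tr0ub4dor&3-but-much-longer"}


def hash_password(password, salt):
    """Toy scheme: SHA-256 over salt||password. The cracker only needs to
    know (or guess) the same function the server used."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def derive_usernames(employees):
    """First initial + last name, lower-cased: the convention the text calls
    common, turning a recon list of names into a list of accounts."""
    return [(first[0] + last).lower() for first, last in employees]


def build_sample_shadow():
    """Generate the constructed hash file that the cracker will attack."""
    lines = []
    for i, user in enumerate(derive_usernames(EMPLOYEES)):
        salt = "s%02d" % i
        lines.append("%s:%s$%s" % (user, salt,
                     hash_password(_SAMPLE_PLAINTEXTS[user], salt)))
    return "\n".join(lines)


def parse_shadow(text):
    """Map user -> (salt, stored hash) from the constructed file format."""
    entries = {}
    for line in text.splitlines():
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def dictionary_attack(entries, wordlist):
    """Hash every word with each account's salt; a match reveals the password."""
    found = {}
    for user, (salt, digest) in entries.items():
        for word in wordlist:
            if hash_password(word, salt) == digest:
                found[user] = word
                break
    return found


def brute_force(salt, digest, alphabet=string.ascii_lowercase + string.digits,
                max_len=3):
    """Exhaust every string up to max_len over the alphabet. Work grows as
    len(alphabet)**max_len, which is why password length matters most."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == digest:
                return candidate
    return None


def crack(shadow_text, wordlist=WORDLIST, max_len=3):
    """Dictionary first (cheap), brute force for what remains.
    Returns user -> password, or None when neither method succeeds."""
    entries = parse_shadow(shadow_text)
    found = dictionary_attack(entries, wordlist)
    for user, (salt, digest) in entries.items():
        if user not in found:
            found[user] = brute_force(salt, digest, max_len=max_len)
    return found


if __name__ == "__main__":
    for user, pw in crack(build_sample_shadow()).items():
        print(user, "->", pw if pw else "not cracked")
```

Run as a script, the dictionary word and the three-character password fall immediately while the long password survives the search. The defender’s levers follow directly from the code: password length and an alphabet the attacker cannot shrink, a slow salted hash so each guess is expensive, and keeping the hash file from leaving the server in the first place; against the online variant, account lockout and rate limiting bound the guess rate.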

Internet Protocol (IP) address information is publicly available via ARIN (the American Registry for Internet Numbers) and the other Internet registries. From www.arin.net, anyone can start a search from a single known IP address; the search yields the complete block of addresses allocated to the company. The Domain Name System (DNS) is another publicly available source that can reveal a wealth of information about the IP addressing and naming scheme of virtually any company connected to the Internet.

For a company to host its own e-mail, web, FTP, or any other service on the Internet, the server for each service must be published in DNS, which maps the server’s name to the IP address clients use to reach it. Because that mapping is public, anyone can enumerate the company’s externally reachable servers. To reduce this exposure, security-conscious companies might choose to place these servers and services with a hosting company, outside their private networks. The company can then offer these services to its customers and users while limiting an attacker’s ability to use a compromised public server as a stepping stone into the private network.

Electronic Reconnaissance

The attacker must perform electronic reconnaissance to find what systems and resources are on the network. Unless the attacker has prior knowledge of the target network, he or she must find where the company’s resources are logically located. Once the company’s IP addresses are known (see the previous Public Information section), the attacker can begin to probe and scan the network. The intruder can scan the network looking for vulnerable hosts, applications, or infrastructure equipment.

Scanning the network is typically done with a ping sweep utility that pings a range of IP addresses. The purpose of this scan is to find which hosts are currently live on the network, identifying viable targets. Once the IP addresses of viable hosts are known, the attacker can begin to probe those hosts to gather additional information, such as the OS or the applications running on them.

Probing is defined as attempting to discover information about the hosts on the network. Probing is accomplished by looking for open ports on the available hosts. Ports are like virtual doorways to the computer: for a computer to offer or use services on the network, it must first have an open port. Web servers typically listen on TCP port 80, while FTP servers use TCP port 21. An attacker can find out what services are running on a computer by discovering which ports that computer has open.

Note

TCP/IP uses port numbers to locate services running on host computers. The port number used by an application is that application’s address on that host. The address for a web application located on host 10.0.0.1 would be 10.0.0.1:80, which specifies the host address 10.0.0.1 and the application address 80. Most common applications use well-known port numbers. The list of well-known port numbers managed by the Internet Assigned Numbers Authority (IANA) can be viewed at http://www.iana.org/assignments/port-numbers.

The more open ports, the more potential for someone to exploit the services running on the host computer. Once the attacker knows which ports are open, he or she can use this information further to discover the OS and application servicing the port.

The purpose of this scanning and probing is to find weaknesses on the network. Intruders know the vulnerabilities of certain OSs and the applications they run. The intruder increases his or her chance of success by finding the weakest point on the network and, later, attacking that vulnerability. The attacker continues to discover information about the network until he or she has a complete map of the hosts, servers, and weaknesses to exploit in the future.

Reconnaissance Tools

The most common and widely available hacking tools are reconnaissance (recon) tools. Most recon tools exist to help engineers troubleshoot, document, or maintain their networks, but hackers use the same tools to map network resources illegally. Many of these tools have been developed or modified by hackers to aid them in their illicit activities, and some are developed under the guise of legitimate tools for network engineers but are, in truth, built to aid hackers.

As security and intrusion detection have become more sophisticated, so has the software used by hackers. Intrusion-detection software looks for people or software probing or scanning the network. Hackers know that scanning and probing a network is likely to create suspicion and could generate alarms, so they have begun to develop software that attempts to hide the true purpose of its activity. Reconnaissance tools commonly used today include the following:

NMAP

WHOIS

SATAN

Ping

Portscanner

Nslookup

Strobe

Trace
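The following Python example is added here to show the detection side of the discussion above, the check that an intrusion-detection sensor or a log-analysis script runs to catch the ping sweeps and port probes these tools produce; it is not code from the chapter. It parses connection records and flags a source that reaches many distinct hosts with ICMP inside a short window (a ping sweep) or probes many distinct ports on one host (a port scan). The record format, the addresses, the timestamps, and the thresholds are constructed for the example.

```python
"""Scan detection over connection records (added example, constructed data).

Record format assumed for this example, one record per line:
    <ISO-8601 time> <src> <dst> <proto> <dport or -> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed records: one source pings 12 hosts, then probes 12 ports
    on one of them; a normal user fetches web pages from the same host."""
    lines = []
    for i in range(1, 13):
        lines.append("2001-03-05T10:00:%02d 198.51.100.7 10.0.0.%d icmp - allow"
                     % (i, i))
    for j, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append("2001-03-05T10:01:%02d 198.51.100.7 10.0.0.2 tcp %d deny"
                     % (j, port))
    for k in range(5):
        lines.append("2001-03-05T10:30:%02d 192.0.2.15 10.0.0.2 tcp 80 allow" % k)
    return "\n".join(lines)


def parse_log(text):
    """Turn the text records into dicts with a real timestamp and int port."""
    events = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto,
                       "dport": None if dport == "-" else int(dport),
                       "action": action})
    return events


def detect_scans(events, window=timedelta(seconds=60), host_threshold=8,
                 port_threshold=10):
    """Slide a time window over each source's events. Many distinct ICMP
    targets in the window means a ping sweep; many distinct ports on one
    target means a port scan. Returns sorted (kind, src, dst, count) tuples,
    keeping the largest count seen for each source/target pair."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            icmp_hosts = set()
            tcp_ports = defaultdict(set)
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                if ev["proto"] == "icmp":
                    icmp_hosts.add(ev["dst"])
                elif ev["dport"] is not None:
                    tcp_ports[ev["dst"]].add(ev["dport"])
            if len(icmp_hosts) >= host_threshold:
                key = ("ping_sweep", src, "*")
                findings[key] = max(findings.get(key, 0), len(icmp_hosts))
            for dst, ports in tcp_ports.items():
                if len(ports) >= port_threshold:
                    key = ("port_scan", src, dst)
                    findings[key] = max(findings.get(key, 0), len(ports))
    return sorted(key + (count,) for key, count in findings.items())


if __name__ == "__main__":
    for kind, src, dst, count in detect_scans(parse_log(build_sample_log())):
        print("%s from %s to %s: %d" % (kind, src, dst, count))
```

The repeated connections from 192.0.2.15 to a single port never trip either rule, while 198.51.100.7 is flagged twice. The caveat is the one the chapter itself raises: reconnaissance can run for weeks, and a scanner that spreads its probes over hours or randomizes their order stays under a fixed 60-second window and threshold, so production detection also keeps longer-lived per-source state and baselines against normal traffic.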

Phase Three—Attack Phase

The final phase is the attack phase. In the attack phase, the intruder begins attempting to access network and system resources. Using information gathered during the reconnaissance phase, the hacker already knows the host IP addresses, open ports, and OSs in use. Some hackers go as far as to build a test bed mimicking the target systems. With this test bed, the hacker can practice attacking the system over and over until a vulnerability is found that can be exploited. Once the hacker has found a vulnerability and is confident in their ability to exploit it, they begin to attack the actual target system.

Once a hacker has successfully gained access to a host on the network, that host is described as being compromised. Any systems that have a trust relationship with the compromised host must also be considered compromised.

Attacking IP Trust Relationships

Common practice is to establish IP trust relationships between computer and network systems. A trust relationship simply means host A will only accept connections to a particular port from host B with a known and trusted IP address. Any other connection attempts from other IP addresses or hosts are denied. These trust relationships can be configured within the OSs of the hosts or as access lists configured on the routers between the hosts. A common use for these trust relationships is to allow web servers to connect to database servers within the trusted network.

As you can see in Figure 23-1, the firewall has been configured to deny any packets from the Internet with the destination address of the database server. Because the web server needs access to the database server, the firewall has also been configured to permit packets to the database server only from the web server. The database server itself could also be configured to allow access only from the web server. Once a hacker has compromised the web server, the hacker can use this trust relationship to continue the attack against the database server. Once the database server has been compromised, the hacker can follow each further trust relationship to reach other machines on the network.

Figure 23-1: Attacking IP trust relationships between compromised hosts

Trust relationships are easy for intruders to attack and exploit because they’re based on weak or no authentication. IP provides no way to authenticate that a packet came from the source address listed in the IP header. Another weak authentication mechanism used in trust relationships is DNS-based authentication, in which a connection is accepted if its source address resolves to a trusted host name. DNS-based authentication suffers from the same weakness as IP-based authentication: no method exists to ensure that the address, or the name it resolves to, isn’t being spoofed.

STUDY TIP

Spoofing is the act of changing the source IP address listed in the IP header. IP packets include the sending computer’s IP address in the IP header, in the field called the source address. The receiving host reads this field to know where to send its response. Some hacking software allows the hacker to set the source address to any address they want; it is typically set to an address within the target’s internal network or to a private, nonroutable address. Because the victim’s replies go to the spoofed address rather than to the attacker, spoofing is most useful for one-way attacks such as DoS and for abusing address-based trust, not for interactive sessions.
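The following Python example is added here to make the point of the study tip and of the preceding section concrete; it is not code from the chapter. It builds and parses a raw IPv4 header to show that the source address is simply a 4-byte field the sender fills in, that the header checksum covers only the header bytes and so recomputes cleanly for any source the sender chooses, and that a receiver enforcing the address-based trust rule from Figure 23-1 accepts the spoofed header exactly as it would a genuine one. It then contrasts that rule with a keyed check (an HMAC over the payload with a shared secret) that a sender without the key cannot satisfy. The web server, database server, and attacker addresses, and the shared key, are assumptions for the example and are not taken from the figure.

```python
"""IPv4 header construction and parsing to show why source-address trust is
weak. Added example; all addresses and the key are assumptions, not values
from the chapter or Figure 23-1."""
import hashlib
import hmac
import socket
import struct

TRUSTED_WEB_SERVER = "10.0.0.10"   # assumed address of the trusted web server
DATABASE_SERVER = "10.0.0.20"      # assumed address of the database server
ATTACKER = "198.51.100.7"          # assumed attacker address (documentation range)
IP_HDR = "!BBHHHBBH4s4s"           # 20-byte IPv4 header without options (RFC 791)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, then
    complemented. It covers only the header and is recomputed by whoever
    builds the header, so it detects corruption in transit, not a sender
    who lies about the source address."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0):
    """Build a minimal IPv4 header. `src` is whatever the caller passes;
    nothing in the protocol binds it to the host that actually transmits."""
    fields = struct.pack(IP_HDR, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # Checksum is computed with the checksum field zeroed, then inserted.
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4_header(hdr):
    """Decode the fixed header. checksum_ok is what a receiving stack checks;
    a header whose words sum to all ones (complement 0) is well formed."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HDR, hdr[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "total_len": total_len,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum(hdr[:20]) == 0}


def ip_trust_check(hdr, trusted=TRUSTED_WEB_SERVER):
    """The address-based rule from the text: accept a well-formed packet that
    claims to come from the trusted host."""
    parsed = parse_ipv4_header(hdr)
    return parsed["checksum_ok"] and parsed["src"] == trusted


def spoofed_header(payload_len=32):
    """What the attacker sends: the trusted server's address in the source
    field. The checksum is valid because the attacker computed it."""
    return build_ipv4_header(TRUSTED_WEB_SERVER, DATABASE_SERVER, payload_len)


def make_tag(payload, key):
    """Keyed alternative: HMAC-SHA256 over the payload with a shared secret."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def keyed_check(payload, tag, key):
    """Rejects anyone who does not hold the key, whatever the IP header says."""
    return hmac.compare_digest(make_tag(payload, key), tag)


if __name__ == "__main__":
    hdr = spoofed_header()
    print("claimed source:", parse_ipv4_header(hdr)["src"],
          "| passes IP trust check:", ip_trust_check(hdr))
    key = b"shared-secret-between-web-and-db"   # assumed provisioning
    tag = make_tag(b"query from web server", key)
    print("attacker without key passes keyed check:",
          keyed_check(b"query from web server", tag, b"guess"))
```

The spoofed header passes the address check and a stack-level checksum validation, which is all the trust rule ever examined. Two practical notes follow. First, the attacker does not receive the database server’s replies, since they go to the real web server, so this is a blind attack; that is enough for one-way actions and DoS, but a full interactive session over a spoofed address needs more (for instance, the attacker already being on the path). Second, routers can drop packets whose source address could not legitimately have arrived on that interface (ingress filtering, RFC 2827), which blocks this particular spoof from the Internet side but not from an already compromised host inside the trusted segment; only authenticating the peer, as IPsec or TLS do in place of the toy HMAC here, closes that gap.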



