Chapter 1. Here There Be Hackers!

When the ancient mapmakers reached the edge of the world they said, “There Be Dragons Here!”

—Anonymous

In today’s interconnected world, this ancient representation of the world beyond a person’s knowledge holds true. When you connect your home or corporate network to the Internet, everything beyond your network is literally the edge of the world and the beginning of the World Wide Web, wherein the hackers are looking to take advantage of the unwary.

In a book about understanding network security, the obvious first step is to introduce and review what a hacker is and some of the methods a hacker employs to threaten your network.

From finding the right target to executing the attack, this chapter provides an overview of a hacker attack’s anatomy. You will learn some of the factors and footprints of hackers that will allow you to understand the threat that is present beyond the edge of your network.

Essentials First: Looking for a Target

There are only several billion possible public IP addresses on the Internet, so how hard can it be to find a suitable target? This is probably the first aspect of security on which people concentrate. Certainly your network’s presence on the Internet is a way for hackers to find you; as a result, you should consider the security of your network from attackers. You have purchased the best security technology to protect your PC, and you constantly ensure that it is up-to-date with the latest security patches. This includes your firewall, screening router, VPNs, antivirus software, proxy server, biometrics, and all the best security technologies that money can buy. You have done this, right?

It is natural to think that security technology can protect you from the malicious threats of hacker technology. In this case, however, you might have been yearning for a sense of security but forgotten about the weakest security link: the human factor.

Consider for a moment whether your employees are trained in security. Would they know what to do if someone tried to fool them into giving away potentially sensitive information? How many sets of keys to the building exist? What are the cleaning people doing when you are not there? Are they disposing of your trash properly, or are they bagging and dropping it into the dumpster? Could an intruder break a window or pick a lock to enter your building undetected? Now how does that awesome firewall completely protect you?

You might be thinking that you have a great IT staff or even a team dedicated to network security, which is a good thing. Security professionals are expected to have a high level of technical competence and, for the most part, this is true. However, these same professionals often do not expect the same to be true of those attackers and intruders from whom they defend their sites. Many do not take heed of the axiom that “There’s always someone out there smarter, more knowledgeable, or better-equipped than you.” Having an engineer who thinks that he is the smartest person in the company is a recipe for disaster.

Consider a popular term known as dumpster diving. You have probably heard the stories where people become obsessed with a movie star or popular television personality and go through their trash. In reality, this practice began with people trying to hack into the AT&T phone system; of course, they were called phone phreaks, not hackers. The point is that, to a social engineer, even the garbage a company places in the dumpster is not safe.

If you want a better understanding of the actual benefits of dumpster diving, rent the hacker movie Sneakers. Not only is it an entertaining movie, but it also provides insight into many of the topics discussed in this section and the next.

Security is often simply an illusion that is facilitated and made more believable by the ignorance or naiveté of everyone in an organization. Do not place all your trust in security products; if you do, you are settling for the illusion of security. Any security process must be implemented—that is, both “technology” and rules. (Specifically, all people in an organization must hold to these stated rules.) In addition, you must perform random audits to determine whether certain people in the company, such as the CEO who does not heed all the rules, bypass any rules. The CEO usually has access to secrets and is a first target for a hacker. Letting the CEO bypass security policies is a sure way to weaken a security policy.

In summary, “true” security is more than a product; it is a series of processes that encompass products and personnel across an organization. The following section covers the importance of having company personnel be aware of the security process.

Hacking Innocent Information

Considering the introduction to this chapter, this discussion begins with hacking innocent information, which is also known as social engineering. Hacking innocent information from a person via social engineering is much easier than bypassing a firewall.

Fundamentally, people want to trust and help others, so they are more vulnerable to social engineering; combating this most basic hacking can be one of the biggest challenges to those who are responsible for security.

Although you might not think innocent information is worth protecting, it can be crucial to a social engineering attacker. When an attacker is armed with this information, he can use it to make himself believable. In reality, this is where the hacker usually begins penetrating a company: by obtaining some document that might seem innocent and commonplace. Be careful, however, because it could be useful to others.

Consider the following scenario, which I used once while performing a Network Assessment. To see what people would be willing to give up to someone who “sounded” official, I called the senior IT engineer, Daniel:

“Hello, this is Tom from WindWing Travel. Your tickets to San Jose are ready; would you like us to deliver them or arrange for you to pick them up as e-tickets at the airport?”

“San Jose?” Daniel says, “I do not have any travel plans there.”

“Is this Daniel Thomas?” I asked.

“Yes, but I do not have any trips scheduled until AppleCon in Las Vegas, later this year.”

“Well,” I chuckle, “are you sure you do not want to go check out San Jose?”

Daniel chuckles as well, responding to a humorous situation and a break in his normal routine by saying, “Sure, I’d be happy to go if you can convince my boss....”

“Sounds like another computer glitch,” I say and, while chuckling, I remark, “I thought computers were supposed to make our lives easier.”

Daniel laughs too.

“In our travel system, we track travel arrangements under your employee number. Perhaps someone used the wrong number when booking the flight. What is your employee number?”

Daniel knows that several groups within his company have his employee number: security, human resources, his boss, and obviously finance, so why wouldn’t the travel company use a way to identify him that fits with his company? There is no danger here, is there?

A competent hacker working on social engineering can take this simple piece of information and use it with some rather easily obtained data to take his hack to the next level. Imagine what access he might gain if he had an employee’s number, full name, telephone extension, department, work location, e-mail address, and even his manager’s information. This information is innocent when viewed in pieces, but it paints a scary picture when gathered together.

Clearly, innocent information should be protected, and employees should be made aware that mishandling information that should never be released to the public could truly endanger both the company and, more importantly, the employee. For example, consider how the same call might continue:

“Daniel, I can’t find you by employee number. Let me try this another way. What is your social security number?”

A good rule of thumb is that all company data should be considered sensitive in nature and not released unless explicitly stated in a Data Classification Policy.

Note


For additional information on social engineering and how hackers gather information without ever alerting your network engineers, refer to the following text: The Art of Deception: Controlling the Human Element of Security, by Kevin Mitnick and William Simon.

This text also describes techniques and policies that can be used to defend against these types of attacks. I strongly recommend this enjoyable and well-written book.

Targets of Opportunity

I cannot keep track of the number of times I have been with a customer who discusses their network and its security only to hear the following:

“We are a <Non-IT business> and there is nothing on our network that a hacker would want. Why should we be worried?”

Wow! What a statement. It astounds me every time I hear it. There are many ways to reply to such a statement—some of which are politically correct, and some of which are not. Usually the person making this statement is a customer, so the focus here should be on the correct response.

This belief is also known as Security Through Obscurity. In this book, you will see that when it comes to security, relying on obscurity is dangerous regardless of the company’s size or business.

Perhaps the company in question might not be a bank, but its network certainly contains servers, hard drive space, bandwidth to the Internet, and personal employee information. Believing that this information is unimportant to a hacker can be fatal. Consider what a hacker could do with such information:

Servers—Hack a server and you get a slave device that could potentially be used remotely to attack other, more important targets. Can you envision getting a call from men in dark suits who have no sense of humor regarding what your server might be doing?

Hard drive space—Every network has unused disk space. What if you were hacked and files of a questionable or perhaps even illegal nature were placed on them? Consider what the lawyers enforcing copyright laws might think. Perhaps the files might contain pornography or terrorist material. In addition, most server hard drives today are of the hundred gigabyte variety or larger, the capacity of which is attractive to someone who needs to park a recently bootlegged movie for a few hours or even days.

Bandwidth—A hacker can always use extra bandwidth and alternative means of connecting to other companies to hack into them.

Personal employee information—Armed with all the information an employer might need to verify employment and even pay its employees, a hacker could engage in identity theft.

These hacker activities could place IT personnel, management, or even the entire company in danger with legal or criminal ramifications, not to mention the bad press associated with being hacked to this degree.

The more important question is not, “Why would someone hack us?” but, “Am I vulnerable enough to be selected as a target?”

Targets of opportunity are clearly the easiest for a hacker to penetrate because something has happened, or failed to happen, that allows him to easily identify and gain access to a corporate network, even one that has nothing valuable on it.

Are You a Target of Opportunity?

In many cases, hackers prowl the Internet using a variety of tools (covered later in this book) and usually have an agenda in mind when they discover a potential target. In addition to hackers, there are a variety of individuals known as script kiddies:

Note


A script kiddie (sometimes spelled “kiddy”) is a derogatory term, originated by the more sophisticated hackers of computer security systems, for the more immature, but unfortunately often just as dangerous, exploiter of Internet security lapses. The typical script kiddie uses existing and frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet—often randomly and with little regard for, or perhaps even understanding of, the potentially harmful consequences. Hackers view script kiddies with alarm and contempt because they do nothing to advance the “art” of hacking, except sometimes unleashing the wrath of authority on the entire hacker community.

While a hacker takes pride in the quality of an attack—leaving no trace of an intrusion, for example—a script kiddie might aim at quantity, seeing the number of attacks that can be mounted as a means of obtaining attention and notoriety. Script kiddies are sometimes portrayed in the media as bored, lonely teenagers seeking recognition from their peers (http://www.searchsecurity.com). Script kiddies usually hack for the challenge and not for financial gain, although that can be a motivator. As novices, script kiddies often do not know what they are doing and can inadvertently cause a Denial of Service (DoS). The word is that, in most cases, expert hackers were script kiddies at one time.

Determining whether you are a target of opportunity depends on your security infrastructure. A good rule of thumb is that if you do not have a firewall in place or your firewall has not been updated in a while, you are likely to be a target of opportunity. Because they employ automated tools that look for vulnerabilities in your security, script kiddies are the most common threats to networks that are targets of opportunity. One of the easiest ways to ensure that you do not become a target of opportunity is to update your infrastructure with the latest patches. Do not let yourself get lulled into a false sense of security by patching only a server or two. You might not be a target of opportunity, but you might still be a target of the hacker’s choice.

Targets of Choice

Hackers often have a goal in mind when selecting a target. Consider the role the media has played in setting our internal vision of what a hacker is. Many people think that a hacker possesses the following characteristics:

• Disgruntled, negative, and angry at the world

• Bitter, with few friends and low self-esteem

• Extremely smart, yet not able to focus on traditional careers

• Has trouble maintaining relationships, friendship, or romance

• Disrespects authority; a social misfit

• Young and inept with women

• Enjoys junk food and pizza, ensuring the presence of pimples

• Writes with numb3r5 in th3r3 w0rd5 to be kewl

These stereotypes are true in some cases; regardless, a subculture of hacking exists, and some hackers revel in it. However, believing that all the security threats against your network come from individuals like these would be a mistake.

Are You a Target of Choice?

The following scenarios can help you understand that your company—or perhaps even you—might be a target of choice by a hacker:

• Perhaps your company has a new product that is going to revolutionize your area of business. What if it is a breakthrough?

• Perhaps you are engaged in a bitter dispute with a family member and you have information that the other party wants.

• Perhaps you have upset someone who knows a hacker.

• Perhaps you have a good credit rating, making your identity very attractive.

• Perhaps your company is in a business that, if disrupted, would allow people with an agenda to make a point.

• Perhaps your company has information on another company that is important to someone.

• Perhaps an employee has become disgruntled and wants to make a point.

• Perhaps you are trying to hide something from a lawyer during a bitter divorce. (Smile if you want, but it does happen.)

• Perhaps your company is doing business in a part of the world that is in the middle of social or political upheaval—even hackers have geopolitical consciences nowadays.

In these cases and perhaps many others, you are now officially a target of choice. Certainly the hacker could fit within the subculture described earlier, but perhaps he is not something out of a Hollywood movie. What about private investigators and lawyers—might they not be interested in information that you or your company might have?

Private investigators are hired by people wanting to know all sorts of things, so they are learning new skills; to be successful, they could well have turned to the Internet to find this information about you. What about the ex-military or those trained by the government as security specialists? It is highly doubtful that they fit the Hollywood hacker stereotype. What about a spurned lover or spouse who has some computer skills, or an employee who knows all your partnering companies? These groups do not fit the hackers we see on Hollywood’s silver screen, but they can certainly be viewed as a threat to your network.

Understand, as well, that a hacker might not do all the work himself, and it might not be electronic. For example, do you recall the dumpster diving discussion?

Dumpster diving is legal and is an easy means of acquiring all kinds of information that could be helpful to a hacker.

The following section covers how an attack begins, and the process an attacker takes to begin compromising the target system.

The Process of an Attack

There are many ways that an attacker can attempt to gain access to or exploit a system. This system can be as simple as a home computer connected to the Internet through a DSL connection, or a complex corporate network. Regardless of the kind of system an attacker is targeting, they typically employ the same fundamental steps:

  1. Reconnaissance and footprinting
  2. Scanning
  3. Enumeration
  4. Gaining access
  5. Escalating
  6. Creating backdoors and covering tracks

The following sections discuss these steps in detail. It is important to understand the concepts of what an attacker might be doing in each step, and her goal.

Reconnaissance and Footprinting (a.k.a. Casing the Joint)

“Intelligence preparation of the battlefield” is a military term used to define the methodology employed to reduce uncertainties concerning the enemy, environment, and terrain for all types of military operations. During military actions, this concept has been clearly demonstrated through the use of drone aircraft that allowed military commanders to “see” the battlefield and thus pick when and, more importantly, how they engaged the enemy. Understanding the battlefield and subsequently having the ability to choose how you engage the target is analogous to the choices hackers make.

Hackers conduct intelligence preparation operations against your company and network. It is a continuous process that is used throughout all planned and executed operations. The networked environment that security professionals are tasked with securing is analogous to a battlefield. The myriad of attackers and intruders from the void are the aggressors who are constantly on the offense. The security professionals are the defenders, entrusted to preserve the confidentiality and integrity of data against these intruders.

In network security terms, this intelligence preparation is known as reconnaissance and footprinting; in Hollywood movies, it is referred to as “casing the joint.” In the real world, many criminals perform this step, but they probably have not named it. For example, a criminal might review the security of a convenience store so he can understand what the security is, where the money is kept, the location of security cameras, possible exits, and any other items that might help him succeed in his crime. As shown in Table 1-1, hackers look to gain information during this phase.

Table 1-1. Goals of Reconnaissance and Footprinting



There are certainly a lot of steps a hacker can take to learn about your network without your knowledge. Consider what simply looking at the Domain Name System (DNS) can reveal about your network through the use of a simple command known as nslookup. (See Example 1-1.)

Example 1-1. Using DNS for Passive Reconnaissance


Consider that through using just DNS tools, the attacker can reveal the public IP address of the Cisco website and that of its DNS and e-mail servers; in addition, it looks like the attacker is using proxy servers. Whois is a tool that is again freely available in many applications and on the Internet at the following locations. Try it out on your domain:

http://www.networksolutions.com/—whois web interface

http://www.arin.net/—ARIN Whois

http://whois.ripe.net/—European Whois

http://whois.apnic.net/—Asia Pacific IP Address Allocations

http://whois.nic.mil/—U.S. Military

http://whois.nic.gov/—U.S. Government

Cisco.com is queried all the time and is, therefore, not alarmed by passive reconnaissance. Do not forget the information available on a company’s website and how useful it is to know the address, main phone number, fax number, mergers, press releases, and members (with bios) of the company’s management team. A target’s corporate website has become a well of useful information from which an attacker can learn quite a lot. The hacker could use this knowledge for social engineering, identification of network systems, system administrators, and so forth. The system administrators and technical contacts found when running host queries can then be looked up through USENET and web searches. By taking the time to track down this information, the attacker might be able to gain greater insight into the target network.

If you were a hacker, however, you could begin a more active reconnaissance to determine what services you could see on these servers through their public IP address.

Unfortunately, most companies are not prepared to detect these types of scans or probes. It is not that they do not have some of the basic tools; it is simply that the target devices most likely are not logging what is going on or, if they are, no one is looking at the logs. Consider that one of the next steps could be a simple ping scan using any number of freely available tools on the Internet. Refer to Figure 1-1, in which you can see the results of a ping scan on a Class C subnet using WhatRoute. (A very neat tool; check it out at http://www.whatroute.net.)

Figure 1-1. Ping Scan of a Class C Subnet


Attackers know this and also understand that the more active they are, the more likely their activities will be noticed. An attacker will, therefore, start active reconnaissance and allow it to continue until he has learned enough information to launch an exploit against that system. If the exploit succeeds, the attacker moves onto the next step; if not, he goes back and gathers more information.

During this phase of an attack, the methods employed involve nonintrusive and standoff methods that hopefully will not allow the attacker’s efforts to be detected. The attacker wants to determine the type of network with which he is dealing, and with whom he is dealing: system, network, and security administrators. Again, the intent is to develop a network map that uses information gathered during footprinting; he then figures out which devices are routers and firewalls and places them on the map, and identifies key systems such as mail servers, domain name servers, file servers and so on. The attacker also wants to know where the target gets its Internet access in case he needs to try and access the target through its ISP.

Note


Do a Google search on the words, “Welcome to IIS 4.0,” and you will see how many IIS servers exist in the world. The fact that there are any responses to these search terms speaks volumes for how hastily web servers are set up and deployed—not to mention that a hacker now has an “all-night buffet” of servers from which to choose and enjoy.

Scanning

At this point, the attacker has a good idea of the machines on the network, their operating systems, who the system administrators are, any discussions posted to newsgroups, their office locations, and who their upstream Internet service provider (ISP) is. The attacker also knows that, from this point forward, everything he does might be logged; at a minimum, he should assume that it is. The attacker has a map of the network and devices and is ready to move on to identifying listening services and open ports. The attacker will also determine the acceptable risk. Can he afford to be logged during scanning? Is compromise acceptable during the latter stages of the attack? Is concealment of the originating attack location necessary? What about exposure of the sponsor if he is working on behalf of another entity?

There is a lot going on in the attacker’s mind. Some attackers sketch things out, and others internalize these considerations as they move from step to step.

In Example 1-2, the attacker has initiated a more active set of scans against a target using NMAP (www.insecure.org), a free tool that both hackers and ethical hackers (good guys) commonly use. Because it is free, you will not find a script kiddie without it!

Example 1-2. Active Port Scan Results


If you refer back to Figure 1-1, you will see that the ping scan revealed an active host at 192.168.254.69 and that the more detailed scan with NMAP, shown in Example 1-2, provided additional information. You might be wondering how accurate NMAP is. The answer is very accurate; specifically, the device scanned was, in fact, a Win2k server.
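The earlier paragraph notes that target devices usually are not logging, or nobody reads the logs. The following added example (not from the book) shows the defender’s side of Figure 1-1 and Example 1-2: detection logic that reads a constructed, simplified firewall log format (timestamp, protocol, source, destination, port or ICMP type) and flags one source pinging many hosts in the 192.168.254.0/24 subnet, then probing many ports on the host it found alive. The log format, addresses and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format is a constructed, simplified firewall record (not from the book):
#   <ISO timestamp> <proto> <src> <dst> <dport or icmp-type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>icmp|tcp|udp) (?P<src>\S+) (?P<dst>\S+) (?P<detail>\S+)$"
)


def parse_line(line):
    """Parse one log record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def _max_distinct_in_window(events, window):
    """Largest number of distinct keys seen in any time window of the given length.

    events is a list of (timestamp, key); a sliding window anchored at each event
    in time order is sufficient for log-sized inputs.
    """
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        keys = {key for ts, key in events[i:] if ts - start <= window}
        best = max(best, len(keys))
    return best


def detect(lines, window=timedelta(seconds=60), host_threshold=10, port_threshold=10):
    """Return alerts for ping sweeps and port scans found in the log lines.

    ('ping_sweep', src, hosts)      -> one source pinged >= host_threshold hosts in a window
    ('port_scan', src, dst, ports)  -> one source probed >= port_threshold ports on one host
    """
    echo_by_src = defaultdict(list)      # src -> [(ts, dst)]
    ports_by_pair = defaultdict(list)    # (src, dst) -> [(ts, dport)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "icmp" and rec["detail"] == "echo-request":
            echo_by_src[rec["src"]].append((rec["ts"], rec["dst"]))
        elif rec["proto"] in ("tcp", "udp"):
            ports_by_pair[(rec["src"], rec["dst"])].append((rec["ts"], rec["detail"]))

    alerts = []
    for src, events in echo_by_src.items():
        n = _max_distinct_in_window(events, window)
        if n >= host_threshold:
            alerts.append(("ping_sweep", src, n))
    for (src, dst), events in ports_by_pair.items():
        n = _max_distinct_in_window(events, window)
        if n >= port_threshold:
            alerts.append(("port_scan", src, dst, n))
    return alerts


def build_sample_log():
    """Constructed sample: 10.9.9.9 sweeps 192.168.254.0/24, then probes the host it found
    alive (192.168.254.69); 10.1.1.50 is an ordinary user and must not be flagged."""
    lines = [f"2004-03-02T10:15:{i:02d} icmp 10.9.9.9 192.168.254.{i} echo-request"
             for i in range(1, 21)]
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 123, 135, 139, 143, 443, 445, 1433, 3389]
    lines += [f"2004-03-02T10:16:{j:02d} tcp 10.9.9.9 192.168.254.69 {port}"
              for j, port in enumerate(probe_ports)]
    # Twelve hits on port 80 from one user: many lines, but only one distinct port
    lines += ["2004-03-02T10:15:05 tcp 10.1.1.50 192.168.254.69 80"] * 12
    lines.append("2004-03-02T10:15:07 icmp 10.1.1.50 192.168.254.69 echo-request")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The thresholds are deliberately simple; on a real perimeter log you would tune the window and counts to the normal traffic of that segment.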

For example, Figure 1-2 uses TigerSuite (http://www.tigertools.net) to see the other services that are accessible on the server. The figure shows that the server is readily identified, as are some extraneous services that are easily exploitable: SMTP, NTP, and FTP. Also notice that the scan revealed the server’s name and domain, which is very helpful to users and hackers in a Windows network!

Figure 1-2. Server Query Scan


Being somewhat concerned about these services, I immediately shut them off and disabled them from starting again. This is a relatively new server, and I was more concerned about getting it functioning for my users than securing it. In their hearts, most OS vendors felt the desire to be helpful and reduce the number of expensive (for them) technical support phone calls by turning on every single service and function from the beginning. Clearly, they were not thinking of security in this decision—only money. Apparently, they want their CEO to be the richest man in the world. Regardless of their irresponsible motives, Figure 1-3 shows that it does not take the IT professional long to correct this situation.

Figure 1-3. Secured Server Scan Results


You can Telnet to an open port 80 and issue a simple GET request. The result should be a “banner,” which identifies the web server type (IIS, Apache, and so on) and other interesting facts, as shown in Example 1-3.

Example 1-3. Telnet to Port 80 to ID a Server


Note


Telnetting to target IP addresses on various port numbers can sometimes yield surprising results. Try Telnetting to some of the more commonly known ports (such as port 80) and see what kind of results you get.
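The following added example (not from the book) performs the same check as Example 1-3 against a loopback stand-in for your own web server, so you can audit what your server announces before an attacker does. It runs a default Python HTTP server, which sends a Server: header naming software and version, beside a hardened variant whose banner is stripped; the handler classes, the port choice and the "webserver" banner text are assumptions for the demonstration.

```python
import http.server
import socket
import threading


class DefaultServerHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for an out-of-the-box web server (constructed, not from the book).
    Python's default Server: header names both the software and its version."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class QuietServerHandler(DefaultServerHandler):
    """Same server after hardening: the banner no longer names software or version."""

    def version_string(self):
        return "webserver"


def serve_one(handler_cls):
    """Start a loopback server that answers a single request in the background; return its port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)

    def run():
        srv.handle_request()
        srv.server_close()

    threading.Thread(target=run, daemon=True).start()
    return srv.server_port


def grab_banner(host, port, timeout=5.0):
    """The check Example 1-3 describes: connect, send a bare GET, read the status line
    and Server header from the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head = b"".join(chunks).partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "server": headers.get("server", "")}


def discloses_version(banner):
    """True when the Server: header carries a version token such as 'Python/3.11.4'."""
    return any("/" in token for token in banner["server"].split())


if __name__ == "__main__":
    for handler in (DefaultServerHandler, QuietServerHandler):
        banner = grab_banner("127.0.0.1", serve_one(handler))
        print(handler.__name__, banner, "version disclosed:", discloses_version(banner))
```

On production servers the equivalent hardening is a configuration setting (for example, suppressing the Server header or its version detail) rather than a code change.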

Another type of scanning known as vulnerability scanning is typically done from the Internet to find out how well a system is protected. As you have seen, each technique in the reconnaissance phase has value, but the true value (for the attacker) is gained when multiple techniques are combined to gain a complete picture of the target device.

As you move onto the next step in the attack process, remember that the scanning of a target allows the attacker to focus her efforts and attention on the most promising avenues of entry into your network. Attackers expect your IT professionals to be watching, but they doubt they will be seen; that assumption is subject to change, however.

Enumeration

Defining the network environment involves footprinting, scanning, and enumeration. Footprinting allows the attacker to limit the scope of her activities to those systems that are the most promising targets for the vulnerabilities she plans to exploit against the server. Scanning told the attacker what ports are open and what services are running.

Enumeration is the extraction of valid account information and exported resources. The key difference between the preceding scanning and footprinting techniques is that enumeration involves active connections to specific systems and directed requests to connect to these specific systems, too.

Note


The previous section concluded by saying that attackers expect to be seen, but ignored, while they are footprinting. However, when enumeration begins, the attacker’s attempts must be stopped or, at the very minimum, logged and acted upon!

Like all steps in the attack, pulling the activities together makes the difference in the success of the attack. Following are the four main categories of information that an attacker enumerates within a network:

• Network resources and shares

• Users and groups

• Applications

• Device banners

As you can tell, the presence of each of these categories differs on every operating system. Consider that every major operating system allows for shares, but each—Mac OS, Windows, Linux, and Novell—handles them in a different way. This means that, from an attacker’s perspective, each operating system must be handled differently.

The earlier example of a layered approach becomes apparent here because, through the use of NMAP, you have a good idea of what operating systems you are trying to attack.

Enumerating Windows

As the industry leader in computer operating systems, Microsoft Windows is perhaps the most widely discussed; therefore, it makes sense to spend some time on it first. Windows operating systems still depend heavily on the use of NetBIOS (UDP port 137), and many of the tools an attacker might use to learn more about a Windows-based network are built into the operating system itself, as you will see in the text that follows.

Example 1-4 shows the results of issuing a net view command from the command line of a Windows machine. In this case, the domain was known, so including it in the command revealed all the machines in that domain. Had the domain been omitted, all the LAN’s domains would have been displayed.

Example 1-4. Using Windows Net View


This enumeration technique is even more useful when you combine it with the results of the earlier ping scan. IP addresses and NetBIOS names can be used interchangeably; for example, with NetBIOS you might access another computer as \\COMPUTER-NAME, but you can also use \\192.168.254.69. Attackers know this and modify their systems so that their machines “automatically” cache the NetBIOS names.

Another great built-in Windows tool is nbtstat, which allows you to query another computer for its NetBIOS name table. What this means is an attacker can query a server for its table, as shown in Example 1-5.

Example 1-5. Query via nbtstat


And if you do not know the IP address of the machine you have your sights set on, you can issue the command nbtstat -c; you will then be provided with a listing of the NetBIOS names (in your cache) and their corresponding IP addresses, as shown in Example 1-6. Don’t you just love friendly operating systems?

Example 1-6. Using nbtstat -c to Display NetBIOS Names


The best way to stop an attacker from learning this kind of information from your network is to ensure that your router and firewall are blocking the entry and exit of NetBIOS packets. Block at both points in order to provide a layered approach to security. Specifically, block the following:

• TCP and UDP on ports 135 through 139

• TCP and UDP 445 for Windows 2000

Blocking these ports does not stop NetBIOS; it simply prevents it from entering your network. There are ways to disable NetBIOS on a Windows PC; however, this might not be an option. Table 1-2 shows some of the common tasks and tools that attackers use.
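The following added example (not from the book) turns the blocking advice above into a check you can run against a filter policy: a tiny first-match rule evaluator, the way a router ACL or firewall rule base is read, with a constructed weak policy that only denies inbound TCP 139 beside the corrected policy that denies TCP and UDP 135 through 139 and 445 on both entry and exit. The Rule representation and the default-permit behaviour for unmatched packets are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Ports the text says to block: TCP and UDP 135 through 139, plus 445 (Windows 2000).
NETBIOS_PORTS = list(range(135, 140)) + [445]
PROTOS = ("tcp", "udp")
DIRECTIONS = ("inbound", "outbound")


@dataclass(frozen=True)
class Rule:
    """One filter entry: action applies when direction, protocol and destination port all match."""
    action: str      # "permit" or "deny"
    direction: str   # "inbound", "outbound" or "any"
    proto: str       # "tcp", "udp" or "any"
    low: int         # inclusive destination-port range
    high: int

    def matches(self, direction, proto, port):
        return (self.direction in ("any", direction)
                and self.proto in ("any", proto)
                and self.low <= port <= self.high)


def decide(rules, direction, proto, port):
    """First-match evaluation, the way a router ACL or firewall rule base is read.
    A packet matching no rule is permitted here, modelling a device with no filter at all."""
    for rule in rules:
        if rule.matches(direction, proto, port):
            return rule.action
    return "permit"


def netbios_exposure(rules):
    """Every (direction, proto, port) from the NetBIOS set that the policy still lets through."""
    return [(d, p, port)
            for d in DIRECTIONS for p in PROTOS for port in NETBIOS_PORTS
            if decide(rules, d, p, port) == "permit"]


# Constructed weak policy: a single inbound TCP 139 deny, which is sometimes mistaken
# for "NetBIOS is blocked". UDP, the other ports and the exit path all stay open.
WEAK_POLICY = [
    Rule("deny", "inbound", "tcp", 139, 139),
    Rule("permit", "any", "any", 1, 65535),
]

# Corrected policy per the text: TCP and UDP 135-139 and 445, denied on entry and exit.
HARDENED_POLICY = [
    Rule("deny", "any", "tcp", 135, 139),
    Rule("deny", "any", "udp", 135, 139),
    Rule("deny", "any", "tcp", 445, 445),
    Rule("deny", "any", "udp", 445, 445),
    Rule("permit", "any", "any", 1, 65535),
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = netbios_exposure(policy)
        print(f"{name}: {len(gaps)} NetBIOS/SMB paths still open")
        for gap in gaps[:5]:
            print("  ", gap)
```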

Table 1-2. Attacker Tasks, Tools, and Techniques


As discussed at the beginning of this section, each operating system has associated techniques that enumerate against it. You have looked at a couple techniques that are just for Windows, and there are many more. Later in this chapter, you will see some recommended titles that discuss more about the other enumeration possibilities.

Gaining Access

Many people mistakenly believe that an attacker wants to “take control” of a target device and that this is the ultimate goal of an attack. This is not entirely true. What is more likely is that an attacker wants to gain access to a target PC. After enumeration identifies promising avenues of entry, more intrusive probing can begin as valid user accounts and poorly protected resource shares are exploited to gain access.

Ultimately, the attacker must gain access to a system through some aspect of that system. There are typically four major types of exploits that reflect different aspects of a system that attackers target:

• Operating system attacks

• Application attacks

• Misconfiguration attacks

• Script attacks

Whichever of these aspects an attack targets, an attacker can proceed in one of two ways:

Automated attacks—These types of attacks target one or more aspects of the target and are usually opportunistic by their design. Automated attacks are opportunistic in the sense that they scan an entire block of IP addresses to look for vulnerability. For example, an automated attack might scan every IP address in a Class C block on port 80 looking for a known vulnerability that affects web servers. If the scan is successful, the attack proceeds; if not, the scan continues looking.

Targeted attacks—These types of attacks are more dangerous than automated attacks because your organization has been singled out for an attack. In other words, an attacker knows that you have something he wants, or that by succeeding in his attack on you, he can achieve a goal. Increasingly, the latter drives attacks that use politics or a social agenda as the rationale for an attack. Fortunately, targeted attacks seem to make up the minority of Internet activity. However, the bad news is that if you are targeted, the more skilled the attacker, the less likely you are to “see” or detect the attack.

Remember these two ways an attack might occur as you consider how an attack can affect the different aspects of a system.

Operating System Attacks

An operating system is designed to support what a user would like to accomplish and, in the context of this discussion, the operating system must enable networking to some degree. The more networking that is enabled on a system, the more services are activated to support these needs. This results in more open ports and active services being available and visible. Therefore, attackers have more opportunities to select an attack, thereby resulting in the access they want.

In addition, users and administrators often think that the job is finished when a server has its OS installed and its services configured. Alas, this is a mistake that results in a perfect target for attackers. Consider being a hacker and finding a server that has the original operating system installed without patches and with all default services activated. That server will be compromised within the hour!

Application Attacks

I once worked in a business unit that wrote networking software for one of its products. The company was a large, international company with a strong history in telecommunications. I explain this background because, with all the software being written these days, you would think that this company would take advantage of its understanding of the technology and security.

Alas, that was not the case; software programmers were under amazingly tight deadlines and were always asked for new features. I knew many of them—they inherently wanted to do the right thing, but outside factors drove their activities in many ways. Essentially, software was not being tested as it should have been. Add in its increasing level of functionality, and you have opportunities for attackers. This is all terrible, but consumers did not care about security several years ago—only whether the software had the features they wanted. Perhaps, if consumers change what they spend money on, secure software will become more of a pressing issue.

Misconfiguration Attacks

Sometimes, system administrators change settings on a system while trying to secure it or to ensure that it provides the functionality users need. Usually, this means turning on several options until the desired feature starts working when you hit the right one.

Did you clean up those options after yourself? Likely not. The problem is that the system administrator does not go back and research what fixed her issue and deactivate the unneeded options. This is perplexing because verifying that a system is not misconfigured is an easy precaution to ensure that your system is functioning correctly. A good rule of thumb is to turn unnecessary services off and concentrate on correctly securing and configuring those that are needed.

Keep a written record of what services and options you enable or disable; in the heat of the moment (especially when it is 3:00 a.m. and you are wondering what you did to deserve being hacked), the written record will help you reverse what you might have done earlier.

Another issue that fits under the misconfiguration umbrella is deploying a device and not changing the default administrator username and password that was programmed into the device. If you are wondering what I am referring to, look at the manual that came with your shiny new firewall device that has all the blinky lights and whiz-bang security features. Have you looked at the “quick startup” section that almost all manuals have nowadays? Somewhere among those pages is a section about logging in for the first time and setting up the device. Most security devices either have no password, or the username/password combination is something like “admin/admin.” Guess what? Hackers read manuals too, and they are aware that default passwords are still active on routers, firewalls, and other Internet toys.

Script Attacks

UNIX and Linux are undoubtedly the systems on which attackers are most likely to find scripts susceptible to their activities. Many of these operating systems come with sample scripts and programs that are available for use. These are a mixed blessing: if left activated or unchecked, they can result in successful attacks against your system.

Attackers try to execute some of the following attacks against your system during this phase of the attack:

Buffer memory overflows—The information has to go somewhere, and the attacker can direct it to compromise a system. When the BIQ (Buffer In Question) blows, the OS might do things that the developer never intended.

Brute-force password guessing—The attacker starts a program that tries every word in a dictionary. Webster’s is fine, but it could also be a dictionary of names, movies, sports teams/lingo, and so on.

Sniffing a password—Everyone has to log in and, if the attacker can “see” a user’s password, he is in! Can you imagine the number of passwords that could be captured in the morning when everyone is logging in to your network?

Capture the password flag—In this case, the attacker wants to capture the password file, which can then be decrypted and cracked at the attacker’s leisure, most likely not on the system that was compromised. In other words, the attacker copies this file and cracks it offline (for example, while sleeping or at his day job), so the information it contains remains useful.

The techniques, tools, and procedures vary according to the attacker’s level of expertise and ability to code custom scripts and programs. Either way, a plethora of free open source tools are available for use; the attacker will more than likely make use of some, if not all of the following:

• NMAP—http://www.insecure.org/

• STROBE—http://www.deter.com/unix/index.html

• NESSUS—http://www.nessus.org

• SATAN—http://www.cerias.purdue.edu/coast/satan.html

• WinScan, Sam Spade, and others, if using a Windows box

Do not discount the fact that commercial products such as CyberCop Scanner and Internet Security Scanner (ISS) might also be used because these are available for sale on the open market. The following section discusses how an attacker works on escalating how much he is allowed to do (that is, privilege) after accessing a system.

Escalating Privilege

At this point in a hack, an attacker might have gained access to a system. Perhaps the attacker learned/guessed/hacked a user’s password because it was something simple, like the user’s favorite sports team or movie. A regular user, however, might not have the privileges the attacker needs for his goal. Thus, in this phase of the hack, the attacker must begin escalating his privilege level. He now understands the system a bit more, so he will likely look for the following:

• Being “in” the system, run the appropriate exploit code against it to gain more privileges.

• Try to crack passwords using the many freely available password-cracking tools.

• Look for passwords that are not encrypted (that is, clear text).

• Evaluate the trusts that exist between the hacked system and others within the network. Perhaps there is another opportunity?

• Check whether file or share permissions are set incorrectly.

These are the types of steps an attacker takes after he has gained rudimentary access. Having accepted the risk and trouble of getting in, he is unlikely to stop before ensuring that he can do whatever it is he intended to do.

If all else fails, or if the attacker wants to implement a denial of service (DoS) attack, he uses specialized tools called exploit code to disable a system. These exploits are operating system-specific and can also depend on the system’s patch level. Specifically, this means that system X is vulnerable to exploit 666, but if it has been patched with service patch 5, it is not vulnerable. Some of the exploits that could be used are SYN flood, ICMP techniques, overlapping fragments/offset bugs, and out of buffer. Again, the effectiveness largely depends on the system’s patch level. The attacker knows that, when an exploit becomes public, it can quickly become useless against systems whose administrators stay on top of things; however, an attacker also knows that new exploits are found daily, and that research and experimentation are required to find the most effective tools and techniques.

The remaining steps are rather straightforward and obvious. After the hacker has gained Administrator/Root access (that is, ownership), he completes the reason behind the attack, begins concealing his activities, and perhaps leaves himself a way to get back into the system.

Covering Tracks

After attackers gain ownership of the target system, they must hide this fact from the system administrator. This is one of the most fundamental rules of hacking; however, it is also one of the hardest for the attacker to accomplish. On Windows-based systems, event log and registry entries are cleared/cleaned. On a UNIX-based system, the attacker clears the history file and executes a log wiper to clean entries from UTMP, WTMP, and Lastlog.

Note


Note that the attacker clears the logs; he does not delete them. When log files are deleted outright, a notification can occur that draws attention to the fact that the system was compromised.

If the attackers want to maintain access to the system after achieving initial access, they create backdoors for future access. The methodology, tools, and techniques are system-dependent, but the intent is to create accounts, schedule batch/cron jobs, infect startup files, enable remote control services/software, and replace legitimate applications and services with Trojans. Possible tools include the following:

Netcat—A simple UNIX utility that uses the TCP or UDP protocol to read and write data across network connections.

VNC (Virtual Network Computing)—A remote display system that allows you to view a system’s desktop environment—not only on the machine where it is running, but also from anywhere on the Internet and from a wide variety of machine architectures. Many programs do this—VNC just happens to be free and rather popular. Plus, it works on Windows, Linux, and UNIX (http://www.uk.research.att.com/vnc/).

Keystroke loggers—Hundreds are available on the Internet, and they can be either hardware or software-based. Keystroke loggers record every keystroke pressed for a computer and can even e-mail you what they record.

Customized programs—Add them to the Windows startup folder or configuration files (system.ini, win.ini, autoexec.bat, config.sys, and so on). For UNIX-based systems, you can employ entries in the /etc/rc.d directory.

There are cases when the attacker does not want a backdoor placed in the target system. Usually, this is the case in corporate espionage, in which an attacker gains access to acquire a certain piece of information and leaves. In a situation involving corporate espionage, the attackers know what they want and have no interest in regaining access to the system at a later time. In these types of attacks, the attackers’ main goal is to cover their tracks so no one will ever know what happened.

Where Are Attacks Coming From?

It is clear by now that the bad guys are out there on the Internet using all kinds of tools, from automated scanners to tools that target you specifically. Everyone knows that a public IP address is required to connect to the Internet. These addresses are allocated across the globe, so we should be able to find out where these attacks are coming from, right?

This is true. The security company ISS (http://www.iss.net) runs a Managed Security Service, and from the 5052 security incidents it recorded between April 1, 2003 and June 20, 2003, it developed the graph shown in Figure 1-4, which shows where attacks originated by region.

Figure 1-4. Top Attack Regions from April 1, 2003 to June 20, 2003


Another interesting aside from this report is that, because ISS was managing these security services for its customers, it knows each customer’s business sector. This being said, Figure 1-5 shows the business sectors that these attacks targeted.

Figure 1-5. Attacked Business Sectors


I found this insight into business sectors that were targeted interesting. I guess everyone wonders how the insurance companies come up with rates and decisions!

Another interesting observation is that most attacks originate in the United States—in fact, it is a majority at over 82 percent, is it not? These numbers could be accurate simply because of the high penetration of the Internet in the United States. They could also be misleading because attackers in another country have compromised systems in the United States and are using those systems to attack others. There is probably some occurrence of the latter, but there is no way to know for sure. Isn’t security a challenging area of networking?

This brings up an interesting point about liability—specifically, a term that is just now entering the vocabulary of the lawyers around the world: downstream liability. In a nutshell, if your company does not take steps to protect itself and is used to attack others, it may be liable.

This situation can become a concern for anyone involved in network security, and it will not be long before a lawyer decides to bring this matter to court. When it comes to network security, not all the liability issues have been sorted out from a legal standpoint, although they will be eventually—on that point, I trust lawyers!

Network Security Organizations

This section examines some of the exploits and vulnerabilities that are available to attackers. Prior to that though, it is important to look at where you can go to learn about vulnerabilities that are currently known.

At one time, each vendor or manufacturer was responsible for tracking all the vulnerabilities that affected its products. The result was that different companies would report the same vulnerability under different names, thereby causing some confusion—or perhaps they would not acknowledge the vulnerability until it became public. The network security industry realized that this was not efficient, and it created CVE (Common Vulnerabilities and Exposures). Do not misunderstand; CVE is not a database of vulnerabilities, but a dictionary. The CVE website, found at http://www.cve.mitre.org/, defines its role as follows:

CVE is a list of standardized names for vulnerabilities and other information security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. It is a dictionary, not a database. CVE’s goal is to make it easier to share data across separate vulnerability databases and security tools. Although CVE might make it easier to search for information in other databases, CVE should not be considered as a vulnerability database on its own merit. It is a community-wide effort. CVE’s content is a result of a collaborative effort of the CVE Editorial Board, which includes representatives from numerous security-related organizations like security tool vendors, academic institutions, and government, as well as other prominent security experts. The MITRE Corporation maintains CVE and moderates Editorial Board discussions.

CVE is beginning to gain more acceptance and use as it develops, and I look forward to seeing where it leads. Until then, several databases and checklists are considered essential resources for those who are interested or involved in network security. These organizations offer a variety of white papers, e-mail groups, forums, alerts, best practices, and educational opportunities to further increase your knowledge.

CERT Coordination Center

CERT (http://www.cert.org) defines itself as a center of Internet security expertise. It is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Its information ranges from protecting your system against potential problems, to reacting to current problems, to predicting future problems. CERT’s work involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help you improve security at your site.

SANS

SANS (http://www.sans.org/) defines itself as the trusted leader in information security research, certification, and education. The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. The SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. Many SANS resources, such as news digests, research summaries, security alerts, and award-winning papers, are free to all who ask. Income from printed publications funds university-based research programs. Income from SANS educational programs funds special research projects and the SANS training program.

Center for Internet Security (CIS)

CIS (http://www.cisecurity.com) defines its mission as helping organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, and those of your business partners. CIS is not tied to any proprietary product or service. It manages a consensus process whereby members identify security threats of greatest concern and participate in the development of practical methods to reduce the threats. This consensus process is already in use and has proved viable in creating Internet security benchmarks that are available for widespread adoption.

SCORE

SCORE (http://www.sans.org/score/) defines itself as a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds who work to develop consensus regarding minimum standards and best-practice information. It essentially acts as CIS’s research engine. After consensus is reached and best-practice recommendations are validated, CIS can formalize them as best-practice and minimum-standards benchmarks for general use by industry at large.

SCORE Objectives:

• Promote, develop, and publish security checklists.

• Build these checklists via consensus and through open discussion via SCORE mailing lists.

• Use existing references, recruit GIAC-certified professionals, and enlist subject matter experts where and whenever possible.

Internet Storm Center

Internet Storm Center (http://isc.sans.org/) defines itself as a center that gathers more than 3,000,000 intrusion detection log entries every day. It is rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. Internet Storm Center is a free service to the Internet community. The SANS institute supports the work with tuition paid by students attending SANS security education programs.

ICAT Metabase

ICAT (http://icat.nist.gov/icat.cfm) defines itself as a searchable index of information on computer vulnerabilities. It provides search capability at a fine granularity and links users to vulnerability and patch information.

Security Focus

With over 2.5 million unique users annually, Security Focus (http://www.security-focus.com/) is the largest community of security professionals available anywhere. Demographically, the Security Focus Online community consists of highly educated security professionals who hold technical or corporate management job titles within the security marketplace. The Security Focus Online venue is organized into seven focus areas, or channels: Home, The Basics, Microsoft, UNIX, IDS, Vulnerabilities, and Incidents; together these channels generate over seven million page views monthly. They are packed with compelling, late-breaking content featuring News, Columnists, InFocus articles, Vulnerabilities, Advisories, Events, Library, and much more. Security Focus Online is the security professional’s morning “newspaper” worldwide.

Learning from the Network Security Organizations

These organizations did not exist five years ago, and the increase in threats across the Internet from attackers of all types has supported their birth and growth. You should explore each website because there is a wealth of information that takes you beyond what is presented here. The following section reviews some of the ways vulnerabilities and exploits are used in attacks.

One of the useful things that manufacturers are doing these days is setting methods for users and white hat hackers (good guys) to report security issues with their products. For example, Cisco has provided this information to you online:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_advisory09186a00800b13d6.shtml#ContactPSIRT

Overview of Common Attacks and Exploits

This section reviews some of the more commonly used attacks and exploits that are available to attackers. It should by no means be considered complete because new attacks are being discovered at an alarming rate every day. For a more complete list or more information on the exploits listed here, refer to any of the organizations presented in the previous section:

Denial of Service (DoS)—A denial of service attack attempts to force the target into a failure condition, thereby denying its services to others. There are several ways in which a failure condition can be induced, such as flooding the target with attempts to connect.

Distributed Denial of Service (DDoS)—This type of attack uses a collection of unknowing accomplices to attack a target from multiple locations at once. See http://grc.com/dos/grcdos.htm for a good example of this type of attack.

SYN flood attack—A SYN flood attack occurs when a network becomes so overwhelmed by SYN packets initiating incomplete connection requests that it can no longer process legitimate connection requests (thereby causing high CPU, memory, and NIC usage) and resulting in a DoS.

UDP flood attack—Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. Flooding port 53 (DNS) is the hallmark modus operandi of this kind of attack.

Port scan attack—Port scan attacks occur when packets are sent with different port numbers with the purpose of scanning the available services, in hopes that one port will respond.

Ping of death—The TCP/IP specification sets a maximum packet size for datagram transmission. Many ping implementations allow the user to specify a larger packet size, if desired. A grossly oversized ICMP packet can trigger a range of adverse system reactions, such as DoS, crashing, freezing, and rebooting.

IP spoofing—Spoofing attacks occur when an attacker attempts to bypass the firewall security by imitating a valid client IP address, e-mail address, or user ID. This becomes important when an attacker decides to exploit trust relationships that exist between computers. Usually, administrators set up trust relationships between multiple computers; one of the side benefits to this is a single login for all.

Land Attack—Combining a SYN attack with IP spoofing, a land attack occurs when an attacker sends spoofed SYN packets that contain the victim’s IP address as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, thereby creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, resulting in a DoS condition on the target system.

Teardrop attack—Teardrop attacks exploit the reassembly of fragmented IP packets. One of the fields in the IP header is the fragment offset. When the sum of the offset and size of one fragment is inconsistent with the offset of the next fragment, the fragments overlap, and the server attempting to reassemble the packet can crash.

Ping scan—Similar to a port scan attack, a ping scan attack occurs when an attacker sends ICMP echo requests (or pings) to different destination addresses in hopes that one will reply and, therefore, uncover a potential target’s IP address.

Java/ActiveX/ZIP/EXE—Malicious Java or ActiveX components can be hidden in web pages. When downloaded, these applets install a Trojan horse on your computer. Similarly, Trojan horses can be hidden in compressed files such as .zip, .gzip, and .tar, and in executable (.exe) files. Enabling the corresponding blocking feature on a firewall strips all embedded Java and ActiveX applets from web pages and removes attached .zip, .gzip, .tar, and .exe files from e-mail.

WinNuke attack—WinNuke is a hacker application whose sole intent is to cause any computer on the Internet that is running Windows to crash. WinNuke sends out-of-band (OOB) data—usually to NetBIOS port 139—to a host with an established connection and introduces a NetBIOS fragment overlap that causes many machines to crash. This is yet another reason that NetBIOS should not be allowed into or out of a network.

Smurf—The little blue folks are not coming back to make your day; rather, ping (ICMP) is being used to target devices via an intermediate device, thus hiding the attacks from the true source. You can read more about Smurf attacks at http://www.cert.org/advisories/CA-1998-01.html.

Brute Force—In a brute force attack, an attacker tries to guess passwords through techniques such as repeatedly trying to log in to an account by using a dictionary of potential passwords.

Source Routing—Source routing is an option in an IP packet’s header that defines how the packet is routed. When this option is set, the rules on many firewalls are bypassed, thereby allowing access to your network. For example, the IP header can carry routing information that specifies a different path than the one implied by the header’s source address, causing the packets to be routed in a different direction. Following are several other IP options that control the routing of packets:

Record route—An attacker sends packets where the IP option is 7 (Record Route). This option is used to record the route of a packet. A recorded route is composed of a series of Internet addresses that an outsider can analyze to learn details about your network’s addressing scheme and topology.

Loose source route—An attacker sends packets where the IP option is 3 (Loose Source Routing). This option provides a means for the source of a packet to supply routing information for the gateways to use to forward the packet to the destination. This option is a loose source route because the gateway or host IP is allowed to use any route of any number of other intermediate gateways to reach the next address in the route.

Strict source route—An attacker sends packets where the IP option is 9 (Strict Source Routing). This option provides a means for a packet’s source to supply routing information for the gateways to use to forward the packet to the destination. This option is a strict source route because the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route.

ICMP flood—An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. Several different types of ICMP messages exist, each with its own purpose, and attackers can use them:

ICMP Echo Reply—(Type 0, Echo Reply) A response to a ping. Many firewalls allow ping responses in so that internal people can reach external resources. Therefore, they are an effective flooding technique.

ICMP Host Unreachable—(Type 3, Destination Unreachable) An error message from a host or router indicating that a packet you sent did not reach its destination.

ICMP Source Quench—(Type 4, Source Quench) A response indicating congestion on the Internet. Someone might be trying to flood your network with these packets in an attempt to convince your machines to slow down data transmission.

ICMP Redirect—(Type 5, Redirect) A message advising the recipient to redirect traffic—for example, to send traffic for network X directly to gateway G2 because this is a shorter path to the destination. Someone might be trying to redirect your default router. This could be a hacker trying to execute a man-in-the-middle attack against you by causing you to route through his own machine.

ICMP Echo Request—(Type 8, Echo Request) These are the commonly used ping request packets. They might indicate the hostile intent of someone trying to scan your computer, but they might also be part of normal network functionality.

ICMP Time Exceeded for a Datagram—(Type 11, Time Exceeded in Transit) A message indicating that a packet never reached its target because something timed out.

ICMP Parameter Problem on Datagram—(Type 12, Parameter Problem on Datagram) A message advising that something unusual is going on; this probably indicates an attack.

Large ICMP Packet—An ICMP packet with a length greater than 1024 can cause trouble for some devices because ICMP packets are not normally this size.

Sniffing packets—The use of a sniffer is a passive attack that places a network interface card into a special mode: promiscuous. Do not be fooled into thinking that there is no danger because it is a passive attack. In fact, for an attacker to get a sniffer onto your LAN, serious security issues have already occurred. Now that the attacker can see most of the packets on your LAN with a sniffer, there is a definite threat.

This is simply a short list of the thousands of vulnerabilities that are known today. Now imagine the effectiveness of a coordinated attack using some of these vulnerabilities. That puts things in a different perspective, doesn’t it?
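As an added example (not from the book), the following Python code parses raw ICMP messages, verifies the checksum, and flags the cases from the list above: an oversized ICMP packet, a Redirect (recording the proposed gateway), a Source Quench, and a Parameter Problem. The type values, the 1024-byte threshold, and the sample packets are taken from or constructed for this list; the function names are this example's own.

```python
import socket
import struct

# ICMP types from the list above (RFC 792 Type values, which the book calls "Code").
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
              12: "Parameter Problem"}
LARGE_ICMP = 1024  # the book's threshold for an oversized ICMP packet

def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 1071); 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes = b"") -> bytes:
    """Assemble a constructed ICMP message with a correct checksum (sample input)."""
    draft = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(draft)) + body

def classify_icmp(packet: bytes) -> dict:
    """Parse one ICMP message and record what a monitor should flag about it."""
    if len(packet) < 4:
        return {"type": None, "name": "truncated", "length": len(packet), "flags": ["truncated"]}
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    info = {"type": icmp_type, "code": code, "length": len(packet),
            "name": ICMP_TYPES.get(icmp_type, "other"), "flags": []}
    if icmp_checksum(packet) != 0:
        info["flags"].append("bad checksum")
    if len(packet) > LARGE_ICMP:
        info["flags"].append("large ICMP packet")
    if icmp_type == 5 and len(packet) >= 8:
        # A Redirect carries the proposed gateway in bytes 4-8; log it so an unexpected one stands out.
        info["gateway"] = socket.inet_ntoa(packet[4:8])
        info["flags"].append("redirect to %s: verify before accepting" % info["gateway"])
    elif icmp_type == 4:
        info["flags"].append("source quench: possible slowdown attempt")
    elif icmp_type == 12:
        info["flags"].append("parameter problem: unusual, investigate")
    return info

def scan(packets) -> list:
    """Return the classification of every packet that raised at least one flag."""
    return [r for r in map(classify_icmp, packets) if r["flags"]]

# Constructed sample traffic: a normal ping, an oversized reply, a redirect.
SAMPLE_PACKETS = [build_icmp(8, 0, b"ping"),
                  build_icmp(0, 0, b"A" * 1100),
                  build_icmp(5, 1, bytes([10, 0, 0, 99]) + b"\x00" * 28)]
```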

Chapter Summary

This chapter examined the ways an attacker selects his targets, as those of opportunity or those of choice. Ultimately, you learned that everyone is a target, and the true differentiator comes when attackers either stumble across a target that is unprotected or in which there is perhaps a deeper and more malicious intent in the attacker’s selection.

After attackers determine that you are a target, they employ six common steps, which form the components of the attack whose goal is the ultimate compromise of a system.

This chapter also discussed online places to learn more about network security. These places were the “good guys,” and it is important to point them out because most locations on the Internet are the bad guys; be careful visiting these websites! Instead, read the last part of this chapter, where a few of the attacks and possible exploits were discussed. The following chapter discusses the next step in understanding network security—security policies, which are the first step in protection.

Chapter Review

Each chapter concludes with a “Chapter Review Section.” In a question-and-answer format, the “Chapter Review Section” tests the basic ideas and concepts covered in each chapter. In tandem with the “Chapter Objectives” and “Chapter Summaries,” the “Chapter Review Section” builds upon and reinforces key ideas and concepts. Each “Chapter Review Section” is composed of a series of topical questions, and the answers are included in Appendix A, “Answers to Chapter Review Questions,” at the back of this book.

1. What is a target of opportunity?

2. What is a target of choice?

3. What is the purpose of footprinting?

4. Which of the following are ways by which an attacker can gain access?

a. Operating system attacks

b. Application attacks

c. Misconfiguration attacks

d. Script attacks

e. All of the above

5. List four of the network security organizations.

6. Briefly explain why it is important for an attacker to cover his tracks.

7. Social engineering can be damaging without an overt attack ever happening. Explain why.

8. What kind of information might be found if an attacker dumpster dives at your place of work?

9. DNS information gained through WHOIS is used for what kind of reconnaissance?

10. What two free reconnaissance tools are available with most versions of the Windows operating system?
