What Do Intruders Want?

As the preceding section mentioned, network attackers approach their craft from a number of motivations. Their motives differ, but nearly all of them aim to gain control of a computer system or network, so many of their intermediate steps are the same.

The computer attack and infiltration process is organized around the following steps:

  1. Get access to the system.

  2. Get privileges.

  3. Get comfortable.

  4. Get ready for the next attack.

It is also worth noting that, for coordinated and well-organized attacks on computer networks, a separate reconnaissance phase often precedes these steps.

Attackers have several methods for gaining entry and getting comfortable, and, although it isn’t possible to describe them all, it is possible to classify these techniques into three basic categories:

  • Credential attacks— These attacks focus on obtaining credentials so that the intruder can log in to the system normally. Nothing has to be broken: the system admits the intruder as a legitimate user, so the attack effectively succeeds before any security mechanism is engaged. A variation of this technique is privilege escalation, in which the attacker gains low-level access and then works to attain higher privilege levels.

  • Network-level attacks— The attacker slips in by finding an open port, unsecured service, or gap in the firewall. Other network-level attack techniques exploit nuances of the TCP/IP protocol system to gain information or reroute connections.

  • Application-level attacks— The attacker exploits known flaws in the program code of an application running on the system, such as a web server, tricking the application into executing arbitrary commands or otherwise behaving in a way the programmer never intended.

A full-scale network intrusion often uses a combination of these attack techniques. In a typical scenario, an attacker might use an application-level attack for the initial breach, then escalate privileges to administrator-level status, and then open a hidden back door for unlimited access to the system.

Another powerful attack technique that doesn’t result in system access but is, nevertheless, damaging and disruptive is the so-called denial-of-service attack, in which the attacker causes a crash or system overload, so the system can’t function normally. You learn more about denial-of-service attacks later in this hour.

By the Way

A full-scale attack on a corporate network begins with a broad sweep to determine as much information as possible about the company. This process is sometimes called footprinting. Some of this information can be collected over the Web: company locations, email addresses, and affiliations, as well as links to other websites. The intruder attempts to obtain any and all domain names used by the company. The domain names are then used to query DNS servers for company IP addresses.


Credential Attacks

The classic way to gain access to a computer system is to find out the password and log in. An intruder who gains interactive entry to a system can employ other techniques to build system privileges. Therefore, finding a password—any password—is often the first step in cracking a network. Methods for getting passwords range from high-tech (dictionary scripts and password-hash cracking programs) to extremely low-tech (digging around in trash cans and peeking in users’ desk drawers). Some common password attack methods include

  • Looking outside the box

  • Trojan horses

  • Guessing

  • Intercepting

The following sections discuss these methods for clandestinely obtaining users’ passwords.

Looking Outside the Box

No matter how secure your system is, your network won’t be safe unless users protect their passwords. A major source of password compromise is the inattentiveness of users. The earliest intruders often obtained passwords by looking for clues in discarded computer printouts. Since that time, operating system vendors thankfully have become more sophisticated about protecting password information. However, a significant percentage of password-compromise cases still results from discovery away from the network entirely. Users tell their passwords to other users or write down their passwords in some easily accessible place. The physical security of a workplace is often far less rigid than network security. Janitorial staff, disgruntled coworkers, or even unauthorized outsiders are often free to slip into the office unsupervised and look for password clues. When a worker quits or is dismissed, the worker’s account is deactivated, but what about other accounts whose owners shared their passwords with the former employee? Those passwords need to change too.

Some experienced intruders are skilled at getting users to reveal their passwords or getting network admins to tell them passwords. They’ll call the help desk, act a little lost, and say, “Uhh, I forgot my password.” This sounds silly, but it saves the intruder a lot of effort, and it is often the first thing tried. Every organization should instruct computer professionals never to reveal or reset a password for a caller without first verifying that the request is legitimate, for example by calling the user back at a number already on record rather than one the caller supplies.

As you learn later in this hour, the ultimate goal of the intruder is to achieve administrative-level privileges. Every password should be protected, because any access can often lead to administrative access, but it is especially important to protect administrative accounts from compromise. The administrative username is another line of defense that should also be protected. Most computer systems come with a well-documented default administrative account (root on Unix-like systems, Administrator on Windows), so an intruder who knows the operating system already knows that username and has a head start in gaining administrative privileges. Experts therefore recommend renaming the administrative account, with one caveat: renaming raises the bar only slightly, because the account remains identifiable by its fixed identifier (user ID 0 on Unix-like systems, relative ID 500 on Windows). Treat the rename as a supplement to the controls that matter more: refuse direct remote login to the administrative account, have administrators log in as themselves and elevate, and log every use of the account.

Trojan Horses

A common tool of computer intruders is the so-called Trojan horse. In general, a Trojan horse is a computer program that purports to do one thing but actually takes other unseen and malicious actions behind the scenes. One early form of the Trojan horse was a fake login screen. The screen looks just like the login screen used for the system, but when the user attempts to log in, the username and password are captured and stored in some secret location accessible to the intruder (see Figure 22.1).

Figure 22.1. Stealing passwords with a Trojan horse login program.


As you might guess, this technique for stealing passwords is designed for a public setting such as a computer lab in which multiple users share a common set of terminals or workstations. Operating systems have since become better at preventing or detecting this form of password capture. The Ctrl+Alt+Del secure attention sequence on Windows exists for exactly this reason: only the operating system can respond to it, so a fake login program cannot sit in front of the real one.

By the Way

Not all Trojan horses capture passwords, and not all password Trojans are as blatant as the example described in this section. Many other types of Trojan horse programs are available on the Internet. Some take the form of games or false system utilities. Many of these Trojan horse programs are distributed as freeware or shareware over the Internet. The best defense against this kind of attack is to be careful what you download. Before you download and install a free utility, read the project documentation, search the Internet for any security warnings, and, where the publisher provides one, verify the download’s checksum or signature. Or, to paraphrase the warning that went unheeded when the original Trojan horse appeared at the gates of Troy, “Beware of geeks bearing gifts.”


Guessing

Some passwords are so simple or poorly formed that they can easily be guessed by the intruder. You would be surprised how many users use a password that is the same as their username. Some users use a street name, a maiden name, or the name of a child for a password, and some use easily guessable character combinations, such as 123456, abcde, or zzzzzz.

An intruder who knows a little about the user can often guess the bad passwords that user is likely to choose. In fact, the intruder no longer has to guess by hand, because tools automate the process. The tools try a list of obvious character combinations, then every word and name in a dictionary, often with common variations appended (a digit, a year, an exclamation point). This can take thousands or millions of attempts, but computers guess quickly. The limiting factor is where the guessing happens: guesses sent to a live login prompt can be throttled or stopped by an account lockout, whereas guesses checked against a stolen copy of the password file run as fast as the attacker’s hardware allows.

Intercepting

Packet sniffers and other tools that monitor network traffic can easily capture passwords transmitted over the network in clear text (unencrypted) form. Many classic TCP/IP utilities, such as Telnet, FTP, and the r* utilities, as well as SNMP versions 1 and 2c (see Hour 15, “Monitoring and Remote Access”), were designed to transmit passwords or community strings in clear text. Later replacements encrypt the credential or the entire session: SSH in place of Telnet and the r* utilities, and SNMPv3 with authentication and privacy enabled (see Hour 23, “TCP/IP Security”). In their basic form, however, these clear text protocols are hopelessly ill-suited for an open and hostile environment such as the Internet.

By the Way

Even in a closed environment such as a corporate network, clear text passwords are not really safe. Some experts estimate that one corporate employee in a hundred is actively engaged in trying to thwart network security. One percent is a small fraction, but when you consider a network with 1,000 users, that one percent amounts to 10 users who would love to get their hands on someone else’s clear text password.


Systems do not store passwords in clear text either; they store a one-way hash of each password (older texts call this encryption, but a hash cannot be reversed, only matched). Hashing is much better than storing clear text, but it has limits: tools such as LC5 (L0phtCrack) and John the Ripper take a captured hash and try dictionary words and brute-force combinations until one hashes to the same value, which amounts to recovering the password. A weak password falls in seconds no matter which hash protects it.

Attackers on the Internet can intercept packets that carry password hashes or challenge-response exchanges and run the same cracking tools offline against them. Encrypted channel technologies, such as SSL/TLS and IPsec (see Hour 23), raise the bar considerably for intruders who want to eavesdrop on TCP/IP traffic to obtain passwords, because the eavesdropper sees only ciphertext.
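The clear text capture described at the start of this section amounts to very little work for the sniffer, which is the point. The following example, added here and not code from the original text, parses a raw IPv4 packet down to its TCP payload and pulls out an FTP-style "PASS" line. The packet bytes, addresses, and password are constructed for the example; a real sniffer would feed it frames from the wire. Every length field is checked against the bytes actually captured, so a truncated packet is refused rather than read past its end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR 20
#define TCP_MIN_HDR  20

/* Locate the TCP payload inside an IPv4 packet of len bytes. Returns NULL if
   the packet is not IPv4/TCP or any header claims more than was captured. */
const uint8_t *tcp_payload(const uint8_t *pkt, size_t len,
                           size_t *plen, uint16_t *dport)
{
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* header length in bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];        /* total length field */
    if (ihl < IPV4_MIN_HDR || total < ihl || total > len) return NULL;
    if (pkt[9] != 6) return NULL;                         /* protocol 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t tlen = total - ihl;
    if (tlen < TCP_MIN_HDR) return NULL;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;             /* TCP data offset */
    if (doff < TCP_MIN_HDR || doff > tlen) return NULL;
    *dport = (uint16_t)(((uint16_t)tcp[2] << 8) | tcp[3]);
    *plen = tlen - doff;
    return tcp + doff;
}

/* Copy the argument of a "PASS " line (at payload start or after a newline)
   into out. Returns 1 if one was found, 0 otherwise. */
int extract_pass(const uint8_t *payload, size_t plen, char *out, size_t outsz)
{
    static const char tag[] = "PASS ";
    size_t taglen = sizeof tag - 1;
    for (size_t i = 0; i + taglen <= plen; i++) {
        if ((i == 0 || payload[i - 1] == '\n') && memcmp(payload + i, tag, taglen) == 0) {
            size_t j = i + taglen, n = 0;
            while (j < plen && payload[j] != '\r' && payload[j] != '\n' && n + 1 < outsz)
                out[n++] = (char)payload[j++];
            out[n] = '\0';
            return 1;
        }
    }
    if (outsz) out[0] = '\0';
    return 0;
}

/* Constructed sample: 192.168.1.10 -> 192.168.1.20:21, FTP login in the clear.
   Checksums are left zero because this example does not verify them. */
static size_t build_sample_packet(uint8_t *buf, size_t bufsz)
{
    static const uint8_t ip_hdr[20] = {
        0x45, 0x00, 0x00, 0x41,   /* v4, IHL 5 words, TOS, total length 65 */
        0x12, 0x34, 0x00, 0x00,   /* id, flags/fragment offset */
        0x40, 0x06, 0x00, 0x00,   /* TTL 64, protocol 6 (TCP), checksum */
        0xc0, 0xa8, 0x01, 0x0a,   /* src 192.168.1.10 */
        0xc0, 0xa8, 0x01, 0x14    /* dst 192.168.1.20 */
    };
    static const uint8_t tcp_hdr[20] = {
        0xc0, 0x00, 0x00, 0x15,   /* src port 49152, dst port 21 (FTP) */
        0x00, 0x00, 0x00, 0x01,   /* sequence number */
        0x00, 0x00, 0x00, 0x01,   /* acknowledgment number */
        0x50, 0x18, 0xff, 0xff,   /* data offset 5 words, flags PSH|ACK, window */
        0x00, 0x00, 0x00, 0x00    /* checksum, urgent pointer */
    };
    static const char payload[] = "USER alice\r\nPASS s3cret\r\n";
    size_t plen = sizeof payload - 1;
    size_t total = sizeof ip_hdr + sizeof tcp_hdr + plen;
    if (bufsz < total) return 0;
    memcpy(buf, ip_hdr, sizeof ip_hdr);
    memcpy(buf + sizeof ip_hdr, tcp_hdr, sizeof tcp_hdr);
    memcpy(buf + sizeof ip_hdr + sizeof tcp_hdr, payload, plen);
    return total;
}

/* Parse the sample packet and return the captured password, or NULL. */
const char *sniffed_password(void)
{
    static char secret[64];
    uint8_t pkt[128];
    size_t len = build_sample_packet(pkt, sizeof pkt);
    size_t plen;
    uint16_t dport;
    const uint8_t *data = tcp_payload(pkt, len, &plen, &dport);
    if (!data || dport != 21) return NULL;
    return extract_pass(data, plen, secret, sizeof secret) ? secret : NULL;
}

/* A capture cut short (snaplen, corrupted frame) must be rejected, not parsed. */
int truncated_packet_rejected(void)
{
    uint8_t pkt[128];
    size_t len = build_sample_packet(pkt, sizeof pkt);
    size_t plen;
    uint16_t dport;
    return len == 65 && tcp_payload(pkt, 30, &plen, &dport) == NULL;
}

int main(void)
{
    const char *p = sniffed_password();
    printf("captured FTP password: %s\n", p ? p : "(none)");
    return 0;
}
```

Swap the FTP login for an SSH session captured the same way and `extract_pass` finds nothing, because the payload is ciphertext; that is the whole difference between the two columns of the table in Hour 23.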

An attacker who has gained initial access to the system has a variety of options for intercepting or discovering other system passwords (including administrative passwords). Some tools allow the intruder to capture and log the keystrokes of a user typing a password at the keyboard. The attacker also might obtain access to an encrypted system file with password information and analyze the file offline using standard password attack techniques to uncover passwords.

What to Do About Credential Attacks

The best defense against credential attacks is eternal vigilance. Networks have employed a number of strategies for reducing the incidence of password compromise. A few of the more obvious guidelines are as follows:

  1. Provide a good, clear password policy for the users in your organization. Warn them about the danger of telling their password to other users, writing their password down on a sticky note by their desk, or even storing their password in a file.

  2. Configure all computer systems to enforce the policy rather than merely recommend it. Set a minimum length for passwords (8 characters is a floor; longer passphrases are better). Reject any standard word, phrase, or name, including the name of a dog or child, and the username itself. Require a combination of letters and numbers and at least one nonalphanumeric character that is not the first or last character. Forced changes at a fixed interval were long standard advice, but they tend to produce predictable variations (password1, password2), so current guidance (NIST SP 800-63B) favors changing a password when it may have been compromised. To blunt password-guessing attacks, configure the system to lock the account, or at least slow its responses, after a predefined number of failed logon attempts.

  3. Make sure that passwords are never transmitted over public lines in clear text form. If possible, it is better not to transmit clear text passwords on your internal network either, especially on large networks.
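The rules in guideline 2 and the automated guessing described under Guessing can both be shown in a few dozen lines. The example below is added here and is not code from the original text: a checker for the policy as listed, and a simulated guesser run against a login routine with and without an account lockout. The wordlist, the account, and its password are constructed for the example; a real guessing tool carries a far larger dictionary and many more mangling rules.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 8

/* Tiny stand-in for the dictionary a real guessing tool would carry. */
static const char *dictionary[] = {
    "password", "letmein", "alice", "rover", "summer", "123456"
};
#define NDICT (sizeof dictionary / sizeof dictionary[0])

/* Is pw a dictionary word, ignoring case and a trailing run of digits?
   ("Rover123" still counts as "rover".) */
static int in_dictionary(const char *pw)
{
    char low[128];
    size_t n = strlen(pw);
    if (n >= sizeof low) return 0;
    for (size_t i = 0; i < n; i++)
        low[i] = (char)tolower((unsigned char)pw[i]);
    low[n] = '\0';
    while (n > 0 && isdigit((unsigned char)low[n - 1]))
        low[--n] = '\0';
    for (size_t i = 0; i < NDICT; i++)
        if (strcmp(low, dictionary[i]) == 0) return 1;
    return 0;
}

/* Returns NULL when pw satisfies the policy, otherwise the rule it breaks. */
const char *password_policy_violation(const char *pw, const char *username)
{
    size_t n = strlen(pw);
    int has_alpha = 0, has_digit = 0, has_symbol_inside = 0;
    if (n < MIN_LEN) return "too short";
    if (strcmp(pw, username) == 0) return "same as username";
    if (in_dictionary(pw)) return "dictionary word";
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isalpha(c)) has_alpha = 1;
        else if (isdigit(c)) has_digit = 1;
        else if (i != 0 && i != n - 1) has_symbol_inside = 1;   /* symbol, not at either end */
    }
    if (!has_alpha || !has_digit) return "needs both letters and digits";
    if (!has_symbol_inside) return "needs a non-alphanumeric character that is not first or last";
    return NULL;
}

typedef struct {
    const char *name;
    const char *password;   /* kept in the clear only because this is a simulation */
    int failures;
    int locked;
} account_t;

/* One login attempt. max_failures == 0 means the system has no lockout. */
int login_attempt(account_t *acct, const char *guess, int max_failures)
{
    if (acct->locked) return 0;
    if (strcmp(acct->password, guess) == 0) { acct->failures = 0; return 1; }
    if (max_failures > 0 && ++acct->failures >= max_failures) acct->locked = 1;
    return 0;
}

/* Automated guesser: every dictionary word with a few common mangles.
   Returns how many guesses it got to send; *found is 1 if one worked. */
int run_guesser(account_t *acct, int max_failures, int *found)
{
    static const char *suffixes[] = { "", "1", "123", "!" };
    char guess[160];
    int tries = 0;
    *found = 0;
    for (size_t i = 0; i < NDICT; i++) {
        for (size_t s = 0; s < sizeof suffixes / sizeof suffixes[0]; s++) {
            snprintf(guess, sizeof guess, "%s%s", dictionary[i], suffixes[s]);
            tries++;
            if (login_attempt(acct, guess, max_failures)) { *found = 1; return tries; }
            if (acct->locked) return tries;
        }
    }
    return tries;
}

/* Attack a constructed account whose password breaks the policy. Returns the
   guess count on success, or minus the count if the guesser was locked out. */
int demo_attack(int max_failures)
{
    account_t alice = { "alice", "rover1", 0, 0 };
    int found;
    int tries = run_guesser(&alice, max_failures, &found);
    return found ? tries : -tries;
}

int main(void)
{
    printf("policy says \"rover1\" is: %s\n", password_policy_violation("rover1", "alice"));
    printf("no lockout: cracked after %d guesses\n", demo_attack(0));
    printf("lockout at 5: guesser stopped after %d guesses\n", -demo_attack(5));
    return 0;
}
```

Without a lockout the guesser reaches "rover1" on its 14th try; with a lockout after five failures it never gets past the first two dictionary words. The lockout protects only the live login prompt, which is why guideline 3 and the hash-storage discussion above matter just as much: a stolen password file can be attacked with no lockout at all.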

Some systems reduce the number of passwords each user must remember. Microsoft networks feature a password cache and a unified network logon through the domain security system. Unix systems offer single sign-on systems such as Kerberos authentication (see Hour 23). These methods are useful for controlling password proliferation in some environments. The downside of unified logon is that an intruder who gets one password has unlocked all of the user’s resources, which is why those credentials deserve the strongest protection on the network.

See Hour 23 for more on protecting passwords through encryption.

Network-Level Attacks

As you learned in Hour 6, “The Transport Layer,” access to network applications is managed through logical channels known as ports operating at the Transport layer of the TCP/IP stack. Attackers often gain access to a system by finding an open port that leads to a network service listening for network connections. In some cases, the service might be running by default without the owner of the system even knowing it. Other times, the service might be misconfigured, or it might allow access through a default or anonymous user account.

Scanning tools automate the search for open ports and exposed services: Nmap probes for open ports and identifies the service and version behind each, and Nessus goes a step further and checks those services against a database of known vulnerabilities. These scanners are used by both intruders (looking for gaps so they can gain access) and IT professionals (looking for gaps so they can plug them and prevent access). Other more specialized tools search out gaps in specific network protocols and services. In many cases, the mere existence of an open port isn’t enough to get the intruder in, but it provides an opportunity for the attacker to launch an application-level attack to exploit a known vulnerability of the service listening on the port.

Scanners are literally running constantly on the Internet, continually traversing the full range of IP addresses in search of open ports and unprotected services. As you learned in Hour 10, an important function of a firewall is to lock down access to prevent network scanners from learning information about services operating on the network.

Other network-level attack strategies intercept and subvert TCP/IP traffic itself. Session hijacking, for instance, exploits the fact that TCP accepts a segment as part of a connection on nothing more than its addresses, ports, and sequence numbers. As you learned in Hour 6, the TCP protocol establishes a session between network hosts. An intruder who can eavesdrop on that session learns those values and can insert packets into the stream that the receiver treats as part of the session. The intruder can use this technique to slip commands into the security context of the original login, after the real user has already authenticated. One common use of session hijacking is to get the system to reveal or change a password.

Of course, an attacker does not manually compose spoofed TCP segments on-the-fly. Session hijacking requires special tools. One famous tool used for session hijacking is a freeware application called Juggernaut. Juggernaut listens on a local network segment, maintaining a database of TCP connections. An intruder can monitor TCP traffic to play back the connection history or hijack an active session by injecting arbitrary commands. The prerequisite is that the intruder can see the traffic, which is why the technique works best from a compromised host on the same segment as the victim. As you learn in Hour 23, the best defense against session hijacking and other protocol-based techniques is to secure the session using a VPN or some other form of encrypted communication, so that injected data is detected and rejected rather than executed.

Application-Level Attacks

You might expect that, if the software is configured properly and you can keep the passwords out of enemy hands, you won’t have any problem with Internet intruders. Unfortunately, the real situation is a bit more complicated. Many programs running on the Internet today were written years ago, before the art of intrusion had even evolved, and they contain some program code that is intrinsically insecure. Even programs written today are too often written in way too much of a hurry—by programmers with vastly varying reserves of training and expertise. Intruders have developed a number of techniques for exploiting insecure program code to breach system security.

One popular example of an application-level attack technique is buffer overflow. When a computer receives data over a network connection (or for that matter, even when it receives data from a keyboard), the computer must reserve enough memory space to receive the complete data set. This reception space is called a buffer. If user input overflows the buffer, strange things happen. If the input is not properly managed, the excess bytes overwrite whatever sits next to the buffer in memory. When the buffer lives on the stack, that includes the saved return address of the function, so the attacker can supply an address of their own choosing and, when the function returns, the CPU begins executing code the attacker placed inside the input (see Figure 22.2). The injected commands execute with the privileges of the application that received the data, which is why overflows in services that run as root or SYSTEM are so prized.

Figure 22.2. A buffer overflow attack overflows the memory space reserved for program input, causing the program to crash, behave strangely, or execute arbitrary code.


To avoid buffer overflow problems, applications must check the size of incoming data against the space reserved before copying it into an application buffer. The solution is largely a matter of good programming practice: bounded copies instead of unbounded ones, and length fields arriving from the network treated as untrusted claims to be verified. Compiler and operating system mitigations (stack canaries, non-executable stacks, address space layout randomization) make a given overflow harder to exploit but do not remove the bug.
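The check described above is easiest to see in C, where the unbounded copy and the bounded one sit side by side. The example below is added here and is not code from the original text. It shows the classic unchecked `strcpy` next to a version that measures first, and then applies the same discipline to a length-prefixed network message whose length byte is under the sender's control. The message bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 16

/* VULNERABLE: strcpy stops only at the NUL terminator, so a name of BUFSZ or
   more bytes runs past buf into whatever sits next to it on the stack (saved
   frame pointer, return address). Shown for contrast; nothing below calls it
   with untrusted input. */
void greet_unsafe(const char *name)
{
    char buf[BUFSZ];
    strcpy(buf, name);
    printf("hello %s\n", buf);
}

/* FIXED: measure first, then copy only what fits (terminator included).
   Returns 0 on success, -1 if the input was refused. Truncating instead of
   refusing would also be memory safe, but silently altering input has caused
   its own bugs, so refusing is the safer default. */
int greet_safe(const char *name)
{
    char buf[BUFSZ];
    size_t n = strlen(name);
    if (n >= BUFSZ) return -1;
    memcpy(buf, name, n + 1);
    printf("hello %s\n", buf);
    return 0;
}

/* A length-prefixed message: wire[0] claims how many payload bytes follow. A
   naive receiver does memcpy(dst, wire + 1, wire[0]) and trusts the claim.
   This one checks it against the bytes actually received and against dst.
   Returns the payload length copied, or -1 if the message was refused. */
int read_message(const uint8_t *wire, size_t wire_len, uint8_t *dst, size_t dst_len)
{
    if (wire_len < 1) return -1;
    size_t claimed = wire[0];
    if (claimed > wire_len - 1) return -1;   /* claims more than arrived */
    if (claimed > dst_len) return -1;        /* would overflow dst */
    memcpy(dst, wire + 1, claimed);
    return (int)claimed;
}

/* An oversized name, as an attacker would send it: the safe path refuses it. */
int safe_path_refuses_long_name(void)
{
    char big[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return greet_safe(big) == -1;
}

/* Three constructed messages: a good one, one whose length byte lies about
   how much data arrived, and one whose honest length exceeds the buffer. */
int message_checks_hold(void)
{
    uint8_t dst[BUFSZ];
    static const uint8_t good[] = { 0x05, 'h', 'e', 'l', 'l', 'o' };
    static const uint8_t liar[] = { 0x40, 'x' };
    static uint8_t big[1 + 32];
    big[0] = 32;
    memset(big + 1, 'B', 32);
    return read_message(good, sizeof good, dst, sizeof dst) == 5
        && read_message(liar, sizeof liar, dst, sizeof dst) == -1
        && read_message(big,  sizeof big,  dst, sizeof dst) == -1;
}

int main(void)
{
    greet_unsafe("bob");   /* harmless only because the input is short */
    printf("long name refused: %d\n", safe_path_refuses_long_name());
    printf("message checks hold: %d\n", message_checks_hold());
    return 0;
}
```

The two `read_message` checks are independent and both are needed: the first stops a read past the end of what was received, the second stops a write past the end of the destination. Real vulnerabilities have come from code that had one check and not the other.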

Some popular and famous network applications have buffer overflow vulnerabilities. Many of these exploits are well known around the Internet, so intruders know exactly how and where to launch an attack. The Unix-based email server Sendmail is a common target for buffer overflow attacks. Microsoft’s Internet Information Server (IIS) and other Microsoft products have also been victim to buffer overflow attacks in recent years. When a vendor discovers a possible buffer overflow vulnerability, the vendor often releases a patch that fixes the problem. Because of the huge public relations problems caused by public notice of a buffer overflow vulnerability, vendors have become vigilant about quickly repairing their software when an exploit is discovered. It is not surprising for a vendor to publish a patch within days or even hours of when a security problem is discovered. And good system administrators pay close attention to security alerts from organizations such as the Common Vulnerabilities and Exposures project (http://cve.mitre.org) so that they’ll know when and where to obtain the latest patches for their systems. Organizations such as SANS (http://www.sans.org) also provide email newsletters with information on recent security threats.

Part of the solution to problems like buffer overflow is good programming—not just in vendor-based software but also in the homegrown scripts created by web developers and IT staff. Another part of the solution is to keep your system up to date by installing all patches and updates. Some operating systems let you limit the privileges available to the remote user who is attempting to exploit a buffer overflow. If possible, don’t let network applications run with root or administrative privileges. (In some cases, you might not have a choice.) For applications that require a high privilege level to function, confinement mechanisms such as the Unix/Linux chroot can present the application with a limited view of the file system, so an intruder who takes over the process does not get the rest of the system for free. Note that chroot is a weak boundary on its own: a process that still runs as root inside it can usually escape, so pair it with dropping privileges once the application has finished its privileged setup.
