Network security, lesson 4: A walk-through of an attack

Our last lesson in this series describes how an attacker in the real world might go about trying to exploit your system.


Our last lesson in this series describes how an attacker in the real world might go about trying to exploit your system. There is no fixed way to attack a system, but a large number will follow a similar methodology or chain of events.

We assume here that the attacker is moderately skilled and motivated to break into your network. He has targeted you due to a specific motive -- perhaps you sacked him or didn't provide adequate customer support. Hopefully this will help you figure out where your network might be attacked, and what an attacker might do once he is on the inside.

Remember that attackers will usually choose the simplest way to get into the network. The path of least resistance principle always applies.

    Administrator's notebook
    Need a quick review? Here are the main points:
    • Attackers will usually choose the simplest way to get into the network. The path of least resistance principle always applies.
    • Attackers use public information to learn about your systems and what the easiest targets will be.
    • Once an attacker gets into your network, he will install many backdoors to allow him future access.
    • Attackers will attempt to get security clearance and find sensitive information. Encrypt this or store it without a connection to the network.
    • The best way to deal with network security is to know the network inside and out.
    • Becoming a part of the security community and following trends will help you understand and prevent attacks.

Reconnaissance and footprinting

Here the attacker will try to gather as much information about your company and network as he can without making a noise. He will first use legitimate channels, such as Google and your company Web page, to find out as much about you as he can. He will look for the following information:

  • Technical information is a gold mine; things like a Web page to help your employees log in from home will be priceless information to an attacker. So will newsgroup postings by your IT department asking how to set up particular software, as he now knows that you use this software, along with any vulnerabilities inherent in it.

  • Personal information about the company and its corporate structure. He will want information on the heads of IT departments, the CEO and other people who have a lot of power. He can use this information to forge e-mail or social engineer information out of subordinates.

  • Information about your partners. This will be useful to him if he knows you have some sort of network connection to a supplier or partner. He can then include the supplier's systems in his attack and find a way into your network from there.

  • General news. This can be useful information to an attacker as well. If your Web site says that it is going down for maintenance because you are changing your Web server, it might be a clue that the new setup will be in its teething stages and the administrator may not have fully secured it yet.

He will also query the whois databases to find out what block of IP addresses you own. This will give him a general idea of where to start network-level scans. After this he will start a series of network probes. The most basic of these will determine if you have a firewall and what it protects. He will try to identify any systems you have that are accessible from the Internet.

The most important targets will be the ones that provide public services. These will be:

  • Web servers -- These are usually the front door into the network. All Web server software has some bugs in it, and if you're running homemade CGI scripts, such as login pages, they might be vulnerable to techniques such as SQL injection.

  • Mail servers -- Sendmail is very popular and most versions have at least one serious vulnerability. Many IT heads don't like to take down the mail server for maintenance because doing without it is very frustrating for the rest of the company (especially when the CEO doesn't get his mail).

  • DNS servers -- Many implementations of BIND are vulnerable to serious attacks. The DNS server can be used as a base for other attacks, such as redirecting users to other Web sites.

  • Network infrastructure -- Routers and switches may not have been properly secured and may have default passwords or a Web administration interface running. Once controlled, they can be used for anything from a simple denial of service attack to channelling all your data through the attacker's machine to a sniffer.

  • Database servers -- Many database servers have the default systems admin account password blank and other common misconfigurations. These are very high-profile targets because the criminal might be looking to steal anything from your customer list to credit card numbers. As a rule, a database server should never be Internet-facing.

The more naive of the lot (or the ones who know that security logs are never looked at) may run a vulnerability scanner such as Nessus or Retina over the network. This will ease their work.
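The SQL injection risk mentioned for homemade CGI login pages comes down to how the query is built. The following is an added example, not code from the original article or from Firewall.cx: it puts a concatenated-string login check next to a parameterised one against a constructed in-memory SQLite table (the table, the user "alice" and her password are all made up for the demo), so you can see the same tautology input succeed against one and fail against the other.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the login page's user table.
    Passwords are stored in the clear only to keep the demo short;
    a real application stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The way a quickly written CGI script often assembled its SQL:
    user input is pasted straight into the statement text, so quotes
    in the input become SQL syntax instead of data."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    query = build_vulnerable_query(username, password)
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so whatever the user types is compared as a literal."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both login checks with valid, invalid and tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"   # classic password-field injection
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", tautology),
        "hard_good_creds": login_hardened(conn, "alice", "correct horse"),
        "hard_injected": login_hardened(conn, "alice", tautology),
        "injected_sql": build_vulnerable_query("alice", tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Printing `injected_sql` shows the damage: the WHERE clause ends in `password = '' OR '1'='1'`, which is true for every row, so the vulnerable check lets the attacker in without a password while the parameterised check does not. Auditing your own CGI scripts for string-built queries is a cheap way to remove one of the front-door weaknesses the article describes.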

Exploitation phase

After determining which are valid targets and figuring out what OS and version of software you are using (for example, which version of Apache or IIS the Web server is running), the attacker can look for an exploit targeting your particular version. For example, if he finds you are running an out-of-date version of Sendmail, he will look for an exploit targeting that version or below.

Attackers will first look in their own collection of exploits, because they have tested these. If they cannot find one, they will look to public repositories such as http://www.packetstormsecurity.nl. They will probably try to choose common exploits, as these are more likely to work and they can probably test them in their own labs. They will run these exploits on the target (say the Web server) and if they work, they will have some kind of access to the network.

From here the attacker has already won half the game -- he is behind your firewall and can probably see a lot more of the internal network than you ever intended for him to. Many networks tend to be very hard to penetrate from the outside, but are woefully unprotected internally. This hard exterior with a mushy interior is a recipe for trouble -- an attacker who penetrates the first line of defense will have the full run of your network.

After getting in, he will also probably install backdoors on this first compromised system to provide him with many access points, in case his original hole gets shut down. This is why, when you identify a machine that has been broken into, it should be rebuilt from scratch. There is no way of knowing what kind of backdoors might be installed. It could be tricky to find a program that runs itself from 2:00 am to 4:00 am every night and tries to connect to the attacker's machine. Once the attacker has successfully guaranteed his access, the hard part of the intrusion is usually over.
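A backdoor that phones home every night between 2:00 and 4:00 am is hard to spot on the host but leaves a regular footprint in outbound firewall logs. The following is an added example, not code from the original article or from any firewall vendor: it parses a constructed log (the line format, hosts and addresses are all made up for the demo) and flags source/destination pairs that recur at about the same time of night across several nights, which is the pattern the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records. The format is an
# assumption for this demo: "<date> <time> OUT <proto> <src>:<port> -> <dst>:<port>".
SAMPLE_LOG = """\
2004-03-01 09:12:05 OUT TCP 10.0.0.15:1034 -> 203.0.113.20:80
2004-03-01 02:03:11 OUT TCP 10.0.0.22:1200 -> 198.51.100.7:443
2004-03-02 02:01:48 OUT TCP 10.0.0.22:1201 -> 198.51.100.7:443
2004-03-02 14:30:00 OUT TCP 10.0.0.15:1055 -> 203.0.113.20:80
2004-03-03 02:02:30 OUT TCP 10.0.0.22:1202 -> 198.51.100.7:443
2004-03-03 11:00:00 OUT TCP 10.0.0.15:1070 -> 203.0.113.20:80
2004-03-04 02:00:05 OUT TCP 10.0.0.22:1203 -> 198.51.100.7:443
2004-03-04 03:45:00 OUT TCP 10.0.0.31:1400 -> 192.0.2.9:22
"""

LINE_RE = re.compile(r"^(\S+ \S+) OUT \S+ (\S+):\d+ -> (\S+):\d+$")


def parse(text):
    """Turn log text into (timestamp, src_ip, dst_ip) tuples, skipping
    lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_nightly_beacons(events, start_hour=0, end_hour=5,
                         min_nights=3, max_spread_minutes=120):
    """Return (src, dst) pairs seen inside the quiet window on at least
    min_nights distinct nights, with all hits falling within
    max_spread_minutes of each other in time of day. Recurrence at the
    same hour, not traffic volume, is the signal: a nightly check-in is
    only a handful of packets."""
    hits = defaultdict(list)
    for ts, src, dst in events:
        if start_hour <= ts.hour < end_hour:
            hits[(src, dst)].append(ts)
    flagged = []
    for pair, stamps in hits.items():
        nights = {t.date() for t in stamps}
        minutes = [t.hour * 60 + t.minute for t in stamps]
        if (len(nights) >= min_nights
                and max(minutes) - min(minutes) <= max_spread_minutes):
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst in find_nightly_beacons(parse(SAMPLE_LOG)):
        print(f"recurring night-time connection: {src} -> {dst}")
```

In the sample the daytime web browsing from 10.0.0.15 and the single late-night SSH session from 10.0.0.31 are ignored, while 10.0.0.22 talking to 198.51.100.7 at two o'clock on four consecutive nights is reported. Tune the window and thresholds to your own environment, and remember the article's point that a compromised host's own logs cannot be trusted: this check belongs on the firewall or a log collector, not on the suspect machine.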

Privilege escalation phase

Now the attacker will attempt to increase his security clearance on the network. He will usually target the administrator accounts or perhaps a CEO's account. If he is focused on a specific target (say your database server), he will look for the credentials of anyone with access to that resource. He will most likely set up a network sniffer to capture all the packets as they go through the network.

He will also start manually hunting around for documents that will give him some interesting information or leverage. Thus, any sensitive documents should be encrypted or stored on systems with no connection to the network.

Attackers will also look for Windows machines with file sharing enabled and see what they can get out of these. Chances are that if they didn't come in with a particular objective in mind (for example, stealing a database), they will take whatever information they deem to be useful in some way.

Clean-up phase

Now the attacker has either found what he was looking for or is satisfied with the level of access he's gained. He's made sure that he has multiple paths into the network in case you close the first hole. He will now try to cover up any trace of an intrusion. He will manually edit log files to remove entries about his actions and will make sure to hide any programs he has installed in hard-to-find places.

Remember, we are dealing with an intruder who is moderately skilled and is not just interested in defacing your Web site. He knows that the only way to keep access will be if you never know something is amiss. In the event that there is a log he is unable to clean up, he may risk leaving it there, or flood the log with bogus attacks, making it difficult for you to single out the real attack.
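Manual editing of log files only works if nothing outside the compromised host remembers what the log used to contain. The following is an added example, not code from the original article or from Firewall.cx: it hash-chains log entries (each digest covers the previous digest plus the entry) and checks the local file against a chain head that is assumed to have been shipped to a separate log collector before the intrusion. The entries, hostnames and addresses are constructed for the demo.

```python
import hashlib

GENESIS = "0" * 64   # starting digest for an empty chain


def link(prev_digest, entry):
    """Digest of one entry bound to everything that came before it."""
    return hashlib.sha256((prev_digest + "\n" + entry).encode()).hexdigest()


def chain_head(entries, start=GENESIS):
    """Fold the whole log into a single digest."""
    digest = start
    for entry in entries:
        digest = link(digest, entry)
    return digest


def verify(entries, anchored_head, start=GENESIS):
    """True only if the entries reproduce the head the collector stored.
    Deleting, editing or reordering any entry changes every later link."""
    return chain_head(entries, start) == anchored_head


# Constructed syslog-style entries; 198.51.100.7 stands in for the attacker.
SAMPLE_ENTRIES = [
    "Mar  3 01:58:01 web1 sshd[412]: Accepted password for www from 10.0.0.5",
    "Mar  3 02:00:14 web1 sshd[430]: Accepted password for root from 198.51.100.7",
    "Mar  3 02:00:20 web1 su: (to root) root on pts/1",
    "Mar  3 02:07:45 web1 cron[501]: (root) CMD (/usr/local/bin/updater)",
    "Mar  3 02:09:02 web1 sshd[430]: Connection closed by 198.51.100.7",
]


def demo():
    """Anchor the chain, then simulate the two edits the article describes."""
    anchor = chain_head(SAMPLE_ENTRIES)      # what the collector holds
    deleted = [e for e in SAMPLE_ENTRIES if "198.51.100.7" not in e]
    edited = [e.replace("for root", "for www") for e in SAMPLE_ENTRIES]
    # A later, legitimate append still verifies if checked from the anchor.
    new_entry = "Mar  3 06:00:00 web1 cron[502]: (root) CMD (/usr/sbin/logrotate)"
    extended_head = link(anchor, new_entry)
    return {
        "intact": verify(SAMPLE_ENTRIES, anchor),
        "after_deletion": verify(deleted, anchor),
        "after_edit": verify(edited, anchor),
        "legit_append": verify([new_entry], extended_head, start=anchor),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check catches removed and rewritten entries, but only because the head was stored somewhere the attacker could not reach; on the host alone he could simply recompute the chain after editing. It also does nothing against the flooding tactic the article mentions, since bogus entries are appended honestly. Shipping logs to a collector as they are written, with the chain head recorded there, is the practical form of this idea.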

Where can I find more information?

One of the best places for answers to questions relating to this article is the Firewall.cx forums. The Security/Firewalls Forum is the best place to do this -- you can ask anything from the most basic to the most advanced questions concerning network security there. A lot of common questions have already been answered in the forums, so you will quite likely find answers to questions like "Which firewall should I use?"

Network security is a very vast field and there is seemingly limitless information on the subject. You will never find it at so-called hacker sites full of programs. The best way to learn about network security is to deal with the first word first -- you should be able to talk networking inside and out, from packet header to checksum, Layer 1 to Layer 7.

Once you've got that down, you should start on the security aspect. Start by reading articles on the Internet. Take in the basics first, and make sure you keep reading. Wherever possible, try to experiment with what you have read. If you don't have a home lab, you can build one virtually. See the posts in the Firewall.cx Cool Software forum about VMware.

Also, start reading the security mailing lists such as bugtraq and security-basics. Initially, you may find yourself unable to understand a lot of what happens there, but the newest vulnerabilities are always announced on these lists. If you follow a vulnerability from the time it's discovered to when someone posts an exploit for it, you'll get a very good idea of how the security community works, and you'll also learn a lot in the process.

If you're serious about security, it is imperative that you learn a programming language, or at least are able to understand code if not write your own. The best choices are C and assembly language. However, knowing Perl and Python is also a valuable skill, as you can write programs in these languages very quickly.

For now, here are a few links that you can follow for more information:

  • securityfocus.com - A very good site with all the latest news, a very good library and tools collection as well as sections dedicated to basics, intrusion detection, penetration testing etc. Also home of the Bugtraq mailing list.
  • sans.org - A site with excellent resources in its reading room. People who submit papers there are trying for a certification, and as a result it's mostly original material of a very high calibre.
  • security-portal.com - A good general security site.
  • firewall.cx - Another site with excellent resources for network and security administrators.
  • SearchSecurity.com - A TechTarget site -- I don't think the references could be much better.
  • cert.org - The CERT Coordination Center provides updates on the latest threats and how to deal with them. Also has very good best-practice tips for admins.
  • securityfocus.com/archive/1 - This is the link to Bugtraq, the best full-disclosure security mailing list on the net. Here all the latest vulnerabilities get discussed way before you see them being exploited or in the press.
  • insecure.org - The mailing lists section has copies of bugtraq, full-disclosure, security-basics, security news, etc. Also the home of Nmap, the wonderful port scanner.
  • seclists.org - This is a direct link to the security lists section of insecure.org.
  • grc.com - For Windows home users and newbies just interested in a non-technical site. The site is home to Shields Up, which can test your home connection for file sharing vulnerabilities, do a port scan etc., all online. It can be a slightly melodramatic site at times, though.
  • eeye.com - Home of the Retina Security Scanner, considered the industry leader. The eEye team also works on a lot of the latest vulnerabilities for the Windows platform.
  • nessus.org - Open source vulnerability scanner, and IMNSHO the best one going. If you're a tiger team penetration tester and you don't point Nessus at a target, you're either really bad at your job or have a very large ego. If there's a vulnerability in the system, Nessus will find it.
  • zonelabs.com - ZoneAlarm personal firewall for Windows, considered the best, and also the market leader.
  • sygate.com - Sygate Personal Firewall, provides more configuration options than ZoneAlarm, but is consequently harder to use.
  • secinf.net - Huge selection of articles that are basically Windows security related.
  • antioffline.com - A very good library section on buffer overflows, etc.
  • packetstormsecurity.nl - The largest selection of tools and exploits possible.

Missed lesson one, two or three? You can find them here:

  • Network security, lesson one: Introduction to security
  • Network security, lesson two: Common security measures
  • Network security, lesson three: Penetration testing


Copyright 2004 Firewall.cx. This was first published in March 2004.