The Attack Process

James Walden

University of Toledo
LCCC University Partnership

The Attack Process

• Reconnaissance
• Exploitation
• Reinforcement
• Covering Tracks

Reconnaissance

• Passive Reconnaissance
• Active Reconnaissance

Passive Reconnaissance

• Scope the Attack
• Search the Web
• Network Enumeration
• Network Mapping

Reconnaissance: Scoping

• What targets are you interested in?
  
  
  • Organizations
  
  
  • Locations
  
  
  • Networks
  
  
  • Machines
  
  
• What is the goal of the attack?

Reconnaissance: Search the Web

• Read the organization's web site:
  
  
  • Related entities
  • Contacts: names, phone numbers, email addresses
  • Privacy or security policies
  • Links to other related web servers
  • Check HTML comments for information leaks
• Search web for information about organization:
  
  
  • Search for open directory listings, passwd files (googledorks)
  • Search USENET postings on groups.google.com
  • Search finance.yahoo.com and www.sec.gov

Reconnaissance: Network Enumeration

• Query Registrar Database
  
  
  • Registrant address
  • Administrative and technical contacts
  • DNS servers
  
  
• Query ARIN (American Registry for Internet Numbers)
  
  
  • IP address ranges for Organization
  • Reverse query: organization for IP address ranges
  
  

Reconnaissance: Network Mapping

• Query DNS servers
  
  
  • Zone transfer of all DNS records (if allowed)
  
  
  • Query IP addresses found in previous reconnaissance
  
  
  • Look for MX records to discover mail servers
  
  
• Traceroute
  
  
  • Determine paths into target network

Active Reconnaissance

• Ping Sweeps
• Port Scans
• Firewall Analysis
• Vulnerability Scanning
• War Dialing
• Social Engineering
• Physical Reconnaissance

Reconnaissance: Ping Sweeps

• Send packets to range of IP addresses to find hosts
  
  
  • Regular ping: ICMP packets
  
  
  • Modified ping: nmap offers ability to ping using TCP and UDP protocols with many options
  
  

Reconnaissance: Port Scans

• Determine active network services and operating system


• nmap offers many scan types for bypassing firewalls/IDS
  
  
  • TCP connect scan
  
  
  • TCP SYN scan
  
  
  • TCP flag variant scans
  
  
  • Fragment scans

Reconnaissance: Firewall Analysis

• Map firewall rules with tools like firewalk


• Use nmap to OS fingerprint firewall

Reconnaissance: Vulnerability Scanning

• Search for user lists and data with finger


• Identify users and mailing lists via SMTP


• Find RPC services with rpcinfo


• Search for NFS volumes with showmount


• Get SNMP database information (OS, CPU) with snmpwalk


• Scan for exploitable vulnerabilities with nessus or sara

Reconnaissance: War Dialing

• Scan phone number range for modems
  
  
  • Find phone number range from registrar numbers or other sources
  
  
  • Use THC-Scan or another war dialer to scan range for modems

Reconnaissance: Social Engineering

• Impersonate
  
  
  • Clueless user calling help desk
  • Technical support calling a user
  • Manager calling technical support or a user
  
  
• Information/actions to request:
  
  
  • Obtain remote access information: phone number, software, and credentials
  • Someone's username and password
  • Get an known account's password reset
  
  

Reconnaissance: Physical Reconnaissance

• Dumpster diving
• Get a job
• Physical break-in

Countering Active Reconnaissance

• Detection
  
  
  • An IDS system like snort can detect many active reconnaissance techniques.
  
  
  • Teach security awareness to users.
• Prevention
  
  
  • Properly configured firewalls can block many active reconnaissance types.
  
  
  • Teach security awareness to users.
  
  
  • Procedures for securely disposing of data, paper and digital.

Exploitation

• Physical Attacks
• Network Attacks
• Local Attacks
• Denial of Service Attacks

Exploitation: Physical Attacks

• Boot access is root access
• Remove the hard disk
• Connect your computer to their network

Exploitation: Network Attacks

• Network sniffing
• IP spoofing
• TCP hijacking

Network Sniffing

• Collecting all data on the wire to which the network interface is connnected


• Switched networks can be sniffed
  
  
  • ARP spoofing
  • MAC flooding
  • Route table modifications


• Sniffers can be detected by suspicious ARP or DNS lookups

IP Spoofing

• Forge IP addresses of outgoing packets
  
  
  • Conceal attacker's identity
  • Bypass IP-based ACLs
  • Feints: hide real attack in flood of forged packets
• How to get response packets?
  
  
  • Source routing
  • Network sniffing
  • Blind spoofing: use an attack where you can predict response

TCP Hijacking

• Select interesting connection to hijack
• Inject data with spoofed source IP to desynchronize connection
• ACK storm
  • Receiver of injection sends ACK to apparent sender
  • Apparent sender ACKs with expected sequence number
  • Receiver considers ACK out of sequence and does same...
• Insert packets with correct expected sequence numbers with desired commands

Exploitation: Local Attacks

• Buffer Overflows
• Canonicalization
• Password Cracking
• Race Conditions
• SQL Injection

Buffer Overflows

• Most common software security flaw
• C/C++ are unsafe languages
  • No bounds checking on arrays, pointer references
  • Unsafe library functions like strcpy, sprintf, gets
• What happens when write a 256-char string to this buffer?

  char buffer[64];

  • Strange behavior
  • Crash
  • Nothing visible

Buffer Overflows: Security Implications

• What is in memory after buffer?
  • Privilege flags
  • Function return address
  • Executable code
• Goals:
  • Get program to run your injected code with privilege
  • Change flag setting to permit operation instead of denying

Canonicalization

Resources (files, URLs) can be referenced by many names:

• ftp://home/ftp/public: anonymous access
• ftp://home/ftp/private: private files
• Is ftp://home/ftp/Private private?
• Is ftp://home/ftp/private. private?
• Is ftp://home/ftp/public/../private private?
• Is ftp://home/ftp/public/%2e%2e/private private?
• Can I run ftp://home/ftp/public/../../../bin/sh?

Password Cracking

• Common password lists
• Dictionaries
• Permutation engines
• Brute force

Race Conditions

• Order of events varies by system load on multitasking OS
  • Private resources (memory) are protected
  • Shared resources (filesystem, network) are not
• Time of check, time of use flaws (TOCTOU)
  • Check access of resource, e.g., access()
  • Use resource, e.g., open()
• What if attacker?
  • Deletes file after step 1.
  • Replaces with link to privilege-access file like /etc/passwd

SQL Injection

• Example query:
  sprintf(query, "select count(*) from users where username = '%s' and password = '%s' ", name, pass);
• What if user supplies one of the following passwords?
  • ' or 1=1 --
    which turns the query into
    select count(*) from users where username = 'user' and password = '' or 1=1 --'
  
  
  • foo'; delete from table users where username like '%'
    which turns the query into
    select count(*) from users where username = 'user' and password = 'foo';
    delete from table users where username like '%'

Denial of Service Attacks

• Exhausting local resources
• Bandwidth consumption
• Remotely exhausting resources
• Distributed Denial of Service

Exhausting Local Resources

• Fill the disk with dd
• Fill disk by generating error messages that are logged
• Fill disk by emailing many large attachments
• Execute fork() in an infinite loop
• Terminate services if you have root access

Bandwidth Consumption

• Send flood of packets to destination host
• Use spoofing to get two targets to DoS each other via chargen and echo or other services
• Spoof packets from target network in a way that generates multiple responses (Smurf)
• Packets can be blocked by firewall if number of sources is limited

Remotely Exhausting Resources

• SYN Flood: Initiate many 3-way handshakes without completion
• IP Fragmentation attacks: Use many small or overlapping fragments to exhaust reassembly resources

Distributed Denial of Service

• Attackers controls many "zombie" hosts, each running the DDoS agent
• Attacker server(s) sends instructions to all zombies, causing them to launch a DoS attack against a specific target
• Agents like TFN and Stacheldraht offer multiple types of DoS attacks for zombies to carry out

Reinforcement

• Backdoors
• Rootkits
• Kernel Rootkits

Backdoors

• Add a new account
• Add a shell listener to inetd on a high port
• Run an extra copy of sshd on a high port
• Replace login with a version containing a backdoor
• Start an xterm on victim host which displays on your host
• Use netcat to create a reverse telnet connection through the firewall

Rootkits

• Everything an attacker needs in one bundle
  
  
  • Trojan programs such as login, ls, ps, and netstat
  
  
  • Tools to set file timestamps, checksums, and size to original values
  
  
  • Back doors
  
  
  • Network sniffers
  
  
  • Log cleaners
  
  
• Use chkrootkit to detect

Kernel Rootkits

• Advantages over user-level rootkits:
  
  
  • Complete control over machine at all times.
  • Stealth: rootkit will cause kernel to lie about files, processes, and sockets
  • Open backdoors and network sniffers without a running process.
• Modify system calls
  
  
  • Modify exec to return Trojan binary for execution, while letting open return original binary.
  • Modify setuid to automatically give root.

Covering Tracks

• Modifying system logs
• Hiding files
• Covert channels

Modifying System Logs

• Delete log files
• Turn off syslog and accounting services
• Remove specific entries from log and accounting files

Hiding Files

• Start filenames with a "."
• Hide files in out of the way or very full directories like /dev
• Use filenames similar to existing filenames in directory like /dev/hdd
• Embed spaces or control characters in filenames, i.e., ".. "
• Open file then unlink it
• Hide files in unused sectors or slack space
• Use a rootkit which hides files from listing
• Install rootkit into flash ROM

Covert Channels

• Use loki as a backdoor connection via ICMP or UDP
• Use backdoor services which only listen after correct port knocking signature

Who are the Attackers?

While hackers come from various backgrounds, they have different motives:

• Money
  • Extortion
  • Credit card and identity theft
  • Sale of compromised system resources
• Entertainment
• Ego
• Ideology
• Status

Hacking for Fun

• hackerslab.org is a multi-level UNIX hacking game site
• www.hack.ae
• www.hackthissite.org
• www.hackergames.net is a site that indexes security wargames on the net

References

• Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2003
• Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2004
• Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004
• The Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004
• Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 4th edition, McGraw-Hill, 2003
• Ed Skoudis, Counter Hack, Prentice Hall, 2001