1/9/11

(Network Security 3) How and Why Hackers Do It : Active Reconnaissance

At this point, an attacker has enough information to try active probing or
scanning against a site. After a burglar knows where a house is located
and if it has a fence, a dog, bars on the windows, and so on, he can
perform active probing. This consists of going up to the house and trying
the windows and doors to see if they are locked. If they are, he can look
inside to see what types of locks there are and any possible alarms that
might be installed. At this point, the burglar is still gathering information.
He is just doing it in a more forceful or active way.
With hacking, the same step is performed. An attacker probes the system
to find out additional information. The following is some of the key
information an attacker tries to discover:
• Hosts that are accessible
• Locations of routers and firewalls
• Operating systems running on key components
• Ports that are open
• Services that are running
• Versions of applications that are running
The more information an attacker can gain at this stage, the easier it will
be when he tries to attack the system. Usually, the attacker tries to find
out some initial information covertly and then tries to exploit the system.
If he can exploit the system, he moves on to the next step. If he cannot
exploit the system, he goes back and gathers more information. Why
gather more information than he needs, especially if gathering that extra
information sets off alarms and raises suspicion? It is an iterative process,
where an attacker gathers a little, tests a little, and continues in this
fashion until he gains access.
Keep in mind that, as an attacker performs additional active
reconnaissance, his chances of detection increase because he is actively
performing some action against the company. It is critical that you have
some form of logging and review in place to catch active reconnaissance,
because, in a lot of cases, if you cannot block an attacker here, your
chances of detecting him later decrease significantly.
When I perform an assessment, usually I run some tests to figure out the
IP address of the firewall and routers. Next, I try to determine the type of
firewall, routers, and the version of the operating system the company is
running to see if there are any known exploits for those systems. If there
are known exploits, I compromise those systems. At that point, I try to
determine which hosts are accessible and scan those hosts to determine
which operating system and revision levels they are running. If an
attacker can gain access to the external router or firewall, he can gather a
lot of information and do a lot of damage.
For example, if I find that a server is running Windows NT 4.0 Service
Pack 4, I scan for all vulnerabilities with that version and try to use those
vulnerabilities to exploit the system. Surprisingly, with most companies,
when I perform active reconnaissance, their technical staff fails to detect
that I have probed their systems. In some cases, it is because they are
not reviewing their log files, but in most cases, it is because they are not
logging the information. Logging is a must, and there is no way to get
around it. If you do not know what an attacker is doing on your system,
how can you protect against it?
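The logging and review that the two paragraphs above call for can be automated in a small way. The following is an added example, not code from the book: it parses constructed firewall deny-log lines (a simplified format assumed here, not any vendor's real syslog format) and flags sources that probe many ports on one host or one port on many hosts, which is exactly the host and port discovery listed earlier as active reconnaissance.

```python
"""Flag port and host sweeps in firewall deny logs (added example, not from
the book; the log format below is constructed, not a real vendor format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sweeps ports on one host, 198.51.100.7
# tries port 22 on many hosts, 192.0.2.50 is a single ordinary deny.
SAMPLE_LOG = """\
2011-01-09T08:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2011-01-09T08:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2011-01-09T08:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2011-01-09T08:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp
2011-01-09T08:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2011-01-09T08:01:10 DENY src=198.51.100.7 dst=192.0.2.11 dport=22 proto=tcp
2011-01-09T08:01:10 DENY src=198.51.100.7 dst=192.0.2.12 dport=22 proto=tcp
2011-01-09T08:01:11 DENY src=198.51.100.7 dst=192.0.2.13 dport=22 proto=tcp
2011-01-09T08:01:11 DENY src=198.51.100.7 dst=192.0.2.14 dport=22 proto=tcp
2011-01-09T08:01:12 DENY src=198.51.100.7 dst=192.0.2.15 dport=22 proto=tcp
2011-01-09T08:02:00 DENY src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp
this line is malformed and must be skipped, not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events

def detect_sweeps(events, window=timedelta(minutes=5), threshold=5):
    """Return (src, kind, target, count) for sources that, within one window,
    hit >= threshold distinct ports on a host or distinct hosts on a port.
    The threshold is low to fit the sample; tune it to your own baseline."""
    ports_by_host = defaultdict(set)  # (src, bucket, dst)   -> {dport}
    hosts_by_port = defaultdict(set)  # (src, bucket, dport) -> {dst}
    for ev in events:
        if ev["action"] != "DENY":
            continue
        bucket = (ev["ts"] - datetime(1970, 1, 1)) // window  # fixed window
        ports_by_host[(ev["src"], bucket, ev["dst"])].add(ev["dport"])
        hosts_by_port[(ev["src"], bucket, ev["dport"])].add(ev["dst"])
    findings = set()
    for (src, _, dst), ports in ports_by_host.items():
        if len(ports) >= threshold:
            findings.add((src, "port_sweep", dst, len(ports)))
    for (src, _, dport), hosts in hosts_by_port.items():
        if len(hosts) >= threshold:
            findings.add((src, "host_sweep", str(dport), len(hosts)))
    return sorted(findings)
```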
The goal of a company in protecting its computers and networks is to
make it so difficult for an attacker to gain access that he gives up before
he gets in. Today, because so many sites have minimal or no security,
attackers usually gain access relatively quickly and with a low level of
expertise. Therefore, if a company’s site has some security, the chances of
an attacker exploiting its systems are decreased significantly, because if
he meets some resistance, he will probably move on to a more vulnerable
site. This is only true for an opportunistic attacker who scans the Internet
looking for any easy target.
In cases of corporate espionage, where an attacker is targeting your site,
some security will make the attacker’s job more difficult, but will not
necessarily stop him. In this situation, hopefully the extra security will
make it so difficult that you will detect the attack before he gains access
and stop him before any damage is done.
In most cases, an attacker uses a passive reconnaissance attack first to
properly position himself. Next, he uses an active reconnaissance attack to
gather the information he is after. An example is an attacker breaking into
a machine so that he can sniff passwords off of the network when users
log on each morning. As this example shows, to perform active
reconnaissance, an attacker must have some level of access to the
system.
Each attack has value, but as you will see throughout this book, the real
value is gained when multiple techniques or attacks are combined. Giving
a carpenter a single tool allows him to build part of a house. When a
carpenter is familiar, well-trained, and has several tools in his toolbox, he
can build an entire house. These same principles apply for successfully
breaking into a system—or in our case, successfully preventing a break-in.

12/29/10

(Network Security 2) How and Why Hackers Do It : Passive Reconnaissance

Passive Reconnaissance

To exploit a system, an attacker must have some general information;
otherwise, he does not know what to attack. A professional burglar does
not rob houses randomly. Instead, he picks someone, like Bob, and he
begins the passive reconnaissance stage of figuring out where Bob’s house
is located and other general information.

The same thing has to be done with hacking. After an attacker picks a
company to go after, he has to find out the company’s name and where it
is located on the Internet.
Passive information gathering is not always useful by itself, but is a
necessary step, because knowing that information is a prerequisite to
performing the other steps. In one case, I was gathering information to
perform an authorized penetration test for a company.
I pulled up to the company around 4:00 p.m. I chose this time for two
reasons. First, because most people leave between 4:30 p.m. and 5:30
p.m., I could observe a lot of behavior, but to do so I needed to park near
the front of the building. Usually, that late in the day, some people have
already left and you can get a close spot—thus, the second reason. I
parked near the entrance and rolled down my window. Three people came
out and stopped in front of my car to have a smoke. As they smoked, they
talked about business and a new server they just installed. It was set up
for testing file transfer and FTP access to remote offices, but they went on
to explain that, because they were having trouble with authentication,
they allowed anonymous access. As they finished the conversation, they
started joking with the one person on why he named the server Alpha-
Two.
In the course of five minutes, I was given the name of a server that was
accessible from the Internet and the fact that authentication was turned
off, which meant that I had full access to the network! As fictitious as this
story might sound, it actually happened and is quite realistic. It is amazing
what people will say if they think that no one else is listening.
In some cases, passive reconnaissance can provide everything an attacker
needs to gain access. On the surface it might seem like passive
reconnaissance is not that useful, but do not underestimate the amount of
information an attacker can acquire if it is done properly.
Passive attacks, by nature of how they work, might not seem as powerful
as active attacks, but in some cases they can be more powerful. With
passive attacks, you do not directly get access, but sometimes you get
something even better: guaranteed access across several avenues.
One of the most popular types of passive attacks is sniffing. This involves
sitting on a network segment and watching and recording all traffic that
goes by. This can yield a lot of information. For example, if an attacker is
looking for a specific piece of information, he might have to search
through hundreds of megabytes of data to find what he is looking for. In
other cases, if he knows the pattern of the packets he is looking for, it can
be quite easy.
An example of this is sniffing passwords. There are programs that
attackers can run from a workstation that look for NT authentication
packets. When such a program finds one, it pulls out the encrypted password
and saves it. An attacker can then use a password cracker to get the plain
text password. To get a single password, this might seem like a lot of work.
But imagine an attacker setting this up to start running at 7:00 a.m. and
stop running at 10:00 a.m. Most people log on to the network in those
three hours, so he can gather hundreds of passwords in a relatively short
time period.
Another useful type of passive attack is information gathering. During this
type of attack, an attacker gathers information that will help launch an
active attack. For example, let’s say that an attacker sits near the loading
dock of a company to watch deliveries. Most companies print their logos
on the sides of boxes and are easy to spot. If an attacker notices that you
receive several Sun boxes, he can be pretty sure that you are running
Solaris. If, shortly after the release of Windows 2000, a company receives
boxes from Microsoft, an attacker could probably guess that the company
is upgrading its servers to the new operating system.

12/12/10

(Network Security 1) How and Why Hackers Do It

Attackers break into systems for a variety of reasons and for a variety of
purposes. Until you understand how attackers break into systems and why
they do it, you will have a hard time defending against the variety of
attacks that are currently being used to compromise systems. This
chapter will take a detailed look at these issues so you can better
understand the processes, methods, and types of attacks that are
currently being used.

What Is an Exploit?
Because the topic of exploits will be addressed throughout the book, this
is probably a good time to cover what an exploit actually is.
If this were a short-answer question, the correct answer would be “an
exploit can be anything.” Basically, anything that can be used to
compromise a machine is considered an exploit. Remember, we are also
using a loose definition of the word compromise. A compromise could
include the following:
• Gaining access
• Simplifying gaining access
• Taking a system offline
• Desensitizing sensitive information
For example, going through a company’s garbage to find sensitive
information can be considered an exploit. If an attacker goes through the
garbage and finds a computer printout of top-secret information about a
company’s new product, he has technically compromised the system
without ever touching it. This is why addressing all the ways a system can
be exploited is so important. Many times, security professionals put on
blinders and look at only one aspect of security. It is important to
remember that a chain is only as strong as its weakest link, and an
attacker will compromise the weakest link in a company’s security.
Therefore, it is critical that security professionals step back and properly
look at and address all the security issues a company might face.

Hollywood Hackers
For a good example of going through a company’s garbage, or the
more technical term dumpster diving, rent the movie Sneakers.
Although it is a very entertaining movie, it also shows the security
threats that companies can face.
Just to whet your appetite, the movie is about a company that
performs penetration testing of other companies’ security
systems—particularly banks.

To look at a more formal definition, www.dictionary.com defines an exploit
as “a security hole or an instance of a security hole.” This brings out a
very important point: For there to be an exploit, there has to be a
weakness that can be compromised. If there are no weaknesses, there is
nothing to exploit. That is why most people would say that a truly secure
system is one that is not plugged into a network or any sort of electricity
and buried in 30 feet of cement under the support beams for the Brooklyn
Bridge. In this case, the number of possible exploits is minimized because
the number of weaknesses is reduced or eliminated. It is also important to
point out that, although the number of exploits is minimized, the
functionality of the system is also severely minimized. One of the main
reasons why companies do not have truly secure servers is that,
whenever you increase security, you reduce functionality, and
functionality is what keeps a company in business. The counter argument
I always make is that functionality might keep a company in business, but
lack of security will put a company out of business.
Therefore, when building secure systems, it is critical that you minimize
the risk while reducing the impact it has on overall functionality. Figure
2.1 shows the constant battle of trying to balance security, functionality,
and ease of use. Imagine that there is a ball in the triangle and you can
move it to whatever corner you want. As you move the ball toward the
corner of security, you are moving farther away from the other two
corners. This means that as you increase security, you reduce
functionality and ease of use.
Figure 2.1. The security, functionality, and ease-of-use triangle.

Now that you have a good idea of what an exploit is and what things to be
careful of when securing your system, let’s take a look at the process that
attackers go through to exploit a system. The following section looks at all
types of exploits, not just computer- or network-based, to give you a
better idea of the threats that exist.

The Attacker’s Process
There are many ways an attacker can gain access or exploit a system. No
matter which way an attacker goes about it, there are some basic steps
that are followed:
1. Passive reconnaissance.
2. Active reconnaissance (scanning).
3. Exploiting the system:
   o Gaining access through the following attacks:
     - Operating system attacks
     - Application-level attacks
     - Scripts and sample program attacks
     - Misconfiguration attacks
   o Elevating privileges
   o Denial of service
4. Uploading programs.
5. Downloading data.
6. Keeping access by using the following:
   o Backdoors
   o Trojan horses
7. Covering tracks.

Note that it is not always necessary to perform all of these steps, and in
some cases, it is necessary to repeat some of the steps. For example, an
attacker performs the active and passive reconnaissance steps and, based
on the information he gathers about the operating systems on certain
machines, he tries to exploit the system. After unsuccessfully trying all
sorts of operating system attacks (Step 3), he might go back to Steps 1
and 2. At this point, his active reconnaissance will probably be more in
depth, focusing on other applications that are running or possible scripts
that are on the system, and even trying to find out more information
about the operating system, such as revision and patch levels. After he
has more information, he will go back to attacking the system.
You would hope that, by protecting your systems from attack, this process
would take a long time to accomplish, frustrating the attacker enough to
give up before he gains access. Ideally, a company should have proper
Intrusion Detection Systems in place so that it can detect an attack and
protect against it before it does any damage. Most companies should
strive for this, but unfortunately most ignore it.
Let’s briefly run through each of the steps from an attacker’s point of
view. The attacker starts off seeing if he has any general information
about the system. This consists of information like the domain name and
any servers or systems the company might have. After all of the passive
information has been gathered, active reconnaissance begins. This is
where the attacker tries to find out as much information about the
systems, without setting off too many alarms. Then, he gathers things
such as IP addresses, open ports, operating system and version, and so
on. After some initial information is gathered, an attacker steps through
each of the attack areas: operating system, applications, scripts, and
misconfigured systems. For each item, an attacker tries an attack; if
unsuccessful, he tries to gather more information about the component.
After all the information has been gathered for an item, an attacker moves
on to the next item. After an attack has been successful and access has
been gained, the attacker then uploads any necessary programs,
preserves access by installing Trojan horses, and finally cleans up the
system to hide the attack.

12/11/10

The Golden Age of Hacking

Based on everything we know, this truly seems to be the golden age of hacking.
To sum things up, it is a great time to be a hacker. Because there are so many
possible systems to break into and most of them have such weak security,
attackers can pick and choose which machines to go after. To make matters
worse, most companies have insufficient
information or resources to track these attackers, so even if they are detected,
their chances of getting caught are slim. No one polices the Internet, and in terms of
knowledge and experience, attackers have the upper hand. Not only is it a good
time to be a hacker, but it is a good time to be a security professional. There is
plenty of work and a whole lot of challenges ahead.
A recent and well-known example of hacking attacks happened in February of 2000.
Several large sites on the Internet were attacked within a short period of time. The
type of attack was a distributed Denial of Service attack in which company web sites
became unreachable to legitimate users. From a business perspective, this had a large
impact on the victim companies. For one company, an online bookstore, the attack
resulted in lost revenue—not only did the company lose sales, but it lost customers.
Let’s look at an example. If a customer, intending to buy something online, tries to
connect to a company’s web site at 10:00 p.m. and the web browser displays the
message “Web Site Unavailable,” he might try back at 10:45 p.m. When the customer
tries again at 11:30 p.m. and still receives the same message, more than likely, the
customer will go to a competitor to buy the product. With the amount of competition on
the Internet, if a customer cannot access a site in a matter of seconds, he will quickly
give up and go to a different site.
Ironically, companies were so afraid of the Y2K problem that they dumped large sums of
money into fixing it. In several cases, it seemed like a waste because the problem was
overestimated and hyped by the media. Now there is a problem far worse, but companies
are looking the other way. They do not want to invest the money.
There are several reasons why so many companies are vulnerable, but one of the main
reasons is lack of awareness. Companies have not realized and still do not realize the
threat. One of my goals in writing this book is to make people aware of the threat and
the tools that exist to protect their sites. Ignorance is deadly, but knowledge is power. If
an attacker breaks into your house with an arsenal of guns and you have no weapons,
you cannot defend yourself. On the other hand, if you are properly trained on weapons
and know the limitations of the weapons the intruder is using, you have an upper hand.
Giving IT professionals the tools and techniques attackers use to break into sites equips them with the proper defenses.