12/29/10

(Network Security 2) How and Why Hackers Do It : Passive Reconnaissance

Passive Reconnaissance

To exploit a system, an attacker must have some general information;
otherwise, he does not know what to attack. A professional burglar does
not rob houses randomly. Instead, he picks someone, like Bob, and he
begins the passive reconnaissance stage of figuring out where Bob’s house
is located and other general information.

The same thing has to be done with hacking. After an attacker picks a
company to go after, he has to find out the company's name and where it
is located on the Internet.

Passive information gathering is not always useful by itself, but it is a
necessary step, because the information it yields is a prerequisite for
performing the other steps. In one case, I was gathering information to
perform an authorized penetration test for a company.

I pulled up to the company around 4:00 p.m. I chose this time for two
reasons. First, because most people leave between 4:30 p.m. and 5:30
p.m., I could observe a lot of behavior, but to do so I needed to park near
the front of the building. Usually, that late in the day, some people have
already left and you can get a close spot—thus, the second reason. I
parked near the entrance and rolled down my window. Three people came
out and stopped in front of my car to have a smoke. As they smoked, they
talked about business and a new server they had just installed. It was set up
for testing file transfer and FTP access to remote offices, but they went on
to explain that, because they were having trouble with authentication,
they had allowed anonymous access. As they finished the conversation, they
started joking with one of them about why he had named the server Alpha-Two.

In the course of five minutes, I was given the name of a server that was
accessible from the Internet and the fact that authentication was turned
off, which meant that I had full access to the network! As fictitious as this
story might sound, it actually happened and is quite realistic. It is amazing
what people will say if they think that no one else is listening.

In some cases, passive reconnaissance can provide everything an attacker
needs to gain access. On the surface, passive reconnaissance might not seem
that useful, but do not underestimate the amount of information an attacker
can acquire if it is done properly.

Passive attacks, by the nature of how they work, might not seem as powerful
as active attacks, but in some cases they can be more powerful. With a
passive attack, you do not get access directly, but sometimes you get
something even better: guaranteed access across several avenues.

One of the most popular types of passive attack is sniffing: sitting on a
network segment and watching and recording all traffic that goes by. This
can yield a lot of information, but the effort involved varies. If an
attacker is looking for one specific piece of information, he might have to
search through hundreds of megabytes of data to find it; if he knows the
pattern of the packets he is looking for, it can be quite easy.

An example of this is sniffing passwords. There are programs an attacker
can run from a workstation that look for NT authentication packets. When
one is found, the program pulls out the encrypted password and saves it. The
attacker can then use a password cracker to recover the plain-text
password. For a single password, this might seem like a lot of work. But
imagine an attacker setting this up to start running at 7:00 a.m. and stop
at 10:00 a.m. Most people log on to the network during those three hours,
so he can gather hundreds of passwords in a relatively short period.

Another useful type of passive attack is information gathering, in which
an attacker collects information that will help him launch an active
attack. For example, suppose an attacker sits near a company's loading
dock to watch deliveries. Most companies print their logos on the sides of
their boxes, so they are easy to spot. If an attacker notices that you
receive several boxes from Sun, he can be fairly sure that you are running
Solaris. If, shortly after the release of Windows 2000, a company receives
boxes from Microsoft, an attacker could reasonably guess that the company
is upgrading its servers to the new operating system.
