1/9/11

(Network Security 3) How and Why Hackers Do It : Active Reconnaissance

At this point, an attacker has enough information to try active probing or
scanning against a site. After a burglar knows where a house is located
and if it has a fence, a dog, bars on the windows, and so on, he can
perform active probing. This consists of going up to the house and trying
the windows and doors to see if they are locked. If they are, he can look
inside to see what types of locks there are and any possible alarms that
might be installed. At this point, the burglar is still gathering information.
He is just doing it in a more forceful or active way.
With hacking, the same step is performed. An attacker probes the system
to find out additional information. The following is some of the key
information an attacker tries to discover:
• Hosts that are accessible
• Locations of routers and firewalls
• Operating systems running on key components
• Ports that are open
• Services that are running
• Versions of applications that are running
The more information an attacker can gain at this stage, the easier it will
be when he tries to attack the system. Usually, the attacker tries to find
out some initial information covertly and then tries to exploit the system.
If he can exploit the system, he moves on to the next step. If he cannot
exploit the system, he goes back and gathers more information. Why
gather more information than he needs, especially if gathering that extra
information sets off alarms and raises suspicion? It is an iterative process,
where an attacker gathers a little, tests a little, and continues in this
fashion until he gains access.
Keep in mind that, as an attacker performs additional active
reconnaissance, his chances of detection increase because he is actively
performing some action against the company. It is critical that you have
some form of logging and review in place to catch active reconnaissance,
because, in a lot of cases, if you cannot block an attacker here, your
chances of detecting him later decrease significantly.
When I perform an assessment, usually I run some tests to figure out the
IP address of the firewall and routers. Next, I try to determine the type of
firewall, routers, and the version of the operating system the company is
running to see if there are any known exploits for those systems. If there
are known exploits, I compromise those systems. At that point, I try to
determine which hosts are accessible and scan those hosts to determine
which operating system and revision levels they are running. If an
attacker can gain access to the external router or firewall, he can gather a
lot of information and do a lot of damage.
For example, if I find that a server is running Windows NT 4.0 Service
Pack 4, I scan for all vulnerabilities with that version and try to use those
vulnerabilities to exploit the system. Surprisingly, with most companies,
when I perform active reconnaissance, their technical staff fails to detect
that I have probed their systems. In some cases, it is because they are
not reviewing their log files, but in most cases, it is because they are not
logging the information. Logging is a must, and there is no way to get
around it. If you do not know what an attacker is doing on your system,
how can you protect against it?
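One way to act on the logging-and-review point made above, as an added example that is not from the book or its author: a short Python script that reads firewall deny lines and flags a source that tries many ports on one host (port sweep) or one port across many hosts (host sweep) inside a short window, which is exactly the probing the text describes. The syslog-like line format, the addresses in the constructed sample, and the window and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a syslog-like format of a hypothetical firewall; not real traffic.
SAMPLE_LOG = """\
2011-01-09T08:00:01 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=21
2011-01-09T08:00:01 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=22
2011-01-09T08:00:02 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=23
2011-01-09T08:00:02 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=25
2011-01-09T08:00:03 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=80
2011-01-09T08:00:03 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=139
2011-01-09T08:05:00 DENY src=192.0.2.77 dst=198.51.100.10 proto=tcp dport=445
2011-01-09T08:10:10 DENY src=198.51.100.200 dst=198.51.100.11 proto=tcp dport=22
2011-01-09T08:10:11 DENY src=198.51.100.200 dst=198.51.100.12 proto=tcp dport=22
2011-01-09T08:10:12 DENY src=198.51.100.200 dst=198.51.100.13 proto=tcp dport=22
2011-01-09T08:10:13 DENY src=198.51.100.200 dst=198.51.100.14 proto=tcp dport=22
2011-01-09T08:30:00 DENY src=192.0.2.77 dst=198.51.100.10 proto=tcp dport=445
"""
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)$")

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    found = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])) for m in found if m]

def find_sweeps(events, window=timedelta(seconds=60), port_min=6, host_min=4):
    """Map each suspicious source to a reason: >= port_min distinct ports on one host
    (port sweep) or one port on >= host_min distinct hosts (host sweep), inside `window`.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        for i, (start, _, _, _) in enumerate(evs):  # slide a time window over this source
            ports_on, hosts_on = defaultdict(set), defaultdict(set)
            for ts, _, dst, dport in evs[i:]:
                if ts - start > window:
                    break
                ports_on[dst].add(dport)
                hosts_on[dport].add(dst)
            hit = [f"port sweep of {d}: {len(p)} ports" for d, p in ports_on.items() if len(p) >= port_min]
            hit += [f"host sweep on port {p}: {len(h)} hosts" for p, h in hosts_on.items() if len(h) >= host_min]
            if hit:
                alerts[src] = hit[0]
                break
    return alerts

if __name__ == "__main__":
    for src, why in find_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {why}")
```

The isolated, repeated hits on port 445 from 192.0.2.77 are deliberately not flagged, since they are spread far apart; only the rapid sweeps stand out, which is the kind of signal the reviewing staff in the text were missing.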
The goal of a company in protecting its computers and networks is to
make it so difficult for an attacker to gain access that he gives up before
he gets in. Today, because so many sites have minimal or no security,
attackers usually gain access relatively quickly and with a low level of
expertise. Therefore, if a company’s site has some security, the chances of
an attacker exploiting its systems are decreased significantly, because if
he meets some resistance, he will probably move on to a more vulnerable
site. This is only true for an opportunistic attacker who scans the Internet
looking for any easy target.
In cases of corporate espionage, where an attacker is targeting your site,
some security will make the attacker’s job more difficult, but will not
necessarily stop him. In this situation, hopefully the extra security will
make it so difficult that you will detect the attack before he gains access
and stop him before any damage is done.
In most cases, an attacker uses a passive reconnaissance attack first to
properly position himself. Next, he uses an active reconnaissance attack to
gather the information he is after. An example is an attacker breaking into
a machine so that he can sniff passwords off of the network when users
log on each morning. As this example shows, to perform active
reconnaissance, an attacker must have some level of access to the
system.
Each attack has value, but as you will see throughout this book, the real
value is gained when multiple techniques or attacks are combined. Giving
a carpenter a single tool allows him to build part of a house. When a
carpenter is familiar, well-trained, and has several tools in his toolbox, he
can build an entire house. These same principles apply for successfully
breaking into a system—or in our case, successfully preventing a break-in.