Collect and Assess

From the document Network Security Portable Reference (Page 97-100), Chapter 3: Hacking Concepts, "Hacking Model" (book page 39)

At this stage, you gather publicly available information about the enterprise network and determine what data will be used to launch the initial scans. This includes identification of the enterprise structure and personnel, identification of network domain(s), and identification of network addresses. In some cases, focusing on identification of the enterprise and domain is not necessary; for example, if your enterprise is small to medium sized, has had very direct and consistent corporate control, and has not grown as a result of acquisitions.

Scan

The intent of scanning and the different approaches to accomplish your mission are briefly covered here; in Chapter 4 we will look at specific techniques and commands. Scanning is the process of identifying “live” hosts or devices within the addresses targeted. This is accomplished in phases using a variety of ICMP, TCP, and UDP packets. It differs from enumeration in that the total number of packets sent across the network is smaller, albeit spread over a larger range of hosts.

The first step in scanning is to bombard the potential addresses with ICMP packets, looking for a reply that notifies you the hosts are “alive.” The next step is to send a limited number of TCP packets to all potential IP addresses, using commonly observed services running on the Internet. The final step is to send a very limited number of UDP packets to all potential IP addresses. In some cases TCP and ICMP filtering is in place, but network engineers or system administrators sometimes overlook sufficient UDP filtering. Details of techniques and suggested ports for inclusion are provided in Chapter 4. The results of all of this testing will be a list of responding hosts placed into a “live” hosts file, which you will use during the enumeration phase.

Figure 3-1. Hacking model

Enumerate

The final component in reconnaissance is enumeration. Enumeration is the process of identifying all services running on each “live” host identified, the specific vendor and build, and any additional information openly available from the host. This step involves three perspectives: expanded TCP and UDP port scans, full range TCP port scans, and service specific scans. By breaking down enumeration into its subcomponents, you can perform continuous actions toward your goal of hacking the network, while running thorough processes in the background.

The expanded TCP and UDP port scans are performed by using the “live” hosts file as the target range in your TCP port scan. This scan is designed to be run against known “live” machines, so the issues of timeouts and long delays should be mitigated. Consider limiting the services scanned to a manageable number, somewhere in the range of 20 to 30 services. This list should be developed to include the most common services running as well as the most commonly exploited services. A suggested list is provided in Chapter 4 and a more inclusive list is given in the Reference Center. In addition, the blocks of live addresses should be broken into organizational groups, often by network block ownership. This output will be generated rather quickly and will allow you to begin focusing on specific service identification; but first you need to start full port scans to run in the background.

The full port scans will again use the “live” hosts file. This process is exhaustive and time consuming, but will ensure complete host and service coverage during the assessment. The intent is to identify all services that may be running on uncommon ports and provide you a picture of your overall exposure on the network.

While the full port scans are running you can begin the service specific scans. Using the results of the expanded service scan, connections should be made to all the responding services to retrieve banners that identify specific service types, versions, and operating system type, many of which are provided as ASCII text. In some cases you will have to use specific client applications to produce the banners or enumerate the openly available host and user information. Once this process has been exhausted, the full port scans should be reviewed to identify any additional services, then proceed again to service specific scans on any newly identified ports. The final product of this exercise should be a comprehensive list of all the services and versions running and OS platforms being used, which you can then research for specific vulnerabilities during the compromise stage.
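The three scanning phases above (an ICMP sweep of a block, a few common TCP and UDP ports against the hosts that answered) and the enumeration scans that follow (the same short port list across every live host, then a full-range scan of each host) leave a recognisable footprint in perimeter logs. The following Python script is an added example, not code from the book: it assumes a simplified flow record of the form "proto src dst dport" (an assumption for this example), constructs an event set that reproduces those phases, and flags the sweep, the horizontal scans and the vertical scan from the monitoring side. Thresholds are arbitrary and should be tuned to the size of the monitored block.

```python
import re
from collections import defaultdict

# Hypothetical flattened firewall/flow record: "<proto> <src> <dst> <dport>",
# with "-" as the port for ICMP. The format is an assumption for this example.
LINE_RE = re.compile(r"^(icmp|tcp|udp)\s+(\S+)\s+(\S+)\s+(\d+|-)$")


def build_sample_log():
    """Constructed events (not real traffic) reproducing the phases in the text:
    an ICMP sweep of a block, a few common TCP and UDP ports against the hosts
    that answered, then a full-range TCP scan of one host, plus one benign client."""
    scanner = "203.0.113.9"
    block = [f"192.0.2.{i}" for i in range(1, 17)]   # 16 candidate addresses
    live = block[:10]                                # hosts that replied to ICMP
    lines = [f"icmp {scanner} {h} -" for h in block]
    lines += [f"tcp {scanner} {h} {p}" for h in live for p in (22, 25, 80, 443)]
    lines += [f"udp {scanner} {h} {p}" for h in live for p in (53, 161)]
    lines += [f"tcp {scanner} {live[0]} {p}" for p in range(1, 31)]  # truncated "full" scan
    lines.append(f"tcp 198.51.100.20 {live[1]} 443")                # ordinary HTTPS client
    return "\n".join(lines)


def parse_events(text):
    """Parse log text into (proto, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, src, dst, dport = m.groups()
        events.append((proto, src, dst, None if dport == "-" else int(dport)))
    return events


def detect_scans(events, sweep_hosts=8, horiz_hosts=8, vert_ports=20):
    """Return (kind, source, detail) findings. Thresholds are arbitrary for the
    example; tune them to the monitored block and expected client behaviour."""
    icmp_targets = defaultdict(set)   # src -> distinct hosts probed with ICMP
    port_targets = defaultdict(set)   # (src, proto, dport) -> distinct hosts
    host_ports = defaultdict(set)     # (src, dst, proto) -> distinct ports
    for proto, src, dst, dport in events:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        else:
            port_targets[(src, proto, dport)].add(dst)
            host_ports[(src, dst, proto)].add(dport)

    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:          # phase 1: ICMP sweep of a block
            findings.append(("icmp_sweep", src, f"{len(hosts)} hosts"))
    for (src, proto, dport), hosts in port_targets.items():
        if len(hosts) >= horiz_hosts:          # same port across many hosts
            findings.append((f"{proto}_horizontal_scan", src,
                             f"port {dport} on {len(hosts)} hosts"))
    for (src, dst, proto), ports in host_ports.items():
        if len(ports) >= vert_ports:           # many ports on one host
            findings.append((f"{proto}_vertical_scan", src,
                             f"{len(ports)} ports on {dst}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect_scans(parse_events(build_sample_log())):
        print(f"{kind:24} {src:16} {detail}")
```

On the constructed log the detector reports one ICMP sweep, four TCP and two UDP horizontal scans (one per probed port) and one TCP vertical scan, all from the same source, while the single benign client produces nothing. In practice the UDP phase is the one most likely to be missed, since it only shows up in logs if UDP is filtered or logged at all, which is the gap the text points out.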

Compromise

Compromise is the most challenging step of the hacking model. Compromising involves what the public media call hacking, a generic term that is as misleading as it is broad. Hacking was a term coined to mean the art of identifying issues or items that someone wants to modify in an effort to make them better or do something better. Today hacking is commonly associated with misuse or abuse on networks by exploiting services that have flaws or publicly available exploits.

The goal of almost any compromise is to obtain administrative or root level access to the system. During the compromise stage you focus on three areas: initial compromise, escalation, and maintaining your “owned” systems. The specific methods and techniques for compromising hosts are vast—simply keeping up with exploits is an overwhelming task that has led to a multitude of point-in-time manuals. While these are great as a reference to understand yesterday’s issues, the way to get the most up-to-date information is by using a search engine as well as security sites and looking specifically for vulnerabilities associated with the technologies you have identified. This method will always ensure you have the most recent and complete listing of vulnerabilities identified with the services.
