
Attackers break into systems for a variety of reasons and for a variety of purposes. Until you understand how attackers break into systems and why they do it, you will have a hard time defending against the variety of attacks that are currently being used to compromise systems. This chapter will take a detailed look at these issues so you can better understand the processes, methods, and types of attacks that are currently being used.

What Is an Exploit?

Because the topic of exploits will be addressed throughout the book, this is probably a good time to cover what an exploit actually is.

If this were a short-answer question, the correct answer would be “an exploit can be anything.” Basically, anything that can be used to compromise a machine is considered an exploit. Remember, we are also using a loose definition of the word compromise. A compromise could include the following:

Gaining access

Simplifying gaining access

Taking a system offline

Disclosing sensitive information

For example, going through a company’s garbage to find sensitive information can be considered an exploit. If an attacker goes through the garbage and finds a computer printout of top-secret information about a company’s new product, he has technically compromised the system without ever touching it. This is why addressing all the ways a system can be exploited is so important. Many times, security professionals put on blinders and look at only one aspect of security. It is important to remember that a chain is only as strong as its weakest link, and an attacker will compromise the weakest link in a company’s security.

Therefore, it is critical that security professionals step back and properly look at and address all the security issues a company might face.

Hollywood Hackers

For a good example of going through a company’s garbage, or the more technical term dumpster diving, rent the movie Sneakers. If you are reading this book and have not seen the movie, you should rent it immediately. Although it is a very entertaining movie, it also shows the security threats that companies can face.

Just to whet your appetite, the movie is about a company that performs penetration testing of other companies’ security systems—particularly banks.

To look at a more formal definition, www.dictionary.com defines an exploit as “a security hole or an instance of a security hole.” This brings out a very important point: For there to be an exploit, there has to be a weakness that can be compromised. If there are no weaknesses, there is nothing to exploit. That is why most people would say that a truly secure system is one that is not plugged into a network or any sort of electricity and buried in 30 feet of cement under the support beams for the Brooklyn Bridge. In this case, the number of possible exploits is minimized because the number of weaknesses is reduced or eliminated. It is also important to point out that, although the number of exploits is minimized, the functionality of the system is also severely minimized. One of the main reasons why companies do not have truly secure servers is that, whenever you increase security, you reduce functionality, and functionality is what keeps a company in business. The counter argument I always make is that functionality might keep a company in business, but lack of security will put a company out of business.

Therefore, when building secure systems, it is critical that you minimize the risk while limiting the impact on overall functionality. Figure 2.1 shows the constant battle of trying to balance security, functionality, and ease of use. Imagine that there is a ball in the triangle and you can move it to whatever corner you want. As you move the ball toward one corner, it moves away from the other two corners. This means that as you increase security, you reduce functionality and ease of use.

Figure 2.1. The security, functionality, and ease-of-use triangle.

Now that you have a good idea of what an exploit is and what things to be careful of when securing your system, let’s take a look at the process that attackers go through to exploit a system. The following section looks at all types of exploits, not just computer- or network-based, to give you a better idea of the threats that exist.

The Attacker’s Process

There are many ways an attacker can gain access or exploit a system. No matter which way an attacker goes about it, there are some basic steps that are followed:

1. Passive reconnaissance.

2. Active reconnaissance (scanning).

3. Exploiting the system:

o Gaining access through the following attacks:

Operating system attacks

Application-level attacks

Scripts and sample program attacks

Misconfiguration attacks

o Elevation of privileges

o Denial of service

4. Uploading programs.

5. Downloading data.

6. Keeping access by using the following:

o Backdoors

o Trojan horses

7. Covering tracks.

Note that it is not always necessary to perform all of these steps, and in some cases, it is necessary to repeat some of the steps. For example, an attacker performs the active and passive reconnaissance steps and, based on the information he gathers about the operating systems on certain machines, he tries to exploit the system. After unsuccessfully trying all sorts of operating system attacks (Step 3), he might go back to Steps 1 and 2. At this point, his active reconnaissance will probably be more in depth, focusing on other applications that are running or possible scripts that are on the system, and even trying to find out more information about the operating system, such as revision and patch levels. After he has more information, he will go back to attacking the system.

You would hope that, by protecting your systems from attack, this process would take a long time to accomplish, frustrating the attacker enough to give up before he gains access. Ideally, a company should have proper Intrusion Detection Systems in place so that it can detect an attack and protect against it before it does any damage. Most companies should strive for this, but unfortunately most ignore it.

Let’s briefly run through each of the steps from an attacker’s point of view. The attacker starts off by seeing whether he can find any general information about the system. This consists of information like the domain name and any servers or systems the company might have. After all of the passive information has been gathered, active reconnaissance begins. This is where the attacker tries to find out as much as he can about the systems without setting off too many alarms. He gathers things such as IP addresses, open ports, operating system and version, and so on. After some initial information is gathered, the attacker steps through each of the attack areas: operating system, applications, scripts, and misconfigured systems. For each item, he tries an attack; if unsuccessful, he tries to gather more information about the component.

After all the information has been gathered for an item, an attacker moves on to the next item. After an attack has been successful and access has been gained, the attacker then uploads any necessary programs, preserves access by installing Trojan horses, and finally cleans up the system to hide the attack.

Passive Reconnaissance

To exploit a system, an attacker must have some general information; otherwise, he does not know what to attack. A professional burglar does not rob houses randomly. Instead, he picks someone, like Bob, and he begins the passive reconnaissance stage of figuring out where Bob’s house is located and other general information.

The same thing has to be done with hacking. After an attacker picks a company to go after, he has to find out the company’s name and where it is located on the Internet. Chapter 3, “Information Gathering,” covers this in detail. The sections in this chapter on reconnaissance are meant to lay the groundwork for Chapter 3.

Passive information gathering is not always useful by itself, but is a necessary step, because knowing that information is a prerequisite to performing the other steps. In one case, I was gathering information to perform an authorized penetration test for a company.

I pulled up to the company around 4:00 p.m. I chose this time for two reasons. First, because most people leave between 4:30 p.m. and 5:30 p.m., I could observe a lot of behavior, but to do so I needed to park near the front of the building. Usually, that late in the day, some people have already left and you can get a close spot—thus, the second reason. I parked near the entrance and rolled down my window. Three people came out and stopped in front of my car to have a smoke. As they smoked, they talked about business and a new server they had just installed. It was set up for testing file transfer and FTP access to remote offices, but they went on to explain that, because they were having trouble with authentication, they had allowed anonymous access. As they finished the conversation, they started joking with one of them about why he had named the server Alpha-Two.

In the course of five minutes, I was given the name of a server that was accessible from the Internet and the fact that authentication was turned off, which meant that I had full access to the network! As fictitious as this story might sound, it actually happened and is quite realistic. It is amazing what people will say if they think that no one else is listening.

In some cases, passive reconnaissance can provide everything an attacker needs to gain access. On the surface it might seem like passive reconnaissance is not that useful, but do not underestimate the amount of information an attacker can acquire if it is done properly.

Passive attacks, by nature of how they work, might not seem as powerful as active attacks, but in some cases they can be more powerful. With passive attacks, you do not directly get access, but sometimes you get something even better: guaranteed access across several avenues.

One of the most popular types of passive attacks is sniffing. This involves sitting on a network segment and watching and recording all traffic that goes by. This can yield a lot of information. For example, if an attacker is looking for a specific piece of information, he might have to search through hundreds of megabytes of data to find what he is looking for. In other cases, if he knows the pattern of the packets he is looking for, it can be quite easy.

An example of this is sniffing passwords. There are programs an attacker can run from a workstation that watch for NT authentication packets. When one is found, the program pulls out the challenge/response material (the password itself is never sent in the clear; what crosses the wire is derived from the password hash) and saves it. An attacker can then feed that material to an offline password cracker to recover the plaintext password without ever sending a login attempt to the server. To get a single password, this might seem like a lot of work.

But imagine an attacker setting this up to start running at 7:00 a.m. and stop running at 10:00 a.m. Most people log on to the network in those three hours, so he can gather hundreds of passwords in a relatively short time period.

Another useful type of passive attack is information gathering. During this type of attack, an attacker gathers information that will help launch an active attack. For example, let’s say that an attacker sits near the loading dock of a company to watch deliveries. Most companies print their logos on the sides of boxes and are easy to spot. If an attacker notices that you receive several Sun boxes, he can be pretty sure that you are running Solaris. If, shortly after the release of Windows 2000, a company receives boxes from Microsoft, an attacker could probably guess that the company is upgrading its servers to the new operating system.

Active Reconnaissance

At this point, an attacker has enough information to try active probing or scanning against a site. After a burglar knows where a house is located and if it has a fence, a dog, bars on the windows, and so on, he can perform active probing. This consists of going up to the house and trying the windows and doors to see if they are locked. If they are, he can look inside to see what types of locks there are and any possible alarms that might be installed. At this point, the burglar is still gathering information. He is just doing it in a more forceful or active way.

With hacking, the same step is performed. An attacker probes the system to find out additional information. The following is some of the key information an attacker tries to discover:

Hosts that are accessible

Locations of routers and firewalls

Operating systems running on key components

Ports that are open

Services that are running

Versions of applications that are running
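The last three items in that list (open ports, running services, application versions) are what a connect scan with a banner grab produces. The following is an added example, not code from the book: it stands up two throwaway listeners on loopback with constructed banners (the "alpha-two" hostname is borrowed from the chapter's anecdote and is not a real system), scans them plus one port known to be closed, and fingerprints each greeting with a small regex table. Every connection it makes is exactly the kind of event a defender's logs should record.

```python
import re
import socket
import threading

# Constructed banners standing in for real daemons.
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
FTP_BANNER = b"220 alpha-two FTP server (Version wu-2.6.1) ready.\r\n"

# (service name, regex whose group 1 is the version string)
FINGERPRINTS = (
    ("ssh", re.compile(r"^SSH-\d\.\d+-(\S+)")),
    ("ftp", re.compile(r"^220 .*?\(Version ([^)]+)\)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (\S+)")),
)


def fingerprint(banner: str):
    """Map a greeting banner to (service, version). Unknown banners are kept
    verbatim rather than dropped: an odd banner is itself information."""
    for service, pattern in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return service, m.group(1)
    return ("unknown", banner or None)


def _serve(srv: socket.socket, banner: bytes) -> None:
    # Greet every connection, like a chatty daemon would.
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.sendall(banner)


def start_fake_service(banner: bytes) -> int:
    """Bind a throwaway listener on loopback and return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan plus banner grab. Closed or filtered ports are absent
    from the result; open ports map to (service, version)."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:            # refused, filtered, or timed out
                continue
            try:
                banner = s.recv(256).decode("latin-1").strip()
            except OSError:            # open but silent: still worth recording
                banner = ""
        found[port] = fingerprint(banner)
    return found


def recon_demo() -> dict:
    """Start two fake services, pick one port that is closed, scan all three."""
    ssh_port = start_fake_service(SSH_BANNER)
    ftp_port = start_fake_service(FTP_BANNER)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # released, so it now refuses connections
    return {"closed": closed_port, "open": scan("127.0.0.1", [ssh_port, ftp_port, closed_port])}


if __name__ == "__main__":
    for port, (service, version) in sorted(recon_demo()["open"].items()):
        print(f"{port}/tcp open  {service:8} {version}")
```

Real scanners add SYN scanning, timing controls and much larger fingerprint databases, but the structure is this: connect, read the greeting, match it against known strings, and feed the version into a vulnerability lookup, which is the step the chapter describes next.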

The more information an attacker can gain at this stage, the easier it will be for him to exploit the system. Typically, he finds out some initial information covertly and then tries to exploit the system. If he can exploit the system, he moves on to the next step. If he cannot exploit the system, he goes back and gathers more information. Why gather more information than he needs, especially if gathering that extra information sets off alarms and raises suspicion? It is an iterative process, where an attacker gathers a little, tests a little, and continues in this fashion until he gains access.

Keep in mind that, as an attacker performs additional active reconnaissance, his chances of detection increase because he is actively performing some action against the company. It is critical that you have some form of logging and review in place to catch active reconnaissance, because, in a lot of cases, if you cannot block an attacker here, your chances of detecting him later decrease significantly.

When I perform an assessment, usually I run some tests to figure out the IP address of the firewall and routers. Next, I try to determine the type of firewall, routers, and the version of the operating system the company is running to see if there are any known exploits for those systems. If there are known exploits, I compromise those systems. At that point, I try to determine which hosts are accessible and scan those hosts to determine which operating system and revision levels they are running. If an attacker can gain access to the external router or firewall, he can gather a lot of information and do a lot of damage.

For example, if I find that a server is running Windows NT 4.0 Service Pack 4, I check for all known vulnerabilities in that version and try to use them to exploit the system. Surprisingly, with most companies, when I perform active reconnaissance, their technical staff fails to detect that I have probed their systems. In some cases, it is because they are not reviewing their log files, but in most cases, it is because they are not logging the information at all. Logging is a must, and there is no way to get around it. If you do not know what an attacker is doing on your systems, how can you protect against it?
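Logging only helps if something reads the logs, so here is the review side of that advice as an added example (not from the book): a small detector that reads firewall drop records and flags a source that touches many distinct host/port pairs in a short window, distinguishing a vertical port scan from a horizontal sweep. The log format, addresses, thresholds and window are all assumptions chosen for the example; the sample lines are constructed, not a real capture, and include one line the parser cannot read so that gaps in the log are counted rather than ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall drop records (iptables-style fields). 203.0.113.7 walks
# eight ports on one host within seconds, 203.0.113.42 knocks on port 1433 of
# eight hosts, and 198.51.100.5 is ordinary web traffic. One line is noise.
SAMPLE_LOG = """\
2003-05-12T08:14:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2003-05-12T08:14:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2003-05-12T08:14:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2003-05-12T08:14:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
2003-05-12T08:14:06 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2003-05-12T08:14:07 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=110
2003-05-12T08:14:08 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=139
2003-05-12T08:14:09 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
2003-05-12T08:20:00 DROP src=203.0.113.42 dst=192.0.2.1 proto=tcp dport=1433
2003-05-12T08:20:01 DROP src=203.0.113.42 dst=192.0.2.2 proto=tcp dport=1433
2003-05-12T08:20:02 DROP src=203.0.113.42 dst=192.0.2.3 proto=tcp dport=1433
2003-05-12T08:20:03 DROP src=203.0.113.42 dst=192.0.2.4 proto=tcp dport=1433
2003-05-12T08:20:04 DROP src=203.0.113.42 dst=192.0.2.5 proto=tcp dport=1433
2003-05-12T08:20:05 DROP src=203.0.113.42 dst=192.0.2.6 proto=tcp dport=1433
2003-05-12T08:20:06 DROP src=203.0.113.42 dst=192.0.2.7 proto=tcp dport=1433
2003-05-12T08:20:07 DROP src=203.0.113.42 dst=192.0.2.8 proto=tcp dport=1433
2003-05-12T09:00:01 DROP src=198.51.100.5 dst=192.0.2.10 proto=tcp dport=80
2003-05-12T09:03:15 DROP src=198.51.100.5 dst=192.0.2.10 proto=tcp dport=80
2003-05-12T09:10:40 DROP src=198.51.100.5 dst=192.0.2.10 proto=tcp dport=80
2003-05-12T09:11:00 kernel: eth0 link up
"""

LINE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) proto=\w+ dport=(\d+)$")


def detect_scans(log: str, window_seconds: int = 60, threshold: int = 8):
    """Flag any source that touches at least `threshold` distinct (host, port)
    pairs inside a sliding window of `window_seconds`. Returns (alerts, unparsed)
    so that lines the parser could not read are visible to the reviewer."""
    by_src = defaultdict(list)
    unparsed = 0
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            unparsed += 1
            continue
        ts, src, dst, dport = m.groups()
        by_src[src].append((datetime.fromisoformat(ts), dst, int(dport)))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            pairs = {(dst, port) for _, dst, port in events[start:end + 1]}
            if len(pairs) < threshold:
                continue
            hosts = {dst for dst, _ in pairs}
            ports = {port for _, port in pairs}
            if len(hosts) == 1:
                kind = "vertical port scan"      # one host, many ports
            elif len(ports) == 1:
                kind = "horizontal sweep"        # one port, many hosts
            else:
                kind = "mixed scan"
            alerts.append({"src": src, "kind": kind, "hosts": len(hosts), "ports": len(ports),
                           "first": events[start][0], "last": events[end][0]})
            break                                # one alert per source is enough
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect_scans(SAMPLE_LOG)
    for a in found:
        print(f"{a['src']}: {a['kind']} ({a['hosts']} hosts, {a['ports']} ports) {a['first']} .. {a['last']}")
    print(f"{bad} unparsed line(s)")
```

A slow scanner that spreads its probes over hours stays under any per-window threshold, which is why the window and threshold need tuning against your own baseline and why the chapter's advice to review logs, not just collect them, matters.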

The goal of a company in protecting its computers and networks is to make it so difficult for an attacker to gain access that he gives up before he gets in. Today, because so many sites have minimal or no security, attackers usually gain access relatively quickly and with a low level of expertise. Therefore, if a company’s site has some security, the chances of an attacker exploiting its systems are decreased significantly, because if he meets some resistance, he will probably move on to a more vulnerable site. This is only true for an opportunistic attacker who scans the Internet looking for any easy target.

In cases of corporate espionage, where an attacker is targeting your site, some security will make the attacker’s job more difficult, but will not necessarily stop him. In this situation, hopefully the extra security will make it so difficult that you will detect the attack before he gains access and stop him before any damage is done.

In most cases, an attacker uses passive reconnaissance first to properly position himself, and then active reconnaissance to gather the specific information he is after. The two also feed each other in the other direction. An example is an attacker breaking into one machine (an active attack) so that he can then sniff passwords off the network (a passive attack) when users log on each morning. Note that ordinary active reconnaissance, such as port scanning, requires no access to the target at all; in this example, the access gained actively is what makes the later passive collection possible.

Each attack has value, but as you will see throughout this book, the real value is gained when multiple techniques or attacks are combined. Giving a carpenter a single tool allows him to build part of a house. When a carpenter is familiar, well-trained, and has several tools in his toolbox, he can build an entire house. These same principles apply for successfully breaking into a system—or in our case, successfully preventing a break-in.

Exploiting the System

Now comes the scary part for a security professional. When most people think about exploiting a system, they only think about gaining access, but there are actually two other areas: elevation of privileges and denial of service. All three are useful to the attacker depending on the type of attack he wants to launch. There are also cases where they can be used in conjunction with each other. For example, an attacker might be able to compromise a user’s account to gain access to the system, but because he does not have root access, he cannot copy a sensitive file. At this point, the attacker would have to run an elevation of privileges attack to increase his security level so that he can access the appropriate files.

It is also important to note that an attacker can exploit a system to use it as a launching pad for attacks against other networks. This is why system break-ins are not always noticed, because attackers are not out to do direct harm or steal information. In these cases, a company’s valuable resources are being used and, technically, that company is hacking into other companies.

Think about this for a minute: Whether it is authorized or not, if someone is using Company A’s computers to break into Company B, when Company B investigates, it will point back to Company A. This is called a downstream liability problem. This can have huge legal implications for a company if it is not careful—especially if the attackers want to have some fun and carefully pick the two companies so that Company A and B are major competitors. If you are the head of security for Company A, you

Gaining Access

Because one of the most popular ways of exploiting a system is gaining access, let’s start with this type of attack. There are several ways an

