Ch1_2_Know Your Enemy

The document outlines the motivations and techniques of attackers in computer systems, emphasizing the importance of understanding their methods to enhance security. It details the steps of intrusion, from identifying targets to covering tracks after an attack, highlighting various vulnerabilities and tools used by intruders. The document also discusses the roles of different entities in network security, such as Alice, Bob, and Trudy, to illustrate secure communication and potential threats.

Uploaded by Jacques El Nahri

Know Your Enemy

- Need to understand how attackers work in order to defend against them
- Understand why people attack a computer system
  - What are they after (motivations)?
  - What assets are in place?
- Critical to understand the person behind the attack (amateur, government, industry...)
Friends and Enemies: Alice, Bob, Trudy

- Well-known in the network security world
- Bob and Alice want to communicate "securely"
- Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) sends data to Bob (secure receiver) over a channel carrying data and control messages; Trudy sits on the channel between them]
Who might Bob, Alice be?

- Web browser/server for electronic transactions (e.g., on-line purchases)
- On-line banking client/server
- Routers exchanging routing table updates
- DNS servers exchanging queries and responses
- Other examples?
Who might Trudy be?

Intruder Motives

- Money, profit
- Access to additional resources
- Competitive advantage (economic, political)
- Personal vengeance
- Curiosity
- Mischief: playful misbehavior
- Attention
Intruder Techniques

- Leverage use of currently available technologies
- Creating easy-to-use exploitation scripts
- Developing increasingly sophisticated toolkits
- Transferring expertise to novice/inexperienced intruders
- Increasing impact by targeting the infrastructure

Opportunities for Intrusion

- Rapid adoption of computer and network technology in government, industry and educational organizations
- Internet explosion and e-commerce
- Thousands of exploitable vulnerabilities in technology
- Lack of awareness regarding information security
- Shortage of qualified information security experts
- Lack of applicable laws and means of enforcement
- International scope
Steps of Intrusion/Hacking

- Find the targets (motives)
- Locate the target's computer information assets (reconnaissance)
- Find any vulnerabilities in the assets (scanning)
- Gain access (intrusion)
- Increase access privileges (privilege escalation)
- Gather data
- Make a backdoor
- Cover tracks
Step 1 - Find the targets

- Can be done with the knowledge of the target
- Random targets
- Specific target
  - Political
  - Military
  - Industrial
  - Money
Step 1 - Find the targets (2)

- Using public information to locate a target and information about that target
- Target environments
  - Internet
  - Intranet
  - Remote access
  - Extranet (partners, associations of the target)
Step 1 - Find the targets: Website (3)

- Gather employee info, remote sites, partnerships, network info, phone numbers
- Check the source code of a site (comments)
- Use the search operator link:www.example.com
  - Gives you all sites that have this as a link
- Other web sites

Step 1 - Find the targets: Network information (4)

- Domain name info
  - Organization: address
  - Admin contact: email, phone, fax
  - Tech contact: email, phone
- Whois will give this info
- Nslookup
- InterNIC/ICANN: public information regarding Internet domain name registration services

Step 1 - Find the targets: Network reconnaissance (5)

- Determine network topology
  - Traceroute or tracert
  - VisualRoute: graphic traceroute

Step 2 - Locate the target's assets

- Assets
  - Computers
  - Routers
  - Firewalls
  - Dial-in connections
  - Remote sites
  - WiFi
Step 2 - Locate the target's assets (2)

- Lots of tools to find out about devices
- These are active probes of the network and can be detected
- Some probes are part of normal communications and are hard to detect
- Social engineering
Step 2 - Locate the target's assets: Network pings (3)

- Use ping, nmap to sweep a network address range looking for hosts
- Use other ICMP queries like
  - Timestamp
  - Address mask
Step 2 - Locate the target's assets: Port scanning (4)

- Used to identify services running on a computer, e.g. 80: www-http
- The port numbers are divided into three ranges
  - Well Known Ports: 0-1023
  - Registered Ports: 1024-49151
  - Dynamic and/or Private Ports: 49152-65535
- More info: http://www.iana.org/assignments/port-numbers
- Several tools
  - Nmap
  - Strobe
  - Superscan
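The ping sweeps and port scans on the last two slides are the "active probes that can be detected". As an added example that is not part of the original slides, this Python code runs a simple sweep/scan detector over constructed firewall-style log lines; the log format, the addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the slides). One line per packet:
# "<ISO timestamp> <proto> <src> -> <dst>:<dport> <action>"
SAMPLE_LOG = "\n".join(
    # 203.0.113.5 pings 12 different hosts within one minute: a ping sweep
    [f"2024-05-01T10:00:{i:02d} ICMP 203.0.113.5 -> 192.0.2.{i + 1}:0 DROP" for i in range(12)]
    # 198.51.100.9 knocks on 15 ports of one host within one minute: a port scan
    + [f"2024-05-01T10:02:{i:02d} TCP 198.51.100.9 -> 192.0.2.10:{20 + i} DROP" for i in range(15)]
    # a normal client talking to the web server a few times: should not alert
    + [f"2024-05-01T10:03:{i:02d} TCP 192.0.2.50 -> 192.0.2.10:80 ACCEPT" for i in range(5)]
)

def parse_line(line):
    """Split one log line into its fields."""
    ts, proto, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": src, "dst": dst, "port": int(port), "action": action}

def _bucket(ev, window):
    """Fixed-width time bucket per source; enough to flag a burst of probes."""
    return ev["src"], int(ev["ts"].timestamp() // window)

def detect_ping_sweep(log_text, min_hosts=8, window=60):
    """Sources that ICMP-probe at least min_hosts distinct hosts inside one window."""
    seen = defaultdict(set)
    for ev in map(parse_line, log_text.splitlines()):
        if ev["proto"] == "ICMP":
            seen[_bucket(ev, window)].add(ev["dst"])
    return {src for (src, _), hosts in seen.items() if len(hosts) >= min_hosts}

def detect_port_scan(log_text, min_ports=10, window=60):
    """Sources that touch at least min_ports distinct ports on one host inside one window."""
    seen = defaultdict(set)
    for ev in map(parse_line, log_text.splitlines()):
        if ev["proto"] in ("TCP", "UDP"):
            src, bucket = _bucket(ev, window)
            seen[(src, bucket, ev["dst"])].add(ev["port"])
    return {src for (src, _, _), ports in seen.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    print("ping sweep sources:", detect_ping_sweep(SAMPLE_LOG))
    print("port scan sources: ", detect_port_scan(SAMPLE_LOG))
```

A probe spread slowly over many windows stays under these thresholds, which is why the slide's remark that some probes are hard to detect still holds.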
Step 2 - Locate the target's assets: OS detection (5)

- Based on responses to various packets and which services are active, you can guess the OS on a machine
- Active methods involve sending packets and checking the results
- Passive methods require listening to network traffic
- Try telnet, ftp or web banners; they sometimes reveal the OS type
Step 3 - Find any vulnerabilities in the assets

- OS fingerprinting
- Known OS vulnerabilities
- Known application vulnerabilities
- Known communication vulnerabilities
- Default passwords
- Shared resources
- Social engineering
Top Vulnerabilities to Windows Systems

- W1 Internet Information Services (IIS)
- W2 Microsoft SQL Server (MSSQL)
- W3 Windows Authentication
- W4 Internet Explorer (IE)
- W5 Windows Remote Access Services
- W6 Microsoft Data Access Components (MDAC)
- W7 Windows Scripting Host (WSH)
- W8 Microsoft Outlook and Outlook Express
- W9 Windows Peer to Peer File Sharing (P2P)
- W10 Simple Network Management Protocol (SNMP)

Source: http://www.sans.org
Top Vulnerabilities to Unix Systems

- U1 BIND Domain Name System
- U2 Remote Procedure Calls (RPC)
- U3 Apache Web Server
- U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
- U5 Clear Text Services
- U6 Sendmail
- U7 Simple Network Management Protocol (SNMP)
- U8 Secure Shell (SSH)
- U9 Misconfiguration of Enterprise Services NIS/NFS
- U10 Open Secure Sockets Layer (SSL)

Source: http://www.sans.org
Step 4 - Gain access

- Password guessing
- Social engineering
- Default passwords
- Packet sniffing
- Network attacks
  - Redirects
  - Man-in-the-middle
- Buffer overflows, SQL injection
- Backdoors: Trojan horses, viruses, worms
Step 5 - Increasing access

- Once they have gained access, what comes next...
- Increasing access is done to become the privileged user on a machine (root): privilege escalation
- Use your machine as a launch point for an attack
  - DDoS
  - IP hiding (spoofing)
Step 5 - Increasing access (2)

- Password cracking (dictionary attack)
- Known exploits
- Public tools that can be run to increase access
- Password guessing
- Exploiting trust relationships with the target

Step 6 - Gather data

- Password sniffers
  - Sniff the network, application and email passwords back to the hacker
- Look for information in the system
  - Other passwords
  - Memos, letters, confidential info
  - Financial information
Step 7 - Making a backdoor

- Create user accounts
- Modify passwords of dormant accounts
- Batch jobs: a scheduled program that runs on a computer without user interaction
- Replace applications with Trojan applications (malware disguising itself as a standard program) that accept a secret user/password
Step 8 - Cover tracks

- Clear log files
- Replace applications (rootkit: software used by cybercriminals to gain control over a target computer or network; very difficult to detect)
- Blow away the entire system!!!
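Clearing log files is the track-covering step a defender most wants to notice. As an added example that is not part of the original slides, this Python code chains each log record to the previous one with an HMAC, so that a checkpoint tag kept by a remote collector exposes any edited, deleted or truncated records; the key, the log lines and the checkpoint are constructed placeholders.

```python
import hashlib
import hmac

# Assumed: the collector holds this key and the latest chain tag off the monitored
# host, so an intruder who clears the local file cannot also rewrite the chain.
COLLECTOR_KEY = b"placeholder-collector-key"   # placeholder, one real key per host
GENESIS = b"\x00" * 32                         # tag "before" the first record

# Constructed sample log lines, not from the slides
SAMPLE_LINES = [
    "10:00:01 sshd: accepted password for alice from 192.0.2.50",
    "10:00:07 sudo: alice ran /usr/bin/less /var/log/auth.log",
    "10:00:09 useradd: new user 'svc-backup' uid 1002",
    "10:00:10 cron: job added for svc-backup",
]

def chain_log(lines, key=COLLECTOR_KEY):
    """Attach to every line an HMAC over (previous tag || line); return [(line, tag_hex)]."""
    prev, records = GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records

def verify_chain(records, checkpoint_hex, key=COLLECTOR_KEY):
    """Recompute the chain and compare its last tag with the collector's checkpoint.
    Returns ("ok", n), ("broken", i) when record i was edited or a record before it
    was deleted, or ("truncated", n) when the chain is intact but ends early."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return ("broken", i)
        prev = tag
    if hmac.compare_digest(prev.hex(), checkpoint_hex):
        return ("ok", len(records))
    return ("truncated", len(records))

if __name__ == "__main__":
    recs = chain_log(SAMPLE_LINES)
    checkpoint = recs[-1][1]                   # what the collector would have stored
    print(verify_chain(recs, checkpoint))      # ("ok", 4)
    print(verify_chain(recs[:-1], checkpoint)) # ("truncated", 3)
```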


Access to Intermediate Computers

- Attackers rarely attack their target computer directly.
- In most cases attackers use intermediate computers as stepping stones to the final computer.
  - The attackers can hide their trail
  - It is often difficult to attack the target computer, so the attacker uses other computers to obtain user accounts and to load attack tools, which may enhance the chance of accessing the target.
