
Hackers Beware
o Scripts and sample program attacks
o Misconfiguration attacks
o Elevation of privileges
o Denial of Service
4. Upload programs
o Keep access—backdoors and Trojans
o Covering tracks
For an initial attack against a system, an attacker has to go through all of these steps. Therefore, if a company properly understands the tools and techniques used to accomplish these steps, it has a better chance of detecting the attacker and stopping him before he causes any damage. Remember defense in depth: the more levels of defense and the more levels of understanding a company has, the higher the chance it will stop an attacker before he compromises the company’s network.
To finish up the book, we are going to cover several scenarios of how an attacker might get into a system. Keep in mind that most of these are not that technical or sophisticated. In fact, after reading each one, you should be saying, “This seems easy enough to defend against.” The problem with network security is not that any given vulnerability is that complex; the problem is the sheer number of them. When a company has a dynamic environment with a large number of systems, it loses control of security by not keeping up with it. One vulnerability is all it takes for an attacker to compromise a system. Hopefully, by seeing how straightforward some of these attacks are, you can build better security for your company.
Attack Scenarios
Let’s go through several attack scenarios to show you how an attacker typically compromises a site. In reality, an attacker often performs several of these attacks in parallel, but we will break them out to make it easier to follow. To give you an idea of what attackers are doing to break into systems, the attacks range from non-technical to technical. Attackers will always take the path of least resistance to break into a system. This is why it is so important to look at all aspects of a company’s security. Just because a company has top-notch network security does not mean that an attacker will not take advantage of a weakness in physical security.
These scenarios depict the range and type of attacks that are being performed against companies.
Scenario 1—Rogue Modem
This scenario illustrates how an attacker takes advantage of a rogue modem at a company. These types of attacks against modems are quite common among attackers. The following are the steps for this attack:
“Hackers Beware “ New Riders Publishing |
780 |

1. Acquire company information. To perform the attack, an attacker needs to know the general phone number for the company so he knows what range of addresses to scan. This information can easily be obtained in many different fashions. First, a quick call to the operator or scan of a telephone book usually gives this information. Second, a company’s web site usually has contact information that provides numbers. Third, an attacker can call the company and try to social engineer the information out of the help desk or IT staff.
2. Run a war dialer. This attack can be performed manually, but is very time consuming. Instead, an attacker uses a war dialer program like THC and enters the general exchange for the company obtained in the previous step. Depending on the range of numbers, the attacker might start with a small range of numbers and slowly increase the numbers. For example, through analysis, let’s say the attacker finds the general number to be 555-5000, but notices that all IT numbers start with 555-5200 and all finance numbers start with 555-5400. Because most finance departments have non-technical people and usually require phone lines to access banks, he thinks this might be a good place to start. Most attackers start small and work their way up.
War Dialers
A war dialer is a program that, given a list of phone numbers, goes through and dials the numbers looking for a modem to answer. If a modem answers, it records the number and moves on to the next number. If a person answers, it hangs up. To prevent a war dialer from being blocked by the phone company for dialing too many sequential numbers in a row, war dialers usually dial the string of numbers in random order.
3. Analyze information. After the scans are complete, the attacker looks through the information identifying modems. He is looking for rogue modems, not the dial-in modem pool. A rogue modem is a modem that is connected to a workstation or server and usually can be dialed without permission from security or IT. If an attacker runs across a string of several numbers with modems attached, that is probably the modem pool and should be put off until later.
4. Connect to each modem. After the rogue modems that are connected to individual servers or workstations have been identified, the attacker tries to connect to each, probing the system when it answers to see what program answered the connection. Most war dialers also perform this step, known as nudging, but in some cases, attackers can perform more sophisticated steps.
5. Find PC Anywhere. PC Anywhere is an application that lets users access a remote computer, as if they were sitting in front of it.
Finding an unprotected copy of PC Anywhere or a similar program would give an attacker all kinds of options. During the previous probing stage, PC Anywhere was found on a user’s computer, with no password required. This is not a negative aspect of PC Anywhere itself; it is a negative aspect of how users configure the program.
6. Connect via the modem. The attacker connects to the system via the modem, installs Back Orifice onto the computer, and disconnects.
7. Connect via the Internet. Using Back Orifice, the attacker connects to the client via the Internet and now has full control of the machine with an easy-to-use GUI.
8. Run a sniffer. Using Back Orifice, the attacker runs a sniffer on the network to gather information.
9. Gather passwords. One of the pieces of information the attacker gathers is the password for an administrator account.
10. Take over systems. The attacker uses this password to compromise the server and set up several backdoor accounts on the system. The attacker also installs backdoor listening agents on the system.
11. Compromise the network. The attacker has full access to the network and all machines that reside on the network.
Scenario 2—Social Engineering
This scenario shows a social engineering attack. Even though these attacks are non-technical, they are usually highly effective. The following are the steps for this attack:
1. Search the web. Usually, to perform social engineering attacks, some initial research needs to be performed. Two places that provide a lot of information are a company’s web site and employment web sites. From a company’s web site, you can infer information about its growth plans and busiest offices. Also, from going to employment web sites, you can get an idea of the positions a company is posting, which also tells you which departments are hiring. Usually, these advertisements also list hiring managers and department names.
2. Analyze information. By going through the open source information, an attacker can put together a story on why he needs access. In this case, based on the information that was acquired, the attacker finds out that the New York office is really growing and is near Central Park. It just won a big contract with WCT Company and is hiring a lot of people. The hiring manager is Eric C and is probably overworked because he is trying to hire three managers under him and two assistants.
3. Call the help desk. Now that the attacker has a story, he calls up the help desk and explains to the help desk person that he just started in the New York City office and is amazed at how quickly the office is growing. The attacker explains that he works for Eric C, who told him to call up the help desk and ask for an account because he’s so swamped with interviews today. If the attacker sprinkles in information on how amazed he is with how much Eric C is doing, the nice view of Central Park, and other information, the attacker can convince the help desk person that he really does work for the company.
4. Acquire account. With a little persistence, you would be amazed at how quickly the attacker hears those magic words “Please wait while I set up an account for you.”
5. Acquire dial-up number. After the account information is set up, the attacker explains that, because he is going to be so busy and will have to work at night, he will need the dial-up number for modem access.
6. Log into system. The attacker gets a cup of coffee and logs into the network.
Scenario 3—Physical Breach of Security
The following scenario is another example of a non-technical attack, but is illustrated to show you that even the simplest attacks can be very effective. The following are the steps for this attack:
1. Search company information. To perform a physical security attack, an attacker needs to find the location of the company. He can do that by searching the company’s web site or a phone book.
2. Find the location. After the location is found, maps or web sites can be used to find directions and the specific location of the company.
3. Sit outside the company. An attacker drives to the company and sits outside, usually in the morning, around lunch, and/or in the afternoon. The goal is to find patterns of behavior on how people enter and exit the building and the best possible way into the building, without getting detected.
4. Follow users through a back entrance. After careful analysis, the attacker finds a back door that most people use to enter the building in the morning. There is usually a steady stream of people between 8:30 and 9:00 am. At around this time, the attacker dresses according to the dress code for the company and carries a box that appears to be heavy. He follows someone into the building who will graciously hold the door open for him because he is carrying a heavy box. Again, by engaging in some casual conversation, an attacker can bypass any physical access controls that have been installed in the building.
5. Find an unattended system. When inside the building, the attacker wanders around looking for an unlocked terminal. This can be a little risky first thing in the morning because he does not know when people come in. Also, many people turn their machines off when they leave for the evening. The best time for an attacker to look for an unlocked terminal is during lunch. Most people leave their computers on and do not lock the terminal. Even if someone comes by, an attacker can always use the excuse “I work for the help desk and I heard this user was having problems with his computer.” Because users frequently have problems with their computers, this works most of the time.
6. Copy sensitive files. The attacker now has whatever access the user has, which usually means access to most of the company’s data. Because the attacker is technically logged in as that user, he can access shares and sensitive information and copy it to removable media.
7. Install backdoor program. If the attacker does not want access to the company’s data, but to the resources, the attacker can install a backdoor program. Software like reverse www shell can be installed to open up a connection to the attacker’s machine at a given time every day. This way, the attacker can check if web surfing is allowed; if it is, reverse www shell is also allowed out of the network.
Scenario 4—Attacking NT
Now let’s combine some of the tools to cover an attack for NT. This is just one of the many possible scenarios an attacker can use to compromise a system:
1. Run reconnaissance against the network. From the Internet, the attacker performs the information gathering and scanning steps that were covered in Chapter 2. This information is used to identify which systems are active on the network.
2. Identify NT systems. After active systems are found, an operating system fingerprinting program like queso or nmap is used to identify NT systems.
3. Exploit the Null session. A program such as hunt for NT, which is part of the NT Forensics toolkit, can be used to exploit the Null session and connect to the system. The tool can be found at http://www.foundstone.com/rdlabs/tools.php.
4. Gather information. By using a variety of tools, the attacker can extract information about the system including user accounts and passwords.
5. Access password information. The information gathered in the previous step can be used to acquire password information and guess a user’s password.
6. Log in to the system. After an attacker has access to a user’s ID and password, he can access the system and compromise the network.
Scenario 5—Attacking UNIX
In this scenario, you will see how an attacker does some basic reconnaissance against the system and, through port scanning, identifies a vulnerable service and exploits it to gain access. The following are the steps for this attack:
1. Run reconnaissance against the network. From the Internet, the attacker performs the information gathering and scanning steps that were covered in Chapter 2. This information is used to identify which systems are active on the network.
2. Identify UNIX systems. After active systems are found, an operating system fingerprinting program like nmap is used to identify UNIX or Linux systems.
3. Run port scan. nmap can be used to not only identify the operating system, but also run a port scan of the system.
4. Exploit vulnerable ports. After a list of open ports has been found, a program called netcat can be run to connect to the ports and probe for information. In this case, imapd is running on the system. The attacker downloads the imapd exploit source code, compiles it, and runs it against the box. After the exploit has been run, the attacker can run whatever command he wants against the system.
5. Create an account. The attacker creates an account with root access so that he can get back into the system whenever he wants.
6. Install a Trojan. Because an attacker wants as many avenues in and out of the system as possible, the attacker connects back to the machine and installs a kernel level root kit or loadable kernel module like knark on the system. He configures a backdoor into the logging program, so that he can get back in with minimal effort.
Summary
As you can see, there are a variety of ways an attacker can get into a system. Most of these are not very complicated, but that is the point. It does not take a lot for an attacker to get into a system. On a recent attack I worked on, from initial scanning to root compromise took the attacker 150 seconds. Also, in most cases, after the attacker gains access, he installs backdoors and performs steps to cover his tracks.
There are numerous ways an attacker can break into a system. Most of the time, after an attacker does initial probing, he determines the easiest way to compromise a system and goes after that vulnerability. Based on the type and variety of tools, an attacker can pick an exploit from column A and combine it with an exploit from column B to come up with a unique way to compromise a machine. A simple example is password cracking. To crack a password, I have to obtain the password file. This can be accomplished many different ways: an attacker can run a buffer overflow compromise to obtain the root password, try to guess a password for FTP, or breach the physical security. So even if you fix one of these vulnerabilities, an attacker will just try another way in.
Having a 70-percent secure system is not good enough, because that still leaves a variety of ways to get in. The trick is to follow some general principles that we have highlighted throughout the book and will summarize in the next chapter.
Chapter 20. Summary
Hopefully, this book has increased your awareness of the threats that exist and has shown you what can be done to protect against them. When it comes to network security and protecting your site, ignorance is deadly and knowledge is power. A company can only defend its network and systems from attackers if it understands what it is up against. A company must understand how attackers break into systems and what tools they use to compromise a network. The attacker tools on the Internet are only dangerous to a site if the attackers are the only ones using them. If companies run these tools against their sites on a regular basis—to see what information can be obtained and to minimize the damage—then the overall value to attackers is decreased. Use the tools that exist on the Internet and the ones covered in this book to make your job easier and your systems more secure.
Warning—Use at Your Own Risk
Throughout this book I emphasized that if a company uses the attack methods and tools discussed, then the overall value to attackers decreases. I just want to insert a warning that these tools should be used at your own risk. Remember the Trojan horses: It is easy for someone to insert a hidden feature into a program. Because some of the tools are written by unknown entities, a company should use caution when running these tools. I am not saying you should not use them; however, you need to be aware of the potentially damaging code that could lie below the surface. These tools could very well contain malicious code that would do harm or create backdoors on your computers. As long as you use these tools with caution and take some preventive measures, you minimize the potential impact of any malicious code.
Whenever I download new tools, I usually connect to the Internet from a separate machine. I then perform some quick analysis of the tool. I call it the smell test. If something doesn’t look right, doesn’t taste right, and doesn’t smell right, it’s probably not okay. If I find anything that looks suspicious, I proceed with caution. Before I install the tool, I either take a snapshot of the system or run tripwire against key files. This way, I can tell exactly what the installation program has changed and what files it has installed. This gives you a good idea of what is going on. If a program modifies the login script when it installs, you should be concerned. I also perform the same analysis when I run the program, so I can get an idea of what the program is changing when it runs on a particular computer or network.
The next step I perform is running the tool in a lab environment. This can be nothing more than a couple of machines on an isolated network. Because this is a test machine and network, even if the program does damage, there is not a big concern of it compromising the entire network. Also, when I run the tool, I use a sniffer on the test network and analyze the packets. Once again, I am looking for anything that looks suspicious. At that point, I consider using it. When you use these tools to perform a security assessment of your system, you should always run them on a separate machine that has minimal access, so you can minimize the potential damage.
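The snapshot-and-compare step described above, as an added example that is not from the book: a small Python file-integrity check in the spirit of tripwire. It records a hash, size and permission bits for every regular file under a directory before a tool is installed, then reports what the installation added, removed or modified. The directory and file names used are assumptions.

```python
import hashlib
import json
import os
import stat
import sys
from typing import Dict, List, Tuple

# One record per file: (sha256 hex digest, size in bytes, permission bits).
Record = Tuple[str, int, int]
Baseline = Dict[str, Record]


def _sha256(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Baseline:
    """Record hash, size and mode of every regular file under root.

    Paths are stored relative to root, so a baseline taken on the lab
    machine can be compared even if the tree is copied elsewhere.
    """
    baseline: Baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and sockets
            rel = os.path.relpath(full, root)
            baseline[rel] = (_sha256(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def compare(before: Baseline, after: Baseline) -> Dict[str, List[str]]:
    """Return the files an installation added, removed or modified.

    A change in content, size or permission bits counts as modified.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def report(diff: Dict[str, List[str]]) -> str:
    """Render the comparison as one line per changed file."""
    lines = [f"{kind:>8}: {path}" for kind in ("added", "removed", "modified")
             for path in diff[kind]]
    return "\n".join(lines) if lines else "no changes detected"


if __name__ == "__main__":
    # Assumed usage (directory names are placeholders):
    #   python integrity.py snapshot /etc > before.json
    #   ... install the tool under test ...
    #   python integrity.py compare /etc before.json
    cmd, root = sys.argv[1], sys.argv[2]
    if cmd == "snapshot":
        print(json.dumps(snapshot(root), indent=1))
    elif cmd == "compare":
        with open(sys.argv[3]) as f:
            saved = {k: tuple(v) for k, v in json.load(f).items()}
        print(report(compare(saved, snapshot(root))))
```

Run the snapshot once more after the first execution of the tool, not only after installation, to catch files it changes at run time.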
As I stated before, security professionals need to embrace these tools; otherwise, the attackers are the only ones with power tools. On the other hand, power tools can be dangerous, so common sense should be used to verify and validate the tools before they are used.
Security Cannot Be Ignored
I have come across too many companies that are so overwhelmed by security that they feel if they ignore it, it will just go away. Unfortunately, your company will go out of business if you ignore security for too long. The only way to address security is to start somewhere. If you have ignored security and have no idea where to start, a good place is to flip back to Chapter 18, “SANS Top 10”. The chapter summarizes the tips that a company can use to start providing an adequate level of protection.
For most companies that start addressing security, it is extremely overwhelming. The analogy I like to give is that it is like drinking from a fire hose. All you want is a little water and the fire hose blasts so much water at you that very little water actually gets in your mouth. Even though this is the case with security, because there are so many points of vulnerability, a company needs to start somewhere. Remember, you are not going to get it right the first time, but when you start securing a company, you will eventually get there. It might take a while, but if you have a game plan and follow it, you will be amazed by how quickly it can happen. To help get you started down the correct road, let’s look at some general tips for protecting a company’s resources.
General Tips for Protecting a Site
This book has covered a wide range of exploits and specifics that can be used to fix each exploit. In this final chapter, I will summarize six key points that must be done to have a proper level of security. No matter how large or small your organization is, these tips are critical to having a secure infrastructure:
• Defense in depth
• Principle of least privilege
• Know what is running on your system
• Prevention is ideal but detection is a must
• Apply and test patches
• Regular system checks
When it comes to security, everyone is looking for the silver bullet—the one technology that will solve all of a company’s security problems. Guess what? It does not exist. Like anything in life, there is no free lunch. If you want to achieve a goal, you have to work hard and make a lot of sacrifices. Security is no exception. To have a secure enterprise, companies not only have to spend money, but use people and resources as well. The more protective measures a company has in place, the better. This is the fundamental concept of the defense in depth principle. A company must have multiple measures in place to secure its organization. A good example of defense in depth is the medieval castle.
The people who designed and built those castles knew a thing or two about defense in depth. Let’s briefly look at all the protection measures they built into the castle:
1. Castles are always built on a hill to make it more difficult for someone to attack. It also makes it easier to see if someone is trying to attack you.
2. At the bottom of the hill is a stone fence, usually only a couple of feet high. This fence is not meant to stop the attackers but to slow them down.
3. Around the castle is a moat, which also makes it more difficult for someone to get access.
4. At periodic intervals around the perimeter, there are fortified towers where defenders of the castle can look out and are also in a better position to fight back.
5. Notice there is only one way in and one way out of the castle. Having a single point of entry makes it easier to defend. Now you do not have to spread out your resources and defend four different areas; you can concentrate all your resources in one area.
I am sure there are several other protective measures we could name, but the key point is not to rely on one measure to protect yourself. Remember that any single measure could be defeated. However, by putting several measures together, you achieve a much higher level of security. Ideally, the goal is to prevent attackers. In cases when they cannot be prevented, having enough measures intact, so attackers are detected before they gain full access, is the next best thing.
The principle that was used to build castles must be used when building a company’s network security. So many companies install a firewall and think they are secure. A firewall is a good starting point, but you must combine firewalls with an intrusion detection system, host-based protection, encryption, and any new technologies that come along. Figure 20.1 shows that only by combining multiple technologies can you truly achieve defense in depth and have a secure network.
Figure 20.1. An overview of applying multiple technologies to achieve defense in depth. Provided by Andrea Houtkin