
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Applying Attack Patterns

Attacking a system is a process of discovery and exploitation. Attackers progress through a series of discovery phases before actually finding and exploiting a software vulnerability. What follows is a very high-level overview of the steps commonly used. Later in the book we, by and large, pass over repeating these ideas in favor of focusing more attention on technical discussion of exploits.

A successful attack takes several logical steps. First, qualify the target, mainly to learn what input points exist. Next, figure out the kinds of transactions that are accepted at the input points. Each kind of transaction must be explored to determine what kinds of attacks will work. You can then use attack patterns to construct malformed but "legal" transactions that manipulate the software in interesting ways. This requires close observation of the results of each transaction you send to determine whether you might have discovered a possible vulnerability. Once a vulnerability is discovered, you can try to exploit it and thereby gain access to the system.

In this section, we cover several broad categories of attack patterns. Particular attack patterns can be found in each of these categories. A seasoned attacker will have working attack patterns for all the categories. In combination, a set of attack patterns becomes the tool kit of the successful attacker.

Network Scanning

There are many special-purpose tools for network scanning. Rather than discuss a particular set of tools or hacker scripts, we encourage you to explore the network protocols themselves, considering how they can be leveraged to acquire targets and to determine the structure of a network. Start with a book like Firewalls and Internet Security [Cheswick et al., 2003]. New attack patterns are still being discovered in protocols that are more than 20 years old (consider, for example, ICMP ping, SYN ping, UDP ping, and firewalking). Newer protocols provide even easier targets. We suggest that you examine Ofir Arkin's work on ICMP scanning.[13]

[13] Search for ICMP on Ofir Arkin's Web page at http://www.sys-security.com.

Network scanning can be thought of as something quite simple (and best left to tools) or it can be treated as a science in and of itself. Network scans can almost always be detected by remote sites manned by paranoid administrators who will call upstream on the red phone if their network sees a single rlogin port request, so watch out for that. On the other hand, a typical machine on the Internet today gets 10 to 20 port scans a day without noticing a thing. Tools that perform basic port scans are classic script kiddie tools. Even professional (and expensive) applications like Foundstone's FoundScan and NAI's CyberCop are very close in spirit to collections of freely available technologies.

Sometimes port scans can be very sophisticated and sneaky, spreading over thousands of networks in a hard-to-detect drip-scan configuration. A target site may only get one or two strange packets an hour, but at the end of the week their systems will have been entirely scanned! Firewalls cause some minor inconvenience in this process, but port scans may be clever, using broadcast or multicast source addresses and clever port and flag combinations to defeat typical (lame) firewall filters.

OS Stack Identification

Once a target machine is discovered, additional tricks can be applied using standard protocols to discern the OS version on the target device. This includes techniques to tweak TCP options, perform IP fragmentation and reassembly, set TCP flags, and manipulate ICMP behavior. There are an incredible number of queries that can be used to determine the target OS. Most provide only a piece of the answer, but together they can be analyzed to come to a reasonable theory regarding the target OS.

It's nearly impossible to hide the identity of a system when there are so many possible probes and responses. Any attempt to mask normal responses by sending out false information would, in effect, create a strange variation, but with enough determined probing, the system is almost always identifiable. Furthermore, certain settings applied to a network interface or stack are often remotely detectable. One example is the use of network sniffers. In many cases, the behavior of a machine that is running a sniffer is unique and can be remotely detected (for more information go to http://packetstormsecurity.nl/sniffers/antisniff). Machines running in promiscuous mode are more open to network-level attacks because the system ends up processing all packets on the network, even ones destined for other hosts.

Port Scans

Primarily a network-layer function, port scans can be run against the target to determine which services are running. This includes both TCP and UDP ports. If a listening port is discovered, transactions can be run against the port to determine the service running on the port and the protocols it appears to understand. Many hackers cut their programming teeth by writing port scanners. Thus, there are thousands of port scanners available, but most of them are really bad designs. The most common port scanner is so well-known it doesn't require much discussion here. It is called nmap (for more information go to http://www.insecure.org/nmap/). If you have never played around with port scanning, then nmap is a good choice to start with since it supports so many variations of scanning. Go a step further than normal by using a network sniffer to analyze the scans produced by nmap.
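The drip scans and odd flag combinations described under Network Scanning, and the many scan variations nmap produces, are what a defender has to pick out of firewall logs. The following is an added example written for this page, not code from the book or from nmap. It parses a constructed, simplified iptables-style log line (the SRC/DST/DPT/FLAGS fields and the flag codes S, F, FPU and - are assumptions of this example), groups dropped probes per source, labels NULL/FIN/Xmas flag combinations, and counts distinct destination ports over the whole window, so that a scan spread over days is caught even though its per-hour volume is tiny.

```python
"""Scan detection over firewall drop logs (added example, constructed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the constructed log format used here (simplified iptables-style line).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dport>\d+) FLAGS=(?P<flags>\S+)$"
)

# Flag combinations that normal TCP clients never send as a first packet:
# no flags (NULL), FIN alone, FIN+PSH+URG (Xmas). Codes are this example's own.
STEALTH_FLAGS = {"-": "null", "F": "fin", "FPU": "xmas"}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scanners(lines, min_ports=10, slow_rate_per_hour=1.0):
    """Return {src: report} for sources that touched >= min_ports distinct ports.

    The distinct-port set is accumulated over the whole window, so a source
    that sends one probe every few hours still crosses min_ports by week's end.
    The 'profile' field shows why a per-hour rate threshold alone misses it.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    reports = {}
    for src, recs in by_src.items():
        ports = {r["dport"] for r in recs}
        if len(ports) < min_ports:
            continue
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        hours = max((last - first).total_seconds() / 3600.0, 1.0)  # floor at one hour
        rate = len(recs) / hours
        stealth = sorted({STEALTH_FLAGS[r["flags"]] for r in recs if r["flags"] in STEALTH_FLAGS})
        reports[src] = {
            "distinct_ports": len(ports),
            "probes": len(recs),
            "rate_per_hour": round(rate, 2),
            "profile": "slow" if rate < slow_rate_per_hour else "fast",
            "stealth_flags": stealth,
        }
    return reports


def constructed_sample():
    """Constructed log lines: a drip scanner, a fast Xmas sweep, and a benign client."""
    t0 = datetime(2004, 2, 10, 0, 0, 0)
    lines = []
    # Drip scan: one SYN to a new port every 6 hours for almost 4 days (16 probes).
    for i in range(16):
        ts = t0 + timedelta(hours=6 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT={20 + i} FLAGS=S")
    # Fast sweep with Xmas flags: 40 ports in 40 seconds.
    for i in range(40):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={1000 + i} FLAGS=FPU")
    # Benign: a client retrying port 80 only, never a second port.
    for i in range(30):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} DROP SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=S")
    return lines


if __name__ == "__main__":
    for src, report in detect_scanners(constructed_sample()).items():
        print(src, report)
```

The benign host never appears in the report because it touches a single port, while the drip scanner is reported as "slow" with 16 distinct ports at 0.18 probes per hour: a rate threshold would have passed over it.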

Traceroute and Zone Transfers

Traceroute packets are a clever way to determine the physical layout of network devices. DNS servers provide a great deal of information about IP addresses and the purpose of machines that are connected to them. OS identification data and port scans can be overlaid to provide a surprising amount of detail for an attacker. When used together, a very accurate map of a target network can be built. In effect, this activity results in a detailed map of the network and clearly illustrates input points where attack data will be accepted into application-layer software. At this stage, the application software can be probed directly. Be aware that zone files can be very large. Several years ago, one of the authors (Hoglund) received a zone file for the entire country of France. (It was big.)

Target Components

If the target system includes public file or Web services, these should be examined for possible low-hanging fruit. Target components such as cgi programs, scripts, servlets, and EJBs are notoriously easy to knock over. Each component may accept transactions and thus presents an interesting input point to investigate further. You can query the target to learn about and even craft working transactions, or you can launch network sniffers that record real-world transactions executed against the target. These can be used as baseline transactions that can later be tweaked according to more specific attack patterns described in this book.

Choosing Attack Patterns

Once a valid transaction pattern is discovered, it can be mutated using a variety of attack patterns. You might try command injection, file system API injection, database Structured Query Language (SQL) insertion, application-layer denial of service, or network-based denial of service. You might also explore the input space looking for buffer overflows. If a vulnerability is discovered, then it can be leveraged to gain access to the system.

Leveraging Faults in the Environment

Once a vulnerability is uncovered, a variety of attack payloads can be applied to gain remote access to the system. Common attack payloads are covered throughout this book. The advantage to our systematic systems-level approach is that the visibility of particular problems can be determined. A certain problem may only be exploitable from inside the firewall. Because we have a large network view of the target, we may be able to find other neighboring servers that can be exploited, and thus take advantage of our knowledge of the system to circle back later. This allows us to take a number of subtle steps to infiltrate a target system. Consider, for example, a target on a DSL line. The DSL provider may have a DSLAM that serves many clients. The DSLAM may forward all broadcast traffic to all downstream subscribers. If the target is well protected or has few input points, it might make more sense to attack another nearby system. Once that is compromised, the nearby system can be used to ARP hijack the hard target.
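The ARP hijack from a compromised neighbor, mentioned at the end of this section, is visible from the defender's side: a poisoned mapping shows one IP address flipping between two MAC addresses, usually while the legitimate host keeps answering. The following is an added example, not code from the book. It reads constructed ARP reply lines modelled on tcpdump's "Reply <ip> is-at <mac>" output, tracks the IP-to-MAC table the way an arpwatch-style monitor does, and reports flips, a MAC claiming several IPs, and mismatches against a known-good binding for the gateway. All addresses and the KNOWN_BINDINGS table are constructed for this example.

```python
"""ARP poisoning detection over captured ARP replies (added example)."""
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" form tcpdump prints for ARP replies.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17}),"
)

# Constructed capture (not a real trace): the gateway .1 and host .10 answer
# normally, then a third MAC starts claiming both while the gateway keeps replying.
SAMPLE_CAPTURE = """\
12:00:00.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
12:00:01.000000 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:0a, length 28
12:00:05.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
12:01:00.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:99, length 28
12:01:01.000000 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:99, length 28
12:01:02.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
"""

# Constructed known-good binding for the gateway, as an operator would record it.
KNOWN_BINDINGS = {"192.0.2.1": "00:00:5e:00:53:01"}


def parse_arp_replies(text):
    """Return a list of {ts, ip, mac} dicts, skipping lines that are not ARP replies."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append(m.groupdict())
    return replies


def analyze_arp(replies, known=None):
    """Return alerts for mapping flips, known-binding mismatches, and multi-IP MACs.

    A flip is any reply that changes the MAC we currently hold for an IP; a
    genuine host answering alongside an impostor produces a run of flips.
    """
    known = known or {}
    current = {}                    # ip -> MAC most recently seen for it
    macs_to_ips = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for r in replies:
        ip, mac = r["ip"], r["mac"]
        macs_to_ips[mac].add(ip)
        prev = current.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"type": "flip", "ts": r["ts"], "ip": ip,
                           "old_mac": prev, "new_mac": mac})
        if ip in known and known[ip] != mac:
            alerts.append({"type": "known_mismatch", "ts": r["ts"], "ip": ip,
                           "expected": known[ip], "seen": mac})
        current[ip] = mac
    for mac, ips in macs_to_ips.items():
        if len(ips) > 1:
            alerts.append({"type": "multi_ip", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(parse_arp_replies(SAMPLE_CAPTURE), KNOWN_BINDINGS):
        print(alert)
```

Static entries for the gateway (or a known-binding table like the one above) turn the ambiguous "flip" into a definite mismatch; the multi_ip alert is what distinguishes one impostor claiming several hosts from an address that was legitimately reassigned.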

Using Indirection

A clear goal when penetrating a system is to hide the attacker's identity. This is very easy to accomplish today using uplinks to unprotected 802.11 wireless networks.[14] A Starbucks coffee shop with a wireless link may present an incredibly comfortable place from which to launch attacks. The last thing you need to do is to pick up your "double-short dry cap" in a drive-thru on your way to some cold alleyway! Indirection techniques let you keep your safe zone warm and dry, corporate even. Geopolitics also help with indirection. You're fairly safe if you're drinking coffee in a Houston Starbucks while launching an attack from New Delhi over the border into China. There will be no Internet Service Providers (ISPs) sharing log files across those borders. And extradition is out of the question.

[14] See 802.11 Security [Potter and Fleck, 2003].

Planting Backdoors

Once an exploit has been successful, chances are that you will attain complete access to a host inside the target network. Establishing a secure tunnel over the firewall and cleaning up any possible log files is the next step. If you cause a noticeable fault in the target system, the fault will, by definition, have observable effects. Your goal is to remove any trace of these observable effects. Reboot anything that may have crashed. Clear all logs that show program violations or packet traces. You will typically want to leave a rootkit program or backdoor shell that will enable access at any time. Chapter 8 is all about such tricks. A rootkit program can be hidden on the host. Kernel modifications make it possible to hide a rootkit completely from the systems administrators or auditing software. Your backdoor code can even be hidden within the BIOS or within the EEPROM memory of peripheral cards and equipment.

A good backdoor may be triggered by a special packet or it may be active only at certain times. It may perform duties while you are away, such as keystroke logging or packet sniffing. A favorite of the military seems to be reading e-mail. The FBI appears to like keystroke monitors. What your remote monitor does depends on your goals. Data can be fed out of the network in real time or stored in a safe place for later retrieval. Data can be encrypted for protection in case of discovery. Storage files can be hidden using special kernel modifications. Data can be fed out of the network using packets that appear to be standard protocols (using steganographic tricks). If a network has a great deal of DNS activity, then hiding outgoing data in DNS look-alike packets is a good idea. Sending bursts of completely normal traffic along with your disguised packets can also make the special packets harder to locate. If you really want to get fancy, you can use classic steganography tricks, even at the packet level.
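Hiding outgoing data in DNS look-alike traffic, as described above, leaves a signature a defender can score for: one client issuing many unique, long, high-entropy subdomains under a single domain, often as TXT queries. The following is an added example, not code from the book. It scores constructed DNS query log lines (the key=value line format and every name and address in it are assumptions of this example) per client and registered domain, and flags the combination that looks like encoded data leaving the network. The registered-domain approximation (last two labels) is a deliberate simplification; a real deployment would use the public suffix list.

```python
"""DNS exfiltration scoring over query logs (added example, constructed log format)."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query(line):
    """Parse one constructed '<ts> client=<ip> qname=<name> qtype=<type>' line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "client": kv["client"],
            "qname": kv["qname"].rstrip(".").lower(), "qtype": kv["qtype"]}


def registered_domain(qname):
    """Approximation: the last two labels (a real tool would use the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_exfil(lines, min_unique=20, min_label_len=16, min_entropy=3.0):
    """Return {(client, domain): stats} for pairs whose leftmost labels look like encoded data.

    Three signals must coincide: many unique names (each carries a new chunk),
    long leftmost labels (maximising bytes per query), and high label entropy
    (encoded or encrypted payload rather than words like 'www' or 'mail').
    """
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "qtypes": Counter()})
    for line in lines:
        q = parse_query(line)
        st = stats[(q["client"], registered_domain(q["qname"]))]
        leftmost = q["qname"].split(".")[0]
        st["names"].add(q["qname"])
        st["lens"].append(len(leftmost))
        st["ents"].append(shannon_entropy(leftmost))
        st["qtypes"][q["qtype"]] += 1

    findings = {}
    for key, st in stats.items():
        avg_len = sum(st["lens"]) / len(st["lens"])
        avg_ent = sum(st["ents"]) / len(st["ents"])
        if len(st["names"]) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[key] = {"unique_names": len(st["names"]),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "qtypes": dict(st["qtypes"]),
                             "total_label_chars": sum(st["lens"])}
    return findings


def constructed_dns_log():
    """Constructed log: a benign client repeating three names, and a client streaming hex labels."""
    lines = []
    for i in range(40):
        name = ["www.example.com", "mail.example.com", "cdn.example.com"][i % 3]
        lines.append(f"2004-02-10T03:{i:02d}:00 client=192.0.2.50 qname={name} qtype=A")
    for i in range(30):
        # 32 hex characters per label stands in for an encoded data chunk.
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"2004-02-10T03:{i:02d}:30 client=198.51.100.23 "
                     f"qname={label}.updates.example.net qtype=TXT")
    return lines


if __name__ == "__main__":
    for key, stats in detect_dns_exfil(constructed_dns_log()).items():
        print(key, stats)
```

The benign client is never reported because its three names recur; the second client is reported on all three signals, and the total_label_chars figure gives a rough upper bound on how much data left in the queries, which is what incident response needs to size the loss.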
