Monday, January 21, 2008

Anatomy of an Attack

Now we come to some real fun. What does a hacker actually do?

In general, a hacker attack can be dissected into five phases.

  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks
Reconnaissance
Reconnaissance refers to the initial stage in which the hacker tries to collect as much information as possible about the target before launching any attack. The hacker uses both technical knowledge and social skill to learn about the target. Social skill, or social engineering, can be surprisingly efficient at collecting internal information.

Technical reconnaissance can be categorized as active or passive. Active reconnaissance involves using tools that interact directly with the target (pinging its hosts, querying its name servers, connecting to its services), while passive reconnaissance collects publicly available information without touching the target: search engines, public registries, social engineering, dumpster diving and so on. Active reconnaissance generates traffic that the target can log, so it tends to be used by inexperienced attackers, or by attackers who judge the risk of their reconnaissance being detected to be low.

As an ethical hacker, you must be able to identify the different reconnaissance methods and advise on preventive measures appropriate to each potential threat.

Scanning
Scanning refers to the pre-attack stage in which the attacker probes the target using the specific information gathered during reconnaissance. Scanning can be considered an extension of active reconnaissance that uses automated tools such as network and host scanners and war dialers to discover vulnerabilities. The attacker can map systems, routers and firewalls with a simple tool such as traceroute, or with Cheops, which adds network-sweeping functionality on top of what traceroute provides.

A port scanner detects listening ports and so reveals which services are running on the target machine. The primary defense is to shut down services that are not needed: a port that is not listening cannot be attacked. A vulnerability scanner detects known vulnerabilities across the target network. This gives the attacker the advantage of time, because he has to find just one vulnerability to get in, while the system administrator has to apply every patch.
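To make the port-scanning step concrete, here is an added example in Python (not code from the original post): a minimal TCP connect() scanner with banner grabbing. To keep it self-contained and runnable offline it starts a throwaway listener on 127.0.0.1 with a constructed banner, scans the ports around it and reports which port answered and what it said; the host, port range and banner text are all assumptions made for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """TCP connect() scan: a port counts as open only if the full three-way
    handshake completes.  This is the noisiest scan type (the service sees a
    real connection and may log it), which is exactly why it shows up in logs."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port
            except OSError:            # refused, timed out, unreachable ...
                return None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service volunteers first (SMTP, FTP, SSH
    and many others announce themselves); returns b"" if nothing arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(max_bytes)
        except OSError:
            return b""


def start_fake_service(banner):
    """Constructed stand-in for a real daemon: listens on an ephemeral port on
    127.0.0.1 and sends `banner` to every client.  Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed: shut down
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:        # scanner already hung up; that's fine
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_demo():
    """Start the fake service, scan the ports around it and return
    (port of the fake service, open ports found, banner read from it)."""
    srv, port = start_fake_service(b"220 constructed.example SMTP ready\r\n")
    try:
        ports = range(max(1, port - 5), min(65535, port + 5) + 1)
        found = tcp_connect_scan("127.0.0.1", ports)
        banner = grab_banner("127.0.0.1", port)
    finally:
        srv.close()
    return port, found, banner


if __name__ == "__main__":
    port, found, banner = scan_demo()
    print("fake service on port", port)
    print("open ports:", found)
    print("banner:", banner)
```

Every connect() here completes a real handshake, so a host-based log or a NIDS watching for one source touching many ports in a short window sees this scan immediately; that is the trade-off the text describes between active probing and staying unnoticed.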

Organizations that deploy intrusion detection systems still have to worry, because an attacker can use evasion techniques at both the application and the network level (fragmentation, encoding, timing). However, a properly configured NIDS is hard for the attacker to detect, since a passive sensor sends no traffic of its own, and the better ones perform anomaly detection as well as signature matching, which makes evasion more difficult.

Gaining Access
Gaining access refers to the true attack stage. The attacker can exploit the target over the LAN, locally, over the Internet, or offline through deception or theft. Examples include stack-based buffer overflows, denial of service and session hijacking.

Spoofing is a technique for exploiting a system by pretending to be someone else or another system. The attacker can use it to send malformed packets that trigger a bug in the target system and so exploit the vulnerability. Packet flooding can be used to remotely deny the availability of essential services. A Smurf attack sends ICMP echo requests to a network's broadcast address with the source address forged to that of the victim, so that every host on that network replies to the victim at once; the legitimate hosts thereby amplify the flood.

The perceived risk when the attacker gains access is high, as the attacker can gain access at the operating system level, the application level or even the network level.


Maintaining Access
Maintaining access refers to the phase in which the hacker tries to retain "ownership" of the system. Having gained access to the target system, the attacker can either use the system and its resources to launch further attacks against other systems, or keep a low profile and continue to exploit the compromised system. Both are damaging to the organization. For instance, the attacker can install a sniffer to capture all the network traffic.

Sometimes attackers even harden the system against other hackers to secure exclusive access for themselves, using backdoors, rootkits, Trojans and Trojan-horse backdoors.

Attackers try to remain undetected by removing evidence of their entry, and use a backdoor or other Trojan to gain repeat access.

Covering Tracks
Covering tracks refers to the activities by which the attacker removes evidence of his presence and actions, so that he can maintain access and evade criminal prosecution. This normally entails removing or editing log files and replacing system binaries such as ps or netstat with trojaned versions, so that the system administrator cannot see the intruder's processes and connections on the attacked system. Just as there are automated scripts for hacking, there are also automated scripts for hiding intruders, usually called rootkits.
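The defender's counterpart to the trojaned-binary and deleted-log tricks is file-integrity checking against a baseline taken on a known-clean system. The following Python is an added example (not part of the original post) in the spirit of Tripwire: it hashes a set of files into a baseline, re-checks them later and reports anything modified or missing. The directory, file names, file contents and the sample log line are all constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits for each path.  In real use the
    baseline is taken on a known-clean system and kept off the host or on
    read-only media: an intruder with root can rewrite any baseline kept locally."""
    return {
        p: {"sha256": sha256_of(p), "size": os.path.getsize(p),
            "mode": os.stat(p).st_mode & 0o777}
        for p in paths
    }


def check_baseline(baseline):
    """Compare the live file system against the baseline.  Returns a list of
    (path, finding) tuples; an empty list means nothing changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))        # e.g. a deleted log file
            continue
        if sha256_of(path) != expected["sha256"]:
            findings.append((path, "modified"))       # e.g. a trojaned ps
        elif (os.stat(path).st_mode & 0o777) != expected["mode"]:
            findings.append((path, "mode-changed"))   # e.g. a newly setuid binary
    return findings


def demo():
    """Constructed scenario: fake copies of ps, netstat and a syslog file are
    baselined; then the intruder swaps in a trojaned ps and deletes the log;
    the re-check must report exactly those two changes."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "ps": b"#!/bin/sh\nexec /bin/true  # constructed stand-in for ps\n",
            "netstat": b"#!/bin/sh\nexec /bin/true  # constructed stand-in for netstat\n",
            # constructed log line, documentation address range
            "messages": b"Jan 21 10:00:01 host sshd[1234]: Accepted password for root from 198.51.100.7\n",
        }
        paths = {}
        for name, content in files.items():
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(content)
            paths[name] = p

        baseline = build_baseline(paths.values())
        assert check_baseline(baseline) == []      # clean system: no findings

        # what the intruder does while covering tracks
        with open(paths["ps"], "wb") as f:
            f.write(b"#!/bin/sh\n# trojaned: would hide the intruder's processes\nexec /bin/true\n")
        os.remove(paths["messages"])

        return sorted((os.path.basename(p), what) for p, what in check_baseline(baseline))


if __name__ == "__main__":
    for name, what in demo():
        print(f"{name}: {what}")
```

The check is only as trustworthy as the environment it runs in: a kernel-level rootkit can lie to the checker's own read() calls, so the hashes should be verified from trusted media (a live CD or a separate host that mounts the disk) rather than from the running, possibly compromised system.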

Other techniques include steganography and tunneling. Steganography is the process of hiding data inside other data so that its very existence is concealed. Tunneling takes advantage of one transmission protocol by carrying another inside it. Even unused or loosely checked fields in the TCP and IP headers can be used to carry hidden information.
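As an added example (not from the original post) of that last point, the Python below hides a message in the 16-bit Identification field of otherwise ordinary IPv4 headers, two bytes per packet, recovers it on the receiving side, and includes the crude check a defender can apply to a captured stream of IDs. It only builds and parses headers in memory; actually transmitting them would need a raw socket and root, which is deliberately left out. The addresses and the message are constructed.

```python
import random
import socket
import struct

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ident, proto=1, ttl=64, payload_len=0):
    """A plain 20-byte IPv4 header whose only unusual property is the ID we chose."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt):
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return {"version": f[0] >> 4, "ihl": f[0] & 0xF, "ident": f[3],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            # a correct header sums to zero when the checksum field is included
            "checksum_ok": ip_checksum(pkt[:20]) == 0}


def encode_in_ip_id(message, src, dst):
    """Sender side: the first packet's ID carries the message length, each
    following packet carries two message bytes (padded with a space)."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length prefix")
    padded = message + b" " * (len(message) % 2)
    words = [len(message)] + [(padded[i] << 8) | padded[i + 1]
                              for i in range(0, len(padded), 2)]
    return [build_ipv4_header(src, dst, w) for w in words]


def decode_from_ip_id(packets):
    """Receiver side: verify each header, pull the IDs back out, reassemble."""
    idents = []
    for pkt in packets:
        h = parse_ipv4_header(pkt)
        if h["version"] != 4 or not h["checksum_ok"]:
            raise ValueError("corrupt packet")
        idents.append(h["ident"])
    length, words = idents[0], idents[1:]
    return b"".join(struct.pack("!H", w) for w in words)[:length]


def printable_id_ratio(idents):
    """Crude detector: a normal stack's IDs are sequential or random, so both
    bytes landing in printable ASCII is rare (about 14% for random IDs); text
    smuggled through the field pushes this ratio toward 1.0."""
    if not idents:
        return 0.0
    def printable(w):
        return 0x20 <= (w >> 8) <= 0x7E and 0x20 <= (w & 0xFF) <= 0x7E
    return sum(1 for w in idents if printable(w)) / len(idents)


def random_ids(n, seed=1):
    """IDs as a stack that randomizes the field would produce (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.randrange(65536) for _ in range(n)]


if __name__ == "__main__":
    pkts = encode_in_ip_id(b"exfil via IP ID", "10.0.0.5", "203.0.113.9")
    print("recovered:", decode_from_ip_id(pkts))
    print("covert stream ratio:", printable_id_ratio([parse_ipv4_header(p)["ident"] for p in pkts]))
    print("random IDs ratio:   ", printable_id_ratio(random_ids(500)))
```

The ratio check is deliberately simple; a real detector would compare the ID sequence of a flow against what the sending host's stack is known to generate (monotonic, per-destination counters, or random), because a covert channel can just as easily carry encrypted bytes that do not look like text.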
