|
There are many ways an attacker can gain access or exploit a system. No matter which way an attacker goes about it, there are some basic steps that are followed:
* Reconocimiento pasivo
* Passive reconnaissance.
* ActiveReconocimiento reconnaissanceactivo (scanning)
* "Exploiting" theel sistema system:
* Ganar acceso atraves de uno de lo siguientes ataques:
* Gaining access through the following attacks:
*** Ataque a nivel de sistema operativo
*** Operating system attacks
*** Ataque a nivel de aplicaciones
*** Application level attacks
*** Ataque a una mala configuración
*** Scripts and sample program attacks
* Escalada de privilegios
** Misconfiguration attacks
* Denegar servicio
* Elevating of privileges
* Subir programas
* Denial of Service
* Descargar datos
* Uploading programs
* Mantener el acceso atraves de las siguientes técnicas:
* Downloading Data.
*** Puertas traseras
* Keeping access by using the following:
*** BackdoorsTroyanos
* Ocultar el ataque.
** Trojan horses
*Covering tracks.
Note that it is not always necessary to perform all of these steps, and in some cases, it is necessary to repeat some of the steps. For example, an attacker performs the active and passive reconnaissance steps and, based on the information he gathers about the operating systems on certain machines, he tries to exploit the system. After unsuccessfully trying all sorts of operating system attacks (Step 3), he might go back to Steps 1 and 2. At this point, his active reconnaissance will probably be more in depth, focusing on other applications that are running or possible scripts that are on the system, and even trying to find out more information about the operating system, such as revision and patch levels. After he has more information, he will go back to attacking the system.
You would hope that, by protecting your systems from attack, this process would take a long time to accomplish, frustrating the attacker enough to give up before he gains access. Ideally, a company should have proper Intrusion Detection Systems in place so that it can detect an attack and protect against it before it does any damage. Most companies should strive for this, but unfortunately most ignore it.
Let's briefly run through each of the steps from an attacker's point of view. The attacker starts off seeing if he has any general information about the system. This consists of information like the domain name and any servers or systems the company might have. After all of the passive information has been gathered, active reconnaissance begins. This is where the attacker tries to find out as much information about the systems, without setting off too many alarms. Then, he gathers things such as IP addresses, open ports, operating system and version, and so on. After some initial information is gathered, an attacker steps through each of the attack areas: operating system, applications, scripts, and misconfigured systems. For each item, an attacker tries an attack; if unsuccessful, he tries to gather more information about the component. After all the information has been gathered for an item, an attacker moves on to the next item. After an attack has been successful and access has been gained, the attacker then uploads any necessary programs, preserves access by installing Trojan horses, and finally cleans up the system to hide the attack.
Passive Reconnaissance
To exploit a system, an attacker must have some general information; otherwise, he does not know what to attack. A professional burglar does not rob houses randomly. Instead, he picks someone, like Bob, and he begins the passive reconnaissance stage of figuring out where Bob's house is located and other general information.
The same thing has to be done with hacking. After an attacker picks a company to go after, he has to find out the company's name and where it is located on the Internet. Chapter 3, "Information Gathering," covers this in detail. The sections in this chapter on reconnaissance are meant to lay the groundwork for Chapter 3.
Passive information gathering is not always useful by itself, but is a necessary step, because knowing that information is a prerequisite to performing the other steps. In one case, I was gathering information to perform an authorized penetration test for a company.
I pulled up to the company around 4:00 p.m. I chose this time for two reasons. First, because most people leave between 4:30 p.m. and 5:30 p.m., I could observe a lot of behavior, but to do so I needed to park near the front of the building. Usually, that late in the day, some people have already left and you can get a close spot—thus, the second reason. I parked near the entrance and rolled down my window. Three people came out and stopped in front of my car to have a smoke. As they smoked, they talked about business and a new server they just installed. It was set up for testing file transfer and FTP access to remote offices, but they went on to explain that, because they were having trouble with authentication, they allowed anonymous access. As they finished the conversation, they started joking with the one person on why he named the server Alpha-Two.
In the course of five minutes, I was given the name of a server that was accessible from the Internet and the fact that authentication was turned off, which meant that I had full access to the network! As fictitious as this story might sound, it actually happened and is quite realistic. It is amazing what people will say if they think that no one else is listening.
In some cases, passive reconnaissance can provide everything an attacker needs to gain access. On the surface it might seem like passive reconnaissance is not that useful, but do not underestimate the amount of information an attacker can acquire if it is done properly.
Passive attacks, by nature of how they work, might not seem as powerful as active attacks, but in some cases they can be more powerful. With passive attacks, you do not directly get access, but sometimes you get something even better: guaranteed access across several avenues.
One of the most popular types of passive attacks is sniffing. This involves sitting on a network segment and watching and recording all traffic that goes by. This can yield a lot of information. For example, if an attacker is looking for a specific piece of information, he might have to search through hundreds of megabytes of data to find what he is looking for. In other cases, if he knows the pattern of the packets he is looking for, it can be quite easy.
An example of this is sniffing passwords. There are programs that attackers can run from a workstation that looks for NT authentication packets. When it finds one, it pulls out the encrypted password and saves it. An attacker can then use a password cracker to get the plain text password. To get a single password, this might seem like a lot of work. But imagine an attacker setting this up to start running at 7:00 a.m. and stop running at 10:00 a.m. Most people log on to the network in those three hours, so he can gather hundreds of passwords in a relatively short time period.
Another useful type of passive attack is information gathering. During this type of attack, an attacker gathers information that will help launch an active attack. For example, let's say that an attacker sits near the loading dock of a company to watch deliveries. Most companies print their logos on the sides of boxes and are easy to spot. If an attacker notices that you receive several Sun boxes, he can be pretty sure that you are running Solaris. If, shortly after the release of Windows 2000, a company receives boxes from Microsoft, an attacker could probably guess that the company is upgrading its servers to the new operating system.
Active Reconnaissance
At this point, an attacker has enough information to try active probing or scanning against a site. After a burglar knows where a house is located and if it has a fence, a dog, bars on the windows, and so on, he can perform active probing. This consists of going up to the house and trying the windows and doors to see if they are locked. If they are, he can look inside to see what types of locks there are and any possible alarms that might be installed. At this point, the burglar is still gathering information. He is just doing it in a more forceful or active way.
With hacking, the same step is performed. An attacker probes the system to find out additional information. The following is some of the key information an attacker tries to discover:
*
Hosts that are accessible
*
Locations of routers and firewalls
*
Operating systems running on key components
*
Ports that are open
*
Services that are running
*
Versions of applications that are running
The more information an attacker can gain at this stage, the easier it will be when he tries to attack the system. Usually, the attacker tries to find out some initial information covertly and then tries to exploit the system. If he can exploit the system, he moves on to the next step. If he cannot exploit the system, he goes back and gathers more information. Why gather more information than he needs, especially if gathering that extra information sets off alarms and raises suspicion? It is an iterative process, where an attacker gathers a little, tests a little, and continues in this fashion until he gains access.
Keep in mind that, as an attacker performs additional active reconnaissance, his chances of detection increase because he is actively performing some action against the company. It is critical that you have some form of logging and review in place to catch active reconnaissance, because, in a lot of cases, if you cannot block an attacker here, your chances of detecting him later decrease significantly.
When I perform an assessment, usually I run some tests to figure out the IP address of the firewall and routers. Next, I try to determine the type of firewall, routers, and the version of the operating system the company is running to see if there are any known exploits for those systems. If there are known exploits, I compromise those systems. At that point, I try to determine which hosts are accessible and scan those hosts to determine which operating system and revision levels they are running. If an attacker can gain access to the external router or firewall, he can gather a lot of information and do a lot of damage.
For example, if I find that a server is running Windows NT 4.0 Service Pack 4, I scan for all vulnerabilities with that version and try to use those vulnerabilities to exploit the system. Surprisingly, with most companies, when I perform active reconnaissance, their technical staff fails to detect that I have probed their systems. In some cases, it is because they are not reviewing their log files, but in most cases, it is because they are not logging the information. Logging is a must, and there is no way to get around it. If you do not know what an attacker is doing on your system, how can you protect against it?
The goal of a company in protecting its computers and networks is to make it so difficult for an attacker to gain access that he gives up before he gets in. Today, because so many sites have minimal or no security, attackers usually gain access relatively quickly and with a low level of expertise. Therefore, if a company's site has some security, the chances of an attacker exploiting its systems are decreased significantly, because if he meets some resistance, he will probably move on to a more vulnerable site. This is only true for an opportunistic attacker who scans the Internet looking for any easy target.
In cases of corporate espionage, where an attacker is targeting your site, some security will make the attacker's job more difficult, but will not necessarily stop him. In this situation, hopefully the extra security will make it so difficult that you will detect the attack before he gains access and stop him before any damage is done.
In most cases, an attacker uses a passive reconnaissance attack first to properly position himself. Next, he uses an active reconnaissance attack to gather the information he is after. An example is an attacker breaking into a machine so that he can sniff passwords off of the network when users log on each morning. As this example shows, to perform active reconnaissance, an attacker must have some level of access to the system.
Each attack has value, but as you will see throughout this book, the real value is gained when multiple techniques or attacks are combined. Giving a carpenter a single tool allows him to build part of a house. When a carpenter is familiar, well-trained, and has several tools in his toolbox, he can build an entire house. These same principles apply for successfully breaking into a system—or in our case, successfully preventing a break-in.
Exploiting the System
Now comes the scary part for a security professional. When most people think about exploiting a system, they only think about gaining access, but there are actually two other areas: elevation of privileges and denial of services. All three are useful to the attacker depending on the type of attack he wants to launch. There are also cases where they can be used in conjunction with each other. For example, an attacker might be able to compromise a user's account to gain access to the system, but because he does not have root access, he cannot copy a sensitive file. At this point, the attacker would have to run an elevation of privileges attack to increase his security level so that he can access the appropriate files.
It is also important to note that an attacker can exploit a system to use it as a launching pad for attacks against other networks. This is why system break-ins are not always noticed, because attackers are not out to do direct harm or steal information. In these cases, a company's valuable resources are being used and, technically, that company is hacking into other companies.
Think about this for a minute: Whether it is authorized or not, if someone is using Company A's computers to break into Company B, when Company B investigates, it will point back to Company A. This is called a downstream liability problem. This can have huge legal implications for a company if it is not careful—especially if the attackers want to have some fun and carefully pick the two companies so that Company A and B are major competitors. If you are the head of security for Company A, you better hope that your resume is updated.
Gaining Access
Because one of the most popular ways of exploiting a system is gaining access, let's start with this type of attack. There are several ways an attacker can gain access to a system, but at the most fundamental level, he must take advantage of some aspect of an entity. That entity is usually a computer operating system or application; but if we are including physical security breaches, it could be a weakness in a building. If a burglar were going to break into a house, he would have to exploit a weakness in the house to gain access—for example, an unlocked window, no alarm system, or a non-secure lock. The bottom line is this: If the house had no weaknesses, it could not be compromised. As we all know, for a house to be useful to its owners, it is going to have weaknesses. Windows and doors make a house useful, but can be turned against the owner and used to break into the house. Eliminating all weaknesses would produce a house with no usefulness to the owner. What good is a house with no windows or doors made of solid concrete and steel? This same principle holds for computer systems. As long as they provide usefulness to a company, they will have weaknesses that can be compromised. The key is to minimize those weaknesses to provide a secure environment. The following are some ways that an attacker can gain access to a system:
*
Operating system attacks
*
Application-level attacks
*
Scripts and sample program attacks
*
Misconfiguration attacks
Operating System Attacks
Previously, we compared an operating system to the doors and windows of a house. The doors and windows of an operating system are the services it is running and the ports it has open. The more services and ports, the more points of access; the less ports and services, the less points of access. Based on this one would hope that a default install of an operating system would have the least number of services running and ports open (if you need more, you can install them on your system). This way, you control the points of compromise in a system.
In reality, the opposite is true. The default install of most operating systems has large numbers of services running and ports open. The reason most manufacturers do this is simple, money. They want a consumer of their product to be able to install and configure a system with the least amount of effort and trouble. The reason for this is every time a consumer has a problem with their product they have to call for support, which costs the company large amounts of revenue. The less calls, the less number of technical support staff, and the lower their costs. Also, the less calls, the less frustration a user experiences, which increases satisfaction with the product. If someone installs an operating system and the services they need such as web and authentication are not present, most of the time they will call for help. Therefore it makes more sense in terms of functionality, to just have everything installed by default, if someone needs it, it's there.
From a software manufacturers standpoint, this makes sense. From a security standpoint, it does not make sense. Why would anyone install a non-secure operating system by default? Most of the time this is unintentional, because users are not familiar enough with an operating system to realize how vulnerable it really is. To make matters worse, once the operating system is installed, companies think their job is done and fail to apply patches and updates. This leaves a company with outdated operating systems, which have a large number of vulnerabilities—not a good position to be in from a security perspective.
Application-Level Attacks
Application-level attacks take advantage of the less-than-perfect security found in most of today's software. The programming development cycle for many applications leaves a lot to be desired in terms of security.
One major problem with most software that is currently being developed is that the programmers and testers are under very tight deadlines to release a product. Because of this, testing is not as thorough as it should be. To add to this, the problem becomes worse since software that is being developed has so much added functionality and complexity that even if there were more time to test, the chances of testing every feature would still be small. Also, until very recently, consumers were not concerned about security. If it had all of the great features they needed they were happy, regardless of the number of security vulnerabilities that existed in the software. Security should not be an add-on component. To provide a high level of security, it has to be designed into the application from the beginning.
Another major problem found in most programs is error-checking. Poor or nonexistent error-checking accounts for a large number of security holes found in today's programs. Buffer overflows are just one example of this problem. Other examples will be covered later in the book. Chapter 9, "Buffer Overflow Attacks," explains how buffer overflows exploit this weakness when malicious users ask "What if?"
Scripts and Sample Program Attacks
Especially on the UNIX side of the house, extraneous scripts are responsible for a large number of entries and exploits. When the core operating system or application is installed, the manufacturers distribute sample files and scripts so that the owner of the system can better understand how the system works and can use the scripts to develop new applications. From a developer's standpoint, this is extremely helpful. Why invent the wheel when you can use someone else's script and just build onto it? In one of my jobs, I programmed and developed source code. Being able to use sample source code as a template helped increase the development time tremendously.
One of the main areas where there are a lot of sample scripts is in web development. The earlier versions of Apache web server and some web browsers came with several scripts and most of them had vulnerabilities. Also, a lot of the new scripting tools that come with web browsers enable developers with minimal programming knowledge to develop applications in a relatively short period of time.
In these cases, the applications work, but what's going on behind the scene is usually pretty scary from a security standpoint. There is usually a lot of extraneous code and poor error-checking, which create an open door for attackers. Active Server Pages (ASPs) are a perfect example. Much of the early development that occurred with ASPs left a lot of backdoors that attackers are exploiting. An example is the default web site that ships with IIS. It has the remote admin tools available from the main page. These tools can be used by an attacker to compromise a system.
Misconfiguration Attacks
In several cases, systems that should be fairly secure are broken into because they were not configured correctly. I see this happen so often: An administrator is working on a system and is not sure how to set it up, so he tries a bunch of options and when something works he stops. The problem with this is that he never goes back to figure out what made it work and to clean up the extraneous work that he did. This is one of the reasons why some systems are broken into and others are not.
In order to maximize your chances of configuring a machine correctly, remove any unneeded services or software. This way, the only thing left on your system is the core components you need and you can concentrate on securing those. Misconfiguration is one area that you can control since you are the one configuring the system. Therefore, make sure you spend the time necessary and do it right. Remember, if you think that you do not have time to do it right the first time, attackers might break in and there might not be a second time.
Elevating Privileges
The ultimate goal of an attacker is to gain either root or administrator access to a system. In some cases, an attacker can directly acquire this access. In other cases, an attacker has to gain a minimal amount of access and then elevate that to full access. For example, an attacker might acquire guest access and then use that access to gain additional information. After the additional information has been gained, the attacker uses this knowledge to increase his access to root or administrator access. This type of attack, where an attacker indirectly gains root or administrator access through several levels of access, is called elevating privileges.
Denial of Service
The two main types of active attacks are Denial of Service and breaking in. Because Chapter 6 is dedicated to Denial of Service attacks, this section will only cover a broad overview. Denial of Service attacks are attacks that deny legitimate users access to a resource. These can range from blocking users from going to a particular web site to disabling accounts so that users cannot log on to a network. For example, if you telecommute and dial in to your company's server to work every day and a trespasser cuts the phone wire outside your house, he causes a Denial of Service attack, which prevents you from performing your work. Unfortunately, these attacks are fairly easy to perform on the Internet because they require no prior access. If you are connected to the Internet, you are vulnerable to a Denial of Service attack. Also, tools for performing these types of attacks are readily available and easy to run.
Uploading Programs
After an attacker has gained access, he usually performs some set of actions on the server. There are few cases where an attacker gains access just for the sake of gaining access. Most often, he either uploads or downloads files or programs to or from the system. Why else would an attacker waste time to gain access if he was not going to do anything with it? If an attacker is looking to steal information, after access is gained, the goal is to download information as covertly as possible and exit the system.
In most cases, the attacker will load some programs to the system. These programs can be used to either increase access, compromise other systems on the network, or upload tools that will be used to compromise other systems. Why should an attacker use his own machine to attack another company, when he can use someone else's faster machines, making it harder to trace the attack?
To cause damage or acquire information, an attacker must successfully break into a site and retrieve the necessary information. The Internet, however, adds a new dimension to this. As we discussed, in some cases, the sole reason for breaking into a site is to use the resources for the attacker's own personal gain or to break into another site. Some of the tools that are used by attackers require significant processing power and a large connection to the Internet. What better way to acquire these resources than to break into a large site, upload those programs, and run them?
An added benefit for the attacker is that it is much harder to trace the attack. If an attacker is launching an attack from Company A and he covers his tracks and breaks into Company B, Company B can see only that Company A attacked it. Because an attacker was able to break into Company A in the first place usually means that Company A has lax security, which makes it extremely difficult to trace it back to the originator.
Downloading Data
With some attacks, like corporate espionage, an attacker is after information. This information can range from data about a new research and development product, a customer list, or future direction of the company. In all of these cases, the attacker wants access to download data to another location. After the data is downloaded to another location, an attacker can perform whatever analysis he needs to on the information. The key to remember with this type of attack is that if you do not detect the attacker when he is downloading the data, you have no chance of stopping the attack. After the data has been downloaded, the remainder of the attack is done offline.
Keeping Access
In most cases, after an attacker gains access to a system, he will put in a back door so that he can return whenever he wants. If he goes through all of the work to get into a system, why repeat the work the next time he needs to get in? In most cases, an attacker has gained root equivalent access and he can do whatever he wants on the system, so why not put in a back door? As we discussed, another reason attackers want to maintain access is to use those computers as a staging area to launch attacks against other companies.
A back door can be as simple as adding an account to the system. This is simple, but if the company reviews its active accounts, it has a high chance of detecting it. However, if it is a system with thousands of users, chances are that no one will notice. I did a security assessment for one company that had more than 2,000 active accounts but only 1,000 employees and 200 consultants. It turned out that when users left, accounts were never disabled or deleted. After you had an account with this company, you had it for life. In this case, attackers broke in and created backdoor accounts, and the company never knew it. One problem employee was terminated. After further investigation, we realized that this person created more than five different accounts on the system. Only after the company experienced problems did we go back in and notice the additional accounts.
It is scary that most companies do not track what is on their systems or who has access to their systems. If an attacker gains access and discovers this lack of tracking, he is guaranteed that he will have access for a long time.
A more sophisticated type of back door is to overwrite a system file with a version that has a hidden feature. For example, an attacker can overwrite the logon daemon that processes requests when people log on to the system. For most users, it works properly, but if you provide a certain user ID, it automatically allows you into the system with root access. These modified programs that are installed are commonly referred to as Trojan versions, because they have a hidden feature. Another way an attacker can creat a backdoor is to install a program that runs on a certain port. If the attacker connects to that port, he can gain full access to the system or even the network. Programs such as Back Orifice that perform these features will be discussed in Chapter 15, "Preserving Access."
Usually with a back door, an attacker has already gained access to a system and he just wants to restore his access for a later time. What if an attacker wants to gain access and create a back door at the same time? A common way to do this is for an attacker to give a legal user a program, which, upon running, has a hidden feature that creates a way for the attacker to gain access. These programs are commonly referred to as Trojan horses. A Trojan horse is a program that has an overt and a covert feature. An example is when a user receives an email that has an executable attachment. When he double-clicks it he sees dancing chipmunks. The user thinks this is funny and sends it to all of his friends. He does not realize that the program also runs a program that adds an account to the system so that an attacker can log on at any time. In this case, the dancing chipmunks is the overt program that the user is aware of, and the program that creates the accounts is a covert program that the user does not even know is running.
It is important to point out that there are some cases where an attacker does not want to keep access. Most of these cases involve some form of corporate espionage, where an attacker gains access to acquire a certain piece of data and leaves. In most cases of corporate espionage, an attacker knows what he wants and when he gets it, he has no desire to regain access to a system at a later time. The main goal in this scenario is not to maintain access but to cover his tracks so that he will remain undetected.
Covering Tracks
After an attacker compromises a machine and creates a back door, the last thing he does is make sure he does not get caught. What good is creating a back door if someone can easily spot it and close it? Therefore, the attacker's last step is to cover his tracks.
The most basic thing to do is clean up the log files. The log files keep a record of who accessed what and when, so if anyone looks at the log file, that person can tell that an unauthorized person was in the system, and the file tells exactly what the person did. From an attacker's standpoint, this is a bad thing. So, to cover his tracks, he first finds out where the log file is and cleans out the entries that relate to his attack.
Why doesn't he go in and delete the entire contents of the log file to ensure that he doesn't miss anything? There are two major drawbacks to total deletion. First, empty log files raise immediate suspicion that something is wrong. Second, most systems put an entry in the log file indicating that the file has been cleared. This also sets off a red flag that raises fear in the heart of any system administrator. That is why it is so important to send logging to a different machine and ideally have the log information go to a write-only medium. This way, the chances of someone being able to go back and clean it up are minimized.
Another common hacker technique is to turn off logging as soon as he gains access to a machine. Why worry about having to go back and clean up the log files when he can just turn off logging? This way, no one will know what he has done. This requires additional expertise, but, it is extremely effective. The thing to remember is that if logging is done correctly, even if an attacker turns off logging, the system still records the fact that he entered the system, where he entered, and other useful information.
If an attacker modifies or overwrites files, part of his cleaning-up process is to make sure that the changed files do not raise suspicion. Most files have dates of when they were last accessed and the size of the file. There are programs that, when run, raise flags if information has been changed. To overcome this, an attacker can go in and fool the system. Even though the file has been modified and the size has changed, he can go into the properties of the files and set them back to their previous settings, which make it much harder to detect.
I recommend that if you are going to run a program to make sure key files on a system were not changed, use a program that calculates checksums. A checksum is a calculation performed on the file, and two checksums can only be the same if the files are identical. This means that even if an attacker goes in and tries to cover his tracks, because the file changed, the checksum should be different. These types of programs are much harder to hide from. These checksum programs are covered in detail in Chapter 16, "Covering the Tracks," along with much more information about how attackers cover their tracks.
| 