reconnaissance, will be covered
in detail here, while the remaining phases will be covered in the
What is a "Cyber Attack"?
- Violating a Pillar of Information Assurance. As we've discussed, "security" for an information system means its ongoing ability to provide its services while maintaining the properties described as the "Pillars of Cyber Security". So an attack is an action that violates one of the pillars. So what kind of nefarious goals might we have, what kind of evil action might someone want to undertake that would require violating an Cyber Security pillar. Here are some examples:
|Evil goal: I want to ...||pillar violated|
|steal a file||confidentiality|
|deface a web page||integrity|
|bring down a DNS server||availability|
|send a malicious e-mail from someone else's account||non-repudiation|
|steal login credentials||authentication|
- Using Security Tools for Defense. So, suppose you are a wannabe attacker, meaning that you have a goal — either a particular goal that requires violating a pillar, or the general goal of violating as many pillars as possible — and a target system. The target could be a single host or a network, or a large information system infrastructure. What's stopping you? Well, we just finished looking at tools we can use to protect the Cyber Security pillars:
These are the things that are stopping you from achieving your evil goal.
- Encryption (symmetric & asymmetric)
- Hashing & Salting
- Password authentication
- Confidentiality Examples. Let's look at some very simple examples in which we just want to steal some data, i.e. to violate confidentiality:
- You know that George from Accounting keeps the secret recipe for his award-winning chili on his office computer, and your goal is to steal the recipe. What's stopping you? Password authentication! You need his username and password to log in to his computer and access the recipe.
- You want to view a web page with secret planning information housed on your competitor's internal web server. What's stopping you? A firewall! Your competitor's network sits behind a firewall that doesn't allow port-80-bound traffic in.
- There's a guy on your Wifi network whom you want to discredit. You want to snoop in on his browser traffic to see what pages he's looking at. What's stopping you? Encryption! He's accessing sites via HTTPS and all the traffic is AES encrypted!
- Bottom Line. The moral here is this: If you want to attack a system, you need to violate a pillar. In order to violate a pillar, you need to defeat the tools that being used to protect the pillars.
Conceptual View of an Attack
- Defining Barriers. Consider an attack from the attacker's perspective. We can define different "barriers" where the security tools we've mentioned are normally employed. The attacker wants to overcome these barriers, and the defender wants to keep him out.
- Network Barrier (Outermost). This is the barrier between the Internet at large and the target host's network. The tool we normally use here is the Perimeter Firewall. However, we also discussed the security value of tools like Network Address Translation; firewalls are important, but may not be the only tool employed here. An attacker might penetrate the Network Barrier using a phishing e-mail or a remote code execution attack against a publicly accessible server.
- Host Barrier (Middle). If an attacker has gained access to the network, what protects the host? Usually, a combination of Authentication and a Host-Based Firewall. Users will require credentials to access this host. There will probably also be a Host-Based Firewall (like the one Windows runs on your laptop). The Host-Based Firewall is especially important if the host is a server, since it helps restrict what ports are open. An attacker could penetrate the Host Barrier using password cracking tools, network packet-sniffing tools, or again employ a phishing attack or remote code execution attack against a running service.
- The Privilege Barrier (Inside). This barrier separates unprivileged users from privileged users, like those with Administrator (Windows) or root (UNIX) credentials, on the same host. The operating system enforces this barrier in a number of ways. Here, the attacker is trying to perform a "privilege escalation" if he has access to the host, but lacks privileged access. An attacker could penetrate this barrier using password cracking tools (if he can crack an Administrator account), or "privilege escalation" attacks, in which specially designed malware attacks flaws in the operating system. This would allow the attacker, for example, to bypass protections based on file ownership.
- This idea of barriers is conceptual, and not meant to be all-encompassing. For example, we can provide added deterrence to attackers by simply encrypting our sensitive files. This would represent, in a way, another barrier to the attacker.
- Gaps in the Barriers. Ports allowed through by the firewall and services running on hosts are like gaps in the barriers. Potentially, such a gap can be exploited to provide access that an attacker shouldn't have.
A more accurate picture would reflect the fact that there are (generally) more hosts on the target host's network than just the target host itself. Also, different hosts on the network might have different services running, thus allowing different potential paths in from the outside. Consider the diagram to the right, which shows that there are two hosts: the target and a host running a web server.
- "Pivoting" to a Target Host. In our diagram, outsiders have no way to access our target host directly. The only service it runs is SSH on port 22, but the firewall does not let port 22 traffic in. However, we could imagine an attack proceeding by sending port 80 traffic into the network (which the firewall allows) to the web server with some carefully crafted content that exploits a bug in the web server, ultimately allowing the attacker to execute commands on it. The attacker can then make an SSH connection to the target host from the web server. This type of attack is sometimes referred to as a "pivot" attack, because the attacker pivots from one host to another (either because the first host was more accessible from the outside, or because it was more vulnerable for some other reason).
Phases of an Attack
The following sections discuss these three phases, with an emphasis on reconnaissance
For this class, we define a cyber attack as occurring in three basic phases:
- Reconnaissance. In this phase, the attacker finds out the information he needs to actually get in: what traffic the firewall lets through, what hosts are in the network, what services they actually have running, etc. In the previous example, reconnaissance would have discovered that the firewall lets in port 80 traffic, that there's this other host running a web server, that the target has an SSH server, etc.
- Infiltration & Maneuver. In this phase, the attacker gains the access needed to achieve his goal. This might involve multiple steps, as it did in the example where the attacker first gained access to the "other host", and then used that access to get into the target host.
- Exfiltrate & Maintaining Access. In this phase, the attacker takes the action that actually violates a Pillar of Cyber Security, and takes whatever steps are necessary to cover his tracks.
Phase I: Reconnaissance
The goal of the reconnaissance phase is to identify weak points of the target. A successful military strategist would dedicate ample resources on reconnaissance to find weaknesses in the enemy's defenses or to assess the enemy's capabilities. In either case, any
information gathered about the target may be the crucial piece needed to reveal a critical weakness in defense or an unknown offensive capability of the enemy.
A cyber attack is not all that different than a military attack. A
cyber attacker will dedicate a significant amount of time observing
and probing the target computer network to find weaknesses in its
defense. Any weakness found may lead to infiltration of the target
network. Here is a list of some critical information that should be
obtained during the reconnaissance phase:
- Network Information.
- IP Addresses
- subnet mask
- network topology
- domain names
- Host Information.
- user names
- group names
- architecture type (e.g. x86 vs SPARC)
- operating system family and version
- TCP and UDP services running with versions
- Security Policies.
- password complexity requirements
- password change frequency
- expired/disabled account retention
- physical security (e.g. locks, ID
- intrusion detection systems
- Human Information.
- home address
- home telephone number
- frequent hangouts (physical and online)
- computer knowledge
- hobbies and interests
This information is obtained by scouring all the resources
available to the attacker using two distinct methods: passive
- Passive Reconnaissance: gathering information, often indirectly, in a manner unlikely to alert the subject of the surveillance. This is the natural start of any reconnaissance because, once alerted, a target will likely react by drastically increasing security in anticipation of an attack. This is like casing a place prior to robbing it.
- In passive reconnaissance, the attacker minimizes any interaction with the target network which may raise flags in the computer logs. For example, visiting the target's website may leave behind a trace that your IP Address established a TCP connection to the target's web server, but it will be one of millions of connections that day - probably not going to stand out to the administrator in the periodic review of server logs. On the other hand, visiting the target's website so frequently that the server becomes overloaded is certain to alert an administrator.
- Banner Grabbing from Open Ports and Services.
netkitten can be used to probe version information from open ports.
The following example demonstrates this technique on port 80 of Verizon.net's web server:
$ nk verizon.net 80
GET / HTTP/1.1
HTTP/1.1 302 Found
Date: Wed, 27 Jul 2011 20:21:06 GMT
Set-Cookie: ASP.NET_SessionId=rurvikyswhz0xijy4p1hzt55; path=/; HTTPOnly
Content-Type: text/HTML; charset=utf-8
Via: 1.1 localhost.localdomain
. . .
Highlighted in yellow is the name and version of the HTTP service running on Verizon's web server.
This also hints at the web server's operating system.
It must be running Microsoft Windows, since it has Microsoft's IIS web server software running.
Additionally banner grabbing information is often available from the normal utility used for that service; e.g. you can view the HTTP Headers via the Web Developer Console in modern browsers.
Modern Web Browser Features
Modern web browsers come with a lot of standard features.
Any of the following web browsers, and many others, can be used for passive reconnaissance:
- Apple Safari
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
Banner Grabbing with a Web Browser:
- Open Google Chrome.
These directions are for Google Chrome, other browsers have similar features, just different ways to show the same data.
- Open a new tab and go to a web page, on the web, of your choosing.
- Open the Web Developer Console (
- Navigate to the Network pane.
- Reload the web page (
- In the tree view select one of the source documents in the Name column.
- Select the Header tab.
- Explore the information returned by the web server:
- Remote Address: IP address of the web server.
- Date: Date the server thinks it is, includes time zone location.
- Server: Information about the web server prorgram, and likely operating system of the web server.
- Google is an Attacker's Ally. There is a lot of information freely available via the Internet. It can all be yours with a web browser and some of patience. The best starting place is the target's public website. View the source HTML files to find any clues. Users may provide personal information on their company website or a social media site, which could give hints as to what their user account password is. Names can be entered in a white pages search to reveal home addresses and telephone numbers, which can expand footprinting to an employee's home. There are special ways to use search engines, like Google, to gather vulnerability information (may be blocked inside USNA by WebSense) as well.
- Public Network Information. Network information can also be obtained freely via public records online (example here). Every IP Address and Domain Name must be registered in a public database. As a result, a few queries to the right places will provide anyone with the target domain's IP Address range, DNS servers, and a contact address and telephone number.
- Active Reconnaissance: gathering information while interacting with the subject directly, in a way that usually can be discovered. If footprinting is like casing a place, then active reconnaissance would be actually trying to open doors and windows to see which ones are unlocked. We already know about a number of tools that can be used for active network recon: ping, traceroute, and netkitten (nk). If we know the range of potential IP Addresses for our target network, we can use ping to determining which IP's are actually in use by hosts on the network. We can use traceroute to figure out the topology of the network: i.e. were the routers are with respect to the hosts. Finally, we can use netkitten (nk) to determine which ports are open with servers listening on them.
- Scanning. Active reconnaissance is commonly referred to as scanning. A simple scan would be to
ping every IP Address owned by the target network to see which ones belonged to real hosts. More sophisticated scans attempt a TCP connection with every port number of a specific IP Address to determine which ports are open and, therefore, which services are running on the host at that IP Address. Scanning is more intrusive than footprinting, but provides more specific information. There is also more risk that the target may be alerted to a potential attack since scanning results in more abnormal connections to target hosts, so it must be done carefully to avoid alertment.
- NMAP - The Network Mapper. One of the best tools for network scanning is a program called
nmap. Nmap is a very powerful network scanner that we will be using to discover hosts on a target network during the Network Reconnaissance lab. We will discuss more detail on nmap during that lab.
- Common Tools. Some other tools used for network scanning should already be familiar to you. Tools such as traceroute, ping, and netkitten are commonly used to discover information about networks and their hosts. Let's analyze the traceroute information to Verizon.net.
traceroute to verizon.net (188.8.131.52), 30 hops max, 60 byte packets
1 184.108.40.206 (220.127.116.11) 11.327 ms 11.378 ms 11.456 ms
2 usna-c2-v726.net.usna.edu (10.0.2.21) 11.515 ms 11.550 ms 11.568 ms
3 border-d1-v722.net.usna.edu (10.0.2.6) 17.075 ms 16.930 ms 16.797 ms
4 border-f1-gi1_0.net.usna.edu (18.104.22.168) 11.016 ms 16.153 ms 16.112 ms
5 border-r1-po1.net.usna.edu (22.214.171.124) 16.058 ms 6.819 ms 3.974 ms
6 dren-sdp.net.usna.edu (126.96.36.199) 3.913 ms 1.319 ms 1.209 ms
7 so48-2-1-0.ray.dren.net (188.8.131.52) 3.969 ms 3.894 ms 4.435 ms
8 pos1-1-1.gw8.dca6.alter.net (184.108.40.206) 4.363 ms 4.298 ms 4.234 ms
9 0.xe-3-0-3.xt1.dca6.alter.net (220.127.116.11) 4.171 ms 4.114 ms 4.046 ms
10 0.so-1-2-0.xl3.dfw7.alter.net (18.104.22.168) 268.630 ms 268.637 ms 267.884 ms
11 pos6-0.gw2.dfw13.alter.net (22.214.171.124) 265.903 ms 266.073 ms 267.466 ms
12 verizon-gw.customer.alter.net (126.96.36.199) 267.530 ms 264.703 ms 264.601 ms
13 po121.ctn-core1.vzlink.com (188.8.131.52) 280.754 ms 280.736 ms 280.663 ms <== this is Verizon's router
14 * * *
Line 13 begins Verizon's network, marked by vzlink.com. It's IP Address is given along with it's domain name, which can be probed later for open TCP ports. At line 14, we see three asterisks. That means that there was no response from the next router within Verizon's network - this is a common security practice to make reconnaissance more difficult. In this case, we do not get much information about the internal network topology on Verizon, but we do know the existence of packet filtering by their network.
Phase II: Infiltration & Maneuver
- The goal of this phase is to gain control of a host on the target's network. This is typically done by gaining remote access to a shell or terminal as the administrator on that host.
- Knowing a weakness is not enough to infiltrate the target; an attacker must discover a way to take advantage of that weakness. This does not necessarily require advanced knowledge and skill of computer programming, but having it can significantly improve the probability of success. Anyone can guess weak passwords to gain access, but developing a custom made program to exploit poorly written code in software requires advanced programming knowledge and skill. But not everyone needs to develop exploits in order to use them. Do you have the knowledge and skill to build a car? Probably not, but that knowledge is not required to obtain a driver's license. The same goes for cyber exploits. As long as someone possess the knowledge and skill to create exploitation programs, others can use them with little or no understanding of how they work.
- There are many automated tools for exploitation of known computer weaknesses freely available on the Internet. The most popular exploitation program is actually a framework, or collection of programs called Metasploit, which you will use in the Attack portion of the course.
Phase III: Exfiltrate & Maintaining Access
In this lecture we will discuss the fundamental phases of a cyber
attack. The first phase,
- The goal of the final phase is to achieve the intended objective and back out leaving no trace of the trespass. In practice, this is very difficult because computers keep records of every logon, logoff, startup, shutdown, network connection, program execution, and error received. With so many records left on every computer accessed, including routers, it is nearly impossible to eliminate all traces of an intrusion. Often times, an attacker will use techniques to deceive authorities as to the actual origin of the attack.
Flame Covered its Tracks
The "Flame" malware came to light in the summer of 2012. It's a
very sophisticated piece of malware, probably produced by some
nation-state, not by random hackers, terrorists or criminals.
One of the many interesting aspects of the Flame malware was
that it was designed to "cover its tracks", i.e. to erase traces
of its existence on computers that it had infected, but was
finished with. The article Flame
authors order infected computers to remove all traces of the
, from CIO Magazine,
describes in some detail how Flame did this.
- An attacker driven by monetary gains may sell credit card information obtained with privileged access on the black market. Or, an attacker motivated by political gains may expose private, and embarrassing, information about a political opponent to hurt the opponent's popular opinion. There are many possible examples.
- Finally, the attacker may either terminate the connection, if no further access is required, or create a backdoor for future access to the target.