|Evil goal: I want to ...||pillar violated|
|steal a file||confidentiality|
|deface a webpage||integrity|
|bring down a DNS server||availability|
|send a bad e-mail from some else's account||non-repudiation|
|steal login credentials||authentication|
So, suppose you are a wanna-be attacker, meaning that you have a goal — either a particular goal that requires violating a pillar, or the general goal of violating as many pillars as possible — and a target system. The target could be a single host or a network, or a large information system infrastructure. What's stopping you? Well, we just finished looking at tools we can use to protect the IA pillars: firewalls, encryption, hashing, password authentication, and certificate-based authentication. These are the things that are stopping you from achieving your evil goal.
Let's look at some very simple examples in which we just want to steal some data, i.e. to violate confidentiality:
secret.txt, which is in the account of a user named
timvicon a host within the 18.104.22.168 network. Conceptually, our situation is illustrated by the diagram to the right, with the file
secret.txtresiding within the innermost circle. Each circle represents some barrier built by the tools we've discussed.
secret.txt? Recall that both files and processes have an owner, and the operating system doesn't allow a process to access a file unless its owner matches the file's owner, or the process owner is Administrator. Thus, the operating system's authentication is what provides a barrier between regular user processes and the users Administrator and
timvic, which have the priveleges necessary to access the file
secret.txtbefore storing it, there would be yet another barrier (created by encryption) and yet another circle in the very center of our conceptual diagram.
secret.txtmeans getting control of a process running as a user with elevated priveleges relative to that data, i.e. Administrator or the user
timivc. Ports allowed through by the firewall and services running on hosts are like gaps in the barriers. Potentially, such a gap can be exploited to provide access we shouldn't have.
A more accurate picture would reflect the fact that there are
(generally) more hosts on the target host's network than just
the target host himself. Moreover, different hosts on the
network might have different services running, thus allowing
different potential paths in from the outside. Consider the
diagram to the right, which shows that there are two hosts: the
target and a host running a webserver.
As outsiders, we have no way to access our target host directly:
the only service it runs is SSH on port 22, but the firewall
does not let port 22 traffic in.
However, we could imagine an attack
proceeding by sending port 80 traffic into the network
(which the firewall allows) to the
webserver with some carefully crafted content that exploits a
bug in the webserver, ultimately allowing us to execute commands
on it. We use this to make an SSH connection from the webserver
to the target host, which is allowed since both parties are
inside the firewall. Now we have some some degree of access to
our target host. Subsequent steps in the attack would have to
take advantage of that to pursue the ultimate goal of stealing a
What's important to note is that there are three basic phases of an attack like this:
secret.keyin this example). This might involve multiple steps, as it did in this example in which we first gained access to the "other host", and then used that access to get into the target host.
secret.key) and take whatever steps necessary to cover our tracks.
A cyber attack is not all that different than a military attack. A cyber attacker will dedicate a significant amount of time observing and probing the target computer network to find weaknesses in its defense. Any weakness found may lead to infiltration of the target network. Here is a list of some critical information that should be obtained during the reconnaissance phase:
This information is obtained by scouring all the resources available to the attacker using two distinct methods: passive and active.Passive Reconnaissance
Passive reconnaissance is commonly referred to as footprinting and, in context of a cyber attack, means minimizing any interaction with the target network which may raise flags in the computer logs. For example, visiting the target's website may leave behind a trace that your IP address established a TCP connection to the target's web server, but it will be one of millions of connections that day - probably not going to stand out to the administrator in the periodic review of server logs. On the other hand, visiting the target's website so frequently that the server becomes overloaded is certain to alert an administrator.
There is a lot of information freely available via the Internet. It can all be yours with a web browser and a lot of patience. The best starting place is the target's public website. View the source html files to find any clues. Users may provide personal information on their company website or a social media site, which could give hints as to what their user account password is. Names can be entered in a white pages search to reveal home addresses and telephone numbers, which can expand footprinting to an employee's home.
Network information can also be obtained freely via public records online. Every IP address and Domain Name must be registered in a public database. As a result, a few queries to the right places will provide anyone with the target domain's IP address range, DNS servers, and a contact address and telephone number.
Active reconnaissance is commonly referred to as
scanning. A simple scan would be to
IP address owned by the target network to see which ones belonged to
real hosts. More sophisticated scans attempt a TCP connection with
every port number of a specific IP address to determine which ports
are open and, therefore, which services are running on the host at
that IP address. Scanning is more intrusive than footprinting, but
provides more specific information. There is also more risk that the
target may be alerted to a potential attack since scanning results in
more abnormal connections to target hosts, so it must be done
carefully to avoid alertment.
One of the best tools for network scanning is a program called
nmap. Nmap is a very powerful network scanner that we
will be using to discover hosts on a target network during the
Network Reconnaissance lab. We will discuss more detail on nmap
during that lab.
Some other tools used for network scanning should already be familiar to you. Tools such as traceroute, ping, and netcat are commonly used to discover information about networks and their hosts. Let's analyze the traceroute information to Verizon.net.
traceroute to verizon.net (22.214.171.124), 30 hops max, 60 byte packets 1 126.96.36.199 (188.8.131.52) 11.327 ms 11.378 ms 11.456 ms 2 usna-c2-v726.net.usna.edu (10.0.2.21) 11.515 ms 11.550 ms 11.568 ms 3 border-d1-v722.net.usna.edu (10.0.2.6) 17.075 ms 16.930 ms 16.797 ms 4 border-f1-gi1_0.net.usna.edu (184.108.40.206) 11.016 ms 16.153 ms 16.112 ms 5 border-r1-po1.net.usna.edu (220.127.116.11) 16.058 ms 6.819 ms 3.974 ms 6 dren-sdp.net.usna.edu (18.104.22.168) 3.913 ms 1.319 ms 1.209 ms 7 so48-2-1-0.ray.dren.net (22.214.171.124) 3.969 ms 3.894 ms 4.435 ms 8 pos1-1-1.gw8.dca6.alter.net (126.96.36.199) 4.363 ms 4.298 ms 4.234 ms 9 0.xe-3-0-3.xt1.dca6.alter.net (188.8.131.52) 4.171 ms 4.114 ms 4.046 ms 10 0.so-1-2-0.xl3.dfw7.alter.net (184.108.40.206) 268.630 ms 268.637 ms 267.884 ms 11 pos6-0.gw2.dfw13.alter.net (220.127.116.11) 265.903 ms 266.073 ms 267.466 ms 12 verizon-gw.customer.alter.net (18.104.22.168) 267.530 ms 264.703 ms 264.601 ms 13 po121.ctn-core1.vzlink.com (22.214.171.124) 280.754 ms 280.736 ms 280.663 ms <== this is verizon's router 14 * * *
Line 13 begins Verizon's network, marked by vzlink.com. It's IP address is given along with it's domain name, which can be probed later for open TCP ports. At line 14, we see three asterisks. That means that there was no response from the next router within Verizon's network - this is a common security practice to make reconnaissance more difficult. In this case, we do not get much information about the internel network topology on Verizon, but we do know the existence of packet filtering by their network.
Netcat can be used to probe version information from open ports. The following example demonstrates this technique on port 80 of Verizon.net's web server:
$ nc verizon.net 80 GET / HTTP/1.1 HTTP/1.1 302 Found Date: Wed, 27 Jul 2011 20:21:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: http://www.verizon.net/central Set-Cookie: ASP.NET_SessionId=rurvikyswhz0xijy4p1hzt55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 147 Age: 25 Via: 1.1 localhost.localdomain . . .
Highlighted in yellow is the name and version of the http service running on Verizon's web server. This also hints at the web server's operating system. It must be running Microsoft Windows, since it has Microsoft's IIS running.
Knowing a weakness is not enough to infiltrate the target; an attacker must discover a way to take advantage of that weakness. This does not necessarily require advanced knowledge and skill of computer programming, but having it can significantly improve the probability of success. Anyone can guess weak passwords to gain access, but developing a custom made program to exploit poorly written code in software requires advanced programming knowledge and skill. But not everyone needs to develop exploits in order to use them. Do you have the knowledge and skill to build a car? Probably not, but that knowledge is not required to obtain a driver's license. The same goes for cyber exploits. As long as someone possess the knowledge and skill to create exploitation programs, others can use them with little or no understanding of how they work.
There are many automated tools for exploitation of known computer weaknesses freely available on the Internet. The most popular exploitation program available is called Metasploit, which you will use later in the course.
An attacker driven by monetary gains may sell credit card information obtained with privileged access on the black market. Or, an attacker motivated by political gains may expose private, and embarrassing, information about a political opponent to hurt the opponent's popular opinion. The examples go on and on.
Finally, the attacker may either terminate the connection, if no further access is required, or create a backdoor for future access of the target.