The Attacker’s Process
Objective: State the process or methodology hackers use to attack networks
Attackers follow a fixed methodology. To beat a hacker, you have to think like one, so it’s important to understand the methodology. The steps a hacker follows can be broadly divided into six phases, which include pre-attack and attack phases:
- Performing Reconnaissance
- Scanning and enumeration
- Gaining access
- Escalation of privilege
- Maintaining access
- Covering tracks and placing backdoors
Let’s look at each of these phases in more detail so that you better understand the steps.
Reconnaissance is consideredthe first pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the victim. This first step is considered a passive information gathering. As an example, many of you have probably seen a detective movie in which the policeman waits outside a suspect’s house all night and then follows him from a distance when he leaves in the car. That’s reconnaissance; it is passive in nature, and, if done correctly, the victim never even knows it is occurring.
Hackers can gather information in many different ways, and the information they obtain allows them to formulate a plan of attack. Some hackers might dumpster dive to find out more about the victim. Dumpster diving is the act of going through the victim’s trash. If the organization does not have good media control policies, many types of sensitive information will probably go directly in the trash. Organizations should inform employees to shred sensitive information or dispose of it in an approved way.
Don’t think that you are secure if you take adequate precautions with paper documents. Another favorite of the hacker is social engineering. A social engineer is a person who can smooth talk other individuals into revealing sensitive information. This might be accomplished by calling the help desk and asking someone to reset a password or by sending an email to an insider telling him he needs to reset an account.
If the hacker is still struggling for information, he can turn to what many consider the hacker’s most valuable reconnaissance tool, the Internet. That’s right; the Internet offers the hacker a multitude of possibilities for gathering information. Let’s start with the company website. The company website might have key employees listed, technologies used, job listings probably detailing software and hardware types used, and some sites even have databases with employee names and email addresses.
Scanning and Enumeration
Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. The hacker might use techniques to lessen the chance that he will be detected by scanning at a very slow rate. As an example, instead of checking for all potential applications in just a few minutes, the scan might take days to verify what applications are running. Many organizations use intrusion detection systems (IDS) to detect just this type of activity. Don’t think that the hacker will be content with just mapping open ports. He will soon turn his attention to grabbing banners. He will want to get a good idea of what type of version of software applications you are running. And, he will keep a sharp eye out for down-level software and applications that have known vulnerabilities. An example of down-level software would be Windows 95.
One key defense against the hacker is the practice of deny all. The practice of the deny all rule can help reduce the effectiveness of the hacker’s activities at this step. Deny all means that all ports and applications are turned off, and only the minimum number of applications and services are turned on that are needed to accomplish the organization’s goals.
Unlike the elite blackhat hacker who attempts to remain stealth, script kiddies might even use vulnerability scanners such as Nessus to scan a victim’s network. Although the activities of the blackhat hacker can be seen as a single shot in the night, the script kiddies scan will appear as a series of shotgun blasts, as their activity will be loud and detectable. Programs such as Nessus are designed to find vulnerabilities but are not designed to be a hacking tool; as such, they generate a large amount of detectable network traffic.
As far as potential damage, this could be considered one of the most important steps of an attack. This phase of the attack occurs when the hacker moves from simply probing the network to actually attacking it. After the hacker has gained access, he can begin to move from system to system, spreading his damage as he progresses.
Access can be achieved in many different ways. A hacker might find an open wireless access point that allows him a direct connection or the help desk might have given him the phone number for a modem used for out-of-band management. Access could be gained by finding a vulnerability in the web server’s software. If the hacker is really bold, he might even walk in and tell the receptionist that he is late for a meeting and will wait in the conference room with network access. Pity the poor receptionist who unknowingly provided network access to a malicious hacker. These things do happen to the company that has failed to establish good security practices and procedures.
The factors that determine the method a hacker uses to access the network ultimately comes down to his skill level, amount of access he achieves, network architecture, and configuration of the victim’s network.
Escalation of Privilege
Although the hacker is probably happy that he has access, don’t expect him to stop what he is doing with only a "Joe user" account. Just having the access of an average user probably won’t give him much control or access to the network. Therefore, the attacker will attempt to escalate himself to administrator or root privilege. After all, these are the individuals who control the network, and that is the type of power the hacker seeks.
Privilege escalation can best be described as the act of leveraging a bug or vulnerability in an application or operating system to gain access to resources that normally would have been protected from an average user. The end result of privilege escalation is that the application performs actions that are running within a higher security context than intended by the designer, and the hacker is granted full access and control.
Would you believe that hackers are paranoid people? Well, many are, and they worry that their evil deeds might be uncovered. They are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the etc/passwd file or steal other passwords so that they can access other user’s accounts.
Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his access to the system and use it for malicious purposes. Rootkits have the capability to mask the hacker, hide his presence, and keep his activity secret. They are discussed in detail in Chapter 5, "Linux and Automated Security Assessment Tools."
Sometimes hackers might even fix the original problem that they used to gain access, where they can keep the system to themselves. After all, who wants other hackers around to spoil the fun? Sniffers are yet another option for the hacker and can be used to monitor the activity of legitimate users. At this point, hackers are free to upload, download, or manipulate data as they see fit.
Covering Tracks and Placing Backdoors
Nothing happens in a void, and that includes computer crime. Hackers are much like other criminals in that they would like to be sure to remove all evidence of their activities. This might include using rootkits or other tools to cover their tracks. Other hackers might hunt down log files and attempt to alter or erase them.
Hackers must also be worried about the files or programs they leave on the compromised system. File hiding techniques, such as hidden directories, hidden attributes, and Alternate Data Streams (ADS), can be used. As an ethical hacker, you will need to be aware of these tools and techniques to discover their activities and to deploy adequate countermeasures.
Backdoors are methods that the hacker can use to reenter the computer at will. The tools and techniques used to perform such activities are discussed in detail in Chapter 6, "Trojans and Backdoors." At this point, what is important is to identify the steps.