Tuesday, November 20, 2012

Basic Network Attack



Network Attacks - Part 1

Before looking at attacks you need to understand the difference between a hacker and a cracker.

Hacker: Eric Raymond, compiler of The New Hacker's Dictionary, defines a hacker as a clever programmer. A "good hack" is a clever solution to a programming problem and "hacking" is the act of doing it. Raymond lists five possible characteristics that qualify one as a hacker, which we paraphrase here:
  • A person who enjoys learning the details of a programming language or system
  • A person who enjoys actually doing the programming rather than just theorizing about it
  • A person capable of appreciating someone else's hacking
  • A person who picks up programming quickly
  • A person who is an expert at a particular programming language or system, as in "UNIX hacker"
Cracker: A cracker is someone who breaks into someone else's computer system, often on a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security.

Introduction:
A network attack occurs when an attacker or cracker uses certain methods or technologies to maliciously attempt to compromise the security of a network. Crackers attack corporate networks to use data for financial gain or for industrial espionage, to illegally use user accounts and privileges, to run code to damage and corrupt data, to steal data and software, to prevent legitimate authorized users from accessing network services, and for a number of other reasons.
External attacks are performed by individuals who are external to the target network or organization. External threats are usually performed by using a predefined plan and the skills of the attacker(s). One of the main characteristics of external threats is that they usually involve scanning and gathering information.

Three generalized categories of attacks on the basis of origin:
Structured external threats originate from crackers and are usually initiated by attackers who have premeditated the actual damage and losses they want to cause. Possible motives for structured external threats include greed, politics, terrorism, racism and criminal payoffs. Criminal hackers are highly skilled in network design, methods of avoiding security measures, Intrusion Detection Systems (IDSs), access procedures, and hacking tools.
Unstructured external threats originate from an inexperienced attacker, typically a script kiddie. A script kiddie is an inexperienced attacker who uses cracking or scripted tools readily available on the Internet to perform a network attack.
Remote external attacks are usually aimed at the services which an organization offers to the public. Remote external attacks can also be aimed at the services available to internal users, at locating modems that give access to the corporate network, and at brute-forcing password-authenticated systems. Local external attacks originate from situations where computing facilities are shared and access to the system can be obtained.
Internal threats originate from dissatisfied or unhappy internal employees or contractors. Internal attackers have some form of access to the system and usually try to disguise their attack as a normal process.

Basic steps used by a cracker (Pre-Attack):

Footprinting: It is the initial step in hacking a corporate network. The purpose of footprinting is to create a map of the network to determine what operating systems, applications and address ranges are being utilized.

Port scanning: It is done when a cracker collects information on the network services on a target network. The cracker attempts to find open ports on the target system.

Enumeration: A cracker might use enumeration to collect information on the applications and hosts on the network, and on the user accounts used on the network. Enumeration is particularly successful in networks that contain unprotected network resources and services. A network attacker can then launch an access attack to exploit a security weakness in order to gain access to a system or the network. The programs generally used are:
a.) Trojan horses: capable of creating backdoors, e.g. the Trojan program named "Beast".
b.) Password hacking programs: typically used to obtain system access. Once access is obtained, the intruder is able to modify or delete data and add, modify or remove network resources. Unauthorized privilege escalation is another common type of attack. Examples are tools like "John the Ripper" and "Cain and Abel".

Privilege escalation: It occurs when an intruder attempts to obtain a higher level of access, such as administrative privileges, to gain control of the network system. A cracker can also implant a mechanism, such as some form of access-granting code, with the intent of using it at some future stage. Backdoors are installed by attackers so that they can easily access the system at a later date. After a system is compromised, you can remove any installed backdoors by reinstalling the system from a backup that is known to be secure. This step is a post-attack activity.

Common types of network attacks initiated by Crackers are listed here:

Eavesdropping attack: It occurs when an attacker monitors or listens to network traffic in transit and then interprets all unprotected data. An attacker only needs sniffer technology to eavesdrop on an Internet Protocol (IP) based network and capture traffic in transit.

IP address spoofing: It occurs when an attacker assumes the source IP address of IP packets to make it appear as though the packet originated from a valid IP address. The aim of an IP address spoofing attack is to identify computers on a network.

Sniffing: It occurs when attackers capture and analyze network traffic. The tools used for sniffing are called sniffers or protocol analyzers. A sniffer attack occurs when attackers use sniffers to monitor, capture and obtain specific network information, such as passwords and valuable customer information.

Password attacks: These are aimed at guessing the password for a system until the correct password is determined. Network attackers can obtain user ID and password information and can then pose as authorized users and attack the corporate network. Attackers can use dictionary attacks or brute force attacks to obtain access to resources with the same rights as the authorized user.

Brute force attack: An attacker attempts to decode a cipher by trying each possible key until the correct one is found. This type of network attack systematically tries all possible alphabetic, numeric, and special character combinations to discover a password that is valid for a user account. Brute force attacks are also typically used to compromise networks that use the Simple Network Management Protocol (SNMP).
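A defender's-side check for the password and brute force attacks described above, added here as an example (it is not code from the original post): it parses authentication log lines, counts failed logins per source address inside a sliding time window, and reports sources that exceed a threshold together with how many distinct usernames they tried (many usernames from one source is the dictionary-attack signature). The log lines are constructed in OpenSSH's syslog "Failed password" format; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's "Failed/Accepted password" syslog format (not from the page).
SAMPLE_AUTH_LOG = """\
Nov 20 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Nov 20 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 51001 ssh2
Nov 20 10:00:02 host sshd[1203]: Failed password for root from 198.51.100.7 port 51002 ssh2
Nov 20 10:00:03 host sshd[1204]: Failed password for alice from 198.51.100.7 port 51003 ssh2
Nov 20 10:00:04 host sshd[1205]: Failed password for bob from 198.51.100.7 port 51004 ssh2
Nov 20 10:00:09 host sshd[1206]: Failed password for bob from 198.51.100.7 port 51005 ssh2
Nov 20 10:05:00 host sshd[1300]: Failed password for carol from 203.0.113.9 port 40000 ssh2
Nov 20 10:05:30 host sshd[1301]: Accepted password for carol from 203.0.113.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_line(line, year=2012):
    """Return (timestamp, result, user, source_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    return ts, m["result"], m["user"], m["ip"]

def find_brute_force(log_text, threshold=5, window_s=60):
    """Map source IP -> (max failures inside one window, distinct usernames tried in it)."""
    failures = defaultdict(list)
    for ev in map(parse_auth_line, log_text.splitlines()):
        if ev and ev[1] == "Failed":
            failures[ev[3]].append((ev[0], ev[2]))
    alerts, window = {}, timedelta(seconds=window_s)
    for ip, events in failures.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):           # sliding window over the sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, len({u for _, u in events[start:end + 1]}))
        if best:
            alerts[ip] = best
    return alerts
```

With the sample above, `find_brute_force(SAMPLE_AUTH_LOG)` flags only 198.51.100.7 (six failures across four usernames in eight seconds); carol's single typo followed by a successful login stays below the threshold.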

Denial of Service (DoS) attack: It is aimed at preventing authorized, legitimate users from accessing services on the network. A DoS attack can be initiated by sending invalid data to applications or network services until the server hangs or simply crashes. The most common form of DoS attack is the TCP-based attack.
A network attacker can increase the scale of a DoS attack by initiating the attack against a single network from multiple computers or systems. This type of attack is known as a distributed denial of service (DDoS) attack. Network administrators can experience great difficulty in fending off DDoS attacks, simply because blocking all the attacking computers can also result in blocking authorized users.

Man-in-the-middle (MITM) attack: It occurs when a cracker eavesdrops on a secure communication session and monitors, captures and controls the data being sent between the two parties communicating. The attacker attempts to obtain information so that he/she can impersonate the receiver and sender.

Distributed Denial of Service (DDoS) attack: It is also a form of DoS attack, but in this scenario the attacker is not a single individual; multiple attackers launch DoS attacks simultaneously against a common victim.


Network Attacks - Part 2

INTRODUCTION:
This is the second part on network attacks. Here I will be talking about a technique named "scanning", which is very important to an attacker because, based on the results obtained from scanning, he/she decides how to attack the network.
Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding which services and applications are open on the target device. Once open ports are found, the applications or services behind them can be discovered. At this point, further information is typically gathered to determine how best to target any vulnerabilities and weaknesses in the system.
Port scanning is one of the most popular reconnaissance techniques crackers use to discover services they can break into. A potential victim computer runs many 'services' that listen on well-known 'ports'. By scanning which ports are available on the victim, the attacker finds potential weaknesses that can be exploited.

PORT SCANNING TYPES:

1.) TCP Connect / Full Open Scan:
• TCP Connect is the most reliable form of TCP scan. It checks whether a port is open or closed by using the TCP protocol flags.
• If the port is open, the connect() call succeeds, whereas if the port is closed the connect() call fails.
Note: The operating system provides the connect system call, which the TCP Connect method uses to check whether the port is open or closed.

2.) SYN Stealth / Half Open Scan:
• The SYN/stealth scan is also known as a half open scan because it does not establish a full connection with the target system.
• During this scan, the attacker first sends a SYN packet to a particular port on the target as a request to create a new connection, and then waits for a reply.
• If the port replies with the SYN/ACK flags set, this confirms that the port is open and in use.
• However, if a packet with the RST flag set is received, this means that the port is closed.
• One advantage of this particular scan is that, in many services and systems, unsuccessful connections are not logged, which means the scan may go undetected.

3.) FIN Stealth Scan:
• During a FIN stealth scan, the attacker sends a packet with the FIN flag set.
• If the port is open it does not send any packet back, while if it is closed it replies with a FIN packet.
• Advantage: some applications or services do not reply to a SYN request during a TCP connect() scan, so in that scenario it is beneficial to use a FIN stealth scan.

4.) FTP Bounce Scan:
• This type of port scanning is only possible when the FTP server has the bounce attack vulnerability.
• The bounce attack vulnerability allows the attacker to use the FTP server to port scan the target system, with the server acting as a sort of proxy in between. This type of scan provides anonymity to the attacker and is comparatively hard to trace back.


5.) SYN/FIN Scanning - IP fragments:
• During a SYN/FIN scan the TCP header is split across several IP fragments.
• SYN/FIN is not a new type of scan; it is a combination of the SYN stealth scan and the FIN stealth scan.

6.) UDP Scanning:
• This scanning process simply uses the UDP protocol instead of the TCP protocol used in the previous examples.
• The scanning process is much more complicated than TCP scanning, since UDP is a connectionless protocol.
Note: During UDP scans, open ports do not send any acknowledgement in reply to our request, while closed ports send an ICMP_PORT_UNREACH error when we send a request to them.

7.) ICMP Scanning:
• ICMP scanning is a scanning method which sends ICMP packets to all machines on the network to determine the active hosts on the network.
• In order to complete the process quickly, ICMP packets are sent to multiple nodes at the same time.
• The time taken can be reduced further by altering the timeout value of the scan.

8.) Reverse Ident Scanning:
• Reverse Ident scans help the attacker identify the user who owns a process, i.e. they determine the username of the owner of any process connected via TCP.
• Note that it works in the reverse manner as well: the server can also run an Ident query on the user connecting to it.

9.) Idle Scan:
Idle scan is a blind port scanning technique. The attacker can create a botnet of zombies which in turn scan the ports of the target machines. Intrusion Detection Systems, if installed on the target machines, will point to the innocent zombies as the attackers. So attackers can scan a large target network without themselves sending a single packet to the target network. This provides a high degree of stealth.

10.) OS Fingerprinting:
OS fingerprinting is a scanning technique used to determine the operating system of the target system. There are various methods by which one can detect the underlying operating system: banner grabbing the FTP, SSH or HTTP server, evaluating the TTL value in ICMP packets, or even observing TCP and UDP response behavior. OS fingerprinting can be classified as:

1. Passive Fingerprinting:
In passive fingerprinting, the attacker does not directly scan the ports of the target machine; instead the attacker sniffs the data packets being transferred to and from the target machine. During passive fingerprinting all the attacker needs to do is capture the data packets and then analyze them to determine the operating system of the target machine.
In passive fingerprinting, the attacker analyzes the captured data for IP stack characteristics in order to identify the operating system of the target.

2. Active Fingerprinting:
Active fingerprinting is based on the use of a database of typical operating system responses to particular malformed data packets. During active OS fingerprinting, the attacker sends malformed packets to the target machine and, after analyzing the responses, predicts the type of operating system running on the target machine.

11.) Ping Sweep:
• A ping sweep is a process used to enumerate the live hosts in a network. It consists of ICMP ECHO requests sent to multiple hosts. If a system is live, it sends back an ICMP ECHO reply.
• The ping utility is often used to check whether a network device is functioning or not.
• To prevent ping sweeps of a network, administrators can block ICMP ECHO requests using firewalls.
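Two of the scans above leave a clear trace at a logging firewall even when the scanned hosts themselves record nothing: a SYN stealth scan shows up as one source sending bare SYNs to many distinct ports of one host, and a ping sweep shows up as one source sending ICMP echo requests (type 8) to many distinct hosts. The following detector, added here as an example and not code from the original post, runs that logic over constructed netfilter-style (iptables LOG target) log lines; the thresholds are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed netfilter (iptables LOG target) style lines, not taken from the page.
SAMPLE_FW_LOG = """\
Nov 20 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Nov 20 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 20 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Nov 20 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Nov 20 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Nov 20 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:00:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0
Nov 20 10:00:07 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 SYN
Nov 20 10:00:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=443 ACK
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_fw_line(line):
    """Return the KEY=VALUE fields of one log line plus the set of bare TCP flag tokens."""
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def detect_recon(log_text, port_threshold=5, host_threshold=4):
    """Flag (src, dst) pairs probing many distinct ports with SYN-only packets (SYN scan)
    and sources sending ICMP echo requests to many distinct hosts (ping sweep)."""
    syn_ports = defaultdict(set)   # (src, dst) -> destination ports seen with SYN only
    echo_hosts = defaultdict(set)  # src -> hosts that received an echo request
    for f in map(parse_fw_line, log_text.splitlines()):
        if "SRC" not in f:
            continue
        if f.get("PROTO") == "TCP" and f["FLAGS"] == {"SYN"}:
            syn_ports[(f["SRC"], f["DST"])].add(int(f["DPT"]))
        elif f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            echo_hosts[f["SRC"]].add(f["DST"])
    findings = []
    for (src, dst), ports in sorted(syn_ports.items()):
        if len(ports) >= port_threshold:
            findings.append(("port_scan", src, dst, len(ports)))
    for src, hosts in sorted(echo_hosts.items()):
        if len(hosts) >= host_threshold:
            findings.append(("ping_sweep", src, None, len(hosts)))
    return findings
```

On the sample, 198.51.100.7 is reported for probing five ports of 192.0.2.10 and 203.0.113.9 for sweeping four hosts, while 192.0.2.50, which only talks to port 443 and whose second packet carries ACK rather than a bare SYN, is not reported.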

12.) Wardialing:
• Wardialing is a technique of using a modem to automatically dial a list of telephone numbers, separating the numbers that are answered by a computer from regular phone lines answered by humans or answering machines.
• Once a list of active computer systems (on the phone network) is obtained, attackers can use many techniques to break into those systems.
These are some of the scanning methods used by attackers to scan a network and gather information about it.
