Thursday, March 3, 2011

Network intrusion methodology

The goal of this article is to explain the methodology that pirates generally use to infiltrate a computer system. Its purpose is not to explain how to compromise a system but to help you understand how the process works so you can better protect yourself. The best way to protect your system is to use the same approach pirates do in order to map the system's vulnerabilities. As such, this article does not provide specific information about how flaws are exploited, but rather it explains how to detect and correct them.




General methodology

Hackers intending to hack into computer systems firstly look for flaws, that is, vulnerabilities that can harm the system's security, in protocols, operating systems, applications or even an organization's employees! The terms vulnerability, breach and the more informal security hole are also used to refer to security flaws.
To be able to implement an exploit (the technical term that means to exploit a vulnerability), the hacker firstly has to retrieve a maximum amount of information about the network's architecture and about the operating systems and applications running on this network. Most attacks are the work of script kiddies foolishing trying out exploits found on the internet, with no knowledge of the system or of their related risks.
Once the hacker has established a map of the system, he is capable of applying exploits related to the versions of the applications he has indexed. Initial access to a machine will let him extend his action to retrieve other information and possibly escalate his privileges on the machine.
When administrator access (the term root access is generally used) is obtained, we say that the machine has been compromised (or more precisely, that a root compromise has occurred), since system files may have been modified. At this point the hacker has maximum rights on the machine.
If the intruding party is a pirate, he finishes by erasing his tracks, to avoid suspicion on the part of the compromised network's administrator and to be able to retain control over the compromised machines for as long as possible.
The following outline summarizes the full methodology: 


Retrieval of system information

Information about the targeted network's addressing, generally referred to as fingerprinting, must be obtained before an attack can be launched. This involves gathering a maximum amount of information about the target network's communication infrastructures:
  • IP addressing,
  • Domain names,
  • Network protocols,
  • Activated services,
  • Server architecture,
  • etc. 

Consultation of public bases

By obtaining the public IP address of one of the network's machines or simply the organization's domain name, a pirate is potentially capable of knowing the addressing of the entire network, that is, the range of public IP addresses belonging to the targeted organization and its breakdown into sub-networks. To do so, all he needs to do is consult the public bases that attribute IP addresses and domain names:
Consultation of search engines


The simple consultation of search engines sometimes makes it possible to gather information about a company's structure, the names of its main products and even the names of some of its employees. 

Network scanning

When the network's topology is known by the pirate, he can scan it, that is, use a software tool (called a scanner ) to determine the IP addresses active on the network, the open ports corresponding to accessible services and the operating system used by its servers.
One of the most widely known network scanning tools is Nmap, which many network administrators recognize as an essential tool for securing networks. This tool acts by sending TCP and/or UDP packets to a group of machines on a network (determined by a network address and a mask) and then analyzing the responses. Depending on the speed of the received TCP packets, it can determine the remote operating system for each scanned machine.
There is another type of scanner, called a passive mapper (one of the most well-known is Siphon), that makes it possible to find out the network topology of the physical thread on which the mapper analyzes packets. Unlike the previous scanners, this tool does not send packets over the network and therefore cannot be detected by intrusion detection systems.
In addition, some tools make it possible to receive X connections (an X server is a server that manages the display of UNIX type machines). This system is designed to be able to use the display of stations present on the network to study what is posted on the screens and to possibly intercept the keys entered by users of vulnerable machines.


Banner grabbing

When the network scan is finished, the pirate simply needs to examine the log file of tools used to find out the IP addresses of the machines connected to the network and the open ports on the network.
The numbers of open ports on the machines can provide information about the type of open service and invite him to interrogate the service to obtain additional information about the server version in the so-called "banner" information.
As such, to find out the version of an HTTP server, a pirate can just Telnet to the web server on port 80:
telnet www.commentcamarche.net 80
then request the welcome page:
GET / HTTP/1.0
The server then responds with the following header:
HTTP/1.1 200 OK
Date: Thu, 21 Mar 2002 18:22:57 GMT
Server: Apache/1.3.20 (Unix) Debian/GNU
The operating system, server and its version are then known.

Social engineering

Social engineering involves manipulating human beings, that is, taking advantage of the naivety and excessive kindness of network users, to obtain information about the network. This process involves making contact with a network user, usually by impersonating someone else, so as to obtain information about the information system and possibly to directly obtain a password. Similarly, a security flaw can be created in the remote system by sending a Trojan horse to some of the network's users. All it takes is for one of the users to open the attachment for internal network access to be given to the external attacker.
This is why security policies should be comprehensive and incorporate human factors (for example, raising user awareness about security problems), since a system's security level is characterised by its weakest link.


Spotting flaws

After drawing up an inventory of the software and possibly the hardware present, the hacker needs to determine whether or not there are flaws.
Vulnerability scanners are available that let administrators subject their networks to intrusion tests to find out whether certain applications have security flaws. The two main vulnerability scanners are:
Network administrators are also advised to regularly visit websites that keep a vulnerability database up to date:
In addition, some associations, particularly CERTs (Computer Emergency Response Teams), are in charge of capitalising on vulnerabilities and gathering together information concerning security problems.
  • CERT IST dedicated to the French Industry, Services and Tertiary community,
  • CERT IST dedicated to the French administration,
  • CERT Renater dedicated to the community of GIP RENATER members (Réseau National de télécommunications pour la Technologie, l'Enseignement et la Recherche). 

Intrusion

When the pirate has drawn up a map of resources and machines present on the network, he is ready to prepare his intrusion.
To be able to infiltrate the network, the pirate needs to access valid accounts on the machines he has indexed. To do so, pirates use several methods:
  • Social engineering, that is, by directly contacting certain network users (by email or telephone) in order to squeeze out information concerning their user ID or password. This is generally implemented by impersonating the network administrator.
  • Consultation of the directory or of messaging or file sharing services making it possible to find valid user names
  • Exploitation of vulnerabilities in Berkeley R* commands.
  • Brute force cracking, which involves automatically trying out various passwords on an account list (for example, the ID possibly followed by a number, or the password password or passwd, etc). 

Privilege escalation

When the pirate has obtained one or more accesses to the network by working off of one or more accounts with low protection levels, he will look to increase his privileges by obtaining root access; this is called privilege escalation.
As soon as root access has been obtained on a machine, the attacker can examine the network to look for additional information.
He can then install a sniffer, that is, a software program capable of monitoring (the term sniffing is also used) network traffic coming from or directed at machines located on the same thread. Thanks to this technique, the pirate can hope to retrieve ID/password pairs giving him access to accounts with privileges extended to other network machines (for example, access to an administrator's account) in order to be able to control a majority of the network.
NIS servers present on a network are also preferred targets of pirates since they are packed with information about the network and its users.


Compromise

Thanks to the previous steps, the pirate has been able to draw up a complete map of the network, of its machines and of their flaws and has root access to at least one of them. He can now extend his action even further by exploiting the trust relationships that exist among the various machines.
This identity spoofing technique lets the pirate penetrate privileged networks the compromised machine has access to.


Backdoor

When a pirate has successfully infiltrated a company network and compromised a machine, he may want to be able to come back. To do so, he will install an application in order to artificially create a security flaw. This referred to as a backdoor; the term trapdoor is also sometimes used.

Covering tracks

When the intruder has obtained sufficient control over the network, he needs to erase evidence of his visit by deleting the files he created and by clearing the log files of the machines he intruded, that is, by deleting activity lines relating to his actions.
There are also software programs, called "rootkits", that make it possible to replace the system's administration tools with modified versions in order to hide the pirate's presence on the system. If the administrator connects at the same time as the pirate, he is likely to notice the services the pirate has launched or simply see that someone else is connected simultaneously. The goal of a rootkit is therefore to fool the administrator by hiding the reality.


Conclusion

All managers of networks connected to the internet are responsible for the network's security and should test its flaws.
This is why a network administrator should keep informed of vulnerabilities in the software programs he uses by "putting himself in the shoes of a pirate" in order to try to infiltrate his own system and continuously operate in a context of paranoia.
When the company's own skills are not adequate to carry out this operation, an audit can be performed by a company specialized in computer security.

More

Article written by Jean-François PILLOU, based on an article by GomoR.

No comments:

Post a Comment