Modern Exploits

An exploit run against a vulnerable object will result in a hacker being able to perform actions without authorization. What exactly a hacker can do really depends on the type of exploit used against our weaknesses. There are several classifications for exploits; we will take a look at the most common and important ones in this section:

  • DoS

  • Penetration

  • Entry-point searching

  • Back doors

  • Cracking

  • Social engineering

  • Chained exploits

DoS Exploits

DoS attacks are by far the most commonly practiced exploits. The reason for this is quite simple; they are the easiest and quickest ways to affect an object. Anyone at all can run a successful DoS attack using only a low-end desktop and some easily obtainable hacker tools. It is simply a matter of finding a target and choosing the proper tool, or vice versa.

The Process

The first task when performing a DoS attack is to match a particular vulnerability to a particular device. While attempting to be friendly and easy-to-use, computers and devices have the unfortunate tendency to give out far more information than is desirable (again, in violation of the Rule of Least Privilege). For example, by default, someone across the Internet can often determine the operating system used by an email, DNS, or Web service. To make matters worse, common services often advertise an application's name and revision to anyone opening a connection, so for the hacker, it is simply a matter of:

  1. Probing a system for its information, trying to find as many services, applications, and version numbers as possible.

  2. Going to one of thousands of hacker sites and searching each service or application for known vulnerabilities. This will usually result in a list of vulnerabilities and exploits that are known to work with such devices, and links to download the tools that perform the DoS attack.

  3. Running the tool and checking whether the attack was successful.

The Threat

DoS attacks are the easiest to understand in terms of the threat they pose to an organization. By definition, the purpose of a DoS attack is to stop a system or service from functioning properly, thus denying service to all users. To assess the threat a DoS attack poses to an environment, we must be able to calculate the negative impacts of a successful attack at the most critical time using worst-case scenarios. Add in variables like potential data loss and rebuild time and we can quickly assess the damage a DoS attack could do. We will discuss this in more detail in Chapter 8, Practical Security Assessments.

It is important to keep the proper frame of mind in light of redundancy and its ability to defend against this common form of attack. When an exploit is run that forces a service to stop responding, a redundant stand-by system may become active to keep the service running. However, by running the same exact exploit again, the hacker can then take out all redundant instances of a system. Thus, redundancy by itself offers little assistance in this situation.

Penetration Exploits (Breaking and Entering)

A penetration attack is where someone attempts to gain access to systems or resources beyond his or her privilege level, thus penetrating or bypassing security. Someone on the Internet trying to gain access to an intranet server is performing a penetration attack, just like an officemate trying to bypass Human Resources security checks to modify his or her hourly rate.

The Process

Penetration attacks range widely in execution and effect. Most often they will follow this pattern:

  1. Find a service that is accessible to the hacker, such as a mail server, DNS server, or end-user workstation. These are either services that the attacker is authorized to access as a public user, or services that were installed and are operating unknown to the administrator.

  2. Attempt to trick the service into allowing more access than is authorized. Oftentimes, this will involve executing a hacker tool that causes the service to grant file execution or other forms of access to the attacker.

  3. Once exploited, use the system as a bridge to the internal network, allowing the hacker to bypass other security measures and further compromise the internal network.

Performing a penetration attack requires slightly more work than the common DoS attack, and it can be more difficult to find a target. Vulnerabilities are, however, discovered every week that allow an attacker to bypass security and execute code, making penetration attacks very common.

The Threat

Successful penetration attacks grant access to those who are not supposed to have it. The level of access granted and what the hacker can do with it are different for each type of vulnerability and exploit. All too often, vulnerabilities lead to the hacker gaining some form of administrative access, at which point we can consider a system to be in his or her pocket. In the worst-case scenario, once a system has been penetrated, not only is its security compromised, but so is the security of the entire network and all the systems on it. Hackers will most often make themselves "at home" in a penetrated system, patching up the vulnerabilities so others can't get in using the same exploit, and then lying dormant, passively watching all the traffic passing by, looking for keys, passwords, and other sensitive materials. More on assessing this threat in an environment is included in Chapter 8.

Entry Point Searching

There are two forms of entry point searching commonly experienced: targeted and random. Targeted means that the hacker has chosen an organization specifically and is attempting to find as many entry points as possible from which to attempt an attack. Random entry point searching is when an individual uses a particular medium, such as a war-dialer or network scanner, to perform random searches until finding something interesting.

Entry point searches normally precede other attacks. Here, the hacker probes for the "weakest link" within an organization's perimeter. The goal of this process is to find as many entry points as possible and attack each until the hacker is able to contact an internal system.

The Process

When performing a targeted entry point search, the hacker will first perform a study of the environment, much like a professional thief snooping for the one window without an alarm. A hacker will probe systems, make phone calls, and look up public records to find any information of value for determining a perimeter weakness. Through this process, the hacker will usually try to find information such as:

  • The IP address ranges assigned to the organization

  • The phone numbers assigned to the organization

  • Where the organization is located, and the names of the key players

  • The name, operating system, address, and services of publicly accessible servers, such as Web, DNS, and email servers

Using this information, the attacker will begin probing for vulnerabilities while trying not to set off any serious alarms. Given a few days, an attacker can usually:

  • Scan all the publicly accessible servers for vulnerabilities

  • Have a war-dialer call the organization's phone numbers, looking for modems

  • Visit the office, or call and talk to individuals within the organization

Performing these steps will frequently yield good results. One system may be unpatched, a modem installed on a router or desktop, or an employee may be perfectly willing to divulge a password given the right story. If, however, none of these entry points works, the attacker can simply move on to the next target and then return in a month or so to find new vulnerabilities, new modems, or new employees willing to give out sensitive information.

The Threat

When a hacker is successful in finding vulnerable entry points into a network, all of the hacker's capabilities become magnified. A hacker attacking from inside a network is the greatest security challenge we will face. Though the entry point search itself will probably yield no damage, it could very well result in the hacker accessing the network from the inside.

Sneak Attacks and Back Doors

Getting an end-user to execute malicious code on his or her system is another commonly practiced form of hacking. The moment we double-click on that little executable file that was sent to us from Russia, we are at the complete and utter mercy of the programmer who created it. Sure, virus checkers and other applications do their part to protect us, but there is no good security measure that will prevent new malicious code execution on a system. This is why executable Trojan horses and other similar back doors are so popular.

The Process

Creating malicious code is quite simple to do and there are many hackers out there doing it. Since common desktop computers are designed to be as user-friendly as possible, they readily accept almost anything a program asks them to do. If a hacker is able to execute, or convince someone else to execute, code on a standard desktop computer, the hacker can grant himself or herself unlimited access and establish a remote connection with his/her own system. In such a situation, firewalls and IDSs are of little help to the penetrated organization.

The Threats

  • Trojan horses: A Trojan horse is an application that masquerades as something common and harmless to trick the user into trusting it. If, for example, we were to launch a Windows Trojan, the application could overshadow the normal authentication process. Thus, the next time the login and password prompt appears, it is actually a Trojan disguised as a Windows prompt. The information would then be relayed back to the hacker via our own network connection or through an automated email message.

  • Back doors: Back doors open up hidden holes in a system that allow a hacker to gain access. Sometimes, back doors simply wait to be accessed by a particular network request, while others will proactively establish an outbound session with the hacker's computer. Once a back door is installed on a computer, the hacker is often able to do as he or she pleases with it.

  • Other malicious code: There is a lot of code out there that cannot be properly described as a back door, Trojan horse, worm, virus, or other classification. This is code that is intended simply to entertain the hacker or to cause damage to a system or network without attempting to break in, capture authentication information, or spread itself to others. Such malicious code could be programmed to simply erase files, format a disk, corrupt an operating system, or take advantage of one of millions of possibilities.

An interesting, yet tragic example of malicious code was an application designed to hide in the background of a computer and, at odd hours of the night, use the modem to make phone calls to various 1-900 numbers. In any given night, 10 to 100 phone calls could be made, ranging from $200 to $5,000 in charges. It is very likely that the victim would have no clue that there was any issue until the monthly phone bill arrived, with a very large surprise!

Authentication Cracking Attacks

Cracking refers to someone attempting to gain access to a system by determining the proper key or password for access. Here, we are not trying to trick a service into granting us access, we are simply trying to work the combination lock until it clicks into place and we can enter without obstruction.

The Process

Cracking requires that the attacker have access to the authentication mechanism or authentication information through which access is granted. For example, if the hacker can go to a Web page and get prompted for a login and password, he or she can then attempt to crack it; if a hacker can gain access to a file with authentication information in it, he/she can attempt to crack it.

Once a connection has been established with a device, whether authorized or unauthorized, a hacker will try to guess the authentication requirement. For example, if a password is required for accessing a Web site, the hacker may instruct his/her computer to continually guess passwords until one is accepted. This is a crude, but simple example of cracking.

Most often, cracking is performed after basic access to a system has already been acquired. Systems hold their passwords and keys inside of files located somewhere within the operating system. Such files are usually stored in some form of one-way encrypted hash that keeps the information somewhat secure from prying eyes. Many utilities focus on gaining access to these password files so that they can be transferred to the hacker's computer. Once there, password files are then cracked using dictionary-guessing utilities (attempting to use all the words in a standard dictionary), brute-force crackers (guessing every possible combination of letters, numbers, and symbols), or a customized combination of the two. Many crackers also allow a hacker to enter details such as the name of the organization, address, birthday, and other relevant information that may be used. Password crackers often substitute basic symbols to find passwords such as "p@ssw0rd." This entire process is performed at amazing speed, and the average password can often be guessed quickly by a standard home desktop trying thousands of words per second. Once a password is cracked, the attacker then logs into that account and attempts to gain more access until the files or resources that he or she is after have been obtained.
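As an added defender-side example, not taken from the book, the following Python password-policy filter anticipates the cracking techniques just described: it undoes the symbol substitutions that turn "password" into "p@ssw0rd", strips appended digits, rejects dictionary words and organisation- or user-specific terms, and estimates how long a brute-force cracker would need at a given guess rate. The substitution table, wordlist, organisation terms and guess rate are constructed sample values, not real deployment data.

```python
from __future__ import annotations
import re

# Substitutions a cracker reverses ("p@ssw0rd" -> "password"); constructed,
# non-exhaustive table for this example.
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Constructed sample wordlist; a real filter loads a full dictionary and
# published breach lists.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}

# Constructed organisation terms, mirroring the company name, address and
# similar details the text says crackers accept as hints.
ORG_TERMS = {"acme", "springfield"}

SYMBOL_COUNT = 33  # printable ASCII characters that are not letters or digits
TEN_YEARS = 10 * 365 * 86400


def normalize(candidate: str) -> str:
    """Lower-case, drop trailing digits/symbols, undo substitutions ("Summer2023!" -> "summer")."""
    stem = re.sub(r"[^a-z]+$", "", candidate.lower())
    return "".join(LEET_MAP.get(ch, ch) for ch in stem)


def charset_size(candidate: str) -> int:
    """Alphabet a brute-force cracker must cover, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"[0-9]", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        size += SYMBOL_COUNT
    return size


def brute_force_seconds(candidate: str, guesses_per_second: int = 10_000) -> float:
    """Worst-case time to exhaust the key space at the given guess rate (constructed default)."""
    return charset_size(candidate) ** len(candidate) / guesses_per_second


def check_password(candidate: str, personal_terms=()) -> tuple[bool, str]:
    """Return (accepted, reason). Word checks run on the normalized stem, so
    a large key space does not rescue a disguised dictionary word."""
    stem = normalize(candidate)
    if stem in DICTIONARY:
        return False, "dictionary word (after undoing substitutions)"
    if stem in ORG_TERMS or stem in {t.lower() for t in personal_terms}:
        return False, "organisation or personal term"
    if len(candidate) < 12:
        return False, "shorter than 12 characters"
    if brute_force_seconds(candidate) < TEN_YEARS:
        return False, "key space too small"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "Summer2023!", "Acme2024", "correct-horse-battery-staple"]:
        ok, why = check_password(pw, personal_terms=["jdoe"])
        print(f"{pw:30} {str(ok):5} {why:45} {brute_force_seconds(pw):.3g} s")
```

Note that "Summer2023!" satisfies a typical upper/lower/digit/symbol composition rule and has a respectable key space, yet is rejected because its stem is a dictionary word; that is exactly the gap a cracker's substitution rules exploit.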

In my history of performing audits for various organizations, I have had to perform password cracking against many thousands of accounts. I have never entered an organization where I did not find at least one password within the first minute of running a cracker. The vast majority of organizations I have visited host thousands of bad passwords that did not even require a cracking program to uncover.

The Threat

Cracking itself poses no direct threat to an organization. The theft of the data that has been cracked, however, may be of some interest. The most common version of cracking is when someone gains just enough access to a system to be able to download the password file. Once cracked, the password file may yield information that will allow the hacker to gain a higher level of access. Usurping this account will allow the hacker to further penetrate the organization.

The most common account cracking comes from system administrators. By the nature of the account, system administrators with administrative privileges have access to the password file. Thus, administrators only have to download the password file to a disk, take it home, and run a cracker against it for a few hours. One may ask why an administrator who has access to users' files would bother cracking accounts. And while on the subject, why should we even care? There are several reasons:

  • Further compromising the user: How many users think of one password and use it for everything? The administrator who successfully cracks a user's password may now have access to other systems he or she could not normally get to. Oftentimes, a user will use the same password for his/her computer at work and his/her online bank account! This makes password cracking a very tempting prospect for internal administrators.

  • Deniability: If an administrator wants to perform an illegal action, he/she would want to do it using an account other than his/her own. This helps to ensure he/she does not get caught. If the administrator simply creates a bogus account or modifies another user's password and takes over the account, there will often be a trail of logs leading back to the administrator. If, however, the administrator logs in using the end-user's own password, there will be no way to determine who usurped the account and performed the actions.

Social Engineering

Social engineering is not an attack against technology, but rather an attack against the more human aspects of an organization. In such an exploit, a hacker works to attack what is considered to be the weakest link in most organizations, the employees. This all goes back to the concept of training and how end-user security training is of great importance to information security practices. Social engineering can be performed against everyone, including employees, executives, partners, and customers.

The Process

Social engineering is an ever-creative and changing process. The goal is to extract important information from an organization by either finding someone who does not know the information is important, or by tricking someone into giving it out. The most common form of social engineering seems to be accomplished via email. A hacker generates an account on some anonymous email server and sends an official-looking message to an employee asking for the employee's password or other sensitive information. Quite often, such email messages are forged with the administrator's name, or the name of an executive within the organization. Sometimes, such emails don't ask for the information directly, but rather convince the end-user to download and execute a program that steals the information from the computer.

Other practices include phone calls from people claiming to be performing maintenance or some form of technical support; walk-ins, where someone tours the office looking for important information written on desks, printed in faxes, or otherwise written in the open.

The Threat

The threat of a successful social engineering attack often goes unconsidered within an organization. Most of the time, employees are provided with significant information in relation to the security of the organization. Employees, for example, know passwords, procedures, names, phone numbers, email addresses, important people, important events, key holders, and the positions of alarms. Hackers can often gain a tremendous amount of information from an organization by making a few phone calls and visiting the site. Such information can amplify an attacker's ability to compromise the organization.

Chained Exploits

Earlier in this book, I discussed the concept of thinking in chains and relationships. Unfortunately for us, good hackers follow the same concept when creating exploits. At any given moment, there is a multitude of newly discovered vulnerabilities, each with its own unique method of exploitation, and each with its own impact. Common hackers are limited in the degree to which an exploit can take advantage of a non-critical vulnerability, which makes it difficult for them to do much damage through the specific vulnerability they are exploiting. An effective hacker, however, will not limit an attack to a single vulnerability, but rather use a chain of vulnerabilities that work together to perform a crippling attack.

The Process

A chained exploit takes advantage of a series of vulnerabilities that exist within an environment. Most companies spend the majority of their time and effort securing their perimeters, especially those connecting to the Internet. A chained exploit is a program or process that is developed to take advantage of one or more front-end vulnerabilities, and then on successful penetration, use a wide variety of exploits that are effective on the internal network. With most organizations, once perimeter security is breached, the entire internal network becomes fair game.

In explaining a chained exploit, it is best to provide an example. Chained exploits can be performed manually in hopes of bypassing the security of a particular location, or through an automated virus or worm as shown in our example:

Example

The NIMDA worm launched in 2000, and other worms that followed a similar path, illustrate how well a chained exploit operates. The NIMDA worm would attempt to breach perimeters through one of two methods: by passing an email infected with NIMDA, or by attaching to browsers that came into contact with an infected Web server. These two exploits took advantage of simple and well-known vulnerabilities that most companies had not bothered to patch, or only patched one and not the other. The trick was simply propagating through perimeters that had not secured themselves.

Once inside, the NIMDA worm had much more room to work. Taking a few picks from a countless number of internal vulnerabilities, NIMDA was programmed to exploit vulnerabilities in Microsoft Outlook, Microsoft file-sharing, and Microsoft Web service products.

The Threat

Chained exploits are a serious threat because they transform seemingly meaningless vulnerabilities into gaping security holes. Complex chained exploits are most often applications, such as worms and viruses, which work to automatically propagate and exploit new systems. Because they are somewhat more difficult and time-consuming to create, the attacker will attempt to target as many victims as possible. Depending on the nature of the exploit, quite a bit of damage could potentially be done very rapidly across an entire organization.

Chained exploits can be very difficult to protect against since they often take advantage of numerous smaller exploits that may not have made the headlines. Such exploits often combine multiple effects, including DoS, penetration attacking, entry point searching, and authentication cracking. When used in combination, such exploits can turn a series of minor vulnerabilities into a gaping security hole.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
