An exploit run against a vulnerable object will result in a hacker being able to perform actions without authorization. What exactly a hacker can do really depends on the type of exploit used against our weaknesses. There are several classifications for exploits; we will take a look at the most common and important ones in this section:
DoS Exploits

DoS attacks are by far the most commonly practiced exploits. The reason for this is quite simple; they are the easiest and quickest ways to affect an object. Anyone at all can run a successful DoS attack using only a low-end desktop and some easily obtainable hacker tools. It is simply a matter of finding a target and choosing the proper tool, or vice versa.

The Process

The first task when performing a DoS attack is to match a particular vulnerability to a particular device. While attempting to be friendly and easy-to-use, computers and devices have the unfortunate tendency to give out far more information than is desirable (again, in violation of the Rule of Least Privilege). For example, by default, someone across the Internet can often determine the operating system used by an email, DNS, or Web service. To make matters worse, common services often advertise an application's name and revision to anyone opening a connection, so for the hacker, it is simply a matter of:
The Threat

DoS attacks are the easiest to understand in terms of the threat they pose to an organization. By definition, the purpose of a DoS attack is to stop a system or service from functioning properly, thus denying service to all users. To assess the threat a DoS attack poses to an environment, we must be able to calculate the negative impacts of a successful attack at the most critical time using worst-case scenarios. Add in variables like potential data lost and rebuild time and we can quickly assess the damage a DoS attack could do. We will discuss this in more detail in Chapter 8, Practical Security Assessments. It is important to keep the proper frame of mind in light of redundancy and its ability to defend against this common form of attack. When an exploit is run that forces a service to stop responding, a redundant stand-by system may become active to keep the service running. However, by running the same exact exploit again, the hacker can then take out all redundant instances of a system. Thus, redundancy by itself offers little assistance in this situation.

Penetration Exploits (Breaking and Entering)

A penetration attack is where someone attempts to gain access to systems or resources beyond his or her privilege level, thus penetrating or bypassing security. Someone on the Internet trying to gain access to an intranet server is performing a penetration attack, just like an officemate trying to bypass Human Resources security checks to modify his or her hourly rate.

The Process

Penetration attacks range widely in execution and effect. Most often they will follow this pattern:
Performing a penetration attack requires slightly more work than the common DoS attack, and it can be more difficult to find a target. Vulnerabilities are, however, discovered every week that allow an attacker to bypass security and execute code, making penetration attacks very common.

The Threat

Successful penetration attacks grant access to those who are not supposed to have it. The level of access granted and what the hacker can do with it are different for each type of vulnerability and exploit. All too often, vulnerabilities lead to the hacker gaining some form of administrative access, at which point we can consider a system to be in his or her pocket. In the worst-case scenario, once a system has been penetrated, not only is its security compromised, but so is the security of the entire network and all the systems on it. Hackers will most often make themselves "at home" in a penetrated system, patching up the vulnerabilities so others can't get in using the same exploit, and then lying dormant, passively watching all the traffic passing by, looking for keys, passwords, and other sensitive materials. More on assessing this threat in an environment is included in Chapter 8.

Entry Point Searching

There are two forms of entry point searching commonly experienced: targeted and random. Targeted means that the hacker has chosen an organization specifically and is attempting to find as many entry points as possible from which to attempt an attack. Random entry point searching is when an individual uses a particular medium, such as a war-dialer or network scanner, to perform random searches until finding something interesting. Entry point searches normally precede other attacks. Here, the hacker probes for the "weakest link" within an organization's perimeter. The goal of this process is to find as many entry points as possible and attack each until the hacker is able to contact an internal system.
The Process

When performing a targeted entry point search, the hacker will first perform a study of the environment, much like a professional thief snooping for the one window without an alarm. A hacker will probe systems, make phone calls, and look up public records to find any information of value for determining a perimeter weakness. Through this process, the hacker will usually try to find information such as:
Using this information, the attacker will begin probing for vulnerabilities while trying not to set off any serious alarms. Given a few days, an attacker can usually:
Performing these steps will frequently yield good results. One system may be unpatched, a modem installed on a router or desktop, or an employee may be perfectly willing to divulge a password given the right story. If, however, none of these entry points works, the attacker can simply move on to the next target and then return in a month or so to find new vulnerabilities, new modems, or new employees willing to give out sensitive information.

The Threat

When a hacker is successful in finding vulnerable entry points into a network, all of the hacker's capabilities become magnified. A hacker attacking from inside a network is the greatest security challenge we will face. Though the entry point search itself will probably yield no damage, it could very well result in the hacker accessing the network from the inside.

Sneak Attacks and Back Doors

Getting an end-user to execute malicious code on his or her system is another commonly practiced form of hacking. The moment we double-click on that little executable file that was sent to us from Russia, we are at the complete and utter mercy of the programmer who created it. Sure, virus checkers and other applications do their part to protect us, but there is no good security measure that will prevent new malicious code execution on a system. This is why executable Trojan horses and other similar back doors are so popular.

The Process

Creating malicious code is quite simple to do and there are many hackers out there doing it. Since common desktop computers are designed to be as user-friendly as possible, they readily accept almost anything a program asks them to do. If a hacker is able to execute, or convince someone else to execute, code on a standard desktop computer, the hacker can grant himself or herself unlimited access and establish a remote connection with his/her own system. In such a situation, firewalls and IDSs are of little help to the penetrated organization.

The Threats
Authentication Cracking Attacks

Cracking refers to someone attempting to gain access to a system by determining the proper key or password for access. Here, we are not trying to trick a service into granting us access; we are simply trying to work the combination lock until it clicks into place and we can enter without obstruction.

The Process

Cracking requires that the attacker have access to the authentication mechanism or authentication information through which access is granted. For example, if the hacker can go to a Web page and get prompted for a login and password, he or she can then attempt to crack it; if a hacker can gain access to a file with authentication information in it, he/she can attempt to crack it. Once a connection has been established with a device, whether authorized or unauthorized, a hacker will try to guess the authentication requirement. For example, if a password is required for accessing a Web site, the hacker may instruct his/her computer to continually guess passwords until one is accepted. This is a crude but simple example of cracking. Most often, cracking is performed after basic access to a system has already been acquired. Systems hold their passwords and keys inside of files located somewhere within the operating system. Such files are usually stored in some form of one-way encrypted hash that keeps the information somewhat secure from prying eyes. Many utilities focus on gaining access to these password files so that they can be transferred to the hacker's computer. Once there, password files are then cracked using dictionary-guessing utilities (attempting to use all the words in a standard dictionary), brute-force crackers (guessing every possible combination of letters, numbers, and symbols), or a customized combination of the two. Many crackers also allow a hacker to enter details such as the name of the organization, address, birthday, and other relevant information that may be used.
Password crackers often substitute basic symbols to find passwords such as "p@ssw0rd." This entire process is performed at amazing speed and the average password can often be guessed quickly by a standard home desktop trying thousands of words per second. Once a password is cracked, the attacker then logs into that account and attempts to gain more access until the files or resources that he or she is after have been obtained.
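The two halves of the cracking process described above, the guessing side and the stored-hash side, are illustrated in the following added example; it is not code from the book. The first part is a password-policy check that reduces a candidate the way a dictionary cracker would (stripping trailing digits and undoing substitutions such as "p@ssw0rd" to "password", and including organization-specific words), so that passwords a cracker would find in seconds are rejected before they are ever stored. The second part shows a salted, iterated hash for the password file itself, which is what makes a stolen file expensive to crack. The word list, the organization words, the iteration count and the "pbkdf2-sha256$..." record format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracker's word list (assumption; real lists hold millions of entries).
DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon", "monkey", "qwerty"}

# Symbol substitutions that crackers routinely undo, so "p@ssw0rd" is tried as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(candidate):
    """Reduce a candidate to the word a cracker would derive it from: drop trailing
    digits and punctuation, undo symbol substitutions, and lower-case it."""
    return candidate.rstrip("0123456789!?.").translate(LEET_MAP).lower()


def is_guessable(candidate, org_words=()):
    """True when a dictionary or substitution attack would find this password quickly.
    org_words are organization-specific terms (company name, address, etc.) that
    crackers are also fed, as the text above notes."""
    if len(candidate) < 8:
        return True
    words = DICTIONARY | {normalize(w) for w in org_words}
    return normalize(candidate) in words


ITERATIONS = 200_000  # illustrative work factor (assumption); tune to the hardware in use


def hash_password(password, salt=b""):
    """Salted, iterated PBKDF2-HMAC-SHA256. A per-user random salt defeats precomputed
    dictionaries, and the iteration count slows down every guess a cracker makes."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2-sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("p@ssw0rd", "Acme2023!", "correct-horse-battery-staple"):
        print(pw, "guessable" if is_guessable(pw, ["Acme"]) else "ok")
    record = hash_password("correct-horse-battery-staple")
    print(record)
    print(verify_password("correct-horse-battery-staple", record))
```

Running the block shows that "p@ssw0rd" and "Acme2023!" are flagged while the long passphrase passes, and that hashing the same password twice yields two different records because of the random salt, so a cracker cannot reuse one precomputed table across all the accounts in a stolen file.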
The Threat

Cracking itself poses no direct threat to an organization. The theft of the data that has been cracked, however, may be of some interest. The most common version of cracking is when someone gains just enough access to a system to be able to download the password file. Once cracked, the password file may yield information that will allow the hacker to gain a higher level of access. Usurping this account will allow the hacker to further penetrate the organization. The most common account cracking comes from system administrators. By the nature of the account, system administrators with administrative privileges have access to the password file. Thus, administrators only have to download the password file to a disk, take it home, and run a cracker against it for a few hours. One may ask why an administrator who has access to users' files would bother cracking accounts. And while on the subject, why should we even care? There are several reasons:
Social Engineering

Social engineering is not an attack against technology, but rather an attack against the more human aspects of an organization. In such an exploit, a hacker works to attack what is considered to be the weakest link in most organizations, the employees. This all goes back to the concept of training and how end-user security training is of great importance to information security practices. Social engineering can be performed against everyone, including employees, executives, partners, and customers.

The Process

Social engineering is an ever-creative and changing process. The goal is to extract important information from an organization by either finding someone who does not know the information is important, or by tricking someone into giving it out. The most common form of social engineering seems to be accomplished via email. A hacker generates an account on some anonymous email server and sends an official-looking message to an employee asking for the employee's password or other sensitive information. Quite often, such email messages are forged with the administrator's name, or the name of an executive within the organization. Sometimes, such emails don't ask for the information directly, but rather convince the end-user to download and execute a program that steals the information from the computer. Other practices include phone calls from people claiming to be performing maintenance or some form of technical support, and walk-ins, where someone tours the office looking for important information written on desks, printed in faxes, or otherwise written in the open.

The Threat

The threat of a successful social engineering attack often goes unconsidered within an organization. Most of the time, employees are provided with significant information in relation to the security of the organization.
Employees, for example, know passwords, procedures, names, phone numbers, email addresses, important people, important events, key holders, and the positions of alarms. Hackers can often gain a tremendous amount of information from an organization by making a few phone calls and visiting the site. Such information can amplify an attacker's ability to compromise the organization.

Chained Exploits

Earlier in this book, I discussed the concept of thinking in chains and relationships. Unfortunately for us, good hackers follow the same concept when creating exploits. At any given moment, there is a multitude of newly discovered vulnerabilities, each with its own unique method of exploitation, and each with its own impact. Common hackers are limited in the degree to which an exploit can take advantage of a non-critical vulnerability, which limits how much damage they can do through the specific vulnerabilities they are exploiting. An effective hacker, however, will not limit an attack to a single vulnerability, but will rather use a chain of vulnerabilities that work together to perform a crippling attack.

The Process

A chained exploit takes advantage of a series of vulnerabilities that exist within an environment. Most companies spend the majority of their time and effort securing their perimeters, especially those connecting to the Internet. A chained exploit is a program or process that is developed to take advantage of one or more front-end vulnerabilities, and then, on successful penetration, use a wide variety of exploits that are effective on the internal network. With most organizations, once perimeter security is breached, the entire internal network becomes fair game. In explaining a chained exploit, it is best to provide an example. Chained exploits can be performed manually in hopes of bypassing the security of a particular location, or through an automated virus or worm as shown in our example:
The Threat

Chained exploits are a serious threat because they transform seemingly meaningless vulnerabilities into gaping security holes. Complex chained exploits are most often applications, such as worms and viruses, which work to automatically propagate and exploit new systems. Because they are somewhat more difficult and time-consuming to create, the attacker will attempt to target as many victims as possible. Depending on the nature of the exploit, quite a bit of damage could potentially be done very rapidly across an entire organization. Chained exploits can be very difficult to protect against since they often take advantage of numerous smaller exploits that may not have made the headlines. Such exploits often combine multiple effects, including DoS, penetration attacking, entry point searching, and authentication cracking. When used in combination, such exploits can turn a series of minor vulnerabilities into a gaping security hole.
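The assessment side of the chained-exploit threat just described, as an added example that is not from the book: a defender can model each vulnerability as a step from one position an attacker holds to the next, and then search for a chain from the Internet to a critical asset. The constructed environment, the vulnerability names, the position names and the standalone ratings are all assumptions; none of them refer to a real product. The point the block demonstrates is the one the text makes: every link is rated "medium" or lower on its own, yet the chain reaches domain administrator, and the cheapest fix is whichever single link breaks the chain.

```python
from collections import deque

# Constructed environment (assumption). Each vulnerability is a directed edge:
# exploiting it from the "from" position yields the "to" position. The last
# field is the rating a defender assigned to the vulnerability in isolation.
VULNERABILITIES = [
    # (name, from, to, standalone rating)
    ("web server banner discloses version", "internet", "knows_web_version", "info"),
    ("known bug in that web version allows file read", "knows_web_version", "read_web_files", "medium"),
    ("config file contains database password", "read_web_files", "db_credentials", "low"),
    ("database reachable from DMZ", "db_credentials", "db_access", "low"),
    ("database stores service account password in clear", "db_access", "domain_service_account", "medium"),
    ("service account is a domain admin", "domain_service_account", "domain_admin", "low"),
    ("printer web UI default password", "internet", "printer_admin", "low"),
]

RATING_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def build_graph(vulns):
    """Adjacency list: position -> [(next position, vulnerability name), ...]."""
    graph = {}
    for name, src, dst, _rating in vulns:
        graph.setdefault(src, []).append((dst, name))
    return graph


def find_chain(vulns, start, goal):
    """Breadth-first search for the shortest chain of vulnerabilities that takes an
    attacker from start to goal. Returns the vulnerability names in order, or None."""
    graph = build_graph(vulns)
    parent = {start: None}  # position -> (previous position, vulnerability used)
    queue = deque([start])
    while queue:
        pos = queue.popleft()
        if pos == goal:
            chain = []
            while parent[pos] is not None:
                prev, name = parent[pos]
                chain.append(name)
                pos = prev
            return chain[::-1]
        for dst, name in graph.get(pos, []):
            if dst not in parent:
                parent[dst] = (pos, name)
                queue.append(dst)
    return None


def worst_standalone_rating(vulns, chain):
    """Highest isolated rating among the links, to contrast with what the chain achieves."""
    ratings = {name: rating for name, _, _, rating in vulns}
    return max((ratings[name] for name in chain), key=RATING_ORDER.get)


def single_fixes_that_break_chain(vulns, start, goal):
    """Names of vulnerabilities whose removal alone leaves no chain from start to goal."""
    fixes = []
    for vuln in vulns:
        remaining = [v for v in vulns if v is not vuln]
        if find_chain(remaining, start, goal) is None:
            fixes.append(vuln[0])
    return fixes


if __name__ == "__main__":
    chain = find_chain(VULNERABILITIES, "internet", "domain_admin")
    print("chain to domain_admin:")
    for step in chain:
        print("  ->", step)
    print("worst individual rating in the chain:", worst_standalone_rating(VULNERABILITIES, chain))
    print("any one of these fixes breaks the chain:")
    for fix in single_fixes_that_break_chain(VULNERABILITIES, "internet", "domain_admin"):
        print("  *", fix)
```

Because the search is breadth-first, a real environment with several routes to the same asset yields the shortest chain first; rerunning `single_fixes_that_break_chain` after each proposed fix shows which remediations actually sever every route rather than just the first one found.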
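The forged-email form of social engineering described in the Social Engineering section above (a message carrying an administrator's or executive's name, sent from an anonymous outside account, asking for a password or pushing an executable) can be screened for mechanically. The following added example is not from the book; it shows a mail-gateway style check over constructed sample messages. The internal domain, the directory of privileged names, the keyword list and the sample messages are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed directory of names an attacker would be tempted to forge (assumption).
PRIVILEGED_NAMES = {
    "alice admin": "alice@example.com",
    "bob ceo": "bob@example.com",
}

CREDENTIAL_REQUEST = re.compile(r"\b(password|passphrase|login credentials|pin code)\b", re.I)
EXECUTABLE_ATTACHMENT = re.compile(r"\.(exe|scr|bat|cmd|vbs|js)$", re.I)


def _body_text(msg):
    """Concatenate the text/plain parts of a message (walk() also covers single-part mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def screen_message(raw):
    """Return the reasons a message looks like a social engineering attempt (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain != INTERNAL_DOMAIN

    # 1. A known internal name on an address that is not that person's address.
    expected = PRIVILEGED_NAMES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("display name '{}' belongs to an internal person but address is {}".format(display, addr))

    # 2. An outside sender asking for credentials in the body.
    if external and CREDENTIAL_REQUEST.search(_body_text(msg)):
        reasons.append("external sender {} asks for credentials".format(addr or "<none>"))

    # 3. An executable attachment, the "download and execute a program" variant.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and EXECUTABLE_ATTACHMENT.search(filename):
            reasons.append("executable attachment {}".format(filename))
    return reasons


# Constructed sample: forged administrator name, outside account, asks for a password.
SAMPLE_FORGED = """\
From: Alice Admin <alice.admin@free-mail.example.net>
To: carol@example.com
Subject: Urgent: account verification

Carol, IT is resetting accounts today. Reply with your password so we can
migrate your mailbox before 5pm.
"""

# Constructed sample: the real administrator, internal address, harmless content.
SAMPLE_LEGIT = """\
From: Alice Admin <alice@example.com>
To: carol@example.com
Subject: lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("forged", SAMPLE_FORGED), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(raw) or "no findings")
```

A gateway would quarantine or flag messages with any finding and, for the first kind, notify the real account holder, since the forged name is itself evidence that someone has studied the organization's staff list.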