Attack Tools and Methods (Attack Taxonomy)


Intrusion detection systems rely on the analysis of attack tools and attack structure. This analysis, sometimes referred to as attack taxonomy, is key to implementing an IDS effectively on your network. Hackers can use any of the following tools or methods to launch an attack:

  • Packet sniffers

  • IP spoofing

  • Password attacks

  • Man-in-the-middle attacks

  • Application layer attacks

  • Viruses

  • Management protocols

The following sections discuss each of these tools and methods.

Packet Sniffers

Packet sniffers are tools, based on software, hardware, or both, that capture and analyze network traffic for monitoring and maintenance purposes. Although they are common and legitimate, packet sniffers can compromise the network when used for malicious purposes. Table 2.1 describes attacks based on packet sniffers, lists examples, and provides ways to mitigate the risks of these types of attacks.

Table 2.1. Packet Sniffer Attacks

Description

  • A network adapter card in promiscuous mode captures all packets passing through a local area network (LAN).

  • Exploits the cleartext data transfer used by File Transfer Protocol (FTP), Telnet, Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), and Post Office Protocol (POP).

Examples

  • Monitoring of user ID and password data from FTP, Telnet, and database access

  • Internal threat presented by network administrators using a legitimate tool for prohibited purposes

Mitigation

  • Switches instead of hubs (a switch limits what a passive sniffer sees on its own port, but an attacker on the same segment can still redirect traffic to himself with ARP spoofing, so this is a partial defense only)

  • Antisniffer tools

  • Encryption: IP Security (IPSec), Secure Sockets Layer (SSL), Secure Shell (SSH)
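The point of Table 2.1 is that a sniffer does not need to break anything: the credentials are simply there in the payload. The following Python script is an added example (not from the CSIDS text) that constructs two raw IPv4/TCP packets in memory carrying a cleartext FTP login, parses the IP and TCP headers the way a sniffer would, and pulls the USER/PASS pair out of the payload. The addresses, ports, and credentials are constructed sample data; checksums are left at zero because the parser does not need them.

```python
"""Cleartext credential extraction from raw IPv4/TCP packets (added example).

Builds a small constructed FTP session as it would appear on the wire, then
recovers the username and password exactly as a promiscuous-mode sniffer on
the same LAN could. Addresses and credentials are made up for the example.
"""
import socket
import struct


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Minimal IPv4 + TCP packet (20-byte headers, no options, zero checksums)."""
    version_ihl = (4 << 4) | 5
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, 0, 0, 64,
                         socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    data_offset = 5 << 4  # 20-byte TCP header
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset,
                          0x18, 65535, 0, 0)  # flags PSH|ACK
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def extract_ftp_credentials(packets):
    """Pair USER and PASS commands per client->server flow on TCP port 21."""
    pending = {}  # flow -> username seen but not yet paired with a password
    found = []
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != 21:  # only client-to-server FTP control traffic
            continue
        flow = (src, sport, dst, dport)
        for line in payload.decode("ascii", errors="replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending[flow] = arg
            elif verb.upper() == "PASS" and flow in pending:
                found.append({"client": src, "server": dst,
                              "user": pending.pop(flow), "password": arg})
    return found


# Constructed sample capture: one cleartext FTP login and the server's reply.
SAMPLE_CAPTURE = [
    build_ipv4_tcp("10.1.1.25", "10.1.1.10", 40001, 21, b"USER alice\r\n"),
    build_ipv4_tcp("10.1.1.25", "10.1.1.10", 40001, 21, b"PASS s3cret!\r\n"),
    build_ipv4_tcp("10.1.1.10", "10.1.1.25", 21, 40001, b"230 Login successful.\r\n"),
]

if __name__ == "__main__":
    for cred in extract_ftp_credentials(SAMPLE_CAPTURE):
        print(cred)
```

The same parser applied to Telnet (port 23) or POP (port 110) traffic would recover credentials just as easily, which is why the mitigation column lists encryption rather than any change to the protocols themselves.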

IP Spoofing

IP spoofing is a technique in which an attacker gains access to your network by pretending to be a source that is trusted within your network. Like packet sniffing, IP spoofing can be employed from both within the network and outside its boundaries. Table 2.2 describes attacks based on IP spoofing and provides ways to mitigate the risks of these types of attacks.

Table 2.2. IP Spoofing

Description

  • Exploits IP address-based authentication by using legitimate internal or external IP addresses to access network resources

  • Can be used in conjunction with changes to routing tables so that replies to the spoofed IP address are routed back to the attacker

Mitigation

  • Access control lists (ACLs): deny external traffic with a source address that falls within the range of internal addresses

  • Encrypted authentication, so that access does not depend on the source IP address alone

  • RFC 2827 filtering
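The two filtering mitigations in Table 2.2 are normally written as router ACLs, but the logic is short enough to state exactly. The Python below is an added example (not from the CSIDS text) that models RFC 2827 ingress and egress filtering as a pure function: on the outside interface, drop anything whose source claims to be one of our own prefixes; on the inside interface, drop anything whose source is not one of our own prefixes; and drop sources that should never appear on a routed link at all. The prefixes and the sample packets are constructed.

```python
"""RFC 2827 anti-spoofing filter modelled as a function (added example).

INTERNAL_PREFIXES stands in for the address space behind the perimeter
router; the sample packets below are constructed to show one legitimate and
one spoofed packet in each direction.
"""
import ipaddress

INTERNAL_PREFIXES = [ipaddress.ip_network("10.1.0.0/16"),
                     ipaddress.ip_network("192.168.50.0/24")]

# Sources that should never arrive on a routed interface in either direction.
NEVER_ROUTED = [ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def rfc2827_verdict(interface, src_ip):
    """Return ('permit'|'deny', reason) for a packet with source src_ip on interface.

    interface is 'outside' (entering from the Internet) or 'inside'
    (leaving our LAN towards the Internet).
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in NEVER_ROUTED):
        return "deny", "unroutable source address"
    if interface == "outside":
        if _is_internal(src):
            return "deny", "external packet claims an internal source (ingress spoof)"
        return "permit", "external source on external interface"
    if interface == "inside":
        if not _is_internal(src):
            return "deny", "internal host using a source we do not own (egress spoof)"
        return "permit", "internal source on internal interface"
    raise ValueError(f"unknown interface {interface!r}")


def filter_packets(packets):
    """Apply the filter to (interface, src, dst) tuples; return rows with verdicts."""
    return [(iface, src, dst) + rfc2827_verdict(iface, src)
            for iface, src, dst in packets]


# Constructed sample: legitimate inbound, ingress spoof (outsider posing as an
# inside host), legitimate outbound, and egress spoof (a compromised inside
# host faking a source that belongs to someone else).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "10.1.1.10"),
    ("outside", "10.1.1.99", "10.1.1.10"),
    ("inside", "10.1.1.25", "203.0.113.7"),
    ("inside", "198.51.100.9", "203.0.113.7"),
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```

The egress rule is the one most often skipped in practice; without it, a compromised internal host can still launch spoofed attacks at other people's networks while your ingress filter looks healthy.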

Password Attacks

Password attacks, not surprisingly, use any of the methods shown in Table 2.3 to acquire login and password information. If the hacker gains access to an administrator account, he or she can use those privileges to leave a back door open for future access to system resources. Table 2.3 describes password attacks, lists examples, and provides ways to mitigate the risks of these types of attacks.

Table 2.3. Password Attacks

Methods

  • Brute force

  • Trojan horse programs

  • IP spoofing

  • Packet sniffers exploiting cleartext login traffic

Examples

  • Dictionary attack: a quick method in which the hashes of a dictionary of common passwords are compared against the stored password hashes of user accounts to crack simple passwords

  • Brute-force password computation: the hash is computed for every possible password over a given character set, such as A to Z plus 0 to 9. This attack is very slow.

Mitigation

  • Policy enforcement: disallow the same password on multiple systems

  • Disable accounts after repeated unsuccessful logins

  • Require one-time passwords (OTP) or encrypted, rather than cleartext, authentication

  • Require "strong" passwords


Strong passwords have at least eight characters and contain uppercase and lowercase letters, numbers, and special characters.
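The difference between the two examples in Table 2.3 is easiest to see in code. The Python below is an added example (not from the CSIDS text): it stores three constructed accounts as unsalted SHA-256 hashes, which is the weak storage that makes the precomputed-dictionary attack described above work, then runs the dictionary attack, runs a brute-force search over a small character set, computes the size of the eight-character A to Z plus 0 to 9 keyspace, and checks each password against the strong-password rule stated in the note. The wordlist, accounts, and passwords are constructed.

```python
"""Dictionary attack versus brute force against unsalted hashes (added example).

The account data, wordlist and passwords are constructed. SHA-256 without
a salt is used deliberately so that a single precomputed hash table covers
every account, which is what makes the dictionary attack so fast.
"""
import hashlib
import itertools
import string

LOWER_DIGITS = string.ascii_lowercase + string.digits   # 36 symbols
UPPER_DIGITS = string.ascii_uppercase + string.digits   # the "A-Z plus 0-9" set


def pw_hash(password):
    """Unsalted SHA-256 hex digest (the weak storage the text assumes)."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(stored, wordlist):
    """Hash the wordlist once, then look every account's hash up in that table."""
    table = {pw_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def brute_force(target_hash, charset, max_len):
    """Try every string over charset up to max_len; return the password or None."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            if pw_hash(candidate) == target_hash:
                return candidate
    return None


def keyspace(charset, length):
    """Number of candidates an exhaustive search must hash at exactly `length`."""
    return len(charset) ** length


def is_strong(password):
    """The rule from the note: 8+ characters with upper, lower, digit and special."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(password) >= 8 and all(any(c in cls for c in password) for cls in classes)


# Constructed accounts: what an attacker holding the hashed password file sees.
PLAINTEXTS = {
    "alice": "summer2004",   # common word + year: falls to the dictionary
    "bob": "z9q",            # three characters: falls to brute force in seconds
    "carol": "T7#kp!v2Qm",   # strong: survives both attacks as run here
}
STORED = {user: pw_hash(pw) for user, pw in PLAINTEXTS.items()}
WORDLIST = ["password", "letmein", "summer2004", "cisco", "admin"]

if __name__ == "__main__":
    print("dictionary hits:", dictionary_attack(STORED, WORDLIST))
    print("brute force (36 symbols, <= 3 chars) on bob:",
          brute_force(STORED["bob"], LOWER_DIGITS, 3))
    print("8-char A-Z+0-9 keyspace:", keyspace(UPPER_DIGITS, 8))
    for user, pw in PLAINTEXTS.items():
        print(user, "strong" if is_strong(pw) else "weak")
```

A salted, slow hash (bcrypt, scrypt, or PBKDF2) defeats the shared precomputed table, because each account would need its own; the "disable accounts after repeated unsuccessful logins" mitigation addresses the online variant of the same attack.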

Man-in-the-Middle Attacks

A hacker who attacks a network by accessing packets as they traverse the network is performing what is called a man-in-the-middle attack. Packet sniffers and the routing and transport protocols themselves are the usual tools for carrying out such an attack. Table 2.4 describes man-in-the-middle attacks, lists examples, and provides ways to mitigate the risks of these types of attacks.

Table 2.4. Man-in-the-Middle Attacks

Description

  • Data theft or corruption

  • Session hijacking

  • Traffic analysis

Example

  • A systems integration consultant using a packet sniffer to analyze traffic from a specific host computer

Mitigation

  • Data encryption neutralizes a man-in-the-middle attack by rendering the intercepted traffic meaningless to the attacker, provided the endpoints also authenticate each other (for example, by validating certificates); otherwise the attacker can terminate the encrypted session on each side and read the traffic in between.

Application Layer Attacks

Application layer attacks take advantage of Layer 7 vulnerabilities in services such as FTP, sendmail, HTTP, and PostScript, and typically arrive on well-known ports that a firewall must leave open. Application layer attacks will always be a threat because new weaknesses in commonly used programs are continuously being discovered.

Table 2.5 describes application layer attacks and gives examples and mitigation techniques.

Table 2.5. Application Layer Attacks

Attack Type

  • Exploitation of HTTP, HTML, ActiveX controls, and Java applets to launch malicious programs from a user's browser

  • Trojan horse attacks, where a common application is replaced with one that performs an attack function

Example

  • A Trojan horse program that looks to the user like a valid login sequence, using recognized prompts and banners; as the user "logs in," the credentials are captured and transmitted to the hacker.

Mitigation

  • Stay aware of application vulnerabilities

  • Read and analyze log files

  • Test and install patches

  • Automate the process with an IDS


A Trojan horse uses an application that mimics a legitimate application component to gain "backdoor" access into a host.


Viruses

A computer virus, much like a biological virus that is contained within a cell, attaches itself to a program that is used to transmit the virus to users' workstations. When the program is executed, the virus is released and carries out an attack on the end-user workstation.

A Trojan horse is similar to a virus; rather than using a different program as a means of transmission, a Trojan horse mimics a legitimate program to gain access to end-user workstations.

Worms such as Nimda and Slammer, which replicate and propagate themselves throughout a network without any user action, are also notorious for the damage they can do to large networks in a very short time.

Antivirus software implemented at the host or network level can detect and in most cases contain the spread of viruses.

Management Protocols

Management protocols , because they're used to configure, monitor, and log network devices and their activities, provide hackers with the opportunity to cause serious damage. Table 2.6 summarizes common management protocols, their weaknesses, and ways to prevent hackers from taking advantage of these necessary tools.

Table 2.6. Management Protocol Vulnerabilities

Protocol: Configuration management protocols such as Telnet and HTTP, used for device-level configuration

Weaknesses:

  • Telnet and HTTP traffic is transmitted in cleartext, exposing credentials and any other sensitive information if the traffic is intercepted.

Mitigation:

  • Encryption: IPSec, SSH, or SSL

  • ACLs to allow only management servers to connect to network devices

  • Logging to record failed connection attempts

  • RFC 2827 filtering

Protocol: SNMP, used for centralized management of network devices

Weaknesses:

  • SNMP (versions 1 and 2c) authenticates requests with passwords called community strings, which are transmitted in cleartext with every message.

  • SNMP can be configured to allow read-write access, allowing a hacker who learns the community string to reconfigure a network device.

Mitigation:

  • Use device-level access control to limit the management hosts that are allowed access via SNMP.

  • Configure SNMP with read-only community strings, and replace default strings such as "public" and "private".

  • Where devices support it, use SNMPv3 with authentication and privacy instead of community strings.

Protocol: Syslog, data generated by a device that is configured for logging

Weaknesses:

  • Syslog data is sent as cleartext on UDP port 514.

  • Lack of packet-level integrity checking.

  • Syslog data can be altered or flooded with false data as a distraction during an attack.

Mitigation:

  • Encrypt syslog traffic

  • RFC 2827 filtering at the perimeter router when allowing syslog access from outside hosts

  • ACLs to filter access to the syslog server

Protocol: Trivial File Transfer Protocol (TFTP), used to back up network device configuration files to a TFTP server

Weaknesses:

  • TFTP traffic is sent as cleartext. Configuration files, which contain credentials and community strings, are exposed if intercepted.

Mitigation:

  • Encrypt TFTP traffic with an IPSec tunnel when possible (or use SCP/SFTP where the device supports it)

Protocol: Network Time Protocol (NTP), used for clock synchronization

Weaknesses:

  • Valid digital certificates can be made to appear expired (or not yet valid) by changing network clocks.

  • Network attacks can be masked by changing device clocks and therefore logging timestamps.

  • Public NTP servers often require no authentication.

Mitigation:

  • Use a private network clock as the NTP server

  • Use NTP version 3 and above, which support cryptographic (keyed) authentication of time sources

  • Use ACLs to control which devices are allowed to synchronize clocks with other network devices
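The SNMP row of Table 2.6 makes two claims: that the community string is visible to anyone who can see the datagram, and that device-level access control plus read-only strings contain the damage. The Python below is an added example (not from the CSIDS text) that demonstrates both. It builds SNMPv1 GetRequest and SetRequest messages in memory using the same BER layout a sniffer would capture, reads the community string straight out of the bytes, and then applies two constructed device configurations to the same attacker request: the shipped defaults (guessable read-only and read-write strings, no host restriction) and the hardened configuration the table recommends. The addresses, community strings, and configurations are constructed.

```python
"""SNMPv1 community strings on the wire, and the access checks from Table 2.6
(added example). The community strings, addresses and both device
configurations are constructed for the example.
"""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
SYS_NAME_OID = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00])  # 1.3.6.1.2.1.1.5.0


def tlv(tag, body):
    """BER tag-length-value; short-form length below 128, two-byte long form above."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def build_snmpv1(community, pdu_tag, oid=SYS_NAME_OID, value=tlv(0x05, b""), request_id=1):
    """SNMPv1 message: SEQUENCE { INTEGER version(0), OCTET STRING community, PDU }."""
    varbind = tlv(0x30, tlv(0x06, oid) + value)
    pdu = tlv(pdu_tag, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode one BER element at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmpv1(packet):
    """Return version, the cleartext community string and PDU type of a raw SNMP datagram."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("ascii", errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


# Two constructed device configurations. WEAK is what many devices ship with:
# default strings, a read-write community, and no restriction on who may ask.
WEAK_CONFIG = {"communities": {"public": "ro", "private": "rw"}, "management_hosts": None}
HARDENED_CONFIG = {"communities": {"r0-mon-7Gx": "ro"}, "management_hosts": {"10.1.1.5"}}


def snmp_decision(src_ip, packet, config):
    """Decide whether the agent should honor the request; return (verdict, reason)."""
    msg = parse_snmpv1(packet)
    hosts = config["management_hosts"]
    if hosts is not None and src_ip not in hosts:
        return "deny", f"{src_ip} is not an allowed management host"
    access = config["communities"].get(msg["community"])
    if access is None:
        return "deny", "unknown community string"
    if msg["pdu"] == "SetRequest" and access != "rw":
        return "deny", "write attempted with a read-only community"
    return "permit", f"{msg['pdu']} with {access} community"


# Constructed traffic: a manager reads sysName; an attacker who sniffed the
# strings tries to rename the device with the default read-write community.
MANAGER_GET = build_snmpv1("public", 0xA0)
ATTACKER_SET = build_snmpv1("private", 0xA3, value=tlv(0x04, b"owned"))

if __name__ == "__main__":
    print("sniffed from the datagram:", parse_snmpv1(MANAGER_GET))
    print("weak config:   ", snmp_decision("10.1.1.99", ATTACKER_SET, WEAK_CONFIG))
    print("hardened config:", snmp_decision("10.1.1.99", ATTACKER_SET, HARDENED_CONFIG))
```

Note that the hardened configuration rejects the attacker before the community string is even checked; the host ACL is what protects you on the day a community string leaks, and the read-only setting is what limits the damage if the ACL is bypassed.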

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004