Exploiting known vulnerabilities is the most common method of attack. Exploit tools are widely available and can be run without any knowledge of the vulnerability being exploited; these tools make it point-and-hack. There are basically two groups of tools: those that find systems with known vulnerabilities and those that attack the known vulnerability.

Scanners and Profilers

Scanners look at many systems, making a preliminary evaluation of the software being run on them. They usually sweep through address spaces looking for systems that are running services which may be able to be compromised. They are often able to determine the system hardware and what operating system is running, including the version of that operating system. They can determine what services are available on each system and what software is providing those services. This information is often put into a database so that when a new vulnerability is discovered in a specific version of software, all the systems running that software can be retrieved to create a list of systems which are likely to be compromisable. Some scanners can have the speed at which they scan a network adjusted to reduce the likelihood of detection. Profilers make a more in-depth evaluation of a specific system to determine the type of hardware and software being used. They attempt to identify the versions and patch levels so that a specific attack can be crafted. The processes of scanning and profiling are often combined.

Sniffers and Snoopers

A snooper is a program that watches data travel through the system looking for a particular type of information. The snooper may be attached to a network interface to watch all the network traffic, or to a disk interface to watch all the data flowing to or from the disk. Snoopers can also be parasites inserted inside a system component, like the print spooler or login system, secretly gathering information.
To protect yourself from these types of attacks, you must monitor what is running on your system and the programs that are on your system, so you know if something is running that shouldn't be, or if programs have changed unexpectedly. You may also want to investigate an encrypted file system, that is, a system that stores all the files in an encrypted form. Encrypted networking can also be employed, so that all the transmissions from your system are encrypted. Generally, a system listens only to the network address which is for that system. However, a network sniffer puts the network interface into promiscuous mode, so it will listen to all the packets. The sniffer then decodes these packets. Snort, created by Martin Roesch and included on the CD-ROM, is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content matching, and real-time alerting. It utilizes a flexible rules language and a modular plug-in mechanism which allows it to be easily expanded. Since Snort is freely available, it is quite popular with the hacker community for the very reasons it is popular with system administrators: it is easy to use and very powerful.

Security Tools

There are a large number of very useful security tools that test your system's configuration and the permissions on critical files, as well as test for known security holes. These are excellent for identifying where your system has shortcomings and where to spend your resources to close these security holes. They are also invaluable tools to hackers. If you haven't run these programs, or have neglected to repair a defect they reported, a hacker can run the same tools to determine how to compromise your system. Security tools should be kept on removable disk media, or on a disk that can be unmounted and powered off when not in use. You should not keep security auditing tools on the system; make the hacker bring his own tools.
More prudently, use all available security auditing tools to discover all security problems and fix them! Then continue to monitor and audit the security of your system.

Buffer Overflows

Buffer overflows are the result of faulty programs that do not adequately manage strings or buffers. Programmers tend not to test for overflows, since good data will not be a problem and the testing slows down the program. A buffer overflow occurs when a program writes data beyond the bounds of allocated memory. This can occur when indexing beyond the end of an array, indexing a pointer beyond allocated memory, or passing more data to a routine than it can handle. In each case, data is written to an unexpected location, causing unexpected results. Often the program will abort. However, there are cases where the overflow can cause data to be written to a memory-mapped file, or cause security problems through stack-smashing attacks. Stack-smashing attacks target a specific programming fault: careless use of data buffers allocated on the program's run-time stack, namely local variables and function arguments. A creative attacker can take advantage of a buffer overflow vulnerability through stack-smashing and then run arbitrary code. Attackers commonly exploit buffer overflows to get an interactive shell on the machine. In the most common attack, an intruder attempts to overflow the buffer of a remote daemon or service to inject his code into the program's address space and overwrite the return address of some function. When this function returns, it jumps into the intruder's code and executes it. The resulting shell has the privileges of the program which was exploited.

File Permissions

A hacker can compromise a system by exploiting inadequately protected files. As we have seen, there are a great number of files that will open security problems if they are not properly secured.
You should monitor the status of the file system with a tool that records file size, permissions, ownership, and timestamps, and computes a strong checksum of the contents of each file. If you, the system manager, are not monitoring file permissions regularly, you will be susceptible to a permissions attack.
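The Buffer Overflows section above describes the programming fault behind stack smashing but shows no code. The following is an added example, not code from the book: the classic unbounded copy into a fixed-size stack buffer, placed next to a bounded replacement that refuses over-long input instead of writing past the buffer. The function names and the 16-byte buffer size are hypothetical choices for illustration.

```c
/* Added example (not from the book): a stack-buffer defect of the kind the
 * text describes, next to a bounded version that refuses oversized input.
 * Names and sizes are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* hypothetical fixed buffer size */

/* BEFORE: copies the caller's string into a fixed-size stack buffer with no
 * length check. Input of NAME_MAX bytes or more overruns 'name' and
 * overwrites whatever sits above it on the stack, including the saved
 * return address. Kept here only to show the defect; main() never calls
 * it with untrusted or oversized data. */
int copy_name_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                /* unbounded copy: the defect */
    return (int)strlen(name);
}

/* AFTER: measure the input without reading past out_len bytes, refuse it
 * if it will not fit with its terminator, then copy with an explicit
 * bound. Returns the copied length, or -1 when the input was refused, so
 * the caller can log the rejected request rather than silently truncate. */
int copy_name_safe(const char *input, char *out, size_t out_len)
{
    size_t in_len = 0;
    if (input == NULL || out == NULL || out_len == 0)
        return -1;
    while (in_len < out_len && input[in_len] != '\0')
        in_len++;                       /* bounded scan, never past out_len */
    if (in_len >= out_len)
        return -1;                      /* would overflow: refuse */
    memcpy(out, input, in_len);
    out[in_len] = '\0';                 /* always NUL-terminated */
    return (int)in_len;
}

/* Wraps copy_name_safe with a NAME_MAX-byte buffer so the outcome for a
 * given input can be checked as a return value. */
int try_copy(const char *input)
{
    char out[NAME_MAX];
    return copy_name_safe(input, out, sizeof out);
}

int main(void)
{
    const char *inputs[] = {
        "alice",                         /* fits */
        "0123456789abcde",               /* 15 bytes: exactly fits */
        "0123456789abcdef",              /* 16 bytes: one too many */
        "a request body far longer than the buffer was sized for"
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = try_copy(inputs[i]);
        printf("%-56s -> %s\n", inputs[i], r < 0 ? "refused" : "copied");
    }
    /* copy_name_unsafe is only safe to demonstrate on input that fits. */
    printf("unsafe copy of \"alice\" returned %d\n", copy_name_unsafe("alice"));
    return 0;
}
```

The bounded version treats an oversized input as an error rather than truncating it, which is the behaviour a network daemon wants: a truncated name can still be a valid-looking value that slips past later checks, while a refused one produces a log entry the administrator can notice.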
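To show what the file-monitoring tool recommended in the File Permissions section actually records and compares, here is an added example that is not part of the book: it snapshots the attributes the text lists (size, permissions, ownership, timestamp) plus a content digest, and reports as a bit mask which of them changed between two snapshots. The digest is FNV-1a 64-bit, a stand-in chosen so the example builds with no extra libraries; a real monitor must use a cryptographic hash such as SHA-256. All function names, the enum, and the /tmp path used in the demonstration are hypothetical.

```c
/* Added example (not from the book): a minimal file-integrity check that
 * records size, permission bits, owner, mtime and a content digest, then
 * reports which attributes changed. The FNV-1a digest is a placeholder for
 * a cryptographic hash. Names are hypothetical. */
#include <stdio.h>
#include <stdint.h>
#include <sys/stat.h>

enum {                       /* bits returned by fim_compare() */
    FIM_SIZE  = 1 << 0,
    FIM_MODE  = 1 << 1,
    FIM_OWNER = 1 << 2,
    FIM_MTIME = 1 << 3,
    FIM_HASH  = 1 << 4
};
#define FIM_ERROR 0xFFFFu    /* sentinel from the demo functions on I/O error */

struct fim_record {
    off_t    size;
    mode_t   mode;           /* rwx bits plus setuid/setgid/sticky */
    uid_t    uid;
    gid_t    gid;
    time_t   mtime;
    uint64_t digest;
};

/* FNV-1a 64-bit over the file contents. Placeholder only: it detects
 * accidental change but is not collision-resistant against an attacker. */
static int digest_file(const char *path, uint64_t *out)
{
    FILE *f = fopen(path, "rb");
    unsigned char buf[4096];
    size_t n;
    uint64_t h = 0xcbf29ce484222325ULL;
    if (!f) return -1;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    fclose(f);
    *out = h;
    return 0;
}

int fim_snapshot(const char *path, struct fim_record *rec)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    rec->size  = st.st_size;
    rec->mode  = st.st_mode & 07777;
    rec->uid   = st.st_uid;
    rec->gid   = st.st_gid;
    rec->mtime = st.st_mtime;
    return digest_file(path, &rec->digest);
}

unsigned fim_compare(const struct fim_record *a, const struct fim_record *b)
{
    unsigned changed = 0;
    if (a->size  != b->size)  changed |= FIM_SIZE;
    if (a->mode  != b->mode)  changed |= FIM_MODE;
    if (a->uid != b->uid || a->gid != b->gid) changed |= FIM_OWNER;
    if (a->mtime != b->mtime) changed |= FIM_MTIME;
    if (a->digest != b->digest) changed |= FIM_HASH;
    return changed;
}

/* Test fixture: write constructed content to path and set its mode. */
static int write_file(const char *path, const char *content, mode_t mode)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(content, f);
    if (fclose(f) != 0) return -1;
    return chmod(path, mode);
}

/* Rewrite the content and report what the monitor flags. FIM_MTIME is
 * masked out because two writes within one second can share a timestamp. */
unsigned fim_demo_content_change(const char *path)
{
    struct fim_record before, after;
    if (write_file(path, "original contents\n", 0644) != 0) return FIM_ERROR;
    if (fim_snapshot(path, &before) != 0) return FIM_ERROR;
    if (write_file(path, "tampered contents!!\n", 0644) != 0) return FIM_ERROR;
    if (fim_snapshot(path, &after) != 0) return FIM_ERROR;
    remove(path);
    return fim_compare(&before, &after) & ~(unsigned)FIM_MTIME;
}

/* Change only the permission bits (the "permissions attack" case). */
unsigned fim_demo_mode_change(const char *path)
{
    struct fim_record before, after;
    if (write_file(path, "original contents\n", 0644) != 0) return FIM_ERROR;
    if (fim_snapshot(path, &before) != 0) return FIM_ERROR;
    if (chmod(path, 0755) != 0) return FIM_ERROR;
    if (fim_snapshot(path, &after) != 0) return FIM_ERROR;
    remove(path);
    return fim_compare(&before, &after) & ~(unsigned)FIM_MTIME;
}

int main(void)
{
    const char *p = "/tmp/fim_demo_example.txt";   /* constructed path */
    printf("content change flags: 0x%02x (expect SIZE|HASH)\n", fim_demo_content_change(p));
    printf("mode change flags:    0x%02x (expect MODE)\n", fim_demo_mode_change(p));
    return 0;
}
```

In practice the baseline records would be written to a file kept off the monitored system, for the same reason the Security Tools section gives for keeping audit tools on removable media: an intruder who can rewrite the baseline can hide the change it was meant to catch.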