9.12 Other Useful Tools and Techniques

Adversaries use several other techniques to break into WLAN environments and pilfer data, including OS fingerprinting and port scanning, application layer analysis, traffic pattern analysis, misuse of network management tools, and peer-to-peer attacks. The following sections provide a brief introduction to each.

9.12.1 OS Fingerprinting and Port Scanning

Operating system (OS) fingerprinting and port scanning are two of the most common starting points for an intrusion. Attackers begin by probing the target network to learn which operating systems are running and which ports are open; once that information is gathered, known weaknesses in those versions and services can be exploited. Programs such as the LANGuard Network Security Scanner can quickly and thoroughly scan and fingerprint an entire network. An auditor typically starts with LANGuard by scanning every host within an IP address range. LANGuard can then report on installed service packs, missing security patches, open ports, network shares, running services, users and groups, the relative strength of passwords in use, known vulnerabilities, and where specifically to find an exploit for each one. The same scanner in an intruder's hands produces the same target list, which is why the scan itself should be treated as an attack indicator.
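The following is an added example, not code from the page or from LANGuard, showing what OS fingerprinting actually keys on: the initial TTL, the TCP window size and the order of TCP options in a host's SYN. The packets are constructed in the block, and the small signature table is an assumption of this example (the commonly cited values for the named stacks), not an authoritative database.

```python
"""Passive OS fingerprinting from IPv4/TCP SYN headers (added example).

The SYN signatures below are an assumption of this example: commonly cited
values for the named stacks, not a complete signature database.
"""
import struct

OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACKOK", 8: "TS"}

# Byte encodings used only to construct the sample packets (values illustrative).
OPTION_BYTES = {
    "MSS": b"\x02\x04\x05\xb4",            # MSS 1460
    "NOP": b"\x01",
    "WSCALE": b"\x03\x03\x07",             # window scale 7
    "SACKOK": b"\x04\x02",
    "TS": b"\x08\x0a" + b"\x00" * 8,       # timestamps, zeroed
}

# (initial TTL, window size, TCP option order) -> OS family guess.
SIGNATURES = {
    (64, 64240, ("MSS", "SACKOK", "TS", "NOP", "WSCALE")): "Linux (2.6 and later)",
    (128, 65535, ("MSS", "NOP", "WSCALE", "NOP", "NOP", "SACKOK")): "Windows XP/2003",
    (128, 8192, ("MSS", "NOP", "WSCALE", "NOP", "NOP", "SACKOK")): "Windows 7/2008",
}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting value (32/64/128/255).

    Each router hop subtracts one, so the difference also hints at hop distance.
    """
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255


def parse_tcp_options(raw):
    """Return option kinds in wire order; the order is part of the signature."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP carries no length byte
            names.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        names.append(OPTION_NAMES.get(kind, "OPT%d" % kind))
        i += length
    return tuple(names)


def parse_packet(packet):
    """Parse IPv4 and TCP headers and return the fields fingerprinting keys on."""
    if len(packet) < 40:
        raise ValueError("packet too short for IPv4+TCP")
    ver_ihl, _tos, _tot, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "sport": sport, "dport": dport, "ttl": ttl, "flags": off_flags & 0x01FF,
            "window": window, "options": parse_tcp_options(tcp[20:data_off])}


def fingerprint(packet):
    """Guess the sender's OS from an initial SYN; anything else is rejected."""
    f = parse_packet(packet)
    if f["flags"] & 0x12 != 0x02:          # SYN set, ACK clear
        raise ValueError("only initial SYNs are fingerprinted")
    key = (initial_ttl(f["ttl"]), f["window"], f["options"])
    return SIGNATURES.get(key, "unknown (ttl~%d, win=%d, opts=%s)"
                          % (key[0], key[1], ",".join(key[2])))


def build_syn(ttl, window, option_names, src=(10, 0, 0, 5), dst=(10, 0, 0, 1)):
    """Construct a SYN with the given TTL/window/options (sample data, checksums zero)."""
    opts = b"".join(OPTION_BYTES[n] for n in option_names)
    opts += b"\x00" * (-len(opts) % 4)     # pad the header to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: a Linux host 12 hops away and a Windows XP host 11 hops away.
    for pkt in (build_syn(52, 64240, ("MSS", "SACKOK", "TS", "NOP", "WSCALE")),
                build_syn(117, 65535, ("MSS", "NOP", "WSCALE", "NOP", "NOP", "SACKOK"))):
        f = parse_packet(pkt)
        print(f["src"], "->", f["dst"], "ttl", f["ttl"], "=>", fingerprint(pkt))
```

The point of the option-order key is that two stacks with the same TTL and window still differ in how they lay out the SYN; a scanner like LANGuard gets the same signal actively by sending probes and reading the replies, and a defender who watches for such probes sees the reconnaissance before the exploit.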

Even when a wired network's resources are protected by strong authentication, peer attacks can still happen. For example, suppose an attacker runs an RF jamming device, access point software, and a DHCP server, all from a single laptop. When the intruder jams the authorized access point, client devices that were connected to it, or that attempt to connect to it, automatically roam and associate with the rogue laptop acting as an AP. The clients then request an IP address from the rogue device's DHCP server. Once a hijacked client has obtained an address from the rogue server, the attacker can run LANGuard against it and attack the target clients directly in a peer-to-peer attack. The technique works because clients of an open or WEP-protected network have no way to verify the access point they are joining; the rogue AP only needs to advertise the same SSID.
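One check a practitioner would want against the rogue-AP-plus-DHCP hijack above is to watch DHCP traffic for OFFER or ACK messages whose server identifier is not one of the organisation's servers. The block below is an added example, not code from the page: it parses DHCP messages and flags offers from an unlisted server. The allow list and the three captured messages are constructed for the demonstration.

```python
"""Spotting a rogue DHCP server from observed OFFER/ACK messages (added example).

The authorised server list and the sample capture are constructed here.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"     # BOOTP fixed header, 236 bytes


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_dhcp(msg):
    """Return the fields a rogue-server check needs: type, xid, client MAC, server id."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, siaddr,
     _giaddr, chaddr, _sname, _file) = struct.unpack(FIXED, msg[:236])
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == 255:                    # end option
            break
        if code == 0:                      # pad
            i += 1
            continue
        length = msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid,
        "type": MSG_TYPES.get(opts[53][0], "?") if 53 in opts else "?",
        "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "yiaddr": ip_str(yiaddr), "siaddr": ip_str(siaddr),
        # Option 54 says who is answering; siaddr is only the next-server hint.
        "server_id": ip_str(opts[54]) if 54 in opts else None,
    }


def find_rogue_offers(messages, authorized):
    """Return parsed OFFER/ACK messages whose server identifier is not on the allow list."""
    rogues = []
    for msg in messages:
        d = parse_dhcp(msg)
        if d["type"] in ("OFFER", "ACK") and d["server_id"] not in authorized:
            rogues.append(d)
    return rogues


def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", server_id=None):
    """Construct a minimal DHCP message for the sample capture (not real traffic)."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    sid = ip_bytes(server_id) if server_id else b"\x00" * 4
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0x8000, b"\x00" * 4,
                        ip_bytes(yiaddr), sid, b"\x00" * 4, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + sid
    return fixed + DHCP_MAGIC + options + b"\xff"


# Constructed capture: the client's DISCOVER, the corporate server's OFFER, and a
# second OFFER for the same transaction from an address that is not on the list.
AUTHORIZED = {"10.0.0.1"}
SAMPLE = [
    build_dhcp(1, 1, 0xDEADBEEF, "00:0c:29:aa:bb:cc"),
    build_dhcp(2, 2, 0xDEADBEEF, "00:0c:29:aa:bb:cc", "10.0.0.42", "10.0.0.1"),
    build_dhcp(2, 2, 0xDEADBEEF, "00:0c:29:aa:bb:cc", "192.168.0.100", "192.168.0.1"),
]

if __name__ == "__main__":
    for r in find_rogue_offers(SAMPLE, AUTHORIZED):
        print("rogue %s from %s offering %s to %s (xid %08x)" % (
            r["type"], r["server_id"], r["yiaddr"], r["client_mac"], r["xid"]))
```

On a jammed network the legitimate OFFER in the sample would never arrive at all, so the check is most useful on a monitoring station that can still hear both the corporate server and the rogue one; the same parser also works on a client's own capture, where a single OFFER from an unknown server identifier is the tell.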

9.12.2 Application Layer Analyzers

Programs that capture data packets and reassemble them into their original application format for use by an auditor are referred to as application layer analyzers. An application layer analyzer can capture the packets of an IRC session in both directions and reassemble them into the actual instant message conversation between the two clients. The same can be done with e-mail (including attachments), session login information (usernames and passwords), and the HTML pages and Web sites visited by a targeted client. A few application layer analyzers decode in real time, whereas others require the auditor or hacker to capture, save, import, and decode the data before it can be read. Either way, the analyzer can only reconstruct what travels in the clear: traffic that is encrypted at the application layer, or WLAN traffic whose encryption key the analyzer does not hold, yields nothing usable. Auditors typically use information gathered by an application layer analyzer to present findings to a corporate executive as proof of the need for added WLAN security.
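The reassembly step is where an application layer analyzer earns its name, so the following added example (not code from the page or from any analyzer it mentions) shows the core of it: rebuilding one direction of a TCP stream from segments that arrive out of order, split mid-line and partly retransmitted, then pulling the login and message lines out of the IRC session inside. The session bytes and the segment boundaries are constructed for the demonstration.

```python
"""Reassembling a captured TCP stream and decoding the IRC session in it (added example).

The captured segments below are constructed: out of order, split mid-line,
with one overlapping retransmission, which is the normal shape of a live capture.
"""


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Segments are ordered by sequence number; duplicates and overlapping
    retransmissions are trimmed; a gap (a lost segment) raises rather than
    silently splicing unrelated bytes together. Sequence wrap-around is ignored.
    """
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= expected:     # nothing new in this segment
            continue
        if seq > expected:
            raise ValueError("gap in stream at sequence %d" % expected)
        stream += payload[expected - seq:]     # drop the overlapping prefix
        expected = seq + len(payload)
    return bytes(stream)


def parse_irc(stream):
    """Pull the security-relevant lines out of an IRC byte stream."""
    found = []
    for line in stream.decode("utf-8", "replace").split("\r\n"):
        if not line:
            continue
        if line.startswith(":"):              # optional prefix on server-originated lines
            line = line.split(" ", 1)[1]
        parts = line.split(" ", 2)
        cmd = parts[0].upper()
        if cmd == "PRIVMSG" and len(parts) == 3:
            text = parts[2][1:] if parts[2].startswith(":") else parts[2]
            found.append(("PRIVMSG", parts[1], text))
        elif cmd in ("NICK", "PASS") and len(parts) >= 2:
            found.append((cmd, parts[1], ""))
    return found


# Constructed capture of a client's IRC login and one message, as the analyzer
# would see it on the wire (values are made up for the example).
ISN = 1000
SESSION = b"PASS hunter2\r\nNICK alice\r\nPRIVMSG #netops :new WEP key is on the wiki page\r\n"
SEGMENTS = [
    (ISN + 30, SESSION[30:48]),
    (ISN, SESSION[:14]),
    (ISN + 14, SESSION[14:30]),
    (ISN + 20, SESSION[20:40]),       # retransmission overlapping two neighbours
    (ISN + 48, SESSION[48:]),
]


def decode_session(segments=SEGMENTS, isn=ISN):
    return parse_irc(reassemble(segments, isn))


if __name__ == "__main__":
    for cmd, target, text in decode_session():
        print(cmd, target, text)
```

A real analyzer tracks both directions of every connection and handles wrap-around and thousands of concurrent streams, but the decision rules are the same: order by sequence number, trim overlaps, never paper over a gap.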

9.12.3 Traffic Pattern Analysis

Another type of network information gathering is known as traffic analysis. It involves understanding where most of the traffic on the network is going, how much traffic flows in and out, and at what time of day certain types of traffic are sent. An attacker who wanted to gather login information and determine which network resources were the most important would likely begin in the morning hours from a location near an access point, collect the morning login traffic, and use a packet analyzer to work out where the important network resources are. The same information helps an attacker determine whether a trap, called a honeypot, has been set. A honeypot is software that emulates one or more computers on a network; it is set up to attract hackers, and once an intruder breaks into it, the honeypot software collects information about both the attack and the attacker. Because a honeypot serves no legitimate users, real traffic to it is sparse or absent, and that is exactly what traffic pattern analysis reveals; intruders use such tools and techniques to avoid the trap.
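As an added example (not from the page), the block below runs the analysis the paragraph describes over a constructed flow log: it finds the hour with the login burst, ranks servers by how many distinct clients use them, and flags a host that answers probes but carries no user traffic, which is what a honeypot looks like from the outside. The log format, the addresses and the rule that the analyst's own probes are discounted are all assumptions of this example.

```python
"""Traffic pattern analysis over flow records (added example).

The flow log is constructed: a file server and a mail server used by many
clients each morning, plus one host that only ever receives a scan from
the analyst's own address. Field order is an assumption of this example.
"""
from collections import Counter, defaultdict

# Constructed flow log: "HH:MM src dst dport bytes", one flow per line.
FLOWS = """\
08:05 10.0.1.11 10.0.0.5 445 18200
08:07 10.0.1.12 10.0.0.5 445 22100
08:09 10.0.1.13 10.0.0.5 445 9800
08:10 10.0.1.11 10.0.0.7 143 4100
08:12 10.0.1.14 10.0.0.7 143 3900
08:15 10.0.1.15 10.0.0.5 445 30100
09:30 10.0.1.12 10.0.0.7 143 2200
12:01 10.0.1.11 10.0.0.5 445 800
14:20 10.0.1.11 10.0.0.7 143 1500
15:02 10.0.9.9 10.0.0.9 22 120
15:02 10.0.9.9 10.0.0.9 23 120
15:02 10.0.9.9 10.0.0.9 80 120
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hhmm, src, dst, dport, nbytes = line.split()
        flows.append({"hour": int(hhmm[:2]), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def busiest_hour(flows):
    """Hour of day with the most flows: where the login burst sits."""
    return Counter(f["hour"] for f in flows).most_common(1)[0][0]


def profile(flows, own_addresses=frozenset()):
    """Per destination: distinct clients (our own probes excluded), bytes, peak hour."""
    acc = defaultdict(lambda: {"clients": set(), "bytes": 0, "hours": Counter()})
    for f in flows:
        d = acc[f["dst"]]
        d["bytes"] += f["bytes"]
        d["hours"][f["hour"]] += 1
        if f["src"] not in own_addresses:
            d["clients"].add(f["src"])
    return {dst: {"clients": len(d["clients"]), "bytes": d["bytes"],
                  "peak_hour": d["hours"].most_common(1)[0][0]}
            for dst, d in acc.items()}


def rank_resources(prof):
    """Most important resources first: used by the most distinct clients, then by volume."""
    return sorted(prof, key=lambda h: (prof[h]["clients"], prof[h]["bytes"]), reverse=True)


def possible_honeypots(prof):
    """Hosts that receive traffic yet are never used by a real client."""
    return [h for h, d in prof.items() if d["clients"] == 0]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    prof = profile(flows, own_addresses={"10.0.9.9"})
    print("busiest hour:", busiest_hour(flows))
    for host in rank_resources(prof):
        print(host, prof[host])
    print("possible honeypots:", possible_honeypots(prof))
```

The honeypot rule is deliberately crude (any host with zero real clients in the window); on a real network the analyst would look at the pattern over days and at which ports are contacted, but the principle the page describes is the same: a resource nobody legitimate uses is either unimportant or a trap.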

9.12.4 Network Management Tools

Network management tools are powerful utilities for managing large enterprise LANs and WANs from a central control station. Using software packages such as Hyena (http://www.systemtools.com/hyena), Solarwinds (http://www.solarwindsoftware.com), and What's Up Gold (http://ipswitch.com/products/whatsup/index.html), an intruder who has reached the management network has the potential to take over an enterprise network from a single mobile workstation. Most intruders are familiar with at least one such package and use it to make changes on the network that are intended to do substantial damage to the organization.

9.12.5 Peer-to-Peer Attacks

Attacks initiated by one client and aimed at another client of the same network are known as peer-to-peer attacks. Hackers use peer-to-peer attacks to obtain sensitive data files, passwords and password files, registry data such as WEP keys or file share properties, and network access information. Peer-to-peer attacks are the most common type of attack because client stations are left vulnerable far more often than corporate network infrastructures are. Two common channels for initiating peer-to-peer attacks are DSSS RF and infrared. Using a compatible RF technology, such as 802.11b, an intruder can attack a peer node directly in ad hoc mode or through the shared AP. Many systems ship with the infrared port enabled by default; users generally forget about it or do not know how to disable it, so they are usually unaware that it exists. The infrared port is generally located on the back of the computer, and anyone within line of sight of it can gain access to the computer through the port without the victim's knowledge or consent.


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153