Introduction To Network Security
Tools An Attacker Uses
Now that we've concluded a brief introduction to the types of threats
faced by both home users and the enterprise, it is time to have a look
at some of the tools that attackers use.
Keep in mind that a lot of these tools have legitimate purposes and
are very useful to administrators as well. For example, I can use a network
sniffer to diagnose a low-level network problem or I can use it to collect
your password. It just depends which shade of hat I choose to wear.
General Network Tools
As surprising as it might sound, some of the most powerful tools, especially
in the beginning stages of an attack, are the regular network tools available
with most operating systems. For example, an attacker will usually query
the 'whois' databases for information on the target. After that he might
use 'nslookup' to see if he can transfer the whole contents of their
DNS zone (called a zone transfer -- big surprise!!). This will let
him identify high-profile targets such as web servers, mail servers, DNS
servers etc. He might also be able to figure out what different systems
do based on their DNS name -- for example, sqlserver.victim.com would
most likely be a database server. Other important tools include traceroute
to map the network and ping to check which hosts are alive. You should
make sure your firewall blocks ping requests and traceroute packets.
Exploits
An exploit is a generic term for the code that actually 'exploits'
a vulnerability in a system. The exploit can be a script that causes
the target machine to crash in a controlled manner (e.g. a buffer overflow)
or it could be a program that takes advantage of a misconfiguration.
A 0-day exploit is an exploit that is unknown to the security community
as a whole. Since most vulnerabilities are patched within 24 hours,
0-day exploits are the ones that the vendor has not yet released a patch
for. Attackers keep large collections of exploits for different systems
and different services, so when they attack a network, they find a host
running a vulnerable version of some service and then use the relevant
exploit.
Port Scanners
Most of you will know what portscanners are. Any system that offers
TCP or UDP services will have an open port for that service. For example
if you're serving up webpages, you'll likely have TCP port 80 open,
FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so
on.
A portscanner scans a host or a range of hosts to determine what ports
are open and what service is running on them. This tells the attacker
which systems can be attacked.
For example, if I scan a webserver and find that port 80 is running
an old webserver -- IIS/4.0, I can target this system with my collection
of exploits for IIS 4. Usually the port scanning will be conducted at
the start of the attack, to determine which hosts are interesting.
This is when the attacker is still footprinting the network -- feeling
his way around to get an idea of what type of services are offered and
what operating systems are in use etc. One of the best portscanners
around is Nmap (http://www.insecure.org/nmap).
Nmap runs on just about every operating system, is very versatile in
how it lets you scan a system and has many features including OS fingerprinting,
service version scanning and stealth scanning. Another popular scanner
is Superscan (http://www.foundstone.com), which is only for the Windows platform.
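A defender's counterpart to the port scanner, added here as an example (not code from the original article or from Nmap): a Python heuristic that flags any source address hitting many distinct ports on a host within a short window. The log lines are constructed in the style of a netfilter LOG prefix, and the 60-second window and 5-port threshold are assumed tuning values.

```python
"""Flag sources that hit many distinct ports in a short window (port-scan heuristic)."""
import re
from collections import defaultdict

# Constructed sample lines in the style of a netfilter LOG prefix (not real traffic):
# "<epoch> IN=<if> SRC=<ip> DST=<ip> PROTO=<proto> SPT=<sport> DPT=<dport>"
SAMPLE_LOG = """\
1000 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
1001 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
1001 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
1002 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
1002 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
1003 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=110
1003 IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=40007 DPT=161
1005 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
1006 IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
1900 IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=443
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)")

def parse(log_text):
    """Yield (timestamp, source, protocol, destination port) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["proto"], int(m["dport"])

def detect_scanners(log_text, window=60, min_ports=5):
    """Return {source: sorted distinct (proto, port)} for every source that touched
    at least `min_ports` distinct ports within some `window`-second span."""
    events = defaultdict(list)
    for ts, src, proto, dport in parse(log_text):
        events[src].append((ts, (proto, dport)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order
        for i, (t0, _) in enumerate(evs):
            # distinct ports seen from t0 up to t0 + window
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

Repeated hits on one port (198.51.100.7 above) are ordinary traffic and stay unflagged; only the source fanning out across many ports is reported.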
Network Sniffers
A network sniffer puts the computer's NIC (network interface card or
LAN card) into 'promiscuous mode'. In this mode, the NIC picks up all
the traffic on its subnet regardless of whether it was meant for it
or not. Attackers set up sniffers so that they can capture all the network
traffic and pull out logins and passwords. The most popular network
sniffer is TCPdump as it can be run from the command line -- which is
usually the level of access a remote attacker will get. Other popular
sniffers are Iris and Ethereal.
When the target network is a switched environment (a network which
uses layer 2 switches), a conventional network sniffer will not be of
any use. For such cases, the switched-network sniffer Ettercap (http://ettercap.sourceforge.net)
is very popular. It allows the attacker to collect passwords, hijack
sessions, modify ongoing connections and kill connections. It can even
sniff secured communications like SSL (used for secure webpages) and
SSH1 (Secure Shell - a remote access service like telnet, but encrypted).
There are also programs that allow an admin to detect whether any NICs
are running in promiscuous mode.
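The admin-side check mentioned above, as an added example that is not part of the original article: Python that reads Linux kernel log lines and `ip link show` output and reports which NICs are in promiscuous mode, flagging interfaces where the two sources disagree. The syslog lines and `ip link` output are constructed samples; the host name gw and the interface names are assumptions.

```python
"""Spot NICs in promiscuous mode from kernel log lines and `ip link` output (Linux)."""
import re

# Constructed syslog lines. Both wordings of the kernel's IFF_PROMISC message are included:
# older "device eth0 entered promiscuous mode" and newer "eth0: entered promiscuous mode".
SAMPLE_SYSLOG = """\
Mar  3 10:01:12 gw kernel: [12345.678] device eth0 entered promiscuous mode
Mar  3 10:02:40 gw kernel: [12433.001] device eth0 left promiscuous mode
Mar  3 11:15:02 gw kernel: [16789.222] device eth1 entered promiscuous mode
Mar  3 11:15:03 gw sshd[4242]: Accepted publickey for admin from 192.0.2.9 port 50122
Mar  3 11:20:00 gw kernel: [17087.410] eth2: entered promiscuous mode
"""

# Constructed `ip link show` output; PROMISC in the <...> flag list is the live state.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

KMSG_RE = re.compile(r"kernel: .*?(?:device )?(?P<dev>[\w.-]+?):? (?P<what>entered|left) promiscuous mode")
LINK_RE = re.compile(r"^\d+: (?P<dev>[^:]+): <(?P<flags>[^>]*)>", re.M)

def promisc_from_log(log_text):
    """Replay entered/left events in order; return devices whose last event was 'entered'."""
    state = {}
    for line in log_text.splitlines():
        m = KMSG_RE.search(line)
        if m:
            state[m["dev"]] = (m["what"] == "entered")
    return {dev for dev, on in state.items() if on}

def promisc_from_ip_link(output):
    """Return devices whose current flag list contains PROMISC."""
    return {m["dev"] for m in LINK_RE.finditer(output)
            if "PROMISC" in m["flags"].split(",")}

def report(log_text, ip_link_output):
    """Union of both sources, plus devices where log history and live state disagree
    (a logged 'entered' with no live PROMISC flag, or the reverse, deserves a look)."""
    from_log = promisc_from_log(log_text)
    live = promisc_from_ip_link(ip_link_output)
    return {"promiscuous": sorted(from_log | live), "mismatch": sorted(from_log ^ live)}
```

On a real host, feed `report()` the output of `journalctl -k` (or /var/log/kern.log) and `ip link show`; a sniffer that was started and later stopped shows up only in the log history.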
Vulnerability Scanners
A vulnerability scanner is like a portscanner on steroids: once it
has identified which services are running, it checks the system against
a large database of known vulnerabilities and then prepares a report
on what security holes are found. The software can be updated to scan
for the latest security holes. Unfortunately, these tools are very simple to use,
so many script kiddies simply point them at a target machine to find
out what they can attack. The most popular ones are Retina (http://www.eeye.com),
Nessus (http://www.nessus.org) and GFI LanScan (http://www.gfi.com).
These are very useful tools for admins as well, as they can scan their
whole network and get a detailed summary of what holes exist.
Password Crackers
Once an attacker has gained some level of access, he/she usually goes
after the password file on the relevant machine. In UNIX-like systems
this is the /etc/passwd or /etc/shadow file and in Windows it is the
SAM database. Once he gets hold of this file, it's usually game over:
he runs it through a password cracker that will usually guarantee him
further access. Running a password cracker against your own password
files can be a scary and enlightening experience. L0phtcrack cracked
my old password fR7x!5kK after being left on for just one night!
There are essentially two methods of password cracking:
Dictionary Mode - In this mode, the attacker
feeds the cracker a word list of common passwords such as 'abc123' or
'password'. The cracker will try each of these passwords and note where
it gets a match. This mode is useful when the attacker knows something
about the target. Say I know that the passwords for the servers in your
business are the names of Greek gods (yes Chris, that's a shout-out
to you ;)), I can find a dictionary list of Greek god names and run it
through the password cracker.
Most attackers have a large collection of wordlists. For example, when
I do penetration testing work, I usually use common password lists,
Indian name lists and a couple of customized lists based on what I know
about the company (usually data I pick up from their company website).
Many people think that adding on a couple of numbers at the start or
end of a password (for example 'superman99') makes the password very
difficult to crack. This is a myth as most password crackers have the
option of adding numbers to the end of words from the wordlist. While
it may take the attacker 30 minutes more to crack your password, it
does not make it much more secure.
Brute Force Mode - In this mode, the password
cracker will try every possible combination for the password. In other
words it will try aaaaa, aaaab, aaaac, aaaad etc. This method will crack
every possible password -- it's just a matter of how long it takes. It
can turn up surprising results because of the power of modern computers.
A 5-6 character alphanumeric password is crackable within a matter of
a few hours or maybe a few days, depending on the speed of the software
and machine. Powerful crackers include L0phtcrack for Windows passwords
and John the Ripper for UNIX-style passwords.
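As an added example that is not from the original article or from either cracker: a Python password-policy check that measures how quickly a dictionary-mode run with digit append/prepend rules would reach a candidate, next to the keyspace a brute-force run would have to cover. It generalizes the 'superman99' point above to any wordlist; the seven-word list is a constructed stand-in for real wordlists and the two-digit rule limit is an assumption.

```python
"""Password-policy check: would a candidate fall to dictionary mode with digit rules?"""
import itertools
import string

# Constructed mini wordlist standing in for the large lists crackers ship with.
WORDLIST = ["password", "abc123", "superman", "zeus", "apollo", "athena", "hermes"]

def dictionary_candidates(wordlist, max_digits=2):
    """Yield guesses in the order a dictionary-mode run with an 'append or prepend up to
    max_digits digits' rule tries them: bare words first, then 1-digit, then 2-digit variants."""
    for word in wordlist:
        yield word
    for n in range(1, max_digits + 1):
        for word in wordlist:
            for digits in itertools.product(string.digits, repeat=n):
                d = "".join(digits)
                yield word + d  # e.g. 'superman99'
                yield d + word  # e.g. '99superman'

def dictionary_rank(password, wordlist=WORDLIST, max_digits=2):
    """Number of guesses until `password` is hit (case-insensitive), or None if never."""
    target = password.lower()
    for rank, guess in enumerate(dictionary_candidates(wordlist, max_digits), start=1):
        if guess == target:
            return rank
    return None

def brute_force_keyspace(password):
    """Guesses an exhaustive run must cover: alphabet_size ** length, using the smallest
    of lowercase / lowercase+digits / alphanumeric / printable that holds every character."""
    alphabets = [string.ascii_lowercase, string.ascii_lowercase + string.digits,
                 string.ascii_letters + string.digits, string.printable.strip()]
    for alphabet in alphabets:
        if all(c in alphabet for c in password):
            return len(alphabet) ** len(password)
    return None

def audit(password, wordlist=WORDLIST):
    """Policy verdict: a password covered by the dictionary run is weak no matter how
    large its brute-force keyspace looks."""
    rank = dictionary_rank(password, wordlist)
    return {"dictionary_rank": rank,
            "brute_force_keyspace": brute_force_keyspace(password),
            "weak": rank is not None}
```

Against this list 'superman99' falls at guess 746 while its brute-force keyspace is 36^10, which is why a policy should test candidates against wordlist-plus-rules rather than count characters.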
For each category, I have listed one or two tools as an example. At
the end of this article I will present a more detailed list of tools
with descriptions and possible uses.