Hacking Exposed Diagram

This document reproduces two one-page diagrams from Hacking Exposed: "Anatomy of a Hack", which lays out the methodology of a network intrusion step by step (footprinting, scanning, enumeration, gaining access, escalating privilege, pilfering, covering tracks, creating back doors, with denial of service as a fallback when access is not obtained), together with the techniques and tools used at each step; and "Top 14 Security Vulnerabilities", which places the most common weaknesses on a typical corporate network map. The aim is to show how a surgical attack against a system is carried out and where the defender's weak points usually lie.

ANATOMY OF A HACK

Each step below gives the objective, the methodology, and the techniques with the tools used for them (technique: tools).

Footprinting
  Objective: Target address range and naming acquisition and information gathering are essential to a surgical attack. The key here is not to miss any details.
  Open source search: USENet, search engines, EDGAR
  Whois: any UNIX client
  Web interface to Whois: http://www.networksolutions.com/cgi-bin/whois/whois
  ARIN Whois: http://www.arin.net/whois
  DNS zone transfer

Scanning
  Objective: Bulk target assessment and identification of listening services focuses the attacker's attention on the most promising avenues of entry.
  Ping sweep: fping, WS_Ping ProPack
  TCP/UDP port scan: nmap, scan.exe

Enumeration
  Objective: More intrusive probing now begins as attackers identify valid user accounts or poorly protected resource shares.
  List user accounts: DumpACL, sid2user, null sessions, OnSite Admin
  List file shares: showmount, NAT, Legion
  Identify applications: banner grabbing with telnet or netcat, rpcinfo

Gaining Access
  Objective: Enough data has been gathered at this point to make an informed attempt to access the target.
  Password eavesdropping: tcpdump, l0phtcrack readsmb
  File share brute forcing: NAT, Legion
  Password file grab: tftp, pwdump2 (NT)
  Buffer overflows: ttdb, eEye, IISHack

Escalating Privilege
  Objective: If only user-level access was obtained in the last step, the attacker will seek to gain complete control of the system.
  Password cracking: crack, l0phtcrack
  Known exploits: rdist, getadmin, sechole

Pilfering
  Objective: The information-gathering process begins again to identify mechanisms to gain access to trusted systems.
  Evaluate trusts: rhosts, LSA Secrets
  Search for cleartext passwords: user data, configuration files, Registry

Covering Tracks
  Objective: Once total ownership of the target is secured, hiding this fact from the system administrators becomes paramount, lest they end the romp.
  Clear logs: zap, Event Log GUI, elsave
  Hide tools: hidden directories, file streaming

Creating Back Doors
  Objective: Trap doors will be laid in various parts of the system to ensure privileged access is easily regained at the whim of the intruder.
  Create rogue user accounts: members of wheel, Administrators
  Schedule batch jobs: cron, AT
  Infect startup files: rc, startup folder, Registry keys
  Plant remote control services: netcat, remote.exe, VNC
  Install monitoring mechanisms: keystroke loggers, add account to secadmin mail aliases
  Replace applications with trojans

Denial of Service
  Objective: If an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
  SYN flood: synk3
  ICMP techniques: ping of death, smurf
  Identical src/dst SYN requests: land, latierra
  Overlapping fragment/offset bugs: teardrop, bonk, newtear
  Out of bounds TCP: supernuke.exe

Source: "Hacking Exposed: Network Security Secrets and Solutions", S. McClure, J. Scambray & G. Kurtz, Osborne/McGraw Hill, 1999
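The Scanning and Enumeration steps above (TCP port scan, then "identify applications" by banner grabbing with telnet or netcat) written out in code, as an added example that is not part of the Hacking Exposed diagram. It performs a TCP connect scan, reads whatever greeting each open port volunteers, and matches that greeting against a few banner patterns to name the product and version. To run offline it starts two constructed loopback listeners with invented OpenSSH-style and ProFTPD-style banners and uses a bound-but-unlistened port as the closed case; the banner regexes are illustrative assumptions, not a real fingerprint database, and scanning any host you do not own requires authorization.

```python
"""Connect scan + banner grab: the Scanning / Enumeration steps in code.

Added example, not from the Hacking Exposed diagram. Everything it scans is
constructed: two loopback listeners are started with invented banners so the
run is offline. Scanning anything you do not own requires authorization.
"""
import re
import socket
import threading

# Illustrative patterns (an assumption, not a real fingerprint database) for
# protocols that volunteer a greeting as soon as the TCP handshake completes.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-](?P<version>\S+)")),
    ("smtp", re.compile(r"^220[ -]\S+\s+ESMTP\s+(?P<product>\S+)(?:\s+(?P<version>[\d.]+))?", re.I)),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>ProFTPD|vsFTPd|wu-ftpd)\s+(?P<version>[\d.]+\S*)", re.I)),
]


def identify_application(banner: str):
    """Map a greeting banner to (protocol, product, version), or None."""
    lines = banner.strip().splitlines()
    if not lines:
        return None
    for proto, pattern in BANNER_PATTERNS:
        m = pattern.search(lines[0])
        if m:
            return proto, m.group("product"), m.group("version")
    return None


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect scan: a completed handshake means the port is open.
    For each open port, read what the service sends first (the netcat-style
    banner grab).  Returns {port: banner}; closed/filtered ports are omitted."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                if s.connect_ex((host, port)) != 0:
                    continue  # RST (closed) or no answer within timeout (filtered)
            except OSError:
                continue
            try:
                banner = s.recv(256).decode("ascii", errors="replace")
            except OSError:  # includes socket.timeout: open but silent (e.g. HTTP)
                banner = ""
        found[port] = banner
    return found


def _fake_service(banner: bytes) -> int:
    """Constructed loopback listener that sends `banner` and hangs up.
    Returns the ephemeral port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Scan three constructed loopback ports and identify what answered."""
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_3.9p1\r\n")
    ftp_port = _fake_service(b"220 ProFTPD 1.2.9 Server ready.\r\n")
    # Bound but never listen()ed: the kernel answers SYN with RST, the closed case.
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    try:
        banners = connect_scan("127.0.0.1", [ssh_port, ftp_port, closed_port])
    finally:
        closed.close()
    return {port: identify_application(b) for port, b in banners.items()}


if __name__ == "__main__":
    for port, app in sorted(demo().items()):
        print(port, app)
```

The scan reports only ports whose handshake completed, so a port that connects but sends nothing shows up with an empty banner and `identify_application` returns None for it; that is the case where the tool would have to speak first (an HTTP request, an SMTP EHLO) to provoke a fingerprintable reply.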
TOP 14 SECURITY VULNERABILITIES

1. Inadequate router access control: misconfigured router ACLs can allow information leakage through ICMP, IP and NetBIOS, and lead to unauthorized access to services on your DMZ servers.
2. Unsecured and unmonitored remote access points provide one of the easiest means of access to your corporate network.
3. Information leakage can provide the attacker with operating system and application versions, users, groups, shares, DNS information via zone transfers, and running services like SNMP, finger, SMTP, telnet, rusers, sunrpc and NetBIOS.
4. Hosts running unnecessary services (such as sunrpc, FTP, DNS, SMTP) leave a way in.
5. Weak, easily guessed, and reused passwords at the workstation level can doom your servers to compromise.
6. User or test accounts with excessive privileges.
7. Misconfigured Internet servers, especially CGI scripts on web servers, and anonymous FTP.
8. Misconfigured firewall or router ACLs can allow access to internal systems directly or once a DMZ server is compromised.
9. Software that is unpatched, outdated, vulnerable or left in default configurations.
10. Excessive file and directory access controls (NT/95 shares, UNIX NFS exports).
11. Excessive trust relationships such as NT domain trusts and UNIX .rhosts and hosts.equiv files can provide attackers with unauthorized access to sensitive systems.
12. Unauthenticated services like X Windows.
13. Inadequate logging, monitoring, and detection capabilities at the network and host level.
14. Lack of accepted and well-promulgated Internet security policies, procedures, guidelines, and minimum baseline standards.

(The original page places these items on a network map: Internet, Border Router, Firewall, Internal Router, DMZ Servers and Internal LAN workstations, with a Branch Office reached over dedicated circuits and a laptop connecting by dial-up.)

Source: "Hacking Exposed: Network Security Secrets and Solutions", S. McClure, J. Scambray & G. Kurtz, Osborne/McGraw Hill, 1999
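Items 10 and 11 above (excessive NFS exports, excessive trust through .rhosts and hosts.equiv) as a host-side audit, an added example that is not from the book. It parses hosts.equiv/.rhosts lines and Linux-style /etc/exports entries and flags the entries a pentester looks for during the Pilfering step: '+' wildcards, netgroup trusts, exports open to every host, and writable exports that keep remote root. The file contents are constructed samples and the severity labels are this example's own convention.

```python
"""Audit for vulnerabilities 10 and 11: over-permissive NFS exports and
over-trusting .rhosts / hosts.equiv entries.

Added example, not from the book. The file contents below are constructed
samples; the severity labels are this example's own convention.
"""
import re

# Constructed /etc/hosts.equiv (the same syntax applies to ~/.rhosts).
HOSTS_EQUIV = """\
# constructed sample
+ +
trusted.example.com
dev.example.com +
+@admins
"""

# Constructed /etc/exports in Linux syntax: path client(options) ...
EXPORTS = """\
# constructed sample
/home *(rw)
/pub 192.168.1.0/24(ro)
/srv 10.0.0.5(rw,no_root_squash)
/scratch
"""


def _content_lines(text):
    """Yield (lineno, line) with comments and blank lines removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def audit_hosts_equiv(text):
    """Flag rhosts-style trust lines.  Syntax: host [user]; '+' is a
    wildcard, '+@group' is an NIS netgroup.  Returns (lineno, severity, note)."""
    findings = []
    for lineno, line in _content_lines(text):
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host == "+" and user == "+":
            findings.append((lineno, "critical", "any user on any host trusted ('+ +')"))
        elif host == "+":
            findings.append((lineno, "high", f"any host trusted for user {user or '(same name)'}"))
        elif user == "+":
            findings.append((lineno, "high", f"any user on {host} trusted"))
        elif host.startswith("+@") or (user or "").startswith("+@"):
            findings.append((lineno, "medium", "netgroup trust; review group membership"))
    return findings


def audit_exports(text):
    """Flag NFS exports open to the world, writable, or keeping remote root."""
    findings = []
    for lineno, line in _content_lines(text):
        path, *clients = line.split()
        if not clients:
            findings.append((lineno, "critical", f"{path} exported to every host, default options"))
            continue
        for client in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", client)
            if not m:
                continue  # malformed client spec; not judged here
            host = m.group(1)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            world = host in ("", "*")
            rw, keep_root = "rw" in opts, "no_root_squash" in opts
            if world and rw:
                severity = "critical"
            elif world or (rw and keep_root):
                severity = "high"
            elif keep_root:
                severity = "medium"
            else:
                continue
            findings.append((lineno, severity, f"{path} -> {host or '*'} ({','.join(opts) or 'defaults'})"))
    return findings


if __name__ == "__main__":
    for name, findings in (("hosts.equiv", audit_hosts_equiv(HOSTS_EQUIV)),
                           ("exports", audit_exports(EXPORTS))):
        for lineno, severity, note in findings:
            print(f"{name}:{lineno} [{severity}] {note}")
```

Run against the real files (`audit_exports(open("/etc/exports").read())`) the same functions produce the list an attacker would assemble from showmount -e and a grabbed hosts.equiv, which is the point: the defender can enumerate these trusts first.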
