Security - Network Intrusion Methodology
The goal of this article is to explain the methodology that hackers generally use to infiltrate a computer system. Its purpose is not to explain how to compromise a system but to help you understand how the process works so you can better protect yourself. The best way to protect your system is to use the same approach hackers do in order to map the system's vulnerabilities.

As such, this article does not provide specific information about how flaws are exploited, but rather it explains how to detect and correct them.

The Attacker's Goal

Hackers who intend to infiltrate IT systems first look for flaws, i.e. vulnerabilities that are harmful to the security of the system, in the protocols, operating systems, applications and even an organisation's employees! The terms vulnerability, breach and the more informal security hole are also used to refer to security flaws.

To be able to run an exploit (the technical term for a program or technique that takes advantage of a vulnerability), the hacker first has to gather as much information as possible about the network's architecture and about the operating systems and applications running on it. Most attacks are the work of script kiddies foolishly trying out exploits found on the Internet, with no knowledge of the system or of the risks involved.

Once the hacker has established a map of the system, he is capable of applying exploits related to the versions of the applications he has indexed. Initial access to a machine will let him extend his action to retrieve other information and possibly escalate his privileges on the machine.

When administrator access (the term root access is generally used) is obtained, we say that the machine has been compromised (or more precisely, that a root compromise has occurred), since system files may have been modified. At this point the hacker has maximum rights on the machine.

If the intruding party is a hacker, he finishes by erasing his tracks to avoid suspicion on the part of the compromised network's administrator and to be able to retain control over the compromised machines for as long as possible.

Retrieval of System Information

Information about the targeted network's addressing, generally referred to as fingerprinting, must be obtained before an attack can be launched. This involves gathering a maximum amount of information about the target network's communication infrastructures:

  • IP addressing
  • Domain names
  • Network protocols
  • Activated services
  • Server architecture
  • etc.

Consulting Public Databases

By obtaining the public IP address of one of the network's machines, or simply the organisation's domain name, a pirate is potentially able to learn the addressing of the entire network, that is, the range of public IP addresses belonging to the targeted organisation and its breakdown into sub-networks. To do so, all he needs to do is consult the public databases that allocate IP addresses and domain names:

Network Scanning

When the hacker knows the network's topology, he can scan it, i.e. use a software tool (called a scanner) to determine the IP addresses active on the network, the open ports corresponding to accessible services and the operating system used by its servers.

One of the most widely known network scanning tools is Nmap, which many network administrators regard as an essential tool for securing networks. This tool works by sending TCP and/or UDP packets to a group of machines on a network (defined by a network address and a mask) and then analysing the responses. Based on the characteristics of the TCP packets it receives in response, it can determine the remote operating system of each scanned machine.

There is another type of scanner, called a passive mapper (one of the best known is Siphon), that makes it possible to discover the network topology of the physical segment on which the mapper analyses packets. Unlike the previous scanners, this tool does not send packets over the network and therefore cannot be detected by intrusion detection systems.

In addition, some tools make it possible to accept X connections (an X server is the server that manages the display of UNIX-type machines). This makes it possible to use the display of stations present on the network to observe what is shown on their screens and possibly to intercept the keys typed by users of vulnerable machines.
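An active scan of the kind Nmap performs leaves a trail in the firewall log: one source hitting many distinct host/port pairs in a short time. The following added example (not code from the original article) shows the detection logic run over constructed iptables-style log lines; the field names, threshold and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (sample data, not from the original article).
# 203.0.113.7 probes five ports on one host and one on a second host within three seconds;
# 198.51.100.4 only repeats an ordinary request to port 80.
SAMPLE_LOG = """\
Mar 21 18:20:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=21 SYN
Mar 21 18:20:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=22 SYN
Mar 21 18:20:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=23 SYN
Mar 21 18:20:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41005 DPT=25 SYN
Mar 21 18:20:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41006 DPT=80 SYN
Mar 21 18:20:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=41007 DPT=443 SYN
Mar 21 18:20:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50210 DPT=80 SYN
Mar 21 18:20:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=50211 DPT=80 SYN
"""

# One tolerant regex per field, so other fields (LEN, TTL, ...) may appear between them.
FIELD_RES = {name: re.compile(r"\b%s=(\S+)" % name) for name in ("SRC", "DST", "PROTO", "DPT")}

def parse_events(log_text):
    """Extract (src, dst, proto, dst_port) from every line that carries all four fields."""
    events = []
    for line in log_text.splitlines():
        fields = {}
        for name, rx in FIELD_RES.items():
            m = rx.search(line)
            if m:
                fields[name] = m.group(1)
        if len(fields) == 4:
            events.append((fields["SRC"], fields["DST"], fields["PROTO"], int(fields["DPT"])))
    return events

def find_scanners(events, min_targets=5):
    """Sources that touched at least min_targets distinct (dst host, port) pairs.
    Returns {src: sorted list of (dst, port)}. Repeated hits on one port count once,
    so a busy legitimate client does not trip the threshold."""
    targets = defaultdict(set)
    for src, dst, _proto, dpt in events:
        targets[src].add((dst, dpt))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    for src, hits in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"possible scan from {src}: {len(hits)} distinct host/port pairs")
```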

Banner Grabbing

When the network scan is finished, the hacker simply needs to examine the log files of the tools he used to find out the IP addresses of the machines connected to the network and the ports open on them.

The numbers of the open ports on the machines reveal the type of service behind them and prompt him to query each service for additional information about the server version, contained in the so-called "banner".

For example, to find out the version of an HTTP server, a pirate can simply telnet to the web server on port 80:

    telnet www.commentcamarche.net 80

then request the home page:

    GET / HTTP/1.0

The server then responds with the following header:

    HTTP/1.1 200 OK
    Date: Thu, 21 Mar 2002 18:22:57 GMT
    Server: Apache/1.3.20 (Unix) Debian/GNU

The operating system, the server software and its version are then known.
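An administrator can run the same check against his own servers to see what they disclose. The following added example (not code from the original article) parses a raw HTTP response, modelled on the header above, and reports whether the Server banner leaks a version or platform; the sample responses are constructed.

```python
import re

# Constructed HTTP response modelled on the header shown above (sample data, not a live capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 21 Mar 2002 18:22:57 GMT\r\n"
    "Server: Apache/1.3.20 (Unix) Debian/GNU\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>home page</body></html>"
)

# A hardened response (constructed): the Server header names the product only.
HARDENED_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

# product, optional /version, optional (comment) such as the operating system
BANNER_RE = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>\S+))?(?:\s*\((?P<comment>[^)]*)\))?")

def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased header name: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_banner(raw):
    """Report what the Server header discloses about software version and platform."""
    _status, headers = parse_response(raw)
    server = headers.get("server")
    report = {"server": server, "product": None, "version": None, "platform": None, "leaks": False}
    m = BANNER_RE.match(server) if server else None
    if m:
        report.update(product=m["product"], version=m["version"], platform=m["comment"])
        # A version number or platform comment is exactly what an attacker matches against
        # known flaws; a bare product name is the acceptable minimum.
        report["leaks"] = bool(m["version"] or m["comment"])
    return report

if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        r = audit_banner(raw)
        print(f"{r['server']!r}: leaks version/platform = {r['leaks']}")
```

On Apache the disclosure is controlled by the ServerTokens directive; ServerTokens Prod yields the bare product name used in the hardened sample.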

Social Engineering

Social engineering involves manipulating human beings, i.e. taking advantage of the naivety and excessive kindness of network users to obtain information about the network. This process involves making contact with a network user, usually by impersonating someone else, so as to obtain information about the information system and possibly to directly obtain a password. Similarly, a security flaw can be created in the remote system by sending a Trojan horse to some of the network's users. All it takes is for one of the users to open the attachment for internal network access to be given to the external attacker.

This is why security policies should be comprehensive and incorporate human factors (e.g. raising user awareness about security problems), since a system's security level is only as strong as its weakest link.

Spotting Flaws

After drawing up an inventory of the software and possibly the hardware present, the hacker needs to determine whether or not there are flaws.

Vulnerability scanners are available that let administrators subject their networks to intrusion tests to find out whether certain applications have security flaws. The two main vulnerability scanners are:

Network administrators are also advised to regularly visit websites that keep a vulnerability database up to date:

In addition, some associations, particularly CERTs (Computer Emergency Response Teams), are in charge of building up knowledge about vulnerabilities and gathering together information concerning security problems.
  • CERT IST dedicated to the French Industry, Services and Tertiary community,
  • CERT IST dedicated to French administration,
  • CERT Renater dedicated to the community of GIP RENATER members (French National Telecommunications Network for Technology, Education and Research)

Intrusion

When a hacker has drawn up a map of resources and machines present on the network, he is ready to prepare his intrusion.

To be able to infiltrate the network, the pirate needs to access valid accounts on the machines he has indexed. To do so, hackers use several methods:

  • Social engineering, that is, directly contacting certain network users (by email or telephone) in order to extract information concerning their user ID or password. This is generally done by impersonating the network administrator.
  • Consulting directory, messaging or file-sharing services, which can reveal valid user names.
  • Exploiting vulnerabilities in the Berkeley R* commands.
  • Brute force cracking, which involves automatically trying out various passwords on a list of accounts (for example, the ID possibly followed by a number, or the password password or passwd, etc.).

Privilege Escalation

When the pirate has obtained one or more accesses to the network by using one or more poorly protected accounts, he will look to increase his privileges by obtaining root access; this is called privilege escalation.

As soon as root access has been obtained on a machine, the attacker can examine the network to look for additional information.

He can then install a sniffer, i.e. a software program capable of monitoring (or sniffing) network traffic coming from or directed at machines located on the same network segment. Thanks to this technique, the hacker can hope to retrieve ID/password pairs giving him access to accounts with privileges extending to other network machines (e.g. an administrator's account) in order to control most of the network.

NIS servers present on a network are also preferred targets of pirates since they are packed with information about the network and its users.

Compromise

Thanks to the previous steps, the hacker has been able to draw up a complete map of the network, of its machines and of their flaws and has root access to at least one of them. He can now extend his action even further by exploiting the trust relationships that exist among the various machines.

This identity spoofing technique lets the hacker penetrate privileged networks to which the compromised machine has access.

Backdoor

When a hacker has successfully infiltrated a company network and compromised a machine, he may want to be able to come back. To do so, he will install an application in order to artificially create a security flaw. This is referred to as a backdoor. The term trapdoor is also sometimes used.

Covering Tracks

When the intruder has obtained sufficient control over the network, he needs to erase evidence of his visit by deleting the files he created and by cleaning the log files of the machines he intruded into, that is, by deleting the activity lines relating to his actions.

There are also software programs, called "rootkits", that replace the system's administration tools with modified versions in order to hide the pirate's presence on the system. If the administrator connects at the same time as the hacker, he is likely to notice the services the hacker has launched or simply see that someone else is connected simultaneously. The goal of a rootkit is therefore to fool the administrator by hiding what is really happening.
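One defence against the log-line deletion described above is to chain each log entry to its predecessor with a hash and keep the final digest off the host (for example via remote logging), so that a removed or edited line breaks the chain on verification. The following added example (not code from the original article) implements that check over constructed authentication log lines; the seed value and log lines are assumptions.

```python
import hashlib

# Constructed authentication log lines (sample data, not from the original article).
# The third line is the kind of entry an intruder would want to remove.
SAMPLE_LINES = [
    "Mar 21 18:30:01 srv sshd[811]: Accepted password for alice from 192.0.2.20 port 50100 ssh2",
    "Mar 21 18:31:12 srv sshd[812]: Failed password for root from 203.0.113.7 port 41020 ssh2",
    "Mar 21 18:31:15 srv sshd[812]: Accepted password for root from 203.0.113.7 port 41020 ssh2",
    "Mar 21 18:40:40 srv cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
SEED = "constructed-seed"  # in practice a random value, kept off the monitored host

def _link(prev_digest, line):
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()

def chain_log(lines, seed=SEED):
    """Return [(line, digest)] where each digest covers the previous digest and the line,
    starting from sha256(seed)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    entries = []
    for line in lines:
        prev = _link(prev, line)
        entries.append((line, prev))
    return entries

def verify_chain(entries, seed=SEED):
    """Index of the first entry whose digest does not follow from its predecessor, or -1 if
    the chain is intact. Deleting or editing any line invalidates every digest after it."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(entries):
        if _link(prev, line) != digest:
            return i
        prev = digest
    return -1

def matches_anchor(entries, anchor):
    """Compare the last digest with the copy stored off-host. A chain that was simply
    truncated at its end still verifies line by line, so this second check is required."""
    return bool(entries) and entries[-1][1] == anchor

if __name__ == "__main__":
    entries = chain_log(SAMPLE_LINES)
    anchor = entries[-1][1]                      # what the remote log host retains
    tampered = entries[:2] + entries[3:]         # root login line removed on the host
    print("intact:", verify_chain(entries), matches_anchor(entries, anchor))
    print("tampered: first broken entry at index", verify_chain(tampered))
```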

Conclusion

All managers of networks connected to the Internet are responsible for the network's security and should test its flaws.

This is why a network administrator should keep informed of the vulnerabilities in the software programmes he uses by "putting himself in the shoes of a hacker" in order to try to infiltrate his own system and continuously operate in a context of paranoia.

When the company's own skills are not adequate to carry out this operation, an audit can be performed by a company specialised in computer security.

For More Information

Article written by Jean-François PILLOU, based on an article by GomoR.

Last update on Thursday October 16, 2008 02:43:14 PM. This document entitled « Security - Network Intrusion Methodology » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the licence, provided that this note appears clearly.
