Attack Phase

The Five Phases
- Reconnaissance
- Scanning
- Gaining access
- Maintaining access
- Covering the tracks

Phase I: Reconnaissance

Low Technology Reconnaissance
- Social engineering
- Physical break-in / piggybacking
- Dumpster diving

Computer Based Reconnaissance
Information gathered on line through the use of tools such as Sam Spade.

Tools available to the hacker in this program include but are not limited to:
- Ping
- Traceroute
- Finger client
- Multiple Whois databases
- DNS lookup
- DNS zone transfer
- IP block registration
- View web site source code
- Crawl a web site
- Notepad for taking system notes

What the Hacker Hopes to Gain at This Stage of Attack:
- Domain name
- Contacts at the target organization
- DNS server IP addresses
- Other target system addresses
- A glimpse of technologies in use
- User names and passwords (or their format)

Basic Defenses at This Stage
- Disabling ping on border routers
- Split DNS
- Keep Whois database records up to date
- Do not use OS type or system function in domain names
- Create, implement, and enforce a user password policy
Phase II: Scanning

Typical Scanning Techniques
- War dialing using THC-Scan
- Network mapping using Cheops-ng
- Port scanning using Nmap
- Vulnerability scanning using Nessus

What the Hacker Hopes to Gain at This Stage of Attack:
- List of telephone numbers with active modems
- List of open ports
- Map of the network
- List of vulnerabilities

Basic Defenses Against War Dialing
- Create, implement, and enforce a dial-up policy
- Use a call-back service on the server
- Remove the banner from the dial-up connection

Basic Defenses Against Network Mapping
- Remove telnet and web server from the firewall
- Implement ACLs on all border routers
- Use ACLs to block ICMP to the internal net
- Disable unused ports / services on routers

Basic Defenses Against Port Scanning
- Run a port scan against your own system to find open ports and close them
- Disable unneeded services through the services control panel
- Use software firewalls and proxy servers

Basic Defenses for Vulnerability Scanning
- Routinely update servers with the latest patches and service packs
- Run multiple vulnerability scanners against your network to find the holes before they do
- Ensure that all software installed on firewalls and servers is from a reputable source
Phase III: Gaining Access

Typical Methods of Gaining System Access
- On-site hacking
- Stolen user IDs and passwords
- Running brute force attacks
- Trojan horses
- Cracking password files

Access Methods Continued
- Utilization of data gathered while sniffing
- IP spoofing and ARP cache poisoning
- Exploiting buffer overflows in software

What the Hacker Hopes to Gain at This Stage of the Attack:
Access!!!
Just making sure you were still awake ;)

LAN Sniffing (Hub)
LAN Sniffing (Switch)

Basic Defenses Against Sniffing
- Use Secure Shell instead of Telnet
- Use VPN tools to encrypt data between systems
- Install switches instead of hubs
- Create VLANs on switches
- Hard code the ARP tables on your systems

Buffer Overflow

Basic Defenses Against Buffer Overflows
- Implement a non-executable stack (Ex: set noexec_user_stack=1)
- On Windows 2000 use SecureStack
- Use automated code examining tools like ITS4

Basic Defenses Against Password Cracking
- Create and implement a strong PW policy (at least 8 characters, alpha and numeric)
- Force users to change passwords regularly by using the Windows user policy
- Install PW filtering software to ensure the integrity of user-chosen passwords
- Conduct PW audits with password cracking programs (L0phtCrack or John the Ripper)
Phase IV: Maintaining Access

Methods of Maintaining Access
- Trojan horses
- Backdoors

Basic Defenses Against Trojans and Backdoors
- Routinely scan for Trojans on your network
- Ensure definition files for anti-virus software are up to date
- Look for changes in the system
- Install anti-virus software on both server and client machines
- Create fingerprints of key files and run an integrity checker against them on a regular basis
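As an added example (not from the slides, and not AIDE's own code), here is the fingerprint-and-integrity-check defense from the last bullet in miniature: it baselines SHA-256 digests of a set of key files and reports which ones were later modified or removed. The file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def fingerprint(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record a digest and size for every watched file: the 'fingerprints'."""
    return {p: {"sha256": fingerprint(p), "size": os.path.getsize(p)} for p in paths}

def check_baseline(baseline):
    """Compare each baselined file with its stored fingerprint.
    Returns {path: 'modified' | 'missing'} for everything that changed."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif fingerprint(path) != expected["sha256"]:
            findings[path] = "modified"
    return findings

def demo():
    """Constructed scenario: baseline two key files, then tamper with one and remove the other."""
    workdir = tempfile.mkdtemp()
    passwd = os.path.join(workdir, "passwd")
    sshd_cfg = os.path.join(workdir, "sshd_config")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(sshd_cfg, "w") as f:
        f.write("PermitRootLogin no\n")
    baseline = build_baseline([passwd, sshd_cfg])
    # In practice store the baseline off-host or on read-only media, out of an intruder's reach.
    assert check_baseline(baseline) == {}  # nothing has changed yet
    with open(passwd, "a") as f:           # simulate a backdoor account being added
        f.write("backdoor:x:0:0::/:/bin/sh\n")
    os.remove(sshd_cfg)                    # simulate the hardening config being deleted
    return {os.path.basename(p): v for p, v in check_baseline(baseline).items()}

if __name__ == "__main__":
    print(demo())  # {'passwd': 'modified', 'sshd_config': 'missing'}
```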
Phase V: Covering the Tracks

Methods of Avoiding Detection
- NTFS alternate data streams and hidden files
- Reverse WWW shell
- Altering, replacing, or moving log files

NTFS Alternate Data Streams and Hidden Files
NTFS supports file streaming (each filename is like a chest of drawers):
1.) Name of file viewed in Explorer
2.) Normal stream (contains the expected contents of the file)
3.) Alternate data streams hidden under the normal file

Why Are Streams Stealthy?
- Streams don't show up in Windows Explorer (only normal streams are displayed)
- Length of file displayed in Explorer only includes the normal stream
- When files are copied, all streams follow the name if copied into an NTFS partition

Basic Defenses Against File Hiding in Windows
- Most commercial anti-virus packages detect malicious code
- LADS

Reverse WWW Shell
- Client / server implemented in a single program
- Carries a command shell over HTTP
- Attacker uses the client to access the server from off site
- Software appears to be surfing the web but is really polling the client for commands to be executed on the server

Reverse WWW Shell

Basic Defenses Against Reverse WWW Shell
- Physical security of servers
- Utilization of intrusion detection systems
- Investigate strange or unknown processes (especially those running with root privileges)

Basic Defenses Against Log File Tampering
- Set up logs to track failed logon attempts (don't just set them up .. USE THEM!!!)
- Periodically review logs for any anomalies
- Use logs as a baseline to periodically review if new security measures need to be implemented
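The brute force logons from Phase III are exactly what the failed-logon logging above is meant to catch. As an added example (not from the slides), here is a small log review over constructed sshd-style lines: it flags any source that reaches a burst of failures inside a short window, and separately flags a later successful logon from that same source, the pattern a password-guessing attack that eventually worked leaves behind. The log lines, host name and addresses are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog/sshd style); not taken from any real system.
SAMPLE_LOG = """\
Mar 12 02:14:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2
Mar 12 02:14:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40104 ssh2
Mar 12 02:14:05 host sshd[812]: Failed password for root from 203.0.113.5 port 40108 ssh2
Mar 12 02:14:07 host sshd[812]: Failed password for root from 203.0.113.5 port 40110 ssh2
Mar 12 02:14:09 host sshd[813]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 12 02:14:11 host sshd[813]: Accepted password for root from 203.0.113.5 port 40114 ssh2
Mar 12 08:30:00 host sshd[950]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar 12 08:30:20 host sshd[951]: Accepted password for alice from 192.0.2.10 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(lines, year=2024):
    """Yield (timestamp, result, user, src) for every line in the sshd password-auth format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def review(lines, threshold=5, window_s=60):
    """Flag a source that reaches `threshold` failures within `window_s` seconds,
    then flag any successful logon from a source that was already flagged."""
    failures = defaultdict(list)  # src -> timestamps of recent failed logons
    findings = []
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            # keep only failures inside the sliding window, then count them
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[src] = recent
            if len(recent) == threshold:
                findings.append(("burst", src, len(recent)))
        elif any(f[1] == src for f in findings):
            findings.append(("success-after-burst", src, user))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

The single failure from 192.0.2.10 followed by a success is ordinary user behaviour and produces no finding; only the 203.0.113.5 burst and its follow-on success are reported.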
Web Resources for Keeping Up to Date
- SANS: http://www.sans.org
- Security Focus: http://www.securityfocus.com
- Search Security: http://www.searchsecurity.com

Acquisition of Software Resources
- Sam Spade: http://www.samspade.org
- THC-Scan: http://www.pimmel.com/thcfiles.php
- Cheops-ng: http://cheops-ng.sourceforge.net
- Nmap: http://www.insecure.org/nmap
- Nessus: http://www.nessus.org
- SecureStack: http://www.securewave.com/products/securestack/secure_stack.html
- ITS4: http://www.cigital.com/its4
- John the Ripper: http://www.Openwall.com/john
- L0phtCrack: http://www.atstake.com/research/lc3
- Sniffit: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
- Secure Shell (Open Source): http://www.openssh.com
- Netcat: http://www.atstake.com/research/tools/index.html
- AIDE (Advanced Intrusion Detection Environment): http://www.cs.tut.fi/~rammer/aide.html
- LADS (Locate Alternate Data Streams): http://www.heysoft.de/index.htm
- Reverse WWW Shell: http://www.megasecurity.org/Sources/rwwwshell-1_6_perl.txt