This article explains the methodology generally followed by hackers to break into a computer system. It does not explain how to compromise a system; its purpose is to help you understand how an attack unfolds so that your systems can better withstand one. Indeed, the best way to protect a system is to proceed the way a hacker would and map its vulnerabilities yourself. The article therefore gives no details on how vulnerabilities are exploited, but explains how to identify them and correct them.
Overall methodology:
A hacker who intends to break into a computer system first looks for vulnerabilities, that is, weaknesses harmful to security in the system itself, in its protocols, in its operating systems, in its applications, or even in the staff of the organization. The terms vulnerability, breach and, in more familiar language, security hole all designate such flaws. To run an exploit (the technical term for a program or technique that takes advantage of a vulnerability), the hacker's first step is to gather as much information as possible about the network architecture and about the operating systems and applications running on it. Most attacks are the work of script kiddies who blindly try exploits found on the Internet without any understanding of the target system or of the risks associated with their act.
Once the hacker has mapped the system, he can run the exploits that correspond to the versions of the applications he has identified. Having gained a first access to a machine, he will extend his efforts to retrieve further information and, if possible, raise his privileges on that machine. When administrator access (root is the usual term) is obtained, one speaks of a compromise of the machine (or more precisely a root compromise), because system files may have been modified. The hacker then holds the highest level of control over the machine. If he is a cracker, the last step is to cover his tracks, in order to avoid any suspicion on the part of the network administrator and to keep control of the compromised machines for as long as possible.
Gathering system information:
Obtaining information about the target network, generally referred to as footprinting (or fingerprinting), is a prerequisite for any attack. It consists of gathering as much information as possible about the communications infrastructure of the target network:
* IP addressing
* Domain names
* Network protocols
* Enabled services
* Server architecture
Consulting public databases:
Knowing the public IP address of a single network host, or just the domain name of the organization, a hacker is potentially able to learn the addressing of the entire network, that is, the range of public IP addresses belonging to the target organization and its division into sub-networks, simply by querying the public registries (the WHOIS databases of the Internet registries) and the DNS.
Consulting search engines:
Merely querying search engines can sometimes glean information about the structure of a company, the names of its main products, and even the names of certain individuals.
Scanning the network:
Once the attacker knows the network topology, he can scan it (the term sweep is also used), that is, determine with a software tool (a scanner) which IP addresses are active on the network, which ports are open and thus which services are available, and which operating system each of these servers runs. One of the most popular network scanners is Nmap, recognized by many network administrators as an essential tool for securing a network. The tool works by sending TCP or UDP packets to a set of machines on a network (defined by a network address and mask) and analysing the responses. From the exact form of the TCP packets received (the details of each operating system's TCP/IP stack differ), it can often determine the remote operating system of each scanned machine.
There is another type of scanner, the passive mapper (one of the best known is Siphon), which learns the topology of the network segment it is attached to simply by analysing the packets passing over it. Unlike the previous scanners, such a tool sends no packets on the network and therefore cannot be detected by a network intrusion detection system. Finally, some tools can capture X connections (an X server is the server that manages the display on UNIX-type machines). This system lets remote machines use a workstation's display, which makes it possible, on vulnerable machines (typically X servers that accept connections from any host), to see what is shown on the screen and possibly to intercept the keys typed by the user.
Banner reading:
When the network scan is finished, the cracker only has to examine the log files of the tools he used to obtain the IP addresses of the machines connected to the network and the ports open on each of them. An open port number already suggests the type of service; the next step is to connect to that service and ask it for more information, since many services announce their software name and version in a so-called "banner". Thus, to determine the version of an HTTP server, it is enough to connect to the web server with telnet on port 80:
telnet www.thecustomizewindows.com 80
and then request the home page:
GET / HTTP/1.0
The server then answers with lines such as:
HTTP/1.1 200 OK
Date: Mon, Feb 3, 2011 6:22:57 p.m. GMT
Server: Apache/1.3.20 (Unix) Debian/GNU
The operating system, the server software and its version are then known. A banner is only a hint, though: an administrator can reduce it (Apache's ServerTokens directive, for instance) or replace it with a misleading value, so it should be confirmed by the service's behaviour rather than trusted on its own.
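The scan and the banner request described in the two sections above, as an added example written for this article (it is not the article's own code, and it is not Nmap): a TCP connect scan followed by the same "GET / HTTP/1.0" request the article types into telnet, using only Python's standard library. So that it runs offline, a throw-away HTTP server on 127.0.0.1 plays the target; its banner string is constructed to resemble the article's example and was not observed on any real host.

```python
"""Added example (not the article's own code): a TCP connect scan followed by
HTTP banner reading, using only Python's standard library.

A throw-away HTTP server on 127.0.0.1 plays the target so the example runs
offline; its Server banner is constructed, not captured from a real host.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _FakeTarget(BaseHTTPRequestHandler):
    # Constructed banner; http.server joins server_version and sys_version
    # into the Server header it sends with every response.
    server_version = "Apache/1.3.20"
    sys_version = "(Unix) Debian/GNU"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html>hello</html>\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_target():
    """Start the fake target on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a completed three-way handshake means the port is open.
    Unlike nmap's default half-open (SYN) scan this finishes the handshake, so
    the scanned service sees a full connection and may log it."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_http_banner(host, port, timeout=2.0):
    """Send the request the article types into telnet and return the status line
    and the Server header, or None if the port does not answer with HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    return {"status": lines[0], "server": server}


if __name__ == "__main__":
    srv, port = start_fake_target()
    found = scan_ports("127.0.0.1", [port])
    print("open ports:", found)
    for p in found:
        print(p, grab_http_banner("127.0.0.1", p))
    srv.shutdown()
```

Against a real host you would pass its address and a port list to scan_ports and grab_http_banner instead of the loopback target; note that a connect scan completes every handshake, so it is more visible to the target than Nmap's default SYN scan.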
Social Engineering:
Social engineering consists of manipulating human beings, that is, exploiting the naivety and helpfulness of network users to obtain information about the network. The method typically involves contacting a network user, usually while posing as someone else, to obtain information about the information system or possibly a password directly. Likewise, a security hole can be opened in a remote system by sending a Trojan horse to some of its users: it is enough for one user to run the attachment for an outside attacker to be given access to the internal network. This is why the security policy must be comprehensive and take human factors into account (for example by making users aware of security issues), since the security level of a system is that of its weakest link.
Identifying vulnerabilities:
After taking an inventory of the software, and possibly of the hardware, the hacker has to determine whether vulnerabilities exist. Vulnerability scanners allow administrators to submit their own network to penetration tests and check whether some applications have security vulnerabilities. The two main vulnerability scanners are:
* Nessus
* SAINT
Network administrators are also advised to regularly check the sites that maintain a vulnerability database, such as:
SecurityFocus / Vulnerabilities
Likewise, some organizations, in particular the CERTs (Computer Emergency Response Teams), are responsible for collecting vulnerabilities and federating information on security issues: CERT IST is dedicated to the French Industry, Services and Tertiary community, another CERT is dedicated to the French administration, and CERT RENATER is dedicated to the members of GIP RENATER (the national telecommunications network for technology, education and research).
The intrusion:
Once the attacker has compiled a map of the resources and machines on the network, he can prepare his intrusion. To get into the network, the attacker needs access to valid accounts on the machines he has identified. Several methods are used for this:
* Social engineering, that is, contacting some network users (by e-mail or by telephone) to extract their login and password, usually by posing as the network administrator.
* Consulting directory, messaging or file-sharing services to find valid user names.
* Exploiting vulnerabilities in the Berkeley r-commands (rsh, rlogin, rcp), whose host-based trust (.rhosts and hosts.equiv files) lets a user log in from a trusted host without a password.
* Brute-force attacks (brute-force cracking), which automatically try different passwords on a list of accounts (for example the user name, optionally followed by a digit, or passwords such as password or passwd).
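The brute-force guesses just listed, turned into an audit an administrator can run against his own user database before an attacker does. This is an added example, not code from the article: it tries exactly the candidates the article names (the user name, the user name followed by a digit, "password", "passwd") against stored password hashes. The accounts, salts and hashes are constructed for the demo, and the hash is PBKDF2-HMAC-SHA256 with a deliberately low iteration count so the example runs quickly.

```python
"""Added example (not the article's own code): audit accounts for the trivial
passwords the article says brute-force attacks try first.

Accounts, salts and hashes below are constructed for the demo.
"""
import hashlib
import os

ITERATIONS = 1000  # constructed, deliberately low; real deployments use far more


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def candidate_passwords(username):
    """The guesses from the article, in the order an attacker would try them."""
    yield username
    for digit in range(10):
        yield f"{username}{digit}"
    yield "password"
    yield "passwd"


def audit_accounts(accounts):
    """accounts: {username: (salt, hash)}. Return {username: guessed_password}
    for every account whose password is one of the trivial candidates."""
    weak = {}
    for user, (salt, stored) in accounts.items():
        for guess in candidate_passwords(user):
            if hash_password(guess, salt) == stored:
                weak[user] = guess
                break
    return weak


def make_demo_accounts():
    """Constructed sample user database: three weak accounts and one strong one."""
    plain = {
        "alice": "alice",            # password equals the user name
        "bob": "bob7",               # user name plus a digit
        "carol": "passwd",           # one of the two default guesses
        "dave": "Tr0ub4dor&3-long",  # not on the list
    }
    accounts = {}
    for user, pw in plain.items():
        salt = os.urandom(16)
        accounts[user] = (salt, hash_password(pw, salt))
    return accounts


if __name__ == "__main__":
    for user, guess in audit_accounts(make_demo_accounts()).items():
        print(f"weak password for {user}: {guess!r}")
```

On a real system the dictionary would be far larger and the work delegated to a dedicated cracker such as John the Ripper, but the logic is the same: any account this audit finds is an account an attacker finds in seconds.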
Extension of privileges:
When the attacker has obtained one or more accesses to the network through one or more poorly protected accounts, he will try to increase his privileges by gaining root access; this is called privilege escalation (extension of privileges). Once root access has been obtained on a machine, the attacker has the opportunity to examine the network for additional information. He can install a sniffer, that is, a program capable of listening to (the French term renifler, to sniff, is also used) the network traffic going to or coming from machines located on the same network segment. Using this technique, the attacker can hope to recover user names and passwords giving access to accounts with extended privileges on other machines of the network (for example an administrator account), so as to control a larger portion of the network. NIS servers on a network are also prime targets for hackers, because their maps are full of information about the network and its users (often including the password hashes of every account).
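What a sniffer on the same segment actually recovers, as an added example (not the article's own code, and not a capture from any real network): the function below scans reassembled client-to-server TCP payloads for the authentication commands of two cleartext protocols, FTP and POP3 (both use USER and PASS), and returns the credentials it sees, which is what a tool such as dsniff automates. The "captured" sessions, addresses, names and passwords are byte strings constructed for the demo, standing in for the data tcpdump or a sniffer would hand over; the SSH session is included to show that an encrypted protocol yields nothing after its banner.

```python
"""Added example (not the article's own code): credentials a sniffer recovers
from cleartext protocols on the local network segment.

CAPTURED_SESSIONS is constructed for the demo; nothing here was captured from
a real network.
"""

# Constructed captures: (client address, destination port, client-to-server payload).
CAPTURED_SESSIONS = [
    ("10.0.0.5", 21,
     b"USER jsmith\r\nPASS winter2011\r\nPWD\r\nQUIT\r\n"),
    ("10.0.0.7", 110,
     b"USER admin\r\nPASS s3cret\r\nSTAT\r\nQUIT\r\n"),
    ("10.0.0.9", 22,
     b"SSH-2.0-OpenSSH_5.8\r\n\x00\x00\x01\x14..."),  # encrypted after the banner
]

# Ports of services whose login is sent in the clear as USER / PASS lines.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 110: "pop3"}


def extract_credentials(sessions):
    """Return a list of (client, service, user, password) found in cleartext.

    Assumes each payload is the reassembled client side of one TCP session,
    as a sniffer would produce it after following the stream."""
    found = []
    for client, port, payload in sessions:
        service = CLEARTEXT_AUTH_PORTS.get(port)
        if service is None:
            continue  # not a cleartext login protocol (or encrypted, as with SSH)
        user = password = None
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode("latin-1").strip()
            elif cmd.upper() == b"PASS":
                password = arg.decode("latin-1").strip()
            if user is not None and password is not None:
                found.append((client, service, user, password))
                user = password = None  # a session may log in more than once
    return found


if __name__ == "__main__":
    for client, service, user, password in extract_credentials(CAPTURED_SESSIONS):
        print(f"{client} -> {service}: {user} / {password}")
```

The defence this illustrates is to replace telnet, FTP and POP3 with their encrypted counterparts (SSH, SFTP/FTPS, POP3S) and to segment the network with switches so that a compromised host sees as little of other hosts' traffic as possible.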
Compromise:
Thanks to the previous steps, the hacker has compiled a complete map of the network, of the machines on it and of their flaws, and holds root access on at least one of them. He can then extend his activities further by exploiting the trust relationships between the different machines. This technique, called spoofing, lets the hacker enter privileged networks to which the compromised machine has access, by presenting himself to the hosts that trust it as if he were that machine.
Backdoor:
When a hacker has managed to get into a corporate network and to compromise a machine, he may want to come back later. To do so, he installs a program whose purpose is to artificially create a security hole for his own use: this is called a backdoor.
Covering tracks:
Once the intruder has obtained a level of control over the network, he still has to erase the traces of his visit by deleting the files he created and cleaning the log files of the machines he entered, that is, by deleting the lines that record his activity. Moreover, there is software called "rootkits" that replaces the system administration tools with modified versions in order to mask the hacker's presence on the system. Indeed, if the administrator logs in at the same time as the hacker, he is likely to notice the services the intruder has started, or simply that another person is logged in at the same time. The purpose of a rootkit is to deceive the administrator by hiding this reality from him: a modified ps no longer lists the intruder's processes, a modified who or netstat no longer shows his session or his connections.
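Two checks against the track-covering described above, as an added example (not the article's own code). First, a Tripwire-style integrity baseline: hash the administration binaries while the system is known good, keep the hashes off the machine, and compare later; a rootkit that replaces ps, netstat or ls changes their hashes. Second, a log comparison: if every log line is also forwarded to a remote log host as it is written, lines deleted from the local file show up as present remotely and absent locally. Both run offline here, on stand-in files in a temporary directory and on constructed log lines; the file names, host names, addresses and messages are invented.

```python
"""Added example (not the article's own code): detect replaced binaries and
deleted log lines.

The stand-in binaries and the log lines are constructed for the demo.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record the sha256 of each file; keep the result on read-only media or a remote host."""
    return {p: hash_file(p) for p in paths}


def verify(baseline_hashes):
    """Return the paths whose current hash differs from the baseline (or that are missing)."""
    changed = []
    for path, expected in baseline_hashes.items():
        if not os.path.exists(path) or hash_file(path) != expected:
            changed.append(path)
    return changed


def deleted_log_lines(local_lines, remote_lines):
    """Lines the remote log host received that no longer appear in the local log."""
    local = set(local_lines)
    return [line for line in remote_lines if line not in local]


def demo():
    """Run both checks on constructed data; return (changed_binaries, deleted_lines)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for /bin/ps and /bin/netstat.
        ps, netstat = os.path.join(d, "ps"), os.path.join(d, "netstat")
        for p in (ps, netstat):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
        base = baseline([ps, netstat])
        # A "rootkit" swaps ps for a version that hides processes.
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        changed = verify(base)

    # Constructed syslog lines as the remote log host received them.
    remote = [
        "Feb  3 18:20:01 host sshd[4012]: Accepted password for root from 192.0.2.44 port 51022",
        "Feb  3 18:20:05 host sshd[4012]: pam_unix(sshd:session): session opened for user root",
        "Feb  3 18:22:57 host cron[4100]: (root) CMD (run-parts /etc/cron.hourly)",
    ]
    local = [remote[2]]  # the intruder removed the two lines about his login
    return changed, deleted_log_lines(local, remote)


if __name__ == "__main__":
    changed, deleted = demo()
    print("modified binaries:", changed)
    print("lines missing locally:", *deleted, sep="\n  ")
```

Both checks only work if the reference data is out of the intruder's reach: a baseline stored on the compromised machine can be rewritten along with the binaries, and a log that exists only locally can be edited at will, which is exactly why the article's "cleaning" step succeeds so often.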
Conclusion:
It is up to every administrator of a network connected to the Internet to ensure its security, and therefore to test it for flaws. A network administrator must therefore keep abreast of the vulnerabilities of the software in use, "put himself in the hacker's shoes" by trying to break into his own system, and remain constantly vigilant. When the skills available within the company are not sufficient to carry out this task, an audit by a company specializing in computer security should be arranged.