"Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success. Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots." Sun Tzu, The Art of War
Hackers attack systems for different reasons, and these reasons determine the specific targets of attack. There are two broad possibilities - random selection and deliberate selection.
Random selection, though seldom strictly random, generally uses some form of scanner to identify a vulnerable target. Deliberate selection is where the hacker is interested in a particular network or system and is willing to spend time to break into it. Target selection is then generally followed or combined with some form of reconnaissance, in which initial details are determined, including available hosts, host type, network, network proximity, operating systems in use, firewalls, and so forth.
Random targeters include kids and crusaders. Kids are simply looking for types of systems that are easy to attack, and they use basic tools. Crusaders are looking for systems that display known vulnerabilities; they are generally looking for high profile sites that will add to their prestige, and they can be expected to use sophisticated tools and systems knowledge in the reconnaissance stage.
Directed targeting is used by thieves, insiders, terrorists and infowarriors. These hackers are looking for specific types of systems, and then seeking points of entry within them. Thieves are looking for financial targets - banks, insurance companies, online commerce. Insiders target weak areas of their own company's systems. Terrorists and infowarriors target sites that control important information or data flows, military or infrastructure resources or those that relate to specific grievances.
Malicious hackers will have access to sophisticated tools and systems knowledge, and may also use destructive techniques and 'social engineering' methods to gain entry, retrieve valuable information, or expose vulnerabilities. These would include viruses, Trojan horses, and contacting naive users to obtain systems information - "I forgot my password, can you supply one?" ranking as the simplest and most obvious such approach.
Hacking attempts of all types depend upon three things:
- Determining a specific target to be accessed. This may be directed, or a result of general scanning, similar to the reconnaissance methods described below.
- Reconnaissance to develop an inventory or fingerprint of the target, finding as much information as possible, including operating systems, server types, firewalls, applications, user names, domains and so forth.
- Location of specific points of attack based on known weaknesses in discovered components, such as bugs in specific versions of operating systems. Lists and attack methods are available on internet hacker bulletin boards and tools are available for cracking specific network components.
Once a likely target is determined, some initial screening is generally performed to see if it is valuable enough to attack and is likely to provide a reasonable point of entry. Passive methods are generally used initially to avoid alerting any security systems that might be in place on within the target.
Once a broad list of targets is selected, specific points of attack are determined by reconnaissance. In reconnaissance, basic details are determined, including available hosts, host type, network, network proximity, operating systems in use and firewalls. There is a whole range of tools and techniques in the reconnaissance toolbox. At a low level, simple investigation of web sites, mail headers and the like can yield a substantial amount of information. A common and easily used method of gaining more information is the 'WHOIS query' using the internet's basic whois utility, provided with every internet client. This can reveal the NIC handle, potential dialup numbers and phone prefixes, and third party domains.
Additional information sources include
- ping sweeps
- web site probing
- FTP site probing
- mail bouncing
- 'finger' probing
- banner collection
As with most areas of hacking, there are a variety of tools available for automatic scanning and data collection, designed specifically to provide information needed to crack systems. Many of these provide active scans, but some use 'passive' techniques which are much more difficult to trace and react to.
Other ways in which targeting data is gathered include queries made by email or even by phone to employees, information provided by company employees on bulletin boards and other public access internet areas, messages from disgruntled insiders, and the like. The hacker's job is made much easier in gathering information from such 'social engineering' sources by the fact that few individuals know what sort of information is of value.
Device identification is greatly helped by the tendency to name network components with valuable information, such as 'oraclesrver1' for an Oracle server, or 'omini-9' probably indicating a Xylan OmniSwitch. Other naming problems are identification of specific organizational areas in domain names. A network operations center might have 'noc' in its name, for example, and owners of specific network subdomains or workgroups may even be identified, such as 'finance.yourdomain.com'.
If you are the target, it is important to note that you are the source of most of the information the hacker requires. Some of the ways to keep your systems off the 'easy target' list include:
- Active scanning for suspicious intruders.
- Avoiding the tendency to provide meaningful names for network domains or devices.
- Use of a strong firewall to separate internal system from systems open to the internet.
- Avoiding release of network information from applications, browsers and mail systems.
- Always keeping operating systems, security systems, and vulnerable network applications up to date, installing all recommended bug fixes pertaining to security holes as they become available.
- Maintaining and enforcing comprehensive security policies.
A wide variety of tools may be used to move from basic reconnaissance to attack. Next week, we will look at the details of the scanning and attack process.
Darren Thomas is a security expert at NetIQ Corp., a provider of systems & security management and web analytics solutions (www.netiq.com).