"Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success. Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots." Sun Tzu, The Art of War

Last week, we looked at the motivations and initial operations of hackers when they are attempting to break into a network. Now, we will begin to examine the specific actions that are undertaken to break into targeted systems.

Once a hacker has performed a basic reconnaissance and zeroed in upon a victim, a deeper form of examination is undertaken to facilitate the break-in. This stage is often called scanning and enumeration, and it involves gaining detailed information on resources, locating vulnerable entrance routes, and preparing for the attack.

The first step in the process is to scan the target network, looking for basic network information. This includes locating the servers, determining which ports are open on those servers and identifying server operating systems. Information of this type provides basic details for building an attack. Different operating systems and operating system versions have different vulnerabilities, and finding server locations makes it possible to focus further strategies upon known addresses.

One of the methods of scanning is to perform a 'Ping sweep' using the Ping utility available on most internet-connected systems. Ping is legitimately used to determine if systems are alive and IP addresses are active. It sends internet control message protocol (ICMP) echo request messages and listens for the echo replies, though other ICMP message types may also be exploited. This protocol is built into the basic internet infrastructure.

A clean sweep

A Ping sweep involves sending Ping requests to every possible address within a range; an echo reply indicates that a host, server or workstation is present at that address. There are numerous tools available to automate these sweeps and use other ICMP message types to gather additional information. This is an easy method to gather information on active servers and server addresses within the network. It may be followed by port scanning, to locate open ports. Several freely available utilities aid in this, including SuperScan. Port scanning includes TCP port scans using a full connection handshake, or a quieter SYN or FIN scan, and UDP port scans using the user datagram protocol (UDP), which is faster but less reliable than TCP, though still part of the TCP/IP suite.

One major distinction is between active and passive scanning. In active scanning, IP packets are sent to the host and the replies are then examined for clues to the operating system. In passive scanning, the scanner obtains information without sending any packets directly to the target, for example by observing traffic the target already generates. Each method has advantages and limitations. In general, active scanning is quicker and easier but more likely to be spotted, while passive scanning is very difficult for intrusion detection systems to track but slower and harder to perform.
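The detection side of the two techniques above, as an added example that is not part of the original column: a small rate-based detector that reads firewall-style log lines and flags a Ping sweep (one source, many destination hosts, ICMP echo requests) and a port scan (one source, many ports on one host, TCP SYN or UDP). The log format is a constructed, simplified one, not the output of any particular firewall product, and the thresholds and window are assumed values to be tuned per environment.

```python
"""Rate-based ping sweep and port scan detector over constructed firewall log lines.

Added example, not from the original column. Log format is a constructed
'timestamp src=... dst=... proto=... [type=...] [dport=...] [flags=...]' line.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_scans(lines, window_seconds=60, sweep_threshold=8, scan_threshold=10):
    """Return a list of (kind, source, detail) alerts, at most one per key.

    kind is 'ping_sweep' (distinct hosts probed with ICMP echo request) or
    'port_scan' (distinct ports probed on one host with TCP SYN or UDP).
    A sliding window of window_seconds is kept per key, so a slow probe that
    stays under the threshold within any window is not reported.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(deque)      # key -> deque of (timestamp, item) in window
    counts = defaultdict(Counter)    # key -> item -> occurrences in window
    alerts, alerted = [], set()

    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    for rec in records:
        if rec["proto"] == "icmp" and rec["type"] == "8":
            key, item = ("sweep", rec["src"]), rec["dst"]
            kind, threshold = "ping_sweep", sweep_threshold
        elif (rec["proto"] == "tcp" and rec["flags"] == "S") or rec["proto"] == "udp":
            key, item = ("scan", rec["src"], rec["dst"]), rec["dport"]
            kind, threshold = "port_scan", scan_threshold
        else:
            continue
        q, c = events[key], counts[key]
        q.append((rec["ts"], item))
        c[item] += 1
        # drop everything older than the window before counting distinct items
        while q and rec["ts"] - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if key not in alerted and len(c) >= threshold:
            alerted.add(key)
            what = "hosts" if kind == "ping_sweep" else "ports on " + rec["dst"]
            alerts.append((kind, rec["src"], f"{len(c)} distinct {what} in {window_seconds}s"))
    return alerts


def constructed_log():
    """Constructed sample traffic: one fast scanner, one normal client, one slow sweep."""
    lines = []
    # 10.0.0.7 pings 12 hosts in 12 seconds, then SYNs 15 ports on one host
    for i in range(1, 13):
        lines.append(f"2001-03-12T09:00:{i:02d} src=10.0.0.7 dst=192.168.1.{i} proto=icmp type=8")
    ports = (21, 22, 23, 25, 53, 80, 110, 135, 137, 139, 143, 443, 445, 1433, 3389)
    for i, port in enumerate(ports):
        lines.append(f"2001-03-12T09:01:{i:02d} src=10.0.0.7 dst=192.168.1.5 proto=tcp dport={port} flags=S")
    # 10.0.0.9 is an ordinary client: one ping and a web connection
    lines.append("2001-03-12T09:00:05 src=10.0.0.9 dst=192.168.1.5 proto=icmp type=8")
    lines.append("2001-03-12T09:00:06 src=10.0.0.9 dst=192.168.1.5 proto=tcp dport=80 flags=S")
    # 10.0.0.11 sweeps 10 hosts one every 30 seconds: never 8 distinct hosts in 60s
    for i in range(10):
        lines.append(f"2001-03-12T09:{2 + i // 2:02d}:{(i % 2) * 30:02d} src=10.0.0.11 dst=192.168.1.{20 + i} proto=icmp type=8")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

Run against the constructed traffic, the fast scanner raises one sweep alert and one port-scan alert, the normal client raises none, and the slow sweep is missed entirely: that last case is the practical limit of counting within a window, and why slower or passive scanning is so hard for an intrusion detection system to catch.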

Once the initial scan is completed, the attack proceeds with enumeration, or focusing on the specific server resources that can be exploited. This includes locating shares, users, groups and network applications running on the server hardware, and identifying major platforms such as Microsoft Internet Information Server, Apache Server, Sendmail or Microsoft Exchange.

Enumeration involves use of a combination of legitimate and hacker tools. A frequent starting place is the toolkit provided with the operating system, such as the Windows NT Resource Kit and Windows 2000 Resource Kit. These provide a variety of network diagnostic utilities that yield important information about a network.

Digging for information

The 'null session' using TCP port 139 can also be used to obtain an anonymous login capable of revealing all shares, showing domain names and listing computers in the domain through utilities such as Net View. Once connected to a null session, the hacker can learn the names of all shares (even hidden ones), all domain names, all computers within the domain, and all NetBIOS names and user names. The null session also provides an opening for a number of hacker utilities, including NAT (the NetBIOS Auditing Tool), which dumps all shares and attempts to guess passwords on administration and other accounts. In addition, Legion scans an entire Class C IP network, revealing all shares, combined with a 'brute force' (try everything) attempt to guess passwords.

For Windows 2000 systems, the LDP.exe tool (an LDAP client shipped with Windows 2000) provides another route for enumeration. With LDP, a single query can dump all users and groups. Although an account must be compromised for this to work, any account will suffice, even 'Guest'. Another technique is 'banner grabbing': opening a simple Telnet session to a service port on the address of interest and reading the response, which often includes product and version names and other details that the hacker can then use.

Even the simple network management protocol (SNMP) can be used to reveal data, such as services that are running, usernames and shares. This, of course, is but the tip of the iceberg. Most networks readily spill critical information at the slightest excuse. The reason is that they were built this way to simplify problem resolution. Good security measures require correction of this default behavior.
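One way to spot null-session enumeration after the fact, as an added example that is not part of the original column: Windows 2000 records a successful network logon as Security event 540, and a null session appears there as the account 'ANONYMOUS LOGON' with logon type 3. The code below reads a constructed, simplified CSV rendering of such records (not the native event-log format), ignores hosts on an assumed allowlist of systems expected to connect anonymously, and reports every other anonymous source together with its peak rate, since enumeration tools tend to open several anonymous connections in quick succession. The allowlist, window and burst threshold are assumed values.

```python
"""Flag unexpected null-session (ANONYMOUS LOGON) activity in Windows 2000 security events.

Added example, not from the original column. Records are a constructed CSV:
timestamp,event_id,user,domain,logon_type,workstation
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records. MGMT01 is a monitoring console that legitimately
# connects anonymously; WS17 opens a burst of null sessions; WS22 opens one.
SAMPLE_EVENTS = """\
2001-03-12 09:05:01,540,ANONYMOUS LOGON,NT AUTHORITY,3,MGMT01
2001-03-12 09:05:02,540,jsmith,CORP,3,WS04
2001-03-12 09:05:10,540,ANONYMOUS LOGON,NT AUTHORITY,3,WS17
2001-03-12 09:05:11,540,ANONYMOUS LOGON,NT AUTHORITY,3,WS17
2001-03-12 09:05:12,540,ANONYMOUS LOGON,NT AUTHORITY,3,WS17
2001-03-12 09:05:13,538,ANONYMOUS LOGON,NT AUTHORITY,3,WS17
2001-03-12 09:05:14,540,ANONYMOUS LOGON,NT AUTHORITY,3,WS17
2001-03-12 09:20:00,540,ANONYMOUS LOGON,NT AUTHORITY,3,WS22
"""

# Assumed allowlist: hosts expected to make anonymous connections in this environment.
KNOWN_ANONYMOUS_SOURCES = {"MGMT01"}

SUCCESSFUL_NETWORK_LOGON = 540   # Windows 2000 Security event id
NETWORK_LOGON_TYPE = 3


def parse_events(text):
    """Parse the constructed CSV into a list of dicts; malformed rows are skipped."""
    rows = []
    for r in csv.reader(StringIO(text)):
        if len(r) != 6:
            continue
        ts, eid, user, domain, ltype, ws = r
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "user": user,
            "domain": domain,
            "logon_type": int(ltype),
            "workstation": ws,
        })
    return rows


def find_null_sessions(events, window_seconds=300, burst_threshold=3,
                       allowlist=KNOWN_ANONYMOUS_SOURCES):
    """Return {workstation: {'total', 'peak_in_window', 'burst'}} for anonymous
    network logons from hosts not on the allowlist.

    'peak_in_window' is the largest number of anonymous logons from that host
    inside any window_seconds span; 'burst' marks peaks at or above
    burst_threshold, the pattern an enumeration tool tends to produce.
    """
    anon = [e for e in events
            if e["event_id"] == SUCCESSFUL_NETWORK_LOGON
            and e["logon_type"] == NETWORK_LOGON_TYPE
            and e["user"].upper() == "ANONYMOUS LOGON"
            and e["workstation"] not in allowlist]
    by_ws = defaultdict(list)
    for e in sorted(anon, key=lambda e: e["ts"]):
        by_ws[e["workstation"]].append(e["ts"])

    window = timedelta(seconds=window_seconds)
    report = {}
    for ws, times in by_ws.items():
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ws] = {"total": len(times), "peak_in_window": peak,
                      "burst": peak >= burst_threshold}
    return report


if __name__ == "__main__":
    for ws, info in find_null_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(ws, info)
```

Detection is the second line of defence here; the first is the correction of the default behaviour the column calls for, which on Windows NT and 2000 means restricting what an anonymous connection may enumerate (the RestrictAnonymous value under the Lsa registry key) and blocking TCP 139 at the perimeter, after which any anonymous logon that still appears in the log is worth a look.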

After enumeration, the hacker knows:

  • all the names of all your servers
  • all the shares on each server
  • the passwords on many of those shares (default passwords, and through password seeking utilities)
  • the active directory hierarchy
  • all user IDs
  • which servers are domain controllers
  • which servers are running which types of targetable network applications
  • the version numbers of that software

Now the attack can proceed with relative ease. The hacker can log in as a user and gain access to data; log in as an administrator and make network level changes or gain access to user information; or simply let everyone know how to access your site. Not a pretty picture.

Next time, we will begin to look at concrete strategies for avoiding or mitigating the effects of attacks. There are seven basic steps, and we will begin with Step 1 - defining security policies.

Darren Thomas is a security expert at NetIQ Corp., a provider of systems & security management and web analytics solutions.