Attack Scenarios.

[instronics]

Attack Scenarios.

Hello everyone. I have created a small list of brief descriptions of a few attack possibilities, and how to defend yourself from them. I have found similar posts on AO concerning this issue, but not one with an actual detailed explanation. This information is what i have found in the last few years, and i will try to make it as understandable as possible. I would like to point out that im in no ways into attacking other computers, so my experience on this issue is not very big. I hope that the way i attempt to write this post makes sense to you. By the way... This is NOT A TUTORIAL, so please done let me get any comments, that this should have been posted in the tutorials section. This is far from being anything near a tutorial.


1 Denial of Service (DoS)

A DoS is done to disturb or block one or more network service(s) so that the user behind the service or the service itself becomes unavailable to the network. A DoS targets mainly system resources. The endangered services are systems which have little bandwidth, and/or have insecure applications that offer any kind of service towards the network. A way to minimize this kind of threat is to use intelligent bandwidth management, firewalls, and continuous software updates. Be aware that any wannabe hacker/cracker/whatever is able to launch these kinds of attack without any special knowledge.

DoS can be categorized into the following:


a) Flooding.

Sending data garbage or useless requests to a server, so that the server cannot respond properly to real requests anymore.

b) Smurfing.

Misuse of the IP broadcast System in combination with fake source ip (IP-Spoofing) to strengthen flooding. This means that ICMP echo packets (pings) with spoofed source are sent via broadcast to many systems. The spoofed ip in this case is the same with the targets IP. Sending this to the broadcast services, will make other computers respond the pings to the fake source (in this case the target itself) resulting in resource loss of the target, since its very busy responding and the entire bandwidth it used up, making the target unavailable to serve any requests.

c) OutOFBand/Fragment Attacks.

This kind of attack uses bugs/errors within the TCP/IP implementation to disable services or complete systems.

d) SYN/RST Flooding.

A weakness within the TCP implementation is misused by sending many SYN/RST packets resulting in a buffer overflow for incoming packets, which then makes the target unavailable to serve requests.

e) Specific DoS.

Specific DOS attacks targets' known weaknesses of a service, for example buffer overflows within web servers.


2 Malicious Software.

Malicious software can always access a system if the security policy is not setup correctly, is not existent, or is being ignored. An example is Virus scanners. They help to keep out viruses from a system. Application Level Firewalls stop trojan horses, and the distribution of worms.

Malicious software can be categorized into the following:

a) Logical Bomb.

These are programs that damage systems under certain conditions. They are usually triggered by program errors, or operating system errors when they occur. (bugs in applications for example.)

b) Backdoors.

A backdoor is a program that is built inside a program/application, which opens a door for an attacker to enter your system. Open source software is relative secure against this since the source code is available to the users. A way to be secured from binary applications is to make sure that the program or its source is digitally signed, so that any manipulation done to it would be noticed.

c) Worms.

A worm is a program that multiplies by itself and spreads over many networks gaining access to many systems it finds in its way.

d) Virii.

A virus is a program which attaches itself to files, and activates once other software is launched, executing its malicious code.

e) Trojans.

A trojan is a program which enters a system and activates by itself (does not need a user or another application to activate).


3 Exploiting Vulnerabilities.

An exploit vulnerability is the misuse of a known weakness within a target system, to gain unauthorized access or to damage it. Vurnable weak points are thanks to the internet (both attackers and system administrators) an easy thing to investigate, so that well administered system are at least pretty safe from newbies. The only counter measure for this is to make sure that your systems are always up to date.

Exploiting Vulnerabilities can be categorized into the following:

a) Access Permissions.

An attacker tries to use weak file permissions on important system files. This is normally system files that have write permissions which are normally not needed.

b) Brute Force.

Brute force means to systematically try many combinations of Pins, passwords, and username/passwords in order to access a system or service. This process is usually automated.

c) Overflows.

A programing code is created which activates upon a buffer overflow on a remote system. Many novice programmers actually set the buffer for input data statically, meaning that the size of the buffer is fixed. Input data which require more buffer are then written over the reserved input buffer location, to memory. Depending on the programing language and the used file types, you can overwrite the active memory, where the original code is working in. (oh god, i hope im making sense here. This is not my thing.) If the edited code is then put into the memory (since the buffer is full), it would activate at once. Endangered here are programs which are written in C, and where the input functions forces the input buffer to read from the local strings which tries to parse the declared input functions. These buffers are located on the stack, where also the source addresses of the functions are located. Attackers who know their way round these kind of things, can easily change the results of what the program is supposed to do. An example is a badly configured web server. This can be very rewarding for an attacker using this kind of attack. Also CGI scripts are endangered here.

(Note: i am really having a hard time with this overflow example. All my sources for my information is in German, plus the fact that im not a programmer. Please let me know if what i have written here is wrong, or does'nt make any sense. This is just not what im into.)

d) Race Condition.

This form of attack uses a temporary instable state whilst a program is launched, to gain access to sensitive files.


4 IP Packet Manipulation.

The manipulation of IP Packets go back a very long way in the history of TCP/IP. The TCP/IP protocols family was originally created more towards the fact of being available than secure. The creation of new attacks on IP Stacks require very much skills, making this form of attack very rare, but also very very dangerous.

IP Packet Manipulation can be categorized into the following.

a) Port Spoofing.

The use of well known ports (ports 20/53/80 etc..) as source ports can be used to bypass the rules set for packet filtering. (firewalls)

b) Tiny Fragments.

Packets which are only 8 bytes small, can be used to “fool” the protocol-flag/port-size-monitoring in packet filtering firewalls.

c) Blind IP Spoofing.

An attacker changes his source IP address, in order to gain access to UDP services which are not password protected, but which depend on source IP as authorization.

d) Nameserver ID 'Snooping'.

This is a form of IP Spoofing with predictable ID numbers, to send faked data into a nameserver (DNS)-Cache. This attack is also known as DNS-Spoofing.

e) Sequence Number Guessing.

TCP-SEQ/ACK numbers are being generated in order to get a connection to computers where the TCP sequence numbers are predictable. All modern IP stacks should therefore generate their sequence numbers randomly. The predictable sequence numbers were for a long time a big problem for most IP stacks.

f) Remote Session Hijacking.

With the help of fake packets, active TCP/UDP connections are being disconnected, in order to forward them to another host. This means that the target thinks he's still connected with the original server, but in reality is connected with the attacker.


5 Attacks from the inside.

Attacks from the inside makeup 80% of all attacks on the entire internet. The best way to fight against this problem is to be well organized on how you setup your system, making sure its always up to date and well maintained.

Inside attacks can be categorized into the following.

a) Backdoor Daemons.

A background process is started, which will open a port (door) for an attacker to enter the system at a later time.

b) Log Manipulation.

The log files are edited or even erased to hide the tracks of what has been done.

c) Cloaking.

System programs are replaced by trojans, which give them unauthorized access to parts of a system.

d) Sniffing.

Packet sniffers locally installed to capture packets which might contain critical information such as clear text passwords/user names and where they can be used.

e) Non Blind Spoofing.

Through monitoring of data transfers, the attacker can gain a lot of information, which he can use to hijack active connections, or even to create fake connections.



I hope this list does help explain how some attacks are being formed. I was inspired by the AO headlines- “Hackers know the weaknesses in your system, shouldn't you?” So, in order to help defend yourself from these attacks, its essential that you know what they are and how they work. Please forgive me if some things here are hard to understand the way i have described them. Its not easy to put mind into words, since in my head i think in Greek, and my notes are all in German....so its not easy for me to find the right words in English. Please correct me on any mistakes i may have made, and also contribute any other forms of attack that i may have left out.

Cheers everyone.

[tampabay420]

Hardcore Homie!
Wow- this deserves to be in the tutorials forum

I'm very impressed.... Good Work!

-take it easy

[mathgirl32]

Nice comprehensive list of attacks, instronics. You are correct about buffer overflows -- An easy exploit that sadly could be a non-issue with better programming practices.

Here's a nice descritpion of how a buffer overflow works. Yes, it's an older article but the c language is the still the same.

Here is the link.

ANATOMY OF A BUFFER OVERFLOW

Buffer overflows occur mainly because of the C language and partially because of poor programming practices. The C language is not going to change, but programming practices could undergo some improvement.

The C programming language appeared in the early 1970s as a tool for porting the Unix operating systems and utilities to multiple architectures. While Unix was initially written in assembly, porting it to C made Unix the first really portable operating system. C was designed to be tight and fast, just a step above assembly.

The C language is also a structured programming language. Object-oriented languages, such as Java, are organized around data. Structured programming languages use the function call as their unit of organization. While the designers of C made a great leap forward, they also created the framework for the buffer overflows.

Each time a function is called, arguments to the function get copied to an area of memory called the stack. In assembly, you store things on the stack by pushing them and retrieve them by popping them off the stack. All CPU architectures currently in use support the notion of a stack and have a special register (the stack pointer) and operations for pushing and popping. There is also an operator that takes an address off the stack and copies it into the program counter, the register that determines the address of the next instruction to execute. Calling a function always pushes the return address onto the stack.

The problem with this design shows up within the called function. Any variables defined within this function are also stored in space allocated on the stack. For example, if a string, such as the name of a file to open, needs to be defined in the function, a number of bytes will be allocated on the stack. The function can then use this memory, but it will automatically be unallocated after the function returns—quite a neat design. But C does no bounds checking when data is stored in this area, opening a narrow window for an attacker.

C subroutine calls that copy data but do no bounds checking are the culprits (as well as the programmers who use these calls). The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(), gets(), and scanf() calls can be exploited because these functions don’t check to see if the buffer, allocated on the stack, will be large enough for the data copied into the buffer. It is up to the programmer to either use a version that makes the check (such as strncpy() ) or to count the bytes of data before copying them onto the stack.

[instronics]

Wow, thanx ever so much for that reply on the overflow. Now thats what i call a description. Way to go.

Cheers.

[r3b00+]

Very good post instronics, ive bookmarked this for future reference!

Cheers

r3b007

[EaseZE]

The book hacking exposed explains most or all of those topics in detail. attacking the vulnerabilities and the countermeasures against them. just thought i'd mention it in case ppl wanted more details on the subject.

p.s. nice post

[Shrekkie]

Wow, instronics.. nice post , but why didn't you put it in the Tut Forum.
Can't you move this one ?

Mathgirl, nice update as well...

Greetz,

[instronics]

Hello everyone...

I have posted out in this thread that this information is not a tutorial. Its just a brief explenation. Nothing more. Thanks for your kind words everyone.

Cheers.