http://www.dba-oracle.com/forensics/t_forensics_network_attack.htm


10 stage Generic attack process in a nutshell (in chronological order)


1. Reconnaissance

2. Network mapping

3. Port scanning and banner grabbing a host

4. Vulnerability identification

5. Exploitation

6. Privilege escalation

7. Rootkit installation

8. Hiding tracks

9. Monitoring

10. Using unauthorized privilege gained for benefit


Of course, in a single incident the exact order and number of stages may change, but this is a good framework to work with.

Drilling down into the 10-stage list, we see more detail about each stage of this generic attack process.

1. Reconnaissance to find out about the target before the attack.

Reconnaissance would be done anonymously so as not to tip off the victim. Tor is an encrypted channel for anonymous web browsing http://tor.eff.org/ . Alternatively an attacker could bounce between multiple Internet proxies such as www.proxify.com .

2. Network mapping of a subnet.

  • nmap http://insecure.org/nmap/ is the de facto network mapping tool.

  • Paketto Keiretsu enables faster scanning of large networks by separating the send and receive functionality of the scanner.

3. Port scanning of an individual host

  • Nmap again, as well as amap http://www.thc.org/thc-amap/ . By default, nmap identifies the running application by port number alone, so if, for instance, the Oracle Listener is on port 1522, nmap will present this port as rna-lm, as per the IANA default port assignments http://www.iana.org/assignments/port-numbers . With the additional -sV switch, nmap will correctly identify many applications by their banner.
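Stages 2 and 3 leave a recognisable footprint on the target side: one source touching many distinct ports of one host in a short time. The following is an added example, not from the book or the dba-oracle.com page it summarises, showing how that footprint can be picked out of a connection log. The log format ("timestamp src dst dport proto action") and the addresses are constructed for the example; a real deployment would adapt parse_line() to the firewall or flow-log format in use.

```python
"""Port-scan detection over connection logs (added example, not from the book)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in the form "timestamp src dst dport proto action".
# 203.0.113.5 sweeps 12 ports of one host in 4 seconds; 198.51.100.7 is an ordinary client.
SAMPLE_LOG = """\
2014-11-07T10:00:01 203.0.113.5 192.0.2.10 22 tcp ALLOW
2014-11-07T10:00:01 203.0.113.5 192.0.2.10 23 tcp DENY
2014-11-07T10:00:02 203.0.113.5 192.0.2.10 25 tcp DENY
2014-11-07T10:00:02 203.0.113.5 192.0.2.10 80 tcp ALLOW
2014-11-07T10:00:02 203.0.113.5 192.0.2.10 110 tcp DENY
2014-11-07T10:00:03 203.0.113.5 192.0.2.10 143 tcp DENY
2014-11-07T10:00:03 203.0.113.5 192.0.2.10 443 tcp ALLOW
2014-11-07T10:00:03 203.0.113.5 192.0.2.10 1521 tcp ALLOW
2014-11-07T10:00:04 203.0.113.5 192.0.2.10 1522 tcp ALLOW
2014-11-07T10:00:04 203.0.113.5 192.0.2.10 3306 tcp DENY
2014-11-07T10:00:04 203.0.113.5 192.0.2.10 3389 tcp DENY
2014-11-07T10:00:05 203.0.113.5 192.0.2.10 8080 tcp DENY
2014-11-07T10:00:10 198.51.100.7 192.0.2.10 443 tcp ALLOW
2014-11-07T10:00:11 198.51.100.7 192.0.2.10 443 tcp ALLOW
2014-11-07T10:00:12 198.51.100.7 192.0.2.10 80 tcp ALLOW
2014-11-07T10:05:00 198.51.100.7 192.0.2.10 22 tcp ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, _proto, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_port_scans(log_text, window_seconds=60, min_ports=10):
    """Return {(src, dst): peak} where peak is the largest number of distinct destination
    ports one source reached on one host inside any window_seconds-long window, for every
    pair whose peak is at least min_ports. Many distinct ports in a short window is the
    log residue of a port scan; a normal client revisits the same few ports instead."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _action = parse_line(line)
        events[(src, dst)].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end, (ts, _port) in enumerate(evs):
            # Slide the window start forward until it spans at most window_seconds.
            while ts - evs[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in evs[start:end + 1]}))
        if peak >= min_ports:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports within 60s")
```

The thresholds are the tuning knobs: a long window with a low port count catches slow scans at the cost of more noise from legitimate multi-service clients, so the values should be set from a baseline of the network's own traffic.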

4. Banner grabbing a host to identify the actual service being run, and vulnerability identification from the version gained from the banner. This allows identification of likely vulnerabilities.

5. Exploitation of a software flaw to gain unauthorized access.

These software exploits often consist of buffer overflows due to incorrect bounds checking of input variables. Another exploit common to Oracle is SQL injection into web front ends, Forms and PL/SQL packages, which can result in privilege escalation. These will be looked at in greater detail later in the book.
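To make the SQL injection point concrete before the book returns to it, here is an added example (not code from the book or from dba-oracle.com) of the defect and its fix side by side. It uses Python's sqlite3 module and a constructed in-memory user table as a stand-in for an application's login store; the mechanism is the same one that affects web front ends and PL/SQL packages: a quote in the input closes the string literal and the rest of the input is parsed as SQL.

```python
"""SQL injection: a string-built query next to the parameterised fix (added example)."""
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application's login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "dba"),
        ("bob", "battery staple", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so the user's text is parsed as SQL.
    Returns the role of the first matching row, or None when no row matches."""
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The same check with bind parameters. The driver sends the values separately from
    the SQL text, so quotes inside the input can never change the statement's shape."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The textbook tautology input: AND binds tighter than OR, so the WHERE clause becomes
# (username = 'alice' AND password = '') OR '1'='1', which is true for every row.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected password ->", login_vulnerable(db, "alice", INJECTED))  # dba
    print("parameterised, injected password ->", login_safe(db, "alice", INJECTED))    # None
```

The vulnerable version hands back the first row's role, which in this constructed table happens to be the privileged one; that is the "privilege escalation" outcome the text refers to. The fix is not input filtering but keeping data and code apart with bind variables, the same discipline that applies to PL/SQL built with dynamic SQL.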

6. Cracking passwords and user names is basically the process of taking an encrypted password and then decrypting it, or guessing it correctly by making many attempts until the correct password is gained.

7. Rootkit installation enables covert access at a later date and generally involves the attacker installing software to hide their presence after they have gained privileged access to the target server.

  • http://www.rootkit.com/ , which has links to the AFX and Hacker Defender rootkits, for example.

  • The concept of rootkits has been transferred to databases, as will be discussed.

8. Hiding tracks to clear up evidence involves deleting logs and tools as well as resetting timestamps.

  • Changing timestamps so that files appear not to have been modified, for instance.

  • Secure deletion of files, so that the recycle bin or forensic data recovery cannot bring the attacker's tools back after they have been deleted. Oracle now has a recycle bin, which the PURGE keyword empties or bypasses. We will look at this command in detail.
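Resetting a file's timestamps is not as clean as it looks from the attacker's side, and an investigator can exploit that. On Unix filesystems a process can set a file's atime and mtime to any value (that is all a utime() call or touch does), but the kernel stamps the inode change time, ctime, itself at the moment of that change and offers no interface to set it. A file whose mtime is far older than its ctime is therefore a lead worth following. The check below is an added example, not from the book or dba-oracle.com; the directory layout and file names are constructed by demo().

```python
"""Spotting rewritten file timestamps (added example, not from the book)."""
import os
import tempfile
import time
from pathlib import Path


def find_backdated_files(root, min_gap_seconds=60):
    """Return [(path, gap_seconds)] for regular files under root whose mtime is more than
    min_gap_seconds older than their ctime.
    utime()/touch can rewrite atime and mtime, but the kernel sets ctime on that very
    change, so a large mtime < ctime gap is the residue a timestamp rewrite leaves.
    Unix-only: on Windows, st_ctime reports the creation time instead."""
    suspects = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        gap = st.st_ctime - st.st_mtime
        if gap > min_gap_seconds:
            suspects.append((str(path), round(gap)))
    return sorted(suspects)


def demo():
    """Constructed scenario: two fresh files, one of which then has its mtime pushed back
    a year, the effect a timestamp-resetting tool produces. Returns (root, suspects)."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    normal = os.path.join(root, "normal.log")
    backdated = os.path.join(root, "backdated.so")
    for p in (normal, backdated):
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
    year_ago = time.time() - 365 * 24 * 3600
    # Rewrites atime and mtime only; the kernel moves ctime to "now" as a side effect.
    os.utime(backdated, (year_ago, year_ago))
    return root, find_backdated_files(root)


if __name__ == "__main__":
    root, suspects = demo()
    for path, gap in suspects:
        print(f"{path}: mtime predates ctime by {gap} seconds")
```

Treat hits as candidates rather than proof: chmod, chown, rename and hard-linking also bump ctime without touching mtime, so a flagged file should be corroborated against backups, package manager manifests or filesystem journal data. Conversely an attacker with root can move the system clock, so the absence of a gap proves nothing either.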

9. Monitoring the system over time, which typically requires a covert channel.

  • Loki sends shell commands over ICMP 

  • Time based covert channels also exist.
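A covert channel such as Loki's hides in traffic that is normally ignored, so detection means looking at the part of ICMP echo packets nobody reads: the payload. Stock ping tools fill it with fixed padding, so payloads that carry readable text or near-random bytes instead stand out. The classifier below is an added example, not code from the book or dba-oracle.com. The Linux and Windows padding patterns are those the default ping utilities emit; the packets, addresses and the "ciphertext" stand-in are constructed for the example.

```python
"""Heuristics for ICMP echo payloads that do not look like ping (added example)."""
import math
import string
from collections import Counter

# Default ping payloads as they appear after the 8-byte ICMP header:
# Linux ping sends an 8-byte timestamp followed by bytes 0x10, 0x11, ...;
# Windows ping repeats the alphabet fragment below.
LINUX_PING_PAD = bytes(range(0x10, 0x10 + 48))
WINDOWS_PING_PAD = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(string.printable.encode())


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for an empty payload)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_linux_ping_pad(payload):
    """True when everything after the timestamp is the incrementing Linux pad."""
    n = len(payload) - 8
    return n > 0 and payload[8:] == bytes((0x10 + i) & 0xFF for i in range(n))


def classify_icmp_payload(payload):
    """Label an echo request/reply payload:
    'benign-pattern'      matches a stock ping padding,
    'suspicious-text'     readable text where padding should be (command-tunnel style),
    'suspicious-entropy'  near the entropy ceiling, as an encrypted or compressed tunnel would be,
    'unknown'             anything else (no specific tell, but not stock ping either)."""
    if payload == WINDOWS_PING_PAD or is_linux_ping_pad(payload):
        return "benign-pattern"
    if payload and all(b in PRINTABLE for b in payload):
        return "suspicious-text"
    # Entropy cannot exceed log2(len); flag payloads within 15% of that ceiling.
    if len(payload) >= 32 and shannon_entropy(payload) > 0.85 * math.log2(len(payload)):
        return "suspicious-entropy"
    return "unknown"


def scan_echo_packets(packets):
    """packets: iterable of (src, payload). Returns {src: Counter(label -> count)} so an
    analyst can see which hosts emit echo traffic that is not ordinary ping."""
    per_host = {}
    for src, payload in packets:
        per_host.setdefault(src, Counter())[classify_icmp_payload(payload)] += 1
    return per_host


# Constructed packets: two hosts pinging normally, one host carrying text both ways, one
# carrying a stand-in "ciphertext" (64 distinct bytes, hence maximal entropy; not real
# cipher output), and one sending an all-zero payload.
SAMPLE_PACKETS = [
    ("192.0.2.20", b"\x00\x00\x00\x00\x12\x34\x56\x78" + LINUX_PING_PAD),
    ("192.0.2.21", WINDOWS_PING_PAD),
    ("192.0.2.22", b"uname -a\n"),
    ("192.0.2.22", b"Linux db01 2.6.32 #1 SMP x86_64 GNU/Linux\n"),
    ("192.0.2.23", bytes((i * 37 + 11) % 256 for i in range(64))),
    ("192.0.2.24", b"\x00" * 56),
]

if __name__ == "__main__":
    for src, labels in scan_echo_packets(SAMPLE_PACKETS).items():
        print(src, dict(labels))
```

Payload inspection is one signal among several: echo requests at a steady beat, replies that are larger than their requests, or an unusual request/reply ratio all point the same way, and time-based channels mentioned above need exactly that kind of timing analysis rather than content inspection.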

10. Using unauthorized privilege for benefit

  • Credit card numbers and Social Security IDs form a saleable resource to a commercially minded hacker.

  • An attacker might blackmail a bank if they were able to gain customers' data.

  • A competitor may seek advantage in hiring a hacker to subvert another company or spy upon them to gain their intellectual property or list of customers.

  • Internally an employee may seek advantage over an internal competitor by taking an unauthorized action that disadvantages their adversary e.g. causing a mistake to occur and making it look like their adversary did it.

Lists always come in groups of 10, but the 11th stage in this case should be "getting caught", which is the responsibility of the reader once this book is finished. This person will collect all the evidence and attempt to deduce the knowable information from an incident, with the aim of identifying the culprit and recovering any losses legally if necessary.

Further detail on computer security in general can be found in a book made available free of charge by its author, Professor Ross Anderson of Cambridge University: http://www.cl.cam.ac.uk/~rja14/book.html

