10 stage generic attack process in a nutshell (in chronological order):
1. Reconnaissance
2. Network mapping
3. Port scanning and banner grabbing a host
4. Vulnerability identification
5. Exploitation
6. Privilege escalation
7. Rootkit installation
8. Hiding tracks
9. Monitoring the system over time
10. Using unauthorized privilege gained for benefit
Of course, in a single incident the exact order and number of stages may vary, but this is a good framework to work with.
Now, drilling down into the 10 stage list, we see more detail about each stage in this generic attack process.
1. Reconnaissance to find out about the target before attack.
WhoIs Internet searches for administrative contact phone numbers and emails.
DNS lookup for ISP details: http://www.networksolutions.com/whois/index.jsp
Reconnaissance would be done anonymously so as not to tip off the victim. Tor is an encrypted channel for anonymous web browsing: http://tor.eff.org/ . Alternatively an attacker could bounce between multiple Internet proxies such as www.proxify.com .
2. Network mapping of a subnet.
nmap ( http://insecure.org/nmap/ ) is the de facto network mapping tool.
Paketto Keiretsu enables faster scanning of large networks by separating the send and receive functionality of the scanner.
3. Port scanning of an individual host
Nmap again, as well as amap ( http://www.thc.org/thc-amap/ ). Nmap, by default, uses the port number to identify the application running, so for instance if the Oracle Listener is on port 1522 then nmap will present this port as rna-lm, as per the IANA default port assignments ( http://www.iana.org/assignments/port-numbers ). By using the additional -sV switch, nmap will correctly identify many applications by their banner.
4. Banner grabbing a host to identify the actual service being run, and vulnerability identification from the version gained from the banner. This will allow identification of likely vulnerabilities.
Nessus will identify applications running and then match vulnerabilities: http://www.nessus.org/
Typhon is a commercial banner grabbing network/host scanner.
CANVAS is a commercially available tool that comes with exploits written by Dave Aitel's ImmunitySec: http://www.immunitysec.com/products-canvas.shtml
CORE Impact is a similar commercially available tool: http://www.coresecurity.com/?module=ContentMod&action=item&id=32
For Oracle protocol detection, the tnsping utility can be used to tell whether a listening port is talking the TNS protocol or not. Tnsping is usually found in $ORACLE_HOME/bin.
5. Exploitation of a software flaw to gain unauthorized access.
Metasploit has pre-coded exploits for many OSes and applications: http://www.metasploit.com/
Research web sites such as http://www.argeniss.com/research.html and commercial software such as NGS SQuirreL for Oracle have new vulnerability advisories contained within.
These software exploits often consist of buffer overflows due to incorrect bounds checking of input variables. Another exploit common to Oracle is SQL injection into the web front end, Forms and PL/SQL packages, which can result in privilege escalation. These will be looked at in greater detail later on in the book.
6. Cracking passwords and user names is basically the process of taking an encrypted password and then decrypting it or guessing it correctly by attempting many times until the correct password is gained.
JTR (John the Ripper) is a good password cracker: http://www.openwall.com/john/ . There is now a patch for John to be able to crack Oracle hashes.
Also "Cain" is an easy to use Windows based password cracker: http://www.oxid.it/cain.html
Rainbow crack is a tool used to pre-compute hash-to-cleartext correlations, i.e. "you give me the hash, I will give you the password, because I have already computed all the possible permutations". Rainbow crack has been converted to allow generation of hashes for the Oracle usernames, as discussed at this URL: http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049569.html . These correlations can be accessed online at http://www.rainbowcrack-online.com/
7. Rootkit installation enables covert access at a later date and generally involves the installation of software by the attacker to hide their presence after they have gained privileged access to the target server.
See http://www.rootkit.com/ , which has links to the AFX and Hacker Defender rootkits, for example.
The concept of rootkits has been transferred to databases, as will be discussed.
8. Hiding tracks to clear up evidence involves deletion of logs and tools as well as resetting timestamps.
Altering timestamps so that files appear not to have been changed, for instance.
Secure deletion of files so that the recycle bin or forensic data recovery cannot bring the attacker's tools back after they have deleted them. Oracle now has a recycle bin, which uses the PURGE keyword to empty or avoid it. We will look at this command in detail.
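To show what the Oracle recycle bin leaves behind for an investigator, and what PURGE removes, here is an added Oracle SQL walkthrough (not from the book; the table name forensic_demo and its row are constructed, and it assumes an ordinary schema with the recycle bin enabled, i.e. Oracle 10g or later):

```sql
-- Constructed sample table (hypothetical name) to drop and recover.
CREATE TABLE forensic_demo (id NUMBER, note VARCHAR2(40));
INSERT INTO forensic_demo VALUES (1, 'constructed sample row');
COMMIT;

-- A plain DROP does not destroy the table: it is renamed to a BIN$... object
-- and recorded in the recycle bin together with the time it was dropped.
DROP TABLE forensic_demo;
SELECT object_name, original_name, operation, droptime
  FROM user_recyclebin
 WHERE original_name = 'FORENSIC_DEMO';

-- The investigator (or the owner) can restore it, rows included.
FLASHBACK TABLE forensic_demo TO BEFORE DROP;
SELECT * FROM forensic_demo;

-- DROP ... PURGE bypasses the recycle bin, so nothing is left to flash back;
-- PURGE RECYCLEBIN would likewise empty what is already there.
DROP TABLE forensic_demo PURGE;
SELECT COUNT(*) FROM user_recyclebin WHERE original_name = 'FORENSIC_DEMO';

-- DBA-wide check of dropped-but-not-purged objects across all schemas,
-- most recent drops first; an absent entry for a known table points to PURGE.
SELECT owner, original_name, type, droptime
  FROM dba_recyclebin
 ORDER BY droptime DESC;
```

Because a purged drop leaves no recycle bin entry, evidence of it has to come from elsewhere (audit trail, redo or archive logs), which is why the PURGE keyword matters at this stage.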
9. Monitoring the system over time which typically requires a covert channel.
Loki sends shell commands over ICMP
Time based covert channels also exist.
10. Using unauthorized privilege for benefit
Credit card numbers and Social security IDs form a saleable resource to a commercially minded hacker.
An attacker might blackmail a bank if they were able to gain customers data.
A competitor may seek advantage in hiring a hacker to subvert another company or spy upon them to gain their intellectual property or list of customers.
Internally an employee may seek advantage over an internal competitor by taking an unauthorized action that disadvantages their adversary e.g. causing a mistake to occur and making it look like their adversary did it.
Lists always come in groups of 10, but the 11th stage in this case should be "getting caught", which is the responsibility of the reader once this book is finished. This person will collect all the evidence and attempt to deduce the knowable information from an incident, with the aim of identifying the culprit and recovering any losses legally if necessary.
Further detail on computer security in general can be found in a book made available free of charge by its author, Professor Ross Anderson of Cambridge University: http://www.cl.cam.ac.uk/~rja14/book.html