Sysadmin News

A typical scenario might be:
1. Information Gathering
An attacker will normally start by finding out as much information as possible on his target. At this point the attacker will want to be as stealthy as possible and will usually make use of less direct methods. Some of these methods include doing a whois lookup and DNS Zone transfers as well as normal browsing of websites gathering e-mail addresses and similar important information belonging to the target.
2. Further Information Gathering
In an attempt to gather more information an attacker will usually perform ping sweeps, port scanning and check Web servers for vulnerable CGI scripts. The intruder will also check the versions of running applications and services on your host - normally done using Banner Grabbing techniques. Typically banner grabbing consists of connecting to a service (for example SMTP on port 25) and parsing the response. In the response one would usually get the version of the application or a typical pattern of that application. A good IDS will catch some of this activity.
3. Attack!!
Having a list of possible loopholes, the intruder will start trying out different attacks on the system. He will for example try to launch the UNICODE attack if he previously found out that the target has IIS installed. Apart from launching exploits for well known vulnerable software, a typical attacker will also try to find out misconfigured running services. For example he will try to guess passwords for known users on the system.
4. Successful intrusion
After a successful intrusion, attackers will usually install their own backdoors in the system and delete log files in order to hide their tracks. They may install ‘toolkits’ such as rootkits that give them access, replace existing services with their own Trojan horses that have backdoor passwords, or create their own user accounts. System Integrity Checkers such as Tripwire have the task of detecting this kind of activity and alerting the administrator. From here an attacker will usually launch further attacks to other hosts especially those that are trusted by the compromised machine.
5. Fun and profit
Different classes of system intruders have different goals. Some steal confidential information such as Credit cards, passwords etc: while others just use the compromised host to launch further attacks on sites (such as DDoS attacks). A few others will just deface a website.
A growing trend is to make use of a different pattern of attack. Intruders are increasingly randomly scanning internet addresses looking for a specific hole or number of holes. For example an intruder may scan for hosts having port 80 open and running a misconfigured / unpatched IIS server. Attackers will make a list of the vulnerable hosts and then launch attacks against each one of the hosts.

Trackback URI | Comments RSS