There is still no precise definition of the term “attack” (also rendered as “intrusion” or “assault”). Every security specialist interprets it differently. I consider the following definition to be the most correct and complete.

An attack on an information system is a deliberate action by an attacker that exploits vulnerabilities of the information system and leads to a violation of the availability, integrity and confidentiality of the information it processes.

If we eliminate the vulnerabilities of the information system, we will also eliminate the possibility of attacks.

How many attack methods exist is currently considered unknown; there is said to be no serious mathematical research in this area. Back in 1996, however, Fred Cohen described the mathematical basis of viral technology, and that work proved that the number of viruses is infinite. Since viruses are a subset of attacks, the number of attacks is obviously infinite as well.

Attack Models

The traditional attack model is built on the principle shown in Fig. 1 or Fig. 2, i.e. the attack comes from a single source. Developers of network security tools (firewalls, attack detection systems, etc.) focus specifically on this traditional model: agents (sensors) of the protection system are installed at various points of the protected network and transmit information to a central management console. This makes the system easier to scale, simplifies remote management, and so on. However, this model does not cope with a relatively recently (in 1998) discovered threat: distributed attacks.
Figure 1. One-to-one relationship

The distributed attack model uses different principles. Unlike the traditional model, it uses the relationships shown in Fig. 3 and Fig. 4.

Distributed attacks are based on "classic" denial-of-service attacks, more specifically on the subset of them known as flood or storm attacks. The point of these attacks is to send a large number of packets to the attacked node. The attacked node may fail because it "chokes" on the avalanche of packets and can no longer process requests from authorized users. SYN Flood, Smurf, UDP Flood, Targa3 and similar attacks work on this principle. However, if the bandwidth of the channel to the attacked node exceeds the attacker's bandwidth, or the attacked node is incorrectly configured, such an attack will not "succeed"; for example, it is useless to try to disrupt your ISP with these attacks. A distributed attack, however, no longer comes from one point on the Internet but from several at once, which sharply increases the traffic and disables the attacked node.

For example, according to Russia-Online, for two days starting at 9 a.m. on December 28, 2000, the largest Internet provider in Armenia, Arminco, was subjected to a distributed attack. More than 50 machines from different countries joined the attack and sent meaningless messages to Arminco's address. It was impossible to establish who organized the attack or in what country the hacker was located. Although it was mainly Arminco that was attacked, the entire trunk link connecting Armenia with the World Wide Web was overloaded. On December 30, thanks to cooperation between Arminco and another provider, ArmenTel, the connection was completely restored. Despite this, the computer attack continued, though with less intensity.

Stages of attack implementation

The following stages of an attack can be distinguished:

  1. collection of information;
  2. implementation of the attack;
  3. completion of the attack ("covering tracks").

Usually, when people talk about an attack, they mean the second stage, forgetting about the first and last. Gathering information and completing an attack ("covering tracks") can in turn themselves constitute an attack and can be divided into three stages (see Fig. 5).
Figure 5. Stages of attack implementation

Collection of information is the main stage of the attack. The effectiveness of the attacker's work at this stage is the key to the "success" of the attack. First, the target of the attack is selected and information about it is collected (operating system type and version, open ports and running network services, installed system and application software and its configuration, etc.). Then the most vulnerable points of the attacked system are identified, those which, when acted on, give the attacker the desired result. The attacker tries to identify all channels of interaction between the attack target and other nodes. This allows him to choose not only the type of attack to implement but also the source from which to implement it. For example, suppose the attacked node interacts with two servers, one running Unix and one running Windows NT, and has a trusted relationship with one of them but not with the other. The server through which the attacker will implement the attack determines which attack will be used, which means of implementation will be chosen, and so on. Then, depending on the information obtained and the desired result, the attack that gives the greatest effect is selected. For example:

  • SYN Flood, Teardrop, UDP Bomb - to disrupt the functioning of the node;
  • CGI script - to penetrate a node and steal information;
  • PHF - to steal the password file and remotely guess passwords, etc.

Traditional means of protection, such as firewalls or filtering mechanisms in routers, come into effect only at the second stage of the attack, completely "forgetting" about the first and third. As a result, an attack is often very difficult to stop even with powerful and expensive defenses; distributed attacks are an example. It would be logical for protective tools to start working at the first stage, i.e. to prevent information about the attacked system from being collected in the first place. This would, if not completely prevent the attack, at least significantly complicate the attacker's work. Traditional means also cannot detect attacks that have already been carried out or assess the damage afterwards, i.e. they do not work at the third stage of the attack either. As a result, it is impossible to determine measures to prevent such attacks in the future.

Depending on the desired result, the attacker concentrates on one or another stage of the attack. For example:

  • for denial of service, the attacked network is analyzed in detail and loopholes and weaknesses are looked for;
  • for information theft, the main focus is on silent penetration of the attacked nodes using previously discovered vulnerabilities.

Let's consider the main mechanisms for implementing attacks; this is necessary in order to understand how to detect them. Moreover, understanding how attackers operate is the key to successful network defense.

1. Collection of information

The first stage of implementing attacks is collecting information about the attacked system or node. It includes such actions as determining the network topology, the type and version of the operating system of the attacked node, as well as available network and other services, etc. These actions are implemented using various methods.

Exploring the environment

At this stage, the attacker explores the network environment around the intended target of the attack. Such an environment includes, for example, the hosts of the victim's Internet provider or the hosts of a remote office of the attacked company. The attacker may try to determine the addresses of "trusted" systems (for example, a partner's network) and of nodes directly connected to the target (for example, an ISP router), etc. Such actions are quite difficult to detect because they are performed over a fairly long period of time and outside the area controlled by security measures (firewalls, intrusion detection systems, etc.).

Network Topology Identification

There are two main methods used by attackers to determine network topology:

  1. TTL change (TTL modulation),
  2. record route.

The first method uses the traceroute (Unix) and tracert (Windows) programs. They rely on the Time to Live field in the IP packet header, which every router the packet traverses decrements by one, so a sequence of probes with increasing TTL reveals the routers along the path. The ping utility can record the route of an ICMP packet (the record route option). Often the network topology can also be determined via SNMP, which runs on many network devices whose security is not configured correctly. Using the RIP protocol, one can try to obtain the contents of routing tables on the network, etc.

Many of these methods are used by modern management systems (for example, HP OpenView, Cabletron SPECTRUM, MS Visio, etc.) to build network maps. And these same methods can be successfully used by attackers to build a map of the attacked network.

Node identification

A host is identified, as a rule, by sending an ICMP ECHO_REQUEST with the ping utility; an ECHO_REPLY response shows that the node is reachable. Freely available programs such as fping or nmap automate and speed up the identification of a large number of nodes in parallel. The danger of this method is that ECHO_REQUEST packets are not recorded by standard host logging; detecting them requires traffic analysis tools, firewalls or attack detection systems.

This is the simplest method for identifying nodes. However, it has two disadvantages.

  1. Many network devices and programs block ICMP packets and do not let them into the internal network (or, conversely, do not let them out). For example, MS Proxy Server 2.0 does not pass ICMP packets. The result is an incomplete picture. On the other hand, a blocked ICMP packet tells the attacker about the presence of a "first line of defense": routers, firewalls, etc.
  2. ICMP requests make it easy to detect their source, which is, of course, not in the attacker's interest.

Another method of identifying nodes uses the promiscuous mode of the network card, which reveals the nodes in a network segment. It is not applicable when the segment's traffic is not accessible from the attacker's node, i.e. it only works on local networks. Yet another way to identify network nodes is so-called DNS reconnaissance, which identifies corporate network nodes by querying the name server.

Service identification or port scanning

Identification of services is usually carried out by detecting open ports (port scanning). Such ports are very often associated with services based on the TCP or UDP protocols. For example:

  • an open port 80 implies the presence of a Web server,
  • port 25 - an SMTP mail server,
  • port 31337 - the server component of the BackOrifice Trojan horse,
  • port 12345 or 12346 - the server component of the NetBus Trojan horse, etc.

Various programs, including freely distributed ones, can be used to identify services and scan ports, for example nmap or netcat.
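The methods above (echo sweeps, traceroute-style probing, port scans) all leave a characteristic pattern in captured traffic, even though, as noted, standard host logging never records an ECHO_REQUEST. The following is an added example, not code from the original article, showing how a traffic sensor can recognize those patterns from packet metadata; the packet records and the thresholds (five swept hosts, ten probed ports, three consecutive TTL values) are constructed assumptions, and the record layout is not that of any particular tool.

```python
"""Detecting three kinds of information-gathering activity in captured
traffic: ICMP echo sweeps, TCP SYN port scans and traceroute-style probing.
Added example, not code from the original article; the packet records and
the thresholds below are constructed assumptions."""
from collections import defaultdict

# Constructed packet metadata as a traffic analyser might export it:
# (src, dst, proto, dst_port, observed_ttl, tcp_flags).
# "icmp8" marks an ICMP ECHO_REQUEST (type 8).
SAMPLE = [
    # echo sweep of 10.0.0.1 - 10.0.0.6 from one external source
    *[("198.51.100.7", f"10.0.0.{i}", "icmp8", None, 52, "") for i in range(1, 7)],
    # one legitimate ping between internal hosts
    ("10.0.0.2", "10.0.0.1", "icmp8", None, 128, ""),
    # SYN probes to twelve ports on 10.0.0.5, including the Trojan ports above
    *[("203.0.113.9", "10.0.0.5", "tcp", p, 52, "S")
      for p in (21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 12345, 31337)],
    # ordinary web session from an internal client
    ("10.0.0.2", "10.0.0.5", "tcp", 80, 128, "S"),
    ("10.0.0.2", "10.0.0.5", "tcp", 80, 128, "A"),
    # traceroute-style probes: UDP to 33434+ with TTL 1, 2, 3, 4 in sequence
    *[("192.0.2.44", "10.0.0.1", "udp", 33434 + i, i + 1, "") for i in range(4)],
]


def detect_ping_sweeps(records, min_targets=5):
    """Sources that sent ICMP ECHO_REQUEST to at least min_targets hosts.
    Host logging never records these, so the check must run on traffic
    captured by a sensor."""
    targets = defaultdict(set)
    for src, dst, proto, _port, _ttl, _flags in records:
        if proto == "icmp8":
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


def detect_port_scans(records, min_ports=10):
    """(src, dst) pairs where one source sent connection attempts (SYN
    without ACK) to at least min_ports distinct TCP ports on one host."""
    ports = defaultdict(set)
    for src, dst, proto, port, _ttl, flags in records:
        if proto == "tcp" and "S" in flags and "A" not in flags:
            ports[(src, dst)].add(port)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_traceroute(records, min_hops=3):
    """(src, dst) pairs whose UDP probes to the 33434-33534 range arrive
    with TTL values that increase by exactly one each time: the pattern
    traceroute produces while mapping the path to dst."""
    ttls = defaultdict(list)
    for src, dst, proto, port, ttl, _flags in records:
        if proto == "udp" and port is not None and 33434 <= port <= 33534:
            ttls[(src, dst)].append(ttl)
    hits = {}
    for key, seq in ttls.items():
        consecutive = all(b == a + 1 for a, b in zip(seq, seq[1:]))
        if len(seq) >= min_hops and consecutive:
            hits[key] = seq
    return hits


def summarize(records):
    """Run all three detectors and return their findings by category."""
    return {
        "ping_sweeps": detect_ping_sweeps(records),
        "port_scans": detect_port_scans(records),
        "traceroute": detect_traceroute(records),
    }


if __name__ == "__main__":
    for category, hits in summarize(SAMPLE).items():
        for key, detail in hits.items():
            print(f"{category}: {key} -> {detail}")
```

The detectors count over the whole record set; a real sensor would count per time window, and a scan spread slowly over hours or across many source addresses (the distributed case discussed earlier) needs longer windows and correlation across sources to stand out from the legitimate internal pings and web sessions included here.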

Operating system identification

The main mechanism for remote OS detection is the analysis of responses to requests, taking into account different implementations of the TCP/IP stack in different operating systems. Each OS implements the TCP/IP protocol stack in its own way, which allows you to determine, using special requests and responses to them, which OS is installed on the remote host.

Another, less effective and extremely limited, way to identify host OSes is to analyze the network services discovered at the previous stage. For example, an open port 139 allows us to conclude that the remote host is most likely running a Windows operating system. Various programs can be used to determine the OS. For example, nmap or queso.

Defining a Node Role

The penultimate step at the stage of collecting information about the attacked host is to determine its role, for example, performing the functions of a firewall or Web server. This step is performed based on already collected information about active services, host names, network topology, etc. For example, an open port 80 may indicate the presence of a Web server, blocking an ICMP packet indicates the potential presence of a firewall, and the DNS host name proxy.domain.ru or fw.domain.ru speaks for itself.

Determining host vulnerabilities

The last step is to search for vulnerabilities. At this step, the attacker, using various automated means or manually, identifies vulnerabilities that can be used to carry out an attack. ShadowSecurityScanner, nmap, Retina, etc. can be used as such automated tools.

2. Implementation of the attack

From this moment an attempt to access the attacked node begins. Access can be either direct, i.e. penetration of the node, or indirect, for example when carrying out a denial of service attack. In the case of direct access, the implementation of an attack can be further divided into two steps:

  • penetration;
  • establishing control.

Penetration

Penetration involves breaking through perimeter defenses (for example, a firewall). This can be done in various ways: by exploiting a vulnerability in an externally exposed service, or by delivering hostile content via email (macro viruses) or through Java applets. Such content can use so-called "tunnels" in the firewall (not to be confused with VPN tunnels), through which the attacker then penetrates. This step also includes guessing the password of an administrator or another user with a specialized utility (for example, L0phtCrack or Crack).

Establishing control

After penetration, the attacker establishes control over the attacked node. This can be done by planting a Trojan horse program (e.g. NetBus or BackOrifice). Having established control over the desired node and "covered" his tracks, the attacker can carry out all the necessary unauthorized actions remotely without the knowledge of the owner of the attacked computer. Control over the corporate network node must also survive an operating system reboot. This can be achieved by replacing one of the boot files or by inserting a link to the hostile code into the startup files or the system registry. There is a known case where an attacker reprogrammed the EEPROM of a network card and was able to resume unauthorized actions even after the OS was reinstalled. A simpler variant of this example is embedding the required code or fragment into a network boot script (for example, for Novell Netware).

Completion of the attack

The final stage of the attack is the attacker "covering his tracks". This is typically done by deleting the corresponding entries from the host's logs and by other actions that return the attacked system to its original, "pre-attack" state.
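Both of the last two steps revolve around files the attacker changes: boot and startup files or registry entries to keep control across a reboot, and log files to cover tracks. A baseline of file sizes and hashes taken while the host is known-good, stored off the host and compared later, catches both. The following is an added example, not code from the original article; the directory tree, file names, log lines and the simulated tampering are all constructed.

```python
"""Baseline-and-compare integrity check for startup files and logs.
Added example, not code from the original article; the directory tree,
file names and contents are constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated) to (size, sha256)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), sha256_of(full))
    return baseline


def compare(baseline, current):
    """Classify differences between two baselines.

    'modified' = content hash changed; 'truncated' = modified and smaller,
    which for a log file is the typical sign that entries were deleted;
    'removed' and 'added' cover files that disappeared or appeared."""
    report = {"modified": [], "truncated": [], "removed": [], "added": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
            continue
        new_size, new_digest = current[rel]
        if new_digest != digest:
            report["modified"].append(rel)
            if new_size < size:
                report["truncated"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def _write(root, rel, text):
    """Create rel (a '/'-separated path) under root with the given text."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed host tree, baseline it, simulate the tampering
    described in the text, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/rc.local", "#!/bin/sh\n# legitimate startup script\nexit 0\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "var/log/auth.log",
               "Jan 1 10:00:01 host sshd: Accepted password for admin\n"
               "Jan 1 10:05:42 host sshd: Failed password for root\n"
               "Jan 1 10:05:50 host sshd: Accepted password for root\n")
        baseline = build_baseline(root)

        # Simulated tampering (constructed): a line inserted into a startup
        # script, two log entries deleted, and an unknown file dropped in.
        _write(root, "etc/rc.local",
               "#!/bin/sh\n# legitimate startup script\n/tmp/.unknown &\nexit 0\n")
        _write(root, "var/log/auth.log",
               "Jan 1 10:00:01 host sshd: Accepted password for admin\n")
        _write(root, "etc/cron.d/unknown", "* * * * * root /tmp/.unknown\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline is only worth as much as where it is kept: an attacker who has replaced boot files can also rewrite a baseline stored on the same host, so it belongs on a separate system or read-only medium, and the comparison should run from there.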

Classification of attacks

There are different types of attack classifications. For example, the division into passive and active, external and internal, intentional and unintentional. However, in order not to confuse you with a wide variety of classifications that are of little use in practice, I propose a more “life-like” classification:

  1. Remote penetration. Attacks that allow remote control of a computer over a network. For example, NetBus or BackOrifice.
  2. Local penetration. An attack that results in unauthorized access to the host on which it is launched. For example, GetAdmin.
  3. Remote denial of service. Attacks that disrupt or overload a computer over the Internet. For example, Teardrop or trin00.
  4. Local denial of service. Attacks that disrupt or overload the computer on which they are run. An example is a “hostile” applet that ties up the CPU in an infinite loop, making it impossible to process requests from other applications.
  5. Network scanners. Programs that analyze the network topology and detect services that can be attacked. For example, the nmap system.
  6. Vulnerability scanners. Programs that look for vulnerabilities on network nodes and that can be used to carry out attacks. For example, the SATAN system or ShadowSecurityScanner.
  7. Password crackers. Programs that “guess” user passwords. For example, L0phtCrack for Windows or Crack for Unix.
  8. Protocol analyzers (sniffers). Programs that “listen” to network traffic. Using these programs, you can automatically search for information such as user IDs and passwords, credit card information, etc. For example, Microsoft Network Monitor, Network Associates' NetXRay, or LanExplorer.

Internet Security Systems, Inc. further reduced the number of possible categories, bringing them to 5:

  1. Information gathering.
  2. Unauthorized access attempts.
  3. Denial of service.
  4. Suspicious activity.
  5. System attacks.

The first four categories relate to remote attacks and the last to local attacks carried out on the attacked node itself. Note that this classification does not cover the whole class of so-called “passive” attacks (“traffic eavesdropping,” “false DNS server,” “ARP server spoofing,” etc.).

The classification of attacks implemented in many attack detection systems cannot be absolute. For example, an attack that on Unix (say, a statd buffer overflow) can have the most dire consequences (highest priority) may not be applicable at all on Windows NT, or may carry a very low degree of risk there. In addition, there is confusion in the very names of attacks and vulnerabilities: the same attack may go by different names at different manufacturers of attack detection systems.

One of the best databases of vulnerabilities and attacks is the X-Force database, located at: http://xforce.iss.net/. It can be accessed either by subscribing to the freely distributed X-Force Alert mailing list or by interactively searching the database on the ISS Web server.

Conclusion

Without vulnerabilities in information system components, many attacks would not be possible and, therefore, traditional security systems would cope quite effectively with the attacks that remained. However, programs are written by people, and people make mistakes. As a result, vulnerabilities appear that attackers use to carry out attacks. But that is only half the story. If all attacks followed a one-to-one model, then, with some stretch, firewalls and other security systems would be able to withstand them too. But coordinated attacks have emerged against which traditional means are no longer so effective, and this is where a new technology appears on the scene: attack detection. The above systematization of attacks and the stages of their implementation provides the necessary basis for understanding attack detection technologies.

Computer attack detection tools

Intrusion detection technology must solve the following problems:

  • recognizing known attacks and alerting the appropriate personnel to them;
  • making sense of the often obscure sources of attack information;
  • relieving security personnel of, or reducing, the routine monitoring of the users, systems and networks that make up the corporate network;
  • allowing security controls to be managed by non-security experts;
  • controlling all actions of corporate network subjects (users, programs, processes, etc.).

Often attack detection systems can perform functions that significantly expand the range of their applications. For example,

  • Monitoring the effectiveness of firewalls. For example, installing an attack detection system behind the firewall (inside the corporate network) reveals attacks the firewall missed and thereby shows which rules are missing from it.
  • Monitoring network nodes that lack updates or run outdated software.
  • Blocking and controlling access to certain Internet sites. Although attack detection systems are no substitute for firewalls or URL access control systems such as WEBsweeper, they can perform partial control and block access by some corporate network users to certain Internet resources, for example Web servers with pornographic content. This is useful when the organization cannot afford both a firewall and an attack detection system, and the firewall functions are distributed between the attack detection system, the router and the proxy server. Intrusion detection systems can also monitor employee access to servers by keywords, for example sex, job, crack, etc.
  • Email control. Intrusion detection systems can be used to monitor untrustworthy employees who use email to perform tasks outside of their functional responsibilities, such as sending out resumes. Some systems can detect viruses in email messages and, although they are far from real anti-virus systems, they still perform this task quite effectively.

The best use of information security professionals' time and experience is to discover and eliminate the causes of attacks rather than to detect the attacks themselves. By eliminating the causes of attacks, i.e. by identifying and eliminating vulnerabilities, the administrator removes the very possibility of those attacks. Otherwise, the attack will be repeated over and over again, constantly demanding the administrator's effort and attention.

Classification of intrusion detection systems

There are a large number of different classifications of intrusion detection systems, but the most common is the classification based on the principle of implementation:

  1. host-based, that is, detecting attacks aimed at a specific network node,
  2. network-based, that is, detecting attacks aimed at an entire network or network segment.

Intrusion detection systems that monitor an individual computer typically collect and analyze information from the logs of the operating system and of various applications (Web server, DBMS, etc.); RealSecure OS Sensor operates on this principle. Recently, however, systems tightly integrated with the OS kernel have become widespread and provide a more effective way to detect security policy violations. Such integration can be implemented in two ways: either all OS system calls are monitored (this is how Entercept works) or all incoming and outgoing network traffic is (this is how RealSecure Server Sensor works). In the latter case, the intrusion detection system captures all network traffic directly from the network card, bypassing the operating system, which reduces its dependence on the OS and thereby increases the security of the intrusion detection system itself.

Network level attack detection systems collect information from the network itself, that is, from network traffic. These systems can run on regular computers (for example, RealSecure Network Sensor), on specialized computers (for example, RealSecure for Nokia or Cisco Secure IDS 4210 and 4230) or integrated into routers or switches (for example, CiscoSecure IOS Integrated Software or Cisco Catalyst 6000 IDS module). In the first two cases, the analyzed information is collected by capturing and analyzing packets using network interfaces in a promiscuous mode. In the latter case, traffic is captured from the network equipment bus.

Detecting attacks requires one of two conditions to be met: either an understanding of the expected behavior of the monitored object, or knowledge of all possible attacks and their modifications. The first case uses anomaly detection technology and the second uses misuse (abuse) detection technology. The second technology describes an attack as a pattern or signature and searches for that pattern in the monitored space (for example, network traffic or a log). This is very similar to virus detection (antivirus systems are a prime example of an attack detection system): the system can detect all known attacks but is poorly equipped to detect new, as yet unknown ones. The approach is very simple, and it is on this approach that almost all attack detection systems on the market today are based.

Almost all attack detection systems are based on a signature approach.

Advantages of intrusion detection systems

We could go on and on about the various advantages of attack detection systems operating at the host and network levels. However, I will only focus on a few of them.

Switching allows large-scale networks to be managed as multiple small network segments. As a result, it can be difficult to determine the best place to install a system that detects attacks in network traffic. Span ports on switches sometimes help, but not always. Host-level attack detection works better in switched networks because the detection systems can be placed only on the hosts where they are needed.

Network layer systems do not require intrusion detection software to be installed on every host. Since the number of places in which IDS are installed to monitor the entire network is small, the cost of operating them in an enterprise network is lower than the cost of operating attack detection systems at the system level. In addition, to monitor a network segment, only one sensor is needed, regardless of the number of nodes in a given segment.

Once a network packet leaves the attacker's computer, it can no longer be returned. Systems operating at the network layer use live traffic to detect attacks in real time. Thus, the attacker cannot remove traces of his unauthorized activities. The analyzed data includes not only information about the attack method, but also information that can help in identifying the attacker and proving it in court. Because many hackers are familiar with system logging mechanisms, they know how to manipulate these files to hide traces of their activities, reducing the effectiveness of the system-level systems that require this information in order to detect an attack.

Systems operating at the network level detect suspicious events and attacks as they occur and therefore provide much faster notification and response than systems that analyze logs. For example, a hacker launching a TCP-based network denial-of-service attack can be stopped by a network-level intrusion detection system that sends a TCP packet with the Reset flag set to terminate the connection with the attacking host before the attack damages the attacked node. Log analysis systems do not recognize an attack until the corresponding log entry has been made and can only counteract after that point, by which time the most critical systems or resources may already have been compromised, or the host running the host-level attack detection system may itself have been disrupted. Real-time notification allows a quick response according to predefined parameters. These responses range from allowing the intrusion to continue in surveillance mode, in order to gather information about the attack and the attacker, to immediately ending the attack.

And finally, intrusion detection systems operating at the network level are independent of the operating systems installed on the corporate network, since they operate on network traffic that is exchanged between all nodes on the corporate network. The intrusion detection system does not care which OS generated a particular packet, as long as it complies with the standards supported by the detection system. For example, Windows 98, Windows NT, Windows 2000 and XP, Netware, Linux, MacOS, Solaris, etc. can be running on the network, but if they communicate with each other via IP, then any of the attack detection systems that support this protocol will be able to detect attacks aimed at these operating systems.

The combined use of network-level and host-level attack detection systems will improve the security of your network.

Network attack detection systems and firewalls

Most often, attempts are made to replace network attack detection systems with firewalls, relying on the belief that the latter provide a very high level of security. Keep in mind, however, that firewalls are simply rule-based systems that allow or deny the traffic passing through them. Even firewalls built using "" technology cannot say with certainty whether the traffic they control contains an attack or not; they can only tell whether the traffic matches a rule. For example, suppose the firewall is configured to block all connections except TCP connections to port 80 (that is, HTTP traffic). Then any traffic to port 80 is legal from the firewall's point of view. An intrusion detection system, on the other hand, also monitors traffic but looks for signs of an attack in it; it cares little about which port the traffic is destined for, and by default all traffic is suspicious to it. So although the intrusion detection system works with the same data source as the firewall, namely network traffic, the two perform complementary functions. Take the HTTP request "GET /../../../etc/passwd HTTP/1.0": almost any firewall lets this request through, but an attack detection system easily detects this attack and blocks it.
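To make the difference concrete, here is an added example (not code from the original article, and not any vendor's rule format) that runs the same constructed request lines through a firewall-style rule, which sees only protocol and port, and through a small signature-based detector of the kind described in the classification section, which inspects the request payload. The rule set, the signatures and the sample requests are constructed; the request "GET /../../../etc/passwd HTTP/1.0" is the one from the text.

```python
"""Firewall port rule versus IDS payload signature on the same traffic.
Added example, not code from the original article; the rule set, the
signatures and the request lines are constructed for the demonstration."""
import re
from urllib.parse import unquote

# Firewall: allow/deny decided by protocol and destination port only,
# default policy deny (the configuration described in the text).
FIREWALL_RULES = [("tcp", 80, "allow")]


def firewall_decision(proto, dport):
    for rule_proto, rule_port, action in FIREWALL_RULES:
        if rule_proto == proto and rule_port == dport:
            return action
    return "deny"


# IDS: signatures applied to the request path, whatever port it arrived on.
SIGNATURES = [
    ("directory traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("passwd file request", re.compile(r"/etc/passwd")),
    ("CGI phf probe", re.compile(r"/cgi-bin/phf", re.IGNORECASE)),
]


def normalize_path(raw_path):
    """Percent-decode twice (so %252e becomes '.') and fold backslashes,
    so obfuscated variants match the same signature as the plain form."""
    return unquote(unquote(raw_path)).replace("\\", "/")


def parse_request_line(line):
    """Return (method, path) for an HTTP/1.x request line, else None."""
    match = re.match(r"^(\w+)\s+(\S+)\s+HTTP/\d\.\d$", line)
    return (match.group(1), match.group(2)) if match else None


def ids_alerts(payload):
    """Names of every signature that matches the normalized request path."""
    request = parse_request_line(payload)
    if request is None:
        return []
    path = normalize_path(request[1])
    return [name for name, pattern in SIGNATURES if pattern.search(path)]


# Constructed traffic: (proto, dst_port, payload).
TRAFFIC = [
    ("tcp", 80, "GET /index.html HTTP/1.0"),
    ("tcp", 80, "GET /../../../etc/passwd HTTP/1.0"),
    ("tcp", 80, "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0"),
    ("tcp", 80, "GET /cgi-bin/phf?Qalias=x HTTP/1.0"),
    ("tcp", 23, "login"),
]


def evaluate(traffic):
    """Return (payload, firewall decision, IDS alerts) for each record."""
    return [(payload, firewall_decision(proto, dport), ids_alerts(payload))
            for proto, dport, payload in traffic]


if __name__ == "__main__":
    for payload, decision, alerts in evaluate(TRAFFIC):
        print(f"{decision:5} {alerts or '-':<45} {payload}")
```

The firewall passes every port-80 line, including the traversal request, and drops the telnet login it never inspected; the detector flags the traversal in both its plain and percent-encoded forms because it matches on the normalized path, which is the step a signature engine cannot skip if it is to do better than a substring search.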

We can draw the following analogy. A firewall is a turnstile installed at the main entrance to your network. But besides the main doors there are other doors, as well as windows. By masquerading as a real employee or gaining the trust of the guard at the turnstile, an attacker can carry an explosive device or a pistol through it. Moreover, an intruder can climb in through a window. That is why we need attack detection systems, which enhance the protection provided by firewalls; the latter are a necessary but clearly insufficient element of network security.

A firewall is not a panacea!

Options for responding to a detected attack

It is not enough to detect an attack; it is necessary to respond to it accordingly. It is the response options that largely determine the effectiveness of an attack detection system. Currently, the following response options are offered:

  • Notification to the console (including backup) of the intrusion detection system or to the console of an integrated system (for example, a firewall).
  • Sound notification of an attack.
  • Generation of SNMP control sequences for network management systems.
  • Generating an attack report via email.
  • Additional notifications by pager or fax.
  • A very interesting, although rarely used, option: the alert about detected unauthorized activity is sent not to the administrator but to the attacker. According to supporters of this response option, the violator, upon learning that he has been discovered, is forced to stop his actions.
  • Mandatory logging of detected events. The log may be:
    • text file,
    • syslog (for example, in a Cisco Secure Integrated Software system),
    • a text file of a special format (for example, in the Snort system),
    • local MS Access database,
    • SQL database (for example, in the RealSecure system).
    You just need to take into account that the volume of recorded information usually requires a SQL database - MS SQL or Oracle.
  • Event trace, i.e. recording events in the sequence and at the speed with which the attacker carried them out. The administrator can then replay the required sequence of events at a chosen speed (real time, accelerated or slowed down) in order to analyze the attacker's activity. This shows his qualifications, the attack tools used, etc.
  • Interrupting the attacker's actions, i.e. ending the connection. This can be done by:
    • intercepting a connection (session hijacking) and sending a packet with the RST flag set to both participants in the network connection on behalf of each of them (in an attack detection system operating at the network level);
    • blocking the user account carrying out the attack (in the host-level attack detection system). Such blocking can be carried out either for a specified period of time, or until the account is unlocked by the administrator. Depending on the privileges with which the attack detection system is running, blocking can operate both within the computer itself, which is the target of the attack, and within the entire network domain.
  • Reconfiguration of network equipment or firewalls. If an attack is detected, a command is sent to the router or firewall to change the access control list. Subsequently, all connection attempts from the attacking node will be rejected. Like blocking an attacker's account, changing the access control list can be carried out either for a specified period of time or until the change is canceled by the administrator of the reconfigurable network equipment.
  • Blocking network traffic in the same way as is implemented in firewalls. This option allows you to limit traffic, as well as recipients who can access the resources of the protected computer, allowing you to perform functions available in personal firewalls.

Methods for malware to penetrate a system

A necessary task for virus writers and cyber criminals is to inject a virus, worm or Trojan into a victim computer or mobile phone. This goal is achieved in various ways, which are divided into two main categories:

  • social engineering;
  • technical methods of introducing malicious code into the infected system without the user’s knowledge.

Often these methods are used simultaneously. At the same time, special measures to counteract antivirus programs are also often used.

Social engineering

Social engineering methods somehow force the user to launch an infected file or open a link to an infected website. These methods are used not only by numerous email worms, but also by other types of malicious software.

The task of hackers and virus writers is to attract the user’s attention to an infected file (or an HTTP link to an infected file), to interest the user, and to make him click on the file (or on a link to a file). A “classic of the genre” is the LoveLetter email worm, which caused a sensation in May 2000 and, according to Computer Economics, still remains the leader in terms of the financial damage caused. The message that the worm displayed on the screen looked like this:

Many people reacted to the “I LOVE YOU” confession, and as a result, the mail servers of large companies could not withstand the load - the worm sent copies of itself to all contacts in the address book every time an attached VBS file was opened.

The Mydoom mail worm, which exploded on the Internet in January 2004, used texts that imitated technical messages from a mail server.

It is also worth mentioning the Swen worm, which posed as a message from Microsoft and disguised itself as a patch that eliminated a number of new vulnerabilities in Windows (it is not surprising that many users succumbed to the call to install “another patch from Microsoft”).

There have also been unusual incidents, one of which occurred in November 2005. One version of the Sober worm claimed that the German criminal police were investigating visits to illegal websites. The letter ended up in the hands of a child pornographer, who took it for an official letter and obediently turned himself in to the authorities.

Recently it is not files attached to emails that have gained particular popularity, but links to files located on an infected website. A message is sent to the potential victim by mail, via ICQ or another instant messenger, or, less often, via IRC chats (for mobile viruses the usual delivery method is an SMS message). The message contains some attractive text that entices the unsuspecting user to click on the link. This method of penetrating victim computers is by far the most popular and effective, since it bypasses the vigilant anti-virus filters on mail servers.

The capabilities of file-sharing (P2P) networks are also used. A worm or Trojan is posted on a P2P network under a variety of tempting names, for example:

  • AIM & AOL Password Hacker.exe
  • Microsoft CD Key Generator.exe
  • play station emulator crack.exe

While searching for new programs, users of P2P networks come across these names, download the files and launch them for execution.

“Scams” are also quite popular, in which the victim is offered a free utility or instructions for hacking various payment systems. For example, they offer free access to the Internet or to a mobile operator, a credit card number generator, a way to increase the amount of money in a personal Internet wallet, etc. Naturally, the victims of such fraud are unlikely to contact law enforcement agencies (after all, they themselves were trying to make money by fraudulent means), and Internet criminals take full advantage of this.

An unknown attacker from Russia used an unusual method of deception in 2005-2006. The Trojan program was sent to addresses found on the job.ru website, which specializes in employment and personnel search. Some of those who published their resumes there allegedly received a job offer with a file attached to the letter, which they were asked to open and familiarize themselves with its contents. The file was, naturally, a Trojan horse. It is also interesting that the attack was carried out mainly on corporate email addresses. The calculation was apparently based on the fact that company employees were unlikely to report the source of infection. And so it happened - Kaspersky Lab specialists were unable to obtain clear information about the method of penetration of the Trojan program into user computers for more than six months.

There are also quite exotic cases, for example, a letter with an attached document in which a bank client is asked to confirm (or rather, report) their access codes - print the document, fill out the attached form and then fax it to the phone number specified in the letter.

Another unusual case of spyware being delivered to people's homes occurred in Japan in the fall of 2005. Some attackers sent CDs infected with a Trojan spyware to the home addresses (city, street, house) of clients of one of the Japanese banks. In this case, information was used from the previously stolen client database of this very bank.

Injection techniques

These techniques are used by attackers to slip malicious code into the system without attracting the attention of the computer owner. This is done through security vulnerabilities in operating systems and software. The presence of vulnerabilities allows a network worm or Trojan program built by an attacker to penetrate the victim computer and launch itself for execution.

Vulnerabilities are, in fact, errors in the code or in the logic of the operation of various programs. Modern operating systems and applications have a complex structure and extensive functionality, and it is simply impossible to avoid errors in their design and development. This is what virus writers and computer attackers take advantage of.

Vulnerabilities in Outlook email clients were exploited by the Nimda and Aliz email worms. In order to launch the worm file, it was enough to open the infected letter or simply hover over it in the preview window.

Malware has also actively exploited vulnerabilities in the network components of operating systems. The worms CodeRed, Sasser, Slammer, Lovesan (Blaster) and many other Windows worms used such vulnerabilities to spread. Linux systems also came under attack: the Ramen and Slapper worms penetrated computers through vulnerabilities in that operating environment and its applications.

In recent years, one of the most popular methods of infection has been the injection of malicious code through web pages. This usually exploits vulnerabilities in Internet browsers. An infected file and a script that exploits a vulnerability in the browser are placed on a web page. When a user visits the infected page, the script is triggered and, through the vulnerability, downloads the infected file to the computer and launches it there for execution. As a result, to infect a large number of computers it is enough to lure as many users as possible to such a web page. This is achieved in various ways, for example by sending spam containing the page address, sending similar messages through instant messengers, and sometimes even by using search engines: the infected page contains a variety of text which is sooner or later indexed by search engines, and the link to the page then appears among the search results.

A separate class are Trojan programs that are designed to download and run other Trojan programs. Typically, these Trojans, which are very small in size, in one way or another (for example, using another vulnerability in the system) are “slipped” onto the victim computer, and then independently download from the Internet and install other malicious components into the system. Often such Trojan programs change browser settings to the most insecure ones in order to “make the road easier” for other Trojans.

Vulnerabilities that become known are quickly corrected by the software vendors, but information about new vulnerabilities constantly appears, and they are immediately put to use by numerous hackers and virus writers. Many Trojan “bots” use new vulnerabilities to increase their numbers, and new errors in Microsoft Office are immediately used to introduce new Trojan programs into computers. At the same time, unfortunately, the interval between the appearance of information about the next vulnerability and the start of its use by worms and Trojans keeps shrinking. As a result, both the vendors of vulnerable software and the antivirus developers find themselves under time pressure. The former need to fix the error as quickly as possible, test the result (usually called a “patch”) and distribute it to users; the latter need to immediately release a means of detecting and blocking the objects (files, network packets) that exploit the vulnerability.

Combined use of injection techniques and social engineering methods

Quite often, computer attackers use both methods at once. The method of social engineering is to attract the attention of a potential victim, and the technical method is to increase the likelihood of an infected object penetrating the system.

For example, the Mimail email worm spread as an attachment to an email. In order for the user to pay attention to the letter, specially designed text was inserted into it, and to launch a copy of the worm from the ZIP archive attached to the letter, a vulnerability in the Internet Explorer browser was used. As a result, when opening a file from an archive, the worm created a copy of itself on the disk and launched it for execution without any system warnings or additional user actions. By the way, this worm was one of the first designed to steal personal information from users of e-gold system Internet wallets.

Another example is sending spam with the subject “Hello” and the text “Look what they write about you.” The text was followed by a link to a web page. Upon analysis, it turned out that this web page contains a script program that, taking advantage of another vulnerability in Internet Explorer, downloads the LdPinch Trojan program onto the user’s computer, designed to steal various passwords.

Counteracting antivirus programs

Since the goal of computer attackers is to inject malicious code into victim computers, to do this they need to not only force the user to run an infected file or penetrate the system through some vulnerability, but also sneak past the installed anti-virus filter. Therefore, it is not surprising that attackers deliberately target antivirus programs. The techniques they use are very diverse, but the most common are the following:

Packing and encryption of code. A significant portion (if not most) of modern computer worms and Trojan horses are packed or encrypted in one way or another. Moreover, the computer underground creates packing and encryption utilities specifically for this purpose. For example, absolutely all files found on the Internet that had been processed by the utilities CryptExe, Exeref, PolyCrypt and some others turned out to be malicious.

To detect such worms and Trojans, antivirus programs have to either add new unpacking and decryption methods, or add signatures to each sample of malware, which reduces the quality of detection, since not always all possible samples of modified code end up in the hands of the antivirus company.

Code mutation. Diluting the Trojan code with “junk” instructions. As a result, the functionality of the Trojan program is preserved, but its “appearance” changes significantly. There are periodically cases where code mutation occurs in real time, every time the Trojan program is downloaded from an infected website; that is, all or a significant part of the Trojan samples that reach computers from such a site are different. An example of this technology is the Warezov email worm, several versions of which caused significant epidemics in the second half of 2006.

Hiding their presence. The so-called “rootkit technologies”, usually used in Trojan programs. System functions are intercepted and replaced, so that the infected file is not visible either to standard operating system tools or to anti-virus programs. Sometimes the registry branches in which a copy of the Trojan is registered, and other system areas of the computer, are also hidden. These technologies are actively used, for example, by the HacDef backdoor Trojan.

Disabling the antivirus and its update mechanism. Many Trojans and network worms take special actions against anti-virus programs: they look for them in the list of running applications and try to stop them, corrupt anti-virus databases, block the receipt of updates, etc. Antivirus programs have to protect themselves accordingly: monitor the integrity of their databases, hide their processes from Trojans, etc.

Hiding your code on websites. The addresses of web pages containing Trojan files sooner or later become known to antivirus companies. Naturally, such pages come under the close attention of anti-virus analysts - the contents of the page are periodically downloaded, new versions of Trojan programs are included in anti-virus updates. To counteract this, the web page is modified in a special way - if the request comes from the address of an antivirus company, then some non-Trojan file is downloaded instead of the Trojan one.

Attack by numbers. Generation and distribution on the Internet of a large number of new versions of Trojan programs in a short period of time. As a result, antivirus companies find themselves inundated with new samples that take time to analyze, giving malicious code an additional chance to successfully infiltrate computers.

These and other methods are used by the computer underground to counter antivirus programs. At the same time, the activity of cybercriminals is growing year after year, and we can now speak of a real “technology race” between the antivirus industry and the virus industry. The number of individual hackers and criminal groups, as well as their professionalism, is also growing. All this together significantly increases the complexity and amount of work required of antivirus companies to develop a sufficient level of protection.

Email

Email remains one of the main sources of malware penetration into corporate networks. There are several main ways to use email as a means of transporting malware:

sending malware “in its pure form” - in this case, the malware is an attachment to the letter and its automatic launch is not provided. The malicious program is launched by the user himself, for which elements of social engineering are often used in the letter. Attached malware is not necessarily an executable file - malicious scripts, such as Worm.Win32.Feebs, are often mailed as HTA files containing an encrypted script that downloads an executable file from the Internet;

a malicious program with a modified extension - this method differs from the previous one in that the executable file attached to the letter has a double extension, for example Document.doc .pif. In this case, spaces are used to hide the real file extension, and their number can vary from 10-15 to several hundred. A more original disguise is to use the *.com extension: the user may then mistake the attached file for a link to a website. For example, an attachment named www.playboy.com will most likely be taken for a link to the site rather than for an attached file named www.playboy with the extension *.com;

malicious program in the archive - archiving is an additional level of protection against anti-virus scanners, and the archive can be deliberately damaged (but not so much that a malicious file cannot be extracted from it) or encrypted with a password. If the archive is protected with a password, the latter is placed in the body of the letter in the form of text or an image - a similar technique, for example, was used in the Bagle mail worm. In this case, launching a malicious program is possible solely due to the curiosity of the user, who needs to manually enter a password and then run the extracted file;

an email in HTML format with an exploit to launch an attached malicious program - nowadays such email viruses are rare, but in 2001-2003 they were widespread (typical examples are Email-Worm.Win32.Avron, Email-Worm.Win32.BadtransII, Net-Worm.Win32.Nimda);
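As an added illustration (not part of the original article), the following Python function applies the attachment-name checks just described: an executable extension, a document extension followed by whitespace padding and the real executable extension, and a .com file named like a web address. The extension sets are assumptions for the demonstration, not an exhaustive list.

```python
import re

# Extensions Windows treats as directly executable (assumed list for the demo).
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "hta", "lnk"}
# Extensions a user expects to be harmless documents or media (assumed list for the demo).
DOCUMENT_EXTENSIONS = {"doc", "xls", "pdf", "txt", "rtf", "jpg", "gif", "htm", "html"}


def analyse_attachment_name(name: str) -> list:
    """Return the reasons an attachment file name looks like a disguised executable.

    An empty list means the name passed every check.
    """
    findings = []
    # Whitespace padding such as "Document.doc          .pif" is removed first, so the
    # final extension is examined regardless of how many spaces hide it.
    collapsed = re.sub(r"\s+", "", name).lower()
    parts = collapsed.split(".")
    if len(parts) < 2:
        return findings
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return findings
    findings.append(f"executable attachment (.{final_ext})")
    # A document extension in front of the executable one is the "double extension" trick.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: .{parts[-2]} masks .{final_ext}")
    # Two or more whitespace characters right before the last extension push it out of view.
    if re.search(r"\s{2,}\.\w+$", name):
        findings.append("whitespace padding hides the real extension")
    # "www.<something>.com" reads like a site address but is a .com executable.
    if final_ext == "com" and re.match(r"^www\.", name, re.IGNORECASE):
        findings.append(".com executable named like a web address")
    return findings


def blocked_attachments(names: list) -> list:
    """Names that a mail filter built on these rules would quarantine."""
    return [n for n in names if analyse_attachment_name(n)]


# Constructed sample attachment names modelled on the cases in the text.
SAMPLE_ATTACHMENTS = [
    "Document.doc" + " " * 40 + ".pif",
    "www.playboy.com",
    "update.hta",
    "report.pdf",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(repr(n), "->", analyse_attachment_name(n) or "ok")
```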

Emails with a link to a malicious object have become widespread recently, so this method deserves a more detailed consideration. It is based on the fact that the letter does not contain malicious code, and therefore the mail antivirus cannot detect it and block the forwarding of the letter. The text of the letter is prepared using social engineering methods and is aimed at persuading the user to open the link in the body of the letter. Typical examples are disguised as a greeting card (Fig. 1).

Fig. 1. "Greeting card"

The picture shows a very crude fake: it is clearly visible that the letter came from some unknown address, and a link with an IP address instead of a site name does not inspire confidence. However, according to the author’s statistics, thousands of users are “caught” by such letters. A better version of a fake greeting card message is shown in Fig. 2.

Fig. 2. A better-quality fake greeting card

In this case, recognizing the fake is much harder: the letter visually appears to come from the postcard.ru service, and the link to the postcard page appears to lead to that site. The deception relies on the letter being in HTML format, with the link built using the standard <a> tag. As you know, a link made with this tag looks like this:

<a href="URL">text description</a>

The text description can be arbitrary, since it has nothing to do with the URL being opened. In this letter, therefore, the visible text of the link is www.postcard.ru/card.php?4295358104, while the real link points to a completely different resource. This technique is trivial to implement and easily misleads the user.

the link leads directly to the executable file of the malicious program - this is the simplest case. When opening such a link, the user is asked what to do with the file: save or run. Selecting “run” launches the malicious code and infects the PC. Practice shows that users usually do not think about the danger. The most recent example is the malicious program Virus.VBS.Agent.c, which destroys files on the disk (which is why it is classified as a Virus) and spreads by sending “greeting cards” by e-mail with a link to its executable file, posted directly on the website of the virus author. The large number of users affected by this virus clearly demonstrates the effectiveness of this method;

a link to a website disguised as a legitimate program website. A typical example is programs for “hacking” cellular providers and mailboxes, which often have a home page, credible documentation and an installation package;

the link leads to an HTML page with an exploit. This is a common option (at the time of writing, the author recorded a real epidemic of such letters), and it is more dangerous than a direct link to an executable file, since such a link is very difficult to detect in proxy server logs and to block. If successful, the exploit downloads malicious code, which can result in more than ten malicious programs being installed on the affected computer. The usual set: email worms, a password-stealing Trojan, and a set of Trojan-Spy and Trojan-Proxy class programs.
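An added example, not from the original article, of the check that a mail filter or a user-education tool could apply to the Fig. 2 trick: compare the domain shown in a link's visible text with the domain in its href, and flag targets that are bare IP addresses. The sample message and its addresses are constructed, and the "last two labels" domain rule is a simplification noted in the code.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href: Optional[str] = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a web address (with or without a scheme).
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]\S*)?$", re.IGNORECASE)


def _host(url_or_text: str) -> Optional[str]:
    """Lower-case host of a URL, or of bare text such as 'www.postcard.ru/card.php'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = urlparse(url_or_text).hostname
    return host.lower() if host else None


def _registered_domain(host: str) -> str:
    # Simplification for the demo: the last two labels stand in for the registrable domain
    # (right for names like postcard.ru; a real filter would consult the public suffix list).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for links whose text misrepresents where they lead."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue
        real_host = _host(href)
        if real_host is None:
            continue
        if _is_ip_address(real_host):
            findings.append((href, text, "link target is a bare IP address"))
        if URL_LIKE_TEXT.match(text):
            shown_host = _host(text)
            if shown_host and _registered_domain(shown_host) != _registered_domain(real_host):
                findings.append((href, text, f"text shows {shown_host} but link goes to {real_host}"))
    return findings


# Constructed sample mail body modelled on the fake greeting card of Fig. 2 (addresses made up).
SAMPLE_MAIL = """<html><body>
<p>You have received a greeting card from postcard.ru!</p>
<a href="http://203.0.113.5/card.exe">www.postcard.ru/card.php?4295358104</a><br>
<a href="http://www.postcard.ru/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}: {reason}")
```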

Measures to protect against malware distributed by email are quite obvious. At a minimum, you need to install an antivirus on your mail server (or when choosing a hoster, pay attention to the antivirus mail protection it offers). In addition, it is worth carrying out a number of other activities:

Explain to users the dangers of opening programs attached to letters and links contained in them. It is very useful to teach users to determine the real URL of links;

if technically possible, block the sending and receiving of emails with attached executable files and encrypted archives. At Smolenskenergo, for example, such blocking has been in effect for a long time and has proved highly effective (blocked letters are quarantined and can be retrieved by the administrator);

install filters to block emails based on content and keep them up to date. Such filters are effective against emails containing links to malware; they are usually easy to filter using keywords like Animated card or postcard. A side effect is the blocking of real greeting cards and similar letters; a compromise solution is to install such a filter in antispam systems and mark the letters as spam.

Internet

Based on the number of incidents investigated, the Internet is also one of the main sources of malware penetration into the network. There are several main methods widely used by attackers:

all kinds of cracks and serial number generators - statistics show that when searching for a key or crack on hacker sites, the likelihood of infecting your computer with malware is very high. Moreover, such a program can be downloaded in the same archive as the crack, or picked up while browsing the site as a result of exploits and malicious scripts on hacker sites. Countermeasures: blocking access to hacker sites at the proxy server level and prohibiting visits to them at the level of the company's security policy and other governing documents;

hacked legitimate sites - according to statistics, site hacks have recently become more frequent and follow standard patterns. A small piece of code is inserted into the HTML of the pages of the compromised site, usually an IFRAME tag leading to the page with the exploit, or an encrypted script that in one way or another redirects the user to the infected site (dynamic insertion of an IFRAME tag into the page body, redirection to the exploit page, etc. are possible). The main danger is that a website hack cannot be predicted and, accordingly, it is very difficult to protect the user from it (Fig. 3).

Fig. 3. Exploit code added to the end of the HTML page of a hacked site

As the figure shows, the exploit code is appended to the end of the HTML page by automated means and takes the form of an encrypted script. Script encryption hinders analysis, but its main purpose is to evade signature detection. In more complex cases, the injected code may be placed in the middle of the page code, making it harder to detect.

Protection against exploits in web pages comes down to prompt installation of operating system and browser updates. In addition, running the browser with the lowest possible privileges gives good results, which can significantly reduce the damage in the event of an exploit.
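An added example (not from the original article) of the integrity check a site owner can run over his own pages to catch the kind of insert shown in Fig. 3: content appended after the closing </html> tag, zero-size iframes, and scripts that hand long escaped strings to a decoder such as unescape() or eval(). The sample page, the addresses in it and the escape-count threshold are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from typing import Optional

# Escape sequences that obfuscated loaders typically feed to unescape()/eval().
ESCAPE_SEQ = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.IGNORECASE)
DECODER_CALL = re.compile(r"\b(?:unescape|eval|document\.write|String\.fromCharCode)\s*\(")
MIN_ESCAPES = 20  # assumed threshold for the demo; tune against your own pages


def content_after_html(page: str) -> str:
    """Anything following the closing </html> tag; a clean page has nothing there."""
    m = re.search(r"</html\s*>", page, re.IGNORECASE)
    return page[m.end():].strip() if m else ""


class _InjectionScanner(HTMLParser):
    """Flag hidden iframes and scripts that decode long escaped strings."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []
        self._script: Optional[list] = None  # collects text while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            size = {a.get("width", "").strip().lower().rstrip("px"),
                    a.get("height", "").strip().lower().rstrip("px")}
            style = a.get("style", "").replace(" ", "").lower()
            if size & {"0", "1"} or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(f"hidden iframe loading {a.get('src', '?')}")
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            escapes = len(ESCAPE_SEQ.findall(body))
            if escapes >= MIN_ESCAPES and DECODER_CALL.search(body):
                self.findings.append(f"obfuscated script: {escapes} escape sequences passed to a decoder")


def audit_page(page: str) -> list:
    """Run all checks over one HTML page and return the list of findings."""
    findings = []
    trailer = content_after_html(page)
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after </html>")
    scanner = _InjectionScanner()
    scanner.feed(page)  # HTMLParser keeps parsing past </html>, so appended tags are seen too
    scanner.close()
    return findings + scanner.findings


# Constructed sample: a harmless page with an injected block appended after </html>.
# The loader tag is percent-encoded the way such inserts usually are.
_INJECTED_TAG = '<script src="http://198.51.100.7/js.js"></script>'
_ENCODED_LOADER = "".join(f"%{ord(c):02X}" for c in _INJECTED_TAG)
SAMPLE_PAGE = (
    "<html><head><title>Company news</title></head>\n"
    "<body><h1>Welcome</h1><script>var year = 2007;</script></body></html>\n"
    '<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0" frameborder="0"></iframe>\n'
    f"<script>document.write(unescape('{_ENCODED_LOADER}'));</script>\n"
)

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```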

Flash media

Media of this type are currently very widely used - these are flash drives and flash cards, HDD drives with a USB interface, cell phones, cameras, voice recorders. The proliferation of these devices leads to an increase in the number of malicious programs that use these media as a means of transmission. There are three basic ways to infect a flash drive:

creating an autorun.inf file in the root of the disk to launch a malicious program and placing it anywhere on the disk (not necessarily in the root of the disk). The operation of autorun.inf on a flash drive is identical to the operation of a similar file on a CD-ROM; accordingly, when you connect or open the disk in Explorer, a malicious program is launched;

creating files in the root of the disk or in folders existing on the disk that resemble files or folders in their names and icons. The author conducted an experiment: a harmless executable file with an icon visually indistinguishable from the folder icon and with the name MP3 was placed on the flash drives of the users participating in the experiment. Experience has shown that users immediately showed interest in the new folder and decided to view its contents by double-clicking on the “folder”, which led to the launch of the executable file;

using the “companion virus” principle. In essence, this method is identical to the previous one, but in this case the malicious program creates many copies of itself, and their names match the names of files or folders on the flash drive.
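An added example (not from the original article) of the two checks a scanner for removable media can run against the first and third infection methods above: launch directives in autorun.inf (open=, shellexecute=, shell\verb\command=) and companion executables whose names copy a folder or data file in the same directory. The sample disk layout and the autorun.inf contents are constructed in a temporary directory; the extension list is an assumption.

```python
import os
import tempfile
from pathlib import Path

# File types Windows will run when a user double-clicks them (assumed list for the demo).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# autorun.inf keys that name a program to start when the disk is connected or opened.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> dict:
    """Key/value pairs of the [autorun] section, keys lower-cased (later duplicates win)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(entries: dict) -> list:
    """(key, program) pairs that start a program: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def companion_files(root) -> list:
    """Executables whose name (without suffix) copies a folder or data file in the same directory."""
    root, hits = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        decoys = set(dirnames) | {Path(f).stem for f in filenames
                                  if Path(f).suffix.lower() not in EXECUTABLE_SUFFIXES}
        for f in filenames:
            p = Path(dirpath) / f
            if p.suffix.lower() in EXECUTABLE_SUFFIXES and p.stem in decoys:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def scan_drive(root) -> list:
    """Combine both checks for the root of a removable disk."""
    findings = []
    inf = Path(root) / "autorun.inf"
    if inf.is_file():
        for key, program in autorun_launch_targets(parse_autorun(inf.read_text(errors="replace"))):
            findings.append(f"autorun.inf launches {program} via {key}=")
    findings += [f"companion executable: {c}" for c in companion_files(root)]
    return findings


def build_sample_drive(base) -> Path:
    """Constructed flash-drive layout for the demo; file contents are placeholders."""
    base = Path(base)
    (base / "Photos").mkdir(parents=True, exist_ok=True)
    (base / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0")
    (base / "Photos.exe").write_bytes(b"MZ")  # companion of the Photos folder
    (base / "report.exe").write_bytes(b"MZ")  # companion of report.doc
    (base / "RECYCLER").mkdir(exist_ok=True)
    (base / "RECYCLER" / "s-1-5-21.exe").write_bytes(b"MZ")
    (base / "autorun.inf").write_text(
        "[autorun]\n"
        "open=RECYCLER\\s-1-5-21.exe\n"
        "shell\\open\\command=RECYCLER\\s-1-5-21.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    )
    return base


def run_demo() -> list:
    """Build the sample disk in a temporary directory and return what scan_drive finds."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```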

Methods for protecting against the spread of malware on flash media are quite simple:

Anti-virus protection should be installed on user computers with a monitor that scans files in real time;

An effective protective measure is to disable autorun;

On strategically important PCs, a good security measure is to block the use of flash media. Blocking can be carried out mechanically (by disconnecting USB ports and sealing them) and logically using special software;

writing local security policies that block applications from running from a flash drive.

Laptops and PDAs

Mobile computers provide another vector for malware. A typical situation is using a laptop on a business trip, when it is usually connected to someone else's network. During work, your laptop may become infected, most often with a network worm. When an infected laptop connects to its “native” network, PCs on it can be infected. It is difficult to protect against this; a set of security measures can be reduced to the following:

installation of an antivirus and firewall on a laptop with mandatory periodic monitoring of their performance by the administrator;

checking the laptop before connecting it to the network, although this operation is not always technically possible, requires a lot of time and reduces the user’s mobility;

creating a special “guest” subnet for laptops and taking measures to protect the main LAN from this subnet.

Penetration testing (colloquially, pentest) is a method for assessing the security of computer systems or networks by simulating an attack by an intruder. The process involves actively analysing the system for potential vulnerabilities that could cause the target system to malfunction or cause a complete denial of service. The analysis is carried out from the perspective of a potential attacker and may include active exploitation of system vulnerabilities.

The objects of testing can be either individual information systems, for example a CMS (content management system), a CRM (customer relationship management system) or an Internet banking system, or the entire infrastructure as a whole: the network perimeter, wireless networks, the internal corporate network, as well as the external perimeter.

The task of penetration testing is to search for all known software vulnerabilities, shortcomings in the password policy, and weaknesses and subtleties in the IS configuration settings. During such a test, the tester launches a pseudo-attack on the corporate network, simulating the actions of real attackers or an attack carried out by malicious software without the direct participation of the tester. The purpose of these tests is to identify weaknesses in the protection of the corporate network from such attacks and to eliminate the vulnerabilities found during the pseudo-attacks.

Penetration testing is usually divided into BlackBox, WhiteBox and GreyBox:

BlackBox - "black box". The specialist has only publicly available information about the object of the research, its network and parameters. This option is as close as possible to a real attack. As initial data for testing, the contractor is given only the name of the company or its website and must find out everything else himself, such as the IP addresses used by the company, its websites, and the Internet access points of the company’s offices and branches.

WhiteBox - the complete opposite of BlackBox. In this case, the specialist is given the maximum information required, including administrative access to any server. This method allows the most complete study of the vulnerability of an object. With WhiteBox, the tester does not have to spend time collecting information, drawing up a network map and other pre-testing actions, and the testing itself takes less time, because some checks simply do not have to be done. The advantage of this method is a more complete and integrated approach to the research; the downside is that it is less close to the situation of a real attack.

GrayBox– this is a middle option between WhiteBox and BlackBox, when the performer acts according to the BlackBox option and periodically requests information about the system under test in order to reduce research time or apply their efforts more efficiently. This option is the most popular, as it allows testing without wasting extra time collecting information and spending more time searching for vulnerabilities, while this option remains fairly close to the real situation of an attacker’s actions.

1. FEATURES OF PENETRATION OF A REMOTE COMPUTER SYSTEM.

Any objective and complete penetration testing has a number of features and must be carried out taking into account the recommendations and rules.

The rules and framework for information penetration testing are presented in the OSSTMM and OWASP methodologies. Subsequently, the obtained data can be easily adapted to conduct conformity assessment with any industry standards and “world best practices”, such as Cobit, ISO/IEC 2700x series standards, CIS/SANS/NIST/etc recommendations and PCI DSS standard.

To carry out such an assessment in full, technological data alone will not be enough. A full assessment requires interviewing employees of various departments of the company being assessed, analysis of administrative documentation, various information technology (IT) and information security (IS) processes, and much more.

As for penetration testing in accordance with the requirements of the PCI DSS standard, it differs little from conventional testing conducted using the OSSTMM and OWASP methodologies. Moreover, PCI DSS recommends following the OWASP rules when conducting both a pentest (ASV) and an audit (QSA).

The main differences between PCI DSS testing and penetration testing in the broad sense of the word are as follows:

  • The standard does not regulate (and therefore does not require) attacks using social engineering.
  • All tests performed should minimize the threat of Denial of Service (DoS) as much as possible. Therefore, testing must be carried out using the “gray box” method with mandatory warning to the administrators of the relevant systems.
  • The main purpose of such testing is to attempt to gain unauthorized access to payment card data (PAN, Cardholder Name, etc.).

The GrayBox method reduces the risk of denial of service when such work is carried out against information resources operating 24/7.
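Since the stated purpose of a PCI DSS test is to reach card data, the practical check an assessor runs over the files, logs and exports collected during the test is whether cleartext PANs are present. The following is an added example, not code from the original text: a Luhn-validated PAN finder with masking. SAMPLE_TEXT is constructed, and the card numbers in it are industry test numbers that pass the Luhn check but belong to no real account.

```python
"""Find candidate payment card numbers (PANs) in text and mask them.

Added example, not code from the original text. SAMPLE_TEXT is
constructed; the card numbers in it are industry test numbers that pass
the Luhn check but belong to no real account.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_TEXT = """\
order=10482 card=4111 1111 1111 1111 exp=12/27 name=J. Doe
trace id 1234567890123 from host 10.0.4.17
amex 378282246310005 approved
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return every PAN candidate in *text* that passes the Luhn check."""
    return [_digits_only(m.group(0)) for m in _PAN_CANDIDATE.finditer(text)
            if luhn_ok(_digits_only(m.group(0)))]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, a common masking format."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_match(m) -> str:
    digits = _digits_only(m.group(0))
    return mask_pan(digits) if luhn_ok(digits) else m.group(0)


def scan_and_mask(text: str) -> tuple:
    """Return (PANs found, copy of *text* with those PANs masked)."""
    return find_pans(text), _PAN_CANDIDATE.sub(_mask_match, text)


if __name__ == "__main__":
    pans, masked = scan_and_mask(SAMPLE_TEXT)
    print("PANs found:", pans)
    print(masked)
```

The Luhn check removes most false positives such as order or trace numbers, which is why the 13-digit trace id in the sample is left untouched while the two card numbers are masked.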

In general, PCI penetration testing must meet the following criteria:

  • clause 11.1(b) – Security analysis of wireless networks
  • clause 11.2 – Scanning the information network for vulnerabilities (ASV)
  • clause 11.3.1 – Network-layer penetration tests
  • clause 11.3.2 – Application-layer penetration tests

Determining the boundaries of the research. First of all, it is necessary to define the boundaries of the penetration test and to determine and agree on the sequence of actions to be performed. In the best case the information security department can provide a network map that shows schematically how the processing centre interacts with the general infrastructure. In the worst case you will have to deal with a system administrator who knows his own shortcomings, and obtaining comprehensive data will be difficult because of his reluctance to share information about the information system. One way or another, to conduct a PCI DSS pentest you need, at a minimum, the following information:

  • network segmentation (user, technological, DMZ, processing, etc.);
  • firewalling at subnet boundaries (ACLs/firewalls);
  • the Web applications and DBMS in use (both test and production);
  • the wireless networks in use;
  • any security details that need to be taken into account during the survey (for example, blocking accounts after N incorrect authentication attempts), infrastructure features and general wishes for how the testing is conducted.

2. PENETRATION TESTING STEPS

Let's look at the possible stages of penetration testing. Depending on the information available (BlackBox/WhiteBox/GrayBox), the sequence of actions may differ: data collection, network scanning, hacking the system, malware, social engineering.

2.1 Data collection.

Collection of data from open sources. Open sources are sources of information that are accessed legally and lawfully. Searching for the required information in open sources has long been practised by many civilian and military structures working in the field of intelligence and industrial espionage.

Access to the required information on the Internet can be obtained in various ways: following hyperlinks, searching in various directories (sites, blogs, etc.), and examining search engine results. For certain purposes it is impossible to do without searching specialised databases.

Useful information also includes internal website URLs, e-mail addresses, telephone and fax numbers, DNS servers, IP address ranges and routing information.

With the development of the Internet, WHOIS services have become widespread. Whois (from the English "who is") is a network protocol running over TCP. Its main purpose is to obtain information about the "registrant" (the domain owner) and the "registrar" (the organisation that registered the domain), the DNS server names, and the registration and expiry dates. Records about IP addresses are grouped by range (for example, 8.8.8.0 - 8.8.8.255) and contain data about the organisation to which the range is delegated.
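The fields just listed are what a security team actually reads out of a WHOIS reply: registrar and registrant (is this really our domain?), name servers, expiry date (a lapsed domain is a takeover risk) and, for an address, the delegated range. The following is an added example, not code from the original text: a parser for the key/value layout WHOIS servers return, plus the two checks. Both replies are constructed placeholders; only the 8.8.8.0 - 8.8.8.255 range comes from the text above.

```python
"""Parse WHOIS replies and pull out registrar, registrant, name servers,
registration dates and the delegated IP range.

Added example, not code from the original text. Both replies below are
constructed to imitate the key/value layout WHOIS servers return; the
domain, organisation and dates are placeholders, not real registrations.
"""
import ipaddress
from datetime import date, datetime

SAMPLE_DOMAIN_REPLY = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Placeholder Registrar, Inc.
Registrant Organization: Example Corp (constructed)
Creation Date: 2015-03-02T10:00:00Z
Registry Expiry Date: 2025-04-15T10:00:00Z
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2025-03-20T00:00:00Z <<<
"""

SAMPLE_IP_REPLY = """\
% constructed RIR-style record
inetnum:        8.8.8.0 - 8.8.8.255
netname:        EXAMPLE-NET
descr:          Example Corp (constructed)
country:        US
"""


def parse_whois(reply: str) -> dict:
    """Map each lower-cased key to the list of values seen for it.

    Comment lines (%, #) and the '>>> ... <<<' trailer are skipped; keys
    such as 'Name Server' may repeat, hence the list."""
    fields = {}
    for raw in reply.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def _first(fields: dict, key: str):
    return fields.get(key, [None])[0]


def _as_date(value):
    return datetime.strptime(value[:10], "%Y-%m-%d").date() if value else None


def summarize_domain(reply: str) -> dict:
    f = parse_whois(reply)
    return {
        "registrar": _first(f, "registrar"),
        "registrant": _first(f, "registrant organization"),
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
        "created": _as_date(_first(f, "creation date")),
        "expires": _as_date(_first(f, "registry expiry date")),
    }


def days_until_expiry(reply: str, today):
    """Days left on the registration; negative means it has already lapsed.
    *today* may be a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    expires = summarize_domain(reply)["expires"]
    return (expires - today).days if expires else None


def ip_range_of(reply: str):
    """Return (first, last) addresses of the 'inetnum' range."""
    lo, _, hi = parse_whois(reply)["inetnum"][0].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def ip_in_range(ip: str, reply: str) -> bool:
    lo, hi = ip_range_of(reply)
    return lo <= ipaddress.ip_address(ip) <= hi
```

Real WHOIS output varies by registry (different key names, comment markers and date formats), so the key names used in summarize_domain are the ones in the constructed reply and would need adjusting per registry.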

2.2 Network scanning.

Network scanning can be divided into components:

1. Scanning a range of IP addresses to determine “live” hosts

2. Port scanning

3. Discovery of services and their versions

4. Scan to determine OS

5. Vulnerability scanning

1. Scanning a range of IP addresses.

A fundamental task when exploring any network is to reduce the set of IP ranges to a list of active hosts. Scanning every port of every IP address is slow and unnecessary. Interest in studying certain hosts is largely determined by the purposes of scanning. Administrators' goals of discovering running hosts on a network can be satisfied with regular ICMP pings, but people testing a network's ability to withstand external attacks need to use a variety of query sets to bypass the firewall.

The task of discovering hosts is sometimes called a ping scan, but it is far superior to the usual ICMP requests associated with the ubiquitous ping utilities. It is preferable to scan the network using arbitrary combinations of multiport TCP SYN/ACK, UDP and ICMP requests. The purpose of all these requests is to obtain responses indicating that the IP address is currently active (in use by the host or network device). On most networks, only a small percentage of IP addresses are active at any given time. This is especially true for address spaces like 10.0.0.0/8. Such networks have 16 million IP addresses, but there are cases when they are used by companies with no more than a thousand machines. Host discovery can find these machines in this vast sea of IP addresses.

2. Port scanning.

There are many different port scanning techniques and the appropriate one (or a combination of several) is selected for a specific task. Let's look at the most popular scanning techniques:

TCP SYN scan
SYN is the default and most popular scan type. It can be launched quickly, is capable of scanning thousands of ports per second over a fast connection, and is not hampered by restrictive firewalls.

Various types of UDP scanning
While most Internet services use TCP, UDP services are also widespread. The three most popular are DNS, SNMP and DHCP (ports 53, 161/162 and 67/68). Because UDP scanning is generally slower and more complex than TCP scanning, many security professionals ignore these ports. This is a mistake, because there are UDP services that attackers use.

TCP NULL, FIN and Xmas scans
These three types of scans use a subtle loophole in the TCP RFC to differentiate between open and closed ports.

TCP ACK scanning
This type of scan differs from all the others in that it cannot detect an open port. It is used to identify firewall rules, to determine whether the firewall is stateful or not, and to find out which ports it filters.
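Each technique above (the ping sweep of host discovery, SYN, NULL/FIN/Xmas and ACK scans) leaves a recognisable trace in a firewall or packet log, and a tester should expect a well-run network to raise an alert on it. The following is an added example, not code from the original text, showing the defender's side: it classifies connection attempts by flag combination, ignores ACKs that belong to a session the same source opened with a SYN, and flags a source that probes at least a threshold number of distinct ports (or hosts) within a time window. The log format, the thresholds and the addresses are constructed for the example.

```python
"""Flag host-discovery sweeps and port scans in connection-attempt records.

Added example, not code from the original text. Records are constructed in
a simplified 'timestamp proto src dst dport flags' layout that a firewall
log or packet capture can be reduced to; addresses come from documentation
ranges (the 203.0.113.x sources play the scanners).
"""
from collections import defaultdict

# TCP flag strings that, on their own, characterise a scan type.
SCAN_FLAGS = {"S": "syn", "-": "null", "F": "fin", "FPU": "xmas", "A": "ack"}

SAMPLE_LOG = """\
1700000000.0 tcp 203.0.113.5 192.0.2.10 21 S
1700000000.1 tcp 203.0.113.5 192.0.2.10 22 S
1700000000.2 tcp 203.0.113.5 192.0.2.10 23 S
1700000000.3 tcp 203.0.113.5 192.0.2.10 25 S
1700000000.4 tcp 203.0.113.5 192.0.2.10 80 S
1700000000.5 tcp 203.0.113.5 192.0.2.10 443 S
1700000001.0 tcp 198.51.100.7 192.0.2.10 443 S
1700000001.1 tcp 198.51.100.7 192.0.2.10 443 A
1700000001.2 tcp 198.51.100.7 192.0.2.10 443 PA
1700000002.0 tcp 203.0.113.9 192.0.2.10 22 FPU
1700000002.1 tcp 203.0.113.9 192.0.2.10 80 FPU
1700000002.2 tcp 203.0.113.9 192.0.2.10 139 FPU
1700000002.3 tcp 203.0.113.9 192.0.2.10 445 FPU
1700000002.4 tcp 203.0.113.9 192.0.2.10 3389 FPU
1700000003.0 tcp 203.0.113.13 192.0.2.10 22 A
1700000003.1 tcp 203.0.113.13 192.0.2.10 80 A
1700000003.2 tcp 203.0.113.13 192.0.2.10 443 A
1700000003.3 tcp 203.0.113.13 192.0.2.10 8080 A
1700000003.4 tcp 203.0.113.13 192.0.2.10 3389 A
1700000004.0 icmp 203.0.113.20 192.0.2.1 0 echo
1700000004.1 icmp 203.0.113.20 192.0.2.2 0 echo
1700000004.2 icmp 203.0.113.20 192.0.2.3 0 echo
1700000004.3 icmp 203.0.113.20 192.0.2.4 0 echo
1700000004.4 icmp 203.0.113.20 192.0.2.5 0 echo
"""


def parse_line(line):
    ts, proto, src, dst, dport, flags = line.split()
    return {"ts": float(ts), "proto": proto, "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def detect_scans(log_text, port_threshold=5, host_threshold=5, window=60.0):
    """Return {(src, kind): number of distinct targets} for every source
    whose probes of one kind hit at least the threshold within *window*
    seconds. Kinds: syn, null, fin, xmas, ack and ping_sweep."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]

    # A SYN from src to dst:port marks a genuine session start; later ACKs
    # on that tuple are normal traffic, not an ACK scan.
    syn_seen = {(e["src"], e["dst"], e["dport"])
                for e in events if e["proto"] == "tcp" and e["flags"] == "S"}

    buckets = defaultdict(lambda: {"targets": set(), "times": []})
    for e in events:
        if e["proto"] == "icmp" and e["flags"] == "echo":
            kind, target = "ping_sweep", e["dst"]       # distinct hosts probed
        elif e["proto"] == "tcp" and e["flags"] in SCAN_FLAGS:
            kind, target = SCAN_FLAGS[e["flags"]], (e["dst"], e["dport"])
            if kind == "ack" and (e["src"], e["dst"], e["dport"]) in syn_seen:
                continue
        else:
            continue                                     # ordinary traffic
        b = buckets[(e["src"], kind)]
        b["targets"].add(target)
        b["times"].append(e["ts"])

    findings = {}
    for (src, kind), b in buckets.items():
        threshold = host_threshold if kind == "ping_sweep" else port_threshold
        if len(b["targets"]) >= threshold and max(b["times"]) - min(b["times"]) <= window:
            findings[(src, kind)] = len(b["targets"])
    return findings
```

The single window check means a scan spread over longer than the window is not reported; a production detector would use a sliding window and lower thresholds for the rarer flag combinations, since a handful of Xmas packets is already anomalous.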

3. Discovery of services and their versions.

When scanning a remote system, it may be revealed that ports 25/tcp, 80/tcp and 53/udp are open. From this alone you can infer that these ports probably correspond to a mail server (SMTP), a web server (HTTP) and a domain name server (DNS) respectively. This inference is usually correct, since the vast majority of services using TCP port 25 are, in fact, mail servers. However, you should not rely entirely on it: people can and do run services on non-standard ports.

After any TCP and/or UDP ports have been detected, they are identified in order to determine which applications (services) use them. Using a database of probes to send to various services and corresponding expressions to recognise and analyse the responses, it is possible to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, the hostname, the device type (e.g. printer, router), the OS family (e.g. Windows, Linux) and sometimes various details such as whether it is possible to connect to the X server, the SSH protocol version, or a username.

4. Scan to determine the OS.

It is possible to determine the OS on a remote system based on analysis of the TCP/IP stack. A series of TCP and UDP packets are sent to the remote host and virtually every bit in the responses is examined. After conducting many tests such as TCP ISN sampling, TCP option support, IP ID sampling, and analyzing the duration of the initialization procedure, the results are compared with a database containing known sets of typical results for different OSes and, if matches are found, a conclusion can be drawn about the installed OS.

5. Vulnerability scanning.

Vulnerability scanning is a fully or partially automated process of collecting information about a node of an information network (personal computers, servers, telecommunications equipment): its availability, the network services and applications running on it and their identification, and the ports these services and applications use, in order to determine existing or possible vulnerabilities.
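Service identification (step 3) and vulnerability scanning (step 5) share one mechanism: match the captured response against a signature database, then compare the version it reveals with a known fix level. The following is an added example, not code from the original text, that does both on a handful of banners; it also shows the point made in step 3 that the port does not define the service (an SSH banner on 8443 is still identified as SSH). The banners are constructed, and the fix levels in VULNERABLE_BELOW are placeholders for the example, not real advisory data.

```python
"""Identify services from captured banners, independent of the port, and
compare the reported version with a fix level.

Added example, not code from the original text. The banners are
constructed; the fix levels in VULNERABLE_BELOW are placeholders for the
example and must not be read as real advisory data.
"""
import re

# Constructed signature database: protocol name and a regex over the banner
# with 'product' and (optionally) 'version' groups. First match wins.
SIGNATURES = [
    ("ssh",  re.compile(r"SSH-[\d.]+-(?P<product>OpenSSH)[_ ](?P<version>\d[\w.]*)")),
    ("ftp",  re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD) (?P<version>[\d.]+)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>Postfix|Exim)(?:[ (]+(?P<version>[\d.]+))?")),
    ("http", re.compile(r"^Server: (?P<product>Apache|nginx)/(?P<version>[\d.]+)", re.M)),
]

# PLACEHOLDER fix levels: versions below these are reported for follow-up.
VULNERABLE_BELOW = {"OpenSSH": (8, 0), "vsFTPd": (3, 0, 0), "nginx": (1, 16, 0)}

# Constructed banners as a scanner would capture them; note SSH on 8443.
SAMPLE_BANNERS = [
    (22,   "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
    (21,   "220 (vsFTPd 3.0.3)\r\n"),
    (25,   "220 mail.example.test ESMTP Postfix\r\n"),
    (8080, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n"),
    (8443, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    (9000, "\x00\x01\x02hello\r\n"),
]


def identify(banner: str):
    """Return {'protocol', 'product', 'version'} or None if nothing matches."""
    for proto, rx in SIGNATURES:
        if proto == "http" and not banner.startswith("HTTP/"):
            continue
        m = rx.search(banner)
        if m:
            return {"protocol": proto, "product": m.group("product"),
                    "version": m.group("version") or None}
    return None


def version_tuple(version: str) -> tuple:
    """'7.4p1' -> (7, 4, 1); good enough for ordering in this example."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def assess(port: int, banner: str) -> dict:
    ident = identify(banner)
    if ident is None:
        return {"port": port, "protocol": "unknown", "status": "unidentified"}
    fix_level = VULNERABLE_BELOW.get(ident["product"])
    if not ident["version"]:
        status = "version not disclosed"
    elif fix_level and version_tuple(ident["version"]) < fix_level:
        status = "below placeholder fix level"
    else:
        status = "at or above fix level"
    return {"port": port, **ident, "status": status}


def assess_all(banners) -> list:
    return [assess(port, banner) for port, banner in banners]


if __name__ == "__main__":
    for row in assess_all(SAMPLE_BANNERS):
        print(row)
```

Two caveats carry over to real scanners: a banner is self-reported and can be edited or suppressed (the Postfix line discloses no version at all), and distribution packages backport fixes without changing the upstream version string, so "below fix level" is a lead for verification, not a confirmed vulnerability.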

2.3 Hacking the system.

The success of implementing a particular hacking algorithm in practice largely depends on the architecture and configuration of the specific operating system that is the target of this hack.

However, there are approaches that can be applied to almost any operating system:

  1. Password theft.
  2. Monitoring the user as he enters a password that gives him the right to work with the operating system.
  3. Retrieving a password from the file in which the password was saved by the user.
  4. Search for a password, which users often write down on paper.
  5. Theft of an external storage medium for password information (floppy disk or electronic key on which the user's password is stored for logging into the operating system).
  6. Complete search of all possible password options.
  7. Selection of a password based on the frequency of occurrence of symbols and bigrams, using personal dictionaries and the most frequently used passwords.
  8. Scanning computer hard drives.
  9. Garbage collection (recovering residual data from memory or disk blocks that were freed but not cleared).
  10. Exceeding authority (by exploiting errors in the software or in the administration of the operating system, the researcher obtains privileges beyond those granted to him under the current security policy).
  11. Running a program as a user with the necessary permissions, or as a system program (driver, service, daemon, etc.).
  12. Substituting a dynamically loaded library used by system programs or changing environment variables that describe the path to such libraries.
  13. Modification of the code or data of the security subsystem of the operating system itself.
  14. Denial of service (the purpose of this attack is to partially or completely disable the operating system).
  15. Capture resources (the controlled program captures all resources available in the operating system, and then enters an endless loop).
  16. Bombardment with requests (a controlled program constantly sends requests to the operating system, the response to which requires the involvement of significant computer resources).
  17. Exploiting bugs in software or administration.
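Items 6 and 7 (exhaustive and dictionary-based password guessing) are the ones an operating system can defend against directly, and the "block the account after N incorrect attempts" setting mentioned in section 1 is exactly that defence. The following is an added example, not code from the original text: it replays an sshd-style authentication log, applies a lockout policy (N failures within a window lock the account for a fixed time, so that even a correct password presented during the lockout is refused) and separately flags a source that tries several different accounts, which is the pattern dictionary and common-password guessing produces. The log lines, hosts and users are constructed.

```python
"""Apply an account-lockout policy and spot password-guessing in auth logs.

Added example, not code from the original text. SAMPLE_AUTH_LOG is
constructed in an sshd-like layout; hosts and users are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 50001 ssh2
2024-05-01T08:00:05 sshd[1201]: Failed password for alice from 203.0.113.7 port 50002 ssh2
2024-05-01T08:00:09 sshd[1201]: Failed password for alice from 203.0.113.7 port 50003 ssh2
2024-05-01T08:00:13 sshd[1201]: Failed password for alice from 203.0.113.7 port 50004 ssh2
2024-05-01T08:00:17 sshd[1201]: Failed password for alice from 203.0.113.7 port 50005 ssh2
2024-05-01T08:00:40 sshd[1201]: Accepted password for alice from 203.0.113.7 port 50006 ssh2
2024-05-01T08:05:00 sshd[1202]: Failed password for bob from 198.51.100.3 port 40001 ssh2
2024-05-01T08:05:10 sshd[1202]: Accepted password for bob from 198.51.100.3 port 40002 ssh2
2024-05-01T08:10:00 sshd[1203]: Failed password for carol from 203.0.113.9 port 41001 ssh2
2024-05-01T08:10:01 sshd[1203]: Failed password for dave from 203.0.113.9 port 41002 ssh2
2024-05-01T08:10:02 sshd[1203]: Failed password for erin from 203.0.113.9 port 41003 ssh2
2024-05-01T08:10:03 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 41004 ssh2
"""

LINE_RX = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_auth(line: str):
    """Return (timestamp, 'Failed'|'Accepted', user, ip) or None."""
    m = LINE_RX.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]


def evaluate(log_text: str, max_failures=5, window=timedelta(minutes=10),
             lock_duration=timedelta(minutes=15), spray_threshold=3) -> dict:
    """Replay the log in order and return:
    locked   - {user: time the lockout started}
    denied   - (time, user, ip) of correct passwords presented while locked;
               the policy would still reject these
    spraying - {ip: distinct users} for sources trying several accounts
    """
    failures = defaultdict(deque)        # user -> recent failure times
    users_per_ip = defaultdict(set)
    locked, denied = {}, []
    for line in log_text.splitlines():
        ev = parse_auth(line)
        if ev is None:
            continue
        ts, outcome, user, ip = ev
        if outcome == "Failed":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > window:  # keep only failures inside the window
                q.popleft()
            users_per_ip[ip].add(user)
            if len(q) >= max_failures and user not in locked:
                locked[user] = ts
        elif user in locked and ts < locked[user] + lock_duration:
            denied.append((ts, user, ip))
    spraying = {ip: len(u) for ip, u in users_per_ip.items() if len(u) >= spray_threshold}
    return {"locked": locked, "denied": denied, "spraying": spraying}
```

The per-source view matters because a lockout counter alone never fires against guessing that tries one common password across many accounts; each account sees a single failure. That is also why a tester agrees the lockout threshold in advance: a noisy dictionary run can lock out real users on a 24/7 system.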

2.4 Malicious software.

Very often, malware is used to gain access to an infected system. Typically, malware with backdoor functionality is posted on a file-sharing resource under the guise of a legitimate program.

Malicious software is software developed to gain unauthorised access to a computer's computing resources and to the data stored on it. Such programs are intended to cause damage to the owner of the information or the computer by copying, distorting, deleting or substituting information.

Trojans are malicious programs that perform actions that are not authorized by the user. Such actions may include:

  1. Deleting data
  2. Data blocking
  3. Changing data
  4. Copying data
  5. Slowdown of computers and computer networks.

Trojans are classified according to the type of actions they perform on a computer.

  1. Backdoors. The backdoor Trojan program allows attackers to remotely control infected computers. Such programs allow the author to perform any actions on the infected computer, including sending, receiving, opening and deleting files, displaying data and restarting the computer. Backdoor Trojans are often used to unite a group of victim computers into a botnet or zombie network for criminal use.
  2. Exploits. Exploits are programs with data or code that exploit a vulnerability in applications running on a computer.
  3. Rootkits. Rootkits are programs designed to hide certain objects or actions within a system. Often their main purpose is to prevent antivirus software from detecting malware in order to increase the operating time of these programs on the infected computer.

2.5 Social engineering.

In order for malware to end up on the attacked information system, social engineering is used. Social engineering is a method of unauthorised access to information resources based on the characteristics of human psychology. The main goal of social engineers is to gain access to protected systems in order to steal information, passwords, credit card data, etc. It is not the machine that is chosen as the target of the attack but its operator. Therefore all the methods and techniques of social engineers are based on exploiting the weaknesses of the human factor.

There are several common techniques and types of attack that social engineers use. The common feature of all of them is deception, with the aim of getting a person to perform some action that does not benefit him but is needed by the social engineer. To achieve the desired result the social engineer uses a variety of tactics: impersonating another person, distracting attention, raising psychological tension, and so on. The ultimate goals of the deception can likewise be very diverse.

Social engineering techniques:

  • Pretexting. Pretexting is a set of actions carried out according to a specific, pre-prepared scenario (pretext).
  • Phishing. Phishing (from fishing) is a type of Internet fraud whose purpose is to gain access to confidential user data, that is, logins and passwords, and thereby to obtain confidential information illegally.
  • Quid pro quo. Quid pro quo (Latin for "this for that", i.e. a favour in return for a favour). Often a social engineer introduces himself as a technical support employee who reports technical problems at the employee's workplace and offers help in resolving them.

A 2003 Information Security study found that 90% of office workers would be willing to divulge confidential information, such as their passwords, in exchange for a favor or reward.

  • Trojan horse. A Trojan is a malicious program used by attackers to collect, destroy or modify information, disrupt computer performance, or use user resources for their own purposes. This technique often exploits the target's curiosity and other emotions.

Organization of a pseudo-attack.

To organise a pseudo-attack on a computer system we use the Social Engineering Toolkit (SET) and the Metasploit Framework (MSF). These utilities are included by default in the Backtrack 5 distribution, which is designed for testing whether systems and networks can be hacked. We also use two virtual machines with the following operating systems: Windows 7 and Backtrack 5.

Backdoor generation. We will use SET to create a reverse TCP backdoor, and MSF to create a handler to process packets from the created backdoor; the handler will maintain a communication channel between a potential attacker and the system on which the backdoor is launched.

All actions are performed in console mode on Backtrack 5. The payload is created through the SET utility, item 4 Create a Payload and Listener.

A payload with reverse TCP (to establish the return connection) is created by selecting item 2 Windows Reverse_TCP Meterpreter and then item 16 Backdoored Executable. This completes the creation of the backdoor. When creating it, the port number over which the return connection will be made is also specified. The file msf.exe will be generated in the folder /pentest/exploits/SET according to the options selected.

Setting up the exploit. The exploit is designed to receive the TCP connection from the created backdoor. It is configured by launching MSF and selecting the handler exploit (listener): use exploit/multi/handler.

As a result, MSF switches to the context of the handler exploit. The next task is to configure the payload for this exploit. Since the backdoor was created as a Reverse_TCP Meterpreter payload, information is exchanged over a TCP connection: set payload windows/meterpreter/reverse_tcp. In addition, the Local Host (LHOST, the IP address of the potential attacker) must be set in the options.

Running the handler brings you into the Meterpreter context, where the sessions to which you can connect are listed. A session appears after the backdoor is launched on the remote machine, which in practice is sometimes achieved through social engineering.

To simulate this process, the backdoor is launched on the second virtual machine. After this a session to that system is available in Meterpreter, that is, our backdoor provides a communication channel and we gain control over the infected machine.
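What makes this exchange visible to the defender is the direction of the connection: the infected workstation opens a TCP session outwards to the handler's address and port and keeps it alive, and if the handler is down it keeps trying to reconnect. The following is an added example, not code from the original text, that reads outbound flow records and reports workstation-to-Internet connections on ports outside a placeholder egress policy when they are either long-lived or repeated at a regular interval. SAMPLE_FLOWS, the ALLOWED_OUTBOUND_PORTS policy and the addresses are constructed for the example.

```python
"""Spot the connection pattern a reverse-TCP backdoor leaves in outbound
flow records: a workstation holding a long session to an external host on
a non-standard port, or reconnecting to it at a fixed interval.

Added example, not code from the original text. SAMPLE_FLOWS is
constructed in a 'timestamp src dst dport duration_seconds' layout;
ALLOWED_OUTBOUND_PORTS is a placeholder egress policy; addresses are from
private (RFC 1918) and documentation ranges.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

ALLOWED_OUTBOUND_PORTS = {53, 80, 123, 443}   # placeholder egress policy

# RFC 1918 space counts as "inside"; ipaddress.is_private is not used here
# because it also marks the documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_FLOWS = """\
1700000000 10.0.4.17 203.0.113.50 4444 7200
1700000010 10.0.4.21 198.51.100.20 443 5000
1700003600 10.0.4.18 203.0.113.51 8081 2
1700003660 10.0.4.18 203.0.113.51 8081 2
1700003720 10.0.4.18 203.0.113.51 8081 2
1700003780 10.0.4.18 203.0.113.51 8081 2
1700003840 10.0.4.18 203.0.113.51 8081 2
1700000005 10.0.4.22 198.51.100.30 8443 3
1700000012 10.0.4.22 198.51.100.30 8443 3
1700000300 10.0.4.22 198.51.100.30 8443 3
1700000900 10.0.4.22 198.51.100.30 8443 3
"""


def _internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _regular(times, max_cv):
    """True if the gaps between sorted *times* have a low coefficient of variation."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def find_suspicious_outbound(flows: str, long_seconds=3600,
                             min_reconnects=4, max_cv=0.2) -> list:
    by_key = defaultdict(list)
    for line in flows.splitlines():
        ts, src, dst, dport, dur = line.split()
        dport = int(dport)
        # Only inside -> Internet flows on ports the policy does not allow.
        if _internal(src) and not _internal(dst) and dport not in ALLOWED_OUTBOUND_PORTS:
            by_key[(src, dst, dport)].append((int(ts), int(dur)))
    findings = []
    for (src, dst, dport), recs in by_key.items():
        reasons = []
        if any(dur >= long_seconds for _, dur in recs):
            reasons.append("long_lived")
        times = sorted(ts for ts, _ in recs)
        if len(times) >= min_reconnects and _regular(times, max_cv):
            reasons.append("regular_reconnects")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_outbound(SAMPLE_FLOWS):
        print(f)
```

In the sample, 10.0.4.17 holds a two-hour session on port 4444 and 10.0.4.18 reconnects to port 8081 every 60 seconds; both are reported, while the irregular short connections from 10.0.4.22 are not. The strongest mitigation is the egress policy itself: if workstations may only reach the Internet through a proxy on the allowed ports, the return connection never completes and the handler never sees a session.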

It is traditionally believed that system security testing is performed only from the outside, when a remote penetration attack into the network is simulated. In most cases, companies make efforts to protect against remote intrusion by using firewalls and other security enhancements. However, given the proliferation of smartphones and Wi-Fi networks, there are ways to penetrate the network inside an office building.

Mobile phones have many functions: Wi-Fi support, a video camera, a hard drive, a constant connection to 3G and 4G networks and a large number of applications. Moreover, if the phone has root access, its hardware and network capabilities are not only comparable to a desktop computer, but even surpass it in some respects. All this allows smartphones to be used for network penetration testing just like computers, and even more effectively, since the mobile device can be easily hidden in a pocket or inside an office building.

Warning: The information in this article is provided for informational purposes only. The presented tools should only be used to research and test your own networks and/or with the consent of the administrator. Some of the programs can disrupt the operation of both the phone and the network. DO NOT USE THESE METHODS ON PRODUCTION NETWORKS OR WHERE YOU ARE NOT AUTHORIZED TO DO SO.

Phone setup

In my experiments I use a phone running the Android operating system, more precisely a Samsung Galaxy S with privileged user rights. I highly recommend getting root access by installing new firmware, e.g. Cyanogen (I used Cyanogen 7). Many of the applications mentioned in the article require root user rights. It is also advisable to conduct experiments on something other than your work phone, since a rooted phone is less protected from malware.

You can install most Linux distributions on Android phones, including Backtrack 5, using GitBrew. However, using Linux on an Android phone is a bit confusing, and you may be more comfortable using a netbook. Although in this article, I will be using some specific Android OS apps that provide certain hardware benefits to smartphones. If you have successful experience using other platforms, share it in the comments.

Network and vulnerability scanners

The first application I used during tests was the network browser. There are many such programs on the Android Marketplace. One of them is Network Discovery, which is free and does not require root user rights. The developers of this application have created a convenient design that allows you to take a look at network objects at a glance, which is not so easy to do given the limited screen area of a mobile phone. The program determines the operating system, type and manufacturer of the network device. Network Discovery is compatible with Wi-Fi networks, allowing you to connect to both open networks and password-protected networks.

In addition to connecting to the network, you must be able to search for available networks, open device ports, vulnerabilities, and so on and so forth. This is time consuming and requires a lot of tools. Two utilities will help us here. One of them is created by the Israeli company Zimperium. The second is , an open source project. The latter product has not been fully explored as bugs arose during testing, but once I have a working version of dSploit I will write a follow-up article.

Anti and dSploit utilities allow you to automate tasks to find vulnerabilities. When launched, they search for open networks, scan devices on the network, and attempt to test each device for vulnerabilities. If a flaw is detected, Anti tries to gain access to that device by running exploits from the Metasploit and ExploitDB database, after which you can perform remote administration, such as taking a screenshot of the screen or removing the disk from the device (to ensure that you have administrator rights in the system).

The basic version of Anti supports a small number of exploits, although the extended version, which the developers kindly provided me, has a much larger list. In addition, this utility allows you to select passwords using various dictionaries and other functions, some of which are included in the paid version of the program.

The “Cracker” function finds passwords for all open ports, and its operating time depends on the number of ports and the size of the loaded dictionary. While testing the network, I was able to discover several vulnerabilities. These were mainly public directories, as well as a router that had a standard password in the settings.

The built-in monitor allows you to get a list of Wi-Fi networks, find out the signal strength and network availability. The network scanner is quite fast, and I was able to scan a fairly large network in about 30 seconds. When you start the scan, the program will ask whether you need to conduct an additional detailed examination of your devices for vulnerabilities.

Anti and dSploit utilities are excellent tools for searching for vulnerabilities using mobile devices. The testing itself starts in one click, allowing you to find unprotected Wi-Fi networks and receive more detailed information automatically. In fact, you can run a search and put your phone in your pocket, making mobile devices a powerful tool for checking network security.