14. Network Attack Phases Flashcards
Classic model phases of compromise
- Reconnaissance
- Exploitation
- Reinforcement
- Consolidation
- Pillage
Sophisticated attacks will also
Come from a variety of IPs/locations
Be spread over a considerable period of time
Not all attacks will use all five phases
Reconnaissance
Attacker scopes out the network looking for:
- services
- vulnerabilities
- connectivity methods
Options:
- port scan
- banner grabbing
- DNS brute forcing
- Google
Port scan
One to one
- trivial or difficult to spot depending on speed of scan
One to many
- trivial or difficult to spot depending on speed of scan
Many to one
- difficult to spot, most likely coordinated from a botnet; each client may test a different port
IPv6 Port Scan
Less feasible because:
- 128 bits of IPv6 address space is considerably bigger than 32 bits of IPv4
- IPv6 subnets to which hosts attach will by default have 64 bits of host address space
- traditional methods of remote TCP or UDP port scanning to discover open or running services on a host are less computationally feasible because of the larger search space in the subnet
- the search space can be reduced in two ways:
1. if an admin numbers their hosts in a predictable way, [prefix]::1 upwards
2. in the case of statelessly autoconfiguring hosts, the host part of the address takes a well-known format including the Ethernet vendor prefix and fffe stuffing
In the 2nd case, the search space reduces to 24 bits (one probe per sec = takes 194 days)
Comparison IPv4 IPv6 port scanning
to see if a particular open service is running on a host in that subnet
IPv4 - 8 bits reserved for host addressing
Attacker probes 256 addresses
One probe per second; may take 5 mins to complete
IPv6 - 64 bits reserved for host addressing
Attacker probes 2^64 addresses
One probe per second; may take 5 billion years
Mitigating reduction of space in IPv6 host addressing
- Use IPv6 privacy extensions - hosts in the network only ever connect to external sites using their temporary privacy address; even if scanned, risk is reduced
- Admin to configure DHCPv6 so that the first addresses allocated from the pool begin much higher in the address space than [prefix]::1
Banner grabbing
Services give away their version, normally in the form of a banner
- might be a part of a port scan by tools such as nmap
Apache 2.2.24+ fixes some cross-site scripting issues
DNS brute force
Attempts to enumerate DNS hostnames by brute force guessing of common subdomains
Take commonly used system / service / server names and try them against the target domain
- get a list of potential targets
Often not detected - won’t trigger an IDS if not watching DNS traffic
Use Google
Detecting vulnerabilities with Google (without tripping IDS), eg find a vulnerable wiki installation using Google search options:
- to look on Janet domains: site:ac.uk
- to look for a specific wiki name: inurl:twiki
- or combine them: site:ac.uk inurl:twiki
Detecting reconnaissance
Attackers sniffing around for attack avenues? How to detect?
Can’t
Traffic may look normal
Too much ‘background’ noise
Unless very rapid scans from a single or small number of sources
Exploitation
After detecting a possible attack path
Try to exploit, to gain a level of control over the system:
- remote command execution
- buffer overflow
- SQL injection (poss if input filtering is not robust)
- Cross-site scripting (XSS) attack (insert malicious code into the content of a site - poss if the server doesn't check the input from a user that it reuses)
- brute force (eg pw dictionary attacks)
Detecting exploitation
Primary tool - IDS/IPS
- can block if observe a known attack
a 0-day attack won't have a corresponding signature so is not detected (attackers tend to save 0-days for prime targets)
Prudent to scan own network for known vulnerabilities, to detect & address them before exploited
Reinforcement
Attacker may:
- Retrieve tools - wget from another compromised system
- Escalate privileges - exploit a kernel vulnerability
- Install rootkit - to allow a back door in later
Detecting reinforcement
Network flow tools
Session statistics
Extrusion detection (web server connecting to an FTP server)
Consolidation
Attacker returns later via some covert channel or backdoor
- perhaps IRC
- backdoor may be clear text or encrypted
- may be long time after exploitation that attacker abuses the compromised system
Detecting consolidation
Network flow or session data
- look for protocol anomalies
- poss the back door is encrypted
- may need to look at full packet captures
Pillage
Attacker may:
- Steal
- Damage
- Attack other systems
- DoS, DDoS
Pillage detection
network flow data is valuable
traffic accounting tools
Summary of phases
Five phases - NSM Tools:
Reconnaissance - Portscan, netflow
Exploitation - IDS signatures
Reinforcement - Netflow / extrusion
Consolidation - Pcap, netflow
Pillage - Netflow, mrtg
NSM
Network Security Monitoring
portscan
A port scanner is a software application designed to probe a server or host for open ports.
netflow
Netflow is a feature that was introduced on Cisco routers that gives the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by Netflow, a network administrator can determine things such as the source and destination of the traffic, class of service, and the cause of congestion. Netflow consists of three components: flow caching, Flow Collector, and Data Analyzer.
IDS signatures
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats.
extrusion
Extrusion detection or outbound intrusion detection is a branch of intrusion detection aimed at developing mechanisms to identify successful and unsuccessful attempts to use the resources of a computer system to compromise other systems.
eg web server contacting an FTP server
pcap
pcap (packet capture) consists of an application programming interface (API) for capturing network traffic.
mrtg
Free software for monitoring and measuring the traffic load on network links. It allows the user to see the traffic load on a network over time in graphical form.