This article aims to explain the methodology generally used by hackers to break into a computer system. It does not explain how to compromise a system, but how to understand these methods so that a system is better able to withstand them. Indeed, the best way to protect your system is to proceed the same way hackers do, in order to map its vulnerabilities. So this article gives no details on how vulnerabilities are exploited, but explains how to identify and correct them.

Overall methodology

Hackers who intend to break into computer systems first look for flaws, that is to say vulnerabilities harmful to security, in the system, its protocols, its operating systems, its applications or even the staff of an organization! The terms vulnerability, breach or, in more familiar language, security hole are also used to designate security flaws. To implement an exploit (the technical term for taking advantage of a vulnerability), the hacker's first step is to gather as much information as possible on the network architecture and on the operating systems and applications running on it. Most attacks are the work of script kiddies who blindly try exploits found on the Internet without any knowledge of the system or of the risks associated with their act. Once the hacker has mapped the system, he is able to use exploits matching the versions of the applications he has identified. With a first access to a machine, he will extend his efforts to retrieve other information and possibly extend his privileges on the machine. When administrator access (root is the term generally used) is obtained, the machine is said to be compromised (or more precisely root-compromised), because the system files may have been modified. The hacker then has the highest level of rights on the machine. If he is a cracker, the last step is to cover his tracks, to avoid any suspicion on the part of the network administrator and so that he can keep control of the compromised machines for as long as possible.
Gathering system information

Obtaining information about the target network's addressing, generally referred to as fingerprinting, is a prerequisite for any attack. It consists of gathering as much information as possible about the communications infrastructure of the target network:
- IP addressing
- Domain name
- Network protocols
- Enabled services
- Server architecture
Consulting public databases

By knowing the public IP address of a network host, or simply the domain name of the organization, a hacker is potentially able to learn the addressing of the entire network, that is to say the range of public IP addresses belonging to the target organization and its division into sub-networks.

Consulting search engines

Simply consulting search engines can sometimes yield information about the structure of a company, the names of its main products, or even the names of certain individuals.

Scanning the network

When the attacker knows the network topology, he can scan it (the term sweep is also used), that is to say use a software tool (called a scanner) to determine which IP addresses are active on the network, which open ports correspond to available services, and which operating system these servers use. One of the most popular network scanners is Nmap, recognized by many network administrators as an essential tool for securing a network. This tool works by sending TCP or UDP packets to a set of machines on a network (determined by a network address and mask), then analyzing the responses. From the form of the TCP packets received, it is possible to determine the remote operating system of each machine scanned. There is another type of scanner, called a passive mapper (one of the best known is Siphon), which reveals the physical topology of the network segment whose packets the mapper analyzes. Unlike the previous scanners, this tool sends no packets on the network and is totally undetectable by intrusion detection systems. Finally, some tools can capture X connections (an X server is a server that manages the display of UNIX-type machines). This system has the peculiarity that the displays of other stations on the network can be used, so that an attacker can view what is shown on their screens and possibly intercept the keys entered by users of vulnerable machines.
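From the defender's side, an active sweep of the kind described above leaves a trail: one source touching many distinct ports on a host in a short time. The following is an added example, not code from the original article, that runs that check over constructed firewall log lines; the log format and the 60-second / 8-port thresholds are assumptions to adjust to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic). The format is an
# assumption: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """\
2011-02-03T18:22:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=21
2011-02-03T18:22:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=22
2011-02-03T18:22:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=23
2011-02-03T18:22:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=25
2011-02-03T18:22:03 DENY src=203.0.113.7 dst=198.51.100.5 dport=80
2011-02-03T18:22:03 DENY src=203.0.113.7 dst=198.51.100.5 dport=110
2011-02-03T18:22:04 DENY src=203.0.113.7 dst=198.51.100.5 dport=143
2011-02-03T18:22:04 DENY src=203.0.113.7 dst=198.51.100.5 dport=443
2011-02-03T18:22:05 DENY src=203.0.113.7 dst=198.51.100.5 dport=3306
2011-02-03T18:30:00 DENY src=192.0.2.9 dst=198.51.100.5 dport=22
2011-02-03T18:40:00 DENY src=192.0.2.9 dst=198.51.100.5 dport=22
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")

def parse_log(text):
    """Yield (timestamp, source_ip, destination_port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def find_port_sweeps(text, window=timedelta(seconds=60), min_ports=8):
    """Return {source_ip: ports} for every source that reached at least
    min_ports distinct ports within any sliding window of length `window`."""
    events = defaultdict(list)
    for ts, src, port in parse_log(text):
        events[src].append((ts, port))
    suspects = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[src] = ports
                break
    return suspects
```

The repeated SSH attempts from the second source are not flagged, since they hit a single port; and, as the text notes, a passive mapper sends nothing, so no log-based check will reveal it.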
Banner reading

When the network scan is finished, the cracker only has to examine the log files of the tools used to find the IP addresses of the machines connected to the network and the ports open on them. The open port numbers on the machines give information about the type of service, and thus invite the attacker to query the service for additional information, in particular the server version, held in a so-called "banner". Thus, to determine the version of an HTTP server, simply connect to the web server with telnet on port 80:

telnet www.thecustomizewindows.com 80

then ask for the home page:

GET / HTTP/1.0

The server then responds with the first lines:

HTTP/1.1 200 OK
Date: Mon, Fev 3, 2011 6:22:57 p.m. GMT
Server: Apache/1.3.20 (Unix) Debian / GNU

The operating system, server and version are then known.

Social engineering

Social engineering consists of manipulating human beings, that is to say exploiting the naivety and helpfulness of network users, to obtain information about the network. The method consists of contacting a user of the network, usually posing as someone else, to obtain information about the information system or possibly to obtain a password directly. Similarly, a security hole can be created in the remote system by sending a Trojan horse to some users: as soon as a user executes the attachment, access to the internal network is given to the attacker outside. That is why the security policy must be comprehensive and incorporate human factors (e.g. user awareness of security issues), because the security level of a system is that of its weakest link.

Identifying vulnerabilities

After establishing the inventory of software and possibly hardware, the hacker has to determine whether vulnerabilities exist. There are also vulnerability scanners that allow administrators to subject their network to penetration testing to see whether some applications have security vulnerabilities. The two main vulnerability scanners are:
It is also recommended that network administrators regularly check the sites maintaining a database of vulnerabilities, such as SecurityFocus / Vulnerabilities. Likewise, some agencies, particularly the CERTs (Computer Emergency Response Teams), are responsible for collecting vulnerabilities and federating information on security issues: CERT STI, dedicated to the French Industry, Services and Tertiary community; CERT IST, dedicated to the French administration; and CERT RENATER, dedicated to the member community of GIP RENATER (National Network of Telecommunications for Technology, Education and Research).

The intrusion

When the attacker has compiled a map of the resources and machines on the network, he is able to prepare his intrusion. To enter the network, the attacker needs access to valid accounts on the machines he has identified. To this end, hackers use several methods:
- Social engineering, that is to say contacting some network users (by e-mail or by telephone) to extract information about their login and password. This is usually done by posing as the network administrator.
- Consulting the directory, messaging or file-sharing services to find valid usernames.
- Exploiting vulnerabilities in the Berkeley r* commands.
- Brute-force attacks (brute-force cracking), that is to say automatically trying different passwords on a list of accounts (e.g. the identifier, optionally followed by a digit, or the password password or passwd, etc.).

Extension of privileges

When the attacker has obtained one or more network accesses by getting hold of one or more poorly protected accounts, he will try to increase his privileges by gaining root access; this is called extension of privileges. Once root access has been obtained on a machine, the attacker has the opportunity to examine the network for additional information.
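Returning to the banner-reading step: an administrator can run the same HTTP exchange against his own servers and check what the banner gives away before looking the version up in the vulnerability databases mentioned above. The following is an added example, not code from the original article, that parses a response like the one shown and flags version disclosure; the sample response is constructed and the header format assumed is the standard CRLF-separated one.

```python
import re

# Constructed sample response, modelled on the telnet exchange in the article
# (the banner values are illustrative, not those of a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, Feb 3 2011 18:22:57 GMT\r\n"
    "Server: Apache/1.3.20 (Unix) Debian/GNU\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# "<product>/<dotted version>" at the start of the Server value, e.g. Apache/1.3.20
VERSION_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body, keep the head
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_banner(raw):
    """Report what the Server header discloses.

    Returns the product, the version if one is leaked, and a 'disclosure'
    flag the administrator can act on (e.g. by disabling version strings
    in the server configuration)."""
    _, headers = parse_headers(raw)
    banner = headers.get("server", "")
    m = VERSION_RE.match(banner)
    return {
        "server": banner,
        "product": m.group(1) if m else (banner.split()[0] if banner else None),
        "version": m.group(2) if m else None,
        "disclosure": bool(m),
    }
```

A banner reduced to the bare product name (or removed entirely) still identifies the service type from the port, but no longer hands the attacker the exact version to match against an exploit.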
It is possible to install a sniffer, that is to say software capable of listening to (the term sniffing is also used) network traffic to or from machines located on the same segment. Using this technique, the attacker can hope to recover username/password pairs giving access to accounts with extensive privileges on other machines of the network (e.g. access to an administrator account), in order to control a larger portion of the network. NIS servers on a network are also prime targets for hackers because they are full of information on the network and its users.

Compromise

Thanks to the previous steps, the hacker has been able to compile a complete map of the network, the machines on it and their flaws, and has root access on at least one of them. It is then possible to extend his activities further by exploiting the trust relationships between the different machines. This impersonation technique, called spoofing, allows the hacker to enter privileged networks to which the compromised machine has access.

Backdoor

When a hacker has managed to infiltrate a corporate network and compromise a machine, he may want to come back. To do this he will install an application that artificially creates a security vulnerability; this is called a backdoor.

Covering tracks

When the intruder has obtained a level of control over the network, he still has to erase the traces of his passage by deleting the files he created and cleaning the log files of the machines he entered, that is to say by deleting the lines recording his activity. Moreover, there is software called "rootkits" that replaces the system administration tools with modified versions to mask the presence of the hacker on the system. Indeed, if the administrator logs in at the same time as the hacker, he is likely to notice the services the intruder launched, or simply that another person is connected simultaneously. The purpose of a rootkit is to deceive the administrator by hiding this reality from him.
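Because a rootkit of the kind just described works by swapping administration tools for modified copies, the usual countermeasure is to hash those tools while the host is known-good and compare later. The following is an added example, not code from the original article, that builds such a baseline and detects a replaced tool; the watched paths and the replaced-`ps` scenario are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Administration tools a rootkit typically replaces (per the article); the
# paths are illustrative and relative to a root directory.
WATCHED = ["bin/ps", "bin/ls", "bin/netstat", "bin/login"]

def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, names=WATCHED):
    """Record the hash of each watched file under `root`; run this only while
    the host is trusted, and store the result off the host."""
    return {n: sha256_of(os.path.join(root, n)) for n in names}

def check_integrity(root, baseline):
    """Return the watched files whose current hash differs from the baseline
    (a missing file counts as changed)."""
    changed = []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path) or sha256_of(path) != expected:
            changed.append(name)
    return changed

def demo():
    """Constructed scenario: take a baseline, then simulate `ps` being replaced."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for n in WATCHED:
        with open(os.path.join(root, n), "wb") as f:
            f.write(b"original tool: " + n.encode())
    baseline = build_baseline(root)
    assert check_integrity(root, baseline) == []      # clean host: nothing changed
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"modified tool that hides the intruder's processes")
    return check_integrity(root, baseline)
```

The baseline must live on read-only or off-host storage, since an intruder with root could otherwise rewrite it; and a rootkit that hooks the kernel rather than replacing binaries can lie to the hashing tool itself, so this check only covers the replaced-binary case the article describes.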
Conclusion

It is up to every network manager connected to the Internet to ensure the network's security, and therefore to test it for flaws. That is why a network administrator must be aware of the vulnerabilities in the software he uses and must "put himself in the shoes of a hacker" to try to break into his own system, remaining continually in a state of paranoia. When the skills within the company are not sufficient to carry out this operation, an audit by a company specializing in computer security is recommended.