14. Network Attack Phases Flashcards
Classic model phases of compromise
1. Reconnaissance
2. Exploitation
3. Reinforcement
4. Consolidation
5. Pillage
Sophisticated attacks will also:
- come from a variety of IPs/locations
- be spread over a considerable period of time
Not all attacks will use all five phases.
Reconnaissance
Attacker scopes out the network looking for:
- services
- vulnerabilities
- connectivity methods
Options:
- port scan
- banner grabbing
- DNS brute forcing
- Google
Port scan
One to one (one source, one target)
- trivial or difficult to spot depending on speed of scan
One to many (one source, many targets)
- trivial or difficult to spot depending on speed of scan
Many to one (many sources, one target)
- difficult to spot; most likely coordinated from a botnet, where each client may test a different port
IPv6 Port Scan
Less feasible because:
- the 128-bit IPv6 address space is considerably bigger than the 32-bit IPv4 space
- IPv6 subnets to which hosts attach will by default have 64 bits of host address space
- traditional methods of remote TCP or UDP port scanning to discover open or running services on a host are less computationally feasible because of the larger search space in the subnet
- the search space can be reduced in two ways:
1. if an admin numbers their hosts in a predictable way, [prefix]::1 upwards
2. in the case of statelessly autoconfiguring hosts, the host part of the address takes a well-known format including the Ethernet vendor prefix and fffe stuffing
In the 2nd case the search space is reduced to 24 bits (at one probe per second the scan takes 194 days)
Comparison of IPv4 and IPv6 port scanning
Goal: to see if a particular open service is running on a host in that subnet
IPv4 - 8 bits reserved for host addressing
- attacker probes 256 addresses
- at one probe per second, may take 5 mins to complete
IPv6 - 64 bits reserved for host addressing
- attacker probes 2^64 addresses
- at one probe per second, may take 5 billion years
Mitigating the reduction of the IPv6 host address search space
- Use IPv6 privacy extensions - hosts in the network only ever connect to external sites using their temporary privacy address, so even if scanned the risk is reduced
- Admin to configure DHCPv6 so that the first addresses allocated from the pool begin much higher in the address space than [prefix]::1
Banner grabbing
Services give away their version, normally in the form of a banner
- might be a part of a port scan by tools such as nmap
- e.g. Apache 2.2.24+ fixes some cross-site scripting issues, so the version shown in the banner indicates whether those issues are still present
DNS brute force
Attempts to enumerate DNS hostnames by brute-force guessing of common subdomains
- take commonly used system / service / server names and try them against the target domain
- result: a list of potential targets
Often not detected - won't trigger an IDS if the IDS is not watching DNS traffic
Use Google
Detecting vulnerabilities with Google (without tripping an IDS), e.g. finding a vulnerable wiki installation using Google search options:
- to look on Janet domains: site:ac.uk
- to look for a specific wiki name: inurl:twiki
- or combine them: site:ac.uk inurl:twiki
Detecting reconnaissance
Attackers sniffing around for attack avenues - how to detect?
Generally can't:
- traffic may look normal
- too much 'background' noise
- unless very rapid scans come from a single or small number of sources
Exploitation
After detecting a possible attack path, the attacker tries to exploit it to gain a level of control over the system:
- remote command execution
- buffer overflow
- SQL injection (possible if input filtering is not robust)
- cross-site scripting (XSS) attack (insert malicious code into the content of the site - possible if the server doesn't check the input from a user that it reuses)
- brute force (e.g. password dictionary attacks)
Detecting exploitation
Primary tool - IDS/IPS
- can block if it observes a known attack
- a 0-day attack won't have a corresponding signature, so it is not detected (attackers tend to save 0-days for prime targets)
Prudent to scan your own network for known vulnerabilities, to detect and address them before they are exploited
Reinforcement
Attacker may:
- retrieve tools - wget from another compromised system
- escalate privileges - exploit a kernel vulnerability
- install a rootkit - to allow a back door in later
Detecting reinforcement
- Network flow tools
- Session statistics
- Extrusion detection (e.g. a web server making an outbound connection to an FTP server)