Successful Network Attacks - Phase Two: Network Scanning

by Daelphinux

Every successful network attack will eventually become an active event.  When this happens, it means that the attacker has now committed to the attack and will do what they can to see it through to completion.  This is also the first step where there are definitive ways to detect what the attacker is doing that will alert you to an impending attack.

Phase Two is the first phase that would fall under the popular assumption of what people think of as "hacking."

In this phase an attacker will use a number of tools and their know-how to probe a network for any vulnerabilities, such as backdoors, known exploits, unused protocols, or weak protocols.  Building on network information retrieved from the last phase, the attacker will use tools such as Nmap, Nessus, Metasploit, the Zed Attack Proxy (ZAP), Xenotix, or Grabber to find exploits in websites, network equipment, end user devices, servers, or any other device the attacker can make a connection with (even printers).

During this process the attacker will certainly gather more useful data.  In this phase, even if relatively unsuccessful, the attacker will gain a significant amount of information about your network and the kinds of devices that exist on it.  Everything from IP maps, a good estimation of any subnets, network speeds, resilience, open ports on clients, appliances, and servers to any vulnerabilities in web applications.  This phase will let the attacker finish determining the most viable attack vector for the real "meat" of the attack.  This is the last chance for a defense to stop an attacker in their tracks and prevent the attack from succeeding.

Detecting a scan can be relatively easy.  Network slowdowns will begin showing up.  Once that happens, network administrators can look into access logs and will likely notice if a single IP address or small IP range is attempting to access multiple resources on multiple ports.  Once this occurs, action must be taken to prevent the attacker from gathering any significant information.  In more complex cases the attacker will use a botnet, or a host of zombie computers that are being controlled by malware, to perform the scan.  In any event, the network administrators should be able to determine when systems are being accessed in an irregular way, but it will not be as obvious and, by the time it is realized, it may be too late to prevent the scan from being successful.
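As an added example (not part of the original article), the pattern just described can be checked mechanically: read the edge firewall's log and flag any source address that reaches many distinct ports or hosts within a short window. The log format and the sample lines are constructed for this example and are not taken from any particular product.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in an assumed key=value format (not from the article).
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=22 action=DROP
2024-05-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=23 action=DROP
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=80 action=ACCEPT
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.11 dport=443 action=ACCEPT
2024-05-01T10:00:03 src=203.0.113.5 dst=192.0.2.11 dport=3389 action=DROP
2024-05-01T10:00:03 src=203.0.113.5 dst=192.0.2.12 dport=445 action=DROP
2024-05-01T10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT
2024-05-01T10:30:00 src=203.0.113.5 dst=192.0.2.10 dport=25 action=DROP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\S+$"
)

def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def find_scanners(text, window_seconds=60, port_threshold=5):
    """Return {src: (distinct_ports, distinct_hosts)} for every source that reached
    at least port_threshold distinct ports within some window_seconds-long window."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        events[src].append((ts, dst, dport))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the sliding window below is valid
        start, best = 0, None
        for end in range(len(evs)):
            # advance the window start until the window spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, _, p in evs[start:end + 1]}
            hosts = {h for _, h, _ in evs[start:end + 1]}
            if len(ports) >= port_threshold and (best is None or len(ports) > best[0]):
                best = (len(ports), len(hosts))  # remember the busiest window per source
        if best:
            flagged[src] = best
    return flagged
```

Note that the probe at 10:30 falls outside the 60-second window and is not counted, which is exactly how a slow, spread-out scan evades this kind of check; the window and threshold have to be tuned against the network's own baseline.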

Preventing the scanning portion of an attack can be managed by ensuring that an attacker cannot gather any useful information about the attacked network.  This can be achieved in a number of ways; namely the use of Network Address Translation (NAT), firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), patching, and proper administration.  Each of these tools and systems has their specific use and merit; together they form a very powerful defense against this phase and subsequent phases.  Each of these will be discussed at a high level as complete explanations are outside the scope of this series of articles.  More information is available, at length, online and in other publications.

The first thing that an entity can do to avoid being attacked is implement a NAT solution.  NAT solutions involve setting the network of an entity up in such a way that all traffic entering the network is directed at a single IP address.  This IP address usually points to an edge router that, with the help of other networking equipment and servers, will keep track of internal device IPs.  This edge router will then be able to properly direct incoming traffic to the appropriate recipient.  NATing a network makes it harder for an attacker to gain information about internal IP structures, thus making it harder for the attacker to navigate should the attack move to the next phase.

The next solutions are closely tied together.  These involve setting up various firewalls with an IDS or an IPS (sometimes both).  Usually an entity, especially one with an externally facing website, will set up (at least) a pair of firewalls.  One, the external firewall, forms the first line of defense and contains rules that allow incoming traffic to reach Internet servers, extranet resources, and other information that is meant to be accessible to the outside (customers, clients, visitors, etc.).  The area between the two firewalls is the Demilitarized Zone, or DMZ.  The DMZ forms a layer of protection in itself by hosting servers that cannot be used to compromise the internal network and which house nothing particularly useful, while still posing as potential targets to less-savvy attackers.  Past the DMZ sit the internal firewall and the IDS or IPS.  These have significantly stricter rules controlling traffic moving in and out of the network.  The firewall uses human-created rules to prevent malicious or unwanted traffic from accessing the network at all.  The IDS or IPS, however, are more dynamic.

Both IDS and IPS can be used to heuristically determine malicious or abnormal traffic patterns and act upon them.  They do this either by a set of human-created rules or by gathering a baseline of data when they are first connected to a network.  An IDS will use these developed rules to determine if a traffic pattern is potentially malicious and then inform an administrator.  This administrator will then look at the traffic and take appropriate action.  This system simply detects the traffic and lets someone know.  An IPS will perform the same monitoring and determinations regarding traffic; however, if it determines that the traffic patterns are malicious, it will take a pre-set action, usually cutting the connection or blacklisting the IP, and inform the administrator that action was taken.  The IPS is far more active in the security process.  While both are useful, it should be determined which is more fitting in the context of false positives.  If an IDS raises a false positive, an administrator will take no action, whitelist the pattern, and move on; however, the response time to real threats is dramatically slower than with an IPS.  The IPS, despite its faster response time, can cause lost time in the event of a false positive if it takes action against acceptable traffic.  Both the pros and cons should be weighed when deciding which system to use.

Patching and proper administration also go hand-in-hand (as one should inform the other).  However, if it is not feasible for a business to have on-staff administrators for their systems and they instead use outsourced pay-by-hour support, at a bare minimum it should be the responsibility of a staff member to ensure network-connected systems are properly updated and patched.  This will ensure that exploits for which patches exist can no longer be used as attack vectors against an entity.  Ideally, however, there will be an administrator on staff who will ensure said patching.  Additionally, the administrator should take various precautions to ensure the systems are secure.  Servers, for instance, should run only the few services needed to perform their jobs.  This way, each server will have as few ports open as possible.  Further, access to systems should be properly managed to ensure that only those who need access have access to a given system.  Resource accounts and shared logins should be avoided unless absolutely necessary.  An administrator should also ensure that machines have the proper protective software installed and are regularly scanned for malware.  Finally, where appropriate, systems should have file auditing active so that if a breach occurs, the attacked entity will be able to determine what data was accessed and may have been compromised.

The above defenses will prove very strong and successful at fending off most casual attackers.  However, no defense is perfect.  In the event that these prove ineffective, the next courses of action depend largely on the acceptable level of risk for an entity and the intentions of the attacker.  In the event that the attacker simply wanted a complete listing of vulnerabilities as a test of their ability or to perform a job for another attacker, there is no more to defend against; the entity has been compromised.  However, usually after a scan, an attacker will formulate an attack vector and proceed to the third phase.  In that instance, the best course of action would be to prepare for an intrusion and begin defenses for Phase Three.  Additionally, an entity should perform scans on their own network occasionally and patch any vulnerabilities that they find.  Running such a scan as soon as an entity determines that an attacker's scan has taken place forms a suitable next-level defense.

Phase 1: Reconnaissance - Gathering as much useful information about the target as possible.

Phase 2: Scanning - Gathering useful information about the target's networks and any possible exploits.

Phase 3: Gaining Access - Getting into the network to be able to accomplish the attack's goal.

Phase 4: Maintaining Access - Ensuring access to the network persists long enough to accomplish the attack's goal.

Phase 5: Covering Tracks - Obfuscating the attacker's presence on the network such that they cannot be traced.