Tuesday, March 29, 2011

#5 - Attack Methodology

There are a few schools of thought when it comes to attack methodologies—the plan of attack that a hacker adopts when it comes to penetration testing a network. There are a few variances here and there but most people agree that a good methodology to adopt involves more or less five (5) steps:
  • Reconaissance
  • Scanning and Enumeration
  • Gaining Access (and Escalation of Privileges)
  • Maintaining Access
  • Covering Your Tracks
The preceding steps are the official attack methodology proposed by the EC-Council in its Certified Ethical Hacker (CEH) certification. For the purpose of the rest of the lessons, we'll stick to these steps, unless something else comes along.

Let's look at these steps a little more in-depth:
Reconnaissance is the act of gathering information. An attacker will attempt to gather as much information about a target (a company, a web site, or a platform) as they can. This reconnaissance can be either passive or active. For instance, an attacker wanting to gather information passively might perform some extremely thorough and pointed internet searches to find out as much as possible about a company. They might try to find Organization Charts, personnel listings, contact information.
BackTrack has some excellent reconnaissance tools built into it and we'll discuss them more in-depth in the next lesson. Also, we'll discuss a few tools that I think happen to do excellent jobs in the passive act of reconnaissance.
When we discuss active reconnaissance, however, we're typically speaking about an attacker who is scanning ports or services in order to obtain more in-depth knowledge about his victim. Walking along firewall rules and dumpster diving are other examples of this kind of reconnaissance.
Utilizing port scanners, vulnerability scanners and performing war dialing are all examples of what an attacker would use to accomplish this task. We're going to focus a lot of our time on nmap and nessus during these lessons but we'll determine if there are any other scanning tools that help perform these tasks better.
This step in an attack methodology is where the actual hack or attack takes place. The attacker launches some sort of attack against a service, a port, a login, etc. and is able to gain access to the system.
Once an attacker penetrates a system, they will most likely want to return for future use and they'll want to make sure that the system is easier to gain access next time. This is performed through the use of tools like rootkits and Trojan Horses that leave backdoors into systems.
Once you have implemented an attack, taken control of a box and left yourself a backdoor to enter any time you like, you need to cover your tracks and hide all signs you were ever there. This includes emptying of logs and wiping of system data.
All right. Now that we've determined what steps make up our attack methodology, let's take an in-depth look at Reconnaissance.

1 comment: