into the system if they are detected trying to enter through the front door, or if they want to enter the system without being detected. The most common backdoor is a listening port that provides remote access to the system for users (hackers) who do not have, or do not want to use, access or administrative privileges. Firewalls or router filtering may prevent the hacker from later reaching these ports. However, common router filtering may not block high-numbered TCP ports (or any UDP ports). In addition, firewalls and filters may allow traffic originating on a source port such as TCP 20, 53, or 8 to pass. When these ports are blocked, more complex back doors are necessary.

Reverse trafficking is a more complex backdoor technique that enables the attacker to bypass the existing security mechanisms. While routers and firewalls may block all unsolicited packets entering the network from the outside, a client inside the firewall can still initiate a connection on a specified port number to any host on the outside. Assume that a hacker installs a reverse trafficking Trojan horse that uses TCP port 80 to contact the hacker's computer on a regular basis. Because the client computer “pushes” a system-level command shell out to the hacker, the hacker can execute code on the “protected” computer.

The Code Red worm is an example of a backdoor that used reverse trafficking. When installed, Code Red used TCP port 80 to instruct unpatched web servers to initiate a TFTP connection from the server to a randomly chosen host on the Internet, from which the server obtained a piece of rogue code. Because the initiating traffic to the web server was legitimate HTTP, it passed the firewall. The firewalls and routers then allowed the web server to initiate a TFTP (UDP 69) connection to the hacker's computer. If the exploit is successful, the victim host serves defaced versions of all web pages requested from it.
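The reverse trafficking pattern just described (a protected host initiating the connection outward, as the Code Red web servers did with TFTP) is visible to a defender only at the egress point, so the added example below is a small egress-policy check over firewall log lines. It is not code from the course; the log format, the host roles, the addresses and the "web server may only make DNS queries" allowlist are all assumptions made up for the example. It flags two things: a server initiating an outbound connection its role does not require, and an internal host contacting the same outside address on a fixed schedule, which is what a Trojan horse that calls home on port 80 looks like from the firewall.

```python
"""Egress-policy check over constructed firewall log lines.

Added example, not from the course text.  Assumptions: a log line has the
form "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>", the
internal network is 192.0.2.0/24, 192.0.2.10 is a web server whose only
legitimate outbound traffic is DNS.  All addresses and times are made up.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2001-07-19T10:00:01 TCP 203.0.113.7:40211 -> 192.0.2.10:80 ALLOW
2001-07-19T10:00:02 UDP 192.0.2.10:1035 -> 198.51.100.44:69 ALLOW
2001-07-19T10:05:00 TCP 192.0.2.25:51000 -> 198.51.100.9:80 ALLOW
2001-07-19T10:10:00 TCP 192.0.2.25:51001 -> 198.51.100.9:80 ALLOW
2001-07-19T10:15:00 TCP 192.0.2.25:51002 -> 198.51.100.9:80 ALLOW
2001-07-19T10:20:00 TCP 192.0.2.25:51003 -> 198.51.100.9:80 ALLOW
2001-07-19T10:07:13 TCP 192.0.2.31:51500 -> 198.51.100.70:443 ALLOW
"""

INTERNAL_PREFIX = "192.0.2."
SERVERS = {"192.0.2.10"}                                   # hosts that should only accept
EGRESS_ALLOW = {"192.0.2.10": {("UDP", 53), ("TCP", 53)}}  # per-server outbound allowlist

def parse_line(line):
    ts, proto, src, _, dst, action = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "action": action}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def server_egress_violations(records):
    """A server initiating a connection to the outside that its role does not
    require (the Code Red case: web server -> random Internet host, UDP 69)."""
    hits = []
    for r in records:
        if r["src"] in SERVERS and not r["dst"].startswith(INTERNAL_PREFIX):
            if (r["proto"], r["dport"]) not in EGRESS_ALLOW.get(r["src"], set()):
                hits.append((r["src"], r["proto"], r["dst"], r["dport"]))
    return hits

def beacon_candidates(records, min_hits=4, jitter_seconds=30):
    """An internal host contacting the same external dst:port at a near-constant
    interval: the Trojan horse that contacts the hacker 'on a regular basis'.
    Returns (src, dst, dport, mean interval in seconds)."""
    by_pair = defaultdict(list)
    for r in records:
        if r["src"].startswith(INTERNAL_PREFIX) and not r["dst"].startswith(INTERNAL_PREFIX):
            by_pair[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            found.append((*pair, round(sum(gaps) / len(gaps))))
    return found

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for v in server_egress_violations(recs):
        print("server egress violation:", v)
    for b in beacon_candidates(recs):
        print("possible beacon (src, dst, port, interval s):", b)
```

The allowlist is the important design choice: rather than trying to enumerate bad ports, each server role lists the few outbound flows it legitimately needs, and everything else from that host is reported. The beacon check is deliberately coarse (four hits at a steady interval) and would be tuned against real traffic before use.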
Port Redirectors
Port redirectors can help bypass port filters, routers, and firewalls, and can evade intrusion detection. For example, assume that a firewall has ports 80 (HTTP) and 443 (HTTPS) open by default, but port 443 is unused. Assume also that there is a database server listening on port 3389 (ms-wbt-server). A hacker can select port 443 as a listening port and remain undetected, then set up a port redirector without disrupting operations. A port redirector takes traffic coming in on one port and directs it to another host on another port. In this example, the port redirector on the web server takes incoming traffic on port 443 and sends it out to port 3389 on the database server.
5.1 Thinking Like a Hacker
5.1.8 Step 7: Leverage the Compromised System
The hacker is now in control of the system and can take advantage of it by employing any of the techniques listed in Figure . After installing back doors and port redirectors on the fully compromised local system, hackers try to attack other systems. Recall that reverse trafficking enables hackers to bypass security mechanisms, and Trojan horses help hackers execute commands undetected. If the target host has failed-login auditing enabled or runs a third-party intrusion detection system (IDS), it will record the IP address or computer name of the host running the port redirector, not of the system the hacker is actually using. This makes it difficult to identify the attacker directly. After hackers gain administrative access, they move on to hacking other systems on the network. As each new system is hacked, the attacker repeats the steps outlined previously to gather additional system and password information. Hackers will try to scan and exploit a single system or a whole set of networks, and the whole process can be automated. It is difficult to identify this type of activity because the attacker is usually operating under the guise of a valid administrator account. Unless you catch the attacker before the person gains administrator access, it may be nearly impossible to flush the attacker from the network.
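The port redirector example above (traffic in on 443 at the web server, out to 3389 on the database server) and the point just made that auditing on the target records the redirector's address rather than the hacker's can be put together in a short correlation script, added here as an example that is not from the course. Assumed for the example: the database server's failed-login audit and the web server's connection log are both available, their formats are the constructed ones below, the two clocks agree, and all addresses and times are made up. The script takes each failure attributed to the web server and looks up which external session was open on the web server at that instant and which outbound hop it was making, which is the step an incident responder takes to get past the redirector's address to the real origin.

```python
"""Tracing a failed login back through a port redirector.

Added example, not from the course text.  Assumptions: the database server
writes a failed-login audit, the web server keeps a connection log with
session start and end times, both clocks agree.  Addresses and times are
constructed for the example.
"""
from datetime import datetime

WEB_SERVER = "192.0.2.10"      # host running the port redirector
DB_SERVER = "192.0.2.20"       # target listening on 3389
INTERNAL_PREFIX = "192.0.2."

# Constructed: failed-login audit on the database server.  The source it
# records is the web server, exactly as the text describes.
DB_AUDIT = """\
2001-07-19T22:14:03 LOGIN_FAILED user=administrator src=192.0.2.10
2001-07-19T22:14:09 LOGIN_FAILED user=administrator src=192.0.2.10
2001-07-19T22:30:00 LOGIN_FAILED user=jdoe src=192.0.2.55
"""

# Constructed: connection log on the web server, "<start> <end> <peer> -> <local>".
WEB_CONN_LOG = """\
2001-07-19T22:13:50 2001-07-19T22:15:00 198.51.100.70:50231 -> 192.0.2.10:443
2001-07-19T22:14:00 2001-07-19T22:14:01 203.0.113.9:33001 -> 192.0.2.10:80
2001-07-19T22:13:51 2001-07-19T22:15:00 192.0.2.10:41000 -> 192.0.2.20:3389
"""

def _endpoint(text):
    host, port = text.rsplit(":", 1)
    return host, int(port)

def parse_audit(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]})
    return events

def parse_conns(text):
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, peer, _, local = line.split()
        (src, sport), (dst, dport) = _endpoint(peer), _endpoint(local)
        conns.append({"start": datetime.fromisoformat(start),
                      "end": datetime.fromisoformat(end),
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return conns

def trace_through_redirector(audit_events, web_conns, redirector=WEB_SERVER):
    """For each failure the target attributes to the redirector host, list the
    external sessions open on that host at the same instant (the real origin)
    and the outbound hop the host was making at the time."""
    findings = []
    for ev in audit_events:
        if ev["kind"] != "LOGIN_FAILED" or ev["src"] != redirector:
            continue
        live = [c for c in web_conns if c["start"] <= ev["ts"] <= c["end"]]
        inbound = [c for c in live
                   if c["dst"] == redirector and not c["src"].startswith(INTERNAL_PREFIX)]
        outbound = [c for c in live if c["src"] == redirector]
        findings.append({
            "ts": ev["ts"], "user": ev["user"],
            "external_sources": sorted({c["src"] for c in inbound}),
            "inbound_ports": sorted({c["dport"] for c in inbound}),
            "forwarded_to": sorted({(c["dst"], c["dport"]) for c in outbound}),
        })
    return findings

if __name__ == "__main__":
    for f in trace_through_redirector(parse_audit(DB_AUDIT), parse_conns(WEB_CONN_LOG)):
        print(f"{f['ts']} failed login as {f['user']} on {DB_SERVER} came via "
              f"{WEB_SERVER}; external sessions open on it then: "
              f"{f['external_sources']} (ports {f['inbound_ports']}), "
              f"forwarded to {f['forwarded_to']}")
```

Two practical notes: the correlation only works if the redirector host's own logs survive, which is why forwarding logs off-host as they are written matters, and the time window is a single instant here; with clock skew or coarse timestamps you would widen it by a few seconds and accept more than one candidate session.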
5.1.9 Best Practices to Defeat Hackers
Defending your network against attack requires constant vigilance and education. These ten practices summarized in Figure represent the best insurance for your network:
- Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
- Shut down unnecessary services and ports.
- Use strong passwords and change them often.
- Control physical access to systems.
- Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A hacker can enter more than just a username. For example, entering “jdoe; rm -rf /” might allow an attacker to remove the root file system from a UNIX server. Programmers should limit input characters and not accept invalid characters such as | ; < > as possible input.
- Perform backups and test the backed up files on a regular basis.
- Educate employees about the risks of social engineering and develop strategies to validate identities over the phone, via e-mail, or in person.
- Encrypt and password-protect sensitive data.
- Implement security hardware and software such as firewalls, intrusion prevention systems (IPSs), antivirus software, and content filtering.
- Develop a written security policy for the company.
These methods are only a starting point for sound security management. Organizations must remain vigilant at all times to defend against continually evolving threats.
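The "avoid unnecessary web page inputs" practice in the list above describes a classic command injection. The added example below (not from the course) shows, the way a programmer would implement them, the two defences the text calls for: an allowlist that accepts only the characters a username can contain, set beside the weaker blocklist of `| ; < >` the text mentions, and a command builder that never passes the value through a shell. The lookup command (`finger`), the username character set and the 32-character limit are assumptions for the example.

```python
"""Input validation for a username field, with the shell-safe command form.

Added example, not from the course text.  Assumptions: a username is lowercase
letters, digits, '_', '.', '-', starts with a letter, and is at most 32
characters; the lookup command the site runs is 'finger'.
"""
import re

# Allowlist: anything not matching is rejected outright.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")

# The blocklist the course text mentions, kept only to show why it is weaker.
BLOCKED_CHARS = set("|;<>")

def validate_username(value):
    """Allowlist check.  Requiring a leading letter also means the value can
    never be mistaken for a command-line option such as '-f'."""
    return USERNAME_RE.fullmatch(value) is not None

def blocklist_only(value):
    """The weaker check: accept unless one of | ; < > appears.  It rejects the
    text's example, but it has no opinion about other shell syntax (a backquote,
    a newline), so it must never be the only control."""
    return not (BLOCKED_CHARS & set(value))

def unsafe_shell_string(value):
    """What the vulnerable pattern hands to a shell: the raw value is spliced
    into one command string, so ';' ends 'finger' and starts a second command.
    Returned as a string for inspection only; nothing here executes it."""
    return f"finger {value}"

def build_lookup_command(value):
    """Safe form: validate, then return an argv list meant for
    subprocess.run(argv) *without* shell=True.  The value is a single argument
    that no shell ever parses.  Returns None when the input is rejected."""
    if not validate_username(value):
        return None
    return ["finger", value]

if __name__ == "__main__":
    for candidate in ["jdoe", "jdoe; rm -rf /", "jdoe`id`", "-f"]:
        print(f"{candidate!r:20} allowlist={validate_username(candidate)!s:5} "
              f"blocklist={blocklist_only(candidate)!s:5} "
              f"argv={build_lookup_command(candidate)}")
```

The two controls are independent: the allowlist keeps bad values out of the application, and the argv form means that even a value that slips past validation is only ever one argument to the program, never text for a shell to interpret.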
5.2 Mitigating Network Attacks
5.2.1 Types of Network Attacks
An attack against an enterprise network occurs in several stages. In the initial stages, the attacker may have only limited information about the target. Figure illustrates these types of attack. One of the primary attacker objectives is to gather intelligence about the target's vulnerabilities. Reconnaissance attacks are the unauthorized collection of information about the network's weaknesses. Other attacks that typically do not require in-depth knowledge about the target include access attacks and denial of service (DoS) and distributed DoS (DDoS) attacks. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

DoS attacks are one of the most publicized forms of attack and are among the most difficult to eliminate completely. They can employ various techniques, such as overwhelming network resources, to render systems unavailable or reduce network functionality. A DoS attack on a server sends extremely large volumes of requests over a network or the Internet. These large volumes of requests cause the attacked server to slow down dramatically, leaving it unavailable for legitimate access and use. DDoS attacks are the “next generation” of DoS attacks on the Internet. Victims of DDoS attacks experience packet flooding from many different sources (possibly with spoofed IP source addresses) that overwhelms the network connectivity. In the past, the typical DoS attack involved a single attempt to flood a target host with packets. With DDoS tools, an attacker can conduct the same attack using thousands of systems.

Once the attacker has gathered information about the target network, or even has direct access to its resources as an inside user, a range of other attack types can be launched against the enterprise systems. Figure illustrates attacks requiring more intelligence or insider information. Worms, viruses, and Trojan horses are examples of malicious code that can compromise the hosts in the enterprise network. These attacks can either be injected by an inside user or be used to exploit a vulnerability in the network defense in order to compromise a protected system. Application layer attacks aim at the highest Open System Interconnection