Attack Phase 1: Reconnaissance
CS 493/693 Lecture,
Dr. Lawlor, 2006/02/08
The first phase of any attack is to gather information about the targets:
- Which machines are up and running. The standard tool for this is
"ping", which sends an ICMP "echo request" (the standard "ping packet",
designed for exactly this sort of connectivity testing) and waits for an
ICMP "echo reply". Many firewalls block ICMP echo requests, and some drop
ICMP entirely, so a machine that doesn't answer ping is not necessarily
down; attackers simply fall back to probing TCP ports directly.
- What network services (network ports) are open. The standard tool for this is "nmap" (for Linux and Windows), which sends (among many other options) a bare TCP "SYN" packet to each port to
see if it is open. If it is, the server responds with the usual
"SYN/ACK" (nmap never completes the handshake); if the port is closed,
the server answers with a "RST"; if nothing comes back at all, something
in between is dropping the traffic, and nmap reports the port as
"filtered". A standard countermeasure is to drop "SYN" traffic to unused
ports, or for a client machine, drop all incoming "SYN" requests
completely. Closed ports can't be used to attack your machine, so look
over the list of services you're running carefully and turn off anything
you don't actually need!
- What kind and version of server program is on each open
port. "wget -S" shows the HTTP response headers, whose "Server:" line
often carries an exact version number. "ssh -v" prints the remote
server's version string during connection setup. If you're really
paranoid, it is slightly better to configure your servers to give generic
responses (for example, Apache's "ServerTokens Prod" setting cuts the
header down to just "Apache") instead of a specific version number. Keep
in mind this only slows an attacker down; it is no substitute for
actually patching the server.
- What the security vulnerabilities are of each server. Once you have an exact product and version string, "google" (searching for that string along with "exploit" or "vulnerability") is among the most useful tools for this.
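The first three steps above, done by hand in Python as an added example (this is not code from the lecture): a TCP connect scan with banner grabbing, plus a small parser that pulls the product/version out of an SSH identification line or an HTTP "Server:" header. So that it runs offline, the scan targets two throwaway listeners started on 127.0.0.1, and the banners they send are constructed for the example (the version strings are illustrative, not a claim about any real host). nmap and "wget -S" are what you would actually use, but the open / closed / filtered classification is the same.

```python
# Added example, not from the lecture: a TCP connect scan with banner
# grabbing, run against throwaway listeners on 127.0.0.1 so it works offline.
import re
import socket
import threading

# Constructed banners standing in for what real servers send (the version
# strings are illustrative, not a claim about any particular host).
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_4.2p1 Debian-7\r\n"
FAKE_HTTP_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                      b"Server: Apache/2.0.55 (Debian)\r\n"
                      b"Content-Length: 0\r\n\r\n")

def start_fake_server(banner, speak_first):
    """Listen on an ephemeral localhost port and return the port number.
    speak_first=True mimics SSH (the server sends its version line as soon
    as you connect); False mimics HTTP (it waits for a request first)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if not speak_first:
                    conn.recv(1024)          # swallow the client's request
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def scan_port(host, port, timeout=1.0):
    """Classify one port the way a connect scan does and grab its banner.
    Completed handshake -> "open"; immediate RST -> "closed"; no answer
    within the timeout -> "filtered" (something dropped our SYN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", b""
    except socket.timeout:
        return "filtered", b""
    except OSError:                          # e.g. no route to host
        return "unreachable", b""
    with s:
        banner = b""
        try:
            banner = s.recv(1024)            # what the server volunteers
        except socket.timeout:
            pass
        if not banner:                       # silent server: try the wget -S trick
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                banner = s.recv(1024)
            except (socket.timeout, OSError):
                pass
    return "open", banner

SSH_RE = re.compile(rb"^SSH-[\d.]+-(?P<software>\S+)")
SERVER_RE = re.compile(rb"^Server:\s*(?P<software>.+?)\r?$", re.M | re.I)

def identify(banner):
    """Extract a product/version string from an SSH identification line or
    an HTTP Server: header; None if the banner gives nothing away, which is
    what a server configured for generic responses should return."""
    m = SSH_RE.match(banner) or SERVER_RE.search(banner)
    return m.group("software").decode(errors="replace") if m else None

def recon_localhost():
    """Start two fake services, scan them plus a port nothing listens on,
    and return ({port: (state, software)}, ssh_port, http_port, closed_port)."""
    ssh_port = start_fake_server(FAKE_SSH_BANNER, speak_first=True)
    http_port = start_fake_server(FAKE_HTTP_RESPONSE, speak_first=False)
    probe = socket.socket()                  # grab a free port, then release it,
    probe.bind(("127.0.0.1", 0))             # so we know it is closed
    closed_port = probe.getsockname()[1]
    probe.close()
    results = {}
    for port in (ssh_port, http_port, closed_port):
        state, banner = scan_port("127.0.0.1", port)
        results[port] = (state, identify(banner) if state == "open" else None)
    return results, ssh_port, http_port, closed_port

if __name__ == "__main__":
    results, *_ = recon_localhost()
    for port, (state, software) in sorted(results.items()):
        print(f"{port:5d}/tcp  {state:8s}  {software or ''}")
```

Note the asymmetry the scanner has to cope with: an SSH daemon talks first, so its version line arrives unprompted, while an HTTP server says nothing until it gets a request, so the scanner waits out its timeout and then sends a HEAD request, exactly what "wget -S" does. A "filtered" result can't be produced against localhost (nothing here drops packets); it shows up only when a firewall swallows the SYN.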
Many tools gather together several of these steps; for example, nmap can ping-sweep a whole subnet, port-scan every host that answers, and (with version detection turned on) guess the server program and version behind each open port.
Once a specific server and version is identified, there are a variety
of exploits available--but luckily a well-run, fully patched server is
immune to most of them, since they target bugs the patches already fixed.
"metasploit" is a scriptable collection of (at the time of writing) about
a hundred common and not-so-common exploits, with a sophisticated payload
encoder engine and a wide variety of targets, but you do have to identify
the particular vulnerability to try--metasploit is an exploitation
framework, not a vulnerability scanner.