O'Reilly Book Excerpts: Managing Security with Snort & IDS Tools
Anatomy of an Attack: The Five Psby Kerry J. Cox, Christopher Gerg
In a meeting with an engineer (Jonathan Hogue) from a security company called Okena (recently acquired by Cisco), I was introduced to the concept of the five Ps. Hogue graciously gave me the presentation slide and I use it all the time. There are a lot of models of how an attack progresses, but this is the best I've seen. These five steps follow an attack's progression whether the attack is sourced from a person or an automated worm or script. We will concentrate on the Probe and Penetrate phases here, since these are the stages that Snort monitors. Hopefully, the attacker won't get past these phases without being noticed. The five Ps are Probe, Penetrate, Persist, Propagate, and Paralyze.
In this phase, the attacker gathers information on a potential target. In a targeted attack, the scanning may be limited to your allocated range of IP addresses. In an untargeted attack (see Section 4.1.1, above), it might be against a wide range of addresses. Often, the initial activities of this information-gathering will not send a single packet to your network. A surprising amount of information can be gathered from information stores on the Internet. The goal of this phase is to map out your network and determine details about the systems on your network, permitting the attacker to tailor an attack to exploit known vulnerabilities in the software version running on your system, or perhaps to a configuration error.
Mining the Web
What follows are methods attackers use to gather information about the network, IP address range, or business assets they wish to attack& mdash;without sending a single packet to your network:
WHOIS, ARIN and DNS lookups
Gleaning data from off corporate web sites
General reconnaissance using Sam Spade, IP Tools, etc.
TIP: The victimized network is not always purposefully sought out. Driftnet scans or blindly probing large subnets for vulnerable devices sometimes brings networks onto radar screens. Such is the importance of staying current with patches and closing susceptible ports.
An initial tactic is to gather information regarding the IP addresses owned or managed by a particular company, the contact people, or even the physical address or location of the company. Here are some sites that give out this type of information:
Performs lookups on the administrative, technical, and billing contacts for a particular domain name.
Searches for the registrant and IP address range of a particular IP address. Useful for tracking down offending IP addresses.
Executes multiple DNS lookups on IP addresses or domain names. This site is used for performing both forward and reverse name resolution. It is comparable to the Linux command line
There are several other free WHOIS services available on the Internet. Each one offers nearly the same information that can be gleaned from the main Network Solutions page. Sites such as http://www.hyperwhois.com and http://www.accesswhois.com are also used. Attackers visit these sites to locate domain names pending expiration. Network Solutions and Verisign have proved most accommodating recently by providing alternative misspellings of common domain names. Both of these features are useful when attempting to take over a domain or redirect normal commerce traffic to another site by means of subversion. Check these web pages for information about your own company. If too much data is available on the Internet or if you wish to minimize your company's exposure, resubmit the correct forms to Network Solutions or to your domain name provider. Also, update the information contained on the ARIN site by modifying RWHOIS records. One tactic is to replace names with titles, or even use bogus names to make it harder for social engineering to succeed.
Another common tactic is to gather data from corporate web sites. Most companies list their physical address and provide maps and directions. Typical business sites often display not only the president or CEO's name (and all other higher management personnel) but provide an email address and phone number. These are useful to attackers when performing social engineering. In addition, the email address can assist in DNS requests and MX record lookups. Minimize the amount of data you are willing to share with strangers by censoring corporate web pages. Explain this to company managers as well as to the webmaster. Anyone using the corporate web site for marketing or sales purposes should be aware of any inherent security risks.
There are several free tools for Windows-based machines that execute commands
similar to those found on Linux. The two I mention here are Sam Spade and IP-Tools.
Their URLs are listed at the end of this chapter. The former is free, while
the latter currently requires a $35 registration fee. Both of these utilities
provide Windows users with much the same functionality as Linux. They offer
many like features, including webcrawling utilities, real-time blackhole lists
for determining the IP addresses of repeat spam offenders,
traceroute. The IP-Tools application does have some added
functionality such as port and NetBIOS scanning similar to that of Nmap for
Linux, along with a telnet utility. It also performs
that displays open ports listening for connection requests.
There are several other DNS query tools available for use directly off web pages. I recommend the netcraft.com site for determining version and release numbers of a particular web server. This leads us into the active probing that can be performed to gather information about your network.
Portscans and software version-mapping
One of the most widely used network mappers or port scanners is Nmap. Fyodor, the author, describes his tool in the following manner
Nmap or "Network Mapper" is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they offer, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Nmap is available for most systems, including nearly all BSD variants, Solaris
and Linux, and Windows. Nmap can be used from the command line as a console
tool or in its graphical release. It is started from the prompt with the command
The graphical version is initiated using
nmapfe, short for "nmap
frontend." Nmap is best run as root so all options are granted to the user.
Consult the Nmap home page at http://www.insecure.org/nmap/ for
available options and latest source code. Nmap comes in source and RPM formats.
It is included as a standard package with most Linux distributions, including
Red Hat. Install it initially or compile it later from source.
Figure 4-1 shows Nmap run as root with the graphical frontend. Selecting different variables within "Scan options" and "General options" customizes how stealthy or unobtrusive the scans run against target systems. The output as it appears on the command line is displayed directly below the options. By noting the syntax that appears below the main window, a scan can be run from the console or the command line.
Figure 4-1. The main interface for the Nmap Front End tool
After selecting a target IP address, subnet, or domain name, execute the scan. The output displays in the lower box. All detected open ports are shown here with the service name and port number.
The latest release of Nmap shows not only the open ports but performs fingerprinting of the listening ports and displays the software version and release currently running on that port. Not only can I find out if a port is open, but I can see the Apache version and the current PHP release running on my system.
Currently, Nmap is best run from the command line for a detailed report on available services. Here is what a scan showed against a typical machine with a default or "vanilla" configuration.
# nmap -sV -T4 -F localhost Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-09-17 19:36 MDT Interesting ports on localhost (127.0.0.1): (The 1203 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 21/tcp open ftp vsFTPd 1.1.3 22/tcp open ssh OpenSSH 3.5p1 (protocol 2.0) 25/tcp open smtp Sendmail smtpd Secure/Rabid 80/tcp open http Apache httpd 1.3.28 ((Unix) PHP/4.3.2) 110/tcp open pop3 UW Imap pop3 server 2001.78rh 6000/tcp open X11 (access denied) Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux Kernel 2.4.0 - 2.5.20 Uptime 9.486 days (since Mon Sep 8 07:56:31 2003) Nmap run completed -- 1 IP address (1 host up) scanned in 16.151 seconds
Nmap scans are useful for testing Snort installations. By default, Nmap is fairly noisy and easily detectable. Most Nmap scans readily show up in the alerts file or via the ACID web page. Existing signatures that alert administrators to Nmap scans can be customized to suit.
Here is one of several possible alerts that appear in the Snort alert log
when Nmap is run (using Nmap's
-P0 option prevents the ping from
[**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] 09/18-02:58:18.144568 220.127.116.11 -& gt; 18.104.22.168 ICMP TTL:22 TOS:0x0 ID:51496 IpLen:20 DgmLen:28 Type:8 Code:0 ID:44209 Seq:8907 ECHO [Xref =& gt; arachnids 162]
There are also Nmap-specific scans that show up in the Snort alert log. These range from Nmap web-based attacks to fingerprint attempts (much like the example scan shown above) to TCP scans. To view sample alerts generated by Snort when Nmap is run against it, simply grep the text "nmap" within the Snort rules. There are plenty of occurrences in which Nmap plays a role in generating alerts. Each of these rules can be customized to give alerts on a more specific level.
Once ACID is operational with Snort, consult the logs frequently for network scans and connection attempts. Some Nmap scans may be stealthy connection attempts so also look for SNMP requests and proxy scans, which are fairly typical for Nmap.
WARNING A quick word of caution. Those of you reading this book who think you are now an "elite hacker" or that this and the other outlined tools will assist in cracking other systems, do not be fooled. Simply running Nmap against other computers does no such thing. All Nmap does is show open ports and available software versions. That said, since a portscan is often a precursor to an attack, most people do not take kindly to network portscans. Consider yourself warned. People have been prosecuted for attacking a network after only performing a portscan.
Armed with this information, an attacker can go to a variety of web sites and discover if you are running an operating system or service version with known vulnerabilities. Once this is determined, it is a relatively easy manner to find scripts or programs that can exploit the vulnerable system, leading to a penetration.