Monday, April 4, 2011

Phases of Malicious Hacking

Attackers tend to follow a fixed methodology for breaking into a system. To understand the methodology a hacker uses, we first need to understand the anatomy of an attack so that countermeasures can be applied at each step. The steps a hacker follows can be broadly divided into five phases, which include pre-attack and attack phases. The five phases are:

1) Reconnaissance
Reconnaissance is the first, preparatory phase, where an attacker makes a systematic attempt to locate, gather, identify, and record information about the target of evaluation prior to launching an attack. It involves scanning the network, either externally or internally, without authorization. Here, hackers try to find out as much information as possible about the victim. There are two categories of reconnaissance techniques: active and passive reconnaissance.
Passive reconnaissance involves gathering information regarding a potential target without the targeted individual's or company's knowledge. Passive reconnaissance can be as simple as watching a building to identify what time employees enter the building and when they leave. However, it's usually done using Internet searches or by Googling an individual or company to gain information. This process is generally called information gathering.
Sniffing the network is another means of passive reconnaissance and can yield useful information such as IP address ranges, naming conventions, hidden servers or networks, and other available services on the system or network. Sniffing network traffic is similar to building monitoring: A hacker watches the flow of data to see what time certain transactions take place and where the traffic is going. 
Active reconnaissance involves probing the network to discover individual hosts, IP addresses, and services on the network. This usually involves more risk of detection than passive reconnaissance and is sometimes called rattling the doorknobs. Active reconnaissance can give a hacker an indication of security measures in place, but the process also increases the chance of being caught or at least raising suspicion.
Both passive and active reconnaissance can lead to the discovery of useful information to use in an attack. For example, it's usually easy to find the type of web server and the operating system (OS) version number that a company is using. This information may enable a hacker to find a vulnerability in that OS version and exploit it to gain more access.

2) Scanning
Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may employ during the scanning phase can include dialers, port scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts.
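Active reconnaissance and scanning are noisy, which is why the text says they raise the chance of being caught. As an added example (not part of the original post), the detector below reads constructed firewall log lines and flags a source that hits many distinct ports on one host within a short window, the signature a port scanner leaves behind. The log format, addresses, and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample firewall log lines (not real traffic): one scanning source,
# one ordinary client that only touches 80 and 443 several minutes apart.
SAMPLE_LOG = """\
2011-04-04T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 action=DROP
2011-04-04T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 action=DROP
2011-04-04T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=25 action=DROP
2011-04-04T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=80 action=ACCEPT
2011-04-04T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=110 action=DROP
2011-04-04T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=143 action=DROP
2011-04-04T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=443 action=ACCEPT
2011-04-04T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=445 action=DROP
2011-04-04T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=3389 action=DROP
2011-04-04T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=8080 action=DROP
2011-04-04T10:00:06 src=198.51.100.4 dst=192.0.2.10 dport=80 action=ACCEPT
2011-04-04T10:05:00 src=198.51.100.4 dst=192.0.2.10 dport=443 action=ACCEPT
"""

# Assumed log layout: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<word>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def detect_port_scans(text, window_seconds=60, port_threshold=8):
    """Return {src: set_of_ports} for every source that touched at least
    port_threshold distinct ports on one host inside a window_seconds sliding window."""
    events = defaultdict(list)  # (src, dst) -> list of (timestamp, dport)
    for ts, src, dst, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window start forward
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[src] = alerts.get(src, set()) | ports
    return alerts
```

Dropped and accepted connections both count, since a scanner learns something from each; the ordinary client never crosses the threshold because its two requests fall outside one window and touch only two ports.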

3) Gaining Access
This is the phase where the real hacking takes place. Vulnerabilities discovered during the reconnaissance and scanning phases are now exploited to gain access. The method of connection the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service (DoS), and session hijacking. These topics will be discussed in later posts. Gaining access is known in the hacker world as owning the system.
  
4) Maintaining Access
Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system against other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

5) Covering Tracks
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include steganography, the use of tunneling protocols, and altering log files. Steganography and the use of tunneling for purposes of hacking will be discussed in later posts.
