In the previous article, we covered the phases in which an attacker prepares for an attack, enumerates the target environment and scans the entire network. The more information is acquired about the target, the more vulnerabilities can be identified and the more attack vectors can be prepared to launch the attack.
Now the attacker has all this data: the identified vulnerabilities, the scanned network architecture and the loopholes that can be used to gain access to the target network. The third phase, the step where an actual attack is performed, is known as Gaining Access.
To gain access, the attacker might use one or more of the following methods:
- System Hacking
- Viruses and Worms
- Social Engineering
- Denial of Service
- Session Hijacking
- Hacking Web Servers
- Hacking Web Applications
- SQL Injection
- Hacking Wireless Networks
- Evading IDS, Firewall and Honeypots
- Buffer Overflow
To perform system hacking, the attacker uses password cracking techniques such as brute force, dictionary, syllable and rule-based attacks to gain access to the system. Once the system is hacked, the next steps are privilege escalation to perform administrative tasks, malware planting, hiding files and covering tracks so that the hack is not identified during normal scans.
Many viruses and worms, evolving daily, are launched over the internet every day. To gain access to a system, an attacker might use viruses and worms such as keyloggers and password-guessing worms.
An attacker may plant a network sniffer to capture traffic and enumerate passwords even if they are encrypted. This can be achieved through a Man in the Middle (MITM) attack. Sniffers can also be installed on the target hosts, where the LMHash function can be monitored and passwords can be enumerated.
Social engineering can be the most fatal and successful way to gain access to a system. The attacker does not have to perform any technical activity; instead, he might gain the confidence of an employee and talk him into unknowingly sharing passwords and other critical information.
Denial of Service, Session Hijacking, SQL Injection, hacking of web servers and applications, and Buffer Overflow attacks can be performed only if the deployed application has a design flaw that can be exploited to gain access, escalate privileges or overwhelm the services and reduce the performance of the application.
Hacking wireless networks and evading IDS, IPS and honeypots is possible only if the devices are not properly configured or the latest patches have not been applied, which leaves open vulnerabilities to exploit.
- First of all, basic sanity of the endpoint systems has to be ensured in order to avoid any compromise of the machine.
- A host-based IDS and firewall have to be configured on each system to identify and prevent password cracking attempts.
- Updated antivirus software must be installed on the system to control malware infection.
- Adjust browser settings to minimize the attack vector, and set the security settings to Medium on internet zone systems. The rest of the systems should not have any internet access at all if it is not required.
- Employee education and awareness are a must to avoid any compromise caused by social engineering.
- To avoid LMHash enumeration, the best way is to use passwords longer than 15 characters. If this is done, LMHash enumeration becomes impossible. In general, complex and lengthy passwords must be used.
- While developing any application, developers stick to an SDLC for organized development of the software. An organization must require its developers to follow a Secure Software Development Life Cycle. For example, OWASP's Software Assurance Maturity Model (SAMM) can be integrated with any SDLC and should be followed while developing the software to avoid vulnerabilities that can lead to attacks like Buffer Overflow and SQL Injection in the future. Following such practices improves the security of the software and reduces the cost of the product, which will increase later if vulnerabilities are identified and need to be patched.
- Proper configuration of firewalls, IDS, IPS and honeypots is a must, as an attacker might try to bypass them to gain access to the network. Patches and hotfixes must be applied to these devices to prevent exploitation of open vulnerabilities.
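
The following Python code is an added example, not part of the original article. It shows the kind of check a host-based IDS performs to identify password cracking attempts: flagging any source address that produces repeated failed logins inside a short sliding window. The log lines, the threshold and the window length are constructed assumptions, and the lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of OpenSSH auth logs (not real data).
SAMPLE_LOG = """\
2024-03-03T10:15:01 host1 sshd[811]: Failed password for root from 203.0.113.5 port 50112 ssh2
2024-03-03T10:15:03 host1 sshd[811]: Failed password for root from 203.0.113.5 port 50113 ssh2
2024-03-03T10:15:04 host1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 50114 ssh2
2024-03-03T10:15:06 host1 sshd[813]: Failed password for root from 203.0.113.5 port 50115 ssh2
2024-03-03T10:15:09 host1 sshd[814]: Failed password for invalid user test from 203.0.113.5 port 50116 ssh2
2024-03-03T10:20:00 host1 sshd[820]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-03T10:45:00 host1 sshd[821]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-03T10:45:30 host1 sshd[822]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches failed password logins for both existing and non-existent accounts.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: sorted usernames} for every source that reached
    `threshold` failed logins inside one sliding `window`."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user)
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.setdefault(m["ip"], set()).update(u for _, u in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip}: possible password guessing against {users}")
```

A single user who mistypes a password twice, 25 minutes apart, stays below the threshold, while the burst of five failures in nine seconds from one address is reported together with the accounts it targeted.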
I will leave you with a statement from Mr. Art Wittmann (M.D., InformationWeek Analytics): “As we have come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.”
Authored by Punit Dwivedi
TCS Enterprise Security and Risk Management