Successful Network Attacks - Phase Three: Gaining Access
by Daelphinux
Without gaining access to the target network, an attack can barely be considered an attack; it definitely would not be considered successful.
Because of this, the third phase of network attacks is the most critical. It is in this phase that the attack will actively participate in penetrating the target network and reach a given goal.
While gaining access to the target network, an attacker will likely use a variety of tools and exploits. Some of these tools will be recognized from the Phase Two overview: Metasploit and the Zed Attack Proxy come to mind here, but there will also be a number of new tools that the attacker will use.
Many of these tools are more abstract than a simple program. Many networks are breached when an attacker sends a file to a user - complete with an email making the file look official - that carries a payload containing a Trojan, zombie program, or any sort of backdoor generator.
There are a number of applications on the Internet today that stuff files of all kinds with payloads to avoid detection by the best anti-virus software. If performed carefully, the attacker will entice the user to open the file on their machine while connected to the network. This is a common methodology when the attacker did not find any useful information in Phase Two that would allow them to penetrate the network.
Other attackers will use the exploits and open ports they found in the last phase by using various tools (specific to the exploits found), a knowledge of a number of network protocols, and knowledge about various operating systems. (These things are gained mostly by experience. Always assume an attacker is an expert on their choice attack vector.)
The methods used here are far too many to detail, although there are commonalities between most attacks.
* Attackers are very likely to be using remote shell access versus a remote GUI. This lightens the network traffic and makes it harder to detect the attack. Further, by using a shell, you can often accomplish tasks far more easily and rapidly.
* Attackers will often work from an endpoint that is not their target. For instance, it is most likely that an attacker is going to be controlling an end user's machine on the target network rather than operating directly on the server; even if the attacker is remotely controlling the server from the owned machine.
* Attackers are almost certainly going to be after performing some type of file manipulation. They will likely be copying files, moving files, deleting files, or modifying files to manipulate or gain information. A notable exception to this are Denial-of-Service (DoS) style attacks, where the goal is to disrupt access to a service.
As a good exercise, think about how you would get around the administrative rights on one of your servers and what information would be useful to a competing company or entity. Challenge yourself to do whatever you considered an attacker would do; when you succeed, you will have some idea of how the attackers will think and operate.
Detecting these attacks usually requires active monitoring, and that can be expensive. The expense will certainly be worth it when (not if) an attack occurs. The kind of monitoring that an entity attempting to avoid an attack will do involves file auditing, network monitoring, access logging, and regular manual auditing.
File audits are usually applications or scripts that run through and listen for changes to occur in key files. When a file that is not regularly changed - or should only be changed with proper reasoning or permission - is altered, these auditing tools alert administrators that a change has been made. If the change was expected, then the alert can be ignored. However, unexpected changes almost always will require thorough investigation.
Network monitoring is just what it sounds like, and largely as explained in Phase Two. Monitoring is usually accomplished by a variety of scripts and applications working in conjunction and reporting back to a centralized location. This location gives network administrators a single place to watch and look for changes. When a service goes down, or irregular network traffic is detected, the network administrators will be able to react fairly quickly. Often, instead of relying on the administrators to be constantly watching the monitors, network monitoring tools will alert administrators to any abnormal events.
Access logging is an important step in detecting illicit network access. This is where administrators will set up servers, network appliances, and sometimes even end-user machines to keep logs of any successful, or failed, attempts to utilize the device. In the event of an attack, often leading up to it, the logs will show a higher than normal number of failed login attempts. (If you want to know why this is referenced as "higher than normal," turn on access logging on any machine - even a personal machine - and look at the number of failed attempts. There are a number of automated tools out there and script kiddies who will be looking for easy access to a machine. By "higher than normal," it is meant that there will be a number of focused failed login attempts, in the thousands, often with a variety of usernames.) These logs can be crucial to preventing an attack before it occurs.
What good would logs be if no one ever read them? Regular manual audits of the logs will also provide a key indicator if an attack is happening, has happened, or is imminent. These logs can be read by a person in ways a machine cannot begin to do. A person can notice that logs have very large gaps, or very small gaps, that are out of place. They can notice that common events either did not take place or took place at an irregular time. Essentially, they have intuition. A person can read the logs and think "I have a bad feeling about this." That is something a machine simply cannot do.
Preventing access gain is often accomplished the same way detecting it is. By performing the above steps and paying due diligence, an entity trying to avoid an attack will be able to read the writing on the wall and notice that an attack is imminent. Once this happens, it is not terribly difficult to determine the attack vector and harden that avenue. There will, however, be attackers that know this and they will leave bread crumbs heading in one direction when their vector is something very different. The best thing to do if it appears an attack is coming is to take a good hard look at the at risk network and do everything that can be done to harden it.
Finally, by ensuring that the prior two steps (reconnaissance and network scanning) are adequately defended against, an entity will likely have a good baseline defense against anyone attempting to gain network access. It would behoove anyone intent on securing a network to reread the two prior sections. This will both ensure that the knowledge from these sections is well covered and that the reader will be able to view that information in new context, specifically, the context of under-standing the next step in the path.
Phase 1: Reconnaissance - Gathering as to much useful information about the target as possible.
Phase 2: Scanning - Gathering useful information about the target's networks and any possible exploits.
Phase 3: Gaining Access - Getting into the network to be able to accomplish the attack's goal.
Phase 4: Maintaining Access - Ensuring access to the network persists long enough to accomplish the attack's goal.
Phase 5: Covering Tracks - Obfuscating the attacker's presence on the network such that they cannot be traced.