CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [114]
A simple method of footprinting might examine the source code of your website. Web servers often have plug-ins or options installed that allow entrance into a network using buffer overflows or command processing. Attackers may also be able to gain insights into your business by doing online searches of business records and filings.
For example, EDGAR, an online business research website, maintains a database of publicly available information about businesses. Your company’s annual report may brag about the new infrastructure that was installed last year. Strategic relationships with business partners may provide intelligence about your business. Similar information can help attackers infiltrate your system: They can go to VeriSign/InterNic and determine the root IP address for your network as well as obtain contact information to attempt social engineering attacks. In short, anything online or in print is a potential source of information.
An attacker can query DNS servers to determine what types of records are stored about your network. This information might provide insight into the type of e-mail system you’re using. Most DNS servers readily provide this information when a proper query is formed.
Individually, none of this information is damaging or discloses much about your business. Collectively, though, it may provide key pieces to the jigsaw puzzle that is your organization.
Scanning
Scanning is the process that attackers use to gather information about how your network is configured. They scan your network and look for paths to systems in your network using programs such as Traceroute. Traceroute can provide a detailed picture of your network, right to the demilitarized zone (DMZ).
After an attacker has a general layout of your network, they can then switch to a scan. Scans can start with a simple ping of systems with addresses near your web or mail server. If any of these machines respond, the attacker knows that you have ICMP running and, by default, TCP/IP.
After they know what systems are “alive” in your network, they can systematically attempt to find out which ports are open on those systems; this is known as a port scan. Using the information gained from the port scan about which ports are open, the attacker may try a few simple probes of your system to determine what vulnerabilities might provide an opportunity for attack. A vulnerability scanner is used to analyze the results from the probe.
One of the most well-known port scanners is nmap, while warscan can be used to test exploits that are found. Both of these can be readily found on the Internet.
After the scanning process is complete, the attacker may next choose enumeration. Enumeration will most likely provide the attacker with enough information to implement a network mapper and attack the target. The attack is the next step but might only provide the attacker with a low-level (non-root) account. If this is the case, the attacker will attempt privilege escalation. If the attacker is successful with privilege escalation, they will essentially own the computer.
While it may seem as if an attacker must have a great many tools at his disposal—protocol analyzer, port scanner, vulnerability scanner, and network mapper to name but a few—the reality is that many of these tools are bundled together or found on the same site. BackTrack (http://remote-exploit.org/backtrack.html), for example, combines all of these tools into a single application that is run from a CD.
Practicing good security techniques—such as those discussed in this chapter, and this book—can prevent events of this type from occurring.
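The detection side of the ping sweep and port scan steps described above, as an added example that is not from the book: a small Python detector run over a constructed firewall log. The log format, the addresses, and the thresholds (five distinct ports on one host, or ICMP to three distinct hosts, inside a 60-second trailing window) are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the book): 203.0.113.5 probes five
# ports on one host, 203.0.113.77 pings three hosts, 192.0.2.44 is benign HTTPS.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=21
2024-05-01T10:00:01 DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=22
2024-05-01T10:00:01 DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=23
2024-05-01T10:00:02 DROP proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=25
2024-05-01T10:00:03 ACCEPT proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=80
2024-05-01T10:00:05 DROP proto=icmp src=203.0.113.77 dst=198.51.100.10
2024-05-01T10:00:05 DROP proto=icmp src=203.0.113.77 dst=198.51.100.11
2024-05-01T10:00:06 DROP proto=icmp src=203.0.113.77 dst=198.51.100.12
2024-05-01T10:00:07 ACCEPT proto=tcp src=192.0.2.44 dst=198.51.100.10 dport=443
"""
LINE_RE = re.compile(r"^(\S+) (\w+) proto=(\w+) src=([\d.]+) dst=([\d.]+)"
                     r"(?: dport=(\d+))?$")

def parse_line(line):  # one log line -> event dict, or None if it does not match
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, _action, proto, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts).timestamp(), "proto": proto,
            "src": src, "dst": dst, "dport": int(dport) if dport else None}

def detect_recon(log_text, window_seconds=60, port_threshold=5, host_threshold=3):
    """Map each suspicious source to findings: ("port_scan", dst) when it touched
    >= port_threshold ports on dst, ("ping_sweep", None) for ICMP to >= host_threshold hosts."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_src[ev["src"]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        recent = []  # events from this source inside the trailing window
        for ev in sorted(evs, key=lambda e: e["ts"]):
            recent = [e for e in recent if ev["ts"] - e["ts"] <= window_seconds]
            recent.append(ev)
            ports, icmp_hosts = defaultdict(set), set()
            for e in recent:
                if e["proto"] == "icmp":
                    icmp_hosts.add(e["dst"])
                elif e["dport"] is not None:
                    ports[e["dst"]].add(e["dport"])
            findings[src].update(("port_scan", d) for d, p in ports.items()
                                 if len(p) >= port_threshold)
            if len(icmp_hosts) >= host_threshold:
                findings[src].add(("ping_sweep", None))
    return {s: f for s, f in findings.items() if f}
```

Real firewalls and IDS sensors log in their own formats, so in practice only the parsing changes; the windowed distinct-port and distinct-host counting is the same idea.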
Summary
This chapter covered most of the major points concerning communications monitoring, IDS, wireless technologies, and instant messaging. Your network infrastructure is vulnerable, but the situation isn’t hopeless. Tools exist to help you do your job.
Many different