CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [42]
The second type of back door refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. The program may allow a certain user ID to log on without a password or gain administrative privileges. Figure 2.2 shows how a back door attack can be used to bypass the security of a network. In this example, the attacker is using a back door program to utilize resources or steal information.
FIGURE 2.2 A back door attack in progress
A back door attack is usually either an access or modification attack. A number of tools exist to create back door attacks on systems. One of the more popular is Back Orifice. Another popular back door program is NetBus. Fortunately, most conventional antivirus software will detect and block these types of attacks.
Back Orifice and NetBus are remote administration tools that attackers use to take control of Windows-based systems. They are typically installed by a Trojan horse program and, once in place, give a remote user full control of the system. They run on all of the current Windows operating systems.
Spoofing Attacks
A spoofing attack is an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack. A common spoofing attack that was popular for many years on early Unix and other timesharing systems involved a programmer writing a fake logon program. It would prompt the user for a user ID and password. No matter what the user typed, the program would report an invalid logon attempt and then transfer control to the real logon program. The spoofing program would write the user ID and password to a disk file, which the attacker retrieved later. Modern systems defeat this particular trick with a secure attention sequence (Ctrl+Alt+Del on Windows), a key combination that only the genuine logon process can intercept.
The most popular spoofing attacks today are IP spoofing and DNS spoofing. With IP spoofing, the goal is to make the data look as if it came from a trusted host when it didn’t (thus spoofing the IP address of the sending host); the forged source address also means replies go to the impersonated host rather than the attacker. With DNS spoofing, a resolver is fed a forged response, or a forged record about a name server, that it accepts as legitimate when it isn’t. This can send users to a website other than the one they wanted to go to, reroute mail, or cause any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS poisoning (or cache poisoning, since the bogus record is served from the resolver’s cache until it expires).
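The standard defence against IP spoofing at the network edge is source-address filtering: a packet arriving on the Internet-facing interface must not claim an internal (trusted) source address, and a packet leaving the internal network must carry one of our own addresses. The following added example, written for this page and not taken from the study guide, applies that rule to a handful of constructed packet records. The interface names, the internal prefix 10.10.0.0/16 and the packet records are all assumptions made for the example.

```python
"""Ingress/egress source-address filtering against IP spoofing.

Constructed example: 'outside' is the Internet-facing interface, 'inside'
faces the trusted LAN.  Prefixes and packet records are made up.
"""
import ipaddress

# Addresses we legitimately use on the trusted side (assumed for the example).
INSIDE_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]

# Sources that should never arrive from the Internet: private, loopback,
# link-local, multicast and reserved space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in(addr, nets):
    return any(addr in net for net in nets)


def check_source(iface, src):
    """Return 'allow' or 'drop:<reason>' for a packet's source address."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        # Classic trusted-host spoof: an Internet packet claiming to be one of us.
        if _in(addr, INSIDE_PREFIXES):
            return "drop:inside-address-from-outside"
        if _in(addr, BOGONS):
            return "drop:bogon-source"
        return "allow"
    if iface == "inside":
        # Egress rule: our hosts must not originate packets with forged sources.
        if not _in(addr, INSIDE_PREFIXES):
            return "drop:egress-spoof"
        return "allow"
    raise ValueError(f"unknown interface {iface!r}")


def audit(records):
    """records: iterable of (iface, src, dst); returns [(record, verdict), ...]."""
    return [(rec, check_source(rec[0], rec[1])) for rec in records]


# Constructed packet records, not captured traffic.
SAMPLE = [
    ("outside", "203.0.113.7", "10.10.1.5"),    # ordinary inbound packet
    ("outside", "10.10.1.20", "10.10.1.5"),     # spoofed internal source
    ("outside", "127.0.0.1", "10.10.1.5"),      # loopback source from the Internet
    ("inside", "10.10.1.5", "203.0.113.7"),     # ordinary outbound packet
    ("inside", "198.51.100.4", "203.0.113.7"),  # our host forging a source
]

if __name__ == "__main__":
    for rec, verdict in audit(SAMPLE):
        print(f"{rec[0]:8s} {rec[1]:>14s} -> {rec[2]:<14s} {verdict}")
```

The ingress check runs the inside-prefix test before the bogon test so that a forged internal source is reported as such rather than as a generic RFC 1918 bogon; the egress rule is what stops a compromised host on our side from taking part in someone else’s spoofing.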
Always think of spoofing as fooling. Attackers are trying to fool the user, system, and/or host into believing they’re something they aren’t. Because the word spoof can describe any false information at any level, spoofing can occur at any layer of the network.
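A resolver limits DNS spoofing by refusing any response it cannot tie to a query it actually sent, and by refusing to cache records the responding server has no authority over (the bailiwick rule, which is what blocks the forged name-server records described above). The added example below, written for this page rather than taken from the study guide, models those checks on plain Python objects instead of DNS wire format so the logic is what is visible. The server address 192.0.2.53, the zone example.com and the record contents are assumptions made for the example.

```python
"""Resolver-side checks that make DNS spoofing / cache poisoning harder.

Constructed example: messages are Python objects, not wire-format packets.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class RR:
    """One resource record, e.g. RR("www.example.com", "A", "192.0.2.10")."""
    name: str
    rtype: str
    data: str


@dataclass
class Query:
    txid: int        # 16-bit transaction ID
    src_port: int    # randomised UDP source port
    server: str      # server we sent the query to
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    from_server: str     # address the datagram claims to come from
    to_port: int         # UDP port it arrived on
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def norm(name):
    """Case- and trailing-dot-insensitive comparison form of a name."""
    return name.lower().rstrip(".")


def make_query(qname, qtype, server):
    """Random txid and random source port: an off-path forger must guess both."""
    return Query(txid=secrets.randbelow(1 << 16),
                 src_port=1024 + secrets.randbelow(65536 - 1024),
                 server=server, qname=norm(qname), qtype=qtype)


def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)


def validate(query, resp, zone):
    """Return (records safe to cache, reason).

    `zone` is the zone the queried server is authoritative for.  An empty
    list with a reason other than 'ok...' means the whole response was refused.
    """
    if resp.txid != query.txid:
        return [], "txid mismatch"
    if resp.from_server != query.server or resp.to_port != query.src_port:
        return [], "response did not come from the server/port we used"
    if (norm(resp.qname), resp.qtype) != (query.qname, query.qtype):
        return [], "question section does not match our query"
    accepted, dropped = [], 0
    for rr in resp.answer + resp.authority + resp.additional:
        if in_bailiwick(rr.name, zone):
            accepted.append(rr)
        else:
            dropped += 1   # forged glue for some other domain: never cache it
    reason = "ok" if dropped == 0 else f"ok, dropped {dropped} out-of-bailiwick record(s)"
    return accepted, reason


if __name__ == "__main__":
    q = make_query("www.example.com", "A", "192.0.2.53")
    # Genuine answer, plus a bogus additional record pointing a bank at the attacker.
    poisoned = Response(q.txid, "192.0.2.53", q.src_port, "www.example.com", "A",
                        answer=[RR("www.example.com", "A", "192.0.2.10")],
                        additional=[RR("login.bank.example", "A", "198.51.100.66")])
    print(validate(q, poisoned, "example.com"))
```

The txid and source-port checks are probabilistic (an attacker who floods guesses can still win eventually); the bailiwick check is what keeps a single accepted forgery from redirecting names the server was never asked about. DNSSEC, which signs the records themselves, is the only check here that does not depend on the attacker failing to guess.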
Another weakness associated with domain names, though one of the registration process rather than of the DNS protocol itself, is domain name kiting. When a new domain name is registered, there is a five-day grace period (the add grace period) before the registrant must actually pay for it. Those engaged in kiting delete the registration within the five days and immediately re-register the name, repeating the cycle so that they hold domains they never have to pay for.
Figure 2.3 shows a spoofing attack occurring as part of the logon process on a computer network. The attacker in this situation impersonates the server to the client attempting to log in. No matter what the client attempts to do, the impersonating system will fail the login. When this process is finished, the impersonating system disconnects from the client. The client then logs in to the legitimate server. In the meantime, the attacker now has a valid user ID and password.
The important point to remember is that a spoofing attack tricks something or someone into thinking something legitimate is occurring.
Man-in-the-Middle Attacks
Man-in-the-middle attacks tend to be fairly sophisticated. This