CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [49]

network sniffer such as the one included by Microsoft in its Systems Management Server (SMS) package allows any computer to function as a network sniffer. This software is widely available and is very capable. A number of public domain or shareware sniffers are also available online, such as Wireshark (http://www.wireshark.org).

By using a sniffer, an internal attacker can capture all the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. For example, an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network.

Scanning Ports

A TCP/IP network makes many of the ports available to outside users through the router. These ports respond in a predictable manner when queried. For example, TCP attempts synchronization when a session initiation occurs. An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it is part of fingerprinting a network; it can reveal a great deal about your systems. Port scans are possible both internally and externally. Many routers, unless configured appropriately, will let all protocols pass through them.

Port scans help in identifying what services are running on a network.

Individual systems within a network might also have applications and services running that the owner doesn’t know about. These services could potentially allow an internal attacker to gain access to information by connecting to the port associated with those services. Many Microsoft Internet Information Server (IIS) users don’t realize how weak this product’s security is. If they didn’t install all of the security patches when they installed IIS on their desktops, attackers can exploit the weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner. Strictly speaking, these attacks might not be considered TCP/IP attacks, but they are treated as such because the inherent trust of TCP is used to facilitate them.

After they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply by using Telnet.

To check whether a system has a particular protocol or port available, all you have to do is use the telnet command and add the port number. For example, you can check whether a particular server is running an e-mail server program by entering telnet www.youreintrouble.com 25. This initiates a Telnet connection to the server on port 25. If the server is running SMTP, it will immediately respond with logon information. It doesn’t take much to figure out how to talk to SMTP; the interface is well documented. If an e-mail account doesn’t have a password, the system is now vulnerable to attack.

This process of port scanning can be expanded to develop a footprint of your organization. If your attacker has a single IP address of a system in your network, they can probe all the addresses in the range and probably determine what other systems and protocols your network is utilizing. This allows the attacker to gain knowledge about the internal structure of your network.

A study done by the University of Maryland’s A. James Clark School of Engineering found that 38 percent of attacks were preceded by vulnerability scans. The combination of port scans with vulnerability scans created a lethal combination that often led to an attack.

In addition to scanning, network mapping lets you visualize everything that is available. The most well-known network mapper is nmap, which can run on all operating systems and is found at http://nmap.org/.

TCP Attacks

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. As you may recall, the synchronization, or

