March 01, 2011

The different types of attacks

The computer is a very wide area, the number of vulnerabilities on system may be important. Thus, attacks against these vulnerabilities may be the both very diverse and very dangerous. Therefore we will initially analyze what we call "the anatomy of an attack, then a second time, we characterize these attacks and observe their progress.



Network attacks

This type of attack is based mainly on faults related to the protocols or their implementation.
Observe some well-known attacks.
  
Scan techniques

Port scans are not attacks itself. The purpose of the scans is determine which ports are open, and thus deduce the services are performed on the target machine (eg port 80/TCP for an HTTP service). Therefore, most attacks are preceded by a port scan at the Probe phase which is as we have seen, the first phase of the 5P's, in the course of an attack.
 
There are a large number of scan techniques. Ideally, the best scan technique is one that is more stealth so as not to alert the suspicions of the future victim.

IP Spoofing

Target: To spoof the IP address of another machine.
Purpose: to impersonate another machine faking IP packets. This technique
may be useful in the case of authentication based on IP address (such as services
rlogin or ssh for example).
Finality: to impersonate another machine faking IP packets. This technique
may be useful in the case of authentication based on IP address (such as services
rlogin or ssh for example).
Stages: There are utilities to change the IP packets or create their
own packages (eg hping2). With these utilities, you can specify an address
IP different from what one has, and so pretending to be another "machine ".
However, this poses a problem by specifying a different IP address for our machine,
we will not receive responses from the remote machine, since it will answer
spoofed address.

ARP Spoofing (ou ARP Redirect)

Target: To redirect traffic from one machine to another.
Purpose: Through this redirection, an attacker can impersonate
another. In addition, the attacker can reroute the packets it receives to the real consignee, so the user does usurped will realize nothing. The purpose is the same as IP spoofing but it works here at the data link layer.
Finality:: To perform this usurpation must corrupt the ARP cache of the victim. This which means that we must send ARP frames, stating that the IP address of another machine is his. ARP caches are regularly emptied, care must be taken to maintain usurpation.

DNS Spoofing 

Target: to provide false answers to DNS queries, that is to say, indicate a false address IP for a domain name.
Finaly: redirect unwitting surfers to sites of pirates. With this false
redirect, the user can send his credentials in confidence for example.
 

Fragments attacks

Object: The purpose of this attack is to bypass the protections of filtering equipment IP.
Purpose: In bypassing protections, such as a hacker can penetrate a
network to carry out attacks or retrieve confidential information.
 

TCP Session Hijacking

Object: The purpose of this attack is to redirect a TCP stream in order to override a password protection.
Purpose: control of authentication taking place only at the opening of the session, a pirate attack that successfully manages to take possession of the connection throughout the duration of the session.
Process: firstly, the attacker must monitor the network, then when it considers
that authentication has occurred (time of n seconds for example), it's out of sync
session between the user and the server. To do this, it constructs a packet having
source IP address, that of the user's machine and the TCP acknowledgment number expected by the server. In addition to synch the TCP connection, this package allows the attacker inject a command through the previously established session.
 

Application attacks

Application attacks rely on flaws in the programs used, or still misconfigurations. However, as before, it is possible classify these attacks according to their origin.

Configuration problems

It is very rare for network administrators configure correctly program.
In general, they simply use the default settings. These are often unsafe to facilitate the operation of the software (eg login / password of a default server database).
 
In addition, errors can occur when configuring software. A a server misconfiguration can lead to access important files, or involving the integrity of the operating system. It is therefore important to read documentation provided by developers to avoid creating faults.

Bugs 

Related to a problem in the source code, they can lead to exploitation of vulnerabilities. It is not uncommon to see the operation of a machine following a simple error programming. It may not do anything against such problems, except wait a patch from the developer.

Buffer overflows

Buffer overflows or stack overflow, are a special category of bug.
Coming from a programming error, they can operate a remote shellcode3.
This shellcode will allow an attacker to execute commands on the
remote system, up to its destruction.
 
The programming error is often the same: the size of an entry is not
Entry is checked and copied directly into a buffer whose size is smaller than the sizethe entrance. 
We find ourselves in a situation of overflow, and the operator can access memory.

 Scripts

Mainly web (eg Perl, PHP, ASP), they are running on a server and returns a
result to the client. However, when dynamic (ie they use inputs entered by a user), faults can occur if the inputs are not properly controlled.
The classic example is the use of remote file, such as displaying the file
password system, up the tree from the web directory.

SQL Injection

Like scripting attacks, SQL injections benefit of input parameters unaudited. 
As their name suggests, the purpose of SQL injection is to inject SQL code
in a query database. Thus, it is possible to retrieve information is
found in the database (eg passwords) or destroy data.
 
  
Man in the middle
 
Less known but equally effective, this attack can divert traffic
between two stations. Suppose a client C communicates with a server S. A hacker can divert traffic from the client by passing queries from C to S P by his machine, then forwarding requests from P to S. And vice versa for responses from S to C.
 
Completely transparent to the client machine P plays the role of proxy. It accesses
and to all communications and can obtain information without the user noticing.
 

Denial of service 

Mentioned above, denial of service attack is to make unavailable service. 
This can be done in several ways: through a network overload, making the machine totally unreachable, or so in application crashing
the application remotely.
 
The use of a buffer overflow may allow remote crash the application.
Thanks to some malicious instructions and following a programming error, a
someone could make available a service (web server, server messaging, ... etc.) or even a complete system.
 

Why is this post important

This story displays the attacks adopted a more streamlined for a previous topic as well as the importance of where we will explain one of these attacks in more detail in future.
  
Reference
Les systèmes de détection d'intrusions,
David Burgermeister, Jonathan Krier

 


No comments:

Post a Comment