DENIAL OF SERVICE ATTACKS

 

Introduction

By now you are aware of the dangers of the Internet and have also learned a few basic rules for protection and safety on the Internet. In the previous article I explored ways to investigate a target system and to learn a great deal about it. The time has come to explain how an attack on a system actually works. In this and the coming articles we will examine one category of attack that might be used to cause harm to a target computer system: in depth, the working of the Denial of Service (DoS) attack. This threat is one of the most common attacks on the Internet, so it is prudent for you to understand how it works and how to defend yourself against it.

Overview

As was said in the introduction, one of the most common and simplest forms of attack on a system is a Denial of Service (DoS). This attack does not even attempt to intrude on your system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. It is easy to perform this type of attack; only basic technical expertise is needed. It is a fact that every machine has its own limits and cannot exceed them. For example, a truck has its limits: it carries a limited load for a limited distance. Likewise a computer has limits: it performs a limited number of operations in a limited time. The workload of a computer system may be defined by the number of simultaneous users, the size of files, the speed of data transmission, or the amount of data stored. If you give the system more work than it can handle, it will stop responding. For example, if you can flood a Web server with more requests than it can process, it will be overloaded and will no longer be able to respond to further requests (Webopedia, 2004). This reality underlies the DoS attack. Simply overload the system with requests, and it will no longer be able to respond to legitimate users attempting to access the Web server.

IN PRACTICE: Illustrating an Attack

One simple way to illustrate this attack, especially in a classroom setting, involves the use of the ping command discussed in previous articles.

1.      Start a Web server service running on one machine (you can use Apache, IIS or any Web server).

2.      Ask several people to open their browsers and key in the IP address of that machine in the address bar. They should then be viewing the default Web site for that Web server.

Now you can do a rather primitive DoS attack on the system. Recall from the previous article that typing ping /h will show you all the options for the ping command. The -l option changes the size of the packet you send. A TCP packet can be only of a limited size; thus you want to set these packets to be almost as large as the limit allows. The -w option decides how many milliseconds the ping utility will wait for a response from the target; you use -w 0 so that the ping utility does not wait. Finally, the -t option instructs the ping utility to keep sending packets until explicitly told to stop.

3.      Open the command prompt in Windows 2000/XP (that is, the DOS prompt in Windows 98 or the shell in Unix/Linux).

4.      Key in ping <address of target machine goes here> -l 65000 -w 0 -t.

What is happening at this point is that this single machine is continually pinging the target machine. Of course, just one machine in your classroom or lab pinging your Web server is not going to adversely affect the Web server. However, you can now, one by one, get other machines in the classroom pinging the server in the same way. After each batch of three or four machines you add, try to go to the Web server’s default Web page. After a certain threshold (a certain number of machines pinging the server), it will stop responding to requests and you will no longer be able to see the Web page.

How many machines it will take to deny service depends on the Web server you are using. In order to see this denial happen with as few machines as possible, you could use a very low-capacity PC as your Web server. For example, running an Apache Web server on a simple Pentium III laptop running Windows 98, it can take about 15 machines simultaneously pinging to cause the Web server to stop responding to legitimate requests. This setup is, of course, counter to what you would normally select for a Web server: no real Web server would be running on a simple laptop with Windows 98. Likewise, actual DoS attacks use much more sophisticated methods. This simple exercise, however, should demonstrate for you the basic principle behind the DoS attack: simply flood the target machine with so many packets that it can no longer respond to legitimate requests.

 

FYI: Buffer Overflows

 

A Denial of Service attack is “one of the most common” attacks on a system. Another extremely common type of attack is the buffer overflow. Which of these is the leading form of attack is subject to debate among the experts. Regardless, understanding DoS attacks and how to thwart them is clearly an important component of system security.

 

Generally, the methods used for DoS attacks are significantly more sophisticated than the illustration. For example, a hacker might develop a small virus whose sole purpose is to initiate a ping flood against a predetermined target. Once the virus has spread, the various machines that are infected with it then begin their ping flood of the target system. This sort of DoS is easy to do, and it can be hard to stop. A DoS that is launched from several different machines is called a Distributed Denial of Service (DDoS).
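From the server operator’s side, the classroom exercise and the virus-driven flood just described look the same in a packet log: one host, or many, sending far more ICMP than any legitimate use needs. The detector below is an added example, not part of the original article; it reads a simplified one-packet-per-line log whose format and sample lines are constructed here, and reports both a single noisy source and the distributed case, where every participant stays under the per-host threshold but the aggregate still exceeds what the server can absorb.

```python
"""Rate-based detection of ping floods in a packet log.

Added example, not part of the original article. It assumes a simplified
one-packet-per-line log (format constructed for this example):
    <epoch_seconds> ICMP <src_ip> -> <dst_ip> len=<bytes>
A real deployment would feed it from a firewall or packet-capture log.
"""
from collections import defaultdict, deque

# Constructed sample 1: the classroom exercise seen from the server side.
# 10.0.0.5 sends 120 maximum-size pings in ~1.2 s; two other hosts send a
# handful of normal pings.
SAMPLE_SINGLE = (
    [f"{1000 + i * 0.01:.2f} ICMP 10.0.0.5 -> 10.0.0.1 len=65000" for i in range(120)]
    + [f"{1000 + i * 0.5:.2f} ICMP 10.0.0.7 -> 10.0.0.1 len=32" for i in range(4)]
    + [f"{1000 + i * 0.5:.2f} ICMP 10.0.0.9 -> 10.0.0.1 len=32" for i in range(4)]
)

# Constructed sample 2: a distributed flood. Thirty sources each send only
# five packets, so no single host looks abusive, yet 150 packets arrive
# within half a second.
SAMPLE_DISTRIBUTED = [
    f"{2000 + j * 0.1:.2f} ICMP 10.1.{n // 256}.{n % 256} -> 10.0.0.1 len=65000"
    for n in range(1, 31)
    for j in range(5)
]


def parse_line(line):
    """Return (timestamp, src, dst, length) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "ICMP" or parts[3] != "->":
        return None
    try:
        return float(parts[0]), parts[2], parts[4], int(parts[5].split("=", 1)[1])
    except ValueError:
        return None


def detect_floods(lines, window=1.0, per_source_limit=50, aggregate_limit=100):
    """Sliding-window packet counts.

    Returns {'sources': {src: peak_count}, 'aggregate_flood': bool}.
    - A source is reported when more than per_source_limit of its packets
      fall inside any `window`-second interval (single-host flood).
    - aggregate_flood is set when packets from all sources together exceed
      aggregate_limit in a window; this is the only signal a DDoS gives when
      each participant stays under the per-source limit.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    per_src = defaultdict(deque)
    recent = deque()
    flagged = {}
    aggregate = False
    for ts, src, _dst, _length in events:
        q = per_src[src]
        q.append(ts)
        while ts - q[0] > window:  # drop this source's packets older than the window
            q.popleft()
        if len(q) > per_source_limit:
            flagged[src] = max(flagged.get(src, 0), len(q))
        recent.append(ts)
        while ts - recent[0] > window:  # same for the all-sources window
            recent.popleft()
        if len(recent) > aggregate_limit:
            aggregate = True
    return {"sources": flagged, "aggregate_flood": aggregate}


if __name__ == "__main__":
    print("single source :", detect_floods(SAMPLE_SINGLE))
    print("distributed   :", detect_floods(SAMPLE_DISTRIBUTED))
```

The thresholds are arguments rather than constants because the right values depend on the host: a server that legitimately answers monitoring pings from many probes needs a higher aggregate limit than a workstation. The important design point is the second, aggregate window; a detector that only counts per source never sees the DDoS that the article goes on to describe.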

Common Tools Used for DoS

As with any of the security issues in previous articles, you will find that hackers have at their disposal a vast array of tools with which to work. The DoS arena is no different. While it is certainly well beyond the scope of this and the previous articles to categorize or discuss all of these tools, a brief introduction to just a few of them will prove useful. The two tools discussed here, TFN and Stacheldraht, are typical of the type of tools that someone wishing to perform a DoS attack would utilize.

TFN and TFN2K

TFN, also known as Tribal Flood Network, and TFN2K are not viruses, but rather attack tools that can be used to perform a DDoS. TFN2K is a newer version of TFN that supports both Windows NT and Unix platforms (and can easily be ported to additional platforms). There are some features which make it more complex than its predecessor, including sending decoy information to avoid being traced. Users of TFN2K can use its resources for attacks against more than one target. Additionally, TFN and TFN2K can perform various attacks such as UDP flood attacks, ICMP flood attacks, and TCP SYN flood attacks.

FYI: What is DoS?

The name for DoS attacks comes from the fact that such attempts literally deny legitimate users the service provided by the site in question. These attacks began to become widely known in 1995 when the simple Ping of Death DoS attack began to be used frequently.

TFN2K works on two fronts. First, there is a command-driven client on the master system. Second, there is a daemon process operating on an agent system. The attack works like this:

1.      The master instructs its agents to attack a list of designated targets.

2.      The agents respond by flooding the targets with a barrage of packets.

With this tool, multiple agents, coordinated by the master, can work together during the attack to disrupt access to the target. Additionally, there are a number of “safety” features for the attacker that significantly complicate the development of effective and efficient countermeasures for TFN2K:

·         Master-to-agent communications are encrypted and may be mixed with any number of decoy packets.

·         Both master-to-agent communications and attacks themselves can be sent via randomized TCP, UDP and ICMP packets.

·         The master can falsify its IP address (spoof).

Stacheldraht:

Stacheldraht, which is German for “barbed wire”, is a DDoS attack tool that combines features of the Trinoo DDoS tool (another common tool) with the source code from the TFN DDoS attack tool. Like TFN2K, it adds encryption of communication between the attacker and the Stacheldraht master. It also provides automatic updating of the agents.

Stacheldraht can perform a variety of attacks including UDP flood, ICMP flood, TCP SYN flood and Smurf attacks. It also detects source address forgery and enables it automatically.

DoS Weaknesses

The weakness in any DoS attack, from the attacker’s point of view, is that the flood of packets must be sustained. As soon as the attacker stops sending packets, the target system is back up. A DoS/DDoS attack, however, is very often used in conjunction with another form of attack, such as disabling one side of a connection in TCP hijacking or preventing authentication or logging between servers.

If the hacker is using a distributed attack, as soon as the administrators or owners of the infected machines realize their machines are infected, they will take steps to remove the virus and thus stop the attack. If a hacker attempts to launch an attack from her own machine, she must be aware that each packet has the potential to be traced back to its source. This fact means the single hacker using a DoS will almost certainly be caught by the authorities. For this reason, the DDoS is quickly becoming the most common type of DoS attack.




PORT MONITORING AND MANAGING

 

Using the tools I have already outlined in the previous article, you have access to a great deal of information about the ports in use on a system. There are, however, some additional tools that allow you to obtain more specific information about the ports in use and their state, as well as about the flow of information in and out of those ports. Some of these tools also allow you to link a listening port to its application.

NetStat Live

One of the most popular protocol monitors is NetStat, which ships free with Microsoft Windows. A version of this, NetStat Live (NSL), which is freely available on the Internet, is a small, easy-to-use TCP/IP protocol monitor that can be used to see the exact throughput of both incoming and outgoing data, whether you are using a modem, DSL or even a local network. It allows you to see the speed at which your data goes from your computer to another computer on the Internet. It will even tell you how many other computers your data must go through to get to its destination. It also graphs the CPU usage of the NSL system. This can be especially useful if, for example, you are experiencing slow connection speeds: it can identify whether your computer is the reason for the slowdown or whether it is your Internet connection.

After you download and install the program, you simply run it. When the program launches, it displays the last 60 seconds of data. It shows the average data rate, the total amount of data sent since the last reboot, and the maximum data rate. It tracks all incoming and outgoing traffic in a default display window, but this window can be customized to show exactly what you want. To enable or disable a pane, simply right-click on the window, choose Statistics and then place a check next to any statistics that you would like to see. Your choices are:

Ø  Local Machine. Monitors the current machine name, IP address and network interface.

Ø  Remote Machine. The remote machine, including average ping time and number of hops.

Ø  Incoming Data. Data on the incoming (Download) channel.

Ø  Incoming Totals. Total for the incoming data.

Ø  Outgoing Data. Data on the outgoing (upload) channel.

Ø  Outgoing Totals. Totals for the outgoing data.

Ø  System Threads. Total number of threads currently running in the system.

Ø  CPU Usage. Graphs the CPU load.

Notice that a machine is listed in the remote section along with some information about it. You can easily change the server you are collecting information for: simply open your Web browser, go to a Web page and copy the URL (including the http://) to the clipboard by using Ctrl + C.

In addition to adjusting the display, NSL can also be configured to operate in several different ways from the Configure dialog box. To access the Configure options, right-click on the NSL display and choose Configure.

From this dialog box, you can configure the program in many ways. Your configuration options are:

Ø  Auto Minimize. If enabled, when NSL starts up, it will automatically show up in the system tray instead of as a window on the screen.

Ø  Auto Start. If enabled, NSL will automatically run every time you reboot your machine. (This is good to use with the Auto Minimize option.)

Ø  Always on Top. If enabled, the NSL dialog box will always be on top of other windows. This allows you to see the information no matter what else is on the screen.

Ø  URL ClipCap. If enabled, NetStat will scan the Windows clipboard for a URL and, if it finds one, will automatically ping/traceroute it.

Ø  Close Minimize. If enabled, pressing the Close button does not actually close NSL, but rather minimizes it to the system tray.

Ø  TCP/IP Interface. This drop-down list allows you to select from the TCP/IP interfaces currently available, or to monitor all available interfaces (if a specific interface cannot be found, it defaults back to all).

Ø  Display values in. This drop-down list allows you to select whether the values are displayed in bits or bytes (the default).

NetStat Live tracks all network activity. This means that you can see how quickly data moves across the local network (as long as you are using TCP/IP) as well as to and from remote sites. Additionally, this means that when used on a modem connection, you will see the actual throughput and not just what the dial-up networking adapter or modem says it is doing. This allows you to see exactly what kind of performance you are getting while you are browsing Web pages.

Active Ports

Active Ports is another easy-to-use tool for Windows. Through it you will be able to monitor all open TCP and UDP ports on your local computer. Active Ports maps ports to the owning application so that you can watch which process has opened which port. It also displays the local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you detect Trojan horses and other malicious programs.

Like so many of these types of programs, Active Ports is available as a free download from many sites on the Internet.

Fport

Like Active Ports, fport reports all open TCP/IP and UDP ports and maps them to the owning application. Additionally, it maps those ports to running processes. Fport can be used to quickly identify unknown open ports and their associated applications.

TCPView

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the remote addresses and the state of TCP connections. TCPView provides a conveniently presented subset of the Netstat program.
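Active Ports, fport and TCPView all answer the same question: which process owns a listening port, and is that port expected? The script below, added here as an example and not code from any of those tools, does the same from saved command output: it parses the text that Windows `netstat -ano` and `tasklist` print (the sample output is constructed, including the PIDs, the image names and the port 5555 listener), joins the two on PID, and flags every listener not on an allow-list. The well-known-port table is limited to the numbers mentioned in this article.

```python
"""Map listening ports to their owning processes and flag the unexpected.

Added example, not part of the original article and not code from any
of the tools it names. It parses the text format that Windows
`netstat -ano` and `tasklist` print; the sample output below is
constructed for this example, not captured from a real machine.
"""

# Constructed sample of `netstat -ano` output (header lines included, as
# the real command prints them). PIDs and the port 5555 listener are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       4555
  TCP    10.0.0.2:49231         10.0.0.9:443           ESTABLISHED     3100
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
"""

# Constructed sample of `tasklist` output; image names are made up.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        236 K
httpd.exe                     1234 Services                   0     12,408 K
browser.exe                   3100 Console                    1     88,120 K
svc_unkn.exe                  4555 Services                   0      3,052 K
"""

# Well-known port numbers mentioned in the article.
WELL_KNOWN = {80: "http", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state, pid) tuples.
    UDP rows have no State column; an unconnected UDP socket is effectively
    listening, so they are recorded with the state 'LISTENING'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines
        proto = parts[0]
        local_ip, _, local_port = parts[1].rpartition(":")
        if proto == "TCP" and len(parts) == 5:
            state, pid = parts[3], parts[4]
        elif proto == "UDP" and len(parts) == 4:
            state, pid = "LISTENING", parts[3]
        else:
            continue  # malformed row: skip rather than guess
        rows.append((proto, local_ip, int(local_port), state, int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from tasklist output."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            names[int(parts[1])] = parts[0]
    return names


def audit_listeners(netstat_text, tasklist_text, allowed_ports):
    """Return a sorted list of (proto, port, process_name, service_guess,
    flagged) for every socket in the LISTENING state; flagged is True when
    the port is not in allowed_ports."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for proto, _ip, port, state, pid in parse_netstat(netstat_text):
        if state != "LISTENING":
            continue
        findings.append((proto, port, names.get(pid, "<unknown pid %d>" % pid),
                         WELL_KNOWN.get(port, "?"), port not in allowed_ports))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def flagged_ports(netstat_text, tasklist_text, allowed_ports):
    """Just the set of listening ports that are not on the allow-list."""
    return {f[1] for f in audit_listeners(netstat_text, tasklist_text, allowed_ports) if f[4]}


if __name__ == "__main__":
    for proto, port, name, svc, flagged in audit_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, {80}):
        print(f"{proto:<4}{port:>6}  {svc:<12} {name:<14} {'UNEXPECTED' if flagged else 'ok'}")
```

Run against real output, the interesting rows are the ones where the service guess is "?" and the image name is unfamiliar: that pairing is exactly what the article means by linking an unknown open port to its application. The allow-list is what turns a listing into an audit; a Web server's list contains 80 and little else, and NetBIOS ports 137 to 139 showing up on it deserve a look.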

In-Depth Searches

Port scanners and other types of scanners can only tell you so much about a target system. At some point, you will probably want to take your investigation to a deeper level. For example, if you find out that a particular server is running IIS 5.0, that discovery probably means the company has Windows 2000. If you then uncover default shared folders and default registry settings, you know that the system is probably entirely set up with default settings. It is also less likely that this system is routinely patched and updated, because a security-conscious administrator would not have left default settings in the first place. Your next step is to scan the Internet using various search engines (e.g. www.yahoo.com, www.google.com, www.lycos.com) to find out whether there are any known vulnerabilities with the target system and its configuration. There is a good chance that someone has actually documented the specific vulnerabilities and how these faults can be exploited. Once you have studied the potential vulnerabilities in a target system, you can take one of several actions, depending on your role in the investigation.

1.      If you are a system administrator, you must correct those vulnerabilities promptly.

2.      If you are a “sneaker” (or an “ethical” white hat hacker), you would document what you have found to then report to your client.

3.      If you are a cracker, you can use this information to select the most appropriate way to compromise the target system. However, be aware that such activities are illegal and can culminate in severe penalties, including a prison sentence.

Web searches and newsgroup searches (you can use Google’s “groups” tab for this task) can also provide other interesting information about a site. You will often be able to find details about a company, such as its key personnel and ISP. There are several ways to use this information. For example, if you find that a company has a high turnover in its systems department (for example, you see the same job posted frequently, indicating rapid turnover), then it is less likely that the system is as secure as it should be. Or, if you see that one company is being bought out by another, this event might lead to some confusion in the two companies’ IT departments as they try to merge. This information can help you identify other vulnerabilities in a target system.

SCANNING

 

Once you have used VisualRoute or perhaps simply used the traceroute utility and manually looked up information on www.internic.net, you are ready to move to the next phase in gathering information about a target system. This phase is completed by scanning.

The process of scanning can involve many tools and a variety of techniques. The basic goal of scanning is to identify security weaknesses in a host or network. Scanning is at its best a science, but is considered an art by many because a skilled attacker is patient and has a knack for knowing (usually based on experience) precisely where and how to scan target devices.

A number of utilities are freely available on the Internet for performing scans. Some of the more common are:

1.      Nmap (Powerful tool available for Unix or Windows that finds ports and services available via IP)

2.      Hping2 (Powerful Unix-based tool used to gain important information about a network.)

3.      Netcat (Others have described this application as the “Swiss Army knife” of network utilities)

4.      Ping (available for testing IP connectivity on almost every platform and operating system)

5.      Traceroute (Map out the hops of the network to the target device or system)

Of these, Nmap (“Network Mapper”) is probably the best known and most flexible scanning tool available today. It uses IP packets in new ways to determine which hosts are available on the network, what operating systems are running, and what firewalls are in use. It also provides options for fragmentation, use of decoy IP addresses, spoofing, stealth scans and a number of other features. Nmap is the most widely used tool by both crackers and security professionals for the purpose of port scanning and operating system identification. Formerly, this was only a Unix-based utility; however, it has recently been extended for use with Windows systems. If you have access to or will be working on a UNIX system, or care to obtain the newer Windows-based Nmap, this is a utility with which you should certainly become familiar.

Network mapping is a process in which you discover information about the topology of the network. This can include gateways, routers and servers. The first step is to sweep for live systems. To find live hosts, hackers ping them by sending ICMP packets. If a system is live, it will send an ICMP echo reply. ICMP messages can be blocked, so an alternative is to send a TCP or UDP packet to a port, such as 80 (http), that is frequently open, and live machines will send a SYN-ACK (acknowledgment) packet in response. Once the live systems are known, utilities such as traceroute or the others already discussed can provide additional information about the network by discovering the paths taken by packets to each host. This provides information about the routers and gateways in the network and the general layout of the network.

In the following sections, we will examine some methods for performing port scans. Fortunately, there are a number of utilities freely available on the Internet for doing port scanning. We will also discuss network mapping and vulnerability scanning.

FYI: Scanning Utilities

 

You can find a list of additional URLs for port scanning software in Appendix B of this book. You can also search the Internet using the keywords “port scanning.”

 

Port Scanning

Once the IP address of a target system is known, the next step is port scanning. Such scanning is the process of sending packets to each port on a target system to see what ports it has open (in the LISTEN state). A system has 65,535 port numbers, with one TCP port and one UDP port for each number. Each port has an affiliated service that may be exploited or vulnerable. Thus, viewing the ports tells you what sort of software is running. If someone has port 80 open, then he or she is probably running a Web server. If you see that all the default ports are open, the discovery probably indicates a network administrator who is not particularly security conscious and may have left all default settings on all of his or her systems. This deduction gives you valuable clues as to the kind of target you are examining. In the following section, we will experiment with a few port scanning utilities.

Now that you have a tool to find out which ports are open on the target machine, what can you do with this information? As we already mentioned, an open port can tell you a great deal about a system. We briefly reviewed a number of well-known ports. That list was not exhaustive, but it should give you an idea. The following sites list well-known ports:

·         www.networkssorcery.com/protocol/ip/ports00000.html

·         www.iana.org/assignments/port-numbers

·         www.techadvice.com/tech/T/TCP_well_known_ports.htm

Using this information about well-known ports, you should be able to tell whether a system is using NetBIOS, because such a system will have ports 137, 138 and 139 open. If a system is running an SQL server, then it may have port 118 open. This information can then be used by a hacker to begin to explore possible flaws or vulnerabilities in the service running on a given port number. Therefore, this information is quite important from a security perspective. If you are scanning your own machine and see ports that are open (ones that you do not use), then close them. All firewalls give you the option of blocking ports; that function is a basic purpose of any firewall. A basic rule of thumb in security is that any port that you are not actively using should be blocked.
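The rule of thumb above, block every port you are not using, is only as good as your check that the firewall really does it. The self-check below is an added example, not the article’s code and not taken from Nmap, NetBrute or any other tool it names: it performs a TCP connect probe of a port list against a host, classifies each port as open, closed or filtered, and compares the result with the policy you expect. The two helper functions that open and release a loopback port exist only so the example runs against 127.0.0.1 without touching any other machine.

```python
"""Verify a port policy against your own host with a TCP connect check.

Added example, not part of the original article and not taken from Nmap,
NetBrute or any other tool it names. Each port is classified as:
  open      - the connection was accepted (something is listening)
  closed    - the connection was refused (RST), nothing listening
  filtered  - no answer before the timeout, the usual sign of a firewall
              silently dropping the packet
"""
import socket


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "filtered"  # e.g. host unreachable: it did not answer


def scan_ports(host, ports, timeout=1.0):
    """Return {port: state} for every port in `ports`."""
    return {p: probe_port(host, p, timeout) for p in ports}


def audit_policy(host, expected_open, expected_closed, timeout=1.0):
    """Compare observed states with the policy.

    Returns {'unexpected_open': [...], 'unexpected_closed': [...]}:
    - a port in expected_closed that answers is a policy violation
      (something is listening that should be blocked);
    - a port in expected_open that does not answer points at a service
      that is down or a firewall rule that is too strict.
    """
    states = scan_ports(host, set(expected_open) | set(expected_closed), timeout)
    return {
        "unexpected_open": sorted(p for p in expected_closed if states[p] == "open"),
        "unexpected_closed": sorted(p for p in expected_open if states[p] != "open"),
    }


def open_local_listener():
    """Bind a listening socket on an OS-chosen loopback port (demo/test only).
    Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def free_local_port():
    """Return a loopback port that nothing is listening on right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, listening = open_local_listener()
    closed = free_local_port()
    try:
        print(scan_ports("127.0.0.1", [listening, closed]))
        print(audit_policy("127.0.0.1", expected_open=[listening], expected_closed=[closed]))
    finally:
        srv.close()
```

A connect probe is the least ambiguous check because it completes the handshake; the cost is that every probe shows up in the target’s logs, which is fine when the target is your own server and is exactly why a scan of this kind is worth alerting on when it comes from anywhere else. The "filtered" result is the one to read carefully: against a well-configured firewall most "closed" ports should actually come back filtered, since a refusal still confirms that the host exists.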

FYI: SQL Server

 

Generically, an SQL server is any database management system (DBMS) that can respond to queries from client machines formatted in the SQL language.

NetBrute

Some port scanners do more than just scan open ports; some even give you extra information. One such product is NetBrute from RawLogic, located at www.rawlogic.com/netbrute/. This one is quite popular with both the security and hacker communities. No computer security professional should be without this item in their tool chest. This utility will give you open ports, as well as other vital information. Once you install and launch NetBrute, you will see a screen such as the one depicted.

We will concentrate on the NetBrute tab first. You can elect to scan a range of IP addresses (perfect for network administrators assessing the vulnerability of their own systems), or you can choose to target an individual IP. When it is done, it will show you all the shared drives on the computer.

With the PortScan tab, you can find open ports. It works exactly like the first tab except that, instead of giving you a list of shared folders/drives, it gives you a list of open ports. That way, with NetBrute, you get a port scanner and a shared folder scanner. The WebBrute tab allows you to scan a targeted Web site and obtain information similar to what you would get from Netcraft. This scan gives you information such as the target system’s operating system and Web server software. Shared folders and drives are important for security because they provide a possible way for hackers to gain access to the system. If a hacker can gain access to a shared folder, he or she can use this area to upload Trojan horses, viruses, key loggers, or other devices.

Cerberus Internet Scanner

Perhaps one of the most popular scanning utilities is the Cerberus Internet Scanner (a number of download locations are listed in Appendix B). This tool is very simple to use as well as informative.

From this screen, you can click the button on the far left that has an icon of a house, or you can go to “File” and select “Host”. Then key in the URL or IP address of the machine you want to scan. Click the "S" button or go to "File" and select "Start Scan". Cerberus will then scan that machine and give you back a wealth of information. You can see all the various categories of information that you receive.

To review the report, click on the third button. A Hypertext Markup Language (HTML) report will launch (thus the document is easy to save for future reference) with links to each category.

One of the most interesting parts to review, especially for the security administrator, is the NT Registry Report. This report will examine the Windows Registry and inform you of any security flaws found there and how to correct them.

This list shows specific Windows registry settings, why those settings aren't particularly secure, and what you can do to keep them safe. For obvious reasons, this tool is very popular with hackers. Cerberus can provide a comprehensive map of all potential vulnerabilities of the system, including, but not limited to, shared drives, insecure registry settings, running services, and known bugs in the operating system.

All of these tools (and others we have not examined) have one thing in common: they provide information to anyone who wants it. Information is a powerful weapon, but it is also a double-edged sword. Any information a network administrator can use to secure his network, a cracker can also use to break into the network. It is imperative that all network administrators be comfortable with the scanning tools that are available. It is a good idea to make a routine habit of scanning your own system to search for vulnerabilities, and then to close those vulnerabilities.

Port Scanner for UNIX: SATAN

A tool that has been used by UNIX administrators for years (as well as by hackers) is SATAN. This tool is not some evil supernatural being, but an acronym for Security Administrator Tool for Analyzing Networks. It can be downloaded for free from any number of Web sites. Many of those sites are listed at www.fish.com/satan/mirrors.html. This tool is strictly for Unix and will not work in Windows. For that reason, we will not be discussing it here, but it is important that you be aware of it. If you intend to work with Unix or Linux, you should definitely get this utility.

Vulnerability Scanning

In addition to the utilities and scanners we have already discussed, another essential type of tool for any attacker or defender is the vulnerability scanner. A vulnerability scanner, or security scanner, will remotely audit a network and determine whether someone (or something, such as a worm) may break into it or misuse it in some way. These tools allow the attacker to connect to a target system and check for such vulnerabilities as configuration errors, default configuration settings that allow attackers access, and the most recently reported system vulnerabilities. As with port scanners, there are both commercial and free open-source versions of vulnerability scanners. We will discuss two vulnerability scanners here, but there are many others available.

SAINT

SAINT is a network vulnerability assessment scanner that takes a preventatives approach to securing computer networks. It scans is system and finds security weaknesses. It prioritizes critical vulnerabilities in the network and recommends safeguards for your data. SAINT gives you benefits in several ways:

·         Prioritized vulnerabilities let you focus your resources on the most critical security issues.

·         Fast assessment results help you identify problems quickly.

·         Highly configurable scans increase the efficiency of your network security program.

NetBrute

Some port scanners do more than just scan open ports; some even give you extra information. One such product is NetBrute from RawLogic, located at www.rawlogic.com/netbrute/. This tool is quite popular with both the security and hacker communities. No computer security professional should be without this item in their tool chest. This utility will show you open ports, as well as other vital information. Once you install and launch NetBrute, you will see a screen such as the one depicted.

We will concentrate on the NetBrute tab first. You can elect to scan a range of IP addresses (perfect for network administrators assessing the vulnerability of their own systems), or you can choose to target an individual IP. When the scan is done, it will show you all the shared drives on the computer.

With the PortScan tab, you can find open ports. It works exactly like the first tab except that, instead of giving you a list of shared folders/drives, it gives you a list of open ports. That way, with NetBrute, you get both a port scanner and a shared folder scanner. The WebBrute tab lets you scan a target Web site and obtain information similar to what you would get from Netcraft. This scan gives you information such as the target system’s operating system and Web server software. Shared folders and drives are important for security because they provide a possible way for hackers to gain access to the system. If a hacker can gain access to a shared folder, he or she can use this area to upload Trojan horses, viruses, key loggers, or other malicious software.

Cerberus Internet Scanner

Perhaps one of the most popular scanning utilities is the Cerberus Internet Scanner (a number of download locations are listed in Appendix B). This tool is very simple to use as well as informative.

From this screen, you can click the button on the far left that has an icon of a house, or you can go to “File” and select “Host”. Then key in the URL or IP address of the machine you want to scan. Click the "S" button or go to "File" and select "Start Scan". Cerberus will then scan that machine and give you back a wealth of information. You can see all the various categories of information that you receive.

To review the report, click on the third button. The report launches as a Hypertext Markup Language (HTML) document (thus the document is easy to save for future reference) with links to each category.

One of the most interesting parts to review, especially for the security administrator, is the NT Registry Report. This report examines the Windows Registry and informs you of any security flaws found there and how to correct them.

This list shows specific Windows registry settings, why those settings aren't particularly secure, and what you can do to keep them safe. For obvious reasons, this tool is very popular with hackers. Cerberus can provide a comprehensive map of all potential vulnerabilities of the system, including, but not limited to, shared drives, insecure registry settings, running services, and known bugs in the operating system.

All of those tools (and others we have not examined) have one thing in common: they provide information to anyone who wants it. Information is a powerful weapon, but it is also a double-edged sword. Any information a network administrator can use to secure his network, a cracker can also use to break into it. It is imperative that all network administrators be comfortable with the virus scanning tools that are available. It is a good idea to make a routine habit of scanning your own system to search for vulnerabilities – and then closing those vulnerabilities.

Port Scanner for UNIX: SATAN

A tool that UNIX administrators (as well as hackers) have used for years is SATAN. This tool is not some evil supernatural being, but an acronym for Security Administrator Tool for Analyzing Networks. It can be downloaded for free from any number of Web sites. Many of those sites are listed at www.fish.com/satan/mirrors.html. This tool is strictly for Unix and will not work in Windows. For that reason, we will not be discussing it here, but it is important that you be aware of it. If you intend to work with Unix or Linux, you should definitely get this utility.

Vulnerability Scanning

In addition to the utilities and scanners we have already discussed, another essential type of tool for any attacker or defender is the vulnerability scanner. A vulnerability scanner, or security scanner, remotely audits a network and determines whether someone (or something, such as a worm) may break into it or misuse it in some way. These tools allow the attacker to connect to a target system and check for such vulnerabilities as configuration errors, default configuration settings that allow attackers access, and the most recently reported system vulnerabilities. As with port scanners, there are both commercial and free open-source versions of vulnerability scanners. We will discuss two vulnerability scanners here, but there are many others available.

SAINT

SAINT is a network vulnerability assessment scanner that takes a preventative approach to securing computer networks. It scans a system and finds security weaknesses. It prioritizes critical vulnerabilities in the network and recommends safeguards for your data. SAINT benefits you in several ways:

·         Prioritized vulnerabilities let you focus your resources on the most critical security issues.

·         Fast assessment results help you identify problems quickly.

·         Highly configurable scans increase the efficiency of your network security program.

Nessus

Nessus, or the “Nessus Project” as it is also known, is another extremely powerful network scanner. It is one of the most up-to-date and easy-to-use remote security scanners currently available. It has a fast, reliable and modular architecture that allows you to customize it to your needs. Nessus works on Unix-like systems (Mac OS X, FreeBSD, Linux, Solaris and more) and also has a Windows version called NeWT.

Additionally, Nessus includes a variety of plug-ins that can be enabled depending on the type of security checks you want to perform. These plug-ins work cooperatively, with each test specifying what is needed to proceed with the test. For example, if a specific test requires a remote FTP server and a previous test shows that none exists, that test will not be run. Not performing futile tests speeds up the scanning process. These plug-ins are updated daily and are available from the Nessus Web site.

The output from a Nessus scan of a system is incredibly detailed, and there are multiple formats available for the reports. These reports give information about security holes, warnings and notes. Nessus does not attempt to fix any security holes that it finds. It simply reports them and gives suggestions on how to make the vulnerable system more secure.
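The plug-in cooperation described above (a test declares what it needs, and it is skipped when an earlier test has shown the prerequisite is absent) is easier to see in code than in prose. The following is an added example written for this article, not Nessus code: it models plug-ins that publish "facts" about a target, runs them in dependency order, skips the ones whose prerequisites are known to be false, and groups findings into holes, warnings and notes with a suggestion attached, as the text says Nessus reports do. The plug-in names, fact names and the simulated host are all constructed for illustration.

```python
"""Dependency-aware scan scheduler modelled on the plug-in behaviour
described for Nessus. Added example, not Nessus code: plug-in names,
fact names and the simulated host are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Facts = Dict[str, bool]      # what earlier tests have established about the host
Host = Dict[str, object]     # constructed stand-in for a real, probed target


@dataclass
class Plugin:
    name: str
    severity: str                                   # "hole", "warning" or "note"
    requires: List[str]                             # facts that must be True to run
    check: Callable[[Host, Facts], Optional[str]]   # returns a finding or None


@dataclass
class ScanReport:
    ran: List[str] = field(default_factory=list)
    skipped: Dict[str, str] = field(default_factory=dict)   # plug-in -> reason
    findings: Dict[str, List[str]] = field(
        default_factory=lambda: {"hole": [], "warning": [], "note": []})


def run_scan(host: Host, plugins: List[Plugin]) -> ScanReport:
    """Run plug-ins in dependency order and skip any whose prerequisite
    is known to be absent (the "no FTP server, so no FTP test" rule)."""
    facts: Facts = {}
    report = ScanReport()
    pending = list(plugins)
    progress = True
    while pending and progress:
        progress = False
        for plugin in list(pending):
            if any(r not in facts for r in plugin.requires):
                continue          # wait until another plug-in supplies the fact
            pending.remove(plugin)
            progress = True
            missing = [r for r in plugin.requires if not facts[r]]
            if missing:
                report.skipped[plugin.name] = "requires " + ", ".join(missing)
                continue
            finding = plugin.check(host, facts)
            report.ran.append(plugin.name)
            if finding:
                report.findings[plugin.severity].append(f"{plugin.name}: {finding}")
    for plugin in pending:        # nobody could establish the prerequisite
        report.skipped[plugin.name] = "prerequisite never established"
    return report


# --- constructed plug-ins; a real one would probe the host over the network ---
def port_scan(host: Host, facts: Facts) -> Optional[str]:
    ports = set(host["open_ports"])
    facts["ftp_service"] = 21 in ports
    facts["http_service"] = 80 in ports
    facts["ssh_service"] = 22 in ports
    return "open ports: " + ", ".join(str(p) for p in sorted(ports))


def ftp_anonymous(host: Host, facts: Facts) -> Optional[str]:
    if host.get("ftp_anonymous"):
        return "anonymous FTP login accepted; disable anonymous access"
    return None


def http_banner(host: Host, facts: Facts) -> Optional[str]:
    banner = str(host.get("http_server_banner", ""))
    if any(ch.isdigit() for ch in banner):
        return f"Server header discloses version {banner!r}; suppress version strings"
    return None


def ssh_present(host: Host, facts: Facts) -> Optional[str]:
    return "SSH exposed; restrict source addresses and require key authentication"


PLUGINS = [
    # Listed before port_scan on purpose: ordering is resolved by the scheduler.
    Plugin("ftp_anonymous_login", "hole", ["ftp_service"], ftp_anonymous),
    Plugin("port_scan", "note", [], port_scan),
    Plugin("http_version_disclosure", "warning", ["http_service"], http_banner),
    Plugin("ssh_exposure", "note", ["ssh_service"], ssh_present),
]

# Constructed target: SSH and HTTP open, no FTP, versioned Server header.
SIMULATED_HOST: Host = {
    "open_ports": [22, 80],
    "http_server_banner": "ExampleHTTPd/2.4.1 (FreeBSD)",
}


def report_text(report: ScanReport) -> str:
    """Plain-text rendering; dataclasses.asdict(report) gives a JSON-ready form."""
    lines = []
    for sev in ("hole", "warning", "note"):
        for item in report.findings[sev]:
            lines.append(f"[{sev.upper()}] {item}")
    for name, why in report.skipped.items():
        lines.append(f"[SKIPPED] {name}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report_text(run_scan(SIMULATED_HOST, PLUGINS)))
```

Against the simulated host the FTP test is never executed and the report records why, which is what makes the skipping auditable rather than silent; swap in a host with port 21 open and the same scheduler runs it and reports the hole.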


ASSESSING A TARGET SYSTEM

Introduction

Ultimately, every hacker wishes to compromise a target system and gain access to it; this goal is the same for any hacker, regardless of the hacker’s “hat” (his or her ideology or motivation). Before a hacker can attempt to compromise a target system, he must know a great deal about the target system. There are a number of network utilities, Web sites and programs that a hacker can use to find out about a target system. Learning these methods will help us for two reasons. First, you should know exactly what tools crackers have at their disposal to assess your system’s vulnerabilities. Second, many security-savvy network administrators frequently use these tools to assess their own systems. Another term for assessing your own system (or a client’s) is auditing. When a hacker or cracker is examining a potential target system, this assessment is called footprinting. If you can find vulnerabilities, you have the chance to fix them before someone else exploits them.

Recall the discussion of the rather tedious process hackers have to use in order to enter a target system. The first stage of this process is learning about the system. It is important to know about the operating system, any software running on it, what security measures are in effect and as much about the network as possible. This legwork is like a thief casing a bank before attempting a robbery. The thief needs to know all about alarm systems, work schedules and guards. The same is necessary for the hacker who wants to enter a system: the hacker’s first step is to gather information about that system. Assessing your own system, therefore, needs to be your first step also.

Basic Reconnaissance

On any system, you must first start by finding out some general information. This task – commonly referred to as reconnaissance – is particularly easy with a Web server. A Web server, by definition, must communicate with Web clients. That activity means that a certain amount of information is easily accessible in the public domain. In the past, security managers had to use some rather arcane-looking commands from either a command prompt or a Linux/Unix shell to gather this information. But today, you can get the information in just a few simple steps by using some readily available utilities. These tools are used by security managers as well as crackers.

The ways in which information is obtained by a cracker can vary greatly. Although there are many tools available, the ways listed below are the most likely initial reconnaissance methods used for Windows platforms:

v  Nslookup

v  Whois

v  ARIN (This is available via any Internet browser client.)

v  Web-based tools (Hundreds if not thousands of sites offer various reconnaissance tools.)

v  Target Web site (The client’s Web site often reveals too much information.)

v  Social engineering (People are an organization’s greatest asset as well as their greatest risk.)

In the following sections, we will explore a few of the many Web-based tools available for obtaining basic information on a target system.

 

Netcraft

The first step on our journey is the Netcraft Web site. This Web site gathers information about Web servers – information that you can use in assessing a target system. It provides an online utility that will tell you what Web server software a site is running, what operating system it is using and other important and interesting information.

1.      Open your browser and key www.netcraft.com

2.      Click the link titled “What’s that site running,” which is found on the left side of the page.

3.      Key www.chuckeasttom.com into the “What’s that site running?” box.

4.      Press Enter. You will find a great deal of important information.

You can see that the server is running the FreeBSD operating system, a Unix variant. You can also see the machine’s IP address. This step is your first in learning about the target system. In many cases, with other addresses, you would also find out what Web server software the target system is running. You can then scan the Internet looking for any known flaws with either the operating system or the Web server software. This step gives you a starting place to find out about the system and what weaknesses you might be able to exploit. In this case, you would simply go to your favorite search engine (Google, Yahoo, Lycos and so forth) and key in something such as “FreeBSD security flaws.” You will be surprised at how many Web sites will list the weaknesses of the system. Some sites even have step-by-step instructions on how to exploit these weaknesses.

The fact that this information is so readily available should be enough to alarm any system administrator. As software developers learn of flaws in their software, they usually correct their code and release the corrections, known as patches or updates. If you are not regularly updating your systems, then you are leaving them open to external attacks, including viruses.

Besides the strengths and weaknesses of that software, sometimes just knowing the operating system and the Web server software is enough information in and of itself. For example, if a target system is running Windows NT 4.0, what would this fact tell a hacker? Because Microsoft long ago released Windows 2000, Windows XP and Windows 2003 Server, the hacker can deduce that this target system does not frequently update its software. This could denote a company that is on a very tight budget or one that simply is not particularly computer-savvy. In either case, this lack of updating means that this system probably doesn’t employ the latest security devices and techniques.
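The server software and operating system that a Netcraft lookup reports leak, among other places, through the HTTP response headers your own server sends to every client. The following added example (written for this article; it is not Netcraft’s or any vendor’s code) parses a constructed HTTP response, lists every product, version and operating-system hint an outsider can read from the Server and X-Powered-By headers, and shows the trimmed header set that gives the same lookup far less to work with. The product names and the response itself are invented for illustration.

```python
"""Audit what a Netcraft-style lookup can read off your own Web server's
response headers. Added example; the response and product names are
constructed, not a capture from any real server."""
import re
from typing import Dict, List

# Constructed raw HTTP response as a test server might send it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: ExampleHTTPd/2.4.1 (FreeBSD) ExampleMod/1.0\r\n"
    "X-Powered-By: ExampleApp/3.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers that conventionally carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by")
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")   # name/version token
OS_HINT_RE = re.compile(r"\(([^)]*)\)")                     # e.g. "(FreeBSD)"


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block as a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:        # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_report(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Every product, version and OS hint an outsider can read from the
    disclosing headers; an empty list means nothing useful is exposed."""
    findings: List[Dict[str, str]] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        for product, version in PRODUCT_RE.findall(value):
            findings.append({"header": name, "product": product, "version": version})
        for hint in OS_HINT_RE.findall(value):
            findings.append({"header": name, "os_hint": hint})
    return findings


def hardened_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop X-Powered-By and reduce Server to the bare product name, so a
    lookup learns at most the product family and no version or OS."""
    out = {k: v for k, v in headers.items() if k != "x-powered-by"}
    if "server" in out:
        m = PRODUCT_RE.match(out["server"])
        out["server"] = m.group(1) if m else "webserver"
    return out


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for finding in disclosure_report(hdrs):
        print(finding)
    print("after hardening:", disclosure_report(hardened_headers(hdrs)))
```

Run this against a response captured from your own server rather than the constructed one and the report is exactly the list of facts the lookup described above would hand to anyone who asks; the hardened form is what the same lookup sees once the version strings are suppressed in the server configuration.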

 

Tracing the IP Address

The next piece of information you will want concerns the various connections between you and the target system. When you visit a Web site, the packets bouncing back and forth between you and the target site do not take a direct route from you to there. They usually bounce around the Internet, going through various Internet service providers and routers. The obvious way to obtain this information is to use the traceroute or tracert utility. You can then write down the IP address of each step in the journey. However, this task can be very tedious. An easier process is offered through the Visualware Inc. Web site. Visualware offers some very interesting products, along with free online Web demos. These products automate network utilities, such as tracert and whois, in a rich graphical interface. I find Visualware’s product, VisualRoute, to be particularly useful and remarkably easy to employ.
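The tedious part of the tracert step, copying down the address of every hop, is the kind of thing a few lines of code do better than a graphical tool. The following added example (written for this article; it is not Visualware’s or any other product’s code) parses both the Windows tracert and the Unix traceroute output formats into a list of hops, and then reports two things a defender tracing toward their own server cares about: hops that did not answer, and hops carrying RFC 1918 private addresses, which would mean internal addressing is visible from outside. Both trace outputs are constructed using documentation address ranges, not real traces.

```python
"""Parse traceroute/tracert output into the per-hop address list the text
says you would otherwise write down by hand. Added example, not any tool's
own code; both sample outputs are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Windows tracert output.
WINDOWS_SAMPLE = """Tracing route to www.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  gw.isp.example [198.51.100.1]
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  203.0.113.10

Trace complete.
"""

# Constructed Linux traceroute output for the same path.
LINUX_SAMPLE = """traceroute to www.example.com (203.0.113.10), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  0.412 ms  0.380 ms  0.360 ms
 2  gw.isp.example (198.51.100.1)  11.9 ms  12.1 ms  11.8 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  25.0 ms  24.6 ms  25.3 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                 # hop lines start with a number
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RTT_RE = re.compile(r"(<?\d+(?:\.\d+)?)\s*ms\b")          # "12 ms", "0.412 ms", "<1 ms"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Hop:
    number: int
    ip: Optional[str]             # None when the hop did not answer
    host: Optional[str] = None    # reverse-DNS name if the tool printed one
    rtts: List[float] = field(default_factory=list)


def parse_trace(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                        # banner, blank or trailer line
        number, rest = int(m.group(1)), m.group(2)
        ip_match = IPV4_RE.search(rest)
        ip = ip_match.group(1) if ip_match else None
        host = None
        if ip is not None:
            ipaddress.ip_address(ip)        # raises ValueError on a malformed quad
            # Name printed before "[ip]" (Windows) or "(ip)" (Unix); skip if it is the IP itself.
            hm = re.search(r"([A-Za-z0-9_.-]+)\s*[\[(]" + re.escape(ip), rest)
            if hm and hm.group(1) != ip:
                host = hm.group(1)
        rtts = [float(r.lstrip("<")) for r in RTT_RE.findall(rest)]
        hops.append(Hop(number, ip, host, rtts))
    return hops


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def private_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers with RFC 1918 addresses: seen from outside, these reveal
    internal addressing that a perimeter should not be leaking."""
    return [h.number for h in hops if h.ip and is_rfc1918(h.ip)]


def unresponsive_hops(hops: List[Hop]) -> List[int]:
    return [h.number for h in hops if h.ip is None]


if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, LINUX_SAMPLE):
        hops = parse_trace(sample)
        print([(h.number, h.ip, h.host) for h in hops])
        print("private:", private_hops(hops), "no reply:", unresponsive_hops(hops))
```

Both samples parse to the same four-hop path, which is the point of handling the two formats in one parser: whichever machine the trace is run from, the hop list that lands in your notes is the same.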

Using IP Registration Information

The information gained with these utilities can be used in a variety of ways. For example, you can take the e-mail address of the administrator and do a Google “groups” search for that address. Google now provides a gateway, via its “groups” tab, to Usenet newsgroups. These groups are basically global bulletin boards where people can engage in discussion on a wide range of topics. Network administrators sometimes post questions in specific newsgroups hoping to get advice from colleagues. If the network administrator of the target system has posted, he or she may have given away more information about the network than is wise. In one case, a network administrator actually posted a link to a diagram showing his entire network, the servers, IP addresses, type of firewall and so on. This information could have been easily exploited.

That is not to say that administrators must avoid using the Internet as an information source. That is certainly not the case. But when administrators do use newsgroups, they should not use their real name, their company’s name, or any information that might facilitate tracking them back to their company. In this way, the information they discuss about their firm’s network cannot readily be tied back to it.

Social Engineering

One of the most common applications for the information gained from reconnaissance work is social engineering. Social engineering is a non-technical way of intruding on a system. This can range from dumpster diving to trying to get an employee to unwittingly compromise the system.

When dumpster diving, someone trying to obtain information will go through trash cans or dumpsters looking for garbage that contains information such as an IP address, a password or even a map of the network. This technique can be very messy, but also quite effective.

The most common tactic is to try to get an authorized user of a system to give you her password. This task may sound impossible, but it is actually quite easy. For example, if a hacker has discovered the name of the system administrator and knows that the company is rather large with a big Information Technology (IT) department, she can use this name to her advantage. Assume a scenario in which a hacker finds out that the network administrator for a certain firm is named Jan Smith. She can get Jan’s office location, e-mail address and phone number from Internic or from using VisualRoute software. She can now call a remote office and speak to a secretary. The plan could work extremely well if that secretary (let’s call him Eric) is new to the company. The hacker tells Eric that she is a new intern working for John Smith and that John has instructed her to check all the PCs to ensure that they have proper virus-scanning software. The hacker explains that she needs Eric’s username and password to do this, so could Eric please give these to her? It is amazing how often the person will indeed give a username and password to a caller. With this information, the hacker does not need to use any technical skills at all. She can simply use Eric’s legitimate username and password and log on to the target system.

Note that all the employees of an organization must be aware of computer security in the same way. No matter how secure your system is or how much time and money you invest in security, it is all for naught if your employees are easily duped into compromising security.

There are entire volumes written on social engineering. As with all topics here, the goal is to acquaint you with the basics, not to make you a master of any of the topics. The following links may be of interest.

Ø  www.securityfocus.com/egi-bin/sfonline/infocus.pl?id=1527

Ø  www.cybercrime.net/Property/Hacking/social%20Engineering/SocialEngineering.html

Ø  www.sans.org/rr/catindex.php?cat_id=51
