Exploitation:
Exploiting a security vulnerability can range from extremely easy, when an already written and compiled exploit application is used, to extremely difficult, when a fairly unknown vulnerability is being exploited.
When a vulnerability is discovered, the discoverer will often outline in detail how the system was compromised, what the error was, and how to exploit it. In addition to this detailed explanation, Proof of Concept (PoC) code is often included in the vulnerability report. The Proof of Concept code is source code that includes the shellcode and packet construction necessary to exploit a vulnerable system. Unfortunately, this PoC code is often necessary to convince vendors that the discovered vulnerability is worth fixing. As soon as the PoC is released, the hacker community will take the code and quickly build their own tools to attack and exploit their target systems.
Once the hacker has listed all possible vulnerabilities, they will exploit a vulnerability to gain access to the server. The exploit may take the form of a fully automated exploit application that simply asks for a target IP address and returns system access to the attacker. Nearly all recent vulnerabilities include Proof of Concept code that clearly outlines the vulnerability and, in source code, how to exploit it. If no exploit tool, PoC code, or other vulnerability is available, the attacker may try to exploit other computers on the same network as the target computer in order to enter through a less protected access point. Finally, if the attacker is unsuccessful with all other methods, they may attempt to discover a new vulnerability by searching for buffer overruns or other new security bugs on the target system.
The use of exploit applications by hackers is fairly rare; however, the fully automated exploit application often surfaces as a worm. Each of the major worms to wreak havoc upon the internet within the last two years has exploited a major security vulnerability and required no user interaction whatsoever.
Techniques:
Technique | Access Obtained
Exploit Applications | Often in the form of worms; can gather information or simply exist to replicate
PoC | Can depend on the exploit, the shellcode, and how it is used. Can range from a benign alert that the remote system is vulnerable to complete compromise.
Exploit another computer on the network | By exploiting another computer on the network, the hacker may be able to discover a new way to gain access to the final target.
Tools:
- BugTraq
- Hacker/Security websites
- Various PoC Code
- Various Exploit Tools
Provided by: Security Innovation, The Application Security Company