Tools of the Trade
The "tools of the trade" are the means a cracker or hacker might use to penetrate your network. Some of the tools covered are programs, and some of these tools are techniques.
When most people hear the word reconnaissance, they think of spies and the espionage world. Although that community does indeed use reconnaissance, so does the cracker community. What is reconnaissance, and why do crackers use it? Reconnaissance is the process of gathering information about specific target(s). When a good burglar decides to rob a house, he will scope out an area to see how often neighbors, cops, and other traffic passes through. This gives the robber a good idea of the best time of day to attack. The same basic philosophy holds true for a cracker when she wants to attack a network or Web site.
When a cracker decides she wants to attack a network, there are many "recon" tools at her disposal. Let's look at a few of them and see how they work.
The first and probably the most underrated tool available is social engineering. Social engineering involves tricking, conning, or manipulating people into providing information detrimental to a company, organization, or a person. This type of information can be used to help plan, organize, or execute an attack.
Ira Winkler's excellent book Corporate Espionage (Prima Communications) covers social engineering, along with many other tactics used in obtaining information. It also discusses how to protect yourself against these types of attacks. For more on Ira, you can go to http://www.annonline.com/interviews/970512/. Another good book on social engineering is The Art of Deception (John Wiley & Sons) by the famous cracker Kevin Mitnick.
How does social engineering work? A good example is through a help desk. Cracker A wants to attack ABC123 Inc., a computer software company, and therefore wants to find out usernames, passwords, and maybe even some security measures ABC123 has in place. He begins by calling ABC123's main number, explains to the secretary that he is new to the company, works offsite, and needs the help desk number in order to set up his account and password. The secretary provides him with the number. Cracker A then calls up the help desk number, explaining the situation to the person on the phone and asks for a username, a password, and how he can get access to the network from the outside. Help Desk Worker B happily provides this information within seconds, not once questioning his request. (Why not? Most help desk operations I have seen stress customer service—"Remember: Never anger a customer.")
This simple scenario can provide the attacker with enough information to make an attack much easier to pull off without being detected. Other techniques that are related to social engineering are
Dumpster diving— A person goes through a dumpster or trash can looking for trash that contains information, such as an IP address, old passwords, and quite possibly a map of the network. Although this technique is often a dirty one, it is very effective.
Impersonations— A cracker pretends to be someone important and uses that authority to obtain the information she is looking for.
These social engineering techniques are effective, and there are many more that are beyond the scope of this book. Keep in mind that people still use these techniques, and they are a threat to both you and your company's security.
Port Scanners and Passive Operating System Identification
This section provides a technical overview of port scanners and sniffers, along with details regarding the art of passive operating system identification.
Port scanners are programs that check a computer's TCP/IP stack for ports that are in the LISTEN state. TCP/IP combines many protocols, enabling communication on the Internet. The TCP/IP protocol suite consists of 65,535 ports. Ports 1–1023 are considered "well-known" and on many computer systems—only users with root/admin privileges can use start processes that listen on these ports. Ports 1024–49151 are called registered ports, and ports 49152–65535 are considered dynamic and/or private ports.
The Transmission Control Protocol is covered by RFC 793, which defines many standards that socket programmers need to follow. It also defines how TCP will react to certain packets (FIN, ACK, and SYN):
If the state is CLOSED (that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the state is LISTEN then first check for an RST. An incoming RST should be ignored. Second, check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third, check for a SYN; if the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB then send a reset and return.
What this tells us is how listening and closed ports respond to certain TCP flags. Knowing this, programmers can write programs that go out and identify open and closed ports. These programs are considered port scanners.
Let's look at some "famous" port scanners and see what they can and cannot do.
Nmap is probably the most popular port scanner being used and actively developed today. The brainchild of Fyodor (www.insecure.org), Nmap has grown through the active participation of the open source community. Nmap gives the user many options in scanning. Listing 3.1 shows the results of nmap -h. This is a great starting point for Nmap. For more details on Nmap, see the man page at http://www.insecure.org/nmap/data/nmap_manpage.html.