No matter how to hack or attack a network, the attacker always takes certain procedures to accomplish his objectives. In general, these procedures fall in one of the following seven steps:
- Post, and
where each step is enabled or helped by its previous steps and prepares for its following steps. These seven steps can serve as a procedural classification of hacking techniques because the hacking techniques used in each step are for the same purpose and share many common characteristics.
Reconnaissance is to gather information of the target system or network.
The information of interest may include host names, host addresses, host owners, host machine types, host operating systems, network owners, network configurations, hosts in the networks, list of users, etc. An intruder may start with searching the Internet for references to the target in order to find the domain information of the target. Then the intruder can obtain further information about other machines within that domain such as their host names and network addresses. For example, the intruder can analyze the target web pages to gather useful information about the users of the target system, because most web pages contain user information, such as contact emails or some personal information (name, address, phone number,etc.). If the intruder obtains a user account in the target system, he can begin to guess the password. Sometimes, he can even directly contact a person through phone or E-mail to acquire the person’s account information.
Probe is to detect the weaknesses of the target system in order to deploy the hacking tools.
After gathering enough information of the target, the intruder begins to probe the perimeter of the system for potential weaknesses. He can utilize remote exploit tools, which enable the intruder to conduct security surveys and automatically collect and report security-related vulnerabilities of remote hosts and networks. Using these hacking tools, the intruder can find out the remote services the target is providing, such as WWW, FTP, SMTP, finger, X server, etc., by scanning the hosts of the target network. In addition, the intruder can obtain such information as machine names, software names and version numbers. Then, he can refer to the known vulnerabilities of the detected services for further exploitation.
Toehold is to exploit security weaknesses and gain entry into the system.
Once a vulnerability is found, the intruder will first exploit this vulnerability to build a connection (or session) between his machine and the target host, and then remotely execute hostile commands on the target. (For example, the intruder can generate an X terminal emulation on his own display.) In this way, a toehold into the target network has been established and the intruder can go further to compromise the system. Gaining entry into the system, the intruder can also search for more critical system information. If the current user identification (UID) is for a privileged user, the intruder will jump to the stealth step; otherwise, he will get into the advancement phase.
Advancement is to advance from an unprivileged account to a privileged one.
In this step, the intruder uses local exploit tools to obtain additional information of the target, such as configuration errors and known vulnerabilities of the operating system. Once finding a local vulnerability, the intruder can advance from an unprivileged UID to a root UID. Then, with the highest level of privileges, the intruder can fully control the target system, steal sensitive data, maliciously modify files, and even delete the entire file system.
Stealth is to hide the penetration tracks.
During the probing phase, the intrusion actions are likely to be logged by intrusion detection systems, and during the phases of toehold and advancement, the intruder may leave his activities in the system log. Hence, in order to hide, the intruder will access the local log files and modify the corresponding log entries to remove the traces and avoid detection. He may further replace the system binary code with a malicious version in order to ensure future un-logged and undetected access to the compromised system.
Listening post is to install backdoors to establish a listening post.
In this step, the intruder inserts some malicious programs into the system, such as a stealth tool, a backdoor tool, and a sniffer. These programs ensure that his future activities will not be logged. They report false information on files, processes, and the status of the network interface to the administrators. They also allow the intruder to access the compromised system through the backdoor. With the sniffer tool, the intruder can capture the traffic on the network interfaces. By logging the interesting network traffic, the intruder can better monitor and control the compromised system.
Takeover is to expand control (or infection) from a single host to other hosts of the network.
From the listening post, the intruder can sniff a lot of important information about other hosts of the network, such as user names and passwords. The intruder can also obtain information through several other ways. For example, he can check some specific configuration files (e.g., /.rhosts) of the compromised host and find mutually trusted hosts. With these information, the intruder can retake the previous steps to break into other hosts. In this way, he can expand his control to the whole network.