12-jun-09 7:37

This site was featured in the 2003 Black Hat meeting in Las Vegas!

This is a sample of how a planned (notice I didn't say well planned?) attack may go. There are a variety of tools for each of these steps. Most of the pre-attack research doesn't even touch the target system(s) or network(s)! If you are a network defender, think about these methods and the footprint each step may leave. For example, hits from netcraft.com or some of nmap's fingerprinting methods may indicate a pending attack.

I will be updating this with some 2010 methods soon. This includes "spear phishing," single-mark targeted attacks, and blended attacks.
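As an added, defender-side example (not from the original page), the following Python check looks for three of the reconnaissance footprints named above in constructed sample logs: a Netcraft survey hit in a web access log, a zone-transfer attempt in a BIND-style DNS log, and one source sending SYNs to many ports in an iptables-style firewall log. The log formats, the IP addresses and the port-scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic), one per recon footprint.
WEB_LOG = [
    '203.0.113.10 - - [12/Jun/2009:07:37:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Netcraft Web Server Survey"',
    '198.51.100.7 - - [12/Jun/2009:07:38:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
DNS_LOG = [  # BIND-style security log entry for a refused AXFR
    "12-Jun-2009 07:39:02.111 security: client 203.0.113.10#53211: zone transfer 'example.com/IN' denied",
]
FW_LOG = [  # iptables-style SYN log lines: one source probing twelve ports
    "Jun 12 07:40:%02d host kernel: IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40000 DPT=%d SYN" % (i, p)
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
] + ["Jun 12 07:41:00 host kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=443 SYN"]

UA_RE = re.compile(r'^(\S+) .*"([^"]*)"$')  # source IP and the last quoted field (User-Agent)
AXFR_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: zone transfer '([^']+)'")
SYN_RE = re.compile(r"SRC=(\S+) .*DPT=(\d+) SYN")

def recon_footprints(web, dns, fw, scan_threshold=10):
    """Return {source_ip: [findings]} for the recon indicators the methodology leaves behind."""
    findings = defaultdict(list)
    for line in web:  # survey/fingerprinting crawlers announce themselves in the User-Agent
        m = UA_RE.match(line)
        if m and "netcraft" in m.group(2).lower():
            findings[m.group(1)].append("netcraft survey hit")
    for line in dns:  # a zone transfer request from outside is a strong recon signal
        m = AXFR_RE.search(line)
        if m:
            findings[m.group(1)].append("zone transfer attempt for " + m.group(2))
    ports = defaultdict(set)
    for line in fw:  # count distinct destination ports per source
        m = SYN_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    for ip, dports in ports.items():
        if len(dports) >= scan_threshold:  # one source probing many ports = nmap-style scan
            findings[ip].append("port scan across %d ports" % len(dports))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in recon_footprints(WEB_LOG, DNS_LOG, FW_LOG).items():
        print(ip, "->", "; ".join(hits))
```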



Attack Methodology:

Pre-attack

- Intelligence Gathering
  - IP addresses assigned
    - ICANN/ARIN/RIRs
    - Web server IP address
    - Name server IP
    - Mail server IP
    - Firewall IP
    - Border router
    - IDSs/honeypots - look for unexpected return packets, or a host that answers on every port when you port scan it
    - Unnamed systems
  - Name server
    - System info
    - Zone transfer
  - Upstream / outsourcing info
  - RAS / TACACS / RADIUS
  - Log servers
  - Develop a network map

- Target Identification
  - Operating system
    - Type
    - Version / patch level
  - Services info
  - Hardware
  - Operator info
  - Location
    - Physical - Are there legal concerns? State lines (U.S.) and national boundaries (Chinese penalty can be death) may be of concern.
    - Logical (relative to firewall, etc.)
  - Data content
  - Log locations
  - 3rd-party software

- Attack Planning
  - Identify known vulnerabilities
  - Develop network entry sequence - local, distant, VPN
  - Develop attack sequence
  - System entrance plan (attack)
  - System exit plan (stealth)
  - DoS plan against IDS/IPS - attacks during virus outbreaks may get lost in the noise
  - Configure attack systems - bootable images on CD/read-only media that are easily discarded/destroyed; stand-off systems
  - Evaluate ability for system hopping (trojanize/bot/stand-off)
  - Locate internet entry point (public hotspot, war-drive?)
  - Never attack from home or work!!!

Attack

- Blind IDSs (especially on mass attacks)
  - DoS
  - Fake attack (now called fuzzing) - spoofed IP addresses, etc.
- Hit a perimeter system first
- Look for detection indications
  - Evaluate continuation
  - Look for TCP resets, ICMP Type 3 packets, DoS, etc. from target-owned networks.
- Verify log locations and alter (look for hash files)
- Recon file system
- Trojanize - bot/zombie
- Root kit
- Add user
- It is a good time to look for PKI
- Reevaluate detection
- Move to another system and repeat

Post Attack

- Evaluate detection
- Evaluate data acquired
- Evaluate footprint left behind
- Use compromised system as hop box for next system attack?

Lessons Learned

Did you discover a new hole, method of detection, or honeypot? As a system admin/engineer, did you find a method to discover a previously undetectable attack method? These are all important, and you may consider sharing them with whichever community you are a part of. Remember, use your powers for good, not evil.