WORKSHOP

Anatomy of a Network Intrusion
October 18, 1999

securify.com). Glance at the code of Back Orifice 2000 (www.bo2k.com), or the modifications and plug-ins that have followed. Then let's discuss attack complexity. Granted, the attacks that defaced Web sites of the White House, CIA, FBI, C-SPAN and Wired haven't been rocket science, but these organizations aren't exactly asleep at the switch, either. Crackers are becoming more persistent, automating tasks and working in teams. They can, and do, "pull that off."
As state and federal law enforcement officials haul in young crackers for Web-defacement stunts, many of the "good" crackers go unnoticed. They're smarter. They don't leave tracks. The smart ones have defined goals and very targeted, methodical approaches. This breed is the true threat.
Warning! We'll call our target somedomain.com. We know little about somedomain.com other than its registered Internet domain name, so we start this cracking session with a reconnaissance mission. Our first objective: identify the hosts and IP ranges of the target network(s) by querying "public" services like DNS. Using common tools, such as nslookup, dig and whois, we gather a wide range of information. Starting with a whois query, we get the location and addresses of the name servers. Using the DNS tool nslookup, we attempt to initiate an unauthorized DNS zone transfer, which could give us a clear road map of the available machines. Although this may seem trivial, even some "e-commerce" providers forget to lock this down (see screen on page 124). Simply by using DNS queries, we can deduce the following:
On to stage two--scanning for actual targets, which involves port scanning and banner grabbing. Port scanners check for active services (Web, ssh, ftp) and open "ports"; banner grabbing is the art of identifying service versions. Port scanners--such as strobe--have been popular, but Fyodor's nmap is the new tool of choice (see www.insecure.org). In addition to scanning machines and networks for listening services, nmap is capable of guessing a host's OS purely from the quirks of its IP stack implementation. Although nmap's OS detection can be thrown off by packet filters and firewalls, it's a powerful tool. We could target front-line systems--the main Web or e-mail servers, for instance--but instead we'll attack the development servers, where we have a better chance of success. They typically don't get the same attention as production machines, but they frequently have equivalent levels of access. A quick port scan (see screen below) shows two servers running Web and ftp services, and based on banner checks and nmap's OS detection, we can guess at the running environment.
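Both reconnaissance steps the article walks through, the unauthorized zone transfer and the port sweep, leave traces a defender can look for. The following is an added example, not code from the article: it runs over constructed BIND-style query log lines and constructed firewall deny lines (the log formats, addresses, ALLOWED_SECONDARIES and the thresholds are all assumptions) and flags AXFR requests from hosts that are not listed secondaries, plus sources that touch many distinct ports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime
# Hosts permitted to pull the zone (constructed value, not from the article).
ALLOWED_SECONDARIES = {"198.51.100.2"}

# Constructed BIND-style query log (format and addresses are assumptions).
DNS_LOG = """\
client 198.51.100.2#53001 (somedomain.com): query: somedomain.com IN AXFR -E
client 203.0.113.9#40222 (www.somedomain.com): query: www.somedomain.com IN A -E
client 203.0.113.9#40223 (somedomain.com): query: somedomain.com IN AXFR -E
"""

# Constructed firewall deny log: one line per blocked connection attempt.
FW_LOG = """\
1999-10-18T10:15:00 DENY src=203.0.113.9 dst=192.0.2.20 dport=21
1999-10-18T10:15:00 DENY src=203.0.113.9 dst=192.0.2.20 dport=22
1999-10-18T10:15:01 DENY src=203.0.113.9 dst=192.0.2.20 dport=23
1999-10-18T10:15:01 DENY src=203.0.113.9 dst=192.0.2.20 dport=25
1999-10-18T10:15:02 DENY src=203.0.113.9 dst=192.0.2.20 dport=80
1999-10-18T10:15:02 DENY src=203.0.113.9 dst=192.0.2.20 dport=110
1999-10-18T10:20:00 DENY src=198.51.100.50 dst=192.0.2.20 dport=80
"""
DNS_RE = re.compile(r"client (\S+?)#\d+.*query: (\S+) IN (\S+)")
FW_RE = re.compile(r"(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)")

def unauthorized_axfr(log, allowed=ALLOWED_SECONDARIES):
    """(client, zone) for every AXFR/IXFR request from a host not in allowed."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(3) in ("AXFR", "IXFR") and m.group(1) not in allowed:
            hits.append((m.group(1), m.group(2)))
    return hits

def port_sweeps(log, min_ports=5, window_s=60):
    """{src: ports} for sources hitting >= min_ports distinct ports in window_s sec."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # a window starts at each event and extends window_s forward
        best = max(len({p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s})
                   for i, (t0, _) in enumerate(evs))
        if best >= min_ports:
            flagged[src] = best
    return flagged
```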