An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain
and maintain entry into a computer system are the same no matter what the hacker's intentions
are. These are the five phases that hackers generally follow in hacking a system; the
following sections cover them.
Phase 1—Reconnaissance
Phase 2—Scanning
Phase 3—Gaining Access
Phase 4—Maintaining Access
Phase 5—Covering Tracks
Passive reconnaissance involves gathering information about a potential target without
the targeted individual's or company's knowledge. It can be as simple as watching a building
to identify what time employees enter and leave. More often, however, it is done with Internet
searches, such as Googling an individual or company. This process is generally called
information gathering. Social engineering and dumpster diving are also considered passive
information-gathering methods.
Sniffing the network is another means of passive reconnaissance and can yield useful
information such as IP address ranges, naming conventions, hidden servers or networks, and
other services available on the system or network. Sniffing network traffic is similar to
building monitoring: the hacker watches the flow of data to see when certain transactions take
place and where the traffic is going.
Sniffing is the use of a network interface to receive data not intended for the machine in which
the interface resides. A variety of types of machines need to have this capability. A token-ring
bridge, for example, typically has two network interfaces that normally receive all packets
traveling on the media on one interface and retransmit some, but not all, of these packets on
the other interface. Another example of a device that incorporates sniffing is one typically
marketed as a “network analyzer.” A network analyzer helps network administrators diagnose a
variety of obscure problems that may not be visible on any one particular host. These problems
can involve unusual interactions between more than just one or two machines and sometimes
involve a variety of protocols interacting in strange ways.
Devices that incorporate sniffing are useful and necessary. However, their very existence
implies that a malicious person could use such a device, or modify an existing machine, to snoop
on network traffic. Sniffing programs can be used to gather passwords, read inter-machine
e-mail, and examine client-server database records in transit. Besides this high-level data,
low-level protocol information (addresses, sequence numbers, and the like) can be used to mount
an active attack on data in another computer system.
Sniffing: How It Is Done
In a shared media network, such as classic Ethernet, all network interfaces on a network segment
have access to all of the data that travels on the media. Each network interface has a
hardware-layer address that should differ from the hardware-layer addresses of all other network
interfaces on the network. Each network also has at least one broadcast address that corresponds
not to an individual network interface but to the set of all network interfaces. Normally, a
network interface responds only to a data frame carrying either its own hardware-layer address
or the broadcast address in the frame's destination field. It responds to these frames by
generating a hardware interrupt to the CPU. This interrupt gets the attention of the operating
system, which then receives the data in the frame for further processing. A sniffer switches the
interface into promiscuous mode, in which it accepts every frame on the segment regardless of the
destination address. Note that on a switched network each port is delivered only its own unicast
traffic, so a sniffer in promiscuous mode sees broadcasts and its own traffic unless the attacker
also redirects other hosts' traffic to it.
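The following is an added example, not code from the original text: it shows the destination-address filter a normal interface applies, what promiscuous mode bypasses, and the frame decoding a sniffer such as esniff performs to pull cleartext logins out of TCP payloads. The Ethernet/IPv4/TCP frames are constructed inline with made-up MAC and IP addresses so that it runs offline instead of reading a live interface; the set of cleartext ports is an assumption for illustration.

```python
"""Frame filtering and credential harvesting on a shared segment (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

OUR_MAC = bytes.fromhex("020000000001")   # assumed hardware address of the sniffing host
BROADCAST = b"\xff" * 6
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin"}   # assumed services of interest


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct an Ethernet II frame carrying IPv4/TCP (checksums left zero; sample data only)."""
    eth = dst_mac + src_mac + b"\x08\x00"                     # EtherType 0x0800 = IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def nic_accepts(frame: bytes, promiscuous: bool) -> bool:
    """Normal mode: only frames addressed to us or to broadcast. Promiscuous: everything."""
    dst = frame[:6]
    return promiscuous or dst == OUR_MAC or dst == BROADCAST


def decode(frame: bytes) -> Optional[Dict]:
    """Parse Ethernet -> IPv4 -> TCP and return endpoints plus the TCP payload, or None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[23] != 6:                      # protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4           # TCP header length in bytes
    return {"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
            "dst_port": dst_port, "payload": tcp[data_off:]}


def harvest_credentials(frames: List[bytes], promiscuous: bool = True) -> List[Tuple[str, str, str]]:
    """Return (service, destination, credential line) for every cleartext login line seen."""
    found = []
    for frame in frames:
        if not nic_accepts(frame, promiscuous):
            continue
        pkt = decode(frame)
        if pkt is None or pkt["dst_port"] not in CLEARTEXT_PORTS:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line.upper().startswith((b"USER ", b"PASS ")):
                found.append((CLEARTEXT_PORTS[pkt["dst_port"]], pkt["dst"], line.decode()))
    return found


# Constructed traffic: an FTP login between two *other* hosts on our segment,
# followed by one frame actually addressed to us.
OTHER_A = bytes.fromhex("020000000002")
OTHER_B = bytes.fromhex("020000000003")
SAMPLE_FRAMES = [
    build_frame(OTHER_B, OTHER_A, "10.0.0.5", "10.0.0.9", 40000, 21, b"USER alice\r\n"),
    build_frame(OTHER_B, OTHER_A, "10.0.0.5", "10.0.0.9", 40000, 21, b"PASS hunter2\r\n"),
    build_frame(OUR_MAC, OTHER_B, "10.0.0.9", "10.0.0.7", 80, 50000, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    print("normal mode:     ", harvest_credentials(SAMPLE_FRAMES, promiscuous=False))
    print("promiscuous mode:", harvest_credentials(SAMPLE_FRAMES, promiscuous=True))
```

In normal mode the interface drops the two FTP frames because neither is addressed to it; in promiscuous mode the same frames yield the username and password, which is exactly the behaviour the esniff note below describes.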
Note Esniff.c is a simple 300-line C language program that works on SunOS 4.x. When
run by the root user on a Sun workstation, Esniff captures the first 300 bytes of each
TCP/IP connection on the local network. It is quite effective at capturing all
usernames and passwords entered by users for telnet, rlogin, and FTP.
TCPDump 3.0.2 is a common, more sophisticated, and more portable Unix sniffing
program written by Van Jacobson, a famous developer of high-quality TCP/IP
software. It uses the libpcap library for portably interfacing with promiscuous mode
network interfaces. The most recent version is available via anonymous FTP to
ftp.ee.lbl.gov.
NetMan contains a more sophisticated, portable Unix sniffer in several programs in
its network management suite. The latest version of NetMan is available via
anonymous FTP to ftp.cs.curtin.edu.au in the directory /pub/netman.
EthDump is a sniffer that runs under DOS and can be obtained via anonymous FTP
from ftp.eu.germany.net in the directory /pub/networking/inet/ethernet/.
Sniffing: How It Threatens Security
Sniffing data from the network leads to loss of privacy of several kinds of information that
should be private for a computer network to be secure. These kinds of information include the
following:
# Passwords
# Financial account numbers
# Private data
# Low-level protocol information
The following subsections are intended to provide examples of these kinds
Avoiding Transmission of Passwords
The most glaring security hole, beyond simple loss of privacy, is the opportunity for a sniffer
to gather passwords. The best way to deal with this problem is simply not to transmit cleartext
passwords across the network. Transmitting an encrypted or hashed password that a sniffer can
capture and replay unchanged is not acceptable either, because the replayed value authenticates
just as well as the original password. Several different methods are in use to provide this kind
of protection:
# The rlogin family of protocols
# Using encrypted passwords
# Zero knowledge authentication
The rlogin Family of Protocols
The rlogin protocol, originally used for Unix-to-Unix terminal sessions, uses end-to-end
mutual trust to avoid the transmission of any form of password. The protocol requires that the
server trust the client to authenticate the user. The user places a file on the server listing
which combinations of username and hostname may connect to a particular account, and may then
connect from those hosts without presenting any further credentials such as a password. Note
that this trust rests on the client host's claimed identity, and that the terminal session itself
still travels in cleartext, so a sniffer can read everything typed after login.
Using Encrypted Passwords
Another solution is to send encrypted passwords over the network. You must use caution,
however, when implementing this technique. Even with encryption, a sniffer can still record the
encrypted password and either replay it as-is or try to crack it offline at his or her leisure.
One way around this is to derive the transmitted value from a key that incorporates the current
time. If the sender and receiver are closely synchronized, the sniffer must replay the captured
value within one tick of the two machines' shared clock. If the sender and receiver are widely
separated, however, the technique becomes less effective, because the clocks will lack the
resolution to prevent a quick replay. One mitigation for this lack of close synchronization is
to allow only a limited number of attempts at entering the password; the receiver should also
refuse to accept the same value twice within one tick, since a limit on attempts alone does not
stop a single well-timed replay.
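The following is an added example, not from the original text, of a time-based password of the kind described above: both sides derive the transmitted value from a shared secret and the current clock tick, and the server applies both mitigations, an attempt limit and a refusal to accept the same value twice in one tick. The secret, timestamps and the derivation itself (HMAC-SHA256 over the tick number, truncated to eight hex digits) are constructed choices for illustration, not a protocol the text specifies.

```python
"""Time-based password with replay and attempt-limit checks (added example)."""
import hashlib
import hmac
from typing import Dict, Set, Tuple

STEP = 30   # seconds per tick of the shared clock (assumed)


def token(secret: bytes, now: int) -> str:
    """Value sent on the wire: keyed hash of the current tick, so it changes every STEP seconds."""
    tick = now // STEP
    mac = hmac.new(secret, tick.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac.hex()[:8]


class Server:
    def __init__(self, secret: bytes, max_attempts: int = 3) -> None:
        self.secret = secret
        self.max_attempts = max_attempts
        self.used: Set[Tuple[int, str]] = set()   # (tick, value) already accepted
        self.failures: Dict[str, int] = {}        # consecutive failed attempts per user

    def login(self, user: str, presented: str, now: int) -> bool:
        if self.failures.get(user, 0) >= self.max_attempts:
            return False                           # locked out after too many attempts
        tick = now // STEP
        expected = token(self.secret, now)
        fresh = (tick, presented) not in self.used
        if fresh and hmac.compare_digest(expected, presented):
            self.used.add((tick, presented))       # never accept this value again this tick
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def replay_scenario() -> Tuple[bool, bool, bool]:
    """What a sniffer who captured one value can do with it."""
    secret = b"constructed-shared-secret"
    srv = Server(secret)
    t0 = 1_700_000_000                        # constructed timestamp
    captured = token(secret, t0)              # the value seen on the wire
    legit = srv.login("alice", captured, t0 + 1)               # genuine login, same tick
    replay_same_tick = srv.login("alice", captured, t0 + 5)    # replay within the tick
    replay_next_tick = srv.login("alice", captured, t0 + STEP + 5)  # replay after the tick
    return legit, replay_same_tick, replay_next_tick


def lockout_scenario() -> bool:
    """Three bad guesses lock the account; even the correct value is then refused."""
    secret = b"constructed-shared-secret"
    srv = Server(secret)
    t = 1_700_000_000
    for _ in range(3):
        srv.login("bob", "00000000", t)
    return srv.login("bob", token(secret, t), t)


if __name__ == "__main__":
    print("legit, replay same tick, replay next tick:", replay_scenario())
    print("correct value after lockout accepted:", lockout_scenario())
```

Without the `used` set, the replay inside the same tick would succeed, which is the weakness the paragraph above describes for coarse or poorly synchronized clocks.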
Zero-Knowledge Authentication
Another mechanism for secure authentication without passwords is described as a zero-knowledge
proof. Networks that use this system have a client and a server that share what is in essence a
very long sequence of digits. When the client connects, the server queries the client for the
digits at a small set of positions in the sequence. Because the sequence is very long, the few
digits a sniffer learns from one exchange are not sufficient to answer the next one. The server
queries a different set of positions each time the client connects. Strictly speaking, this is a
challenge-response over a shared secret rather than a true zero-knowledge proof: each exchange
does reveal a few digits, so the scheme is only as strong as the length of the sequence relative
to the number of sessions a sniffer can observe.
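The following is an added example, not from the original text, of the digit-position challenge-response described above, together with the leakage a passive sniffer accumulates across sessions. The secret length, the number of positions per challenge and the random seeds are constructed choices for illustration.

```python
"""Digit-position challenge-response and sniffer leakage over many sessions (added example)."""
import hmac
import random
from typing import Dict, List


def make_secret(n_digits: int = 1000, seed: int = 1) -> str:
    """Constructed long shared digit sequence (deterministic seed so the demo is repeatable)."""
    rng = random.Random(seed)
    return "".join(str(rng.randrange(10)) for _ in range(n_digits))


def challenge(secret_len: int, k: int, rng: random.Random) -> List[int]:
    """Server side: pick k distinct positions to ask for."""
    return rng.sample(range(secret_len), k)


def respond(secret: str, positions: List[int]) -> str:
    """Client side: reveal only the digits at the requested positions."""
    return "".join(secret[p] for p in positions)


def verify(secret: str, positions: List[int], answer: str) -> bool:
    return hmac.compare_digest(respond(secret, positions), answer)


def sniff_sessions(secret: str, n_sessions: int, k: int, seed: int = 7) -> Dict[int, str]:
    """Run n_sessions genuine logins and return every (position, digit) pair a sniffer saw."""
    rng = random.Random(seed)
    sniffed: Dict[int, str] = {}
    for _ in range(n_sessions):
        pos = challenge(len(secret), k, rng)
        ans = respond(secret, pos)
        if not verify(secret, pos, ans):
            raise RuntimeError("genuine client must always pass")
        for p, d in zip(pos, ans):
            sniffed[p] = d             # both challenge and answer are on the wire in cleartext
    return sniffed


def fraction_known(secret: str, sniffed: Dict[int, str]) -> float:
    return len(sniffed) / len(secret)


def sniffer_can_answer(secret: str, sniffed: Dict[int, str], k: int, seed: int) -> bool:
    """A fresh challenge is answerable only if every requested position has already leaked."""
    rng = random.Random(seed)
    pos = challenge(len(secret), k, rng)
    if not all(p in sniffed for p in pos):
        return False
    return verify(secret, pos, "".join(sniffed[p] for p in pos))


if __name__ == "__main__":
    secret = make_secret()
    few = sniff_sessions(secret, n_sessions=10, k=5)
    many = sniff_sessions(secret, n_sessions=5000, k=5)
    print(f"after 10 sessions: {fraction_known(secret, few):.1%} of secret known, "
          f"can answer new challenge: {sniffer_can_answer(secret, few, 5, seed=99)}")
    print(f"after 5000 sessions: {fraction_known(secret, many):.1%} known, "
          f"can answer new challenge: {sniffer_can_answer(secret, many, 5, seed=99)}")
```

After ten observed sessions the sniffer holds at most fifty of a thousand digits and cannot answer a fresh challenge; after thousands of sessions the whole sequence has leaked and the sniffer impersonates the client freely, which is why the secret must be long relative to the expected number of logins and why a genuine zero-knowledge protocol leaks nothing at all.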
Employing Encryption for the Entire Connection/Session
Public key cryptography can manage the authentication process to prevent password sniffing,
but it is too computationally expensive to be practical for encrypting entire terminal sessions
or TCP/IP connections. Public key cryptography is sometimes called asymmetric because different
keys are used for encryption and decryption, with no practical way to compute one key from the
other. Classical, symmetric techniques are much cheaper computationally and are practical for
entire sessions. Just as public key cryptography can authenticate a user, it can also solve the
key distribution problem of a symmetric technique: the session key is sent to the other party
encrypted under that party's public key. Thus the session key cannot be sniffed and used to
decrypt the rest of the session.
One such mechanism employing the RSA public key algorithm is the Secure Sockets Layer (SSL),
promoted for use with the Web and since superseded by its successor, TLS. Because the entire
contents of a TCP connection are encrypted, you can send credit card numbers over the Internet
without worrying that someone will intercept them at one of the many routers between the user's
Web browser and the merchant's Web site. Note that this protects data only in transit: the
client must verify the server's certificate, or a sniffer positioned in the path can present its
own key and read everything. You can use SSL as a layer on top of TCP for any server that might
otherwise use raw TCP.