Today we present a translation of sections 11.3 and 11.4 of the book “Kali Linux Revealed”. They cover the formalization of security assessments of information systems and the types of attacks whose resistance is checked when a system's security is analyzed.

→ Part 1. Kali Linux: security policy, protecting computers and network services
→ Part 2. Kali Linux: filtering traffic using netfilter
→ Part 3. Kali Linux: monitoring and logging
→ Part 4. Kali Linux: system protection and monitoring exercises
→ Part 5. Kali Linux: System Security Assessment
→ Part 6. Kali Linux: types of information system checks

11.3. Research formalization
Once your Kali Linux has been prepared and the type of assessment has been determined, you are almost ready to get down to business. One more step remains, however: formalizing the assessment. This step is extremely important, because it determines exactly what the client expects from you, and it is where you are granted permission to perform operations that would normally be illegal. We will cover this only in general terms, but it is a difficult and important stage of preparing a security assessment, so it is quite possible that you should consult your organization's lawyer at this point.
Part of the formalization process is defining the rules of engagement you will follow during the work. These rules cover the following:
- What systems may you interact with? It is important to be sure that you do not accidentally disrupt systems that are vital to the organization under assessment.
- At what times of day may you work, and how often may you run assessment sessions? Some organizations prefer to limit the number of such sessions.
- If you find a potential vulnerability, may you exploit it? If not, what is the process for confirming that the vulnerability is real? Some organizations prefer to tightly control every exploitation attempt, while others want an approach that imitates a real attack as closely as possible. It is best to settle these points in advance.
- If a serious problem is found, how should you proceed? Some organizations expect immediate notification; otherwise it is usually reported at the end of the assessment.
- Whom should you contact in an emergency? It is always important to know who to call if something goes wrong.
- Who will know that an assessment is taking place, and how will this be communicated to them? In some cases the organization wants to test how its internal teams respond to an incident and whether they are able to detect an intrusion. It is best to know this in advance, because in that case you may need to work covertly.
- What does the organization expect once the assessment is complete, and how should the results be reported? Find out in advance exactly what every stakeholder expects. A clear definition of the expected deliverables is the best way to avoid disputes after the work is done.
Although this list is not complete, it gives a general idea of the issues that need to be settled before starting work. Understand, however, that proper legal formalities are indispensable here. Once the assessment is formalized, you must obtain the appropriate authorization. This is important because most of the actions performed during a security assessment may be illegal without the permission of an appropriate company official.
Once all of the above is agreed, one more important step remains: verification. Do not take the scope materials you are given on trust; always check them. Use several sources of information to confirm that the systems you plan to assess are owned and managed by the client. For example, given the widespread use of cloud services, an organization may simply overlook the fact that it does not own the infrastructure that delivers its services, and you may find that you need separate permission from the cloud provider before you begin. Likewise, always verify the IP address blocks you are given.
Do not rely on the organization's assumption that it owns an entire block, even if you are told that the whole address range given to you is fair game. For example, we have encountered organizations that requested an assessment of an entire class C range when only part of that range belonged to them. Assessing the whole class C network would, in effect, have meant attacking the organization's neighbors in address space. The OSINT Analysis submenu of the Information Gathering section in the Kali Linux Applications menu contains many tools that can help you verify scope materials.
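The class C scenario above, as an added example that is not code from the book: after the ownership of each block has been confirmed from independent sources, a proposed target list is checked against the confirmed blocks so that nothing outside them is ever scanned. The address blocks and function names are constructed for this illustration.

```python
# Added example (not from the book): check a proposed target list against
# the address blocks the client has been confirmed to own before any scanning.
import ipaddress
from typing import Iterable

def in_scope(target: str, authorized_blocks: Iterable[str]) -> bool:
    """True if `target` (an address or CIDR) lies entirely inside one authorized block."""
    net = ipaddress.ip_network(target, strict=False)
    for block in authorized_blocks:
        auth = ipaddress.ip_network(block, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if net.version == auth.version and net.subnet_of(auth):
            return True
    return False

def split_scope(targets, authorized_blocks):
    """Partition targets into (in_scope, out_of_scope) lists, preserving order."""
    ok, bad = [], []
    for t in targets:
        (ok if in_scope(t, authorized_blocks) else bad).append(t)
    return ok, bad

# Constructed sample: the client asked for "the whole class C" 203.0.113.0/24,
# but the registry lookup (done separately) only confirmed two sub-blocks.
AUTHORIZED = ["203.0.113.0/26", "203.0.113.128/25"]
REQUESTED = ["203.0.113.10", "203.0.113.0/24", "203.0.113.70", "203.0.113.200/30"]

if __name__ == "__main__":
    ok, bad = split_scope(REQUESTED, AUTHORIZED)
    print("in scope:", ok)
    print("OUT OF SCOPE, needs written confirmation before use:", bad)
```

A whole /24 request fails even though two of its sub-blocks are authorized, which is exactly the neighbor-in-address-space case the text warns about.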
11.4. Types of attacks
So, the work has begun. What attacks are carried out when checking the security of information systems? Each type of vulnerability has its own method of exploitation. In this section we describe the classes of vulnerabilities you will encounter most often.
Whatever category of vulnerability you are interested in, Kali makes it easy to find tools and exploits. The Kali desktop menu is divided into categories that help you locate suitable tools. In addition, the Kali Tools website provides extensive lists of the tools available in Kali, organized by category and tagged for convenience. Each tool's page contains detailed information about it, along with usage examples.
▍11.4.1. Denial of Service Attack
Denial of Service (DoS) attacks exploit vulnerabilities to block a service, usually by crashing the vulnerable process. The Stress Testing category of the Kali application menu contains many tools focused on this task.
Many people, on hearing the term “denial of service attack”, think of resource-consumption attacks coming from multiple sources at once against a single target. That, however, is a distributed denial of service (DDoS) attack, and such attacks are rarely part of a professional security assessment.
Single-source DoS conditions are instead most often the result of a failed exploitation attempt. If an exploit author released only partially functional proof-of-concept (PoC) code and someone used it in practice, the result can look exactly like a DoS attack. Even a well-written exploit may work only when a specific set of conditions coincides, and in other cases it crashes the attacked service. It may seem that the answer is to use only thoroughly tested exploits, or to write your own. However, there are no guarantees when using exploits, and confining yourself to that rigid framework imposes unjustified restrictions that weaken the assessment. The answer is a compromise: do not use PoC exploits or unverified code during a real engagement, and always make sure that the company's legal counsel has you covered should anything go wrong.
As a rule, DoS outcomes during an assessment are not intentional. Most automated vulnerability scanners rate DoS vulnerabilities as low risk because, although an attacker can take a service down, the flaw cannot be used, for example, to execute arbitrary code. However, it is important to remember that not all exploits are public, and a DoS vulnerability may mask a deeper, more serious threat.
An exploit that achieves arbitrary code execution through a known DoS vulnerability may exist without ever being published. The conclusion is this: pay attention to DoS vulnerabilities and recommend that clients patch them, even though they are usually assigned a low risk level.
▍11.4.2. Violation of the integrity of information in memory
Memory corruption occurs when an area of a process's memory is unintentionally modified because of a programming error. Memory errors usually lead to unpredictable program behavior; in many cases, however, they let an attacker manipulate the process's memory, which gives the attacker control over the program's execution flow and the ability to perform whatever actions they need.
Such attacks are commonly lumped together as “buffer overflow” attacks, although that term is too simplistic. The most common types of memory corruption differ greatly, and exploiting each requires its own approach and techniques. Here are the common types of memory attacks:
- Stack buffer overflow. When a program writes more data to a stack-allocated buffer than the buffer has room for, adjacent memory locations may be corrupted, which often leads to a program crash.
- Heap corruption. Heap memory is allocated while the program runs and usually contains the running program's data. Heap corruption results from actions that overwrite memory through pointers or linked lists.
- Integer overflow. This kind of overflow occurs when an application tries to produce a numeric value that does not fit in the storage allocated for it.
- Format string attack. When a program accepts user input and passes it to a formatting function without validation, the attacker, depending on the format specifiers used, can learn memory addresses or overwrite data in memory.
▍11.4.3. Attacks on web applications
Because modern websites are no longer static documents but pages generated dynamically for each user, a typical website is highly complex, and web application vulnerabilities are rooted in that complexity. The corresponding attacks target either the server side of the application, which generates the pages, or the pages themselves as the visitor sees them.
Web-based attacks are extremely common, since many organizations have reached a point where they expose very few public services apart from their web applications. The two most common attacks of this type are SQL injection and cross-site scripting (XSS).
- SQL injection. These attacks target applications whose validation and sanitization of user input is flawed. This makes it possible to extract information from the application's databases, or even to take complete control of the servers.
- Cross-site scripting. As with SQL injection, XSS attacks are possible because of improper handling of user input. They allow an attacker to manipulate a user or the site by hijacking sessions and executing their own code in the victim's browser.
Web applications are often complex, feature-rich, and sometimes have hard-to-follow logic, which makes them a convenient target for intruders. The Web Application Analysis section of the Kali Linux application menu contains useful tools for testing how well web applications resist attack. The kali-linux-web metapackage also deserves attention.
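The input-handling flaw behind SQL injection, as an added example that is not code from the book: the same login lookup written the vulnerable way (user input pasted into the query text) and the hardened way (bound parameters), run against a constructed in-memory SQLite table. The table, accounts and function names are constructed for this illustration.

```python
# Added example (not from the book): vulnerable vs. parameterized login lookup.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2')")
    return con

def login_vulnerable(con, name: str, pw: str) -> bool:
    # User input becomes part of the SQL text, so a quote character in either
    # field changes the query's structure instead of being treated as data.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(query).fetchone() is not None

def login_safe(con, name: str, pw: str) -> bool:
    # Bound parameters are passed to the engine separately from the query
    # text, so the query's structure is fixed whatever the user typed.
    query = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return con.execute(query, (name, pw)).fetchone() is not None

if __name__ == "__main__":
    con = make_db()
    # Textbook tautology input used only to show the two behaviours differ.
    bad_input = "' OR '1'='1"
    print("vulnerable lookup accepts bad password:", login_vulnerable(con, "alice", bad_input))
    print("parameterized lookup accepts bad password:", login_safe(con, "alice", bad_input))
```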
▍11.4.4. Password cracking
Password cracking is an attack on the authentication systems of various services. Such attacks are usually divided into online and offline, and the Password Attack section of the Kali application menu is organized along the same lines. In an online attack, the attacker tries to log in to a system by trying many passwords. In an offline attack, the attacker works with hashed or encrypted passwords they have already obtained, with the aim of recovering the original passwords. Protection against offline attacks consists in increasing password complexity, which makes passwords harder to recover. However, there are methods that make even very complex passwords recoverable, for example performing the computations on powerful graphics cards, which dramatically speeds up cracking. The kali-linux-gpu metapackage contains a variety of tools aimed at fast password cracking.
Online attacks are most often directed at the default passwords that software vendors ship. Because these passwords are widely known, an attacker hoping for a quick win will check the standard entry points of the applications. Another common type is the dictionary attack: a wordlist is built that reflects the characteristics of the target environment, and then an online attack tries each word in the list against common, default, or otherwise known accounts.
During an assessment it is very important to understand the potential consequences of such attacks. First, they are usually very noticeable because of the repeated authentication attempts. Second, after too many failed logins to a given account, such attacks often lead to the account being locked. Finally, the speed of such attacks is usually low, which makes working through large password dictionaries difficult.
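The first consequence above, that online attacks are noisy, is what a defender relies on to detect them; as an added example that is not code from the book, the following flags accounts that accumulate too many failed logins from one source inside a sliding time window. The log format, thresholds and addresses are constructed for this illustration.

```python
# Added example (not from the book): detect the burst of failed logins that an
# online password attack leaves in an authentication log. Log format, thresholds
# and addresses are constructed for this illustration, not taken from any product.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def find_bursts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {(user, src): peak_count} for pairs with more than max_failures
    failed logins inside any sliding window of length `window`."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    for line in lines:
        m = LINE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        failures[(m["user"], m["src"])].append(datetime.fromisoformat(m["ts"]))
    bursts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events outside the window
                start += 1
            count = end - start + 1
            if count > max_failures:
                bursts[key] = max(count, bursts.get(key, 0))
    return bursts

# Constructed sample: a dictionary attack on "admin" from one source, a
# default-credential check on "root" from another, and one honest typo.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 auth: FAIL user=admin src=198.51.100.7",
    "2024-05-01T09:00:03 auth: FAIL user=admin src=198.51.100.7",
    "2024-05-01T09:00:04 auth: FAIL user=admin src=198.51.100.7",
    "2024-05-01T09:00:06 auth: FAIL user=admin src=198.51.100.7",
    "2024-05-01T09:00:08 auth: FAIL user=admin src=198.51.100.7",
    "2024-05-01T09:00:09 auth: FAIL user=admin src=198.51.100.7",
    "2024-05-01T09:05:00 auth: FAIL user=root src=203.0.113.9",
    "2024-05-01T09:05:02 auth: FAIL user=root src=203.0.113.9",
    "2024-05-01T09:10:00 auth: FAIL user=alice src=192.0.2.44",
    "2024-05-01T09:10:05 auth: OK user=alice src=192.0.2.44",
]

if __name__ == "__main__":
    for (user, src), n in find_bursts(SAMPLE_LOG).items():
        print(f"possible online password attack: user={user} src={src} failures={n}")
```

The same threshold is what an account-lockout policy enforces, so a detection like this also shows where an assessment's own online attacks will start locking accounts.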
▍11.4.5. Attacks on client systems
Most attacks target servers, but as server-side services become harder to attack, attackers turn to easier targets such as client systems. With this approach, the attacker is interested in the various applications installed on the computers of employees of the organization being targeted. Tools relevant to such attacks can be found in the Social Engineering Tools category of the Kali application menu.
Such attacks were most effective in the early 2000s, when their targets were Flash, Adobe Reader and Java. In these cases the attacker tries to get the victim to visit a specially prepared website containing code that exploits vulnerabilities in client applications, which lets the attacker run whatever they want on the target system.
Attacks on client systems are extremely difficult to prevent. Reducing the risk depends heavily on user training, on keeping applications constantly up to date, and on network controls.
Results
In this material we discussed formalizing an information security assessment: how important it is to agree the smallest details of such work with the customer, to review it from a legal standpoint, and, before starting, to carefully verify everything that at first glance seems beyond doubt. We also gave an overview of the common types of attacks that systems are subjected to during an assessment. In the next publication we will share the final section of chapter 11 and its review questions.
Dear readers! Evaluating the security of information systems is a set of activities in which mistakes in planning or execution can land both the researcher and the company they work for in serious legal trouble. What would you advise to minimize the risk of such problems under Russian law?