Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Methods of Attack
May 2nd, 2007
By Stephen Northcutt
According to Dr. Dorothy Denning, "The rise in computer-based attacks can be attributed to several factors, including general growth of the Internet, with corresponding increase in the number of potential attackers and targets; a never-ending supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated hacking tools that allow even those with modest skills to launch devastating attacks."[1]
In the Mitnick example, we focused on a single attack that used just a few specific techniques to achieve a well-defined goal. Although there are probably thousands of different exploits that attackers can use against your systems, most can be classified into one or more categories. A large amount of research is being done in an attempt to define a standard vulnerability taxonomy, but so far none has been widely accepted. A comprehensive taxonomy must be:
- Mutually exclusive
- Exhaustive
- Unambiguous
- Repeatable
- Accepted
- Useful[2]
Consider the following Computerworld headline:
Did they use exploits? No, they ran tests looking for problems in software. Security Tracker, probably one of the best sources for tracking vulnerabilities on the Internet, lists the following categories of causes for software vulnerabilities:
- Access control error
- Authentication error
- Boundary error
- Configuration error
- Exception handling error
- Input validation error
- Not specified
- Randomization error
- Resource error
- State error[4]
In the classic sense of a planned attack, executed by a hacker with malicious intent, a sequence of events typically takes place. First, in the reconnaissance phase, the attacker gently probes the system(s) or network(s) to get a sense of what is out there. Second, after discovering potential targets, the attacker performs more thorough system scanning, if necessary, and begins the process of enumeration. With enumeration, the attacker attempts to gain some actual information about the network or the system's users, such as specific system names, open shares, SNMP or LDAP directories, and so on. Third in the sequence is the breach, where the attacker actually attempts to penetrate the system or network. The fourth step is a system administration mode, in which the attacker gains access to and control of the resource in question. Finally, there may be a clean-up mode in which the attacker attempts to eliminate evidence of their work.
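The five-step sequence above is useful to a defender because each step tends to leave a different kind of evidence, and a single source that progresses through several steps is far more interesting than isolated events. The following is an added example, not code from the original article or from SANS: it tags constructed log lines with the phase they most plausibly indicate and reports sources that moved from early-phase activity into a breach or beyond. The log format (`<timestamp> src=<ip> event=<type> detail=<text>`), the event names, and the sample lines are all constructed for illustration; the event-to-phase table is hypothetical and would be built from whatever sensors an organisation actually has.

```python
"""Phase tagging for the reconnaissance / enumeration / breach /
administration / clean-up sequence.

Added example, not part of the original article. The log format, the
event names and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# The five phases in the order the article describes them.
PHASES = ["reconnaissance", "enumeration", "breach", "administration", "cleanup"]

# Hypothetical mapping from a normalised event type to the phase it most
# plausibly indicates. Real deployments derive this from their own sensors.
EVENT_PHASE = {
    "icmp_sweep": "reconnaissance",
    "port_scan": "reconnaissance",
    "snmp_walk": "enumeration",
    "ldap_bind_anon": "enumeration",
    "smb_share_enum": "enumeration",
    "auth_success_after_failures": "breach",
    "exploit_signature": "breach",
    "new_admin_account": "administration",
    "service_installed": "administration",
    "log_cleared": "cleanup",
    "history_deleted": "cleanup",
}

# Constructed log format: "<timestamp> src=<ip> event=<type> detail=<text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?: detail=(?P<detail>.*))?$"
)


def parse_line(line):
    """Return (ts, src, event, detail), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("event"), m.group("detail") or ""


def tag_events(lines):
    """Group parsable lines by source and label each with its phase.

    Lines that do not parse, or whose event type has no phase, are skipped."""
    tagged = defaultdict(list)  # src -> [(ts, phase, event), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, event, _ = parsed
        phase = EVENT_PHASE.get(event)
        if phase is None:
            continue
        tagged[src].append((ts, phase, event))
    return tagged


def phase_progression(tagged):
    """For each source, the distinct phases in order of first appearance."""
    progression = {}
    for src, events in tagged.items():
        seen = []
        for _, phase, _ in sorted(events):  # ISO timestamps sort as strings
            if phase not in seen:
                seen.append(phase)
        progression[src] = seen
    return progression


def alert_sources(progression, threshold="breach"):
    """Sources that reached `threshold` or a later phase after at least one
    earlier phase was observed. Returns sorted (src, deepest_phase) pairs."""
    limit = PHASES.index(threshold)
    alerts = []
    for src, seen in progression.items():
        deepest = max(PHASES.index(p) for p in seen)
        if deepest >= limit and len(seen) > 1:
            alerts.append((src, PHASES[deepest]))
    return sorted(alerts)


# Constructed sample log: one source walks the full sequence, one only
# scans, one does something benign, and one line is malformed.
SAMPLE_LOG = [
    "2007-05-02T01:00:00 src=203.0.113.7 event=icmp_sweep detail=48 hosts",
    "2007-05-02T01:05:00 src=203.0.113.7 event=port_scan detail=tcp/1-1024 against 10.0.0.5",
    "2007-05-02T01:20:00 src=203.0.113.7 event=snmp_walk detail=community=public on 10.0.0.5",
    "2007-05-02T02:10:00 src=203.0.113.7 event=auth_success_after_failures detail=admin on 10.0.0.5",
    "2007-05-02T02:15:00 src=203.0.113.7 event=new_admin_account detail=svc_backup",
    "2007-05-02T03:00:00 src=203.0.113.7 event=log_cleared detail=Security log on 10.0.0.5",
    "2007-05-02T01:30:00 src=198.51.100.9 event=port_scan detail=tcp/22,80",
    "2007-05-02T01:31:00 src=192.0.2.44 event=dns_query detail=www.example.com",
    "this line is not in the expected format",
]


def analyze(lines):
    """Convenience wrapper: progression per source plus the alert list."""
    progression = phase_progression(tag_events(lines))
    return progression, alert_sources(progression)


if __name__ == "__main__":
    progression, alerts = analyze(SAMPLE_LOG)
    for src, phases in progression.items():
        print(src, "->", " > ".join(phases))
    print("alerts:", alerts)
```

Only the source that advanced past reconnaissance into the breach and later phases is reported; a lone port scan stays informational. Raising or lowering the `threshold` argument trades earlier warning against more noise, which is the usual tuning decision for this kind of correlation.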
In the Methods of Attack series, we will discuss classes of attacks that can be applied to almost any system.
[1] http://www.ssrc.org/sept11/essays/denning.htm
[2] http://www.nccaiim.org/Education/Proceedings/2004/7-Moore-vulnerabilities.ppt
[3] http://www.computerworld.com/printthis/2006/0,4814,110897,00.html
[4] http://securitytracker.com/topics/topics.html#cause