2-sep-13 18:27 This site was featured in the 2003 Black Hat meeting in Las Vegas! This is a sample method of how a planned (notice I didn't say well planned?) attack may go. There are a variety of tools to accomplish these methods. Most of the pre-attack research doesn't even touch the target system(s) or network(s)! If you are a network defender, think about these methods and the possible footprints each step may leave. For example, some of the fingerprinting methods from nmap/Metasploit may indicate a pending attack.
I will be continuously updating this with some newer methods. This includes "spear phishing," single-mark targeted attacks, and blended attacks.
· Intelligence Gathering
    o Organic reconnaissance
        § Social networking websites
        § Target email address harvesting (for use in spear phishing / social engineering)
    o IP addresses assigned
        § Web server IP addresses
        § Name server IPs
        § Mail server IPs
        § Firewall IPs
        § Border routers
        § IDSs/IPSs/honeypots - look for unexpected return packets, and for hosts that answer on every port if you port scan
        § Unnamed systems
    o Name server
        § System info
        § Zone transfer
    o Upstream / outsourcing info
    o VPNs (IPsec and SSL VPNs) / TACACS / RADIUS
    o LDAP/AD domain controllers
    o Log servers / SIEM
    o Develop a network map, handy for beachheading
· Target Identification
    o Operating system
        § Version / patch level
    o Services info
    o Operator info
        § Physical - are there legal concerns? State lines (U.S.) and national boundaries (the Chinese penalty can be death) may be of concern.
        § Logical (relative to firewall, etc.)
    o Data content
    o Log locations
    o 3rd-party software
· Attack Planning
    o Identify known vulnerabilities
    o Develop network entry sequence - local, distant, VPN
    o Develop attack sequence
    o System entrance plan (attack)
    o System exit plan (stealth)
    o DoS plan against IDS/IPS - attacks during virus outbreaks may get lost in the noise
    o Configure attack systems - bootable images on CD / read-only media that are easily discarded or destroyed; stand-off systems (botnets and snowshoeing)
    o Evaluate ability for beachheading and system hopping (trojanize / bot / stand-off)
    o Locate internet entry point (public hotspot, war-drive?)
    o Never attack from home or work!!!
    o Blind IDS/IPS (especially on mass attacks)
        § Fake attack (now called fuzzing) - spoofed IP addresses, etc.
    o Hit a perimeter or VPN system first
    o Look for detection indications
        § Evaluate continuation
        § Look for TCP resets, ICMP type 3 packets, DoS, etc. from target-owned networks
    o Verify log locations and alter them (look for hash files)
    o Recon file system
    o Trojanize - bot/zombie
    o Rootkit
    o Add user
    o It is a good time to look for PKI
    o Reevaluate detection
    o Move to another system and repeat
    o Evaluate detection
    o Evaluate data acquired
    o Evaluate footprint left behind
    o Use compromised system as hop box for next system attack (beachheading)
Did you discover a new hole, method of detection, or honeypot? As a system admin/engineer, did you find a method to discover a previously undetectable attack method? These are all important, and you may consider sharing it with whichever community you are a part of. Remember, use your powers for good, not evil.
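The outline's "verify log locations and alter them (look for hash files)" step is the one a system admin can answer directly: if each log line's digest is chained to the previous one with a key that never lives on the logged host, an edited, deleted or truncated line breaks the chain at a known position. The following is an added example of that check (not code from the original page); the log lines, the key and the fixed seed are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample log lines (not from any real system).
SAMPLE_LINES = [
    "2013-09-02T18:27:01 sshd: Accepted publickey for ops from 192.0.2.50",
    "2013-09-02T18:28:40 sudo: ops : COMMAND=/usr/bin/systemctl restart nginx",
    "2013-09-02T18:31:12 sshd: Failed password for root from 203.0.113.7",
    "2013-09-02T18:31:15 useradd: new user: name=backup2, UID=1005",
]
SEED = b"\x00" * 32   # fixed starting value for the first link of the chain


def chain_digests(lines, key, seed=SEED):
    """Return one hex digest per line, d_i = HMAC(key, d_{i-1} || line_i).
    Each digest commits to every line before it, so the list is the 'hash file'."""
    prev = seed
    digests = []
    for line in lines:
        d = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        digests.append(d.hex())
        prev = d
    return digests


def verify_chain(lines, digests, key, seed=SEED):
    """Return the index of the first line at which the log and its digest file
    disagree (edit, deletion or truncation), or None if the chain is intact."""
    prev = seed
    n = min(len(lines), len(digests))
    for i in range(n):
        d = hmac.new(key, prev + lines[i].encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(d.hex(), digests[i]):
            return i
        prev = d
    if len(lines) != len(digests):   # lines appended or cut off after the last checked one
        return n
    return None


if __name__ == "__main__":
    key = b"constructed-example-key"   # in practice, held only by the remote log collector
    digests = chain_digests(SAMPLE_LINES, key)
    print("intact:", verify_chain(SAMPLE_LINES, digests, key))
    edited = list(SAMPLE_LINES)
    edited[3] = edited[3].replace("backup2", "backup")
    print("edited line at index:", verify_chain(edited, digests, key))
    deleted = SAMPLE_LINES[:2] + SAMPLE_LINES[3:]
    print("deletion detected at index:", verify_chain(deleted, digests, key))
```

Because each link depends on the previous digest, removing a line shifts every later digest, so the verifier reports the earliest point of disagreement rather than a vague "log changed". The chain only helps if the digests (or at least the latest one) are shipped off-host as they are produced; a copy sitting next to the log can be regenerated by whoever edits the log.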