2-sep-13 18:27 This site was featured in the 2003 Black Hat Meeting in Las Vegas!

This is a sample of how a planned (notice I didn't say well-planned?) attack may go. There are a variety of tools for each of these steps. Most of the pre-attack research never touches the target system(s) or network(s) at all! If you are a network defender, think about these methods and the footprint each step may leave in your logs. For example, the fingerprinting probes that nmap or Metasploit generate, if you spot them, may indicate a pending attack.
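
As an added example of that defender's view (this is not code from the original page), here is a small Python script that runs the footprint check over a few constructed firewall log lines: it flags a source that walks many distinct ports on one host inside a short window, and any contact with an address that hosts no service (an unused address or a honeypot). The syslog-like line format, the thresholds and the dark-space address are my own assumptions; adapt `LINE_RE` to whatever your firewall actually emits.

```python
"""Defender-side footprint detection over constructed firewall log lines.

Added example, not from the original page.  The line format, thresholds and
DARK_SPACE address are assumptions for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Hypothetical syslog-like format: "<ts> <ALLOW|DENY> <TCP|UDP> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Addresses that carry no service (unused address or honeypot).  Any contact
# with them is suspicious on its own.  Assumption for the example.
DARK_SPACE = {"198.51.100.200"}

# Constructed sample: 203.0.113.10 walks a dozen ports on one host in twelve
# seconds, then pokes an unused address; 192.0.2.44 is ordinary web traffic.
SAMPLE_LOG = """\
2003-07-30T10:00:01 DENY TCP 203.0.113.10:40001 -> 198.51.100.5:21
2003-07-30T10:00:02 ALLOW TCP 203.0.113.10:40002 -> 198.51.100.5:22
2003-07-30T10:00:03 DENY TCP 203.0.113.10:40003 -> 198.51.100.5:23
2003-07-30T10:00:04 ALLOW TCP 203.0.113.10:40004 -> 198.51.100.5:25
2003-07-30T10:00:05 DENY TCP 203.0.113.10:40005 -> 198.51.100.5:53
2003-07-30T10:00:06 ALLOW TCP 203.0.113.10:40006 -> 198.51.100.5:80
2003-07-30T10:00:07 DENY TCP 203.0.113.10:40007 -> 198.51.100.5:110
2003-07-30T10:00:08 DENY TCP 203.0.113.10:40008 -> 198.51.100.5:135
2003-07-30T10:00:09 DENY TCP 203.0.113.10:40009 -> 198.51.100.5:139
2003-07-30T10:00:10 DENY TCP 203.0.113.10:40010 -> 198.51.100.5:143
2003-07-30T10:00:11 ALLOW TCP 203.0.113.10:40011 -> 198.51.100.5:443
2003-07-30T10:00:12 DENY TCP 203.0.113.10:40012 -> 198.51.100.5:445
2003-07-30T10:00:13 DENY TCP 203.0.113.10:40013 -> 198.51.100.200:22
2003-07-30T10:00:05 ALLOW TCP 192.0.2.44:51000 -> 198.51.100.5:80
2003-07-30T10:01:15 ALLOW TCP 192.0.2.44:51001 -> 198.51.100.5:443
2003-07-30T10:02:40 ALLOW TCP 192.0.2.44:51002 -> 198.51.100.5:80
2003-07-30T10:04:02 ALLOW TCP 192.0.2.44:51003 -> 198.51.100.5:443
"""


class Finding(NamedTuple):
    kind: str
    src: str
    dst: str
    detail: str


def parse(lines):
    """Parse matching lines into dicts sorted by time; unknown lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(seconds=60), min_ports=10):
    """Flag port sweeps (>= min_ports distinct ports per src/dst pair inside
    `window`, ALLOW and DENY alike) and any contact with dark-space addresses."""
    findings = []
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    for (src, dst), evs in by_pair.items():
        ports, lo = Counter(), 0
        for e in evs:                          # sliding window over sorted events
            ports[e["dport"]] += 1
            while e["ts"] - evs[lo]["ts"] > window:
                ports[evs[lo]["dport"]] -= 1
                if ports[evs[lo]["dport"]] == 0:
                    del ports[evs[lo]["dport"]]
                lo += 1
            if len(ports) >= min_ports:
                findings.append(Finding("port_scan", src, dst,
                    f"{len(ports)} distinct ports within {int(window.total_seconds())}s"))
                break                          # one finding per pair is enough
    probed_dark = {(e["src"], e["dst"]) for e in events if e["dst"] in DARK_SPACE}
    for src, dst in sorted(probed_dark):
        findings.append(Finding("dark_space_probe", src, dst,
                                "contact with an address that hosts no service"))
    return findings


def analyze(text=SAMPLE_LOG):
    return detect(parse(text.splitlines()))


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.kind:17} {f.src} -> {f.dst}: {f.detail}")
```

The sweep rule fires on the tenth distinct port, well before the scanner finishes, and the ordinary client on ports 80 and 443 never trips it; the dark-space rule needs no threshold at all, which is exactly why honeypots and unused addresses are so cheap for the defender.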

I will be continuously updating this with newer methods, including "spear phishing," single-mark targeted attacks, and blended attacks.


Attack Methodology:


        Intelligence Gathering

o       Organic Reconnaissance

§       Social networking websites

§       Target email address harvesting (for use in spear phishing/social engineering)

o       IP addresses assigned


§       Web server IP addresses

§       Name server IPs

§       Mail server IPs

§       Firewall IPs

§       Border routers

§       IDSs/IPSs/honeypots - look for unexpected return packets, and for hosts that answer on every port when you port scan

§       Unnamed systems

o       Name Server

§       System info (server software and version)

§       Zone transfer (AXFR)

o       Upstream / Outsourcing Info

o       VPNs (IPSec & SSLVPNs) / TACACS / RADIUS

o       LDAP/AD Domain Controllers

o       Log Servers/SIEM

o       Develop a network map, handy for beachheading
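
As an added example of how the DNS items above feed the network map (this is not code from the original page), the Python below parses a captured zone transfer and sorts the hosts into the roles listed here: web, mail and name servers, VPN and perimeter devices, plus the unnamed addresses in between that a scan should look at next. The zone is constructed from RFC 5737 documentation addresses in the column layout `dig axfr` prints, and the hostname-label heuristics are my own assumptions, not a standard.

```python
"""Build a first network map from a captured DNS zone transfer.

Added example (not from the original page).  ZONE is constructed; the role
names and the LABEL_ROLES heuristics are assumptions for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed AXFR output (same column layout as `dig axfr` prints).
ZONE = """\
example.test.           3600 IN SOA   ns1.example.test. hostmaster.example.test. 2003073001 7200 3600 1209600 3600
example.test.           3600 IN NS    ns1.example.test.
example.test.           3600 IN NS    ns2.example.test.
example.test.           3600 IN MX    10 mail.example.test.
fw1.example.test.       3600 IN A     198.51.100.1
ns1.example.test.       3600 IN A     198.51.100.2
ns2.example.test.       3600 IN A     198.51.100.3
mail.example.test.      3600 IN A     198.51.100.4
www.example.test.       3600 IN A     198.51.100.5
vpn.example.test.       3600 IN A     198.51.100.6
intranet.example.test.  3600 IN A     198.51.100.20
webmail.example.test.   3600 IN CNAME mail.example.test.
"""

# Hostname-label heuristics (assumption): first label -> role.  NS and MX
# records are authoritative and take precedence over these guesses.
LABEL_ROLES = [
    (re.compile(r"^(www|web)\d*$"), "web"),
    (re.compile(r"^(mail|smtp|mx|imap|pop)\d*$"), "mail"),
    (re.compile(r"^(ns|dns)\d*$"), "dns"),
    (re.compile(r"^(vpn|ras|remote)\d*$"), "vpn"),
    (re.compile(r"^(fw|firewall|gw|gateway|border|rtr|router)\d*$"), "perimeter"),
]


def parse_zone(text):
    """Return (a_records, cnames, ns_names, mx_names); trailing dots stripped."""
    a, cname, ns, mx = {}, {}, set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                           # comments, blanks, odd lines
        name, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4:]
        if rtype == "A":
            a[name] = rdata[0]
        elif rtype == "CNAME":
            cname[name] = rdata[0].rstrip(".")
        elif rtype == "NS":
            ns.add(rdata[0].rstrip("."))
        elif rtype == "MX":
            mx.add(rdata[1].rstrip("."))       # rdata[0] is the preference
    return a, cname, ns, mx


def role_for(name, ns, mx):
    if name in ns:
        return "dns"
    if name in mx:
        return "mail"
    label = name.split(".")[0]
    for pat, role in LABEL_ROLES:
        if pat.match(label):
            return role
    return "other"


def network_map(zone_text):
    """Return ({role: sorted [(name, ip)]}, [candidate unnamed addresses])."""
    a, cname, ns, mx = parse_zone(zone_text)
    roles = defaultdict(list)
    for name, ip in a.items():
        roles[role_for(name, ns, mx)].append((name, ip))
    for alias, target in cname.items():        # aliases inherit the target's IP
        if target in a:
            roles[role_for(alias, ns, mx)].append((alias, a[target]))
    # Candidate unnamed systems: addresses in each /24 we saw, between the
    # lowest and highest named host, that have no A record.  Probe these next.
    named = {ipaddress.ip_address(ip) for ip in a.values()}
    by_net = defaultdict(list)
    for ip in named:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    unnamed = []
    for net, ips in by_net.items():
        lo, hi = min(ips), max(ips)
        unnamed.extend(str(ip) for ip in net.hosts() if lo < ip < hi and ip not in named)
    return {role: sorted(v) for role, v in roles.items()}, unnamed


if __name__ == "__main__":
    roles, unnamed = network_map(ZONE)
    for role, hosts in sorted(roles.items()):
        print(role, hosts)
    print("unnamed candidates:", unnamed)
```

The heuristics are deliberately anchored (`^(www|web)\d*$`) so that `webmail` is not mistaken for a web server; it ends up under "other" with the mail server's address, which is itself a useful hint. The gap list is only a starting point: a zone transfer tells you what the administrator named, never what is actually plugged in.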


        Target Identification

o       Operating System


§       Version / patch level

o       Services Info

o       Hardware

o       Operator Info

o       Location

§       Physical - Are there legal concerns? State lines (U.S.) and national boundaries (the Chinese penalty can be death) may be of concern.

§       Logical (relative to the firewall, etc.)

o       Data Content

o       Log Locations

o       3rd Party Software


        Attack Planning

o       Identify known vulnerabilities

o       Develop network entry sequence - local, remote, VPN

o       Develop attack sequence

o       System entrance plan (attack)

o       System exit plan (stealth)

o       DoS plan against IDS/IPSs - attacks during virus outbreaks may get lost in the noise

o       Configure attack systems - bootable images on CD/read-only media that are easily discarded/destroyed. Stand-off systems (botnets and snowshoeing)

o       Evaluate ability for beachheading & system hopping (trojanize/bot/stand-off)

o       Locate internet entry point (public hotspot, war-drive?)

o       Never attack from home or work!!!

        Attack Execution

o       Blind IDS/IPSs (especially on mass attacks)

§       Fake/decoy attacks - spoofed source IP addresses, etc., so the real source is buried among false alarms

o       Hit a perimeter or VPN system first

o       Look for detection indications

§       Evaluate continuation

§       Look for TCP resets, ICMP Type 3 (destination unreachable) packets, DoS, etc. from target-owned networks, especially on ports that answered normally before.

o       Verify log locations and alter them (look for integrity-checker hash files first; altering a hashed log gets you noticed)

o       Recon file system

o       Trojanize - bot/zombie

o       Root Kit

o       Add user

o       It is a good time to look for PKI material (private keys, certificates)

o       Reevaluate detection

o       Move to another system and repeat
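
As an added example of the "look for detection indications" step above (this is not code from the original page), the Python below reads constructed tcpdump-style lines and applies one concrete rule: a port that answered SYN/ACK during the quiet probe and now comes back as RST or ICMP unreachable means an ACL or IPS has reacted, and it is time to evaluate continuation. The lines follow the layout of `tcpdump -n -tttt` but are constructed; the regexes, the probing address and the rule itself are my own assumptions.

```python
"""Attacker-side 'are we being noticed?' indicators from constructed
tcpdump-style lines.

Added example, not from the original page.  CAPTURE, OUR_IP and the
synack-then-unreachable rule are assumptions for the example.
"""
import re
from collections import Counter
from datetime import datetime

OUR_IP = "203.0.113.10"   # the probing host (assumption)

TCP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<sip>[\d.]+) > (?P<dip>[\d.]+): "
    r"ICMP (?P<host>[\d.]+) (?P<proto>tcp|udp) port (?P<port>\d+) unreachable"
)

# Constructed capture: the quiet probe at 10:00 sees normal answers (SYN/ACK on
# 80 and 22, RST on closed 23, firewall-filtered 135).  After noisier probing
# the same open ports come back 'admin prohibited' from the firewall: shunned.
CAPTURE = """\
2003-07-30 10:00:01.000101 IP 198.51.100.5.80 > 203.0.113.10.40000: Flags [S.], seq 1:1, ack 1, win 5840, length 0
2003-07-30 10:00:02.000102 IP 198.51.100.5.22 > 203.0.113.10.40001: Flags [S.], seq 1:1, ack 1, win 5840, length 0
2003-07-30 10:00:03.000103 IP 198.51.100.5.23 > 203.0.113.10.40002: Flags [R.], seq 0, ack 1, win 0, length 0
2003-07-30 10:00:04.000104 IP 198.51.100.1 > 203.0.113.10: ICMP 198.51.100.5 tcp port 135 unreachable - admin prohibited filter, length 36
2003-07-30 10:00:05.000105 IP 203.0.113.10.40003 > 198.51.100.5.443: Flags [S], seq 0, win 1024, length 0
2003-07-30 10:05:10.000106 IP 198.51.100.1 > 203.0.113.10: ICMP 198.51.100.5 tcp port 80 unreachable - admin prohibited filter, length 36
2003-07-30 10:05:11.000107 IP 198.51.100.1 > 203.0.113.10: ICMP 198.51.100.5 tcp port 22 unreachable - admin prohibited filter, length 36
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_responses(lines, our_ip=OUR_IP):
    """Yield (ts, host, port, kind) for packets the target network sent *to* us.
    kind is 'synack' (open), 'rst' (closed or reset) or 'icmp_unreach' (filtered)."""
    for line in lines:
        m = TCP_RE.match(line)
        if m and m["dip"] == our_ip:
            flags = m["flags"]
            if "R" in flags:
                kind = "rst"
            elif "S" in flags and "." in flags:
                kind = "synack"
            else:
                continue                       # plain ACKs, FINs: not a verdict
            yield _ts(m["ts"]), m["sip"], int(m["sport"]), kind
            continue
        m = ICMP_RE.match(line)
        if m and m["dip"] == our_ip:
            yield _ts(m["ts"]), m["host"], int(m["port"]), "icmp_unreach"


def reaction_indicators(lines, our_ip=OUR_IP):
    """Return (counts by kind, [(ts, host, port, before, after)]) listing each
    host/port that once answered SYN/ACK and later answered RST or ICMP unreachable."""
    counts, first, changes = Counter(), {}, []
    for ts, host, port, kind in sorted(parse_responses(lines, our_ip)):
        counts[kind] += 1
        prev = first.setdefault((host, port), kind)
        if prev == "synack" and kind != "synack":
            changes.append((ts, host, port, prev, kind))
            first[(host, port)] = kind         # report each flip once
    return counts, changes


if __name__ == "__main__":
    counts, changes = reaction_indicators(CAPTURE.splitlines())
    print("responses:", dict(counts))
    for ts, host, port, before, after in changes:
        print(f"{ts:%H:%M:%S} {host}:{port} went {before} -> {after}: possible shun")
```

Only packets addressed to `OUR_IP` count, so our own outbound SYNs are ignored. A single flip on one port can be an ordinary service restart; two well-known ports flipping to "admin prohibited" from the border address within a minute is the signature of a rule being added against you, and in this methodology that is the point to stop and reevaluate, not to push harder.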


Post Attack

o       Evaluate Detection

o       Evaluate Data Acquired

o       Evaluate Foot Print left behind

o       Use compromised system as hop box for next system attack (beachheading).

Lessons Learned

Did you discover a new hole, method of detection, or honeypot? As a system admin/engineer, did you find a method to discover a previously undetectable attack method? These are all important, and you may consider sharing them with whichever community you are a part of. Remember, use your powers for good, not evil.