- Administrator’s personality
Before a cracker identifies a target, he must do some detailed research on the system administrator of the host. A system administrator is usually responsible for maintaining the whole system and its security. He/she may sometimes run into problems he/she cannot solve, and there is a good chance he/she will post to Usenet or a mailing list for answers. By taking the time to run a search on the administrator’s address, you may be able to gain greater insight into his network, his security, and his personality. Administrators who make such posts typically specify their architecture, a bit about their network topology, and their stated problem.
And sometimes you can get even more. For example, a system administrator may be on a security mailing list or forum every day, disputing or discussing various security techniques and problems with fellow administrators. This is evidence of knowledge. Analyzing such a person’s posts closely will tell you a bit about his stance on security and how he implements it. You can also find out whether this person is experienced or just a newcomer.
You needn’t worry too much even if he doesn’t show up in such lists. Maybe he is just a lurker, or there is another possibility: he doesn’t want to take part in any such discussions. Crackers rely in large part on the administrator’s lack of knowledge.
- Time schedule
When can an attack occur, or when do you initiate an attack? An attack can occur any time your network is connected to the Internet. Most networks are connected 24 hours a day, which means that an attack can happen at any time. But there are some conventions you can observe.
The majority of attacks occur late at night relative to the position of the server. That is, if you are in Los Angeles and your attacker is in London, the attack will probably occur during the late night or early morning hours, Los Angeles time. There are several reasons why a cracker would choose this time:
- Practicality
- Speed
- Stealth
- Doing a test run
The test run portion of the attack is practical only for those who are serious about cracking. The average cracker will never undertake such activity, because it takes a little money.
This step involves building a single machine with the identical distribution as the target and then running a series of attacks against it. There are two things you are looking for:
- What the attacks are going to look like from the attacking site
- What the attacks will look like from the victim's side
- Tools
If you really want to do some cracking, you need to assemble the tools that you will actually use. These tools will most probably be scanners. You will be looking to identify all services now running on the target. In some instances, a particular service is covered by one tool but not by another, so you had better integrate the two tools. To determine exactly how all these tools will work together, it is best to test this on at least some machines, even if they are not identical to the target. The only concern is whether these tools will interrupt or corrupt one another as a result of running more than one tool at the same time.
- Developing an attack strategy
The days of roaming around the Internet, cracking this and that server, are basically over. Years ago, compromising the security of a system was viewed as a minor transgression as long as no damage was done. Today the situation is different: the value of data is becoming an increasingly talked-about issue. Therefore the modern cracker would be wise not to crack without a reason. Similarly, he would be wise to set about cracking a server with a particular plan.
Your attack strategy may depend on what you want to accomplish. Basically, the task is nothing more than compromising system security. If this is your plan, you need to lay out how the attack will be accomplished. The longer the scan takes and the more machines that are included within it, the more likely it is that it will be discovered immediately. Also, the more scan data you have to sift through, the longer it will take to implement an attack based upon that data. In any situation, the time between the scan and the actual attack should be short.
And if a certain portion of the network is segmented by routers, switches, bridges, or other devices, you had better exclude these from your scan, or you are just wasting your time. Compromising such a system will produce little benefit. Suppose you gain root on one such box in a segment; how far do you think you can go?
Most crackers are not geniuses. They often implement techniques that are tried, true, and well known in the security community. Unless the cracker is writing his own tools, he must rely on existing, available tools. Thus from the victim’s point of view, all attacks using such tools look basically the same.
Most crackers learn their techniques (at least the basics) from those who came before them. Although there are some pioneers in the field, the majority of crackers simply follow in the footsteps of their predecessors. These techniques have been described extensively in online documents authored by crackers, and such documents are available at thousands of locations on the Internet. In them are extremely detailed examples of how to implement a particular class of attack.
The new cracker typically follows these instructions to the letter. Often his efforts are useless because some attack methods are outdated. If you examine such an attack in your logs, it may look almost identical to the sample logs posted by security professionals in various technical presentations designed with the express purpose of illustrating cracking examples.
However, there comes a point in a cracker’s experience where he begins to develop his own specialized methods of implementing attacks. Some of these attack methods emerge as a result of habit; others because the cracker realizes that a certain tool has functions beyond its express purpose. These types of attacks are called “hybrid attacks”.
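Two of the conventions above are visible from the victim's side in exactly the logs this paragraph mentions: the scan that precedes an attack by only a short interval, and the tendency of attacks to fall in the server's late-night hours. The following Python script is an added example, not code from the original page: it groups constructed connection-log lines by source address, flags a source that touches several distinct ports within a short window as a scan, then checks whether a login attempt follows within a short interval and whether the scan fell in server-local off-hours. The log format, the thresholds and the sample lines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the page): "timestamp source_ip dest_port outcome".
SAMPLE_LOG = """\
2024-03-02T02:14:03 203.0.113.7 21 refused
2024-03-02T02:14:04 203.0.113.7 22 open
2024-03-02T02:14:04 203.0.113.7 23 refused
2024-03-02T02:14:05 203.0.113.7 25 refused
2024-03-02T02:14:05 203.0.113.7 80 open
2024-03-02T02:14:06 203.0.113.7 110 refused
2024-03-02T02:21:40 203.0.113.7 22 login-failed
2024-03-02T14:05:00 198.51.100.9 80 open
2024-03-02T14:05:30 198.51.100.9 22 login-failed
"""
# Assumed thresholds; tune them to the site's own baseline.
SCAN_MIN_PORTS = 5                        # distinct ports touched within SCAN_WINDOW
SCAN_WINDOW = timedelta(minutes=2)
FOLLOWUP_WINDOW = timedelta(minutes=30)   # the "short" scan-to-attack gap
OFF_HOURS = range(0, 6)                   # server-local hours treated as late night

def parse(log):
    for line in log.splitlines():
        ts, ip, port, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, int(port), outcome

def find_scan_then_attack(log):
    """Map source IP -> {scan_at, followup, off_hours} for each source that scanned."""
    by_ip = defaultdict(list)
    for ts, ip, port, outcome in parse(log):
        by_ip[ip].append((ts, port, outcome))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        scan_at = None
        for i, (ts, _, _) in enumerate(events):
            # Distinct ports this source touched in the window starting at ts.
            ports = {p for t, p, _ in events[i:] if t - ts <= SCAN_WINDOW}
            if len(ports) >= SCAN_MIN_PORTS:
                scan_at = ts
                break
        if scan_at is None:
            continue  # fewer than SCAN_MIN_PORTS distinct ports: not a scan by this rule
        # First login attempt after the scan and within FOLLOWUP_WINDOW, if any.
        followup = next((t for t, _, o in events
                         if o.startswith("login") and scan_at < t <= scan_at + FOLLOWUP_WINDOW), None)
        findings[ip] = {"scan_at": scan_at, "followup": followup,
                        "off_hours": scan_at.hour in OFF_HOURS}
    return findings
```

On the sample log only 203.0.113.7 is reported: six ports in three seconds at 02:14, a login attempt seven minutes later, and the whole sequence inside the off-hours range; 198.51.100.9 touches too few ports to count as a scan.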