Appendix B. Common Exploits and Attacks

Table B-1 details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks.

Null or Default PasswordsLeaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and BIOSes, though some services that run on Linux can contain default administrator passwords (though Red Hat Enterprise Linux does not ship with them).

Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances.
Common in many legacy operating systems, especially OSes that bundle services such as UNIX and Windows.
Administrators sometimes create privileged users in a rush and leave the password null, a perfect entrypoint for malicious users who discover the user.

Default Shared KeysSecure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, any user with the same default keys have access to that shared-key resource, and any sensitive information contained in it.

Most common in wireless access points and preconfigured secure server appliances.
CIPE (refer to Chapter 6 Virtual Private Networks) contains a sample static key that must be changed before deployment in a production environment.

IP SpoofingA remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or trojan to gain control over your network resources.

Spoofing is quite difficult as it involves the attacker predicting TCP/IP SYN-ACK numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such a vulnerability.
Depends on target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS.

EavesdroppingCollecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.

This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers.
Remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or Man-in-the-middle) to compromise a system on the LAN.
Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised.

Service VulnerabilitiesAn attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.

HTTP-based services such as CGI are vulnerable to remote command executions and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users.
Services sometimes can have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where attackers gain access by filling addressable memory with a quantity over that which is acceptable by the service, crashing the service and giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker.
Administrators should make sure that services do not run as the root user, and should stay vigilant of patches and errata updates for applications from vendors or security organizations such as CERT and CVE.

Application VulnerabilitiesAttackers find faults in desktop and workstation applications such as e-mail clients and execute arbitrary code, implant trojans for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.

Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments.
Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments.

Denial of Service (DoS) AttacksAttacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.

The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as zombies, or redirected broadcast nodes.
Source packets are usually forged (as well as rebroadcasted), making investigation to the true source of the attack difficult.
Advances in ingress filtering (IETF rfc2267) using iptables and Network IDSes such as snort assist administrators in tracking down and preventing distributed DoS attacks.

Table B-1. Common Exploits