Anatomy of a Hacker Attack

by Torbjörn Hovmark, president of Abtrusion Security AB

A hacker attack typically proceeds through the following phases:
  1. Collect information about the target of the attack
  2. Locate a weakness to be used as an entry point
  3. Download and execute software on the target
  4. Use security holes to elevate privileges
  5. Steal or modify information
  6. Cover the tracks

Phase 1 - Collecting Information

The experienced hacker will probably spend most of his effort collecting information, often called profiling. Once he has sufficient information, the remainder of the attack may be relatively quick and easy. The novice, however, will often skip phase one altogether and go straight to phase two.

There is a lot of information that could be potentially valuable to a hacker trying to gain access to a private computer network. The design and layout of the network is always valuable. Where are the important computers on the network? What kind of applications do they run? How is the network wired? Where are the firewalls? How does it communicate with the rest of the world? Information such as IP addresses, dial-up access numbers and so forth are also valuable.

A second type of information that is often even more valuable is related to social factors. What are the names of some of the employees of the target? In a big company where not all employees necessarily know each other, the name of an employee and some social skill is often sufficient to gain access to a login account. Information about who knows whom is potentially very valuable. Organizational charts are also a gold mine for the would-be hacker.

In the first phase, the hacker typically does not have direct contact with the company, or at least does not do anything unusual or suspicious. Instead it is a matter of trying to gather bits and pieces of what is already publicly known about the target.

Phase 2 - Locating a Weakness

Once sufficient information is available, the hacker will move on to locate a weakness that can be used to gain access to the target. In the bad old days, before firewalls, the hacker would be able to attack computers on the Internet directly without much effort. Today things are a bit more difficult, but not very much. Some of the weaknesses frequently used by viruses are bugs in e-mail clients. The same weaknesses are also used by hackers. There are a number of other ways to gain access to a computer network, with bugs in web browsers and web servers being some of the most common.

Another potential weakness, not related to software bugs, is the human factor. If enough is known about an organization, the hacker can often use a little bit of his social skill to trick or pressure someone into letting him into the network. For instance, in many of the larger organizations, when you forget your password, you just call up support and they will change it to something of your choice. All the hacker might need in this case is the name of an employee and an account name in order to gain access to the account. Pretending to be someone important is often a way to pressure the technical support organization into bending the rules a bit. Pretending to be a friend of an employee when you send him an e-mail with an attachment is often a good way to get him to trust you and open the attachment. The From address of an e-mail is very easy to forge. The point is, the possibilities are endless, and in most cases, the firewall will provide little or no protection against social skills.
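Because the From address is so easy to forge, a receiving mail system can check whether anything authenticated actually backs it up. The following is an added example, not part of the original article: it compares the From domain with the envelope sender (Return-Path) and with the SPF/DKIM verdicts in an Authentication-Results header. The sample messages are constructed, the header is assumed to have been stamped by your own receiving server, and domains are compared by exact match.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the same visible sender, once unauthenticated, once authenticated.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none
From: IT Support <anna@example.com>
Subject: Please open the attached form

See attachment.
"""
LEGIT = """\
Return-Path: <anna@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: IT Support <anna@example.com>

Noon?
"""

def domain_of(addr):
    # Domain part of an address; a bare domain is returned unchanged.
    return (addr or "").rpartition("@")[2].lower()

def header_domain(msg, name):
    return domain_of(parseaddr(msg.get(name, ""))[1])

def auth_results(msg):
    """Map each method (spf, dkim, ...) to (result, {property: value})."""
    out = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:   # [0] is the verifying server's id
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].split("=", 1)
                props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
                out[method.lower()] = (result.lower(), props)
    return out

def from_findings(raw):
    msg = message_from_string(raw)
    from_dom, findings = header_domain(msg, "From"), []
    if header_domain(msg, "Return-Path") != from_dom:
        findings.append("envelope sender domain differs from From domain")
    res = auth_results(msg)
    checks = (("spf", "smtp.mailfrom"), ("dkim", "header.d"))
    if not any(res.get(m, ("", {}))[0] == "pass"
               and domain_of(res[m][1].get(p)) == from_dom for m, p in checks):
        findings.append("no SPF or DKIM pass aligned with From domain")
    return findings
```

Note that the spoofed sample passes SPF for the sending service's own domain; the pass only counts when it is for the domain shown in From.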

Phase two is concerned with finding a way to establish contact between the private network and the hacker's own computer. Typically (but not necessarily) this contact occurs over the Internet.

Phase 3 - Download and Execute Software

Once a weakness is found, it is typically used to download one or several executable files to the target computer. The hacker might use a buffer overflow, an e-mail or a web browser bug to initiate this phase.

Although there are many publicly available hacker tools on the Internet, the professional hacker will probably custom build his own executable tools. This means that normal virus protection software will not be able to recognize them.

Hacker tools can be used to perform most of the tasks the hacker wants, more or less as if he were physically present in front of the computer. They can also be designed for very specific purposes, such as elevating privileges or bypassing security controls some other way. Yet other tools may be used to hide the fact that the computer has been hijacked.

If the hacker gets past phase three, the game is basically up. Once he is able to execute arbitrary code on your computer, there will not be much holding him back.

Phase 4 - Elevating Privileges

Normally, important information is protected so that only certain users can access it. For the hacker, this is usually not much of a problem. If he can execute code on the target system, there are a number of known security holes that can be exploited to elevate privileges, i.e. gain access to an administrative account. These range from bugs in operating system components to being able to replace system files or tricking the system into executing the wrong files. It is very unlikely that all of these holes are plugged on an individual system.

Phase 5 - Stealing or Modifying Information

To steal or somehow modify information is probably the primary goal of the hacker. There are also instances of hooliganism, but they are less common. A professional hacker will probably have a goal other than destruction. Sometimes, he will break into one network only to use it as a base from which to attack his next target, but sooner or later he will want something.

With the right privileges and ample information about the target, stealing information is usually a piece of cake.

Phase 6 - Covering Tracks

Most hacker attacks go unnoticed. Many times this is because no one is looking. Most computers have logs, but usually, there will not be anyone reviewing them. However, for the hacker, covering tracks by deleting entries from a log file is usually pretty easy. Another way to cover tracks is to use hijacked intermediaries for all communication with the target computer. That way, locating the hacker through his IP address will be much more difficult.
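Deleted log entries become detectable when each entry is chained to the one before it and the latest digest is kept somewhere the intruder cannot reach. The following is an added example, not part of the original article: a SHA-256 hash chain over constructed sample events, with the assumption that the head digest is copied off the host (for instance to a separate log server).

```python
import hashlib

GENESIS = "0" * 64  # fixed starting value for the chain

def _link(prev, message):
    return hashlib.sha256(f"{prev}\n{message}".encode()).hexdigest()

def chain(messages):
    """Return lines '<digest> <message>'; each digest covers the previous digest."""
    prev, lines = GENESIS, []
    for message in messages:
        prev = _link(prev, message)
        lines.append(f"{prev} {message}")
    return lines

def verify(lines, anchored_head):
    """Return None if intact, the index of the first line that breaks the
    chain, or len(lines) if the chain is consistent but does not end at the
    anchored head (tail removed, or whole log rewritten)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        digest, _, message = line.partition(" ")
        if digest != _link(prev, message):
            return i
        prev = digest
    return None if prev == anchored_head else len(lines)

# Constructed sample events (not real log data).
EVENTS = [
    "09:01:12 login ok user=alice src=10.0.0.5",
    "09:03:40 login failed user=admin src=203.0.113.7",
    "09:03:44 login ok user=admin src=203.0.113.7",
    "09:05:02 service installed name=updater",
]
LOG = chain(EVENTS)
HEAD = LOG[-1].split(" ", 1)[0]  # assumption: this copy is stored off the host

if __name__ == "__main__":
    print("intact:", verify(LOG, HEAD))
    print("entry deleted:", verify(LOG[:2] + LOG[3:], HEAD))
    print("tail removed:", verify(LOG[:3], HEAD))
    print("log rewritten:", verify(chain(EVENTS[:2] + EVENTS[3:]), HEAD))
```

Without the off-host head, someone with write access to the log could simply recompute the whole chain after removing entries, which is why the anchored copy matters.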

Software may be used to hide your tracks as well. Once you have sufficient privileges on a computer, you can theoretically do more or less whatever you like with it, if you are skilled enough. For example, so-called root-kits can be used to modify the operating system itself in a way that is practically impossible to detect.

Copyright © 2002 Abtrusion Security AB. All rights reserved. This document may be reproduced provided that it is reproduced in its entirety and that this copyright message is retained.