Appendix A. Common Exploits and Attacks

Table A-1 details some of the most common exploits and entry points used by intruders to access organizational network resources. For each exploit, the table explains how it is performed and how administrators can properly safeguard their network against it.

Table A-1. Common Exploits

Each entry lists the exploit, a description of it, and notes on where it occurs and how to guard against it.
Exploit: Null or Default Passwords

Description: Leaving administrative passwords blank or using a default password provided by the application package. This is most common in hardware such as routers and BIOSes, though some services that run on Linux can contain default administrator passwords (Red Hat Linux does not ship with any).

Notes:
- Commonly associated with networking hardware such as routers, firewalls, VPNs and network attached storage (NAS) appliances.
- Common in many legacy operating systems, especially OSes that bundle services, such as UNIX and Windows.
- Administrators sometimes create privileged users in a rush and leave the password null, a perfect entry point for malicious users who discover the account.
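As an added example (not part of the guide), the following audit parses passwd- and shadow-style data and flags exactly the two conditions described above: accounts with an empty password field and extra accounts with UID 0. The account data is constructed sample input, not from a real system.

```python
"""Audit passwd/shadow-style data for the 'null password' entry point in Table A-1."""
from typing import Dict, List, Tuple

# Constructed sample data (not from a real system); field layout follows passwd(5) and shadow(5).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ops:x:0:0:rushed admin account:/home/ops:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
ops::12000:0:99999:7:::
alice:!!:12000:0:99999:7:::
"""

def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow style file into rows of fields, skipping blank and comment lines."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]

def audit_accounts(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, problem) pairs; locked hashes such as '*' or '!!' are not findings."""
    findings: List[Tuple[str, str]] = []
    uid_by_user: Dict[str, int] = {}
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue
        user, uid = fields[0], int(fields[2])
        uid_by_user[user] = uid
        if uid == 0 and user != "root":
            findings.append((user, "extra UID 0 account"))
    for fields in parse_colon_file(shadow_text):
        if len(fields) < 2:
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field == "":  # empty field: no password required at all
            problem = "empty password on privileged account" if uid_by_user.get(user) == 0 else "empty password"
            findings.append((user, problem))
    return findings

if __name__ == "__main__":
    for user, problem in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {problem}")
```

Run against the real files by passing the contents of /etc/passwd and /etc/shadow (root access is needed to read the latter).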

Exploit: Default Shared Keys

Description: Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and placed in a production environment on the Internet, any user with the same default keys has access to that shared-key resource and to any sensitive information contained in it.

Notes:
- Most common in wireless APs and preconfigured secure server appliances.
- CIPE (refer to Chapter 6) contains a sample static key that must be changed before moving to a production environment.

Exploit: IP Spoofing

Description: A remote machine acts as a node on your local network, finds vulnerabilities in your servers, and installs a backdoor program or trojan to gain control over your network resources.

Notes:
- Spoofing is quite difficult, as it involves the attacker predicting TCP/IP SYN-ACK numbers to coordinate a connection to target systems, but several tools are available to assist crackers in exploiting such a vulnerability.
- Depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not usually recommended compared to PKI or other forms of encrypted authentication as used in ssh or SSL/TLS.

Exploit: Eavesdropping

Description: Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.

Notes:
- This type of attack works mostly with plain text transmission protocols such as telnet, FTP, and HTTP transfers.
- The remote attacker must have access to a compromised system on the LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN.
- Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised.

Exploit: Service Vulnerabilities

Description: An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.

Notes:
- HTTP-based services such as CGI are vulnerable to remote command execution and even shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders the system unavailable to other users.
- Services can have vulnerabilities that go unnoticed during development and testing. One example is the buffer overflow, where attackers gain access by filling addressable memory with more data than the service accepts, crashing the service and giving the attacker an interactive command prompt from which they may execute arbitrary commands.
- Administrators should make sure that services do not run as the root user, and should stay vigilant for patches and errata updates for their applications from vendors or security organizations such as CERT and CVE.

Exploit: Application Vulnerabilities

Description: Attackers find faults in desktop and workstation applications such as e-mail clients and execute arbitrary code, implant trojans for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.

Notes:
- Workstations and desktops are more prone to exploitation because workers do not have the expertise or experience to prevent or detect a compromise that an administrator running a server has; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited mail.
- Safeguards can be implemented such that e-mail client software does not automatically open or execute attachments. Additionally, the automatic updating of workstation software via Red Hat Network or another system management service can alleviate the burdens of multi-seat security deployments.

Exploit: Denial of Service (DoS) Attacks

Description: An attacker or group of attackers coordinate an attack on network or server resources by sending unauthorized packets to the target machine (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.

Notes:
- The most reported DoS case occurred in 2000, when several highly-trafficked sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as redirected broadcasters.
- Source packets are usually forged (as well as rebroadcast), making investigation of the true source of the attack difficult.
- Advances in ingress filtering (IETF RFC 2267) and network IDS technology assist administrators in tracking down and preventing distributed DoS attacks.
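As an added example (not part of the guide), the following shows the ingress filtering rule of RFC 2267 applied on a router that feeds two customer networks: a packet arriving on a customer-facing interface is dropped unless its source lies in that customer's assigned prefixes, and a packet arriving from upstream is dropped if it claims one of our own internal prefixes as source. The interface names, prefixes (documentation ranges) and packets are constructed for the example.

```python
"""Ingress filtering (RFC 2267) decision for the forged-source DoS traffic in Table A-1."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed router policy: each customer interface -> prefixes legitimately sourced behind it.
POLICY: Dict[str, List[str]] = {
    "eth1": ["192.0.2.0/24"],       # customer A (TEST-NET-1 documentation range)
    "eth2": ["198.51.100.0/24"],    # customer B (TEST-NET-2 documentation range)
}
UPSTREAM = "eth0"                   # the Internet-facing link

# Constructed sample packets: (ingress interface, source address, destination address).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),    # legitimate customer A traffic
    ("eth1", "203.0.113.9", "198.51.100.7"),  # source not assigned to eth1: forged
    ("eth2", "192.0.2.44", "203.0.113.5"),    # customer B forging a customer A address
    ("eth0", "203.0.113.1", "192.0.2.10"),    # ordinary inbound Internet traffic
    ("eth0", "198.51.100.9", "192.0.2.10"),   # our own prefix arriving from upstream: forged
]

def compile_policy(policy: Dict[str, List[str]]):
    """Parse the textual prefixes once into network objects."""
    return {iface: [ipaddress.ip_network(p) for p in nets] for iface, nets in policy.items()}

def ingress_verdict(iface: str, src: str, policy=POLICY, upstream=UPSTREAM) -> str:
    """Return 'pass' or 'drop' for one packet according to the RFC 2267 rule."""
    nets = compile_policy(policy)
    addr = ipaddress.ip_address(src)
    if iface == upstream:
        # Inbound from the Internet: nothing may claim to come from an internal prefix.
        internal = [n for group in nets.values() for n in group]
        return "drop" if any(addr in n for n in internal) else "pass"
    # Customer-facing interface: only that customer's own prefixes are valid sources.
    return "pass" if any(addr in n for n in nets.get(iface, [])) else "drop"

def filter_packets(packets, policy=POLICY, upstream=UPSTREAM) -> List[Tuple[str, str, str]]:
    """Apply ingress_verdict to every packet; destination is irrelevant to the decision."""
    return [(iface, src, ingress_verdict(iface, src, policy, upstream)) for iface, src, _dst in packets]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface} src={src}: {verdict}")
```

The same decision is what an ingress ACL or packet filter on the real router encodes per interface; forged sources are then stopped at the first hop instead of being traced back after the flood.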