LinuxWorld: Attacking Linux - To stop an attacker, think like a crackerAug 30, 2000, 23:10 (0 Talkback[s])
(Other stories by Rick Moen)
"Ozancin's talk dwelled at length on the methods and tools an attacker (a term he advocates over hacker) uses to select you as his target and worm his way in."
"The attacker may also use specialized network-vulnerability scanners (see Resources): Nessus, the older SATAN and SAINT packages, Firewalk (which probes and identifies a network's firewall ruleset), or proprietary scanners such as Internet Security Systems's Internet Scanner and Axxent Technologies' NetRecon -- as well as checking Websites on the target network for known-exploitable CGI scripts."
"Or the attacker may skip the fancy network scanners and concentrate on stealing one of your passwords. In my experience, that is the bad guys' usual way in and absurdly easy on most systems. If one of your users uses Telnet or (nonanonymous) FTP, or POP3 to reach your system remotely, the user's login name and password can be snagged with trivial effort at any point between the two machines. Alternatively, the malefactor may use as low-tech a means as shoulder surfing (watching the login as it's being typed in), or a variety of social engineering techniques. People are often astonishingly willing to give their passwords over the telephone to a stranger with a plausible reason for asking. Or they email passwords and other confidential data across the open Internet, ripe for interception.1 At the minimum, the attacker may telephone the firm to glean people's names and positions, or get that information from the company Webpages. He may then be able to predict valid usernames and try them with likely password combinations."
"Then there are the truly embarrassing password techniques that amount to walking into an open, unguarded bank vault. There are still services that ship with default remote administrative passwords, as evidenced by Red Hat Software's recent Piranha gaffe, as well as sites reckless enough to use null passwords, the username as the password, or the username reversed (e.g., toor for the root account). Or the attacker may use remote techniques to read a copy of /etc/passwd (on systems without shadow passwords enabled). Many such past exploits have relied on insecure CGI scripts provided by default with Web servers that are also unnecessarily running with root authority. (The Apache Web server most commonly used on Linux no longer ships with either of those faults.)"