Reconnaissance attacks can consist of the following:
- Packet sniffers
- Port scans
- Ping sweeps
- Internet information queries
A malicious intruder typically ping sweeps the target network to
determine which IP addresses are alive. After this, the intruder uses a port
scanner to determine what network services or ports are active on the live IP
addresses. From this information, the intruder queries the ports to determine
the application type and version, as well as the type and version of operating
system running on the target host. Based on this information, the intruder can
determine if a possible vulnerability exists that can be exploited.
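The two steps just described, a ping sweep followed by a port scan of the hosts that answered, leave a recognisable footprint in flow or firewall logs: one source touching many hosts with ICMP, then one source touching many ports on one host. The following detector is an added example, not part of the original text; the flow-record layout, the thresholds and the sample records are constructed for illustration, and real collectors (NetFlow, firewall logs) use different field layouts.

```python
"""Flag ping sweeps and port scans in constructed flow records.

Added example, not part of the original text. Record format, thresholds and
the sample data below are constructed for illustration; real collectors
(NetFlow, firewall logs) differ in layout.
"""
from collections import defaultdict

# Constructed flow records: (timestamp, src, dst, proto, dst_port); 0 for ICMP.
SAMPLE_FLOWS = [
    # 10.0.9.7 pings every host in 192.168.1.1-6: a ping sweep
    (100, "10.0.9.7", "192.168.1.1", "icmp", 0),
    (100, "10.0.9.7", "192.168.1.2", "icmp", 0),
    (101, "10.0.9.7", "192.168.1.3", "icmp", 0),
    (101, "10.0.9.7", "192.168.1.4", "icmp", 0),
    (102, "10.0.9.7", "192.168.1.5", "icmp", 0),
    (102, "10.0.9.7", "192.168.1.6", "icmp", 0),
    # then probes many ports on one host that answered: a port scan
    (110, "10.0.9.7", "192.168.1.3", "tcp", 21),
    (110, "10.0.9.7", "192.168.1.3", "tcp", 22),
    (110, "10.0.9.7", "192.168.1.3", "tcp", 23),
    (111, "10.0.9.7", "192.168.1.3", "tcp", 25),
    (111, "10.0.9.7", "192.168.1.3", "tcp", 80),
    (111, "10.0.9.7", "192.168.1.3", "tcp", 110),
    (112, "10.0.9.7", "192.168.1.3", "tcp", 143),
    (112, "10.0.9.7", "192.168.1.3", "tcp", 443),
    (112, "10.0.9.7", "192.168.1.3", "tcp", 445),
    (113, "10.0.9.7", "192.168.1.3", "tcp", 3389),
    # ordinary traffic from a workstation, below both thresholds
    (100, "192.168.1.50", "192.168.1.3", "tcp", 443),
    (105, "192.168.1.50", "192.168.1.3", "tcp", 443),
    (107, "192.168.1.50", "8.8.8.8", "udp", 53),
    (109, "192.168.1.50", "192.168.1.1", "icmp", 0),
]

# Constructed thresholds; tune to the size and chattiness of the network.
PING_SWEEP_HOSTS = 5   # distinct ICMP targets from one source per window
PORT_SCAN_PORTS = 8    # distinct destination ports on one host from one source
WINDOW_SECONDS = 60


def detect_recon(flows, window=WINDOW_SECONDS,
                 sweep_hosts=PING_SWEEP_HOSTS, scan_ports=PORT_SCAN_PORTS):
    """Return a list of alert dicts for ping sweeps and port scans.

    Flows are grouped into fixed time buckets of `window` seconds. A ping
    sweep is one source sending ICMP to >= sweep_hosts distinct hosts in a
    bucket; a port scan is one source hitting >= scan_ports distinct ports on
    one destination host in a bucket.
    """
    icmp_targets = defaultdict(set)   # (bucket, src) -> {dst hosts pinged}
    probed_ports = defaultdict(set)   # (bucket, src, dst) -> {dst ports}
    for ts, src, dst, proto, dport in flows:
        bucket = ts // window
        if proto == "icmp":
            icmp_targets[(bucket, src)].add(dst)
        else:
            probed_ports[(bucket, src, dst)].add(dport)

    alerts = []
    for (bucket, src), hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append({"kind": "ping_sweep", "src": src,
                           "hosts": len(hosts), "window_start": bucket * window})
    for (bucket, src, dst), ports in probed_ports.items():
        if len(ports) >= scan_ports:
            alerts.append({"kind": "port_scan", "src": src, "dst": dst,
                           "ports": len(ports), "window_start": bucket * window})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_FLOWS):
        print(alert)
```

Fixed buckets keep the code short but miss activity that straddles a bucket boundary; a production detector would use a sliding window and would also correlate the two alerts (a scan of exactly the hosts that answered a sweep is a stronger signal than either alone).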
Using, for example, the nslookup and whois utilities, an attacker can easily
determine the IP address space assigned to a given corporation or entity. The
ping command tells the attacker what IP addresses are alive.
Network snooping and packet sniffing are common terms for
eavesdropping. Eavesdropping is listening in to a conversation, spying, prying,
or snooping. The information gathered by eavesdropping can be used to mount
other attacks against the network.
An example of data susceptible to
eavesdropping is SNMP version 1 community strings, which are sent in clear
text. An intruder could eavesdrop on SNMP queries and gather valuable data on
network equipment configuration. Another example is the capture of usernames
and passwords as they cross a network.
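Because an SNMP version 1 message carries its community string as a plain BER OCTET STRING right after the version field, anyone who can capture the UDP datagram can read it, and a defender can use the same fact to audit a capture for devices still speaking v1 or v2c. The script below is an added example, not part of the original text: it parses only the SNMP message header, flags v1/v2c messages (whose community travels in cleartext) and notes whether the community is a well-known default. The packet bytes, addresses and the `SAMPLE_SNMPV3_STUB` (a v3 message cut off after its version field) are all constructed.

```python
"""Audit captured SNMP messages for cleartext (v1/v2c) community strings.

Added example, not part of the original text. The packets below are
constructed: an SNMPv1 GetRequest for sysDescr.0 with community "public",
the same request as v2c with community "private", and a v3 message truncated
after its version field. The BER reader handles only what the header needs.
"""

# Constructed SNMPv1 GetRequest as it appears in the UDP payload to port 161.
SAMPLE_SNMPV1_GET = bytes.fromhex(
    "30 26"                           # SEQUENCE, 38 bytes
    "02 01 00"                        # INTEGER version = 0 (SNMPv1)
    "04 06 70 75 62 6c 69 63"         # OCTET STRING community = "public"
    "a0 19"                           # GetRequest-PDU, 25 bytes
    "02 01 01"                        #   request-id = 1
    "02 01 00"                        #   error-status = 0
    "02 01 00"                        #   error-index = 0
    "30 0e"                           #   VarBindList
    "30 0c"                           #     VarBind
    "06 08 2b 06 01 02 01 01 01 00"   #       OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "05 00"                           #       NULL (value not yet known)
)
# Same PDU, version 1 (v2c), community "private" (one byte longer).
SAMPLE_SNMPV2C_GET = (bytes.fromhex("30 27 02 01 01 04 07 70 72 69 76 61 74 65")
                      + SAMPLE_SNMPV1_GET[13:])
# v3 header stub: SEQUENCE containing only INTEGER version = 3 (constructed).
SAMPLE_SNMPV3_STUB = bytes.fromhex("30 03 02 01 03")

# Constructed capture: (src_ip, dst_ip, udp_payload) for UDP/161 datagrams.
SAMPLE_PACKETS = [
    ("192.168.1.50", "192.168.1.3", SAMPLE_SNMPV1_GET),
    ("192.168.1.50", "192.168.1.4", SAMPLE_SNMPV2C_GET),
    ("192.168.1.60", "192.168.1.3", SAMPLE_SNMPV3_STUB),
]

SNMP_VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:            # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(payload):
    """Return {"version": name, "community": str or None} for an SNMP payload.

    Raises ValueError if the outer structure is not an SNMP message. The
    community is returned for v1/v2c only; v3 uses a different header and its
    security parameters are not a cleartext shared secret.
    """
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    name = SNMP_VERSION_NAMES.get(version, "unknown(%d)" % version)
    community = None
    if version in (0, 1):
        tag, comm, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("missing community OCTET STRING")
        community = comm.decode("latin-1")
    return {"version": name, "community": community}


def audit_capture(packets):
    """Return (version_counts, findings) for an iterable of SNMP datagrams.

    Every v1/v2c datagram is a finding, because its community string crossed
    the network in cleartext; default_community marks the weakest cases.
    """
    counts = {}
    findings = []
    for src, dst, payload in packets:
        try:
            hdr = parse_snmp_header(payload)
        except (ValueError, IndexError):
            continue                      # not SNMP or malformed: skip it
        counts[hdr["version"]] = counts.get(hdr["version"], 0) + 1
        if hdr["community"] is not None:
            findings.append({"src": src, "dst": dst, "version": hdr["version"],
                             "default_community": hdr["community"] in DEFAULT_COMMUNITIES})
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_capture(SAMPLE_PACKETS)
    print("versions seen:", counts)
    for f in findings:
        print("cleartext SNMP %(version)s %(src)s -> %(dst)s, default community: %(default_community)s" % f)
```

The report deliberately lists the endpoints and whether the community is a default rather than the string itself; that is all an administrator needs to find the device and move it to SNMPv3 or to a management VLAN, and it keeps the audit output from becoming a list of credentials.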
Types of Eavesdropping
A common method for eavesdropping on
communications is to capture TCP/IP or other protocol packets and decode the
contents using a protocol analyzer or similar utility. Two common uses
of eavesdropping are as follows:
- Information gathering – Network intruders can identify usernames,
passwords, or information carried in the packet such as credit card numbers or
sensitive personal information.
- Information theft – Network eavesdropping can lead to information
theft. The theft can occur as data is transmitted over the internal or external
network. The network intruder can also steal data from networked computers by
gaining unauthorized access. Examples include breaking into or eavesdropping on
financial institutions and obtaining credit card numbers. Another example is
using a computer to crack a password file.
Tools Used to Perform Eavesdropping
The following tools are
used for eavesdropping:
- Network or protocol analyzers
- Packet capturing utilities on networked computers
Methods to Counteract Attacks
Three of the most effective
methods for counteracting eavesdropping are as follows:
- Implementing and enforcing a policy directive that forbids the use of
protocols with known susceptibilities to eavesdropping
- Using encryption that meets the data security needs of the organization
without imposing an excessive burden on the system resources or the users
- Using switched networks
Encrypted Data
Encryption provides protection for data
susceptible to eavesdropping attacks, password crackers, or manipulation. Some
benefits of data encryption are as follows:
- Almost every company has transactions, which, if viewed by an eavesdropper,
could have negative consequences. Encryption ensures that when sensitive data
passes over a medium susceptible to eavesdropping, it cannot be altered or
observed.
- Decryption is necessary when the data reaches the router or other
termination device on the far receiving LAN where the destination host
resides.
- By encrypting after the User Datagram Protocol (UDP) or Transmission
Control Protocol (TCP) headers, so that only the IP payload data is encrypted,
Cisco IOS network-layer encryption allows all intermediate routers and switches
to forward the traffic as they would any other IP packets. Payload-only
encryption allows flow switching and all access-list features to work with the
encrypted traffic just as they would with plain text traffic, thereby
preserving desired quality of service (QoS) for all data.