
To create a botnet, the attacker can use several techniques to scan for vulnerable machines. The attacker first collects information about a large number of vulnerable machines to create a list. Subsequently, they infect the machines. The list is divided by assigning half of the list to the newly compromised machines. The scanning process runs simultaneously. This technique ensures the spreading and installation of malicious code in little time. Which technique is discussed here?


Option 1 : Subnet scanning technique
Option 2 : Topological scanning technique
Option 3 : Permutation scanning technique
Option 4 : Hit-list scanning technique

1. Subnet scanning technique

“Network scanning” is the method that lets you see all active devices on your network. Active scanning is when the tool sends a ping to every device on the network and waits for a response. The scanner then examines the responses it receives to check for inconsistencies or vulnerabilities.

For IP networks, this is often done by sending a ping to every possible IP address and checking the response to determine its status. It is possible to manually ping your subnet using an Address Resolution Protocol (ARP) scan; however, to see all devices on the network across all subnets, your best bet is to use a tool that can automatically run scans and discover devices. Using the required Internet Control Message Protocol (ICMP) scan is more complicated, but it can be done: you will need to use echo, timestamp, or subnet mask requests. This technique is often used to map network topology.

The purpose of network scanning is to manage, maintain, and secure the system using the information found by the scanner. Network scanning is used to recognize available network services, discover and recognize any filtering systems in place, find out what operating systems are in use, and protect the network from attacks. It may also be used to verify the health of the network.

The following example illustrates a DNS cache poisoning attack, during which an attacker (IP 192.168.3.300) intercepts the communication channel between a client (IP 192.168.1.100) and the server belonging to the website www.estores.com (IP 192.168.2.200).

In this scenario, a tool (e.g., arpspoof) is used to make the client believe that the server's IP is 192.168.3.300. At the same time, the server is made to believe that the client's IP is also 192.168.3.300.

Such a scenario would proceed as follows:
  1. The attacker uses arpspoof to issue the command: arpspoof 192.168.1.100 192.168.2.200. This modifies the MAC addresses within the server's ARP table, causing it to believe that the attacker's computer is the client.
  2. The attacker again uses arpspoof to issue the command: arpspoof 192.168.2.200 192.168.1.100, which tells the client that the attacker's computer is the server.
  3. The attacker issues the Linux command: echo 1 > /proc/sys/net/ipv4/ip_forward. As a result, IP packets sent between the client and server are forwarded through the attacker's computer.
  4. A hosts file entry, 192.168.3.300 estores.com, is created on the attacker's local computer, mapping the website www.estores.com to the attacker's local IP address.
  5. The attacker sets up a web server on the local computer's IP address and creates a fake website designed to resemble www.estores.com.
  6. Finally, a tool (e.g., dnsspoof) is used to answer all DNS requests from the attacker's local hosts file. The fake website is presented to users as a result and, by interacting with the site, malware is installed on their computers.

2. Topological scanning technique

An alternative to hit-list scanning is topologically aware scanning, which uses information contained on the victim machine in order to select new targets. Email worms have used this tactic since their inception, as they harvest addresses from their victim in order to find new potential targets, as did the Morris worm.

Many future active worms may simply apply these techniques during the initial spread, before switching to a permutation scan once the known neighbors are exhausted. An active worm that attacked a flaw in a peer-to-peer application could easily get a list of peers from a victim and use those peers as the basis of its attack, which makes such applications highly attractive targets for worm authors. Though we have yet to see such a worm in the wild, these applications should be scrutinized for security. These applications are also vulnerable to contagion worms.

Similarly, a worm attacking web servers could search for URLs on disk and use these URLs as seed targets in addition to simply scanning for random targets. Since these are known to be valid web servers, this could tend to greatly increase the initial spread by preferentially probing for likely targets.

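The ARP-spoofing steps in the DNS cache poisoning walkthrough under section 1 leave two traces that a passive monitor on the segment can catch: an IP whose hardware address suddenly changes, and a single hardware address claiming to be several hosts at once. The following detector is an added example written for this page, not code from the original post or from arpspoof/arpwatch. The captured replies are constructed, and because 192.168.3.300 is not a valid IPv4 address (octets stop at 255), the attacker is given the placeholder address 192.168.3.30 and placeholder MAC aa:aa:aa:aa:aa:aa.

```python
"""Passive ARP monitor for the two symptoms the arpspoof steps above produce:
an IP whose hardware address suddenly changes, and one hardware address
claiming several IPs. Added example, not code from the page; the captured
replies are constructed, and because 192.168.3.300 is not a valid IPv4
address the attacker is given the placeholder 192.168.3.30 here."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # hardware address making that claim


# Constructed capture: the real client and server answer first, then the
# attacker's MAC (placeholder aa:...) claims the server's IP towards the
# client and the client's IP towards the server, then the real server
# answers again and the binding flips back (the classic "flip flop").
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.100", "00:11:22:33:44:55"),  # real client
    ArpReply(0.1, "192.168.2.200", "66:77:88:99:aa:bb"),  # real server
    ArpReply(0.2, "192.168.3.30",  "aa:aa:aa:aa:aa:aa"),  # attacker, own IP
    ArpReply(5.0, "192.168.2.200", "aa:aa:aa:aa:aa:aa"),  # poisons the client
    ArpReply(5.1, "192.168.1.100", "aa:aa:aa:aa:aa:aa"),  # poisons the server
    ArpReply(6.0, "192.168.2.200", "66:77:88:99:aa:bb"),  # real server again
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Replay the replies in time order and return (ts, kind, detail) alerts.

    kind == "mac_change": an IP already bound to one MAC is claimed by another.
    kind == "multi_ip_mac": one MAC claims more than max_ips_per_mac IPs
    (routers legitimately own a few, hence the tunable threshold)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.ts, "mac_change",
                           f"{r.sender_ip} moved from {prev} to {r.sender_mac}"))
        ip_to_mac[r.sender_ip] = r.sender_mac
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if len(mac_to_ips[r.sender_mac]) > max_ips_per_mac:
            alerts.append((r.ts, "multi_ip_mac",
                           f"{r.sender_mac} claims {sorted(mac_to_ips[r.sender_mac])}"))
    return alerts


def suspect_macs(alerts):
    """MACs named in multi_ip_mac alerts: the addresses worth isolating on the switch."""
    return sorted({detail.split(" ")[0] for _, kind, detail in alerts
                   if kind == "multi_ip_mac"})


if __name__ == "__main__":
    alerts = detect_arp_poisoning(SAMPLE_REPLIES)
    for ts, kind, detail in alerts:
        print(f"t={ts:5.1f}s  {kind:13s}  {detail}")
    print("suspect MACs:", suspect_macs(alerts))
```

On the constructed capture the first three replies produce nothing; the two poisoned replies at t=5.0 and t=5.1 each raise both a `mac_change` and a `multi_ip_mac` alert, and the legitimate server's next reply raises a further `mac_change` as the binding flips back. Static ARP entries for the gateway and critical servers, or Dynamic ARP Inspection on the switch, are the usual mitigations; this monitor only tells you that the poisoning happened.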
3. Permutation scanning technique

  • Permutation scanning will dramatically decrease the duplication of scanning efforts
  • Permutation scanning is somewhat controversial to topological scanning – duplicate touches will reveal new host addresses due to cache update
  • Combination of permutation scanning and topological scanning – the worm maintains a thread on infected machines to wait for cache update
  • Simulation is on-going

4. Hit-list scanning technique

One of the biggest problems a worm faces in achieving a very fast rate of infection is “getting off the ground.” Although a worm spreads exponentially throughout the early stages of infection, the time needed to infect, say, the first 10,000 hosts dominates the infection time.

There is a straightforward way for an active worm to overcome this obstacle, which we term hit-list scanning. Before the worm is released, the worm author collects a list of, say, 10,000 to 50,000 potentially vulnerable machines, ideally ones with good network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. When it infects a machine, it divides the hit-list in half, communicating half to the recipient worm and keeping the other half.

This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly work through the hit-list and establish itself on all vulnerable machines in only a few seconds. Though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a fast worm by speeding the initial infection.
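To see why the list halving matters for the "getting off the ground" problem, and why a defender has so little time once a hit-list worm starts, the following toy simulation contrasts the partitioning described above with blind random scanning over a larger address space. It is an added example, not code from this page or from the worm paper the text draws on; the population sizes, the vulnerable fraction and the address-space size are constructed, and one "round" abstracts a single scan-and-infect attempt per worm instance.

```python
"""Toy model of hit-list partitioning versus blind random scanning.

Added example; not code from the page or from the worm paper it draws on.
Sizes, the vulnerable fraction and the address-space size are constructed,
and one "round" abstracts a single scan-and-infect attempt per worm instance.
"""
import random
from dataclasses import dataclass


@dataclass
class Outcome:
    rounds: int     # rounds elapsed when the strategy stopped
    infected: int   # hosts infected, not counting the initial machine
    probes: int     # scan attempts summed over all instances


def vulnerable_hosts(n_hosts, vuln_fraction, seed=0):
    """Constructed population: host i is vulnerable with probability vuln_fraction."""
    rng = random.Random(seed)
    return [rng.random() < vuln_fraction for _ in range(n_hosts)]


def simulate_hit_list(n_hosts, vuln_fraction, seed=0):
    """Every instance scans one entry of its own list per round. On each new
    infection it hands the second half of its remaining list to the new
    instance and keeps the first half, until every list is exhausted."""
    vulnerable = vulnerable_hosts(n_hosts, vuln_fraction, seed)
    lists = [list(range(1, n_hosts))]   # host 0 is the initial machine
    infected = 0
    rounds = probes = 0
    while any(lists):
        rounds += 1
        spawned = []
        for lst in lists:
            if not lst:
                continue
            target = lst.pop(0)
            probes += 1
            if vulnerable[target]:
                infected += 1
                half = len(lst) // 2
                spawned.append(lst[half:])   # second half goes to the recipient
                del lst[half:]               # first half stays with this instance
        lists = [lst for lst in lists if lst] + spawned
    return Outcome(rounds, infected, probes)


def simulate_random_scan(n_hosts, vuln_fraction, address_space, seed=0,
                         max_rounds=50_000):
    """Same population placed at addresses 0..n_hosts-1 inside a larger
    address space; each instance probes one uniformly random address per
    round, so early growth is throttled by how rare vulnerable hosts are."""
    vulnerable = vulnerable_hosts(n_hosts, vuln_fraction, seed)
    remaining = {i for i in range(1, n_hosts) if vulnerable[i]}
    rng = random.Random(seed + 1)        # separate stream for the probing
    instances = 1
    rounds = probes = 0
    while remaining and rounds < max_rounds:
        rounds += 1
        for _ in range(instances):       # newly infected hosts join next round
            probes += 1
            addr = rng.randrange(address_space)
            if addr in remaining:
                remaining.remove(addr)
                instances += 1
    infected = sum(vulnerable[1:]) - len(remaining)
    return Outcome(rounds, infected, probes)


if __name__ == "__main__":
    hl = simulate_hit_list(2000, 0.15, seed=1)
    rs = simulate_random_scan(2000, 0.15, address_space=50_000, seed=1)
    print(f"hit-list  : {hl}")
    print(f"random    : {rs}")
```

With every host vulnerable the hit-list finishes in ceil(log2(n)) rounds, and each list entry is probed exactly once regardless of the vulnerable fraction, which is the "shrinks to nothing" property in the text; the random scanner with the same population spends its first few hundred rounds finding a single victim. The lesson for detection is that signatures keyed on scan volume arrive too late for a hit-list worm, while the list-transfer traffic between instances is the one thing it cannot avoid.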

The hit-list need not be perfect: a simple list of machines running a particular server type could serve, though greater accuracy will improve the spread. The hit-list itself is generated using one or several of the following techniques, prepared well in advance, typically with very little concern of detection.

  • Stealthy scans. Portscans are so common and so widely ignored that even a fast scan of the entire Internet would be unlikely to attract law enforcement attention or more than mild comment in the incident response community. However, for attackers wishing to be particularly careful, a randomized stealthy scan taking several months would be very unlikely to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it was used, but much of it would not.
  • Distributed scanning. An attacker could scan the Internet using a few dozen to a few thousand already-compromised “zombies,” similar to what DDoS attackers assemble in a fairly routine fashion. Such distributed scanning has already been seen in the wild; Lawrence Berkeley National Laboratory received ten during the past year.
  • DNS searches. Assemble a list of domains (for example, by using widely available spam mail lists, or trolling the address registries). The DNS can then be searched for the IP addresses of mail servers (via MX records) or web servers (by looking up www.domain.com).
  • Spiders. For web server worms (like Code Red), use Web-crawling techniques similar to those of search engines in order to produce a list of most Internet-connected web sites. This would be unlikely to attract serious attention.
  • Public surveys. For many potential targets there may be surveys available listing them, such as the Netcraft survey.
  • Just listen. Some applications, such as peer-to-peer networks, end up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. For example, because of its widespread scanning, during the Code Red I infection it was easy to pick up the addresses of upwards of 300,000 vulnerable IIS servers, because each one came knocking on everyone’s door!
This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ