Earlier this year, the USA network sensation Mr. Robot (Season 2, Episode 1) played to our worst technology fears with a vignette of a smart home completely compromised by hackers. In this hack, the high-net-worth homeowner returns from a jog to find her smart home under the control of nefarious individuals, who promptly drive her out of her home by rendering it uncontrollable.
While the scenario of an overt cyber attack is terrifying to smart home technology integrators, it is far less ominous than what real-world hackers actually do covertly once they compromise a homeowner's or business owner's network. To understand more, we should look at the anatomy of a modern network attack.
Modern network attacks can be broken into distinct phases. Each phase has a distinct purpose and a set of activities associated with it. It is no accident that the military uses similar phases in its continuum of operations. This is a war that we are in, whether or not we choose to acknowledge our involvement: connecting to the Internet makes us an active participant.
RECONNAISSANCE
Reconnaissance is the gathering of data in preparation for the attack. The more information a hacker has on a target, the less guessing they will have to do, and the more effective their password cracking, phishing attempts, and vulnerability exploits will be.
- Organization - The digital footprint that we voluntarily place on the Internet is massive and perfect for patient and meticulous hackers building and documenting a profile on the weakest link of most networks, the users. Social engineering begins here and can be the hacker's greatest asset.
- Facebook/LinkedIn/Social Media - Build a list of employers, co-workers, friends and family members of the people using a network. Find clues to possible passwords, activities, geographic locations, habits, etc.
- Google - Search names, businesses and associated Internet domains; find emails, phone numbers, news articles, organization affiliations, etc. Search for specific "easy access" points of entry such as PHP websites, old CGI
- Resumes - Looking at a resume, a hacker can see what organizations someone worked at and exactly what types of technology were used in those organizations, giving very valuable clues to what vulnerabilities could be present (e.g. deployed X-Brand routers and switches, Y-Brand control systems).
- Website - A family or corporate website/blog can be very useful in finding personal information.
- Whois - Domain owner lookups. Find out the who, what and where of a domain.
- ARIN - IP address reverse lookups - Do the same as Whois but with an IP address.
- web.archive.org - Find old files, blogs and posts archived over the years. Yes, anything you put on the web really does stay on the web!
SCANNING (ACTIVE RECONNAISSANCE)
Scanning is used by the hacker to make as accurate a physical and logical map of the target organization as possible, using tools and techniques such as these:
- Banner Grab - Query public facing servers using telnet and common public ports for software and version (Web Servers, E-Mail Servers, databases, etc.).
- Nmap/Nessus - Automated scanners. They can be run in a stealthier mode but are still considered aggressive (noisy). Find and map network IP addresses, ports, services, operating systems, etc.
- DNS, mail server and web server records - Can be used to gather network information passively over time.
Reconnaissance and scanning are done. Now the hacker knows what the organization's, family's, or individual's network looks like. We are ready to enter the network.
- Remote exploit - An external attack from the Internet-facing side of your router/firewall. Not common, but could happen with a DNS rebinding attack on some routers.
- Broken applications - SQL injection on web servers. Uncommon in most small to mid-sized businesses or homes.
- Client-side attacks - Spam, malware and phishing attacks. This is the easy, low-hanging fruit on the client side. These attacks execute from behind the firewall, granting access to a "soft target" with complete access to the network's underbelly.
  - Outdated Java or Adobe Reader.
  - Sharing thumb drives or optical media with other users (friends, family, kids).
  - Website links with malicious code (sent by email or reached via a DNS rebinding attack).
  - Phishing attacks.
  - Spam attacks.
  - (Bluetooth) Bluesnarf/Bluesnipe attacks.
PERSISTENCE
Now that the hacker has a local point of presence on the target network, they must build a backdoor to ensure their survivability on the host. This is where hackers covertly shore up their beachhead to ensure constant connectivity over time.
- Add executable "backdoor" to startup file/folder to survive reboot.
Now that the hacker can survive a reboot, it is time to import tools to harden and expand their presence.
- Install a hidden rootkit in the OS of the host machine. Remove the old executable "backdoor" from the PERSISTENCE phase.
- Install a packet sniffer to capture all broadcast network traffic for later inspection.
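The startup-folder backdoor and the later rootkit swap described above both leave a trace in autostart locations. The following is an added example, not from the article, of how a defender baselines such a location and reports what changed; the folder contents and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_dir(path):
    """Return {filename: sha256} for every regular file in an autostart location."""
    digests = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                digests[name] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare a stored baseline with the current state. Any added or modified
    entry is a persistence candidate; a removed one may be a backdoor being
    replaced by something stealthier."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean startup folder is baselined, then an
    unexpected executable appears and a known shortcut is altered."""
    with tempfile.TemporaryDirectory() as startup:
        with open(os.path.join(startup, "OneDrive.lnk"), "wb") as f:
            f.write(b"known shortcut")
        baseline = hash_dir(startup)  # taken while the machine is known-good
        with open(os.path.join(startup, "updater.exe"), "wb") as f:
            f.write(b"unexpected binary")
        with open(os.path.join(startup, "OneDrive.lnk"), "wb") as f:
            f.write(b"known shortcut, altered")
        return diff_baseline(baseline, hash_dir(startup))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off-host and the comparison is run on a schedule against each autostart location (startup folders, run keys, cron and systemd units).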
Now that the hackers are inside the network, they start looking for lateral host targets to compromise.
- Pass the Hash - Reuse credential material (account names and password hashes) captured on the initial target to authenticate to other hosts on the network.
- Scan for vulnerabilities and identify exploits in embedded devices: exposed serial UART or telnet, Heartbleed, outdated firmware, unpatched operating systems, and default passwords in devices such as
  - Media Players
  - Media Servers
  - Control Systems
  - Access Points
  - Security Systems
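Both the scanning phase and the lateral movement just described show up in logs as fan-out: one source touching many ports, or one account logging on to many hosts, in a short time. The following is an added example, not from the article, of a single detector applied to constructed firewall and authentication log lines; the log formats, thresholds and time windows are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: one external source probing many ports on one host
# within seconds, plus one normal connection.
FW_LOG = """\
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.168.1.10 dport=21
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.168.1.10 dport=22
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.168.1.10 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.168.1.10 dport=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.168.1.10 dport=443
2024-05-01T10:00:09 ALLOW src=192.168.1.20 dst=192.168.1.10 dport=443
"""
# Constructed authentication log: one account from one workstation logging on to
# many hosts within a minute (the fan-out lateral movement produces), plus one normal logon.
AUTH_LOG = """\
2024-05-01T10:05:01 LOGON user=bob src=192.168.1.20 dst=192.168.1.30
2024-05-01T10:05:02 LOGON user=bob src=192.168.1.20 dst=192.168.1.31
2024-05-01T10:05:02 LOGON user=bob src=192.168.1.20 dst=192.168.1.32
2024-05-01T10:06:00 LOGON user=alice src=192.168.1.21 dst=192.168.1.30
"""
FW_RE = re.compile(r"^(\S+) \S+ src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) \S+ user=(\S+) src=(\S+) dst=(\S+)")


def fan_out(log, pattern, target_group, threshold, window_s):
    """Group events by every captured field except the timestamp and the target
    field, count distinct targets per group, and flag groups that reach
    `threshold` targets within `window_s` seconds. Assumes lines are in time order."""
    targets, first, last = defaultdict(set), {}, {}
    for line in log.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # skip lines that do not match this log format
        fields = m.groups()
        ts = datetime.fromisoformat(fields[0])
        key = tuple(f for i, f in enumerate(fields) if i not in (0, target_group))
        targets[key].add(fields[target_group])
        first.setdefault(key, ts)
        last[key] = ts
    return {k: len(t) for k, t in targets.items()
            if len(t) >= threshold and (last[k] - first[k]).total_seconds() <= window_s}


def port_scans(log=FW_LOG):
    """Scanning phase: one (src, dst) pair touching 5+ distinct ports within 10 s."""
    return fan_out(log, FW_RE, target_group=3, threshold=5, window_s=10)


def lateral_movement(log=AUTH_LOG):
    """Lateral movement: one (user, src) pair logging on to 3+ hosts within 60 s."""
    return fan_out(log, AUTH_RE, target_group=3, threshold=3, window_s=60)
```

The returned dictionaries map each flagged (source, destination) or (user, source) pair to the number of distinct targets it reached; the single normal connection and the single normal logon stay below the thresholds.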
Now they own the entire network. This is the end state hackers prefer to operate from: covertly listening for traffic and extending their tentacles throughout your network. They can take all of your private information (social security number, bank account login information, credit card information, anything you send on the network) and use it as they wish. In addition, the hackers can launch new attacks from your network against your friends and associates. At any point from here on, they can also encrypt all of your files in a ransomware attack.
The good news is that once this is detected, laptops, PCs, tablets and smartphones can be cleaned and recovered. The bad news is that there is no practical way to clean the rootkits and backdoors hackers install on firmware-based appliances, so those devices must be unplugged and replaced, or may stay on the premises only as long as they are not allowed to rejoin the network.