Intruders' Use of Software Tools
The tools available to launch an attack have become more effective, easier to
use, and more accessible to people without an in-depth knowledge of computer
systems. Often a sophisticated intruder embeds an attack procedure in a program
and widely distributes it to the intruder community. Thus, people who have the
desire but not the technical skill are able to break into systems. Indeed, there
have been instances of intruders breaking into a UNIX system using a relatively
sophisticated attack and then attempting to run DOS commands (commands that
apply to an entirely different operating system).
Tools are available to examine programs for vulnerabilities even in the
absence of source code. Though these tools can help system administrators
identify problems, they also help intruders find new ways to break into systems.
As in many areas of computing, the tools used by intruders have become more
automated, allowing intruders to gather information about thousands of Internet
hosts quickly and with minimum effort. These tools can scan entire networks from
a remote location and identify individual hosts with specific weaknesses.
Intruders may catalog the information for later exploitation, share or trade
with other intruders, or attack immediately. The increased availability and
usability of scanning tools means that even technically naive, would-be
intruders can find new sites and particular vulnerabilities.
Some tools automate multiphase attacks in which several small components are
combined to achieve a particular end. For example, intruders can use a tool to
mount a denial-of-service attack on a machine and spoof that machine's address
to subvert the intended victim's machine. A second example is using a packet
sniffer to get router or firewall passwords, logging in to the firewall to
disable filters, then using a network file service to read data on an otherwise
The trend toward automation can be seen in the distribution of software
packages containing a variety of tools to exploit vulnerabilities. These
packages are often maintained by competent programmers and are distributed
complete with version numbers and documentation.
A typical tool package might include the following:
Internet FAQ top
- network scanner
- password cracking tool and large dictionaries
- packet sniffer
- variety of Trojan horse programs and libraries
- tools for selectively modifying system log files
- tools to conceal current activity
- tools for automatically modifying system configuration files
- tools for reporting bogus checksums