Footprinting and Brute Force Attacks Are Still in Use
Beware of older cyber attacks
Footprinting and brute force attacks are still in use
IBM X-Force® Research
Managed Security Services Report

Executive overview

Covering more than 18 years of vulnerability data, the IBM® X-Force® database surpassed 100,000 entries in Q2 2016.1 That means there are a lot of attack vectors at a criminal's disposal. With much of the media focus on new and emerging threats, it's easy to see how security teams might lose sight of older, less newsworthy vulnerabilities and attack vectors.

An assessment of recent data from IBM Managed Security Services (IBM MSS), which continuously monitors billions of events reported by more than 8,000 client devices in over 100 countries, reveals some interesting findings about attack vectors no longer discussed much. One example is the TCP/UDP port scan and TCP/UDP service sweep, which are part of an attack pattern known as footprinting.2 Another is the password brute force attack pattern,3 one of the brute force attacks4 we saw emerge decades ago and still see today. While many products and services today require strong passwords, weak passwords are still being used, aiding criminals in carrying out successful brute force attacks.5 6 7

Fortunately, many tools and mitigation techniques to thwart these older kinds of cyber attack have been developed over the years. Organizations that apply them in their environments will be better equipped to deal with the ongoing threat.

About this report

This IBM® X-Force® Research report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources, including event data, activity and trends sourced from thousands of endpoints managed and monitored by IBM.

Footprinting

Looking at the Common Attack Pattern Enumeration and Classification (CAPEC) mechanisms of attack8, we see an attack pattern hierarchy. Footprinting9 is considered a meta attack pattern that falls under one of the top level categories, "Gather Information." Often viewed as more of a pre-attack used to gather information on potential targets, the term encompasses several attack techniques, among them network topology mapping, host discovery, account footprinting, and port scanning. Generally, multiple ports are scanned in a port scan.

There's also something called a service (or port) sweep, in which multiple hosts in a network are checked for a specific open service port. Service sweeps are often ignored, since they occur so regularly and aren't something that warrants an immediate response. The placement of network sensors also impacts whether footprinting activity can be detected. If a sensor is behind a firewall and the firewall is not configured to map ports to internal systems, the scan activity won't be logged.

Commonly used footprinting tools

Most security analysts will agree that "nmap," made available in 1997, is the best known and most widely used network footprinting tool.10 "Scanrand" (2002)11, "amap" (2003)12, "Unicornscan" (2005)13, "zmap" (2012)14 and "masscan" (2013) are also popular. Newer tools such as "zmap" (2012) claim the ability to scan the entire Internet in times ranging from five minutes to an hour.15 And masscan claims to do it in three minutes.16 Scanning tools existed before 1997, for example the Internet Security Scanner (ISS) version 1.x that first appeared as a shareware product in 1992 and later inspired a commercial product.17

Another way to glean footprinting data is to use a search engine that is searching data from ongoing Internet mapping projects. Shodan (2009) is one of the most popular projects and is thought by many to be the most comprehensive.18 Censys (2015) is geared towards computer scientists and researchers.19 Thingful (2013) is for Internet of Things (IoT) devices.20 Internet mapping search engines such as these allow attackers to gain access to footprinting information without actually sending packets to the victim, who then remains unaware they're being targeted.

Top 10 ports

In a sampling of IBM Managed Security Services customers over two days in Q1 2016, the telnet port (TCP port 23) received the largest number of sweeps, accounting for 79 percent of the events. Port 80 is excluded from the network IDS signature represented in this data due to the likelihood of false positives, because legitimate web traffic also uses port 80.21 Popular ports such as 25 (SMTP), 21 (FTP), 53 (DNS), 135 (RPC), 137 (NETBIOS), 139 (NETBIOS), 445 (Microsoft-DS), and others ranked lower than the top 10. This is shown in Figure 1 and Table 1.

Rank | Destination TCP port | Sweeps | Internet Assigned Numbers Authority (IANA)-assigned service description and popular use22
1 | 23 | 78.65% | telnet
2 | 1433 | 2.61% | Microsoft SQL Server
3 | 8080 | 2.14% | HTTP alternate for port 80
4 | 3306 | 1.59% | MySQL
5 | 3389 | 1.54% | MS WBT Server, Windows Remote Desktop
6 | 3128 | 1.00% | Active API Server Port, some proxy servers (squid-http, 3proxy)
7 | 443 | 0.90% | http protocol over TLS/SSL
8 | 5900 | 0.61% | Remote framebuffer, VNC (virtual network computing), Apple Remote Desktop
9 | 9200 | 0.56% | WAP connectionless session service, EMC2 (Legato) Networker or Sun Solstice Backup
10 | 21320 | 0.54% | N/A
All other | | 9.87% | All other TCP ports combined

Table 1. Rank, destination TCP port, sweeps and service description and popular use for the top 10 ports. Source: IBM MSS data.

Figure 1. Top 10 TCP service sweep destination ports. Source: IBM MSS data.

Ports provide multiple pieces of useful information. Attackers may be seeking:

• Specific vulnerabilities for known services, such as Heartbleed on web servers
• Services that can be exploited for a brute force password attack
• Information on a target, such as what can be found in a login banner

Banners can be particularly revealing. "Welcome to the ACME central bank system running Widgets OS version 3.43.23c" reveals that the attacker has found both a prime target and an easy path to unauthorized access via what may be its operating system's many known vulnerabilities. Certain malware families are also known to use many common ports. Table 2 highlights those associated with the top 10 TCP destination ports revealed in Table 1.

Rank | Destination TCP port | Sweeps | Trojans, worms or malware using the port
1 | 23 | 78.65% | ADM worm (May 1998), Aphex's Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own Trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (2005.10.26)
2 | 1433 | 2.61% | Digispid.B.Worm (2002.05.21), W32.Kelvir.R (2005.04.12), Voyager Alpha Force
3 | 8080 | 2.14% | Reverse WWW Tunnel Backdoor, RingZero, Screen Cutter, Mydoom.B (2004.01.28), W32.Spybot.OFN (2005.04.29), W32.Zotob.C@mm (2005.08.16), W32.Zotob.E (2005.08.16), Backdoor.Naninf.D (2006.02.01), Backdoor.Naninf.C (2006.01.31), W32.Rinbot.A (2007.03.02), Android.Acnetdoor (2012.05.16), Feodo/Geodo (a.k.a. Cridex or Bugat), Backdoor.Tjserv.D (2005.10.04), RemoConChubo, Brown Orifice, Feutel, Haxdoor, Hesive, Nemog, Ryknos, W32.Kelvir, W32.Mytob, W32.Opanki, W32.Picrate, W32.Spybot, W32.Zotob, Webus
4 | 3306 | 1.59% | Nemon backdoor (discovered 2004.08.16), W32.Mydoom.Q@mm, W32.Spybot
5 | 3389 | 1.54% | Backdoor.Win32.Agent.cdm, TSPY_AGENT.ADDQ
6 | 3128 | 1.00% | Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero, Mydoom.B (2004.01.28), W32.HLLW.Deadhat (2004.02.06)
7 | 443 | 0.90% | W32.Kelvir.M (2005.04.05), Slapper, Civcat, Tabdim, W32.Kelvir, W32.Kiman
8 | 5900 | 0.61% | Backdoor.Evivinc, W32.Gangbot (2007.01.22)
9 | 9200 | 0.56% | Unknown
10 | 21320 | 0.54% | Spybot, TopArcadeHits malware installing unapproved proxy

Table 2.
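As an added illustration (not code from the IBM report), the following Python script shows how a defender could pick service sweeps and port scans out of firewall SYN logs, the distinction the Footprinting section draws, and then summarise the swept destination ports as percentages in the manner of Table 1. The log lines, IP addresses, log format and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed log format for the example: "<timestamp> SYN src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def build_sample_log():
    """Constructed firewall SYN log (not IBM MSS data): one source sweeping
    TCP/23 across eight hosts, another sweeping TCP/1433 across five hosts,
    a third port-scanning a single host, plus two benign connections."""
    lines = []
    for i in range(1, 9):
        lines.append(f"2016-03-01T10:00:{i:02d} SYN src=198.51.100.7 dst=192.0.2.{i} dport=23")
    for i in range(1, 6):
        lines.append(f"2016-03-01T10:01:{i:02d} SYN src=198.51.100.8 dst=192.0.2.{i} dport=1433")
    for p in range(20, 36):
        lines.append(f"2016-03-01T10:02:00 SYN src=203.0.113.9 dst=192.0.2.20 dport={p}")
    lines.append("2016-03-01T10:03:00 SYN src=192.0.2.50 dst=192.0.2.1 dport=443")
    lines.append("2016-03-01T10:03:05 SYN src=192.0.2.51 dst=192.0.2.2 dport=443")
    return "\n".join(lines)

def classify(log_text, min_hosts=5, min_ports=10):
    """Separate footprinting activity as the report describes it: a service
    sweep is one source hitting one port on many hosts; a port scan is one
    source hitting many ports on one host. Returns ({(src, dport): host
    count}, {(src, dst): port count}). A sensor behind a firewall that does
    not forward these ports never sees the SYNs, so it has nothing to classify."""
    hosts_by_src_port = defaultdict(set)
    ports_by_src_dst = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a SYN record in the expected format
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        hosts_by_src_port[(src, dport)].add(dst)
        ports_by_src_dst[(src, dst)].add(dport)
    sweeps = {k: len(v) for k, v in hosts_by_src_port.items() if len(v) >= min_hosts}
    scans = {k: len(v) for k, v in ports_by_src_dst.items() if len(v) >= min_ports}
    return sweeps, scans

def sweep_port_share(sweeps):
    """Percentage of swept hosts per destination port, the view Table 1 gives."""
    per_port = defaultdict(int)
    for (_src, dport), n in sweeps.items():
        per_port[dport] += n
    total = sum(per_port.values())
    if not total:
        return {}
    return {p: round(100.0 * n / total, 2) for p, n in sorted(per_port.items(), key=lambda kv: -kv[1])}

if __name__ == "__main__":
    sweeps, scans = classify(build_sample_log())
    print("service sweeps:", sweeps)
    print("port scans:", scans)
    print("sweep share by port:", sweep_port_share(sweeps))
```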