A security model called the Cyber Kill Chain outlines the steps a cyber attacker must take in order to successfully compromise a target. Organizations can better detect, prevent, and react to cyberattacks by understanding and charting these steps.
The Cyber Kill Chain consists of seven stages:
Reconnaissance: The attacker researches the target, and gathers information about its systems, network, and vulnerabilities.
Weaponization: The attacker creates a weapon, such as malware or a phishing email, that can be used to exploit the target’s vulnerabilities.
Delivery: The attacker delivers the weapon to the target, often using a variety of techniques such as email, social engineering, or network exploitation.
Exploitation: The weapon is used to gain access to the target’s system, often by exploiting a vulnerability.
Installation: The attacker installs additional tools or malware on the target’s system to maintain access and escalate privileges.
Command and Control: The attacker establishes a command and control (C2) channel to communicate with the compromised system and execute further actions.
Actions on Objectives: The attacker executes their ultimate goal, which could be data theft, destruction, or disruption.
The Cyber Kill Chain framework is useful for understanding the different stages of a cyber attack and developing effective security strategies to prevent, detect and respond to attacks at each stage. By identifying weaknesses at each stage and implementing appropriate security measures, organizations can significantly reduce their risk of falling victim to a cyber attack.
In this part, we take a closer look at the Reconnaissance stage, the first step that every attacker performs against a target.
The attacker may perform:
Passive Reconnaissance: The attacker uses public sources, such as the company’s website, social media accounts, and online reviews, to gather information about the target’s products, services, and customers.
Active Reconnaissance: The attacker performs active scans and probes to identify the target’s infrastructure, such as IP addresses, open ports, and network topology. This could involve using tools such as Nmap or Shodan.
Social Engineering: The attacker attempts to gather information through social engineering techniques, such as phishing emails or pretexting calls, posing as a legitimate customer, vendor, or employee.
External Footprinting: The attacker identifies the target’s external-facing systems, such as web servers, DNS servers, and email gateways, and scans them for vulnerabilities or misconfigurations.
Internal Footprinting: The attacker attempts to gather information about the target’s internal systems and networks, such as employee email addresses or software versions, using techniques such as OSINT (Open-Source Intelligence) or dumpster diving.
By combining data from several different sources, the attacker can build a thorough picture of the target’s infrastructure, systems, and potential vulnerabilities. The victim can then be attacked in a targeted way, with malware or social engineering strategies chosen on the basis of the information obtained.
An attacker can learn a lot of details about the victim during the Cyber Kill Chain’s reconnaissance phase, such as:
Network topology: The attacker can identify the target’s IP addresses, domain names, and network architecture. This information is important for the attacker to determine how to enter the target’s network and move laterally to other systems.
Operating systems and applications: The attacker can identify what operating systems and applications are used by the target. This information is important to identify vulnerabilities that can be exploited in later phases of the attack.
Employee information: The attacker can identify the names, job titles, and email addresses of employees within the target organization. This information can be used for social engineering attacks and phishing campaigns.
Social media profiles: The attacker can gather information about employees’ social media profiles and use it to craft spear-phishing emails that are more convincing.
Physical infrastructure: The attacker can identify the physical locations of the target’s servers and data centers. This information is important for planning attacks that involve physical access.
Here is an illustration of how reconnaissance against a hypothetical target, a sizable e-commerce company, might look. In our scenario, an attacker might use the nmap tool to gather network topology information:
- The attacker launches the Nmap tool and scans the target’s network to identify hosts, open ports, and services that are running on each host.
- The attacker uses the “-sS” flag to perform a TCP SYN scan, which sends SYN packets to the target’s hosts and analyzes the responses to determine which ports are open.
- The attacker uses the “-O” flag to perform OS detection, which attempts to identify the operating system running on each host based on its responses to certain packets.
- The attacker uses the “-v” flag to enable verbose output, which provides more detailed information about each host and the ports and services that are running.
- The output of the Nmap tool includes a list of hosts, IP addresses, and open ports, as well as information about the operating systems running on each host.
- The attacker can use this information to build a map of the target’s network topology, identifying which hosts are running which services and how they are interconnected.
The command and its output look like this (both “-sS” and “-O” need raw-socket privileges, so nmap is normally run as root for this scan):
nmap -sS -O -v <target>
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-04 10:00 EST
Nmap scan report for 192.168.1.1
Host is up (0.0040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
Nmap scan report for 192.168.1.2
Host is up (0.0030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
OS details: Microsoft Windows 7 - 10 (and 2008-2012), Linux 3.2 - 4.9
Nmap scan report for 192.168.1.3
Host is up (0.0020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
OS details: Linux 2.6.32 - 4.11
As you can see, the Nmap output contains details about each host on the target network, such as open ports, services, and operating systems. An attacker can use this information to spot possible weak spots and plan further attacks. It’s important to note that enterprises can scan their own networks with tools like nmap to find the same exposures before attackers can take advantage of them.
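The network map described in the last bullet above can be built from the scan output itself. The following Python script is an added example, not code from the original page: it parses nmap’s normal output (a constructed sample in the same layout as the scan above) into a host inventory and flags services a defender would not want reachable from untrusted segments; the RISKY_PORTS table is an assumption for illustration.

```python
import re

# Constructed sample in nmap's "normal output" layout (not a real capture).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.0040s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
Nmap scan report for 192.168.1.2
Host is up (0.0030s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
OS details: Microsoft Windows 7 - 10 (and 2008-2012), Linux 3.2 - 4.9
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
OS_RE = re.compile(r"^OS details: (.+)$")

# Assumption for illustration: services that should not be reachable from
# untrusted segments (SMB/NetBIOS/RPC) plus an extra HTTP listener to review.
RISKY_PORTS = {135: "MSRPC", 139: "NetBIOS", 445: "SMB", 8080: "alternate HTTP"}


def parse_nmap(text):
    """Map each scanned IP to its open (port, proto, service) list and OS guess."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m.group(1), {"ports": [], "os": None})
        elif current is None:
            continue                      # ignore banner lines before the first host
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            current["ports"].append((int(m.group(1)), m.group(2), m.group(4)))
        elif m := OS_RE.match(line):
            current["os"] = m.group(1)
    return hosts


def flag_exposures(hosts):
    """Return (ip, port, label) for every open port listed in RISKY_PORTS."""
    return [(ip, port, RISKY_PORTS[port])
            for ip, info in hosts.items()
            for port, _proto, _svc in info["ports"] if port in RISKY_PORTS]
```

Run on a real scan by replacing SAMPLE_NMAP_OUTPUT with the contents of an nmap -oN file; the same parser applies because the layout is identical.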
We will demonstrate an example on port 80/tcp.
An attacker can examine the target system for weaknesses by running a vulnerability scan or penetration test against port 80/tcp, using another tool such as Nikto.
Nikto is a popular web server vulnerability scanner that attackers may employ for this purpose; it can check for a variety of flaws on web servers listening on ports 80 or 443.
Here are the steps an attacker might take to use Nikto to check whether port 80/TCP is vulnerable:
1. The attacker launches Nikto and enters the IP address of the target system along with the port number (e.g., 192.168.1.100:80).
2. Nikto sends a series of HTTP requests to the target web server and analyzes the responses to identify potential vulnerabilities.
3. Nikto reports any vulnerabilities it finds, along with a severity rating and a description of the vulnerability.
- Nikto v2.1.6
- Target IP: 192.168.1.100
- Target Hostname: example.com
- Target Port: 80
+ Start Time: 2023-03-05 09:00:00 (GMT-5)
- Server: Apache/2.2.15 (Red Hat)
- Server leaks inodes via ETags, header found with file /index.html, fields: 0x2a7d8 0x5639637a957a0
- The anti-clickjacking X-Frame-Options header is not present.
- The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
- The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
- Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.17). Apache 2.2.15 has 2 known vulnerabilities (the latest check for vulnerabilities being 2019-02-28).
- Web Server allows directory listing : NOT GOOD
- OSVDB-3268: /icons/: Directory indexing found.
- OSVDB-3233: /icons/README: Apache default file found.
- OSVDB-3092: /manual/: Web server manual found.
- OSVDB-3092: /manual/images/: Web server manual images found.
- OSVDB-3092: /manual/images/favicon.ico: Web server manual favicon found.
- /phpmyadmin/: phpMyAdmin directory found
- OSVDB-3268: /phpmyadmin/: Directory indexing found.
- OSVDB-3092: /phpmyadmin/doc/: phpMyAdmin documentation found.
- OSVDB-3092: /phpmyadmin/examples/: phpMyAdmin examples found.
- OSVDB-3233: /phpmyadmin/setup/: phpMyAdmin setup found.
- OSVDB-3233: /phpmyadmin/setup/index.php: phpMyAdmin setup script found.
- OSVDB-6659: /phpmyadmin/scripts/setup.php: phpMyAdmin setup script found.
- OSVDB-6659: /phpmyadmin/scripts/setup.php.bak: phpMyAdmin setup script backup found.
- OSVDB-3233: /icons/small/tar.gif: Apache default file found.
- OSVDB-3233: /icons/small/README: Apache default file found.
- /phpmyadmin/index.php: phpMyAdmin Login Page Detected
- OSVDB-3268: /phpmyadmin/: Directory indexing found.
- /phpmyadmin/scripts/setup.php: phpMyAdmin Setup Script Detected
- /phpmyadmin/scripts/setup.php.bak: phpMyAdmin Setup Script Backup Detected
- /phpmyadmin/examples/scripts/setup.php: phpMyAdmin Example Setup Script Detected
- OSVDB-3092: /manual/images/logo.gif: Apache default file found.
- /phpmyadmin/js/keyhandler.js.php: phpMyAdmin JavaScript Key Handler Script Detected
- 7661 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2023-03-02 14:34:23 (GMT-5) (216 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
If Nikto finds that the target system is running a vulnerable version of the Apache web server, it flags the finding with a high severity and gives a detailed description. The output contains the target IP address, hostname, and port, information about the web server, any vulnerabilities or out-of-date software Nikto has identified, and any default files or directories that are present. It ends with a summary of the total number of requests made and items reported during the scan.
It’s crucial to remember that security professionals may assess their own systems’ security using vulnerability scanners like Nikto to identify any gaps before attackers can exploit them. Businesses should regularly scan their systems for vulnerabilities using vulnerability scanners and address any problems that are discovered in order to reduce the likelihood of a successful attack.
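The header findings Nikto reported above (missing X-Frame-Options and X-Content-Type-Options, an outdated Apache banner, and an ETag that leaks the inode) come from simple checks on a single HTTP response, which defenders can run against their own servers. The following Python function is an added example, not code from the original page or from Nikto: it reproduces those checks on a constructed header set and pairs each finding with the Apache directive that remediates it; MIN_APACHE is taken from the Nikto output above, and the severity labels are an assumption.

```python
import re

# Constructed response headers resembling the server Nikto reported above
# (assumption: this is what "GET /" returned; not a real capture).
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (Red Hat)",
    "ETag": '"2a7d8-2c-5639637a957a0"',   # Apache default: inode-size-mtime
    "Content-Type": "text/html",
}

MIN_APACHE = (2, 4, 17)  # "current is at least Apache/2.4.17" in the Nikto output
# header -> (what its absence allows, mod_headers directive that adds it)
REQUIRED_HEADERS = {
    "X-Frame-Options": ("clickjacking", 'Header always set X-Frame-Options "SAMEORIGIN"'),
    "X-Content-Type-Options": ("MIME sniffing", 'Header always set X-Content-Type-Options "nosniff"'),
}
APACHE_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Three hex fields joined by '-' is the FileETag "INode MTime Size" default,
# which is what Nikto's "leaks inodes via ETags" check keys on.
ETAG_RE = re.compile(r'^(W/)?"?[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"?$')


def audit_headers(headers):
    """Return (severity, finding, fix) tuples for the checks Nikto ran above."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name, (threat, fix) in REQUIRED_HEADERS.items():
        if name.lower() not in h:
            findings.append(("medium", f"{name} missing ({threat})", fix))
    if m := APACHE_RE.search(h.get("server", "")):
        version = tuple(int(x) for x in m.groups())
        if version < MIN_APACHE:
            findings.append(("high", "Apache %s is older than %s" % (
                ".".join(map(str, version)), ".".join(map(str, MIN_APACHE))),
                "upgrade httpd"))
        # Any exact version in the banner helps an attacker pick exploits.
        findings.append(("low", "Server banner discloses exact version", "ServerTokens Prod"))
    if ETAG_RE.match(h.get("etag", "")):
        findings.append(("low", "ETag leaks inode number", "FileETag MTime Size"))
    return findings


if __name__ == "__main__":
    for severity, finding, fix in audit_headers(SAMPLE_HEADERS):
        print(f"[{severity}] {finding} -> {fix}")
```

X-XSS-Protection, which Nikto also flags, is deliberately left out of the required set because current browsers no longer honour it.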
Let’s assume that Nikto has discovered a flaw in the target system where an outdated version of the Apache web server is being used, making it susceptible to a known attack.
One of the flaws mentioned by Nikto may be a problem with the Apache server status module, which could allow someone to access private data on the server.
Now the attacker needs to move on to the next phase, which is called “Weaponization”.
We describe the weaponization stage in another part of this Cyber Kill Chain series.