Ten Stages of a Network Attack
Oracle Forensics tips by Paul Wright
This chapter is a tutorial on IT security in general, with reference to Oracle where it applies.
The motives of attackers are commonly political, intellectual challenge, commercial gain (perhaps on behalf of a competitor), and internal career progression. Whatever the motive, historical attacks follow recognisable patterns, and those patterns let us build a model of what an attack looks like.
Generic attack process in a nutshell (in chronological order):
1. Reconnaissance of the target
2. Network mapping of a subnet
3. Port scanning a host
4. Banner grabbing a host
5. Exploitation of a software flaw
6. Cracking passwords and user names
7. Rootkit installation for covert access
8. Hiding tracks
9. Monitoring the system over time
10. Using unauthorized privilege gained for benefit
Of course, in any single incident the exact order and number of stages may vary, but this is a good framework to work with.
Now drilling down into the 10-stage list we see more detail about each stage in this generic attack process.
1. Reconnaissance to find out about the target before the attack. Reconnaissance would be done anonymously so as not to tip off the victim. Tor routes traffic through a chain of encrypted relays and so gives anonymous web browsing:
http://tor.eff.org/ . Alternatively an attacker could bounce
between multiple Internet proxies such as
2. Network mapping of a subnet, typically with Nmap.
3. Port scanning of an individual host, using Nmap again as well as amap (http://www.thc.org/thc-amap/). Nmap, by default, does not look at the application at all: it labels an open port with the service registered for that port number, so if the Oracle Listener is on port 1522 then nmap will present this port as rna-lm, as per the IANA port assignments (http://www.iana.org/assignments/port-numbers). With the additional -sV switch nmap probes each open port and correctly identifies many applications from their banner or protocol response.
4. Banner grabbing a host to identify the actual service being run, and vulnerability identification from the version gained from the banner: once the exact product and version are known, the likely vulnerabilities can be looked up.
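As an added example (not code from the book), the following Python script puts the two identification methods of stages 3 and 4 side by side: a port-number lookup, which is all a scan without -sV gives you, and a banner grab that reads what the service actually says when you connect. The services table and the banner rules are a small constructed subset, and the "target" is a throw-away listener started on 127.0.0.1 so that the script runs offline. One caveat for Oracle specifically: the TNS listener does not speak first, so a passive grab like this returns nothing and a TNS probe (which nmap -sV sends) is needed to fingerprint it.

```python
import socket
import socketserver
import threading

# Constructed subset of the port-number -> service table that nmap consults
# when it is not asked to probe the service (its nmap-services file).
PORT_TABLE = {21: "ftp", 22: "ssh", 80: "http", 1521: "oracle", 1522: "rna-lm"}


def guess_by_port(port):
    """Stage 3 view: name the service from the port number alone."""
    return PORT_TABLE.get(port, "unknown")


def identify_from_banner(banner):
    """Stage 4 view: name the service and version from what it sent us.
    The rules are a constructed subset of what a version scanner carries."""
    b = banner.strip()
    if b.startswith("SSH-"):
        # "SSH-2.0-OpenSSH_7.4" -> ("ssh", "OpenSSH_7.4")
        return "ssh", b.split("-", 2)[2]
    if b.startswith("220 "):
        # Classic greeting line shared by SMTP and FTP, e.g. "220 mail ESMTP Postfix"
        return ("smtp" if "SMTP" in b.upper() else "ftp"), b[4:]
    if b == "":
        return "silent", ""  # service waits for the client to speak first (e.g. Oracle TNS)
    return "unknown", b


def grab_banner(host, port, timeout=2.0):
    """Connect and return whatever the service sends first, or "" if it
    closes the connection or stays quiet for `timeout` seconds."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", "replace")


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Constructed stand-in for a real service: emit the banner (if any) and hang up.
        if self.server.banner:
            self.request.sendall(self.server.banner)


def start_fake_service(banner, port=0):
    """Start a loopback listener on an ephemeral port that speaks `banner`.
    An empty banner models a service that does not speak first."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), _BannerHandler)
    srv.daemon_threads = True
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # OpenSSH answering on "1522": the port table says rna-lm, the banner says ssh.
    srv = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    _, real_port = srv.server_address
    print("port table says:", guess_by_port(1522))
    print("banner says:   ", identify_from_banner(grab_banner("127.0.0.1", real_port)))
    srv.shutdown()
    srv.server_close()
```

The point the script makes is the one nmap's -sV exists for: the port table is a guess about convention, the banner is evidence about the host, and only the latter gives the version string that stage 4 needs for vulnerability lookup.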
5. Exploitation of a software flaw to gain unauthorized access. These software exploits often consist of buffer overflows caused by incorrect bounds checking of input variables. Another class of exploit common to Oracle is SQL injection into the web front end, Forms and PL/SQL packages, which can result in privilege escalation. These will be looked at in greater detail later in the book.
6. Cracking passwords and user names is basically the process of taking a stored password hash (or, in weak schemes, an encrypted password) and recovering the password from it, either by reversing the scheme or by guessing candidates and hashing each one until the correct password is found.
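As an added example (not code from the book), here is the guessing approach applied to Oracle's 11g password verifier, which is the SHA-1 based "S:" value stored in SYS.USER$.SPARE4: 40 hex characters of SHA-1(password || salt) followed by 20 hex characters of the 10-byte salt. The wordlist and the two "dumped" accounts are constructed inside the script (their verifiers are generated there), so it runs offline. The older 10g hash (DES-based, with the password upper-cased) is a different algorithm and is not implemented here.

```python
import hashlib
import os

# Oracle 11g verifier layout (SYS.USER$.SPARE4):
#   S:<40 hex chars of SHA-1(password || salt)><20 hex chars of the 10-byte salt>
# Unlike the 10g DES-based hash, the 11g verifier is case-sensitive.
SALT_LEN = 10


def oracle11g_verifier(password, salt=None):
    """Compute an 11g 'S:' verifier; a random salt is drawn if none is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("11g salt must be 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_verifier(verifier):
    """Split 'S:...' into (hex digest, salt bytes)."""
    if not verifier.startswith("S:") or len(verifier) != 2 + 40 + 2 * SALT_LEN:
        raise ValueError("not an Oracle 11g S: verifier")
    return verifier[2:42].upper(), bytes.fromhex(verifier[42:])


def crack(verifier, candidates):
    """Dictionary attack: hash each candidate with the stored salt and compare.
    Returns (password, attempts) or (None, attempts)."""
    target, salt = parse_verifier(verifier)
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hashlib.sha1(cand.encode("utf-8") + salt).hexdigest().upper() == target:
            return cand, attempts
    return None, attempts


def crack_user_dump(dump, candidates):
    """dump: {username: verifier} as pulled from USER$. Returns {user: password}.
    Every verifier carries its own salt, so each account is attacked on its
    own; a single precomputed table cannot be shared across accounts."""
    found = {}
    for user, verifier in dump.items():
        pw, _ = crack(verifier, candidates)
        if pw is not None:
            found[user] = pw
    return found


# Constructed wordlist of well-known Oracle defaults and weak choices.
WORDLIST = ["oracle", "manager", "change_on_install", "Welcome1", "welcome1", "tiger"]

if __name__ == "__main__":
    # Constructed "dump": verifiers generated here rather than taken from a real database.
    dump = {
        "SCOTT": oracle11g_verifier("tiger"),
        "APPUSER": oracle11g_verifier("Welcome1"),
        "HR": oracle11g_verifier("not-in-the-list"),
    }
    print(crack_user_dump(dump, WORDLIST))  # {'SCOTT': 'tiger', 'APPUSER': 'Welcome1'}
```

The per-account salt is why the loop recomputes the hash for every candidate rather than comparing against a precomputed table; the cost of that loop, multiplied by the size of a real wordlist, is the whole defence a salted hash offers, and a short or default password removes it.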
7. Rootkit installation enables covert access at a later date and generally involves the installation of software by the attacker to hide their presence after they have gained privileged access to the target.
8. Hiding tracks to clear up evidence involves deletion of logs and tools as well as resetting timestamps, for example:
Changing timestamps so that files appear not to have been modified.
Secure deletion of files so that the recycle bin or forensic data recovery cannot bring the attacker's tools back after they have been deleted. Oracle now has a Recycle Bin of its own; the PURGE keyword empties it, or bypasses it when an object is dropped. We will look at this command in detail.
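As an added example (not code from the book), this Python script shows the timestamp trick from the attacker's side and the check an examiner can run against it on a Unix-like filesystem. Backdating with touch or utime() sets atime and mtime, but the inode change time (ctime) cannot be set from user space and is bumped to "now" by that very call, so a file whose mtime is older than its ctime is a candidate for tampering. The files and the backdating are constructed in a temporary directory so the script runs offline. Two caveats: on Windows st_ctime is the creation time, not a change time, so the check does not apply there; and legitimate tools that preserve mtime (tar -p, cp -p, rsync -t, package installers) produce the same signature, so a hit is a lead to triage, not proof.

```python
import os
import stat
import tempfile
import time


def backdate(path, when):
    """What `touch -t` or a utime() call does: set atime and mtime to `when`.
    ctime cannot be set this way; the kernel moves it to the current time
    as a side effect of the same call."""
    os.utime(path, (when, when))


def inconsistent_times(path, slack=2.0):
    """Flag a file whose mtime is older than its ctime by more than `slack`
    seconds. A file written normally has mtime == ctime; a backdated one has
    mtime in the past and ctime at the moment of the backdating."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def scan_tree(root, slack=2.0):
    """Return sorted paths of regular files under root whose timestamps look tampered with."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if stat.S_ISREG(os.lstat(p).st_mode) and inconsistent_times(p, slack):
                hits.append(p)
    return sorted(hits)


def demo():
    """Constructed scenario: two files dropped in a temp dir, one of them
    backdated by a year. Returns the basenames scan_tree flags."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("config.ini", "rkit.so"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed content\n")
        backdate(os.path.join(d, "rkit.so"), time.time() - 365 * 86400)
        return [os.path.basename(p) for p in scan_tree(d)]


if __name__ == "__main__":
    print(demo())  # ['rkit.so']
```

Because ctime lives only in the inode, the same comparison can be made from a disk image against the inode table, which is where an examiner would run it rather than on the live, possibly rootkitted, host.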
9. Monitoring the system over time, which typically requires a covert channel.
10. Using unauthorized privilege for benefit. Credit card numbers and social security IDs form a saleable resource to a commercially motivated attacker, and an attacker might blackmail a bank if they were able to gain customer data. A competitor may seek advantage by hiring a hacker to subvert another company or spy upon them to gain their intellectual property. Internally, an employee may seek advantage over an internal rival by taking an unauthorized action that disadvantages them, e.g. causing a mistake to occur and making it look like their rival caused it.
Lists always come in groups of 10, but the 11th stage in this case should be "getting caught", which is the responsibility of the reader once this book is finished. This person will collect all the evidence and attempt to deduce the knowable information from an incident, with the aim of identifying the culprit and recovering any losses legally if possible.
Further detail on computer security in general can be found in Security Engineering, a book which its author, Professor Ross Anderson of Cambridge University, has made available free of charge.
This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.