-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 16 of 19  ]
-------------------------[  Distributed Metastasis:
                            A Computer Network Penetration Methodology
-------[  Andrew J. Stewart 
"You may advance and be absolutely irresistible, if you make for the enemy's
weak points; you may retire and be safe from pursuit if your movements are more
rapid than those of the enemy."
- Sun Tzu, Art of War
----[  (struct phrack *)ptr;
You can find the original instance of this article in both Adobe .pdf and
Microsoft Word 97 format at http://www.packetfactory.net.
----[  Abstract
Metastasis refers to the process by which an attacker propagates a computer
penetration throughout a computer network.  The traditional methodology for
Internet computer penetration is sufficiently well understood to define
behavior which may be indicative of an attack, e.g. for use within an Intrusion
Detection System.  A new model of computer penetration, distributed metastasis,
increases the possible depth of penetration for an attacker, while minimizing
the possibility of detection.  Distributed Metastasis is a non-trivial
methodology for computer penetration, based on an agent based approach, which
points to a requirement for more sophisticated attack detection methods and
software to detect highly skilled attackers.
----[  Introduction
In the study of medicine, the term "metastasis" refers to the spread of cancer
from its original site to other areas in the body.  Metastasis is the principal
cause of death in cancer patients.  Cancer cells have the ability to enter the
vascular system and travel to virtually any part of the body where they detach
and burrow into a target organ.  Each cancer has an individualized way of
spreading.
The use of the term metastasis was first suggested in the context of computer
security by William Cheswick and Steven Bellovin [1] and refers to the process
by which an attacker, after compromising a computer host, attacks logically
associated hosts by utilizing properties and resources of the compromised host:
"Once an account is secured on a machine, the hacker has several hacking goals
... [to] open new security holes or backdoors in the invaded machine ... [and
to] find other hosts that trust the invaded host."
Before the techniques and advantages of distributed metastasis can be
explained, the traditional attack paradigm must be understood. Note that a
verbose description of the traditional attack paradigm is outside the scope of
this document; [2] describes that subject in detail.
----[  Traditional Attack Paradigm
The framework of processes and order of execution by which an attacker attempts
to penetrate a remote computer network is sufficiently well understood to
enable the creation of toolkits to attempt to exploit a weakness and/or to
attempt to audit a system for potential weaknesses.
The tasks an attacker performs to conventionally execute an attack can be
categorized as 'information gathering', 'exploitation', and 'metastasis', and
are described below.
----[  Information Gathering
The first phase of an attack, the information gathering phase, comprises the
determination of the characteristics of the target network such as network
topology, host OS type (within this paper the term 'host' will refer to a
generic network entity such as a workstation, server, router, etc.), and
"listening" applications e.g. WWW servers, FTP services, etc.  This is
ordinarily achieved by applying the following techniques:
I.     Host Detection
Detection of the availability of a host.  The traditional method is to elicit
an ICMP ECHO_REPLY in response to an ICMP ECHO_REQUEST using the 'ping'
program.  Programs designed to perform host detection in parallel such as fping
[3] enable large expanses of IP address space to be mapped quickly.
II.    Service Detection
a.k.a. "port scanning".  Detection of the availability of a TCP, UDP, or RPC
service, e.g. HTTP, DNS, NIS, etc.  Listening ports often imply associated
services, e.g. a listening port 80/tcp often implies an active web server.
III.   Network Topology Detection
Topology in this context relates to the relationship between hosts in terms of
'hop count' ("distance" between hosts at the Internet/IP layer).
Only two methods of network topology detection are known to the author: 'TTL
modulation' and 'record route'.  The UNIX 'traceroute' program performs network
topology detection by modulating the TTL (time to live) field within IP
packets;  in the Windows NT environment, tracert.exe provides broadly
equivalent functionality.  'ping' can be used to "record [the] route" of ICMP
packets, albeit to a finite depth.  Both these techniques require a target host
to act as the final destination of the probe.
Firewalk [4] is a technique used to perform both network topology detection and
service detection for hosts "protected" behind certain vulnerable
configurations of gateway access control lists, e.g. as implemented in a
firewall or screening router.
Classical promiscuous-mode "network sniffing" is another, albeit non-invasive,
method of network topology detection [5], but may not be applicable in
those scenarios where traffic from the target network is not visible to an
attacker at their initial network location.
IV.    OS Detection
A common OS detection technique is "IP stack fingerprinting" - the
determination of remote OS type by comparison of variations in OS IP stack
implementation behavior.  Ambiguities in the RFC definitions of core internet
protocols coupled with the complexity involved in implementing a functional IP
stack enable multiple OS types (and often revisions between OS releases) to be
identified remotely by generating specifically constructed packets that will
invoke differentiable but repeatable behavior between OS types, e.g. to
distinguish between Sun Solaris and Microsoft Windows NT.
The pattern of listening ports discovered using service detection techniques
may also indicate a specific OS type;  this method is particularly applicable
to "out of the box" OS installations.
V.     Application-Layer Information Gathering
Applications running on target hosts can often be manipulated to perform
information gathering.  SNMP (Simple Network Management Protocol) enabled 
devices are often not configured with security in mind, and can consequently be
queried for network availability, usage, and topology data.  Similarly, DNS
servers can be queried to build lists of registered (and consequently likely
active) hosts.
Routers on (or logically associated with) the target network can often be
queried via the RIP protocol for known routes [6]. This information can be used
to further aid construction of a conceptual model of the topology of the target
network.
Many of these techniques are utilized by modern network management software to
"map" a network.
In summary, the information gathering phase of an attack comprises the
determination of host availability: "what hosts are 'alive'?", service
availability: "what network enabled programs run on those hosts?", network
topology: "how are hosts organized?", and roles: "what 'jobs' do each host
perform?".
----[  Exploitation
The exploitation phase of an attack is the initial chronological point at
which an attacker commits to attempting to penetrate an individual host.
The data generated in the information gathering phase of the attack is used to
determine if any hosts on the target network are running a network service
which has a known vulnerable condition that might be remotely exploitable.
Services may either be intrinsically insecure "out of the box" or may become
insecure through misconfiguration.
The methods by which a service can be exploited vary widely, but the end-result
often manifests as either the execution of a process in a privileged context
e.g. opening a privileged command line, adding an account with no password,
etc., or through the disclosure of security-critical information, e.g. a list
of encrypted passwords which can (possibly) subsequently be "cracked".  The
observed proportion of weak passwords within a password file [7] implies that a
password cracking attack is likely to be successful.
To summarize, the exploitation phase of an attack involves the compromise of a
vulnerable host on (or logically associated with) the target network.
----[  Metastasis
The metastasis phase of the attack, as defined by Cheswick and Bellovin, can
be logically separated into two key components: 'consolidation', and
'continuation', described here:
I.     Consolidation Component
Once access has been gained to an individual host, the attack proceeds with the
consolidation component of metastasis.
It is imperative to the attacker that the exploitation phase not be detected.
The attacker must remove evidence of the entry onto the host by removing
relevant entries from OS and security application log files.  If the
opportunity exists, the attacker will remove any trace generated by the earlier
information gathering phase also.
Depending on the exploit employed, the exploitation phase may not have granted
the attacker the highest level of privilege on the compromised system ('root'
for UNIX derivatives, 'Administrator' for Windows NT), and if not, the attacker
will attempt to escalate their privilege to the highest level.  The methods
used to escalate local privilege level often employ extremely similar
techniques, even across multiple OS platforms.  Such vulnerabilities reoccur
frequently due to non security-cognizant OS and application programming.  A
notable category of local exploit is a "buffer overflow" [8].
A program to enable remote unauthorized access is traditionally installed,
sometimes called a "back door".  A back door "listens" identically to a network
daemon/service, and provides either full remote command line access or a set of
specific actions e.g. upload/download file, execute/terminate process, etc.
In summary, the goals of the consolidation component of the metastasis phase of
an attack, are to remove any evidence of the exploitation phase, and to ensure
that remote access is available to the attacker.
II.    Continuation Component
The continuation component of metastasis is the most conceptually interesting
and challenging, in terms of attempting to construct a model of the attacker's
actions.
Because a host on the target network has been compromised, the attacker can now
utilize 'passive' as well as the previously described 'active' attack methods to
deepen the penetration.  Traditionally, a "password sniffer" is installed - a
promiscuous mode network protocol monitor, designed to log the usernames and
passwords associated with those application layer protocols that utilize plain
text transmission, e.g. Telnet, FTP, rlogin, etc.
Implicit to modern enterprise network environments is the concept of trust.
[9] defines trust as:
"[the] situation when a ... host ... can permit a local resource to be used by
a client without password authentication when password authentication is
normally required."
Metastasis involves the use/abuse of trust relationships between a compromised
host and other prospective target hosts.
Regardless of OS type, a host is likely to engage in multiple trust
relationships, often in the areas of authentication, authorization, remote
access, and shared resources.  The process of trust relationship exploitation
involves identifying and "following" trust relationships that exist on a
compromised host, in order to deepen a penetration.  There is often no need to
perform the exploitation stage of an attack against other hosts on the target
network if they already implicitly trust the compromised host in some way.
The classical example of trust relationship exploitation involves the
subversion of the Berkeley "R" commands and their configuration files in the
UNIX environment: '.rhosts' and '/etc/hosts.equiv'.
----[  Properties of the Traditional Attack Paradigm
It is valuable to identify those properties that define the traditional
attack paradigm, as outlined above.
I.     One to One, One to Many Model
Information gathering techniques are traditionally performed using a "one to
one" or "one to many" model;  an attacker performs network operations against
either one target host or a logical grouping of target hosts (e.g. a subnet).
This process is ordinarily executed in a linear way, and is often optimized for
speed by utilizing parallel or multi-threaded program execution.
This linear process can be visualized using a conceptually simplified network
topology diagram.  Fig 1 shows attacker host A1 "attacking" (i.e. performing
the host and/or service detection phases of an attack) against a single target
host T1.
                                 A1 -------> T1
                            Fig 1. One to One Model
Fig 2 shows attacker host A1 attacking multiple target hosts T1 ... Tn.
                                 A1 -------> T1
                                 A1 -------> T2
                                 . 
                                 . 
                                 . 
                                 A1 -------> Tn
                            Fig 2. One to Many Model
Note that although the concepts of "one to one", "one to many", etc., are
simplistic - they are particularly relevant and important to modeling the
network activity generated by an attacker as they metastasize across a network.
II.    Server Centricity
Traditional, remote exploitation techniques target a server program by
approximating a client because, by definition [10]: 
"the client/server message paradigm specifies that a server provides a service
that a client may request ... the attacker (client) makes a request (attack) to
any server offering the service and may do so at any point."
Server programs typically run with elevated privileges and are therefore
advantageous targets for attack;  this conveniently maps to the "one to one"
and "one to many" models described in I.
III.   Attack Chaining
The traditional attack process is often chained from compromised host to host
in an attempt to obscure the "real" location of an attacker.  Fig 3 shows an
attack on target host T1 from attacking host A1 in which the attacker is
logically located at host H1, and is connected to A1 through host H2;  only the
connection from A1 can be "seen" from T1.
                     H1 -------> H2 -------> A1 -------> T1
                            Fig 3. Attack Chaining
IV.    Latency
Because password sniffer log files are traditionally written to disk, an
attacker must return to a compromised host to collect information that could
enable the depth of the penetration to be increased.
Similarly, an attacker must return to a compromised host in order to proxy
(chain) the attack process.
----[  Distributed Metastasis
These properties that define the traditional attack paradigm can be evolved.
The core of the distributed metastasis methodology is a desire to utilize the
distributed, client/server nature of the modern IP network environment, and to
perform a logical automation of the metastasis phase of the traditional attack
process.
The impetus for the distributed metastasis approach comes from the observation
of commercial "network enabled" security technology.
Manufacturers of security software tools have, in the majority, evolved their
products from a stand-alone model (single host e.g. COPS [11]) to a distributed
one - in which multiple embedded agents reside on topologically disparate
hosts, and communicate security-relevant information to a logically centralized
"manager".  This strategy is advantageous in terms of:
I.     Scalability
The agent population is almost certainly fluid in nature - agents can be added
and removed over time, but the manager remains constant.  This model maps to
the most common operating environment - the infrastructure is malleable but the
security monitoring function (hopefully) remains stable.
II.    Cost of Ownership
The impact of performing a single installation of an agent on a host is less
costly over time in both physical and administrative terms than with repeated
visitation.
Agents that can be remotely "programmed" (i.e. instructed how to perform) from
a remote location enable the function of the security software to be changed
more rapidly throughout the enterprise (such as with a security policy change),
than with multiple per-host installations.
III.   Coverage
By utilizing multiple automated, semi or fully autonomous agents, that can
either be scheduled to perform security analysis regularly or run continuously,
the depth of agent coverage is increased, and consequently the probability of
detecting anomalous (i.e. security relevant) behavior is increased.
Although security vendors understand the functional requirements associated
with large infrastructures in terms of scalability and cost of ownership, these
properties have not yet been fully leveraged by the attacker community in
extending the traditional attack methodology.
----[  Properties of Distributed Metastasis
A distributed, agent based approach, can be utilized in the metastasis phase
of the traditional attack methodology to reap appreciable benefits for an
attacker.
The properties that define distributed metastasis are as follows:
I.     Agent Based
The "back door" traditionally installed as part of the consolidation stage is,
with distributed metastasis, a remotely controllable agent in a similar vein to
those employed by network enabled security tools.
The attacker will never "log in" in the traditional sense to a compromised
host once an agent is installed.  This approach brings time saving advantages
to an attacker because the log-file "clean up" operation involved with a
conventional login does not have to be repeated ad infinitum.
II.    Many to One, Many to Many Model
Whereas the traditional attack paradigm conventionally employs a "one to one"
or "one to many" model of information gathering, the use of multiple
distributed agents facilitates "many to one" and "many to many" models also.
A custom client can deliver a "task definition" to an agent which defines a
host and/or service detection task.  An agent can return the results to a
client either in (pseudo) real time or on task completion.
For execution of host and service detection techniques that require low-level
packet forgery (e.g. to enable a SYN port scan), the availability of a portable
network packet generation library [12] eases the development time required to
implement this functionality.
As described in [13], the ability to utilize multiple source hosts for
gathering host, service, and network topology information has advantages in the
areas of stealth, correlation, and speed.
Fig 4 and Fig 5 illustrate multiple source hosts (agents) used to perform
information gathering in "many to one" and "many to many" scenarios
respectively:
                                 A1 -------> T1
                                 A2 -------> T1
                                 .
                                 .
                                 .
                                 An -------> T1
                            Fig 4. Many to One Model
                                 A1 -------> T1 ... Tn
                                 A2 -------> T1 ... Tn
                                 .
                                 .
                                 .
                                 An -------> T1 ... Tn
                            Fig 5. Many to Many Model
Agents can be remotely programmed either to execute or to forward scan
definitions to functionally duplicate the "chaining" present in the
traditional attack approach.
Although an agent based approach is not implicitly required for "many to one"
and "many to many" models of information gathering, it is made substantially
easier through a programmatic approach.  The ability of an agent to multiplex
scan definitions gives an attacker topological control over which network links
the attack-related traffic traverses.
III.   Real Time Monitoring
As described previously, delay exists when an attacker wishes to utilize a
compromised host for further attacks and to collect log files from data
collection programs such as password sniffers and keystroke recorders.
With a distributed model, collected data such as username/password pairs can be
transferred in (pseudo) real time to a remote location, and as shown, this
process can be chained through multiple compromised hosts.
Embedded password sniffing functionality could be extended to support
regular-expression style pattern matching which again, because of the benefits
of the agent based approach, would be remotely programmable.
Conceptually, there is no limit to the amount or type of data that could be
collected and forwarded by agents.  Possible areas of interest to an attacker
might include patterns of user activity and host and network utilization
metrics.
IV.    Minimal Footprint
In the traditional attack paradigm (albeit dependent on the "back door"
employed), the attacker is exposed to a window of possible detection when the
attacker re-enters a previously compromised host, between a login and the
removal of the evidence of the login.  With an agent based approach, the
consolidation phase need never be repeated after the agent installation.
V.     Communication
Covert channels between agents and managers and between agents can be created
by utilizing steganography techniques. [14] describes the ubiquitous nature of
ICMP network traffic to TCP/IP networks, and that it can subsequently be used
to tunnel information which (superficially) appears benign.
By utilizing such a ubiquitous transport, the ability to communicate between
widely disparate agents is less likely to be affected by network devices that
implement network traffic policy enforcement, e.g. screening routers,
firewalls, etc.
Confidentiality and integrity can be added using cryptography.
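The echo tunnelling [14] describes can be checked for from the monitoring side.
The code below is an added example, not code from the article or from the Loki
project: it builds constructed ICMP echo packets and runs three checks over
them, assuming (per RFC 792) that a legitimate echo reply returns the request's
data unchanged and, as a heuristic, that a ping session keeps the bytes after
its leading 8-byte timestamp field constant between requests.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Build an ICMP echo request (type 8) or reply (type 0) with a correct
    checksum. Used here only to construct sample packets for the monitor."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet):
    """Return (type, ident, seq, payload) for a well-formed echo message, or
    None for anything else (other type/code, bad checksum, truncated)."""
    if len(packet) < 8:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8) or code != 0 or icmp_checksum(packet) != 0:
        return None
    return icmp_type, ident, seq, packet[8:]

def analyze(packets):
    """Run three checks over an ordered capture of echo messages and return
    (ident, seq, reason) findings:
      - an echo reply must carry the request's data unchanged (RFC 792);
      - a reply with no outstanding request of the same ident/seq is unsolicited;
      - heuristic: within one ident, the bytes after the 8-byte timestamp
        field of successive requests should not change."""
    findings = []
    pending = {}   # (ident, seq) -> request payload awaiting its reply
    filler = {}    # ident -> filler bytes seen in the session's first request
    for pkt in packets:
        parsed = parse_echo(pkt)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        if icmp_type == 8:
            pending[(ident, seq)] = payload
            if ident in filler and filler[ident] != payload[8:]:
                findings.append((ident, seq, "request filler changed within session"))
            filler.setdefault(ident, payload[8:])
        else:
            request = pending.pop((ident, seq), None)
            if request is None:
                findings.append((ident, seq, "unsolicited echo reply"))
            elif request != payload:
                findings.append((ident, seq, "reply payload differs from request"))
    return findings

# Constructed sample capture: a normal two-probe ping session (ident 0x1234,
# only the leading timestamp bytes change between requests) followed by a
# tunnel-style exchange (ident 0xBEEF) carrying different data each way.
PING_FILLER = bytes(range(0x10, 0x40))
SAMPLE_PACKETS = [
    build_echo(8, 0x1234, 1, b"\x00" * 8 + PING_FILLER),
    build_echo(0, 0x1234, 1, b"\x00" * 8 + PING_FILLER),
    build_echo(8, 0x1234, 2, b"\x00" * 7 + b"\x2a" + PING_FILLER),
    build_echo(0, 0x1234, 2, b"\x00" * 7 + b"\x2a" + PING_FILLER),
    build_echo(8, 0xBEEF, 1, b"constructed request one"),
    build_echo(0, 0xBEEF, 1, b"constructed reply one"),
    build_echo(8, 0xBEEF, 2, b"constructed request two, longer"),
    build_echo(0, 0xBEEF, 9, b"constructed reply with no request"),
]

if __name__ == "__main__":
    for ident, seq, reason in analyze(SAMPLE_PACKETS):
        print("ident=0x%04x seq=%d: %s" % (ident, seq, reason))
```

The filler check is the weakest of the three, since a pinger that varies its payload will trip it; the reply-mismatch and unsolicited-reply checks follow directly from echo semantics.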
VI.    Client Centricity
The structure of the traditional attack methodology lends itself to server
centric attacks - attacks which attempt to subvert a server by approximating a
client.  With a distributed approach in which an embedded agent resides on a
server, client requests to that server can consequently be intercepted and
subverted.
----[  Monoculture
As described, fundamentally, distributed metastasis advocates an agent based
approach.  The logical implication is that an attacker must construct a
functional agent for each OS variant that is likely to be encountered in the
target environment (and which it is considered desirable to compromise).
Admittedly, this requires initial time and intellectual investment by an
attacker; however, the predominance of "monoculture" IT environments simplifies
this task.  Also, cross-platform programming languages such as Java make
cross-platform operability realizable.
In the fields of ecology and biology, "monoculture" refers to the dominance of
a single species in an environment - a state considered to be pathologically
unstable.  Economies of scale make monoculture installations attractive -
greater short term efficiency is likely to be achieved, and therefore the
majority of large organizations tend towards monoculture installations that
employ one or two key OS types.
----[  Internet Worm Analogy
The distributed metastasis approach shares similarities to the propagation
method used by the Internet "worm" [15] - the proliferation of remote agents.
Once an instance of the Internet worm infected a host, it attempted to
communicate with an external entity, although this was later thought to be a
deliberate attempt at throwing those people attempting to reverse engineer the
worm "off the scent".
A combined attack form in which a worm was used as a vector to seed agents
which can then be remotely controlled would increase the speed of penetration,
but would likely be less controllable, unless the worm was specifically
targeted and rate limited in terms of expansion - perhaps using a "proximity
control" mechanism similar to that employed by the SATAN network vulnerability
scanner [16].
----[  A Challenge for State and Event Monitoring
Would today's state and event monitoring tools detect a distributed metastasis
attack?  Clearly, the answer is dependent on the proliferation, sophistication,
and configuration of those tools within the target environment.
If an attacker can compromise a host and remove evidence of the attack, state
monitoring tools will not detect the hostile activity if it falls between those
scheduled times when the tool performs its sweep.  Host based IDS, dependent on
the exploitation and privilege escalation method used by an attacker, may
detect the attack.  Clearly therefore, a combination of state monitoring and
real time state monitoring (a.k.a. intrusion detection) tools should both be 
employed within a technical security architecture.
"Many to Many" and "Many to One" attacks are less likely to be detected by
network based intrusion detection systems (N-IDS) than with a linear model.
The techniques described in [17] can be implemented to assist evasion of N-IDS.
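Why a per-source scan threshold misses the "many to one" model, and what a
per-target aggregation adds, can be shown with a small correlation check. The
code below is an added example, not part of the article; it uses a constructed,
simplified connection log ("time source target port") and illustrative
thresholds, and runs the same records through a per-source and a per-target rule.

```python
from collections import defaultdict

WINDOW = 60  # seconds; events are grouped into fixed windows of this length

# Constructed sample log, not real traffic. Record: "<t> <src> <dst> <dport>".
# Records 1-6: the linear one-to-many model, A1 sweeps T1..T6 on port 80.
# Records 7-14: a many-to-one sweep of T9 spread over agents X1..X8, each
# probing one port, so no single source exceeds a per-source threshold.
# Record 15: ordinary unrelated traffic.
SAMPLE_LOG = """\
0 A1 T1 80
1 A1 T2 80
2 A1 T3 80
3 A1 T4 80
4 A1 T5 80
5 A1 T6 80
10 X1 T9 21
12 X2 T9 22
14 X3 T9 23
16 X4 T9 25
18 X5 T9 53
20 X6 T9 80
22 X7 T9 110
24 X8 T9 143
30 U1 T2 80
"""

def parse_log(text):
    """Parse the simplified log into (t, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            t, src, dst, dport = line.split()
            events.append((int(t), src, dst, int(dport)))
    return events

def per_source_scanners(events, min_pairs=5, window=WINDOW):
    """Traditional per-source rule: one source touching at least min_pairs
    distinct (dst, dport) pairs inside a window is reported as a scanner."""
    pairs = defaultdict(set)          # (window_id, src) -> {(dst, dport)}
    for t, src, dst, dport in events:
        pairs[(t // window, src)].add((dst, dport))
    return sorted({src for (_, src), seen in pairs.items()
                   if len(seen) >= min_pairs})

def per_target_scanned(events, min_ports=4, min_sources=3, window=WINDOW):
    """Per-target rule: a host probed on at least min_ports distinct ports by
    at least min_sources distinct sources inside a window is reported as the
    target of a many-to-one sweep, whoever the sources are."""
    ports = defaultdict(set)          # (window_id, dst) -> {dport}
    sources = defaultdict(set)        # (window_id, dst) -> {src}
    for t, src, dst, dport in events:
        key = (t // window, dst)
        ports[key].add(dport)
        sources[key].add(src)
    return sorted({key[1] for key, p in ports.items()
                   if len(p) >= min_ports and len(sources[key]) >= min_sources})

def detect(text):
    """Run both rules over a log and report what each one finds."""
    events = parse_log(text)
    return {"per_source": per_source_scanners(events),
            "per_target": per_target_scanned(events)}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Neither rule alone covers both models: the per-source rule sees only A1, the per-target rule sees only T9, so a monitor needs both views (a sliding window rather than fixed buckets would avoid sweeps that straddle a window boundary).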
As discussed, with an agent based approach, once an agent is installed and
hidden, the intrusion is less likely to be detected than with continual
re-visitation of a host (e.g. with Telnet) as in the traditional attack
methodology. If an agent can be installed and hidden, and it is not detected at
an early stage, it is unlikely to be discovered from that point forward.
For "open source" OSes (e.g. OpenBSD, Linux, etc.) an agent could even be
incorporated into the kernel itself.  Similarly, any OS that enables loading
of run-time kernel modules could be compromised in this way.
Polymorphic techniques could perhaps be implemented to increase the complexity
of detection (cf. polymorphic strains of virus).
----[  A New Architecture for Vulnerability Scanning
Several advantages exist in using a distributed agent model for
commercial vendors of network vulnerability scanning technology. A distributed
model would enable localized 'zones of authority' (i.e. delegation of
authority), would facilitate information gathering behind NAT (and firewalls,
where configured), and overcome network topology specific bandwidth
restrictions.
Information chaining would enable the construction of a hierarchical reporting
and messaging structure, as opposed to the "flat" structure implemented in the
majority of tools today.
At this time I am aware of no commercial (or free) vulnerability scanners that
employ a distributed architecture as described.
----[  Conclusion
Although some notable remotely programmable embedded agents exist [14] [18]
[19], they have not been fully utilized in continuation of the remote attack
paradigm.
Considerable benefits exist for an attacker in utilizing a distributed
penetration methodology, centered on an agent based approach;  these benefits
are not dissimilar to the benefits available through the use of distributed, as
opposed to static, security state and event monitoring tools.
Distributed metastasis is, in comparison to the traditional attack paradigm, a
non-trivial methodology for computer penetration, the advantages of which are 
likely only to be considered worth the expenditure in effort by a small
minority of skilled attackers;  however, strategically - those advantages could
be significant.
----[  References
[1]    William R. Cheswick & Steven M. Bellovin, "Firewalls and Internet
       Security", Addison-Wesley, 1994.
[2]    Andrew J. Stewart, "Evolution in Network Contour Detection", 1999.
[3]    Roland J. Schemers III, "fping", Stanford University, 1992.
[4]    Michael Schiffman & David Goldsmith, "Firewalking - A Traceroute-Like
       Analysis of IP Packet Responses to Determine Gateway Access Control
       Lists", Cambridge Technology Partners, 1998. www.packetfactory.net.
[5]    David C. M. Wood, Sean S. Coleman, & Michael F. Schwartz, "Fremont: A
       System for Discovering Network Characteristics and Problems", University
       of Colorado, 1993.
[6]    Merit GateD Consortium, "ripquery - query RIP gateways", 1990-1995,
       www.gated.org.
[7]    Daniel V. Klein, "Foiling the Cracker; A Survey of, and Improvements to
       Unix Password Security", Proceedings of the 14th DoE Computer Security
       Group, 1991.
[8]    Aleph One, "Smashing The Stack For Fun And Profit", Phrack Magazine,
       Volume 7, Issue 49, File 14 of 16, 1996, www.phrack.com.
[9]    Dan Farmer & Wietse Venema, "Improving the Security of Your Site by
       Breaking Into it", 1993, www.fish.com.
[10]   Michael D. Schiffman, Index, Phrack 53, Volume 8, Issue 53, Article 01
       of 15, 1998, www.phrack.com.
[11]   Dan Farmer, "COPS", 1989, www.fish.com.
[12]   Michael D. Schiffman, "Libnet", 1999, www.packetfactory.net.
[13]   Stephen Northcutt, "SHADOW Indications Technical Analysis - Coordinated
       Attacks and Probes", Naval Surface Warfare Center, 1998.
[14]   Michael D. Schiffman, "Project Loki", Phrack 49, File 06 of 16, 1996,
       www.phrack.com.
[15]   Eugene H. Spafford, "The Internet Worm Program: An Analysis", Purdue
       University, 1988.
[16]   Dan Farmer & Wietse Venema, "SATAN", 1995, www.fish.com.
[17]   Thomas H. Ptacek & Timothy N. Newsham, "Insertion, Evasion, and Denial
       of Service: Eluding Network Intrusion Detection", Secure Networks Inc,
       1998.
[18]   Cult of the Dead Cow, "Back Orifice 2000 (a.k.a. BO2K)", 1999,
       www.bo2k.com.
[19]   Greg Hoglund et al, 1999, www.rootkit.com.
----[  EOF