A guided tour to someone else's network
Step 3: The Attack
A few common attack methods work really well against modern networks and users. The first is attacking exposed servers and services (like DNS), the second is attacking web servers (which are basically application servers now), and the last is attacking through email (which is also the de facto file sharing application for many people).
The first method is pretty well understood; generally speaking, the attacker will scan for vulnerable servers with a tool such as Nmap  or Nessus  and then attack them using exploit code or toolkits like Metasploit . Exploiting these vulnerabilities will generally allow the attacker to run hostile code, like a root shell, on the machine.
Finding All the Attacks
So how do you track down all these individual attacks? Given a specific software package (e.g., Sendmail, WordPress, DokuWiki, or MediaWiki), how do you track down the vulnerabilities affecting it? Your best bets are to check out the CVE  and OSVDB  databases, which have links to resources in each security report, and, for exploit code, Milw0rm  (Figure 3) and PacketStorm Security  (Figure 4). The Metasploit framework actually includes surprisingly few exploits – around 300 at last count. PacketStorm Security carries about 300--400 exploits a month. Chances are that if the site is running out-of-date software, you can find something on Milw0rm or PacketStorm Security that will let you attack it, and if not, the CVE and OSVDB databases often contain enough information to point you in the right direction.
Attacking Web Servers
Web servers are basically application servers now, and where you have applications, you have security flaws. One of the biggest problems is the complexity of these programs. At a minimum, a "basic" application will often include: the application itself, a web server, an operating system, and a back-end database. All of these components can be attacked through flaws in the application, and in many cases, a number of small flaws can be combined to allow for code execution that lets an attacker onto the server.
If you're feeling lazy, you can also just download a web application scanner and point it at your target. Automated tools such as Nessus or like Nikto, which looks for more than 3,500 potentially dangerous files and CGI scripts, can scan a server for vulnerable applications. If these tools don't find anything with known vulnerabilities, the attacker can always use tools like WebScarab to examine and attack web applications directly. Poking around randomly often exposes interesting problems faster than you would think .
Buy this article as PDF
New release marks the arrival of AMD’s unified driver strategy.
A new study by IDC charts big changes in the big hardware market.
Azure CTO says Redmond has already considered the unthinkable.
Lead developer quells rumors that the Debian version is slated for center stage.
MSBuild is now just another GitHub project as Redmond continues its path to the light.
Malware could pass data and commands between disconnected computers without leaving a trace on the network.
New rules emphasize collegiality in coding.
Upstart lands in the dust bin as a new era begins for Linux.
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?