Thursday, March 6, 2008

Possible vulnerabilities and ways to exploit

Software bugs

Software always has bugs. System administrators and programmers can never track down and eliminate every vulnerability, but an attacker needs to find only one hole to break in. Software bugs are most often exploited in server daemons, client applications, operating systems, and the network stack. They can be classified as follows:
Buffer overflows - Almost all the security holes you read about are due to this problem. A typical example is a programmer who sets aside 256 characters to hold a login username. If an attacker submits a username longer than that, you might have a problem: all the attacker has to do is send 300 characters, including code that the server will end up executing, and voila, game over. Hackers find these bugs in several ways. First, the source code for a lot of services is available on the net, and hackers routinely read through it looking for programs with buffer overflow problems. Secondly, hackers may examine the compiled programs themselves to see if such a problem exists. Thirdly, hackers will examine every place the program accepts input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the attacker to gain access.
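As an added illustration in C (not code from the original post), the 256-character username buffer from the example above: the unbounded copy that causes the overflow beside a bounded version that rejects input that does not fit. Function names, the buffer size macro and the constructed 300-byte input are assumptions for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#define USERNAME_MAX 256   /* the 256 characters the text sets aside */

/* Vulnerable form, as the text describes it: the caller's bytes are
 * copied into a fixed stack buffer with no length check, so a 300-byte
 * "username" runs past `name` and overwrites whatever follows it on the
 * stack. Kept only to show the defect; it is never called below. */
int store_username_unsafe(const char *input) {
    char name[USERNAME_MAX];
    strcpy(name, input);             /* unbounded copy: the bug is here */
    return (int)strlen(name);
}

/* Hardened form: measure the input against the buffer first and reject
 * anything that does not fit, instead of silently truncating it (a
 * truncated name could collide with a different, legitimate user).
 * Returns 0 on success, -1 if the input is too long. */
int store_username_safe(const char *input, char *out, size_t out_size) {
    size_t len = strnlen(input, out_size);   /* never reads past out_size */
    if (len >= out_size)                     /* no room left for the NUL */
        return -1;
    memcpy(out, input, len + 1);             /* exact length plus NUL */
    return 0;
}

/* Accept a login name into a private 256-byte buffer: 0 if it fit,
 * -1 if it was rejected. */
int accept_username(const char *input) {
    char name[USERNAME_MAX];
    return store_username_safe(input, name, sizeof name);
}

/* Constructed input: a "username" made of n 'A' bytes, like the
 * 300-character example in the text. */
int accept_username_of_length(size_t n) {
    char *s = malloc(n + 1);
    if (!s) return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int r = accept_username(s);
    free(s);
    return r;
}
```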
Unexpected combinations - Programs are usually constructed from many layers of code, with the underlying operating system as the bottom-most layer. Attackers can often send input that is meaningless to one layer but meaningful to another. The most common language for processing user input on the web is Perl, and programs written in Perl will usually pass this input to other programs for further processing. A common hacking technique would be to enter something like "| mail < /etc/passwd". This gets executed because Perl asks the operating system to launch an additional program with that input; the shell used to launch it interprets the pipe '|' character and starts the 'mail' program as well, which causes the password file to be emailed to the attacker.

Race conditions - Most systems today are multitasking/multithreaded, meaning they can execute more than one program at a time. There is a danger when two programs need to access the same data at the same time. Imagine two programs, ABC and XYZ, each attempting to modify the same file. To modify a file, each program must first read the file into memory, change the contents in memory, then write the memory back out to the file. The race condition occurs when program ABC reads the file into memory and makes its change, but before ABC gets to write the file, program XYZ steps in and does the full read/modify/write on the file. Now program ABC writes its copy back out. Since ABC started from a copy taken before XYZ made its changes, all of XYZ's changes are lost. Because the events must occur in just the right order, race conditions are very rare; attackers usually attempt such actions thousands of times before they get it right and gain access to the system.
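The shell-metacharacter problem described under Unexpected combinations above, as an added example in C (not from the original post): the command string a naive program would hand to a shell, beside a helper that starts the program directly with execvp() so the pipe character stays a plain byte inside a single argument. The helper program name "lookup" and the use of /bin/echo as a stand-in program are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern the text describes: user input is glued into a command line
 * that a shell will parse, so "| mail < /etc/passwd" becomes a second
 * command. Only the string that WOULD reach system() is built; nothing is
 * executed. ("lookup" is a hypothetical helper program.) */
const char *unsafe_shell_command(const char *user_input) {
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "lookup %s", user_input);
    return cmd;
}

/* Hardened form: start the program directly with execvp() and hand it the
 * input as ONE argv element. No shell is involved, so '|', '<' and ';' are
 * plain bytes in a single argument. The child's stdout is captured into
 * `out` to show what it received. Returns bytes captured, or -1 on error. */
ssize_t run_without_shell(const char *prog, const char *arg,
                          char *out, size_t out_size) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = {(char *)prog, (char *)arg, NULL};
        execvp(prog, argv);
        _exit(127);                              /* exec failed */
    }
    close(fds[1]);                               /* parent */
    size_t total = 0; ssize_t n;
    while (total < out_size - 1 &&
           (n = read(fds[0], out + total, out_size - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)total;
}

/* What does /bin/echo receive when given the attack string as an argument? */
const char *demo_echo_argument(void) {
    static char out[128];
    run_without_shell("/bin/echo", "| mail < /etc/passwd", out, sizeof out);
    return out;
}
```

Because echo prints its argument verbatim, the captured output is the whole attack string on one line, proving that no second command was ever started.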
Unexpected input - Most programs are written to handle valid input. Most programmers do not consider what happens when somebody enters input that doesn't match the specification.

System configuration bugs

Default configurations - Most systems are shipped to customers with default, easy-to-use configurations. Unfortunately, "easy-to-use" means "easy-to-break-in". Almost any UNIX or WinNT machine shipped to you can be broken into easily.
Poor system administrator practices - A surprising number of machines are configured with an empty root/administrator password. This is because the administrator is too lazy to configure one right now and wants to get the machine up and running quickly with minimal fuss. Unfortunately, they never get around to fixing the password later, allowing attackers easy access. One of the first things an attacker will do on a network is to scan all machines for empty passwords.
Running unnecessary services - Virtually all programs can be configured to run in a non-secure mode. Sometimes administrators will inadvertently open a hole on a machine. Most administration guides will suggest that administrators turn off everything that doesn't absolutely positively need to run on a machine in order to avoid accidental holes. Note that security-auditing packages (such as Enterprise Security Manager from Symantec) can usually find these holes and notify the administrator.
Trust relationships - Attackers often "island hop" through the network exploiting trust relationships. A network of machines trusting each other is only as secure as its weakest link.

Password cracking

Easy-to-guess passwords - These are passwords where people use the names of themselves, their children, spouse/SO, pet, or car model as their password. Then there are the users who choose "password" or simply null passwords.
Dictionary attacks - With this attack, the attacker uses a program that tries every word in a dictionary. Dictionary attacks can be done either by repeatedly logging into systems, or by collecting encrypted passwords and attempting to find a match by encrypting every word in the dictionary the same way. Attackers usually have a copy of the English dictionary as well as foreign-language dictionaries for this purpose. They also use additional dictionary-like databases, such as names (see above) and lists of common passwords.
Brute force attacks - Similar to a dictionary attack, except that the attacker tries all possible combinations of characters. A short 4-letter password consisting of lower-case letters can be cracked in just a few minutes. A long 7-character password consisting of upper and lower case letters, numbers and punctuation can take months to crack, assuming you can try a million combinations a second (in practice, a thousand combinations per second is more likely for a single machine).

Sniffing unsecured traffic

Shared medium - On traditional Ethernet, all you have to do is put a sniffer on the wire to see all the traffic on a segment. This is getting more difficult now that most corporations are transitioning to switched Ethernet.
Server sniffing - However, on switched networks, if you can install a sniffing program on a server (especially one acting as a router), you can probably use that information to break into client machines and trusted machines as well. For example, you might not know a user's password, but sniffing a Telnet session when they log in will give you that password.
Remote sniffing - A large number of boxes come with RMON enabled and public community strings. While the bandwidth is really low (you can't sniff all the traffic), it presents interesting possibilities.

Design flaws

Even if a software implementation is completely correct according to its design, the design itself may contain flaws that lead to intrusions.
TCP/IP protocol flaws - The TCP/IP protocol was designed before we had much experience with the wide-scale hacking we see today. As a result, there are a number of design flaws that lead to possible security problems. Some examples include smurf attacks, ICMP Unreachable disconnects, IP spoofing, and SYN floods. The biggest problem is that the IP protocol itself is very "trusting": hackers are free to forge and change IP data with impunity. IPsec (IP security) has been designed to overcome many of these flaws, but it is not yet widely used.
UNIX design flaws - There are a number of inherent flaws in the UNIX operating system that frequently lead to intrusions. The chief problem is the access control system, in which all administrative rights are granted to the single 'root' account: any program that needs even one privileged operation must run as root, so a hole in that program hands the attacker everything.


1 comment:

Anonymous said...

Hey hey, wake up, kid.. come on, DotA
