Supplemental Study Guide

Module 2: Footprinting Study Guide

Objectives:
- What is Footprinting?
- Objectives of Footprinting
- Footprinting Threats
- Footprinting Methodology
- Internet Footprinting
- Competitive Intelligence
- WHOIS Footprinting
- People Searching
- DNS Footprinting
- Network Footprinting
- Email Footprinting
- Google Hacking
- Additional Footprinting Tools
- Footprinting Countermeasures
- Footprinting Pen Testing
What is Footprinting?

Footprinting is the term used for collecting information about a target. This is the first step of fully identifying a target in order to begin planning an attack. Footprinting refers to finding the digital and material footprint of information made by a target's existence. The objective of Footprinting is to find as much information as possible about a target from as many sources as you can secure. In malicious hacking and black box ethical hacking, it is important to keep this information gathering secret as well.

Relevant target information includes:
- Domain Name
- User and Group Names
- Network Blocks
- System Names
- IP Addresses
- Employee Details
- Networking Protocols
- Company Directory
- VPN points
- News Articles/Press releases
- Intrusion Detection system running
- System Banners
Footprinting Threats

The threat of Footprinting is that a hacker will find out sensitive information about a target from a publicly accessible source. From the target's perspective it is important to know what information is available to the general public.

Footprinting Methodology

Footprinting begins with finding the target's main URL. Any search engine will usually disclose this website. From this main website you can begin searching for other internal URLs such as intranet.*.com or mail.*.com.
Internet Footprinting

Our practice uses robtex.com and archive.org for finding information that has been, or is currently, loaded on websites. Archive.org's Wayback Machine keeps a database of when websites have changed their content, organized by date, so that you can view the website as it has progressed over the years. Robtex.com lists connections between websites that share a domain.

Competitive Intelligence

For business intelligence, any financial website will have information on publicly traded companies. Job hunting websites such as monster.com and dice.com allow for searching by company, which can be used to find out what technical skills they are currently looking for. This allows an intelligent hacker to have an idea where a company may be weak, or if they are looking to expand into a new technology.

WHOIS Footprinting

The regional internet registries, such as ARIN for North America, keep a database of information about domain names and who owns them. This information can be used to find a target's block of external IP addresses and may provide information about technical points of contact. Some systems have more information than others, including the occasional phone number and email address.

People Searching

After a hacker has information about a company in general, they may require more specific information about people employed by or associated with the target. More specific information can be found on people-searching websites and government websites for court cases, and Google Earth can be used to find location data. Using emails listed on internet sources, a hacker may begin profiling social media websites such as Facebook and LinkedIn looking for more information.

DNS Footprinting

Using online tools such as www.checkdns.net, the publicly available DNS records for a site or IP address can be located. This information may give a hacker a better understanding of a naming scheme and the organization of a target's computer system.
Network Footprinting

Footprinting the edge network of a target begins with finding the IP range from WHOIS and then using a tool such as traceroute to determine the position of routers and possible DMZs. It is at this point that Footprinting becomes Active. Traceroute measures hops in the route from one address to another by manipulating the Time to Live of ICMP packets. Remember, any time you connect with the target it is Active footprinting. Reading information is a passive method. Sending probes such as traceroutes to a target and getting a response back is an active method. If you call the automated attendant in the middle of the night to work out the phone tree, this is active.

Email Footprinting

Email tracking can be used to monitor emails sent, when they are read, and from what IP address. Email sending programs can generate random email possibilities such as Jsmith@hackertarget.com to find out what names are actually in use. Using these techniques it is possible to map out an organization's email structure. This can also be used to learn if there are any rules blocking executables or PDF documents, and any size restrictions. Any phishing emails sent to the mail server addressing schema is active footprinting.

Google Hacking

Google hacking refers to using the power of the advanced operator options in search engines to find exploitable targets and footprint known targets in a simple fashion. For example, using the intitle operator you can search for websites that have the word password in their title, which could give you valuable information about password policies or even a document listing passwords. The hackersforcharity.org website's Google Hacking Database has a list of common searches used by hackers, although this information is becoming outdated.

Google Advanced Operators:
- [site:]
- [allintitle:]
- [intitle]
- [inurl:]

Additional Footprinting Tools

In addition to the other tools previously mentioned, Maltego is another great footprinting tool. It provides a graphical representation of data. The use of this tool makes it easier to visualize connections found in Footprinting a target and ways of finding relationships that may not have been apparent at first glance. However, it is important to know that Maltego maintains a cache of data that is not always the most up to date.

Footprinting Countermeasures

The most important countermeasure to Footprinting is knowing what information is available to outside requests. The information that is available may not be sensitive or worth keeping secret, but if an entity does not know what is available, they cannot make that determination.
Policies should be enacted for the release of information through any channel: web, phone communications, email, and any other method. Once the information is released it will be cataloged and kept in some form somewhere. WHOIS information registered should point to a position in the company, not a specific person. Proper configuration of network devices can protect from most technical Footprinting.

Note: The CEH exam expects you to have knowledge of standard ports. Be familiar with:

Port    Service
20      FTP data
21      FTP control
22      SSH
23      Telnet
25      SMTP
53      DNS (TCP and UDP!)
69      TFTP
80      HTTP
88      Kerberos
110     POP3
135     SMB
137     NetBIOS
138     NetBIOS
139     NetBIOS
161     SNMP
389     LDAP
443     HTTPS
636     LDAP over SSL or TLS
Footprinting Pen Testing

First and foremost, get proper written authorization before beginning any Footprinting. For the most part, passive information gathering is legal. However, legal does not always mean ethical as well. After you have written authorization, find out as much as you can about your target using passive techniques, documenting everything you find along the way. Once you have exhausted passive sources, use active sources as anonymously as possible to keep yourself from being noticed. Documentation at this stage will make every other hacking activity easier.
Module 3: Scanning Networks Study Guide

Objectives:
- Definition and Types of Scanning
- Understanding CEH Scanning Methodology
- Checking Live Systems and Open Ports
- Understanding Scanning Techniques
- Different Tools Present to Perform Scanning
- Understanding Banner Grabbing and OS Fingerprinting
- Drawing Network Diagrams and Vulnerable Hosts
- Preparing Proxies
- Understanding Anonymizers
- Scanning Countermeasures
- Scanning Pen Testing
Definitions and Types of Scanning

Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer.

- Port Scan: An attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.
- Network Scan: Identifies active hosts on a network.
- Vulnerability Scan: Designed to assess computers, computer systems, networks or applications for weaknesses.

Understanding CEH Scanning Methodology

1. Check for Live Systems
2. Check for Open Ports
3. Banner Grabbing
4. Scan for Vulnerability
5. Draw Network Diagrams
6. Prepare Proxies
Checking Live Systems and Open Ports

ICMP Scanning: During most ping scans using ICMP, an ICMP_ECHO datagram is sent to the remote computer to determine whether it has an active IP or not. If all is well, the computer that sent the ICMP_ECHO packet will receive an ICMP_ECHO_REPLY packet, which means that the host computer is up and alive. If no response is received, it usually means that the host computer is down or an administrator is filtering the reply from the host.

Ping Sweeps: are used to determine live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts; if they are alive they will respond with an ICMP ECHO reply. It can be used to create an inventory of live systems on a network. The simplest tool to do this is the ping command, which comes with most *nix systems and Windows systems alike.

TCP Three Way Handshake

To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:

1. SYN: The active open is performed by the client sending a SYN to the server. It sets the segment's sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number, i.e. B + 1.

At this point, both the client and server have received an acknowledgment of the connection.

If that didn't sink in, here's another way of thinking about it. The Three Way Handshake is a lot like a phone call. You dial the number (the initial connection, SYN), the recipient picks up the phone and says "hello, this is Bill" (SYN/ACK), and you respond "Hi there" (ACK). From there you two talk. Each part of the conversation is broken down into sentences, if you will. As the two of you transfer data, those sentences are passed back and forth with the ACK/PSH and ACK flags set (lots of ACKs). In between there are a bunch of ACK/PSHs and ACKs as you two chat. At the end of the conversation one of you says "well, I gotta go" (FIN), the other person says "ok, see you" (FIN/ACK), you say "Bye" (ACK), and the conversation closes by you both putting the phone down.
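The handshake above, modelled in Python as an added example (this is not code from the study guide): the two sides exchange the seq/ack values A, A + 1, B and B + 1 exactly as listed, and a second run stops after the SYN-ACK with an RST, which is what the half-open scan described later in this module does, so you can see why the server's application log only records the full connect. The Segment and Endpoint types and the sample initial sequence numbers are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One TCP segment, reduced to the header fields the handshake uses."""
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK", "RST"}
    seq: int
    ack: int = 0


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    isn: int = 0              # initial sequence number this side chose
    peer_isn: int = 0         # initial sequence number learned from the peer
    app_log: list = field(default_factory=list)   # what the application layer sees


def passive_open(server):
    """The server binds to a port and waits for connections (passive open)."""
    server.state = "LISTEN"


def active_open(client, server, isn_a):
    """Step 1: the client sends a SYN carrying its random sequence number A."""
    client.isn = isn_a
    client.state = "SYN-SENT"
    return Segment(client.name, server.name, frozenset({"SYN"}), seq=isn_a)


def server_receive(server, seg, isn_b):
    """Server side of steps 2 and 3; returns the reply segment or None."""
    if server.state == "LISTEN" and seg.flags == {"SYN"}:
        # Step 2: SYN-ACK with its own random number B, acknowledging A + 1.
        server.peer_isn, server.isn = seg.seq, isn_b
        server.state = "SYN-RECEIVED"
        return Segment(server.name, seg.src, frozenset({"SYN", "ACK"}),
                       seq=isn_b, ack=seg.seq + 1)
    if server.state == "SYN-RECEIVED":
        if "RST" in seg.flags:
            # Half-open probe: the embryonic connection is torn down before the
            # application ever accepts it, so nothing reaches the application log.
            server.state = "LISTEN"
            return None
        if seg.flags == {"ACK"} and seg.ack == server.isn + 1 \
                and seg.seq == server.peer_isn + 1:
            # Step 3 completed: only now does the application see a connection.
            server.state = "ESTABLISHED"
            server.app_log.append("accepted connection from " + seg.src)
            return None
    return Segment(server.name, seg.src, frozenset({"RST"}), seq=0)


def client_receive(client, seg, complete):
    """Client side of step 3: ACK (full connect) or RST (half-open exchange)."""
    if client.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"} \
            and seg.ack == client.isn + 1:
        client.peer_isn = seg.seq
        if complete:
            client.state = "ESTABLISHED"
            return Segment(client.name, seg.src, frozenset({"ACK"}),
                           seq=client.isn + 1, ack=seg.seq + 1)
        client.state = "CLOSED"
        return Segment(client.name, seg.src, frozenset({"RST"}), seq=client.isn + 1)
    return None


def run_handshake(complete=True, isn_a=1000, isn_b=5000):
    """Run a full connect (complete=True) or a half-open exchange (complete=False).
    The ISNs are constructed sample values; a real stack picks them randomly."""
    client, server = Endpoint("client"), Endpoint("server")
    passive_open(server)
    syn = active_open(client, server, isn_a)
    synack = server_receive(server, syn, isn_b)
    third = client_receive(client, synack, complete)
    server_receive(server, third, isn_b)
    # "wire" is what a firewall or IDS between the two hosts would see.
    return {"client": client.state, "server": server.state,
            "app_log": server.app_log, "wire": [syn, synack, third]}


if __name__ == "__main__":
    for mode in (True, False):
        r = run_handshake(complete=mode)
        print("full connect:" if mode else "half-open:", r["server"], r["app_log"])
        for s in r["wire"]:
            print("  ", s.src, "->", s.dst, sorted(s.flags), "seq", s.seq, "ack", s.ack)
```

Both runs put the same SYN and SYN-ACK on the wire, which is why detecting half-open probes has to happen at the firewall or IDS rather than in application logs.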
Hping2 / Hping3

Hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time. Like most tools used in computer security, hping is useful to security experts, but there are a lot of applications related to network testing and system administration.

Understanding Scanning Techniques

(-s*) = Switches used in Nmap. This is Zenmap, which is the front-end GUI for nmap, very helpful for learning the switches.
TCP Connect / Full Open Scan (-sT)

The TCP connect scan is named after the connect call that's used by the operating system to initiate a TCP connection to a remote device. Unlike the TCP SYN scan (-sS), the TCP connect scan uses a normal TCP connection to determine if a port is available. This scan method uses the same TCP handshake connection that every other TCP-based application uses on the network. This scan is very noisy on a network and highly detectable through application event logs. It might be considered the TCP scan of last resort. If privileged access isn't available and determination of open TCP ports is absolutely necessary, this scan may be the only method available.

Stealth Scan (Half-Open Scan) (-sS)

The TCP SYN scan uses common methods of port-identification that allow nmap to gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning. The SYN scan is a common scan when looking for open ports on a remote device, and its simple SYN methodology works on all operating systems. Because it only half-opens the TCP connections, it's considered a very clean scan type. The TCP SYN scan never actually creates a TCP session, so it isn't logged by the destination host's applications. This is a much "quieter" scan than the TCP connect scan, and there's less visibility in the destination system's application logs since no sessions are ever initiated.

The SYN Scan requires privileged access to the system. Without privileged access nmap cannot create the raw packets necessary for this half-open scan. The SYN scan only provides open, closed, or filtered port information. To determine operating system or process version information, more intrusive scanning is required, such as the version scan (-sV) or the operating system fingerprinting (-O) option.

Xmas Scan (-sX), FIN Scan (-sF), and NULL Scan (-sN)

These three scans are grouped together because their individual functionality is very similar. These are called "stealth" scans because they send a single frame to a TCP port without any TCP handshaking or additional packet transfers. This is a scan type that sends a single frame with the expectation of a single response. The differences between them are how the TCP flags are set:

- Xmas: FIN/URG/PUSH flags set
- FIN: FIN flag set
- Null: No flags set

The XMAS Scan (-sX) sends a TCP frame to a remote device with the FIN, URG, and PUSH flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.
The FIN Scan (-sF)

The TCP FIN scan identifies listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection may exist before these close requests are made). This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag combination on. The TCP packets used in this scan include only the TCP FIN flag setting.
The Null Scan (-sN)

The Null Scan is a type of TCP scan that hackers, both ethical and malicious, use to identify listening TCP ports. In the right hands, a Null Scan can help identify potential holes for server hardening, but in the wrong hands, it is a reconnaissance tool. It is a pre-attack probe. A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn't contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags.

The expected result of a Null Scan on an open port is no response. Since there are no flags set, the target will not know how to handle the request. It will discard the packet and no reply will be sent. If the port is closed, the target will send an RST packet in response.

The IDLE Scan

The IDLE scan (-sI) is the ultimate stealth scan but can be more time consuming. You also need to locate a zombie workstation/network device that is IDLE, hence the name. If the zombie is not idle and has other network traffic, it will bump up its IP ID sequence and disrupt the scan logic. The lower the latency between the attacker and the zombie, and between the zombie and the target, the faster the scan will proceed. Simple network devices such as printers often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IP ID traffic detection.

Open Port: Using a spoofed zombie IP address you will send a SYN packet to the target; if the target's port is open, it will send a SYN/ACK to the zombie. The zombie will respond to the SYN/ACK with a RST packet, bumping up its IP ID by 1.

Closed Port: If the port is closed, your SYN packet spoofing the zombie's IP address will cause the target machine to respond with a RST packet. The zombie will not respond to the RST packet, and the IP ID will not be incremented.

ICMP Echo Scanning / List Scan

The ICMP Echo scan (-sP) is the most simplistic discovery method and the easiest to detect. By sending a series of ICMP echo request (ICMP type 8) packets to various IP addresses, a hacker can determine which systems are active (or "alive"). Knowing that Intrusion Detection Systems (IDSs) are designed to catch this type of discovery sequence, hackers vary the destination devices or delay the ping interval by minutes, hours, or even days.
-sL (List Scan)

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

SYN/FIN Scanning Using IP Fragments (-f)

Fragmentation scanning: This is not a new scanning method in and of itself, but a modification of other techniques. Instead of just sending the probe packet, you break it into a couple of small IP fragments. You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The -f instructs the specified SYN or FIN scan to use tiny fragmented packets.
UDP Scanning

This scanning method varies from the above in that we are using the UDP protocol instead of TCP. While this protocol is simpler, scanning it is actually significantly more difficult. This is because open ports don't have to send an acknowledgement in response to our probe, and closed ports aren't even required to send an error packet. Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port. Thus you can find out if a port is NOT open, and by exclusion determine which ports are. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).

Also, you will need to be root for access to the raw ICMP socket necessary for reading the port unreachable. The -u (UDP) option of nmap implements this scanning method for root users.

Some think UDP scanning is pointless; however, you may come across holes where services are running on undocumented higher UDP ports. While some lower ports may be blocked, you may be successful with scanning higher ports.
Inverse TCP Flag Scanning

Filtering and other security systems such as firewalls and IDS can detect SYN packets, and there are programs available that can detect half-open SYN Flag scan attempts as well. Probe packets with strange TCP Flags set can sometimes pass through undetected, depending on the security mechanisms in place. To take advantage of this feature, attackers send TCP probe packets with various TCP flags set. Three types of probe packet flag configurations are normally used:

- A FIN probe with the FIN TCP flag set
- An XMAS probe with the FIN, URG, and PUSH TCP flags set
- A NULL probe with no TCP flags set

RFC standard 793 states that if no response is seen from the target port, either the port is open or the server is down. RFC 793 states that if a port is closed on a host, an RST/ACK packet should be sent to reset the connection. A TCP probe packet is sent to each port of the target host; it sends garbage that usually won't be picked up to each port. This scanning method isn't necessarily the most accurate, but it is stealthy. Using malformed TCP flags to probe a target is known as an inverted technique because responses are sent back only by closed ports.

For all closed ports on the target host, RST/ACK packets are received. However, some operating platforms (such as those in the Microsoft Windows family) disregard the RFC 793 standard, so no RST/ACK response is seen when an attempt is made to connect to a closed port. Hence, this technique is effective against some Unix-based platforms. This technique exploits vulnerabilities within the BSD-derived TCP/IP stack and is therefore only effective against certain operating systems and platforms.

ACK Flag Scanning (-sA)

A stealthy technique is that of identifying open TCP ports by sending ACK probe packets and analyzing the header information of the RST packets received from the target host. There are two main ACK scanning techniques:

- Analysis of the time-to-live (TTL) field of received packets
- Analysis of the WINDOW field of received packets

For example, the TTL value can be used as a marker of how many systems the packet has hopped through. These techniques can also check filtering systems and complicated networks to understand the processes packets go through on the target network.
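An added example (not code from the guide) that turns the flag rules from the Xmas/FIN/NULL and inverse-flag sections into a detection check: it decodes the flags byte of each packet record and labels the combinations that no legitimate TCP stack ever sends, which is exactly what a firewall or IDS should alert on. The log line format and the addresses are constructed for the example.

```python
import re

# TCP flag bits as laid out in the flags byte (low bit first).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
XMAS = FIN | PSH | URG          # 0x29 = 00101001, the "Christmas tree" pattern

# Labels a firewall or IDS should alert on: no legitimate stack emits these.
PROBE_LABELS = {"null-probe", "fin-probe", "xmas-probe",
                "illegal-syn-combo", "payload-flags-without-ack"}


def decode_flags(byte):
    """Turn a flags byte into the list of set flag names, e.g. 0x29 -> FIN, PSH, URG."""
    return [name for bit, name in FLAG_NAMES if byte & bit]


def classify(byte):
    """Label one flags byte. The first three labels are the scans in the text."""
    if byte == 0:
        return "null-probe"            # -sN: no flags at all
    if byte == XMAS:
        return "xmas-probe"            # -sX: FIN/URG/PSH and nothing else
    if byte == FIN:
        return "fin-probe"             # -sF: a FIN with no ACK, i.e. no session
    if byte & SYN and byte & (FIN | RST):
        return "illegal-syn-combo"     # SYN never travels with FIN or RST
    if byte & (FIN | PSH | URG) and not byte & ACK:
        return "payload-flags-without-ack"  # data or close on a session that cannot exist
    if byte == SYN:
        return "syn"                   # normal connection start (or a -sS probe: needs rate analysis)
    if byte == ACK:
        return "ack-only"              # normal mid-stream, or a -sA probe if no session matches
    return "normal"


# Constructed record format (not any real firewall's): "<src> > <dst>:<dport> flags=0x<hex>"
LINE_RE = re.compile(r"^(\S+) > (\S+):(\d+) flags=0x([0-9a-fA-F]{2})$")


def audit(lines):
    """Return one alert per record whose flags can only have come from a probe."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip records that are not in the expected format
        src, dst, dport, flags = m.group(1), m.group(2), int(m.group(3)), int(m.group(4), 16)
        label = classify(flags)
        if label in PROBE_LABELS:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "flags": decode_flags(flags), "label": label})
    return alerts


# Constructed sample: one scanning host (203.0.113.5) and one normal client (198.51.100.7).
SAMPLE_LINES = [
    "203.0.113.5 > 192.0.2.10:22 flags=0x00",     # NULL probe
    "203.0.113.5 > 192.0.2.10:80 flags=0x29",     # Xmas probe
    "203.0.113.5 > 192.0.2.10:443 flags=0x01",    # FIN probe
    "203.0.113.5 > 192.0.2.10:25 flags=0x03",     # SYN+FIN, never legitimate
    "198.51.100.7 > 192.0.2.10:443 flags=0x02",   # normal SYN
    "198.51.100.7 > 192.0.2.10:443 flags=0x18",   # PSH/ACK data segment
    "198.51.100.7 > 192.0.2.10:443 flags=0x11",   # FIN/ACK orderly close
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_LINES):
        print(alert)
```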
Different Tools Present to Perform Scanning

IP Fragmentation tools: Fragtest and Fragroute, for fragmenting probe packets.

Nmap: Free, open source utility for network exploration/mapping. Nmap will extract information such as:
- Live hosts on a network
- Services (application names and versions)
- Operating Systems (OS versions)
- Type of packet filters/firewalls

SuperScan: is a powerful TCP port scanner that includes a variety of additional networking tools like ping, traceroute, HTTP HEAD, WHOIS and more. It uses multi-threaded and asynchronous techniques, resulting in extremely fast and versatile scanning.

Understanding Banner Grabbing and OS Fingerprinting

OS Fingerprinting determines what operating system is running on a remote target system. Responses from different Operating Systems vary due to differences in TCP/IP stack implementation. There are two types of OS Fingerprinting: Active and Passive.

Active OS Fingerprinting uses specially crafted packets sent to the remote OS, and the response is compared with a database to determine the OS.

Passive OS Fingerprinting uses sniffing techniques to capture packets flowing from the system. Captured packets are then analyzed for OS information. It is also based on variations of how the TCP/IP stack is implemented.

Banner Grabbing

Banner Grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.

A telnet client can be used for banner grabbing: telnet [target ip or URL] [port], e.g. telnet www.victim.com 80. You may then use GET or HEAD commands in your telnet session; the HEAD command will suffice for fingerprinting, e.g. HEAD / HTTP/1.0

Banner grabbing from error pages: Typing in a URL that does not exist on a server can result in an error page listing server information.
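An added example (not the guide's own code) of the passive side described above: inferring the initial TTL, the hop count and a coarse OS family from the TTL and window size of captured SYNs, the two header fields the ACK-scan section also names. The signature table and the capture line format are assumptions for the illustration; real passive fingerprinters such as p0f and Nmap's database compare many more header fields.

```python
import re

# Initial TTL values that common stacks start from; each router decrements by one.
INITIAL_TTLS = (64, 128, 255)

# Illustrative signatures only (assumed for this example): (initial TTL, SYN window).
SIGNATURES = {
    (64, 29200): "Linux",
    (64, 65535): "BSD/macOS",
    (128, 8192): "Windows (older)",
    (128, 65535): "Windows",
}


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed value.
    Ambiguity caveat: an observed 60 is assumed to be 64 - 4, not 128 - 68;
    paths longer than 64 hops are rare enough that the nearest band is used."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % observed_ttl)
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial


def hop_count(observed_ttl):
    """How many routers the packet crossed, as the text uses the TTL marker."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def fingerprint(ttl, window):
    """Coarse passive fingerprint from one SYN's TTL and window size."""
    initial = infer_initial_ttl(ttl)
    return {"initial_ttl": initial, "hops": initial - ttl,
            "os_guess": SIGNATURES.get((initial, window),
                                       "unknown (initial TTL %d)" % initial)}


# Constructed capture line format (not real traffic): "<src> -> <dst> [S] ttl=<n> win=<n>"
LINE_RE = re.compile(r"^(\S+) -> (\S+) \[S\] ttl=(\d+) win=(\d+)$")


def inventory(lines):
    """Passive inventory: one entry per source host, taken from its first SYN.
    Only the SYN's window is used, since window scaling changes later values."""
    hosts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, ttl, win = m.group(1), int(m.group(3)), int(m.group(4))
        hosts.setdefault(src, fingerprint(ttl, win))
    return hosts


SAMPLE_LINES = [
    "192.0.2.21 -> 192.0.2.10 [S] ttl=64 win=29200",      # same segment, 0 hops
    "198.51.100.7 -> 192.0.2.10 [S] ttl=116 win=65535",   # 12 hops, Windows-like
    "203.0.113.5 -> 192.0.2.10 [S] ttl=52 win=65535",     # 12 hops, BSD-like
    "203.0.113.9 -> 192.0.2.10 [S] ttl=240 win=4096",     # started at 255: router/embedded
]

if __name__ == "__main__":
    for host, info in inventory(SAMPLE_LINES).items():
        print(host, info)
```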
Drawing Network Diagrams and Vulnerable Hosts

Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited. Scanning tools: Saint, Nessus and Core Impact.

Network Diagrams: The physical network topology can be directly represented in a network diagram, as it is simply the diagram with network nodes and connections as undirected or directed edges (depending on the type of connection). The logical network topology can be inferred from the network diagram if details of the network protocols in use are also given.

Preparing Proxies

Proxy Server: a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server requesting some service, such as a file, connection, web page, or other resource available from a different server. The proxy server then evaluates the request according to its filtering rules. There are thousands of free public proxy servers that are easily found on google. Attackers use them for scanning and attacking anonymously.

SocksChain is a program that allows a user to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address.
TOR (The Onion Routing) Proxy Chaining software

Tor is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. Using Tor makes tracing Internet activity, including "visits to Web sites, online posts, instant messages and other communication forms", to the user more difficult. It is intended to protect users' personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored. The software is open-source and the network is free of charge to use.

HTTP Tunneling

HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed an HTTP Tunnel. HTTP Tunnel software consists of client-server HTTP Tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted network connectivity, including firewalled networks and networks behind proxy servers.

SSH tunneling

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser to the local port at http://localhost/.

SSL Proxy

You probably know secure HTTP from secure websites. Say you want to operate a secure web server but have only a normal server. SSL Proxy can be your solution: it's plugged into the connection between the client and the server and adds Secure Socket Layer (SSL) support. Or the other way around: you have an ordinary telnet client but want to connect to a secure site. That's what SSL Proxy can do for you. Just start SSL Proxy with the appropriate parameters and you're good to go.

Understanding Anonymizers

Anonymizer: An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information.
IP Address Spoofing

IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

Scanning Countermeasures

Ethical hackers use their tool set to test the scanning countermeasures that have been implemented. Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the port scanning activity. The firewall should be able to detect the probes sent by port-scanning tools. The firewall should carry out stateful inspections, which means it examines the data of the packet and not just the TCP header to determine whether the traffic is allowed to pass through the firewall. Network IDS should be used to identify the OS-detection method used by some common hackers' tools, such as Nmap. Only needed ports should be kept open; the rest should be filtered or blocked. The staff of the organization using the systems should be given appropriate training on security awareness.
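The countermeasure above says the firewall or IDS should detect port-scanning probes. The script below is an added example (not part of this study guide or of any firewall product) of what that detection looks like on the log side: it reads firewall log lines and flags any source address that touches many distinct destination ports within a short sliding window. The log format and the sample lines are constructed for the example; a real firewall's format will differ, and only the parser needs to change.

```python
"""Port-scan detection over firewall log lines (added example).

Flags a source IP that probes many distinct destination ports within a short
window, the pattern a stateful firewall or network IDS should surface.
The log format and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp, action, src, dst, dport).
# 203.0.113.7 sweeps ten ports in four seconds; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 DROP src=203.0.113.7 dst=192.0.2.10 dport=21
2024-03-01T10:00:00 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2024-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2024-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=80
2024-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=110
2024-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=143
2024-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=445
2024-03-01T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-03-01T10:00:05 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2024-03-01T10:00:09 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2024-03-01T10:00:12 DROP src=198.51.100.4 dst=192.0.2.10 dport=22
2024-03-01T10:30:00 DROP src=203.0.113.7 dst=192.0.2.10 dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, action, src, dst, dport), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"], int(m["dport"]))


def detect_port_scans(log_text, window=timedelta(seconds=10), min_ports=8):
    """Return {src: sorted distinct ports} for every source that hit at least
    `min_ports` distinct destination ports inside some `window`-long span."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than crash
        ts, _action, src, _dst, dport = parsed
        events[src].append((ts, dport))

    suspects = {}
    for src, hits in events.items():
        hits.sort()
        best = set()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span [start, end] fits in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {dport for _ts, dport in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            suspects[src] = sorted(best)
    return suspects


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} distinct ports {ports}")
```

The threshold and window are the knobs to tune against a real network's baseline: a low `min_ports` catches slower scans but also flags legitimate multi-service clients, which is exactly the trade-off the text's advice to test the firewall with a scanner is meant to surface.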
War Dialing Countermeasure

War Dialing is the technique of using a special program with a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers. When hackers target companies, one of the first things they do is war dial the central office near the company. Companies rarely control the dial-in ports as strictly as the firewall, and machines with attached modems are sprinkled throughout the company on people's desktop computers and special-purpose computers that communicate with partners.

War Dialing Tools: WarVOX, PhoneSweep, and ToneLoc
Tool to detect War Dialing: Sandtrap

Scanning Pen Testing

1. Perform Host discovery (Nmap, Angry IP Scanner, etc.)
2. Perform Port scanning (Nmap, Netscan, UDP Scanner, etc.)
3. Perform Banner Grabbing/OS Fingerprinting (Telnet, Netcraft, Error Pages, etc.)
4. Scan for vulnerabilities (SAINT, Core Impact, Nessus)
5. Draw Network Diagrams (LAN Surveyor, Ipsonar)
6. Prepare Proxies (Proxifier, SocksChain, SSL Proxy)
7. Document all findings
Module 4 Enumeration Study Guide

Objectives:
- Enumeration Defined
- Techniques for Enumeration
- NetBIOS Enumeration
- User Account Enumeration
- SNMP Enumeration
- Unix/Linux Enumeration
- LDAP / Active Directory
- NTP Enumeration
- SMTP and DNS Enumeration
- Enumeration Countermeasures
Enumeration Defined

Enumeration is the process of extracting user names, machine names, network resources, and lists of services from a target environment. This step in the methodology is often carried out along with scanning. As your information comes in from your various tests and sources it is imperative to document everything. Enumeration often comes into play when a hacker has worked themselves into a place on the network, such as on an intranet.

Techniques for Enumeration

The techniques listed below are used to gather username information or network device information. In order to create a clearer picture of a target, multiple methods are commonly used together.

NetBIOS Enumeration

NetBIOS refers to an older method of communication over a network to control sessions. This is still commonly used over TCP/IP. The name service keeps a list of computers that belong to a domain. If services that are used contain NetBIOS names, this may allow a hacker to create a list of computers in the network. For example, running the psexec tool can be used to list ipconfig output from all the computers on the domain.

User Account Enumeration

Creating a list of user accounts is often necessary for a hacker. User accounts can be found on a local machine or in a domain structure.
SNMP Enumeration

The Simple Network Management Protocol is intended to be used to remotely monitor devices on a network using TCP/IP. Using this protocol an attacker can extract information, especially if the default public and private community names are still in use. Most network monitoring software can be used in this manner.

Unix/Linux Enumeration

These systems have some standard commands for finding information on the network. The showmount command finds shared directories. The finger command can be used to list user, host, and other information on a system. rpcclient and rpcinfo can be used to determine usernames and applications communicating over the network.

LDAP Enumeration

Lightweight Directory Access Protocol is a method used to access listings in an Active Directory type environment. Using a tool such as JXplorer a hacker can attach to a directory and read the contents in a very manageable form.

NTP Enumeration

Using the Network Time Protocol on UDP 123, computers on a network can be kept in sync with the NTP server. This also allows for tools to scan and determine if this port is open on target systems.
SMTP Enumeration

The Simple Mail Transfer Protocol was not built with security in mind. Accessing a server with SMTP port 25 open can be a very simple process. The SMTP server provides feedback about email addresses as they are given to the service; this can be used to verify newly found email addresses.

DNS Enumeration

The Domain Name service provides a translation for IP addresses that devices use on a network into words that are better understood and remembered by humans. If configured incorrectly it is possible for an attacker to use this service to enumerate all the systems on a network. From the command line the syntax is: host -l <domain name> <ip address or dns name of DNS server>. The nslookup command can also be used to enumerate hosts.

Enumeration Countermeasures

As always, only use services that are necessary for a system. If you do not need SNMP, NTP, SMTP, or LDAP, keep them disabled. You should always change default passwords on accounts, even on network devices such as routers, switches, and gateways. Restrict information from being accessed by anonymous connections. Test configurations of DNS and SMTP servers to ensure they are configured properly and are only accessed by systems and users who have been authenticated.
Module 5 System Hacking Study Guide

Objectives:
- Introduction to System Hacking
- Password Cracking
- Password Cracking Techniques
- Types of Password Attacks
- Automatic Password Cracking Algorithm
- Privilege Escalation
- Executing Applications
- Keylogger
- Spyware
- Rootkits
- Detecting Rootkits
- NTFS Data Stream
- What is Steganography
- Steganalysis
- Covering Tracks
Introduction to System Hacking

Stages of hacking and where System Hacking comes in:
1. Footprinting - IP ranges, Namespace, Employee Web Usage
2. Scanning - Target assessment, Identification of Systems, Identification of services
3. Enumeration - Intrusive probing, User lists, Security flaws
4. System Hacking - a) Gaining Access (Cracking Passwords, Escalating Privileges) b) Maintaining Access (Executing Applications, Hiding Files) c) Clearing logs (Covering Tracks)

Password Cracking

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Password complexity is crucial in the defense against password cracking.

Password Cracking Techniques

Dictionary Attacks - A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values), typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack) or a bible. A dictionary attack tries only those possibilities which are most likely to succeed. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer).
Brute Forcing Attacks - Brute forcing, or exhaustive key search, is a strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in an encryption system that would otherwise make his/her task easier. It involves systematically checking all possible keys until the correct key is found.

Syllable Attack - It is the combination of brute force and dictionary attacks. This can be effective for non-existent words.

Rule-based Attack - Used when an attacker gains some information, usually following some form of enumeration that has identified the password policy in place. This allows the attacker to customize the cracking tools to be used.

Hybrid Attack - A Hybrid Attack builds on the dictionary attack method by adding numerals and symbols to dictionary words.

Types of Password Attacks

Passive Online Attacks
- Wire Sniffing - Packet sniffing tools can be run on a LAN to access and record raw network traffic.
- Man-in-the-Middle (MITM) attack - A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
- Replay Attack - This is an attack where an authentication session is captured by a sniffer, then replayed by an attacker to fool a computer into granting access.

Active Online Attacks
- Trojans/Spyware/Keyloggers
  a) Trojans can be used to gain access to computers and phone home to an attacker, giving them remote control of the system
  b) Spyware is a type of malware that can be installed on computers to collect pieces of information about users without their knowledge
  c) Keyloggers are a type of spyware that runs in the background and allows recording of keystrokes
- Hash Injection Attack - An attacker injects a compromised hash into a local session and uses the hash to validate and gain access to network resources

Rainbow Attacks: Pre-Computed Hash
1. Rainbow table - A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes
2. Computed Hashes - Computes the hash for a list of possible passwords and then compares it with the precomputed hash table. If a match is found then the password is cracked
3. Compare the Hashes - It is easy to recover passwords by comparing the captured password hashes to the precomputed tables

Distributed Network Attack (DNA) - A technique used to recover password protected files. In the past, recoveries have been limited to the processing power of one machine. DNA uses the power of machines across the network or across the world to decrypt passwords.

Non-Electronic Attacks
- Social Engineering - The art of manipulating people into performing actions or divulging confidential information, in contrast to breaking in or using technical cracking techniques.
- Shoulder surfing - Unauthorized viewing of either the user's keyboard or screen while he/she is logging in.
- Dumpster Diving - Searching for sensitive information in residential or commercial trash bins, printer trash bins, or at a user's desk.
Automatic Password Cracking Algorithm

1. Find a valid user
2. Find encryption algorithm used
3. Obtain encrypted passwords
4. Create list of possible passwords
5. Encrypt each word
6. See if there is a match for each user ID
7. Repeat steps 1 through 6

Most systems do not "decrypt" the stored password during authentication, but store the one-way hash. During the login process, the password entered is run through the algorithm generating a one-way hash and compared to the hash stored on the system. If they are the same, it is assumed the proper password was supplied. The vulnerability does not arise from the hashing process but from the storage. Therefore all that an attacker has to do in order to crack a password is to get a copy of the one-way hash stored on the server and then use the algorithm to generate his/her own hashes until they get a match.

Privilege Escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
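The login flow described above (hash the entered password, compare with the stored hash) is the same whether the storage is weak or strong; what decides whether a stolen hash is useful against precomputed tables is the storage format. The code below is an added example, not from this study guide, contrasting a bare one-way hash with a per-user random salt plus an iterated key-derivation function (PBKDF2 from Python's standard library). Function names and the iteration count are this example's own choices.

```python
"""Salted, iterated password storage versus a bare one-way hash (added example).

Shows the verification flow the text describes and why a per-user random
salt matters: without it, identical passwords yield identical hashes, so one
precomputed table serves against every stolen hash at once.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor (example value); raise as hardware allows


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare one-way hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a stored credential: random 16-byte salt plus PBKDF2-HMAC-SHA256 digest.
    A fixed salt may be passed only to make tests deterministic."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time,
    so a timing difference does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_collides(password: str, salted: bool) -> bool:
    """True if two users who pick the same password end up with the same stored hash.
    Unsalted storage always collides; salted storage (random salts) does not."""
    if salted:
        return make_record(password)["hash"] == make_record(password)["hash"]
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("login with right password:", verify(rec, "correct horse battery staple"))
    print("login with wrong password:", verify(rec, "Correct horse battery staple"))
    print("unsalted: same password -> same hash:", same_password_collides("winter2024", salted=False))
    print("salted:   same password -> same hash:", same_password_collides("winter2024", salted=True))
```

The salt removes the precomputation advantage (each stored hash needs its own table), and the iteration count makes every guess, dictionary or brute-force, proportionally more expensive; together they address the storage weakness the passage names without touching the login flow itself.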
Executing Applications

Attackers execute malicious applications in this stage. This is called owning the system.

Keylogger

Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.

Spyware

Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs.
Rootkits

Rootkits are kernel programs that have the ability to hide themselves and cover up traces of their activities. They replace certain operating system calls and utilities with their own modified versions of those routines. Kernel rootkits can be especially difficult to detect and remove because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. In this situation, no part of the system can be trusted. Any software, such as antivirus software, running on the compromised system is equally vulnerable. The attacker acquires root access to the system by installing a virus, Trojan, or spyware in order to exploit it. Rootkits allow the attacker to maintain hidden access to the system.

Detecting Rootkits
- Integrity Based Detection - Compares a snapshot of file systems, boot records, or memory with a known trusted baseline.
- Signature Based Detection - This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
- Heuristic Detection - It looks for deviations from normal system patterns and behavior to find unidentified rootkits based on their execution path.
- Cross View based Detection - This compares "trusted" raw data with "tainted" content returned by an API (Application Programming Interface).
NTFS Data Stream

NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, size, and access and modification time of the files. ADS has the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities. ADS allow an attacker to inject malicious code on a breached system and execute it without being detected by the user.

What is Steganography?

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganography because of their large size. Subtle changes in a large file can easily go unnoticed.

Steganalysis

The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.
Covering Tracks
- Remove activity tracks
- Remove web activity tracks such as MRU (Most Recently Used), cookies, cache, temporary files, and history
- Disable Auditing - use Auditpol
- Tamper log files - modify event log files, server log files, and proxy log files by log poisoning or flooding
- Close all remote connections to the victim machine
- Close any opened port
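The log-tampering item in the list above is what a tamper-evident log is designed to expose. The code below is an added example, not from this study guide, of the simplest such design: every record stores the hash of the record before it, so deleting, editing or reordering entries after the fact breaks the chain at the first altered record and a verifier can say where. The record format and the sample events are constructed for the example.

```python
"""Tamper-evident log via hash chaining (added example).

Each record carries the hash of the previous record; any edit, deletion or
reordering after the fact breaks the chain at the first altered record.
Format and sample events are constructed for this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # link value for the very first record


def _digest(prev_hash, entry):
    """Hash the previous link together with a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_record(chain, entry):
    """Append an entry (a dict) to the chain, linking it to the previous record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev, "hash": _digest(prev, entry)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if every link and digest checks out, otherwise
    (False, index) where index is the first record that does not."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


# Constructed sample events: a normal login, two failures against "admin", then a success.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "event": "login_success", "user": "alice", "src": "198.51.100.4"},
    {"ts": "2024-03-01T10:02:13", "event": "login_failure", "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-03-01T10:02:15", "event": "login_failure", "user": "admin", "src": "203.0.113.7"},
    {"ts": "2024-03-01T10:02:20", "event": "login_success", "user": "admin", "src": "203.0.113.7"},
]


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, dict(event))  # copy, so later edits never alias the samples
    return chain


def tampered_chain():
    """A chain from which one of the login_failure records has been deleted."""
    chain = build_sample_chain()
    del chain[2]
    return chain


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("record deleted:", verify_chain(tampered_chain()))
    edited = build_sample_chain()
    edited[1]["entry"]["user"] = "guest"
    print("record edited:", verify_chain(edited))
```

Someone who can rewrite the log file can also rewrite the chain, so the scheme only becomes evidence when the latest link is regularly shipped off the host (to a remote collector or write-once storage) and compared against the local chain; the chain then pins down the point of divergence rather than merely the fact of it.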
Module 6 Trojans and Backdoors Study Guide

Objectives:
- What is a Trojan?
- Overt and Covert Channels
- Purpose of Trojans
- Indications of a Trojan Attack
- Common Ports Used By Trojans
- How to Infect Systems Using Trojans
- Types of Trojans
- How to Detect Trojans
- Evading Anti-Virus Techniques
- Trojan and Backdoor Countermeasures
What is a Trojan?

A Trojan is a remote access tool disguised as a different piece of software. Trojans are set apart from other types of malware by the ability to phone home and allow a hacker to access a system in real time. Trojans are a multi-purpose tool of hackers, used for many different types of attacks. They can be used to obtain sensitive information such as passwords or to further open a computer for other attacks.

Overt and Covert Channels

Overt channels are those used in legitimate data traffic such as HTTP traffic over port 80. Covert channel communication takes place over channels that are not intended for data traffic or by hiding information that violates security policy in an overt channel.

Purpose of Trojans

Trojans allow a hacker to control a compromised computer just as if they had physical access. An attacker may use a Trojan for a specific purpose or for going after specific information. It is also possible to use a Trojan for information gathering at first and then make the compromised system available to other hackers for use as a zombie or proxy.
Indications of a Trojan Attack

Almost any odd or unexpected behavior of a system could be linked to an infiltration by a Trojan. The possibilities are endless. Many also have the ability to kill the task manager and msconfig processes in order to keep their processes from being disabled. The only guaranteed method of removing a Trojan is to reinstall the OS from known good media.

Common Ports Used By Trojans

In the past Trojans used specific ports such as 31337 for Back Orifice and 12345 for Netbus. These ports can be found with a Google search. However, it is common to use common ports in a covert manner as well.

How to Infect Systems using Trojans

When a Trojan is written, the malicious code is inserted into some sort of wrapper that disguises the code as something benign like a harmless jpg file or simple game. Once the Trojan is wrapped it can be placed on a website to be downloaded, emailed as an attachment, or placed on a USB stick or CD. A CD/USB stick can be configured to autorun so that when an attacker intentionally leaves media for others to find, the person who finds the attacker's media will try to see what is on that mysterious CD or USB stick and unknowingly install the attacker's Trojan.
Types of Trojans

Trojans can be used over many different protocols, are delivered in numerous ways, and can be written with pinpoint target accuracy. These many faces of Trojans represent the different types listed in the CEH courseware.

By Method: Trojans that use a specific method of communication or deployment:
- VNC
- HTTP/HTTPS
- ICMP
- Command Shell
- Document
- Covert Channel
- Email
- FTP
- SPAM

Trojans that have specific targets:
- Credit Card Trojans
- E-banking Trojans
- Mobile Trojans
- MAC OS X Trojans
Trojans that have a specific payload or create a payload:
- Data hiding (encrypts data, sometimes ransoms the ability to decrypt the data to the victim) (Ransomware)
- Destructive
- Botnet Trojan
- Proxy Server Trojan
- Defacement Trojan

How to Detect Trojans

Detecting Trojans relies on having a baseline to compare suspicious behavior against. Trojans can cause suspicious traffic on open ports, create registry entries, files, or folders, or show up as newly installed programs. The CEH expects you to be familiar with these activities.

Evading Anti-Virus Techniques

Anti-malware software attempts to identify Trojans by wrapper signature or by code signature. A Trojan writer can avoid leaving a signature by using a wrapper or Trojan that was self-written. By changing the code itself, it appears different, and still accomplishes the goal of the Trojan. A Trojan can also be broken up into multiple pieces for deployment and then assembled at the victim to evade detection.
Trojan and Backdoor Countermeasures

Trojans are an insidious threat. Trojans fit the idea of "They are everyone, and they are no one." The most innocent looking file or program could be hiding a malicious payload. Trojans may be hidden in critical components for business or on websites that are commonly used. Common Trojans can be detected by anti-malware software, but a personally written one will not always be caught. Trojans may be detected by looking for suspicious port activity or files, but they may hide in common port traffic or inject into other files. Education about the risk Trojans pose increases awareness and decreases the likelihood of dangerous behavior like downloading files from the internet and viewing unknown email attachments. The only sure-fire way of avoiding compromise is to not connect to the Internet. Even with this you could be compromised, but the Trojan would be unable to phone home.
Module 7 Viruses and Worms Study Guide

Objectives:
- Introduction to Viruses
- Stages of Virus Life
- How a Virus works
- Virus Analysis
- Types of Viruses
- Writing a Simple Virus Program
- Computer Worms
- Worm Analysis
- What is a Sheep Dip Computer
- Malware Analysis Procedure
- Virus Detection Methods
- Virus and Worm Countermeasures
- Anti-Virus Tools
- Penetration testing for Viruses
Introduction to Viruses

A virus is a self-replicating program that produces its own code by attaching copies of itself into other executable codes. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a predetermined logical circumstance is met. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer, for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

Stages of Virus Life
- Design - Developing virus code using programming languages or construction kits
- Replication - The virus replicates for a period of time within the target system and then spreads itself
- Launch - It gets activated with the user performing certain actions such as running an infected program
- Detection - A virus is identified as a threat infecting target systems
- Incorporation - Anti-virus software developers assimilate defenses against the virus
- Elimination - Users install anti-virus updates and eliminate the virus threats

How a Virus Works

Infection phase - The virus replicates itself and attaches to an .exe file in the system. Some viruses infect each time they are run and executed completely, and others infect only when users trigger them, which can include a day, time, or a particular event.

Attack phase - Some viruses have trigger events to activate and corrupt systems. Some have bugs that replicate and perform activities such as file deletion and decrease the session's time. Sometimes they corrupt targets only after spreading completely as intended by their developers.
Virus Analysis

Why are viruses created?
- To inflict damage on competitors
- Financial benefits
- Research projects
- For pranks
- Vandalism
- Cyber terrorism
- Distribution of political messages

Indications of a Virus attack
- Processes take more resources and time
- Computer slows when programs start
- Files and folders are missing
- Hard drive is accessed often
- Unable to load OS
- Anti-virus alerts
- Browser window freezes

How are computers infected?
- Opening infected email attachments
- Not running the latest anti-virus software
- Not updating and installing new versions of plug-ins
- Installing pirated software
- When a user accepts files and downloads without checking the source properly
Types of Viruses

System or Boot sector Viruses - Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. When the system boots, virus code is executed first and then control is passed to the original MBR.

File Viruses - File viruses infect executable files by inserting their code into some part of the original file so that the malicious code can be executed when the file is accessed. File infecting viruses have targeted a range of operating systems, including Macintosh, DOS, UNIX, and Windows. An overwriting file virus is one that overwrites the original file entirely, replacing it with the malicious code. Overwriting viruses cause irreversible damage to the files, permanently destroying the contents of those files. Files affected by an overwriting virus cannot be disinfected and instead must be deleted and restored from backup. Example: Loveletter, which operated as an email worm, file virus, and Trojan downloader, is a notorious example of a file overwriting virus. Loveletter searched for certain file types and overwrote them with its own malicious code.

Multipartite Viruses - Attempt to attack both the boot sector and the executable or program files at the same time. Example: Ghostball - It infected both executable .COM files and boot sectors.

Macro Viruses - Infect files created by Microsoft Word or Excel. Most are written in Visual Basic for Applications (VBA). Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Example: The Melissa Virus would spread on word processors Microsoft Word 97 and Word 2000 and also Microsoft Excel 97, 2000 and 2003. It could mass-mail itself from e-mail client Microsoft Outlook 97 or Outlook 98. If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass-mail itself. When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.

Virus Hoaxes - There are a lot of viruses out there. And then there are some viruses that aren't really out there at all. Hoax virus warning messages are more than annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real and truly destructive virus.

Cluster Viruses - A type of virus that associates itself with the execution of programs by modifying directory table entries to ensure the virus itself will start when any program on the computer system is started. If infected with a cluster virus it will appear as if every program on the computer system is infected; however, a cluster virus is only in one place on the system.

Encryption Viruses - This type of virus uses encryption to mask its code. It is encrypted with a different key for each infected file. AV scanners cannot directly detect these types of viruses using signature detection methods.

Polymorphic Code - Uses encryption to transform its code into an alternate, encrypted form. To enable the polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or Encrypted Mutation Engine). To execute, a polymorphic virus must decrypt itself back to its original form. It will then mutate with new encryption. A well-written polymorphic virus has no parts that stay the same on each infection.

Metamorphic Viruses - This virus actually makes direct changes to its code, permanently altering itself between each iteration. The code changes performed by a metamorphic virus are directed by a metamorphic engine, which may itself be altered between iterations. This is the counterpart to a polymorphic virus's polymorphic engine. The alterations in code carried out by a metamorphic virus make it much harder for traditional signature-based antivirus programs to identify two separate iterations as one and the same virus. Fortunately, the technical challenges involved in creating a functioning metamorphic virus are quite high, making them very rare creations.

Stealth / Tunneling Virus - This virus actively hides itself from anti-virus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file. It places a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive.
ma i ng itself the original program and host code as its sub-routine Almost all boot program viruses are shell viruses File extension Viruses These viruses change the extensions of files.com/wp-content/uploads/2011/04/ec-council-logo. T his empty space can be used to house virus code.jpg http://danielweis. This is difficult to do.files. Example: LeHigh Virus Sparse Infector Viruses they will infect only occasionally (e.EXE file.g. Companion / Camouflage Viruses . for a variety of reasons. A cavity virus attempts to install itself in this e mpty space while not damaging the actual program itself.COM file with the same name a s an existing . A counterme asure is to turn off Hide file extensions in Windows . Most viruses ta e the easy way out when infecting files. On PCs this has usually been accomplished by creating an infected . these vi ruses create a new program which (un nown to the user) is executed instead of the intended program. Many viruses that do this also implement some stealth techniques s o you don't see the increase in file length when the virus is active in memory. every tenth pro gram executed). A cavity virus.ecotarget. they simply attach them selves to the end of the file and then change the start of the program so that it first points to the vir us and then to the actual program code. on the other hand.A cavity virus attempts to install itself i nside of the file it is infecting. Integrity chec ing antivirus software that only loo s for modifications in exist ing files will fail to detect such viruses. On exit.jpg File Overwriting or Cavity Viruses . have empty space inside of them. Some program files. or only files whose lengths fall within a narrow range.instead of modifying an existing file.http://www.com/2011/04/ceh-v7. Shell Viruses Virus code forms a shell around the target host program s code. the new program executes the original program so that things appear no rmal.wordpress. 
An advantage of this is that the virus t hen does not increase the length of the program and can avoid the need for some stealth techniques. attempts to be clever.
wordpress. Writing a Simple Virus Program There are many virus ma ers available to the public and most of them require no technical nowledge to create a virus. however. and spread across networ connections independently without human interaction.jpg http://danielweis.ecotarget.com/2011/04/ceh-v7. then it will select the target program to be modi fied and corrupted.jpg Add-on and Intrusive Viruses Add-on viruses append their code to the host code. As a zombie they will be part of a botnet used to carry out further cyber-attac s controlled by the worm author or whoever they sell the bot net to. .files. execute. consuming available computing resources. The TSR can only be removed by rebooting the system.\ The Terminate and Stay virus (TSR) remains permanently in the memory during the entire wor session even after the target host s program is executed and terminated. Computer Worms Computer worms are malicious programs that replicate. some worms carry a payload to damage the host system Attac ers can use worm payloads to install bac doors in infected computers.com/wp-content/uploads/2011/04/ec-council-logo. Most worms are created only to replicate and spread across a networ . Intrusive viruses overwrite the host code partly or completely with viral code Transient and Terminate and Stay Resident Viruses The Transient virus will trans fer all controls of the host code to where it resides.http://www. whic h in turn will ma e them susceptible to becoming zombies. Without ma ing any changes it will relocate the host code or insert its own code at the beginni ng.
Worm Analysis: Conficker Worm
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and shares. Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Recent estimates of the number of infected computers have been notably more difficult because of changes in the propagation and update strategy of recent variants.

What is a Sheep Dip Computer?
A sheep dip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheep dips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheep dips use at least two different antivirus programs in order to increase effectiveness. The goal of sheep dipping is to block viruses from entering systems rather than waiting until they manifest on user workstations, at which time they will have already done their damage.

Anti-Virus Sensor Systems
Anti-virus sensor systems are a collection of computer software packages that detect and analyze malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.
Malware Analysis Procedure
Preparing the Test Bed
Install VMware or Virtual PC on the system
Install the guest OS into the virtual machine
Disable shared folders and the guest isolation options (drag-and-drop and copy-and-paste between host and guest)
Copy the malware over to the guest OS
Isolate the system from the network
Note: At least two machines should be used. One machine is for hosting the malicious binary (victim machine) and the other is for baselining and sniffing the network traffic (sniffer machine). They should be networked in such a way that each of them is able to sniff the other's network traffic.

Virus Detection Methods
Scanning: Once a virus has been detected, it is possible to write scanning programs that look for signature string characteristics of the virus
Integrity Checking: These products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors, then reporting anything that later differs from that record
Interception: The interceptor monitors the operating system requests that are written to the disk and blocks or flags suspicious ones
Virus and Worm Countermeasures
Install anti-virus software that detects and removes infections as they appear
Generate an anti-virus policy for safe computing and distribute it to the staff
Pay attention to the instructions while downloading files or any programs from the Internet
Update the anti-virus software regularly (signature updates are typically published daily; monthly is the absolute minimum), allowing it to identify and clean new threats
Avoid opening attachments received from an unknown sender, as viruses spread via e-mail attachments
A virus infection may corrupt data, so regularly maintain data backups
Schedule regular scans for all drives after the installation of anti-virus software
Do not accept disks or programs without scanning them with anti-virus software first

AntiVirus Tools
AVG Antivirus
BitDefender
Kaspersky
Trend Micro
Norton AntiVirus
Avast
Penetration Testing for Viruses
Install anti-virus on the network infrastructure and on the end-user's system
Update the anti-virus virus database with the newly identified viruses
Scan the system, which helps to repair damage or delete files infected with viruses
If the virus is not removed, go into safe mode and delete infected files manually
If any suspicious process, registry entry, startup program or service is discovered, check the associated executable files
Check the startup programs and determine if all the programs can be recognized with known functionalities
Check the data files for modification or manipulation by opening several files and comparing their hash value with a pre-computed hash
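The detection methods above (signature scanning and integrity checking) and the hash-comparison step of the pen test can be tried out with the following added example. It is illustration code written for this guide, not a tool from the CEH material: the signature bytes, file names, file contents and the single-byte XOR standing in for an encryption virus's per-file key are all made up for the demo. It shows three things the text states: a plain appended infection is caught by the signature; an encryption virus's re-keyed body slips past the signature but not the integrity check; and a companion virus that touches no existing file slips past an integrity checker that only compares existing files, so this checker also reports files that were absent from the baseline.

```python
"""
Added example (not part of the CEH study guide): minimal versions of two of the
virus detection methods described above, run against a constructed in-memory
"disk" so the whole thing works offline.

  * scanning        - look for a known signature string in each file
  * integrity check - compare each file's SHA-256 with a stored baseline and
                      also report files that were not in the baseline at all
                      (the companion-virus case the guide warns about)
"""
import hashlib

# Constructed "known virus" signature, as an AV vendor would extract from a sample.
SIGNATURE = b"EVILMARK-1"


def scan(files, signature=SIGNATURE):
    """Signature scanning: names of files whose bytes contain the signature."""
    return sorted(name for name, data in files.items() if signature in data)


def xor(data, key):
    """Toy single-byte XOR, standing in for an encryption virus's per-file key."""
    return bytes(b ^ key for b in data)


def baseline(files):
    """Integrity checker pass 1: record a SHA-256 for every file on the disk."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files, base):
    """Integrity checker pass 2: report modified, new and missing files."""
    modified = sorted(n for n, d in files.items()
                      if n in base and hashlib.sha256(d).hexdigest() != base[n])
    new = sorted(n for n in files if n not in base)          # catches companion files
    missing = sorted(n for n in base if n not in files)
    return {"modified": modified, "new": new, "missing": missing}


def demo():
    """Baseline a clean disk, apply three infections, run both detectors."""
    # Constructed clean disk contents (not real executables).
    disk = {
        "CALC.EXE": b"MZ...calc program...",
        "EDIT.EXE": b"MZ...editor...",
        "README.TXT": b"hello",
    }
    base = baseline(disk)

    # 1. Appending infection: virus body added verbatim, signature visible.
    disk["CALC.EXE"] = disk["CALC.EXE"] + SIGNATURE + b"payload"
    # 2. Encryption virus: same body, XOR-encrypted with a fresh key, signature hidden.
    disk["EDIT.EXE"] = disk["EDIT.EXE"] + xor(SIGNATURE + b"payload", 0x5A)
    # 3. Companion virus: no existing file touched; a new CALC.COM shadows CALC.EXE.
    disk["CALC.COM"] = b"companion stub"

    return scan(disk), integrity_check(disk, base)


if __name__ == "__main__":
    found, report = demo()
    print("signature scan hit:", found)        # ['CALC.EXE'] only
    print("integrity report:", report)         # EDIT.EXE modified, CALC.COM new
```

Real encryption and polymorphic viruses still carry a decryptor stub, and that stub (or an emulation of it) is what scanners actually match. The baseline of an integrity checker must itself be stored where malware cannot rewrite it, and must be rebuilt after every legitimate update or it will flag patches as infections.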
Module 8 Sniffers Study Guide

Objectives:
Lawful Intercept
Sniffing Threats
Types of Sniffing
Hardware Protocol Analyzers
MAC Attacks
DHCP Attacks
ARP Poisoning Attacks
Spoofing Attacks
Sniffing Tools
Countermeasures
Lawful Intercept
Lawful Intercept is the policy of allowing a Law Enforcement Agency (LEA) to obtain records of data transmissions across traditional communication lines through wiretaps, and also through Internet services for voice and data, with a proper judicial order. This information is provided to the LEA by the service provider after such an order has been received.

Sniffing Threats
Monitoring traffic in a network environment is called sniffing. Using hardware or software to capture traffic, an attacker can read any data sent in plaintext. This data can take the form of web traffic, email traffic, passwords transmitted over protocols that use plain text, and other traffic. Sniffing relies on having access to the network segment carrying the traffic, either physically (a tap, a hub, or a port on the switch) or through a compromised host on that segment.

Types of Sniffing
Passive Sniffing
Passive sniffing is monitoring packets on a network segment that is not switched or bridged, so that every frame can be seen by all machines on that segment. Hubs are outdated, which makes them a rare find, but it is still possible to sniff wireless networks or networks with compromised switches. Any network card set to promiscuous mode and connected to such a shared segment can read all the connected devices' traffic, because the traffic is not switched and the same data is sent to all ports.

Active Sniffing
In today's switch-based network environments a switch forwards a frame only to the port that owns the destination MAC address, so a sniffer sees just its own traffic. To see more, the attacker injects packets into the network traffic for a desired effect, for example flooding the switch's CAM table or poisoning ARP caches. This is active because you are actually causing a change instead of watching what occurs, and that change is what makes it detectable.
Hardware Protocol Analyzers
Hardware protocol analyzers are special equipment that monitor network traffic across a cable without altering it and allow for precise information reading about that traffic. Using a piece of hardware like this on the SPAN port of a switch, which is set up to receive a copy of packets sent across the switch, allows for capture and monitoring of all of the connections to that switch, like a hub would.

OSI Model
Vulnerable Protocols: Telnet, HTTP, SMTP, NNTP, POP, FTP, IMAP
These protocols are vulnerable because they send some or all information in plain text. This traffic can be captured at the Data Link Layer (Layer 2 on the OSI model), beneath any protection the upper layers might apply, so a sniffer at Layer 2 reads the plaintext of these application protocols without having to defeat anything in the higher OSI layers.

MAC Attacks
MAC Flooding
The Content Addressable Memory (CAM) table of a switch, which maps learned MAC addresses to ports, is usually of a small, fixed size. This attack occurs when a switch is bombarded with frames carrying different source MAC addresses; when the table reaches its maximum the switch can no longer learn where a destination lives and begins to flood traffic out all ports, like a hub. To defend against this some switches have the ability to limit the number of MAC addresses that can be learned on ports connected to end stations (port security). An AAA (Authentication, Authorization, and Accounting) server can be used to authenticate discovered MAC addresses as well (MAC-address authentication against a RADIUS server).
DHCP Attacks
Dynamic Host Configuration Protocol (DHCP) is used to allow new hosts to connect to a network easily; because of this functionality it can be insecure, since any host may request an address and any host may answer as a server. It is important to remember that attacks against DHCP take advantage of its functionality: what they do is permitted, but in a manner that was not intended.

DHCP Starvation
This is a Denial of Service attack against a DHCP implementation. The attacker sends out requests (DHCPDISCOVER/REQUEST with a different forged client MAC address each time) for an entire DHCP scope instead of just one address, keeping anyone else from obtaining a lease from the server. It is similar to a MAC flood attack in that it works by exhausting a finite table.

Rogue DHCP
An attacker can run a DHCP server for the same scope as the legitimate server, causing users to connect to the rogue (the first server to answer wins). The rogue hands out its own default gateway and DNS server addresses and can then be used to eavesdrop on the users or intercept requests and send them to malicious sites.

DHCP Attack Countermeasures
DHCP attacks can be countered at the switch level by restricting DHCP server traffic by port, so that server replies are only accepted from trusted ports leading to the real servers (DHCP snooping), and by rate-limiting DHCP requests on untrusted ports.

ARP Poisoning Attacks
The Address Resolution Protocol maps an IP address to a physical machine address that is recognized on the local network. An ARP table is created in networked devices containing this information. When a MAC address is not found in the table an ARP request is broadcast; when an answer is found the machine updates the table with the address pair, allowing communication. ARP spoofing occurs when these packets are forged: ARP has no authentication, and most hosts update their table from a reply whether or not they asked for it. Using these fake ARP messages an attacker can divert communication to compromise a user or system. ARP spoofing can also be used to poison the ARP table with fictitious entries to enable snooping; this can also fill the ARP table, similar to a MAC flood attack. The IP-to-MAC-to-port binding can be enforced at the switch level to counter ARP poisoning (Dynamic ARP Inspection, which checks ARP packets against the DHCP snooping binding table), and critical hosts such as servers and gateways can use static ARP entries.
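The ARP poisoning described above leaves a trace a monitor can see: an IP address that suddenly answers from a new MAC, and a single MAC answering for two addresses (the attacker playing both gateway and victim). The following added example, written for this guide rather than taken from the CEH material, parses raw Ethernet/ARP frames with the standard library and raises those two alerts. The frames, MAC and IP addresses are constructed in code so nothing touches a live network; a real deployment would feed frames read from a capture file or a raw socket.

```python
"""
Added example (not part of the CEH study guide): a small ARP-poisoning
detector. It keeps a table of IP-to-MAC bindings learned from ARP replies and
alerts when an IP changes MAC or when one MAC claims several IPs. All frames
below are constructed for the demo.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet frame carrying an ARP reply (demo input only)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an ARP frame, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa)


class ArpWatch:
    def __init__(self, static=None):
        # ip -> mac. Seeding with the known gateway binding means a poisoned
        # reply is caught even before a genuine reply has been observed.
        self.bindings = dict(static or {})
        self.claims = {}        # mac -> set of IPs it has answered for
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, mac, ip = parsed
        if op != ARP_REPLY:
            return              # only replies (re)write a host's ARP cache
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1:
            self.alerts.append(f"MAC {mac} claims multiple IPs: {sorted(self.claims[mac])}")
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"ARP poisoning: {ip} was {known}, now claimed by {mac}")
            return              # keep the trusted binding, do not learn the fake one
        self.bindings[ip] = mac


def demo():
    """Two genuine replies, then an attacker poisoning both victim and gateway."""
    gw, victim, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    watch = ArpWatch(static={"192.168.1.1": gw})    # constructed gateway binding
    frames = [
        build_arp_reply(gw, "192.168.1.1", victim, "192.168.1.10"),        # genuine gateway
        build_arp_reply(victim, "192.168.1.10", gw, "192.168.1.1"),        # genuine victim
        build_arp_reply(attacker, "192.168.1.1", victim, "192.168.1.10"),  # attacker -> victim
        build_arp_reply(attacker, "192.168.1.10", gw, "192.168.1.1"),      # attacker -> gateway
    ]
    for f in frames:
        watch.feed(f)
    return watch.alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

A host that legitimately owns several addresses (a router with multiple interfaces on one VLAN, or a failover pair sharing a virtual IP) will trip the multiple-IP rule, so such MACs should be whitelisted; the change-of-MAC rule is the reliable one and is the same check Dynamic ARP Inspection performs in the switch.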
Spoofing Attacks
MAC Spoofing Attacks
When an attacker can sniff out MAC addresses, they can use that information to spoof or duplicate the MAC in question and intercept or use a legitimate user's MAC address to receive that user's traffic. If the MAC address is used for network identification (MAC filtering or a port-security binding), the attacker now has access to what the legitimate user had access to, bypassing Access Control Lists on routers and servers. Spoofed source addresses (IP as well as MAC) are also used in other network traffic attacks such as SYN floods and the Ping of Death. Countering spoofing attacks involves the use of binding tables and checking that MAC addresses do not change IPs or ports on the switch they are connected to.

DNS Poisoning
The Domain Name System, which translates the names humans use into the numbers computers use, can be tricked by spoofing as well. A DNS server can be tricked into accepting false information, poisoning the cache of names that are used to answer a client's request for a website or network resource. When the user requests a website from a poisoned DNS server, the user is sent to the location the attacker has designated in the false record. In order to defend against these attacks it is recommended that you resolve all DNS requests locally and forward only to trusted outside DNS servers. Configure firewalls to restrict external DNS lookups so that users are forced to keep requests internal. DNSSEC (Secure DNS) has zone owners sign their DNS records with digital signatures that resolvers validate through a chain of trust anchored at the root zone, so a forged record fails validation; implementing this protocol mitigates spoofing threats.

Sniffing Tools
Kismet
Snort
Wireshark
files. a pac et capture device canno t be installed.ecotarget. . SSL and IPSec (Internet Protocol Security) are examples of encryption solutions.jpg Countermeasures Sniffing with hardware requires physical access to the traffic that is being tar geted.jpg http://danielweis.wordpress.com/wp-content/uploads/2011/04/ec-council-logo.http://www. Sniffing depends on traffic being in plaintext. encryption eeps this from occur ring. By securing the physical location and access to networ equipment.com/2011/04/ceh-v7.
Module 9 Social Engineering Study Guide

Objectives:
What is Social Engineering?
Why is Social Engineering effective?
Phases in a Social Engineering attack
Common targets of Social Engineering
Types of Social Engineering
Common Intrusion Tactics and Strategies for Prevention
Social Engineering through Impersonation on Social Networking Sites
Risks of Social Networking to Corporate Networks
Identity Theft
Social Engineering Countermeasures
Social Engineering Pen Testing
What is Social Engineering?
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineers prey on people who are careless about protecting confidential information.

Why is Social Engineering Effective?
There is no specific software or hardware for defending against a social engineering attack
Security policies are as strong as their weakest link, and humans are the most susceptible factor
It is difficult to detect social engineering attempts
There is no method to ensure complete security from social engineering attacks

Phases in a Social Engineering Attack
Research: Researching a target company consists of dumpster diving, websites, employees, company tours, etc.
Develop: In this phase relationships are built with selected employees; impersonations may be developed as well
Exploit: Collect sensitive account information, financial information, and current technologies

Command Injection Attacks
Online: Contacting employees anonymously over the Internet and persuading them to provide information
Telephone: Requesting information, usually through impersonating a legitimate user, either to access the telephone system itself or to gain remote access to computer systems
Personal Approaches: In personal approaches, attackers get information by asking for it directly

Common Targets of Social Engineering
Receptionists/Help Desk Personnel
Technical Support
Executives
System administrators
Vendors of the target organization
Users and clients

Types of Social Engineering
Human-based
Gathers sensitive information by interaction. Attacks of this category exploit trust, fear, and the helping nature of humans. An attacker can pose as a legitimate end user, a technical support person, or essentially anyone that they feel will persuade someone to reveal information.
Eavesdropping: Unauthorized listening to conversations or reading of messages; interception of any form, such as audio, video, or written
Shoulder Surfing: Attackers can look over someone's shoulder or view a target with binoculars to gain confidential information
Dumpster Diving: Searching for useful documents or any other information in trash bins, printer stations, or on someone's desk
Tailgating: An unauthorized person enters a secured area by following closely behind an authorized person to gain access without the need for a key. This is done without the consent of the authorized user
Piggybacking: Essentially the same principle as tailgating; however, the unauthorized person has consent in this case. The authorized person allows an unauthorized individual to gain access with their credentials
Reverse Social Engineering: This is when the attacker creates a persona who appears to be in a position of authority, so that employees will ask him for information rather than the other way around. These attacks involve sabotage, marketing, and tech support

Computer-based
Social engineering carried out with the help of computers.
Pop-Ups: Can be used to trick users into clicking a link that redirects them to fake websites asking for personal information, or downloads malicious programs such as keyloggers, Trojans, or spyware
Phishing: An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information
Social Engineering using SMS: The same lure delivered by text message

Insider Attacks
Spying: If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization
Revenge: It takes only one disgruntled person to take revenge and your company is compromised
60% of attacks occur from behind the firewall
An inside attack is easy to launch and is difficult to prevent

Common Intrusion Tactics and Strategies for Prevention
Area of Risk              | Attacker's Tactics                                      | Combat Strategy
Phone (Help Desk)         | Impersonation and persuasion                            | Train employees never to reveal information over the phone
Building entrance         | Unauthorized physical access                            | ID badge enforcement, security officers
Office                    | Shoulder surfing                                        | Frosted glass, not allowing others to view you typing
Phone (Help Desk)         | Impersonating help desk calls                           | Assign a PIN to employees for help desk calls
Office                    | Wandering strangers                                     | Escort all guests
Mail room                 | Insertion of forged memos                               | Lock and monitor the mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, or attach rogue wireless access points or protocol analyzers | Keep these spaces locked, keep updated inventories
Phone and PBX             | Stealing phone access                                   | Control overseas and long-distance calls, trace calls, and refuse transfers

Social Engineering through Impersonation on Social Networking Sites
Malicious users can gather information by impersonating others on social networks.
wordpress. i ncreasing the ris of information exploitation Involuntary Information In the absence of a strong policy.com/2011/04/ceh-v7.files.http://www.jpg http://danielweis.ecotarget.jpg This information can lead to an attac er creating large networ s of friends to e xtract information using social engineering techniques They can also use this information to carry out other forms of social engineerin g outside of the social networ Ris s of Social Networ ing to Corporate Networ s Data Theft A social networ ing site is an enormous database accessed by many individuals. employees may un nowingly post sensitive data about their company on social networ ing Targeted Attac s Information on social networ ing sites could be used for preliminary reconnaissa nce in a targeted attac Networ Vulnerability All social networ ing sites are subject to flaws and bugs that may lead to vulne rabilities in the company s networ Identity Theft Identity theft is a form of fraud in which someone pretends to be someone else b y assuming that person's identity. such as Social Security or driver s license numbers .com/wp-content/uploads/2011/04/ec-council-logo. typically in order to access resources or obtain credit and o ther benefits in that person's name Theft of Personal Information Identity theft occurs when someone steals your name and other personal informati on for fraudulent purposes Loss of Social Security Numbers It is a crime in which an imposter obtains personal information.
wordpress. They recognize these techniques in use in the future .jpg Easy Methods Cyberspace has made it easier for an identity thief to use stolen information fo r fraudulent purposes Social Engineering Countermeasures Policies Good policies and procedures are ineffective if they are not taught and reinforc ed by the employees After receiving training. etc. fo r public use.http://www. Being aware of the psychological techniques peo ple tend to succumb to gives users empowerment. and guest accounts with proper authorizatio n Proper Incident Response Time There should be proper guidelines for reacting to a social engineering attempt Two-Factor Authentication .jpg http://danielweis. proprietary.ecotarget.com/wp-content/uploads/2011/04/ec-council-logo.files. user. Bac ground Chec s and Proper Termination Procedures Insiders with criminal bac grounds and terminated employees are easy targets for procuring information Access Privileges There should be administrator. for internal use only.com/2011/04/ceh-v7. employees should sign a statement ac nowledging that t hey understand the policies and the ramifications for not upholding them Training An efficient training program should consist of all security policies and variou s methods to increase awareness on social engineering. Operational Guidelines Ensure security of the sensitive information and authorized use of resources Classification of Information Categorize the information as top secret.
wordpress. modem pools. create believable impersonations. im personation. etc.com/2011/04/ceh-v7. teams. Try to extract as much information as possible using footprinting techniques Create a Script Based on the collected information.files. web searches. and the level of physical intrusion allowed Intelligence Gathering Collect email addresses. and email spider tools. to attac the target Use Emails If management approves social engineering via email. and contact details of the target organization and its human resources (if not already provided) using techniques such as dumpster diving. use two-factor authentication for high-ris networ services such as VPN s. These details may consist of a list of departments.com/wp-content/uploads/2011/04/ec-council-logo. and wireless networ s . storylines .Anti-Virus/Anti-Phishing Defenses Use multiple layers of anti-virus defenses at end-user des tops and mail gateway s to minimize social engineering attac s Change Management Change management is a structured approach to transitioning individuals.jpg Instead of fixed passwords. use phishing techniques.ecotarget. An employeedependent. You are assessing how email attac s are treated by the or ganization and how much confidential information can be obtained http://www. send malicious attachments. email guessing. undocumented approach is reactive and could harm productivity Social Engineering Pen Testing Gaining Authorization Obtain management s explicit authorization and details that will help in defining the scope of a pen-test. and organizations from a current state to a desired future state A documented change-management process is highly effective and is proactive. individual employees to targ et.jpg http://danielweis.
room and st . and anyone you come into contact w ith. pose as an external auditor.http://www. thr ow on some coveralls and impersonate a technician.com/wp-content/uploads/2011/04/ec-council-logo. security staff. Befriend employees.jpg Pic Up the Phone Call a target posing as a colleague. Documentation Document EVERYTHING The responses from the users.ecotarget.wordpress. Use tailgating to gain physical access. create fa e badges. an important customer. Video ma es for a convincing form of documentation. tech support. or ref er to an important person in the organization to gain information In Person Be creative and convincing. These are all believable characters to play.files.com/2011/04/ceh-v7.jpg http://danielweis. What information was obtained and what vulnerabilities allowed you to collect co nfidential information There is never a problem with too much detail in a report All of this documentation is important to management as it helps to improve thei r security posture Once inside eavesdrop and shoulder surf. Meet employees in the brea ri e up a conversation.
http://www.jpg http://www.wordpress. What are DoS and DDoS attac s? Symptoms of a DoS attac DoS Attac Techniques Botnets Detection Techniques Dos/DDoS Attac Countermeasures DoS Attac Penetration Testing . .com/wp-content/uploads/2011/04/ec-council-logo.com/2011/04/ceh-v7.ecotarget. .jpg http://danielweis.wordpress.files. .ecotarget.files. .jpg http://danielweis.com/wp-content/uploads/2011/04/ec-council-logo. .com/2011/04/ceh-v7. .jpg Module 10 Denial of Service Study Guide Objectives: .
What are DoS and DDoS Attacks?
Denial of Service refers to making a web site or service unavailable to users for a period of time. An attacker takes up available resources using specific vulnerabilities or by using a distributed attack through another network such as a botnet. DoS and DDoS work by flooding a computer or network with specifically crafted queries, or by simply using a larger amount of bandwidth to connect to the target than the target has available to respond. A DoS attack becomes a war of attrition: does the attacker have more bandwidth or CPU power than the victim?

Websites are a common target for DoS attacks. If enough users (real or machine created) put a load on a website, the webserver tasked with handling the requests becomes slower or unable to create new connections to provide information. The website code itself may require too much processing power per request, which lowers the load an attacker needs to generate. Depending on the attack, an attacker may be able to use all of the bandwidth available to the webserver.

One common method of DoS is a Distributed Denial of Service, where the attacker has multiple computers under their control to distribute the attack. These attacks often occur using botnets, a set of computers that are controlled like robots to do a controller's bidding. They can be directed with simple commands and they are frequently used without the actual owner's knowledge.

Symptoms of a DoS Attack
Symptoms may include a website being knocked down, a large influx of spam, or an inability to access the Internet. Connection monitoring features in routers, or the use of a separate device, will trigger alerts for this type of traffic. These alerts are often configured to produce the conceptual "right amount" of alerts that the network admin is comfortable with; no regard is given to the actual network traffic when they are set. This creates a false sense of security: a threshold tuned to a comfortable alert volume rather than to the site's measured baseline may not fire until the service is already down.
A web stress test, such as used by Massively Multiplayer Online game developers, functions the same way in a legitimate, controlled fashion to show what the breaking point is of a set of servers. Malicious hackers can use the same tools and just ignore the breaking point to bring down the target.
Who uses DoS/DDoS
Cyber criminals are increasingly being associated with organized crime syndicates. These organizations provide a hierarchical setup to use various activities and technical skills to make sophisticated attacks. Organized groups create and rent botnets, offer services such as malware writing and hacking bank accounts, or create Denial of Service attacks against targets for a price. According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and 70% of data stolen was the work of criminals outside the victim organization. Organized hacktivism is a matter of concern for national security agencies.
DoS Attack Techniques

Bandwidth Attacks
All bandwidth is used up by an attack. This leaves none for legitimate users. This type of attack is normally conducted by Distributed Denial of Service. Some hosting companies allow for ramping up more bandwidth during an attack, but the cost for this service can be prohibitive for many companies.

Service Request Floods
A service request flood works by exhausting server resources. Requests are made from a valid source, or a spoofed valid source, with the intention of using up TCP connections. When the threshold for connections is met, the server can no longer answer requests, denying the service to other users.

SYN Attack
An attack exploits the three-way handshake by creating spoofed SYN packets. This attack causes the server to send SYN-ACKs to the fake source of the SYN packets. This floods the source system that was spoofed with SYN-ACK traffic, keeping that system from responding to other traffic.

SYN Flooding
SYN flooding works the same as the SYN attack, but instead of directing the SYN-ACKs at a target, it uses the half-open connections to overload the listening queue on the server. This keeps the server's ability to respond offline for a period of time, depending on the implementation.
ICMP Flood Attack
A large number of packets with fake source addresses are sent to the target. Whether the target accepts the ping or not, the ping traffic overloads the target. The Smurf attack is an amplification variant of this: ICMP echo requests carrying the victim's address as the spoofed source are sent to a network's broadcast address, so every host on that network replies to the victim.

Peer to Peer Attacks
Using p2p clients and the DC++ protocol, an attacker can instruct other computers on the p2p network to disconnect and connect to a website. Given the massive number of users connected to some of these networks, this creates a DoS attack.

Permanent Denial of Service
This attack is also referred to as Phlashing. An attacker sends a fake update that causes a user or system to load software that damages the hardware or bricks the system.

Application Level Flood Attacks
These attacks occur higher on the OSI model than most flood attacks. Using applications such as email clients or web logins, the attack exploits the program itself to create a flood of traffic. These can also occur with programs using a database, by using crafted queries to jam access to the database.

Botnets
Botnets are huge networks that can be commanded to undertake actions on behalf of the "bot herder". Botnets are created by passing the controlling software to users and networks by several means. Trojans are a leading cause, such as Shark and Poison Ivy. DDoS botnet software operates like a Trojan: it is covertly installed, then it dials back to its command center. The compromised computer is now a bot. One newer trend, associated with Anonymous, is the Low Orbit Ion Cannon, which users can point at a website by themselves or opt in to an attack.

Command and Control: ICQ, IRC
Older internet communications such as ICQ and IRC are very lightweight and can be used to relay commands to a zombie computer in a botnet. Internet Relay Chat is built in to some botnet creation tools. When a hacker configures the botnet they can create the callback that allows the bots to come to a specific IRC chat channel and receive commands from the master control. This allows a bot herder to issue commands anonymously.

DoS/DDoS Attack Countermeasures
Countermeasure strategies:
1. Absorb
2. Degrade
3. Accept
To absorb an attack requires the resources and planning to scale your infrastructure above the hacker's ability to generate traffic. This requires significant planning and capital. Degrading the services you provide, by turning off non-critical services, allows your critical services the bandwidth or resources to run; if the non-critical services are the ones being attacked, this may thwart the attack. A third option is to accept the attack: turning off your outside connections, or allowing them to be down for as long as the attack continues. (Let the terrorists win? Too soon?)

Detection Techniques
Teaching a computer the difference between legitimate traffic and attacks is constantly being tested. The current standard is to use abnormality and noticeable-deviation thresholds, which do not always work: once one pattern is found, the human hacker evolves faster than the computer program. Data is initially filtered by address, port, or protocol, and this data is compared against the deviations seen during an attack. Sequential Change-Point Detection uses algorithms to isolate traffic statistics that change during attacks. Wavelet Analysis describes input by its spectral components; it looks for anomalies in the frequency of information to determine the normal frequency versus the one during an attack.

Mitigation and Prevention
Filtering traffic is one method to prevent DoS. Use ingress and egress filters to determine whether traffic is coming from the correct location, blocking the traffic if it does not match. However, this can be defeated by spoofing. Depending on how external internet access is set up, organizations may be able to prevent the transmission of fraudulently addressed packets at the ISP level. Block all inbound packets originating from the service ports. Configure the firewall to deny external Internet Control Message Protocol traffic. Disable unused and insecure services. Mitigate with load balancing and throttling. Honeypots or honeynets can be used to deflect attacks to a less critical network section; creating a system or network that looks like your production system but does not have the sensitive data can be difficult and time consuming.

DoS Penetration Testing
DoS testing involves finding out roughly what the minimum thresholds are for DoS attacks, compared to port flooding, email flooding, or website stress testing. Depending on the target and scope of the engagement, it may involve explicit permission to do this type of test. Be cautious and be sure to have permission. Once the target is flooded with traffic, the findings about response time are what is desired.
Module 11 Session Hijacking Study Guide
Objectives:
- What is Session Hijacking
- Key Session Hijacking Techniques
- Spoofing vs. Hijacking
- Session Hijacking Process
- Types of Session Hijacking
- Session Hijacking in OSI Model
- Application Level Session Hijacking
- Network Level Session Hijacking
- TCP/IP Hijacking
- Session Hijacking Tools
- Countermeasures
- IPSec Architecture
What is Session Hijacking?
Session hijacking is exploiting a valid computer session; it occurs when a hacker takes over a session of communication between two computers. This is used to get access to the system and to steal data. Most computers use TCP/IP to communicate. TCP/IP is the most commonly attacked protocol due to weaknesses in its design and because it is used in most communication. Session hijacking can be difficult to counter without encryption. Compromised sessions can allow for information and identity theft in a difficult-to-trace manner. Vulnerabilities that allow session hijacking include: not having lockouts for sessions, indefinite session times, insecure handling of session IDs, and clear text transmission of data including the session identifier. Any of these vulnerabilities can lead to exploitation. All of this makes session hijacking a very big threat.

Key Session Hijacking Techniques
Stealing session IDs can occur whenever they are transmitted during the session, usually requiring sniffing. A referrer attack is one method: using a link to another site, the hacker entices the victim to click on the link, which causes the browser to send the referrer URL, which contains the session ID. Brute forcing session IDs occurs when there is no mechanism to stop an attacker from trying random session IDs until they are successful; this requires a limited field of possible session IDs in order to succeed. Calculating a session ID can be easily accomplished if session IDs have no random components.

Spoofing vs. Hijacking
Spoofing occurs when an attacker pretends to be a valid user. Spoofing requires a hacker to be able to get credentials or other identifiers. Hijacking occurs when an attacker takes over a valid user's session. Hijacking requires a hacker to be able to find an existing session; sniffing and interception are common methods.
Session Hijacking Process
1. Sniff
2. Monitor, in order to predict sequence numbers
3. Session disconnect of the valid user
4. Session ID prediction to take over the session
5. Command injection to communicate with the target system

Session Hijacking in OSI Model
Network level hijacking involves intercepting packets in a TCP or UDP session. This requires access to network traffic, which can be accomplished remotely by use of a Trojan or by use of packet sniffers on a network or device. Application level hijacking gains control of an HTTP user session by sniffing the session ID cookie or packet used to keep track of a user's session on the website.

Application Level Session Hijacking
There are multiple methods for gaining control of a session at the application level:
1. Session Sniffing
2. Predictable Session Token
3. Man in the middle attacks
4. Client side attacks

Session Sniffing
Using a sniffer, an attacker can capture a valid session token and present it to the webserver. If there is not a mechanism for checking the validity of the token, it can be used by the attacker to gain access to the session.

Predicting Session Tokens
When webservers use a predictable method for generating session IDs it is then possible to guess what session IDs will be and use that guess to access the server. One example of this is a webserver session that uses a constant bit of data and adds the date and time to that constant to create a unique session ID.
TCP/IP Hijacking
TCP/IP hijacking is a technique using spoofed network packets to take over a session between client and target. This requires that you are on the same network as the target system, and able to spoof the IP address of the client. First, an attacker sniffs traffic to determine the sequence numbers in the communication. Then the hacker spoofs the IP and sends a packet with the next sequence number. The host accepts that packet, increments the sequence number and sends an ACK to the client. The client's own next packet will now be considered out of sequence and disregarded, which allows the attacker to step in and continue the communication as if he were the victim. A connection attempt to a server with the correct sequence number along with a forged source IP address can likewise allow a denial of service to the true IP, or close the connection with a FIN bit.

RST Hijacking
RST hijacking refers to the technique of sending a forged RST packet to a victim, causing them to end the session. Once this session is closed the victim may attempt to reset the connection with the hacker, or the hacker may create a denial of service by repeating the process.

Blind Hijacking
Blind hijacking occurs when a hacker can inject data into a communication but is not able to route the communication to sniff the results.

Source Routed Packets
Source routed packets can be used by an attacker to specify what path the packets in a communication should take. The attacker directs the packets to pass through a specific device for sniffing.

Man-in-the-Middle Attack using Packet Sniffers
With a packet sniffer installed on a device, any data that passes through that device can be used in a man-in-the-middle attack. Forged Internet Control Message Protocol packets can also be used to direct client-to-server traffic through a hacker's packet sniffer. Using an Address Resolution Protocol spoof, an attacker can pose as another device that a client uses to connect to a host. An example of this would be a hacker with a laptop in a coffee shop posing as a wireless access point. Clients connect unknowingly to the hacker's access point and the hacker sniffs the traffic that then goes to the internet.

UDP Hijacking
UDP does not deal with sequence numbers as TCP does; however, if the attacker can send a response back to a client after a request, before the server does, the attacker can take over the communication.
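The following is an added example, not part of the study guide, that models only the receive side of one TCP session in order to show why the TCP/IP hijacking and RST hijacking steps above work: a spoofed segment carrying the sniffed next sequence number is accepted, the genuine client's next segment is then rejected as out of sequence, and a forged RST whose sequence number falls inside the receive window tears the session down. The class and scenario names are this example's own; no packets are sent and the window handling is simplified from a real stack.

```python
# Added example (not from the study guide): a toy model of one direction of a
# TCP session, tracking RCV.NXT and the receive window. Nothing is put on the wire.

class TcpReceiver:
    """Tracks the next expected sequence number and the receive window."""

    def __init__(self, rcv_nxt, rcv_wnd=65535):
        self.rcv_nxt = rcv_nxt      # next sequence number we expect (RCV.NXT)
        self.rcv_wnd = rcv_wnd      # size of the receive window
        self.open = True
        self.delivered = []         # payloads handed up to the application

    def in_window(self, seq):
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def receive(self, seq, payload=b"", rst=False):
        """Return 'accepted', 'out_of_sequence', 'reset' or 'closed'."""
        if not self.open:
            return "closed"
        if rst:
            # RFC 793 behaviour: a RST is honoured if its sequence number is
            # anywhere inside the receive window, which is why a forged RST
            # needs only an approximately right sequence number.
            if self.in_window(seq):
                self.open = False
                return "reset"
            return "out_of_sequence"
        if seq != self.rcv_nxt:
            # Simplified: only the exact expected sequence number is delivered
            # (a real stack would buffer later in-window data and drop old data).
            return "out_of_sequence"
        self.delivered.append(payload)
        self.rcv_nxt += len(payload)
        return "accepted"


def hijack_scenario():
    """Client sends; attacker injects using the sniffed next sequence number;
    the client's own next segment is now stale; the attacker keeps talking."""
    server = TcpReceiver(rcv_nxt=1000)
    results = []
    results.append(server.receive(1000, b"GET /account "))          # genuine client
    sniffed_next = server.rcv_nxt                                     # attacker sniffed 1013
    results.append(server.receive(sniffed_next, b"TRANSFER "))       # spoofed segment
    results.append(server.receive(1013, b"HTTP/1.1\r\n"))            # real client, rejected
    results.append(server.receive(server.rcv_nxt, b"$1000\r\n"))     # attacker continues
    return results, server.delivered


def rst_scenario():
    """RST hijacking: a forged RST outside the window is ignored, one inside
    it closes the victim's connection, and nothing is accepted afterwards."""
    victim = TcpReceiver(rcv_nxt=5000, rcv_wnd=1000)
    ignored = victim.receive(9000, rst=True)    # 9000 is outside [5000, 6000)
    closed = victim.receive(5500, rst=True)     # inside the window: reset
    after = victim.receive(5000, b"data")
    return ignored, closed, after


if __name__ == "__main__":
    print(hijack_scenario())
    print(rst_scenario())
```

The model makes the countermeasure concrete: the server has no way to tell the spoofed segment from the client's, because the only thing it checks is the sequence number the attacker sniffed in step 1. Only an integrity check above TCP (TLS, or IPSec as described below) exposes the injected data.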
Session Hijacking Tools
Burp Suite is a proxy that allows for the interception, modification, and inspection of traffic. This is the tool commonly used in our practice. Firesheep is the now defunct Firefox addon that allowed anyone who tried it out to hijack sessions of popular sites such as Facebook and Twitter. Read http://codebutler.github.com for more information.

Countermeasures
The session hijacking techniques above rely on plaintext communication. Encryption can be used to keep individual pieces of information such as user names, passwords, and session IDs unreadable. Using encrypted and secure protocols also thwarts session hijacking. Session IDs should be randomly generated on request; this handles the vulnerability of a person being tricked into using a specific, attacker-generated session. Sessions should also have absolute time outs so that they cannot be used after a valid user is disconnected. Network traffic should not allow source routing of packets.
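The following is an added example, not part of the study guide, that serves two passages: the "constant plus date and time" session ID from Predicting Session Tokens above, and the countermeasures just listed (randomly generated IDs, regeneration on request so an attacker-planted ID is never promoted, and an absolute timeout). The constant, the store and method names, and the two-hour lifetime are this example's own assumptions.

```python
# Added example (not from the study guide): a predictable session ID beside a
# random one, an attacker guessing the predictable one, and a session store
# that regenerates the ID on login and enforces an absolute lifetime.
import hashlib
import secrets

SECRET_CONSTANT = "ACMEWEB"          # constructed "constant bit of data"
ABSOLUTE_LIFETIME = 2 * 60 * 60      # assumed policy: 2 hours, never extended


def predictable_id(now):
    """The weak scheme: hash of a fixed constant plus the login timestamp.
    Hashing hides nothing; the input space is a handful of seconds."""
    return hashlib.md5(f"{SECRET_CONSTANT}{int(now)}".encode()).hexdigest()


def guess_predictable_id(store, approx_login_time, window=60):
    """Attacker who knows the scheme and roughly when the victim logged in
    tries every second in the window (a limited field of possible IDs)."""
    start = int(approx_login_time) - window
    for t in range(start, start + 2 * window):
        candidate = predictable_id(t)
        if candidate in store.sessions:
            return candidate
    return None


class SessionStore:
    def __init__(self, generator=None):
        self.sessions = {}           # session id -> {"user", "created"}
        # Default: 256 bits from the OS CSPRNG, so guessing is hopeless.
        self.generator = generator or (lambda now: secrets.token_urlsafe(32))

    def issue(self, now, user=None):
        sid = self.generator(now)
        self.sessions[sid] = {"user": user, "created": now}
        return sid

    def login(self, old_sid, user, now):
        """Regenerate on authentication: the pre-login ID (which an attacker
        may have planted or guessed) is discarded rather than upgraded."""
        self.sessions.pop(old_sid, None)
        return self.issue(now, user=user)

    def resolve(self, sid, now):
        """User for a live session, or None if unknown or past the absolute
        lifetime, so a disconnected user's ID cannot be replayed later."""
        record = self.sessions.get(sid)
        if record is None:
            return None
        if now - record["created"] > ABSOLUTE_LIFETIME:
            del self.sessions[sid]
            return None
        return record["user"]
```

Run against the weak generator, the guessing loop recovers the victim's ID from a one-minute window around the login time; against the default generator it finds nothing, and the login and timeout paths show the two remaining countermeasures.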
IPSec
IPSEC is a set of protocols developed to secure communication at the network layer. It is often used in Virtual Private Networks. IPSEC provides:
1. Network-level peer authentication
2. Data integrity
3. Data confidentiality
4. Replay protection
5. Data origin authentication

IPSEC uses two modes, Transport and Tunnel. Transport mode authenticates the communication between computers; this mode does have the ability to encrypt the actual data payload of the packets. Tunnel mode encapsulates the whole packet, not just the data payload: the entire packet is encrypted, then encapsulated. Tunnel mode supports NAT traversal. Note that only ESP can pass through Network Address Translation (with NAT-T encapsulation); AH cannot, because its integrity check covers the IP header fields that NAT rewrites.

IPSEC implementations may include AH, ESP, or both to provide for data security. IPSEC uses Authentication Headers (AH) to ensure that the data is what it says it is (integrity) and came from where it says it came from (origin authentication). This also provides a countermeasure to replay attacks. The Encapsulating Security Payload (ESP) is used to keep the information in a packet confidential. The Security Association (SA) is the third component of IPSEC. The IPSec architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations.
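The following is an added example, not part of the study guide, showing how the replay protection listed above is actually delivered: each inbound Security Association carries a monotonically increasing sequence number, and the receiver keeps a sliding bitmap window of the sequence numbers it has already accepted (the mechanism described in RFC 4303 for ESP). The class name, the 64-packet window and the arrival order are constructed for this example.

```python
# Added example (not from the study guide): the per-SA anti-replay window an
# IPsec receiver keeps. The window size and the sample arrivals are constructed.

class AntiReplayWindow:
    """Replay check using a bitmap over the last `size` sequence numbers.
    Sequence numbers start at 1; 0 is never valid on the wire."""

    def __init__(self, size=64):
        self.size = size
        self.last = 0            # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence (last - i) already seen

    def check_and_update(self, seq):
        """Return True and record the packet if it is fresh; False if it is a
        replay or too old to be tracked. In a real stack this runs only after
        the AH/ESP integrity check has passed, so the attacker cannot forge
        a fresh sequence number."""
        if seq == 0:
            return False
        if seq > self.last:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap |= 1                          # mark the new `last`
            self.bitmap &= (1 << self.size) - 1       # keep only `size` bits
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False            # older than the window: cannot tell, drop
        if self.bitmap & (1 << diff):
            return False            # already accepted once: replay
        self.bitmap |= 1 << diff    # late but fresh (reordered in transit)
        return True


def replay_demo():
    """Constructed arrival order: in-order, reordered-but-fresh, a replayed
    packet, a jump that slides the window, and one too old to judge."""
    window = AntiReplayWindow(size=64)
    arrivals = [1, 2, 3, 5, 4, 3, 100, 40, 36, 37]
    return [window.check_and_update(seq) for seq in arrivals]


if __name__ == "__main__":
    print(replay_demo())
```

Packet 4 arrives after 5 but is still accepted (reordering is normal), the second copy of 3 is dropped as a replay, and after the jump to 100 anything below 37 is simply discarded because the window can no longer vouch for it.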
Module 12 Hacking Webservers Study Guide
Objectives:
- Webserver Threats
- Web Application Attacks
- Webserver Attack Tools
- Countermeasures
- Defending Against Webserver Attacks
- What is Patch Management?
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing
Webserver Threats
Webservers exist to provide information or resources to the public. Webservers can be vulnerable to attacks that target the website or web application itself, or to attacks that allow a foothold into a target's environment. Other webserver attacks target the encryption between the client and server, or the password used to authenticate, when these are vulnerable. This creates a partially open door for malicious hackers; they can then concentrate on forcing it open the rest of the way.

Web Application Attacks
Directory Traversal Attacks exploit a vulnerability in how the server communicates with the client to tell it to change the directory for the client. This enables a hacker to view files outside the web directory and execute commands. This is covered in detail in the next module.

HTTP Response Splitting Attacks occur when a malicious hacker inserts data into a request, like an HTTP request that causes the server to split the response, allowing the hacker to control some of the return. The vulnerability is the unvalidated input allowed by the web application on the server. Proper URL encoding and disallowing the codes for a carriage return will prevent this attack.

HTTP Response Hijacking occurs when a hacker can use the technique above to send a response to a victim from the vulnerable server, and then use the information the victim was transmitting to receive the response to that request.

Web Cache Poisoning puts a malicious page into a web server's cache as a legitimate one. This occurs when a caching server is vulnerable to accepting cache entries from untrusted sources, for example through the response splitting technique above. The attacker issues a command to flush the caches and then sends a request that creates the malicious entry.

Webserver Attack Tools
Metasploit is a penetration testing toolkit. Metasploit uses known vulnerabilities to create payloads, files that contain the code needed to successfully exploit these vulnerabilities. This toolkit allows ethical hackers to test systems, but can be used by malicious hackers to run exploits against webservers.
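The following is an added example, not part of the study guide, of the HTTP response splitting flaw described above: a redirect handler copies a user-supplied URL into the Location header. The vulnerable version lets a carriage return and line feed in the parameter terminate the real response and append a second, attacker-controlled one (the shape a cache could then store, which is the link to web cache poisoning). The hardened version refuses control characters and percent-encodes the rest, which is the "disallow codes for a carriage return" advice. The handler names and the payload are constructed for this example.

```python
# Added example (not from the study guide): response splitting through a
# redirect parameter, and the input check that prevents it.
from urllib.parse import quote

CRLF = "\r\n"


def build_redirect_vulnerable(target):
    """Raw HTTP response with the parameter spliced into a header unchecked."""
    return (
        "HTTP/1.1 302 Found" + CRLF +
        "Location: " + target + CRLF +
        "Content-Length: 0" + CRLF + CRLF
    )


def build_redirect_safe(target):
    """Reject CR, LF and every other control character before the value can
    reach a header, then percent-encode anything that is not a plain URL
    character. Only then is the header assembled."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    encoded = quote(target, safe=":/?#[]@!$&'()*+,;=%-._~")
    return build_redirect_vulnerable(encoded)


def count_responses(raw):
    """How many HTTP responses a proxy, cache or browser would see in `raw`."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1.1 "))


# Constructed attacker input: ends the genuine headers, then supplies a complete
# second response whose body the victim (or an intermediate cache) will treat
# as the server's answer.
INJECTED = (
    "http://example.com/" + CRLF + CRLF +
    "HTTP/1.1 200 OK" + CRLF +
    "Content-Type: text/html" + CRLF +
    "Content-Length: 21" + CRLF + CRLF +
    "<script>evil</script>"
)

if __name__ == "__main__":
    print(count_responses(build_redirect_vulnerable(INJECTED)), "responses from one request")
```

The vulnerable builder turns one request into two responses; the safe builder raises before any header is written. Rejecting rather than stripping the control characters is deliberate: a stripped payload still indicates an attack worth logging.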
Countermeasures
Countermeasures for webserver attacks can be divided into updates, protocols, accounts, and file structure.

Updates and patches for the server OS of the webserver should be applied in a regular fashion, after testing in a non-production environment.

Protocols used by the webserver should be limited to only the ones required for operation. Insecure protocols such as telnet, smtp, and ftp should not be in use on a webserver. Remote access should be encrypted or disabled. The more ports that are open and applications that are running on a web server, the more opportunities there are for hacking.

All default accounts should be disabled. Every service and connection should be run with a least privilege account. All accounts that are used by the webserver should have as little privilege as possible and require strong passwords. These accounts should have logon auditing and alerts for when logons fail, to combat dictionary and brute force password attacks.

Directory structure listing should be disabled. Any non-web files such as logs and backups should be removed from the server. If web applications are running that require a database backend, that database should be on a separate server. Audit logs should also be kept on a separate server.

Defending Against Webserver Attacks
Defending against web server attacks requires a defense in depth approach to ensure that all attack vectors have been guarded against. The server itself needs to be hardened and accessed physically only when necessary. It should not be connected to the internet until after it has been hardened.
What is Patch Management?
Patch management is the process of ensuring that all systems are using the appropriate and up to date software for the hardware or software asset. Patches might break critical software, so be sure to test updates in a non-production environment. It is important to ensure that you have a window of time for updating critical systems that will not be too soon after the patch is released. Being sure that all patches are applied on a regular basis to all systems is critical, and developing a good patch management system is critical to keeping systems secure. A good patch management program will follow these steps:
1. Accurately inventory all hardware and software assets
2. Determine an acceptable update window based on criticality
3. Test all updates adequately prior to placing them in the production environment
4. Install patches within the update window stated in step 2
5. Document any exceptions to the program

Patch Management Tools
The Microsoft Baseline Security Analyzer is an example of a free patch assessment tool that can check for known vulnerabilities caused by missing patches.

Webserver Security Tools
SAINT, the System Administrators Integrated Network Tool, is a popular software package that can be used to assess and test webserver security. It is capable of fully automated scans and can be used for specific exploitation.
HackAlert is a cloud based service for monitoring and vulnerability assessment. This Software as a Service (SaaS) can also be tied into Web Application Firewalls.
Webserver Pen Testing
Penetration testing webservers encompasses most of the entire pen testing spectrum. Web servers require footprinting, scanning, enumeration of user accounts and ports, OS assessment, website vulnerability assessment, and specific attack testing. After the vulnerabilities are known, exploits may be attempted to assess the extent of the vulnerability and determine what information can be compromised. All of these steps must be carried out and documented to perform a full penetration test.
Module 13 Hacking Web Applications Study Guide
Objectives:
- Introduction to Web Applications
- Web Application Components
- How Web Applications Work
- Web Application Architecture
- Unvalidated Input
- Parameter/Form Tampering
- Hidden Field Manipulation Attack
- Injection Flaws
- Cross-Site Scripting (XSS) Attacks
- Web Services Attack
- Hacking Methodology
- Web Application Hacking Tools
- Web Application Security Tools
- Web Application Firewalls
- How to Defend Against Web Application Attacks
- Web Application Pen Testing
Introduction to Web Applications
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.

Web Application Components
Web attack vectors are paths or means to attack and gain access to computer or network resources. For example: parameter manipulation, XML poisoning, client validation, web service routing issues, server misconfiguration, cross-site scripting (XSS), SQL injection, format string attacks, buffer overflows, command insertion, and hidden field manipulation.

Unvalidated Input
When an e-commerce web site has been compromised, there is a good chance the attacker used unvalidated input as an element of the attack. Web applications use input from HTTP requests (and occasionally files) to determine how to respond. Attackers can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields, to try to bypass the site's security mechanisms. Common names for common input tampering attacks include: forced browsing, command insertion, cross-site scripting, buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation. If information submitted via a web site is not validated before it is processed, an attacker can obtain sensitive information or attack the site. Parameters should be validated against a positive specification that defines:
- Data type (string, integer, real, etc.)
- Allowed character set
- Minimum and maximum length
- Whether null is allowed
- Whether the parameter is required or not
- Whether duplicates are allowed
- Numeric range
- Specific legal values (enumeration)
- Specific patterns (regular expressions)
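The following is an added example, not part of the study guide, of a validator that enforces every item of the positive specification listed above for an order form. The parameter names, rules and sample requests are constructed for this example; a real application would keep one such specification per endpoint and reject anything it does not name.

```python
# Added example (not from the study guide): positive (allow-list) validation of
# request parameters. Rules and sample requests are constructed.
import re

# Constructed specification for a hypothetical order endpoint.
SPEC = {
    "username": {"type": str, "required": True, "min": 3, "max": 32,
                 "charset": "abcdefghijklmnopqrstuvwxyz0123456789_"},
    "quantity": {"type": int, "required": True, "range": (1, 100)},
    "ship_to":  {"type": str, "required": False, "enum": {"home", "work"}},
    "zip":      {"type": str, "required": False, "pattern": r"^\d{5}$"},
}


def validate(params, spec=SPEC):
    """params: dict of name -> list of raw string values, as parsed from a
    query string or form body. Returns (ok, errors). Unknown names, duplicate
    values, nulls, wrong types and anything outside the allowed set are
    rejected; nothing is 'cleaned up' silently."""
    errors = []
    for name in params:
        if name not in spec:
            errors.append(f"{name}: unexpected parameter")
    for name, rule in spec.items():
        values = params.get(name)
        if not values:
            if rule.get("required"):
                errors.append(f"{name}: required")
            continue
        if len(values) > 1 and not rule.get("duplicates"):
            errors.append(f"{name}: duplicate values not allowed")
            continue
        raw = values[0]
        if raw is None or raw == "":
            errors.append(f"{name}: null not allowed")
            continue
        if rule["type"] is int:
            if not re.fullmatch(r"-?\d+", raw):
                errors.append(f"{name}: not an integer")
                continue
            value = int(raw)
            lo, hi = rule.get("range", (value, value))
            if not lo <= value <= hi:
                errors.append(f"{name}: out of range {lo}..{hi}")
            continue
        if "min" in rule and len(raw) < rule["min"]:
            errors.append(f"{name}: shorter than {rule['min']}")
        if "max" in rule and len(raw) > rule["max"]:
            errors.append(f"{name}: longer than {rule['max']}")
        if "charset" in rule and any(c not in rule["charset"] for c in raw):
            errors.append(f"{name}: character outside allowed set")
        if "enum" in rule and raw not in rule["enum"]:
            errors.append(f"{name}: not one of {sorted(rule['enum'])}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], raw):
            errors.append(f"{name}: does not match pattern")
    return (not errors), errors


if __name__ == "__main__":
    print(validate({"username": ["bob' OR 1=1--"], "quantity": ["200"]}))
```

Note that the allow-list catches the SQL injection payload in the last call without knowing anything about SQL: the quote and the spaces are simply not in the permitted character set.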
Parameter/Form Tampering
Parameter tampering occurs when the client side of the web application holds sensitive information which is then manipulated by an attacker. When the client sends the parameters of the exchange to the server, those parameters can be modified by using a proxy. This type of attack also occurs when hidden fields are used by websites for e-commerce transactions: the price or quantity field is transmitted by the client, which makes the field susceptible to being altered by an attacker. This is called Hidden Field Manipulation.

Directory Traversal
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.

Security Misconfigurations
Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems. Frequently, the web development group is separate from the group operating the site. In fact, there is often a wide gap between those who write the application and those responsible for the operations environment. Web application security concerns often span this gap and require members from both sides of the project to properly ensure the security of a site's application.

There are a wide variety of server configuration problems that can plague the security of a site. These include:
- Unpatched security flaws in the server software
- Server software flaws or misconfigurations that permit directory listing and directory traversal attacks
- Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages
- Improper file and directory permissions
- Unnecessary services enabled, including content management and remote administration
- Default accounts with their default passwords
- Administrative or debugging functions that are enabled or accessible
- Overly informative error messages (more details in the error handling section)
- Misconfigured SSL certificates and encryption settings
- Use of self-signed certificates to achieve authentication and man-in-the-middle protection
- Use of default certificates
- Improper authentication with external systems
Some of these problems can be detected with readily available security scanning tools. Once detected, these problems can be easily exploited and result in total compromise of a website. Successful attacks can also result in the compromise of backend systems, including databases and corporate networks. Having secure software and a secure configuration are both required in order to have a secure site.
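The following is an added example, not part of the study guide, of the ../ traversal described above against a file-serving handler: the naive version appends the client's path to the document root, while the contained version decodes once, normalises, and refuses any result that lands outside the root. The document root and the request strings are constructed for this example; nothing is read from disk.

```python
# Added example (not from the study guide): a traversable path join beside a
# contained one. WEB_ROOT and the requests are constructed.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"     # assumed document root


def naive_path(requested):
    """Vulnerable: the client-supplied path is simply appended to the root."""
    return WEB_ROOT + "/" + unquote(requested)


def naive_resolved(requested):
    """What the operating system actually opens for the naive join."""
    return posixpath.normpath(naive_path(requested))


def contained_path(requested):
    """Decode exactly once, normalise, and refuse anything that escapes
    WEB_ROOT. Returns the absolute path, or None if the request must be
    rejected (the caller should answer 400/404, not 'fix' the path)."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None                           # NUL truncates names in C APIs
    decoded = decoded.replace("\\", "/")      # treat backslash as a separator
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["index.html", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"]:
        print(req, "->", naive_resolved(req), "|", contained_path(req))
```

The check compares the normalised result against the root rather than searching the input for "..", so encoded, backslash and mixed variants are all handled by the same rule. A production handler should additionally resolve symbolic links (os.path.realpath) before the containment check.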
Injection Attacks
Injection problems encompass a wide variety of issues, all mitigated in very different ways. For this reason, the most effective way to discuss these flaws is to note the distinct features which classify them as injection flaws. The most important issue to note is that all injection problems share one thing in common: they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instances of this category of flaw are SQL injection and format string vulnerabilities.

SQL Injection
SQL injection takes advantage of the syntax of SQL to inject commands that can read or modify a database, or compromise the meaning of the original query. For example, consider a web page that has two fields to allow users to enter a user name and a password. The code behind the page will generate a SQL query to check the password against the list of user names:

    SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'Password'

If this query returns any rows, then access is granted. However, if the malicious user enters a valid Username and injects some valid code ("password' OR '1'='1") in the Password field, then the resulting query will look like this:

    SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'password' OR '1'='1'

In the example above, "Password" is assumed to be blank or some innocuous string. "'1'='1'" will always be true and many rows will be returned, thereby allowing access. The technique may be refined to allow multiple statements to run, or even to load up and run external programs.
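The following is an added example, not part of the study guide, that runs the login query above against an in-memory SQLite table: first built by string concatenation, exactly as the text describes, then with bound parameters. It also shows one refinement the text alludes to, a comment sequence in the username that discards the password check entirely. The UserList rows are constructed.

```python
# Added example (not from the study guide): the study guide's login query,
# concatenated (vulnerable) and parameterised (safe), against SQLite.
import sqlite3


def make_db():
    """Constructed UserList table with two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO UserList VALUES (?, ?)",
                    [("admin", "S3cret!"), ("alice", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Builds the WHERE clause by concatenation, as in the example above.
    The input becomes part of the SQL text, so quotes change its meaning."""
    sql = ("SELECT UserList.Username FROM UserList WHERE UserList.Username = '"
           + username + "' AND UserList.Password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """Same query with placeholders: the driver sends the values separately,
    so they are compared as data and can never be parsed as SQL syntax."""
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Username = ? AND UserList.Password = ?")
    return [row[0] for row in con.execute(sql, (username, password))]


def demo():
    con = make_db()
    payload = "password' OR '1'='1"          # the study guide's injected value
    return {
        "correct":        login_vulnerable(con, "alice", "hunter2"),
        "wrong":          login_vulnerable(con, "alice", "nope"),
        "injected":       login_vulnerable(con, "alice", payload),
        "injected_safe":  login_safe(con, "alice", payload),
        # Refinement: '--' starts a SQL comment, so the password clause is
        # never evaluated and the attacker picks the account by name.
        "comment_bypass": login_vulnerable(con, "admin'--", "anything"),
        "comment_safe":   login_safe(con, "admin'--", "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>15}: {rows}")
```

Because AND binds tighter than OR, the injected clause makes the WHERE condition "(alice AND password) OR true", which is why every row comes back; the parameterised version returns nothing for the same input.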
Cross-Site Scripting (XSS) Attacks

Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source. When someone clicks on the link, the embedded programming is submitted as part of the client's Web request and can execute on the user's computer.

Stored XSS Attacks

Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Reflected XSS Attacks

Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.

Web Services Attack

At the simplest level, web services can be seen as a specialized web application that differs mainly at the presentation level. While web applications typically are HTML-based, web services are XML-based. Interactive users for B2C (business to consumer) transactions normally access web applications, while web services are employed as building blocks by other web applications for forming B2B (business to business) chains using the so-called SOA model.
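The stored XSS and CSRF descriptions above, shown as code from the defender's side: a comment renderer that pastes stored input into the page beside one that escapes it on output, and a session-bound CSRF token check. This is an added example and not code from the study guide; the comment string, session ids and secret are constructed for the demonstration, and the token scheme (an HMAC over the session id) is one common design, not something the page prescribes.

```python
import hashlib
import hmac
import html
import secrets

# Constructed stored comment containing markup, standing in for the
# "message forum / comment field" case described in the text.
STORED_COMMENT = 'Nice post! <script>alert("stored xss")</script>'


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: stored input is pasted into the page as-is, so any tags in
    # it are parsed as markup and run in every reader's browser.
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment: str) -> str:
    # Hardened: escape on output. The same text is shown to the reader, but as
    # characters, never as elements or attributes.
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def csrf_token_for(session_id: str, secret: bytes) -> str:
    # Token is an HMAC over the session id. A third-party page knows neither
    # the server secret nor the victim's session id, so it cannot produce one,
    # which is exactly what CSRF relies on being unnecessary.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def form_request_is_genuine(session_id: str, submitted_token: str, secret: bytes) -> bool:
    expected = csrf_token_for(session_id, secret)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    print(render_comment_unsafe(STORED_COMMENT))   # tags survive: runs in the browser
    print(render_comment_safe(STORED_COMMENT))     # tags escaped: shown as text
    app_secret = secrets.token_bytes(32)           # per-application secret (constructed)
    token = csrf_token_for("sess-A", app_secret)
    print(form_request_is_genuine("sess-A", token, app_secret))   # True
    print(form_request_is_genuine("sess-B", token, app_secret))   # False
```

The escaping form is the fix for both stored and reflected XSS, because the decision is made at output time regardless of where the input came from; the CSRF check has to be applied to every state-changing form or request, not only to login.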
Web services typically present a public functional interface, capable of being called in a programmatic fashion, while web applications tend to deal with a richer set of features and are content-driven in most cases. Hackers are rapidly learning how to effectively compromise Web Services technologies to carry out their attacks or gain valuable footprinting information.

Tools: Burp Suite, W3af, OWASP. These are the tools our practice uses.

How to Defend Against Web Application Attacks

Make sure you are familiar with these concepts:
- Validate and Sanitize Input
- Safely handle different encoding schemes
- Custom error messages so there isn't a mess of information available to average users
- Low privilege accounts for DB connection
- No session data in GET and POST
- Secure cookies and do not store sensitive info in plain text
- Validate redirects and forwards, or avoid using them at all
- Least amount of information about services on a server as possible

Web Application Firewalls

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
Web Application Pen Testing

Web application penetration testing refers to a set of services used to detect various security issues with web applications and identify vulnerabilities and risks, including:
- Known vulnerabilities in COTS (Commercial Off The Shelf) applications
- Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting, Clickjacking, buffer overflow, session hijacking, password in memory, credential management, back-end authentication, web server configuration, etc.
- Business logic errors: Day-to-Day threat analysis, unauthorized logins, personal information modification, pricelist modification, unauthorized funds transfer, breach of customer trust, etc.

OWASP, the Open Web Application Security Project, an open source web application security documentation project, has produced documents such as the OWASP Guide and the widely adopted OWASP Top 10 awareness document.
Module 14 SQL Injection Study Guide

Objectives:
- Introduction to SQL Injection
- Types of SQL Injection
- SQL Injection Methodology
- Common SQL Injection
- Advanced SQL Injection
- SQL Injection Tools
- Signature Evasion Techniques
- Defending Against SQL Injection
Introduction to SQL Injection

SQL injection is the most common enemy. This is a specific version of an injection attack identified in module 13. SQL injections occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. The vulnerability in SQL injection is that data is not validated before it is sent to the database. It is not a matter of specific vulnerabilities in the software but the way they are implemented to create dynamic content without data validation. A successful SQL injection can lead to information theft and tampering, as well as possible Denial of Service attacks.

Critical Concepts

Server Side Technologies: ASP.Net and relational Databases such as SQL Server, Oracle, IBM DB2 and MySQL are all server side technologies that are susceptible to SQL injection attacks.

HTTP Post Request: When the HTTP Post method is used to send data to the server, this data is used to create the SQL query. In a vulnerable implementation, this string is visible as the HTTP address, and when changed the SQL injection ...

SQL Commands and Logic: A common login method is to match a username and password. In a legitimate interaction these two bits of data are looked up in a table; if the user's input data matches the data found in the table the user is considered authenticated. The authentication occurs because logically, the matching data creates a TRUE condition. Entering another TRUE condition such as 1=1 and then a -- to comment out the rest of the SQL request will also allow for an authentication. Using this logic a hacker can use true conditions to then edit the table, add records, display records, or just delete the table. This allows for a significant bypassing of security measures.
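The login query from the module 13 SQL Injection section and the TRUE-condition logic described above, run against a real in-memory SQLite database, with the parameterized form beside it and an allowlist check applied before any query is built. This is an added example, not code from the study guide; the UserList rows, the injected password value and the username pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample table for the demonstration. Real systems store password
# hashes rather than plaintext, but the injection behaviour is the same.
SEED_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserList VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: the page's query built by string splicing.
    # A quote inside `password` ends the literal and the rest becomes SQL,
    # so "x' OR '1'='1" turns the WHERE clause into a TRUE condition.
    sql = (
        "SELECT UserList.Username FROM UserList "
        f"WHERE UserList.Username = '{username}' AND UserList.Password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders hand the values to the driver separately from the
    # SQL text, so they are compared as data and cannot change the query.
    sql = (
        "SELECT UserList.Username FROM UserList "
        "WHERE UserList.Username = ? AND UserList.Password = ?"
    )
    return conn.execute(sql, (username, password)).fetchone() is not None


# Allowlist validation ("keep only known good"), applied before the query is
# ever built: usernames here may only be short tokens of safe characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def username_is_valid(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    injected = "password' OR '1'='1"   # the page's example payload
    print("vulnerable login, injected password:   ", login_vulnerable(db, "alice", injected))
    print("parameterized login, same input:       ", login_parameterized(db, "alice", injected))
    print("username allowlist accepts the payload:", username_is_valid(injected))
```

The parameterized query is the actual fix; the allowlist is the second layer the defence section later calls for, and it rejects the payload long before the database sees it.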
Informative Error Messages

Error messages are used to correct issues with a database query. When these errors are displayed to a hacker they can be used to get important information such as table names, user names, passwords, and even more sensitive information. One method is to use the UNION command to combine two types of data that cannot be combined, such as a string of characters and an integer. This will produce an error that tells you what data could not be combined.

For Example:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

'%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the pattern, "admin_login". Using this type of commands and patience almost any information can be uncovered.
Types of SQL Injection Attack

Stored Procedure: Using stored procedures does not necessarily prevent SQL injection. The important thing to do is use parameters with stored procedures. If you do not use parameters, your stored procedures can be susceptible to SQL injection if they use unfiltered input.

Union Query: Using UNION to return information desired.

Tautology: A Tautology is a statement that is always true such as 1=1. Injecting these statements along with an OR logically creates a statement that is true, making the SQL injection work.

End of Line Comment: Using -- or other commenting characters to nullify legitimate code suffixed onto the attack code.

Blind SQL Injection: When a target does not provide informative error messages, they may still be susceptible to attack. Hacking when receiving a generic or custom error message requires Blind SQL injection techniques. This requires more time and patience to uncover information. Blind SQL Injection works by asking a series of Yes or No questions and using that information to construct an understanding of the target. Injecting a request with the WAITFOR DELAY command and a 10 second sleep will tell a hacker if their command was accepted if the page then delays in its processing. BENCHMARK is another such command.
SQL Injection Methodology

1. Gather Information
2. Detect vulnerabilities
   a. This is done by injecting test queries such as ... and ...
3. Perform Error based, Union based, or Blind SQL injections depending on vulnerabilities and level of error reporting found.
4. Extract desired information
5. Interact with the OS
   a. Compromise the machine
   b. Move on to compromise the network
6. Execute commands or access system files

Common SQL Injection Hacking

Use SQL injection hacking to grab passwords or hashes, create database accounts in a system, transfer an entire database to your machine, interact with the file system or operating system, or perform network reconnaissance.

Advanced SQL Injection Hacking

Advanced Enumeration: Recognize that different databases require different query types. The CEH test does not require you to know which commands interact with each database type.

Advanced Database Interaction: Using more specific SQL commands it is possible to grab stored password hashes to be broken offline. Another common interaction is to transfer the entire database to the attacker's machine using standard port 80 traffic. Depending on the level of permissions of the database user it is also possible to interact with the operating system. Examples of this include the LOAD_FILE command and xp_cmdshell, which allow a file to be loaded to the database and viewed, or allow interaction with a command line through the database.
SQL Injection Tools

SQLninja, Absinthe, SQLsmack

Signature Evasion Techniques

Targets may be set up with an Intrusion Detection System that compares attacks to input strings of known attacks to detect SQL injection attacks. To bypass this, you can obscure your attacks in multiple ways. If an IDS is set to block attempts to inject 1=1 you can evade it by using 7=7 or 7>1. Adding inline comments with /* and */ to separate commands will also confuse most IDSs. Using various forms of encoding you can evade an IDS by not exactly matching what they are looking for. Some IDS can be evaded by encoding in HEX or using the CHAR function to represent characters. String concatenation allows for commands to be entered in a shorthand form that the database can read. Concatenating these strings allows them to bypass rules in an IDS against the commands themselves being entered. Dropping or adding whitespace [SPACE] can evade signatures as well. SQL queries do not always check for whitespace, while an IDS usually will require an exact match; "UNION SELECT" and "UNION  SELECT" will be read differently.
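The evasions listed above all exploit the same weakness: a rule that looks for one literal spelling of the attack. The defensive answer is to canonicalize the input before matching (undo URL, HEX and CHAR() encoding, fold string concatenation, drop inline comments, collapse whitespace) and to evaluate tautologies generically instead of matching the literal 1=1. The following is an added example of such a normalizer, not code from the study guide or from any IDS or WAF product; the sample inputs are constructed for the demonstration, and the set of decoding steps is an assumption about what a rule engine would want to undo, not the behaviour of any named product.

```python
import operator
import re
from urllib.parse import unquote

# Constructed inputs: the first three are benign; the rest use the evasions
# named in the text (other tautologies than 1=1, inline comments, URL, HEX
# and CHAR() encoding, string concatenation, odd whitespace).
SAMPLES = {
    "plain": "alice",
    "apostrophe": "O'Brien",
    "search": "union jack flags",
    "tautology-1": "x' OR '1'='1",
    "tautology-7": "x' OR 7>1 --",
    "comment-split": "1 UNION/**/SELECT/**/password FROM users",
    "url-encoded": "1%20UNION%20SELECT%20password%20FROM%20users",
    "hex-literal": "1 0x554e494f4e SELECT password FROM users",
    "char-call": "1 CHAR(85,78,73,79,78) SELECT password FROM users",
    "concatenation": "1 'UNI'+'ON' SELECT password FROM users",
    "whitespace": "1\tUNION\n   SELECT\tpassword FROM users",
}

HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")
CHAR_CALL = re.compile(r"\bCHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
CONCAT = re.compile(r"'([^']*)'\s*(?:\+|\|\|)\s*'([^']*)'")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(raw: str) -> str:
    """Reduce the many spellings of the same SQL to one canonical form."""
    s = raw
    for _ in range(3):                        # undo URL encoding, even doubled
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = HEX_LITERAL.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)
    s = CHAR_CALL.sub(lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), s)
    while True:                               # fold 'UNI'+'ON' into 'UNION'
        folded = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", s)
        if folded == s:
            break
        s = folded
    s = INLINE_COMMENT.sub(" ", s)            # /**/ splitting a keyword -> space
    s = re.sub(r"\s+", " ", s)                # tabs, newlines, runs of spaces
    return s.strip().lower()


# Any comparison after OR, not just "1=1"; quotes optional on either side.
COMPARISON = re.compile(r"\bor\s+'?([\w.]+)'?\s*(<>|!=|>=|<=|=|>|<)\s*'?([\w.]+)'?")
OPS = {"=": operator.eq, "<>": operator.ne, "!=": operator.ne,
       ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def is_tautology(lhs: str, op: str, rhs: str) -> bool:
    """Evaluate the comparison generically instead of matching a literal."""
    try:
        return OPS[op](float(lhs), float(rhs))
    except ValueError:
        return OPS[op](lhs, rhs)


def detect(raw: str) -> list:
    s = normalize(raw)
    findings = []
    if re.search(r"\bunion\W+(?:all\W+)?select\b", s):
        findings.append("union-select")
    m = COMPARISON.search(s)
    if m and is_tautology(m.group(1), m.group(2), m.group(3)):
        findings.append("tautology")
    if "--" in s:
        findings.append("eol-comment")
    return findings


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} {detect(value)!s:32} {normalize(value)}")
```

Every encoded variant normalizes to the same string, so one rule covers all of them, and 7>1 is caught by the same check as 1=1 because the comparison is evaluated rather than pattern-matched. "union jack flags" shows why the UNION rule requires a following SELECT rather than the bare keyword.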
Defending Against SQL Injection

Web Applications have the following vulnerabilities which require defending:
- The database server can run OS commands. Because of this the database service account needs to have minimal rights, and commands that allow shell prompts and network discovery should be disabled.
- Error messages can be manipulated to reveal information in the database. To counteract this, error messages should be custom and suppressed whenever possible.
- Data must be validated before it goes to the server. Data should not be concatenated if it has not been validated. Removing known bad information may not always work as a validation process because of possible encoding techniques; instead, sanitize by removing everything but known good information. Stored procedures can be used to process user input and provide a layer of protection.
Module 15 Wireless Networks Study Guide

Objectives:
- Wireless Networks
- Types of Wireless Networks
- Wi-Fi Authentication Modes
- Types of Wireless Encryption
- Wireless Threats
- Wireless Hacking Methodology
- Wireless Hacking Tools
- Bluetooth Hacking
- Defending Against Bluetooth Hacking
- Defending Against Wireless Attacks
- Wi-Fi Security Tools
- Wireless Pen Testing Framework
Wireless Networks

Wireless networks broadcast data so that it can be received in a local area without wires. These networks are easier to install and scale to accommodate more users. These networks are less secure by virtue of this greater functionality.

Types of Wireless Networks

Wireless networks are built on standards. These standards can be set with options about authentication methods and encryption.

Wireless Standards

The 802.11x standards cover the development of the wireless spectrum for home and business use. 802.11a operates in the 5 GHz band with a maximum net data rate of 54 Mbit/s. 802.11b is built from the same standards and operates in the 2.4 GHz band with a maximum data rate of 11 Mbit/s. 802.11g uses the 2.4 GHz band at the data rate of 54 Mbit/s. 802.11n introduced Multiple In, Multiple Out (MIMO), increasing Mbit/s to 600 in the 5 GHz band. All of these standards are marketed under the name Wi-Fi. For the CEH you need to understand the difference in Megabit per second transmission rates and bandwidth used.

Bluetooth is a wireless standard for very short range transmission at a low bandwidth, requiring a close range under ten meters. Bluetooth is utilized for low power devices such as cell phone hands free microphones.
Wi-Fi Authentication Modes

Open: In open authentication, the signal is not encrypted and any device can authenticate to the Access Point.

Shared Key: Clients use an encryption key known to the client and the Access Point to encrypt a challenge text sent from the access point to allow connection to the network.

Centralized: A central server handles an authentication mechanism to allow clients onto the network. The Access Point receives requests and asks for a response that includes an identity to pass on to the central server, such as a RADIUS server, that then handles the actual authentication.

Types of Wireless Encryption

WEP: Wired Equivalency Protocol is an older insecure encryption method. It uses small keys with flaws in implementation that make it trivial to break using tools like aircrack-ng.

WPA: Wi-Fi Protected Access corrects the flaws in WEP, creating a new wireless standard. Encryption is improved by using TKIP, Temporal Key Integrity Protocol, which creates a mechanism for changing the key used.

WPA2 uses AES 128 bit encryption and CCMP for stronger encryption than its predecessor. CCMP uses 128 bit keys and 48 bit initialization vectors, which is much better than the WEP standard used for replay detection. WPA2 Enterprise integrates with EAP standards for stronger authentication. EAP stands for Extensible Authentication Protocol, which allows multiple methods for authentication such as smart cards and tokens.
WEP Flaws

WEP was implemented without public or academic review. The RC4 cipher used is designed for one time message use, not to be used for multiple messages. This leads to the IV frames being repeated and prone to being used in replay attacks. Tools such as aircrack allow for WEP to be cracked with little technical knowledge.

Wireless Threats

Access Control Attacks are used against AP MAC filters or port access controls by spoofing MAC addresses or port addresses.

Integrity Attacks are used by injecting data to replay a captured authentication to gain access. Also these attacks are used to facilitate other attacks such as Denial of Service.

Confidentiality Attacks refer to attacks intercepting data that is assumed to be confidential.

Availability Attacks prevent legitimate use of a wireless network, preventing traffic or resources from reaching it.

Authentication Attacks aim to steal the identity of clients by cracking logins or sniffing credentials.

Breaking WEP Encrypted Wireless Networks

Using aircrack-ng and a copy of Backtrack on a laptop with an injection capable wireless card is required for breaking WEP encrypted networks. The wireless card is set into monitor mode. Using airodump-ng, packets are captured to gain access to the IV packets. Aireplay-ng can be used to do fake authentications to generate traffic as well. Once enough packets are collected the key can be cracked using aircrack-ng.

Breaking WPA Encrypted Wireless Networks

With WPA-PSK a Pre Shared Key is used to begin the TKIP encryption. The PMK is what is used to begin the encrypted session between the access point and the client. While the packets themselves are not crackable, this Pre-Shared Key can be brute forced. If there are live clients in range an attacker can force that client to disconnect. When they reconnect the authentication packet can be captured and an attempt made to brute force that Pairwise Master Key (PMK). With access to the AP, you can capture an authentication packet and use offline tools such as Rainbow Tables to crack the WPA key offline, and the key can be replayed to gain access to the network.
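Why the "one time message use" warning about RC4 and the repeated IV frames matter, shown numerically rather than by running a cracking tool. This is an added example, not from the study guide; the keystream generator is a toy (a SHA-256 counter, not RC4 and not WEP's framing), chosen only because any stream cipher shares the property being shown, and the key and frames are constructed. What it demonstrates is the defender's reason to retire WEP: with a 24-bit IV, keystream reuse is a certainty on a busy network, and reuse alone leaks the XOR of two plaintexts without any key material.

```python
import hashlib
import math
import random

IV_BITS = 24                       # WEP's per-packet IV is 24 bits
IV_SPACE = 1 << IV_BITS            # 16,777,216 possible IVs


def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Toy keystream generator (NOT RC4): a deterministic function of (key, IV).

    WEP seeds RC4 with IV || shared key, so an IV repeat is a keystream repeat.
    Any stream cipher has the property demonstrated below, so the particular
    generator does not matter for the point being made.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv.to_bytes(3, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    # Stream-cipher encryption: ciphertext = plaintext XOR keystream(key, IV).
    # Decryption is the same operation.
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # If c1 and c2 were produced under the same (key, IV) the keystream
    # cancels: c1 XOR c2 == p1 XOR p2. The relationship between the two
    # plaintexts is exposed without touching the key.
    return xor_bytes(c1, c2)


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    # Birthday bound: chance that at least one IV value repeats when
    # `packets` IVs are drawn uniformly at random from `iv_space` values.
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * iv_space))


def packets_until_first_repeat(iv_space: int = IV_SPACE, seed: int = 1) -> int:
    # Simulate random IV selection and count frames until the first repeat.
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.randrange(iv_space)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    p1, p2 = b"GET /index.html", b"POST /login.php"            # constructed frames
    c1, c2 = encrypt(key, 0xABCDEF, p1), encrypt(key, 0xABCDEF, p2)   # same IV twice
    print(keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))           # True
    print(f"P(some IV repeats) after 5000 frames: {iv_collision_probability(5000):.2f}")
    print("first repeat after", packets_until_first_repeat(), "random IVs")
```

Five thousand frames is under a minute of traffic on a busy access point, and real implementations that choose IVs sequentially or reset them on power-up repeat even sooner than the random model predicts. CCMP's 48-bit packet number, mentioned in the encryption section above, is the design response to exactly this problem.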
Rogue Access Points

Any access point set up to look like a legitimate member of the network, but used by a hacker to accomplish any of the attacks above.

Evil Twin Attack

Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate hotspot offered on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications among Internet surfers. An evil twin attack is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.

Wardriving

Wardriving refers to driving around with a mobile Wi-Fi device looking for a Wi-Fi signal. Cars driving around an area are common enough that they blend into the surroundings. Any method of travel can become a War vehicle. Warwalking can be used in a small enough area, like a college campus. Warflying involves the use of a private, or in some cases a remote controlled, aircraft with a Wi-Fi antenna mounted to it for the purpose of finding Wi-Fi signal. Warchalking is a method of documenting Wi-Fi networks in public places. These marks often resemble graffiti.

Finding a Wi-Fi signal can be aided by using different antennas. Omnidirectional antennas are common; they pick up signal from all around them. A directional antenna such as a Yagi only works in one direction, but is designed to have a much greater range in that direction than an omnidirectional antenna would.
Wireless Hacking Methodology

Wi-Fi discovery can be passive, by monitoring for traffic, or active, by sending probes out and getting responses. Using passive methods allows you to stay hidden for longer. However, active techniques will usually generate needed information faster. Using active techniques will increase the chances of your attacks being discovered.

GPS Mapping is not always necessary for every job. Tools such as Netstumbler or WIGLE allow for automatic capturing of GPS data in the log. Some tools will automatically provide this data while monitoring.

Wireless Traffic Analysis involves gathering of information such as SSIDs and encryption methods to determine appropriate strategies for attacks.

Launch a wireless attack after determining the appropriate methods, such as aircrack-ng. Depending on the network, you may have to crack Wi-Fi encryption before this, or you may be able to access information without this step.

Wireless Hacking Tools

Tool Recommendation: Aircrack-ng is the most used Wi-Fi tool of our practice. YouTube videos and Google searches will turn up an amazing amount of information on how to run it and what is needed to use aircrack-ng.

Bluetooth Hacking

Bluetooth hacking takes advantage of some flaws in the Bluetooth stack in order to compromise Bluetooth enabled devices. All Bluetooth hacking requires a close proximity to the device in question because of its limits.

Terms of Bluetooth Hacking

Bluesmacking is a DoS attack caused by random data packets being sent to the device.

Bluesnarfing is the theft of information from a Bluetooth device.

Bluejacking refers to sending messages over Bluetooth to other Bluetooth devices. This is done anonymously through the OBEX protocol.
Defending Against Bluetooth Hacking

If you keep Bluetooth disabled until you need it, you will minimize the window of opportunity for a hacker to compromise your device. When not pairing, keeping your device in a non-discoverable mode is the best method for ensuring that the device does not broadcast information about itself. Lastly, encrypt data on the mobile device as a defense in depth measure should your device be compromised.

Defending Against Wireless Attacks

Always assume that your wireless signal will be available outside of your intended work area. Special antennas can pick up a signal and broadcast from much further than standard workspace equipment. Wireless signals handle network traffic just like a hub; the traffic is broadcast for anyone in range with the right equipment. By ensuring that your wireless network is encrypted, you can keep your traffic confidential. Hiding your SSID broadcast and positioning your antennas can only do so much to limit your risk. These hiding techniques remove you from the low-hanging fruit category that hackers look for. Make sure that your wireless network is only being used by the devices and users that need to use it. As with any other network, be sure that your equipment does not use default passwords, and that your authentication is implemented correctly. If a client can be wired, they are afforded a greater level of security. Physical access to network equipment can be used to bypass many network security controls. Periodic sweeps looking for rogue access points that may have been plugged into your wired network will avoid this problem.

Wi-Fi Security Tools

Aircrack-ng Suite: All in one set of tools easily found in Backtrack. Our practice uses this tool as a beginning to end tool. It allows for sniffing of traffic, packet capture, SSID and encryption method capture, and MAC address capture. After getting the information you need, Aircrack provides tools for breaking encryption keys and using the decrypted keys for replay attacks.
Kismet

Kismet is a layer 2 wireless sniffer that works with most common wireless network cards. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting hidden networks, and inferring the presence of non-beaconing networks via data traffic.

Netstumbler

Netstumbler is a tool that sniffs Wi-Fi signals and informs users if their wireless network is properly configured. This tool can be set to play an audio tone when it finds networks, which is great for Wardriving.

Wireless Pen Testing Framework

The penetration test of a wireless network component begins with documenting what security is currently in place. Once a wireless device is discovered an auditor will determine what security is being used, such as WEP or WPA encryption. Once this is determined and documented, the auditor can then determine if the target would require an infeasible amount of time to brute force an opening. If the wireless network is using up-to-date encryption methods, and it is implemented in a secure manner, the report can be created with the findings. After documenting the current state, the next step is to discover what vulnerabilities are available to exploit.
Module 16 Evading IDS, Firewalls and Honeypots Study Guide

Objectives:
- Intrusion Detection Systems (IDS)
- Ways to Detect an Intrusion
- Types of Intrusion Detection Systems
- Firewalls
- Types of Firewalls
- Firewall Identification Techniques
- Honeypots
- Types of Honeypots
- Evading IDS
- Evading Firewalls
- Countermeasures
- Firewall and IDS Penetration Testing
Intrusion Detection Systems (IDS)

An intrusion detection system analyzes data from a network and compares that data against rules that have been configured. To analyze data an IDS has to be set to capture packets. To raise an alarm it has to be configured with rules that trigger this response.

Ways to Detect an Intrusion

Signature Recognition: Captured data is compared to signatures of possible attacks. This is also called misuse detection.

Anomaly Detection: This IDS relies on having a baseline of what normal network traffic looks like. Once this is determined, anything outside of that norm is an anomaly.

Protocol Anomaly Detection: Instead of a baseline of network traffic, the expected behavior of protocols is used as a base. If the data does not match what the system expects it can raise an alarm. Anything outside of this expected behavior is considered an anomaly.

Log File Monitoring: These systems collect log data and comb through it to hopefully reveal events after they occur.

Types of IDS

Network Based: A device placed on the network in promiscuous mode to listen for traffic and to dynamically inspect network packets for suspicious and anomalous activity.

Host Based: A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system. Think of HIDS as an agent that monitors whether anything or anyone, whether internal or external, has circumvented the system's security policy.
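Anomaly detection as described above (learn a baseline of normal behaviour, then alert on what falls outside it), as an added example that is not from the study guide or from any IDS product. The connection records, the two features (connections per host and distinct destination ports per host) and the 3-standard-deviation threshold are constructed assumptions for the demonstration; the zero-deviation case, where every normal host looks identical, is handled explicitly because it is the one that trips naive z-score code.

```python
import statistics
from collections import Counter

# Constructed connection records: (source host, destination port).
# Eight ordinary hosts each make 8 to 12 connections to one service port.
NORMAL_WINDOW = (
    [("10.0.5.10", 443)] * 12 + [("10.0.5.11", 443)] * 9 + [("10.0.5.12", 80)] * 11
    + [("10.0.5.13", 443)] * 10 + [("10.0.5.14", 443)] * 8 + [("10.0.5.15", 80)] * 10
    + [("10.0.5.16", 443)] * 11 + [("10.0.5.17", 443)] * 9
)
# A later window where one host touches 120 different ports once each.
SCANNER = [("10.0.5.77", port) for port in range(20, 140)]
OBSERVED_WINDOW = NORMAL_WINDOW + SCANNER


def host_features(records):
    """Per host: (number of connections, number of distinct destination ports)."""
    conns = Counter(src for src, _ in records)
    ports = {}
    for src, port in records:
        ports.setdefault(src, set()).add(port)
    return {host: (conns[host], len(ports[host])) for host in conns}


def build_baseline(records):
    # The baseline is learned from a window believed to be clean; if an
    # attacker is already present during training, their traffic becomes "normal".
    feats = host_features(records)
    conn_vals = [c for c, _ in feats.values()]
    port_vals = [p for _, p in feats.values()]
    return {
        "connections": (statistics.mean(conn_vals), statistics.stdev(conn_vals)),
        "distinct_ports": (statistics.mean(port_vals), statistics.stdev(port_vals)),
    }


def z_score(value, mean, stdev):
    # With no spread in the baseline, any deviation at all is an anomaly.
    if stdev == 0:
        return float("inf") if value != mean else 0.0
    return (value - mean) / stdev


def anomalous_hosts(records, baseline, threshold=3.0):
    findings = {}
    for host, (conns, ports) in host_features(records).items():
        reasons = []
        if z_score(conns, *baseline["connections"]) > threshold:
            reasons.append("connection-rate")
        if z_score(ports, *baseline["distinct_ports"]) > threshold:
            reasons.append("port-spread")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    baseline = build_baseline(NORMAL_WINDOW)
    print("baseline:", baseline)
    print("anomalies:", anomalous_hosts(OBSERVED_WINDOW, baseline))
```

Nothing in the baseline says what a port scan looks like; the scanner is flagged purely because its two numbers sit far outside the learned distribution, which is both the strength of anomaly detection (it catches attacks no signature describes) and its weakness (an unusual but legitimate host, such as a new monitoring server, is flagged too).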
File Integrity Checking: Compares files against a record of what the file is supposed to look like, to monitor if files have been changed by intruders.

Any of these ID systems may be wrapped into another piece of equipment such as a firewall or network gateway. Frequently the roles of these systems are critical to the network security system.

Intrusion Detection Tool: Snort

Snort is an open source network tool capable of firewall type packet filtering, protocol analysis, and rules based logging. Snort is used for a variety of network tasks. The CEH exam expects students to be familiar with Snort logs and functions, but not necessarily exact commands.

Indications of Intrusions

1. New files that are unfamiliar
2. Repeated probes of machines and services
3. Connections from unusual locations
4. Gaps in system log file accounting
5. System crashes or reboots

Unfortunately, these indications can also be signs of user activity and accidents.

Firewalls

A firewall is a packet filter between networks. Commonly they are used to keep internet traffic on one side of the wall and internal traffic on the other side. Firewalls may filter traffic based on port, source or destination address, or type of traffic.

Firewall Architecture

Bastion Host: A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. A bastion host is a computer that is fully exposed to attack. The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. It is configured to have a public interface connected to the Internet and a private one connected to the internal network.
There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall and an inside firewall, in a demilitarized zone (DMZ). Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.

Screened Subnet: A screened subnet firewall can be used to separate components of the firewall onto separate systems, for speed and organizational purposes. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure. A screened subnet firewall is often used to establish a demilitarized zone (DMZ). The DMZ houses resources that are available to the public, such as web servers. This allows the private systems to be kept behind a separate network interface.

Multi-homed Firewall: Multi-homed equipment allows for more zone creation, to keep sections of the internal network from connecting or to allow the DMZ to be more specifically divided up. This requires at least three interfaces: public, private, and mixed.

Types of Firewalls

Firewalls are categorized by the level of the OSI model at which they operate.

Packet Filtering Firewall: These firewalls work at the network level. Typically, they are paired with a network router to compare packets with criteria and then discard or route the packet in question depending on the criteria it matches. These may allow for further rule customization such as addresses, ports, or protocols involved.

Circuit Level Gateway Firewall: This type of firewall operates at the Session Level of the OSI model. These gateways monitor traffic for TCP handshake information and determine whether or not the session is allowed. They do not filter individual packets.
Application Level Firewall: These firewalls operate at the Application layer of the OSI model. The high level filtering allows for application specific filtering. Only allowed applications are able to pass traffic through this system.

Stateful Multilayer Inspection Firewall: This is a combination of firewall types that filters at all of the above firewall types' levels.

Firewall Identification Techniques

Firewalls can be identified by how they act. Some firewalls have a signature of what ports they listen on; they are revealed by port scanning. Banner grabbing using FTP, Telnet, SMTP or HTTP ports is another method of identifying services, if the banner has been left as a default. Firewalking is a method of using the Time to Live of TCP or UDP packets to determine if a target allows traffic through to a hop on the other side. Which packets are forwarded and give a TTL exceeded in transit message informs a hacker what packets are being passed onto the network. All firewalls involve using a set of rules, rules create patterns, and patterns can be exploited by hackers.

Honeypots

Honeypots are systems that are configured to look like production systems to attract possible intruders. Any activity on this otherwise unused system would be a sign of a hacker taking a look around. However, as a hacker, when you encounter a system that appears to be open to everything you want to access, you are probably in a honeypot and therefore will leave it alone.

Types of Honeypots

Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security.
Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the cracker community targeting different networks. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on the design criteria, honeypots can be classified into three categories:
1. pure honeypots
2. high interaction honeypots
3. low interaction honeypots

A pure honeypot is a full production system. The activities of the attacker are monitored using a casual tap installed on the honeypot's link to the network.

High interaction honeypots imitate the activities of the real systems that host a wide variety of services and, therefore, an attacker may be allowed a lot of services to waste his/her time. If virtual machines are not available, each honeypot needs to be maintained on its own physical computer, which can be very expensive.

Low interaction honeypots emulate only the services that the attacker normally requests. Because only a few services are emulated, the overhead is low and the configuration is simple. Example: Honeyd.

Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. Honeytokens can exist in almost any form, from a fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious if not necessarily malicious. In general, they don't necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.
Evading Firewalls
By spoofing an IP address that is trusted by the target firewall, a hacker can gain access just like the actual spoofed machine. By asking for information in a method the firewall does not expect you can gain access to data the firewall would normally block. For example, if a firewall is configured to block HTTP access to www.facebook.com but you ping www.facebook.com to find that it is hosted at 69.171.228.39 and put that number in your web browser, the firewall does not see that as asking for the same information. Creating a tunnel through accepted protocols can also bypass most firewall restrictions. ICMP, HTTP, and other standard communications can be used to create a tunnel that is then seen by the firewall as accepted communication.

Evading Intrusion Detection Systems
IDSs are susceptible to multiple evasion techniques and are even capable of being used to attack a target. Because an IDS uses specific rules to identify attacks, any method used to encode or hide the attack may be successful. If the rules require an exact match of data, making the data look different, such as encoding it in Unicode or using encrypted channels, will not set off an alarm.

Fragmentation attacks take advantage of a configuration in reassembly where the victim has a longer timeout for fragments than the IDS does. The IDS is unable to assemble the fragmented attack in the window of time allowed by its rule, but the victim has longer to reassemble and does so.

Invalid RST packets may be used to trick the IDS into believing a session has ended, while keeping the communication alive. TCP uses checksums to ensure communication is reliable; if the checksum is wrong, the receiving host throws the packet out. When an IDS that does not validate checksums sees an RST packet with an invalid checksum, it does not discard it, assumes the session is over, and passes on the packets that follow without inspecting them. The victim does see the checksum as invalid and discards the RST packet, keeping the communication going.

By creating a Denial of Service a hacker can consume resources of the IDS to the point that it is unable to log an actual attack. DoS may also be used to bring the IDS offline, leaving the network unprotected during the intended attack. Any flood of data can be used to bury an attack within a wall of log data that often goes unread or unanalyzed. Application layer attacks depend upon an IDS being unable to inspect inside compressed file formats such as image or video data.
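The invalid-RST evasion above comes down to one check that the victim host performs and a naive sensor skips. The following is an added example (not from the study guide) that computes the TCP checksum over the IPv4 pseudo-header and segment the way the receiver does, then plays both roles: the host that verifies before acting on an RST, and an IDS that only looks at the RST flag. The addresses, ports, sequence number and the naive IDS behaviour are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TCP_HDR_LEN  20
#define TCP_FLAG_RST 0x04

/* RFC 1071 one's-complement sum of 16-bit words, accumulated in 32 bits. */
static uint32_t ones_sum(const uint8_t *data, size_t len, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)                        /* odd trailing byte is zero padded */
        acc += (uint32_t)data[len - 1] << 8;
    return acc;
}

static uint16_t fold16(uint32_t acc)    /* fold carries back into 16 bits */
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Checksum over pseudo-header (src, dst, 0, proto 6, TCP length) + segment.
 * Returns the complemented sum: 0 means the stored checksum is correct. */
static uint16_t tcp_sum(const uint8_t src[4], const uint8_t dst[4],
                        const uint8_t *seg, size_t seg_len)
{
    uint8_t pseudo[12];
    uint32_t acc;
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;                                  /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(seg_len >> 8);
    pseudo[11] = (uint8_t)(seg_len & 0xff);
    acc = ones_sum(pseudo, sizeof pseudo, 0);
    acc = ones_sum(seg, seg_len, acc);
    return (uint16_t)~fold16(acc);
}

/* Sender side: compute the checksum into header bytes 16-17 and return it. */
uint16_t tcp_fill_checksum(const uint8_t src[4], const uint8_t dst[4],
                           uint8_t *seg, size_t seg_len)
{
    uint16_t csum;
    seg[16] = 0;
    seg[17] = 0;
    csum = tcp_sum(src, dst, seg, seg_len);
    seg[16] = (uint8_t)(csum >> 8);
    seg[17] = (uint8_t)(csum & 0xff);
    return csum;
}

/* The victim host: verify the checksum before acting on the segment. */
int host_accepts(const uint8_t src[4], const uint8_t dst[4],
                 const uint8_t *seg, size_t seg_len)
{
    return tcp_sum(src, dst, seg, seg_len) == 0;
}

/* A naive IDS: it reads the RST flag and never validates the checksum. */
int naive_ids_sees_session_end(const uint8_t *seg)
{
    return (seg[13] & TCP_FLAG_RST) != 0;
}

/* Constructed 20-byte RST segment 10.0.0.1:1234 -> 10.0.0.2:80. */
static void make_rst(uint8_t *seg)
{
    static const uint8_t hdr[TCP_HDR_LEN] = {
        0x04, 0xd2,  0x00, 0x50,              /* ports 1234 -> 80 */
        0x11, 0x22, 0x33, 0x44,               /* sequence number */
        0x00, 0x00, 0x00, 0x00,               /* acknowledgement number */
        0x50, TCP_FLAG_RST,  0x00, 0x00,      /* data offset 5, RST, window 0 */
        0x00, 0x00,  0x00, 0x00               /* checksum (filled later), urgent */
    };
    memcpy(seg, hdr, TCP_HDR_LEN);
}

static const uint8_t SRC_IP[4] = { 10, 0, 0, 1 };
static const uint8_t DST_IP[4] = { 10, 0, 0, 2 };

/* Genuine RST: 1 when host and IDS both treat the session as closed. */
int demo_genuine_rst(void)
{
    uint8_t seg[TCP_HDR_LEN];
    make_rst(seg);
    tcp_fill_checksum(SRC_IP, DST_IP, seg, TCP_HDR_LEN);
    return host_accepts(SRC_IP, DST_IP, seg, TCP_HDR_LEN) && naive_ids_sees_session_end(seg);
}

/* The evasion: a deliberately corrupted checksum. 1 when the IDS stops
 * tracking the session while the host silently drops the packet. */
int demo_forged_rst(void)
{
    uint8_t seg[TCP_HDR_LEN];
    make_rst(seg);
    tcp_fill_checksum(SRC_IP, DST_IP, seg, TCP_HDR_LEN);
    seg[17] ^= 0x01;                            /* flip one checksum bit */
    return !host_accepts(SRC_IP, DST_IP, seg, TCP_HDR_LEN) && naive_ids_sees_session_end(seg);
}

int main(void)
{
    printf("genuine RST: host accepts, IDS closes session: %d\n", demo_genuine_rst());
    printf("forged RST:  host drops,   IDS closes session: %d\n", demo_forged_rst());
    return 0;
}
```

The countermeasure is simply to make the sensor do the same arithmetic as the host: modern sensors can be configured to validate checksums and drop segments that fail (Snort's checksum_mode setting, for instance), which removes the disagreement the trick depends on.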
Countermeasures
IDSs and firewalls live and die by their rules and signatures. Always keep the signatures and software up to date to avoid being the victim of an already patched exploit or of an attack for which a signature was already available. Rules need to be set to account for the ability of information to be asked for and sent in multiple encoding methods. Ensure that your settings allow the IDS to see fragmented data exactly as the end client will see it.

Firewall/IDS Penetration Testing
Testing of firewalls and Intrusion Detection Systems is a matter of finding out whether the rules involved account for the methods that may be used to bypass their protection. If the rules keep out the attack, then the system is considered secure against the methods that were tested.
Module 17 Buffer Overflows Study Guide
Objectives:
Buffer Overflows
Stack-Based Buffer Overflow
Heap-Based Buffer Overflow
Stack Operation
Buffer Overflow Steps
Attacking a Real Program
Smashing the Stack
Identifying Buffer Overflows
BoF Detection Tools
Defense against Buffer Overflows
BoF Countermeasure Tools
BoF Pen Testing
Buffer Overflows
Programs utilize memory to work. They store information in allocated memory. These allocations are usually created to fit a certain number of bytes of data. When the information that is placed in memory is more bytes than the space that was allocated, you have a buffer overflow or buffer overrun. This can be as simple as a program expecting to receive a 10 digit phone number but a call like strcpy placing 11 or more bytes in the memory space (strcpy copies until it finds the terminating NUL, with no regard for the size of the destination). This overwrites whatever comes next in memory. If a critical piece of data is overwritten the program crashes.

Stack Based Buffer Overflow
The stack or call stack is a section of memory used to keep track of subroutines in a computer program: their local variables, saved registers and return addresses. The stack based buffer overflow attacks this structure to overwrite data or introduce commands to make the program function in ways the programmer did not intend.

Heap Based Buffer Overflow
The heap is an area in memory dynamically allocated while the program is running. A heap based overflow corrupts this data to alter the structure of the heap, crashing the program or running malicious code.

Stack Operation
Shellcode
Exploits for buffer overflows utilize shellcode. These short pieces of machine code, written at the assembly level, are delivered as part of the overflowing input and run once the overflow has redirected execution, giving a hacker a measure of control (classically, a shell). For the CEH test be able to identify shellcode such as this:

/* This is the minimal shellcode from the tutorial: 32-bit Linux x86, execve("/bin/sh")
   using the jmp/call trick to find the string; the trailing "X" is overwritten with a NUL at run time */
static char shellcode[] =
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"   /* jmp; pop esi; build argv[]; eax = 11 (execve) */
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";  /* set ebx/ecx/edx; int 0x80; call back; "/bin/shX" */
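To make the "10 digit phone number" case above concrete, here is an added example (not from the study guide) that simulates a stack frame in a plain byte array so the overwrite can be shown deterministically and without undefined behaviour: the 11-byte phone buffer sits at the bottom of the frame and a pretend saved return address sits 16 bytes in. The unsafe copy behaves like strcpy; the hardened copy checks the length against the destination first. The frame layout, the return address value and the inputs are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PHONE_BUF   11           /* 10 digits plus the terminating NUL */
#define FRAME_SIZE  24           /* simulated stack frame */
#define RET_OFFSET  16           /* where the saved return address lives */
#define ORIG_RET    0x08048abcu  /* a plausible 32-bit return address (constructed) */

static void frame_init(uint8_t *frame)
{
    int i;
    memset(frame, 0, FRAME_SIZE);
    for (i = 0; i < 4; i++)                      /* little-endian, like x86 */
        frame[RET_OFFSET + i] = (uint8_t)(ORIG_RET >> (8 * i));
}

static uint32_t saved_ret(const uint8_t *frame)
{
    return (uint32_t)frame[RET_OFFSET]
         | (uint32_t)frame[RET_OFFSET + 1] << 8
         | (uint32_t)frame[RET_OFFSET + 2] << 16
         | (uint32_t)frame[RET_OFFSET + 3] << 24;
}

/* VULNERABLE: behaves like strcpy(phone, input). It copies the whole input and
 * its NUL, however large the phone buffer is. */
static void copy_phone_unsafe(uint8_t *phone, const char *input)
{
    memcpy(phone, input, strlen(input) + 1);
}

/* HARDENED: check the length against the destination size and refuse
 * oversized input rather than truncating it silently. Returns 0 on success. */
int copy_phone_safe(uint8_t *phone, size_t phone_size, const char *input)
{
    size_t n = strlen(input);
    if (n + 1 > phone_size)
        return -1;
    memcpy(phone, input, n + 1);
    return 0;
}

/* Saved return address after the unsafe copy of input into the frame. Inputs
 * longer than the simulated frame are refused (returns 0) so the demonstration
 * itself never writes out of bounds. */
uint32_t ret_after_unsafe(const char *input)
{
    uint8_t frame[FRAME_SIZE];
    if (strlen(input) + 1 > FRAME_SIZE)
        return 0;
    frame_init(frame);
    copy_phone_unsafe(frame, input);
    return saved_ret(frame);
}

/* Saved return address after the safe copy: always unchanged. */
uint32_t ret_after_safe(const char *input)
{
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    (void)copy_phone_safe(frame, PHONE_BUF, input);
    return saved_ret(frame);
}

/* 0 if the safe copy accepted the input, -1 if it rejected it. */
int safe_copy_accepts(const char *input)
{
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    return copy_phone_safe(frame, PHONE_BUF, input);
}

int main(void)
{
    const char *ok  = "0123456789";            /* exactly 10 digits */
    const char *bad = "0123456789012345AAAA";  /* 20 bytes: reaches the return address */
    printf("unsafe, 10 digits: ret = 0x%08x\n", ret_after_unsafe(ok));
    printf("unsafe, 20 bytes : ret = 0x%08x\n", ret_after_unsafe(bad));
    printf("safe,   20 bytes : ret = 0x%08x, rejected = %d\n",
           ret_after_safe(bad), safe_copy_accepts(bad));
    return 0;
}
```

With the 20-byte input the four 'A' characters land exactly on the saved return address, which becomes 0x41414141: the classic first symptom of a stack overflow seen in a debugger. Note that replacing strcpy with strncpy alone is not the fix shown here; strncpy does not NUL-terminate when the input fills the buffer, which is why the hardened version checks the length and copies the terminator explicitly.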
No Operations
Most CPUs have a No Operation instruction, or NOP. This instruction does nothing; the processor simply moves on to the next instruction. A long string of these instructions can be placed into an exploit in front of the shellcode, which is called a NOP sled: the overwritten return address only has to land somewhere in the sled, and execution then slides down into the shellcode. The NOP sled is often encoded to look like something else, but recognizing 0x90 as the standard x86 NOP is recommended.

Knowledge Required to Create a Buffer Overflow Exploit
To create a buffer overflow exploit the hacker has to have an understanding of the underlying structures such as stack and heap memory, assembly level programming, system calls at the machine code level, and knowledge of debugging tools and of how higher level programming languages convert into lower level languages.

Knowledge Required to Run a Created Exploit
If a piece of software has a known buffer overflow issue there may already be an exploit tool available. Anyone who can find the tool and the vulnerable software in use can run the exploit.

Identifying Buffer Overflow Vulnerabilities
Identifying these vulnerabilities is generally done by code review and manual testing. Malformed input is fed to the program (by hand or with a fuzzer) while a debugger such as OllyDbg is attached, to watch exactly how the stack or heap handles the problem.

Smashing the Stack
In general, a buffer overflow allows a hacker to control where the program looks for its next instruction (the saved return address on the stack) and point it to code they want to run. This is known as smashing the stack. After the stack is smashed the hacker has the same privileges as the process; if the process runs as root, that is superuser access. It is also possible to create backdoors using inetd or Trivial FTP, or make connections using netcat.
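The following added example (not from the study guide) shows both sides of the NOP sled idea from the previous section: it lays out a classic payload (sled, shellcode, repeated return address) in a buffer, shows why an imprecise return address still reaches the shellcode, and implements the longest-0x90-run check that an IDS or buffer overflow detection tool uses to flag sleds. The "shellcode" is a four-byte placeholder (int3 x4) and the return address is made up; nothing here is executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP 0x90

/* Fill out[] with sled_len NOPs, then the shellcode, then the 32-bit
 * little-endian return address repeated to the end of the buffer.
 * Returns the shellcode offset, or 0 if the pieces do not fit. */
size_t build_payload(uint8_t *out, size_t out_len, size_t sled_len,
                     const uint8_t *sc, size_t sc_len, uint32_t ret_addr)
{
    size_t pos, start;
    if (sled_len == 0 || sled_len + sc_len + 4 > out_len)
        return 0;
    memset(out, X86_NOP, sled_len);
    memcpy(out + sled_len, sc, sc_len);
    start = sled_len + sc_len;
    for (pos = start; pos < out_len; pos++)          /* address bytes, repeated */
        out[pos] = (uint8_t)(ret_addr >> (8 * ((pos - start) % 4)));
    return sled_len;
}

/* Execution landing at offset `land` steps over NOPs one at a time.
 * Returns 1 if it arrives exactly at the start of the shellcode. */
int sled_reaches_shellcode(const uint8_t *buf, size_t len, size_t land, size_t sc_offset)
{
    size_t pc = land;
    while (pc < len && buf[pc] == X86_NOP)
        pc++;
    return pc == sc_offset;
}

/* Detection side: the longest run of 0x90 bytes in a buffer. A detector
 * alerts when this exceeds a threshold (encoded sleds defeat this check). */
size_t longest_nop_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, run = 0, i;
    for (i = 0; i < len; i++) {
        run = (buf[i] == X86_NOP) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Constructed payload: 64-byte sled, 4-byte placeholder shellcode and the
 * made-up return address 0xbffff7a0 in a 128-byte buffer. */
#define DEMO_LEN  128
#define DEMO_SLED 64
static const uint8_t DEMO_SC[4] = { 0xcc, 0xcc, 0xcc, 0xcc };   /* int3 x4, placeholder */

static size_t demo_build(uint8_t *buf)
{
    return build_payload(buf, DEMO_LEN, DEMO_SLED, DEMO_SC, sizeof DEMO_SC, 0xbffff7a0u);
}

/* 1 if a return address landing `land` bytes into the payload runs the shellcode. */
int demo_lands(size_t land)
{
    uint8_t buf[DEMO_LEN];
    size_t sc_off = demo_build(buf);
    return sled_reaches_shellcode(buf, DEMO_LEN, land, sc_off);
}

/* Longest NOP run a detector would see in the demonstration payload. */
size_t demo_longest_run(void)
{
    uint8_t buf[DEMO_LEN];
    demo_build(buf);
    return longest_nop_run(buf, DEMO_LEN);
}

int main(void)
{
    printf("sled length seen by detector: %zu\n", demo_longest_run());
    printf("land at 0 -> %d, 37 -> %d, 64 -> %d, 70 -> %d\n",
           demo_lands(0), demo_lands(37), demo_lands(64), demo_lands(70));
    return 0;
}
```

Any landing offset from 0 through 64 reaches the shellcode, which is why the attacker only needs a rough guess at the buffer's address; landing in the return-address area (offset 70) does not. The same property makes a run of 64 identical 0x90 bytes easy to spot, which is the reason real exploits swap in other single-byte instructions that have no effect on the shellcode.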
Preventing Buffer Overflow Attacks
The prevention of buffer overflow attacks comes from having programmers who are familiar with what can happen when the stack or heap is left open to these vulnerabilities. By using safe languages, or by making sure not to use unsafe functions (such as strcpy, strcat, sprintf and gets) in languages that have them, you can prevent many common overflows. By having a strong code review process after the code is written you can find possible cracks.

Data Execution Prevention (DEP)
DEP is a set of hardware and software technologies that verify in real time that programs are using system memory in a safe manner: pages that hold data, such as the stack and heap, are marked non-executable, so shellcode injected into a data buffer cannot be run directly from it.

Buffer Overflow Penetration Testing
If the source code is available, review the code for insecure function calls. If the source code is not available, reverse engineering is possible using disassemblers and debugging tools to monitor the program. Understanding the programming involved is required. The process for using the debugger involves sending the program large amounts of input data and watching how the code handles it. As always, documentation of all the findings is critical to a good penetration test.
Module 18 Cryptography Study Guide
Objectives:
Introduction and Definitions
Types of Cryptography
Ciphers
Algorithms
Message Hashes / Digests
Public Key Infrastructure (PKI)
Disk Encryption
Cryptography Attacks
Introduction and Definitions
Cryptography, literally meaning "hidden writing", is used to make data unreadable. This is usually done by a mathematical algorithm which takes information and turns it into what is called cipher text, a process called encryption. For example: you can rotate the alphabet by thirteen characters so that computer becomes pbzchgre. The plaintext is computer, the cipher text is pbzchgre, and the algorithm is rotating letters 13 places down the alphabet: each letter is substituted with the letter that is 13 places after it. This is a very basic method known as ROT13. In order to create a confidential method, the algorithm used requires a crypto-variable or key. Instead of using ROT13 as above it becomes ROTx, where x can represent any number of rotations. The use of a key results in a unique transformation; this allows multiple users to use a common algorithm while maintaining confidentiality. When someone is authenticated to use the encrypted data they are given the keys necessary to decrypt it and view the data.

Cryptography is used to keep data confidential. Cryptography is also used to provide data integrity and non-repudiation. Integrity is the ability to be sure that the data has not been altered. Non-repudiation is the ability to be sure that the data came from a certain source, by attaching a digital fingerprint (a digital signature) to a message.

Types of Cryptography
Asymmetric
Asymmetric encryption uses one key to encrypt and a different key to decrypt. These are the public and private keys. The private key is what the entity keeps private. If something is encrypted with the private key, it can only be decrypted with the public key. Likewise, a message encrypted with an entity's public key can only be read by the entity with the private key, assuring the parties of confidentiality. When the private key is used to encrypt a message it is effectively enclosed in a digital envelope: the entities involved know that only the holder of the private key could have wrapped it with encryption that is opened with a specific public key. This provides non-repudiation. It is important to remember that the keys in such a structure cannot feasibly be derived from each other. Asymmetric encryption is used when the key needs to be transmitted securely where it would be infeasible to do so out of band, such as in email encryption.
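The two properties just described (public-key encryption for confidentiality, private-key "encryption" for non-repudiation) can be seen with actual numbers. The following added example (not from the study guide) is textbook RSA, the public-key algorithm covered later in this module, with the classic toy primes 61 and 53 and public exponent 17. These parameters are far too small to be secure and carry none of the padding a real implementation needs; they are only here to show how the key pair is derived and why the two operations undo each other.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

struct rsa_key {
    u64 n;   /* modulus p*q, public */
    u64 e;   /* public exponent */
    u64 d;   /* private exponent: e^-1 mod (p-1)(q-1) */
};

/* base^exp mod m by square-and-multiply. m must be below 2^32 so that the
 * intermediate products fit in 64 bits (fine for the toy key used here). */
u64 modpow(u64 base, u64 exp, u64 m)
{
    u64 result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a mod m by the extended Euclidean algorithm; 0 if none. */
u64 modinv(u64 a, u64 m)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)m;
    return (u64)t;
}

/* Derive a key pair from two primes and a public exponent. */
struct rsa_key rsa_keygen(u64 p, u64 q, u64 e)
{
    struct rsa_key k;
    k.n = p * q;
    k.e = e;
    k.d = modinv(e, (p - 1) * (q - 1));
    return k;
}

/* Public-key operation: encrypt a message, or verify a signature. */
u64 rsa_public(u64 x, const struct rsa_key *k)  { return modpow(x, k->e, k->n); }

/* Private-key operation: decrypt a ciphertext, or sign a message. */
u64 rsa_private(u64 x, const struct rsa_key *k) { return modpow(x, k->d, k->n); }

/* The private exponent for p=61, q=53, e=17. */
u64 demo_private_exponent(void) { return rsa_keygen(61, 53, 17).d; }

/* Ciphertext of the message 65 under the public key. */
u64 demo_encrypt(void)
{
    struct rsa_key k = rsa_keygen(61, 53, 17);
    return rsa_public(65, &k);
}

/* Confidentiality: decrypting with the private key restores the message. */
u64 demo_decrypt(void)
{
    struct rsa_key k = rsa_keygen(61, 53, 17);
    return rsa_private(rsa_public(65, &k), &k);
}

/* Non-repudiation: a value produced with d verifies under e, and the same
 * value altered by one unit no longer does. Returns 1 on success. */
int demo_signature(void)
{
    struct rsa_key k = rsa_keygen(61, 53, 17);
    u64 sig = rsa_private(65, &k);
    u64 tampered = (sig + 1) % k.n;
    return rsa_public(sig, &k) == 65 && rsa_public(tampered, &k) != 65;
}

int main(void)
{
    printf("d = %llu, c = %llu, m = %llu, signature check = %d\n",
           (unsigned long long)demo_private_exponent(),
           (unsigned long long)demo_encrypt(),
           (unsigned long long)demo_decrypt(), demo_signature());
    return 0;
}
```

The key pair here is n = 3233, e = 17, d = 2753, and the message 65 encrypts to 2790. Anyone with e and n can encrypt or verify, but only the holder of d can decrypt or sign; deriving d from e and n requires factoring n, which is trivial for 3233 and is exactly what is infeasible at real key sizes.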
Symmetric
Symmetric encryption uses the same key for encryption and decryption. This key is usually kept at a secure location and is transferred out of band. The entities using this key have to take great care in protecting it: anyone with access to this key can read any message that is encrypted with it. Symmetric encryption is faster than asymmetric, and is commonly used for larger sets of data. IPsec is a good example; it is used for VPN type traffic that requires a high rate of transmission.

Ciphers
Block Ciphers
Block ciphers encrypt blocks of data. The ciphers work by breaking the data into blocks of a fixed size, such as 64 or 128 bit blocks, then encrypting each piece. Some ciphers can only use blocks of certain sizes; others are able to use variable block sizes.

Stream Ciphers
Stream ciphers encrypt continuous streams of data, typically a bit or a byte at a time. This type of cipher does not require certain data size blocks. These are often used in symmetric encryption for data that has to be transmitted quicker.

Hash Function
A hash function is a one way function. It does not require a key. It is used to create a piece of output which does not need to be, and cannot be, decrypted. A piece of plaintext passed through the algorithm gives a message digest, or hash, which can be used to prove that the plaintext is whole, proving integrity. This is used to provide integrity for a file, much like a checksum.
Algorithms
DES
This block cipher was adopted in 1976 as the U.S. Data Encryption Standard; it was designed at IBM and reviewed by the NSA. DES uses a key of 56 bits, thought at the time to be beyond the ability of any computer to brute force and determine the key. As computer power has increased in the last three decades the 56 bit key is no longer considered secure. Triple DES was created by taking the DES cipher algorithm and applying it three times to each data block, with a different key each time. This gives a nominal key length of 168 bits (a meet-in-the-middle attack reduces the effective strength to about 112 bits).

AES
AES is a symmetric-key block cipher. It uses 128 bit blocks and has a variable key size of 128, 192 or 256 bits. AES is currently considered the standard for secure encryption.

RC Algorithms
The RC algorithms are a set of symmetric-key encryption algorithms invented by Ron Rivest. RC4 is a widely used variable key length stream cipher. RC5 is a block cipher developed in 1994 with a variable block size of 32, 64 or 128 bits. RC6 is a 128-bit block cipher based heavily on RC5, created in 1997.

RSA
RSA is a public-key cipher used for both confidentiality and digital signatures, based on the difficulty of factoring large numbers.

Message Hashes / Digests
Message digests or message hashes are the one way hash of a block of data. The output is called a hash value. If any bit in the original text changes, every bit of the hash has a fifty percent chance of also changing, making it infeasible for two documents to have the same hash value. These values are used for verifying file or message integrity. They are also used as an identifier for files or persons where it is a bad idea to transmit a password.

Message Digest Ciphers
MD5
MD stands for Message Digest. An MD5 hash is a 128 bit value, usually written as a 32 digit hexadecimal number, that can be used as a digital fingerprint. It is weak to collision attacks: practical collisions were demonstrated in 2004, and in 2008 they were used to forge a CA certificate.
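To show how a digest is used for integrity in practice, here is an added example (not from the study guide). It uses FNV-1a, a simple non-cryptographic 32-bit hash, as a stand-in for MD5 or SHA so that no crypto library is needed; it demonstrates the sender/receiver workflow and the avalanche effect described above, not cryptographic strength (collisions for FNV are easy to construct, so it must never be used where an attacker controls the data). The message is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FNV_OFFSET 0x811c9dc5u
#define FNV_PRIME  0x01000193u

/* FNV-1a 32-bit: xor each byte into the state, then multiply by the prime. */
uint32_t fnv1a(const uint8_t *data, size_t len)
{
    uint32_t h = FNV_OFFSET;
    size_t i;
    for (i = 0; i < len; i++) {
        h ^= data[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Number of differing bits between two digests. */
int hamming32(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    int n = 0;
    while (x) {
        n += (int)(x & 1);
        x >>= 1;
    }
    return n;
}

/* Sender: compute a digest to send alongside the message. */
uint32_t digest_message(const char *msg)
{
    return fnv1a((const uint8_t *)msg, strlen(msg));
}

/* Receiver: recompute the digest and compare; 1 if the message is intact. */
int verify_message(const char *msg, uint32_t expected)
{
    return digest_message(msg) == expected;
}

static const char DEMO_MSG[] = "transfer 100 to account 4242";   /* constructed */

/* Flip one bit of the amount: '1' ^ 0x08 == '9', so "100" becomes "900". */
static void tamper(char *out)
{
    memcpy(out, DEMO_MSG, sizeof DEMO_MSG);
    out[9] ^= 0x08;
}

/* How many of the 32 digest bits change for that single-bit edit. */
int demo_bits_changed(void)
{
    char tampered[sizeof DEMO_MSG];
    tamper(tampered);
    return hamming32(digest_message(DEMO_MSG), digest_message(tampered));
}

/* 1 if the receiver accepts the original and rejects the tampered message. */
int demo_tamper_detected(void)
{
    uint32_t sent = digest_message(DEMO_MSG);
    char tampered[sizeof DEMO_MSG];
    tamper(tampered);
    return verify_message(DEMO_MSG, sent) && !verify_message(tampered, sent);
}

int main(void)
{
    printf("digest of original: %08x\n", digest_message(DEMO_MSG));
    printf("bits changed by a one-bit edit: %d of 32\n", demo_bits_changed());
    printf("tamper detected: %d\n", demo_tamper_detected());
    return 0;
}
```

The digest alone only protects against accidental corruption: an attacker who can change the message can recompute the digest too. That is why the email signing scheme later in this module encrypts the digest with the sender's private key, and why a cryptographic hash (where finding a second message with the same digest is infeasible) must replace FNV-1a in anything real.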
SHA
The Secure Hash Algorithm was created by the NSA as part of a U.S. Federal Information Processing Standard. SHA-1 produces a 160 bit digest from a message. It is similar in design to MD5. SHA-2 has two main functions: SHA-256, which can produce an output of either 256 or 224 bits (as SHA-224), and SHA-512, which can produce an output of either 512 or 384 bits (as SHA-384). NIST has stated that the Federal government is required to use SHA-2 functions after 2010.

Examples of Message Digest Uses
SSL and TLS communication between clients and servers uses hash functions during the handshake stage to start communication. The client asks the server for a secure connection and presents the list of cipher suites and hash functions it can use. The server chooses the strongest one available that both can use and tells the client. The server then presents its digital certificate to the client. The client can then check the certificate with the trust authority. Once this is done the client encrypts a random number with the server's public key so that only the server can decrypt it. From that random number both server and client generate session keys to be used for the symmetric encryption.

SSH (Secure Shell) uses public and private keys to authenticate users and generate a secure tunnel. You generate a key pair using a tool like PuTTYgen. The public key is stored on the SSH server that needs to be available for connection. The private key is never transmitted. When using SSH to log on to the server, you create a digital signature with your private key over a hash of the session data, which only you could generate, and present it to the server, which verifies it with the public key.

Public Key Infrastructure (PKI)
PKI refers to all the background parts needed to use digital certificates as a way of binding public keys to the entities using them.

Authorities
Registration Authority
This entity handles the requests of an entity (server, computer, or person) to obtain a digital certificate.
Certification Authority
This entity generates and assigns certificates to entities. Also referred to as a Trusted Third Party (TTP).
Validation Authority
This entity handles requests for confirmation that an entity is who they say they are when they present a digital certificate. In some systems these entities may all be one server. The term PKI is sometimes used incorrectly to refer to the Certificate Authority (CA). The term digital certificate refers to the X.509 standard document used in PKI. Examples of commercial Certification Authorities include VeriSign, Go Daddy, and Comodo. PKI can also exist in a Web of Trust model, as implemented in the Pretty Good Privacy (PGP) free version of email encryption. A web of trust exists as a set of certificates that a user trusts, and can be used with the commercial models as long as another Certificate Authority will back the self-signed certificates as authentic.

Uses of PKI
PKI is used in both encrypted email and encrypted web traffic. In email encryption, a message can be run through a hash function which creates a hash value unique to the message. This hash value is encrypted with the sender's private key and added as a signature to the message. When the message is received, the hash value can be decrypted using the sender's public key and compared against a fresh hash of the message, ensuring the integrity of the email message. The message itself is encrypted with the recipient's public key, so that it can only be decrypted by that recipient using their private key, ensuring confidentiality. In web traffic such as SSL and TLS, websites are issued certificates from Certification Authorities to use to handshake and identify themselves to clients.
Disk Encryption
Disk encryption refers to encrypting the data on a hard drive or other media. When the data in storage is encrypted it assures confidentiality of the data. One best practice is to encrypt all data backups when they are put onto removable media such as DVD or tape. Our practice uses the free tool TrueCrypt for disk encryption. TrueCrypt also has the ability to create a hidden volume within an encrypted volume for plausible deniability. This hidden volume cannot be detected unless supplied with the hidden volume passphrase.
Cryptography Attacks
All cryptographic attacks assume that the person doing the attack has access to encrypted information.

Brute force attacks attempt to try every possible key for the cryptographic function. Success depends on how long the key is, how much time the hacker has, and what other security mechanisms are in place, such as account lockout. The time and security mechanisms can be bypassed by techniques such as using rainbow tables against a stolen hash.

Known plaintext attacks are those attacks where a hacker has the whole of a plaintext that has been encrypted and the associated cipher text. This is similar to the newspaper style puzzles where you know how the message is set up and have the encrypted message. When an attacker has the whole encrypted message together with its plaintext it is possible to figure out the key used to encrypt the plaintext.

Chosen plaintext attacks occur when a hacker can choose a piece of plaintext and has access to the encryption function. Using the hacker's plaintext he can then take the generated cipher text and compare it to the plaintext to figure out a key.

Chosen ciphertext attacks occur when a hacker has the ability to take a piece of ciphertext and decrypt it, then analyze the output.

While attacks against the ciphers themselves do occur, it is often quicker to attack the implementation or the person who uses the encryption instead. Attacks on the implementation that exploit timing, power consumption or other physical leakage are called side channel attacks. Social engineering attacks such as phishing or shoulder surfing can give an attacker the passwords or keys used in encryption by taking advantage of the users in question. Rubber hose attacks refer to using physical violence against someone who has knowledge of the encryption keys to force them to reveal those keys.
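The ROTx cipher from the introduction is small enough to attack in a few lines, which makes it a good illustration of two of the attacks described above. The following added example (not from the study guide) implements ROTx (ROT13 is the key x = 13) and then recovers the key in two ways: a known plaintext attack that derives the shift from one plaintext/ciphertext pair and checks that every letter agrees, and a brute force attack that tries all 26 keys and keeps the one whose output contains a word the attacker expects (a crib). The sample messages are constructed for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define ALPHABET 26

/* Rotate one letter k places; non-letters pass through unchanged. */
char rot_char(char c, int k)
{
    k = ((k % ALPHABET) + ALPHABET) % ALPHABET;          /* normalise negative keys */
    if (c >= 'a' && c <= 'z') return (char)('a' + (c - 'a' + k) % ALPHABET);
    if (c >= 'A' && c <= 'Z') return (char)('A' + (c - 'A' + k) % ALPHABET);
    return c;
}

/* Encrypt with key k; decrypt by calling with -k. out must hold strlen(in)+1. */
void rotx(const char *in, char *out, int k)
{
    size_t i, n = strlen(in);
    for (i = 0; i < n; i++)
        out[i] = rot_char(in[i], k);
    out[n] = '\0';
}

/* Known plaintext attack: the key is the shift between any letter pair.
 * Returns the key, or -1 if the pair is inconsistent (different lengths, or
 * letter pairs that disagree on the shift, meaning this is not a single ROTx). */
int known_plaintext_key(const char *pt, const char *ct)
{
    size_t i, n = strlen(pt);
    int key = -1;
    if (n != strlen(ct))
        return -1;
    for (i = 0; i < n; i++) {
        int k;
        if (!(pt[i] >= 'a' && pt[i] <= 'z') || !(ct[i] >= 'a' && ct[i] <= 'z'))
            continue;                                 /* only lowercase letters carry the key */
        k = ((ct[i] - pt[i]) + ALPHABET) % ALPHABET;
        if (key == -1)
            key = k;
        else if (k != key)
            return -1;
    }
    return key;
}

/* Brute force attack: try every key and return the first whose decryption
 * contains the crib, or -1 if none does. 26 keys is why ROTx is not secure. */
int brute_force_rot(const char *ct, const char *crib)
{
    char buf[256];
    int k;
    if (strlen(ct) >= sizeof buf)
        return -1;
    for (k = 0; k < ALPHABET; k++) {
        rotx(ct, buf, -k);
        if (strstr(buf, crib) != NULL)
            return k;
    }
    return -1;
}

/* 1 if "computer" encrypts to "pbzchgre" under ROT13 and decrypts back. */
int demo_roundtrip(void)
{
    char ct[16], pt[16];
    rotx("computer", ct, 13);
    rotx(ct, pt, -13);
    return strcmp(ct, "pbzchgre") == 0 && strcmp(pt, "computer") == 0;
}

int main(void)
{
    printf("ROT13 round trip ok: %d\n", demo_roundtrip());
    printf("known plaintext key for computer/pbzchgre: %d\n",
           known_plaintext_key("computer", "pbzchgre"));
    printf("brute force key for \"uryyb jbeyq\" with crib \"world\": %d\n",
           brute_force_rot("uryyb jbeyq", "world"));
    return 0;
}
```

The same two attacks apply to real ciphers, only the cost changes: a known plaintext pair still pins down the key uniquely, but the key space is 2^128 or more rather than 26, so exhaustive search is infeasible and the attacker turns to the implementation or the user instead, as the section above notes.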