1. Hacking Lifecycle
2. Footprinting & Reconnaissance
3. Scanning
4. Enumeration
Hacking Lifecycle
The Hacking Lifecycle
[Diagram: the lifecycle shown as a cycle: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Clearing Tracks]
Hacking Lifecycle
Reconnaissance
• Target ranges may include the target organisation's clients, employees, operations, networks, systems or third parties.
Hacking Lifecycle
Scanning
• Pre-Attack Phase:
Refers to the phase in which the attacker scans the network for specific information, based on the information gathered during reconnaissance.
• Port Scanner:
Scanning can include the use of dialers, port scanners, network mappers, ping tools or vulnerability scanners.
• Extract Information:
Attackers extract information such as live machines, ports, port status, OS details, device type, system uptime and vulnerabilities.
Hacking Lifecycle
Gaining Access
• The stage where the attacker obtains access to the OS or applications on the computer network.
• The attacker is able to escalate privileges to acquire complete control of the system.
Hacking Lifecycle
Maintaining Access
• Refers to when the attacker tries to retain their newly acquired ownership of the system.
• The attacker may prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits or Trojans.
• Attackers can upload, download or manipulate data, applications and configurations on the owned system.
Hacking Lifecycle
Clearing Tracks
• Hide:
Covering tracks is carried out by the attacker to hide malicious acts.
• Intention:
Continual access to the victim systems.
Remain unnoticed.
Delete evidence that might lead to prosecution.
• Overwrite:
Overwrite the server, system and application logs to avoid suspicion.
Hacking Lifecycle
What we’ve covered so far
• Recon
• Scanning
• Gaining access
• Maintaining access
• Clearing tracks
Hacking Lifecycle
Pop Quiz
2. What is exploiting a vulnerability to install a Remote Access Trojan (RAT) an example of?
Footprinting & Reconnaissance
Recon Types
• Passive:
Involves acquiring information without directly interacting with the potential target.
Example: Public records or press releases
• Active:
Involves interacting with the potential target directly by any means.
Example: telephone calls, technical departments.
Footprinting & Reconnaissance
Reconnaissance Activities
• Google Dork
Footprinting & Reconnaissance
Reasons they’re effective
• Physical Security
• Training
• Audits
LinkedIn Learning
Footprinting and Reconnaissance
35 Minutes
Section 1 + Quizzes
https://www.linkedin.com/learning/ethical-hacking-footprinting-and-reconnaissance/footprinting-and-reconnaissance-2?u=78163626
Lab Exercise
Footprinting & Reconnaissance
Question:
Hackers use this information to plan and achieve their initial objectives to break into systems.
Lab Exercise
Footprinting & Reconnaissance
There are a lot of multi-role tools out there – but don’t forget about defense-in-depth and the need for having different vendors’ tools.
Lab Exercise
Footprinting & Reconnaissance
Shodan
Google for hackers
2. What is using Google to find very specific information often referred to as?
Scanning
Scanning Types
• As with reconnaissance, scanning can also be put into two main categories:
• Active
• Passive
Scanning
Scan types
• Ping Sweeps
• Vulnerability Scanners
• Banner Grabs
• Network Scanning
• Idle Scans
• Port scans
• Fragmented
Scanning
Reasons they’re effective
• Discover OS’s
• Firewall evasion
• Very easy
• Can be anonymous
Scanning
Preventing their abuse
• Firewalls
• Monitoring systems
• Audits
Scanning
Three-way Handshake
[Diagram: client and server exchange]
Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Connection Established
Scanning
Idle Scan
[Diagram: idle scan in four steps]
1. IPID probe: RST packet, IPID = 31335
2. Spoofed SYN packet
3. SYN/ACK packet, answered by a RST packet, IPID = 31336
4. IPID probe: RST packet, IPID = 31337
Scanning
Let’s not get into any trouble…
Section 1, 3 - 6 + Quizzes
https://www.linkedin.com/learning/security-testing-nmap-security-scanning/mapping-networks-with-nmap?u=78163626
Scanning
NMAP scanning results
• Unfiltered:
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed.
• Open|Filtered:
Nmap places ports in this state when it is unable to determine whether the port is open or filtered.
• Closed|Filtered:
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
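The three-way handshake, the idle-scan IPID trick and the Nmap port states above all follow from one question: what reply (if any) did a given probe produce? The following Python is an added example, not code from the slides or from Nmap, that encodes those rules; the reply labels and the 16-bit IPID wrap handling are the example's own assumptions.

```python
# Added example (not from the slides): how Nmap's port states follow from the
# probe sent and the reply seen. Models SYN, ACK, UDP and idle (-sI) scans.
# The idle-scan rule uses the slide's IPID values: 31335 before, 31337 after.

def syn_scan_state(reply):
    """SYN scan: we send the first step of the handshake and read the answer."""
    if reply == "SYN/ACK":
        return "open"          # the target would have completed the handshake
    if reply == "RST":
        return "closed"        # port reachable, nothing listening
    return "filtered"          # no reply or ICMP unreachable: a firewall is in the way

def ack_scan_state(reply):
    """ACK scan: only reveals whether a stateful firewall filters the port."""
    return "unfiltered" if reply == "RST" else "filtered"

def udp_scan_state(reply, icmp_code=None):
    """UDP scan: silence is ambiguous, so Nmap reports open|filtered."""
    if reply == "UDP":
        return "open"
    if reply == "ICMP":
        return "closed" if icmp_code == 3 else "filtered"   # code 3 = port unreachable
    return "open|filtered"

def idle_scan_state(ipid_before, ipid_after):
    """Idle scan: the zombie's IPID counter shows whether the target answered the
    spoofed SYN.  open -> target sent SYN/ACK to the zombie, zombie replied RST (+2);
    closed -> target sent RST, which the zombie ignores (+1); filtered -> nothing (+1).
    Closed and filtered look identical here, hence Nmap's closed|filtered.
    Mitigation note: hosts with randomised or per-destination IPIDs cannot serve as
    zombies, which is why modern OS defaults defeat this scan."""
    delta = (ipid_after - ipid_before) % 65536   # IPID is a 16-bit counter; may wrap
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"        # other traffic touched the zombie during the probe
```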
Lab Exercise
Scanning
NMAP
A powerful yet simple-to-use scanning tool
Question:
2. Why?
• Idle scanning
• Fragmented scans
Scanning
Pop Quiz
2. When is a SYN packet sent from a machine, and for which protocol?
Enumeration
Recon-ng
• Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework.
Lab Exercise
Enumeration
Recon-ng
All-in-one dashboard
Question:
Enumeration
DNS Enumeration
• DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names and server functionality.
Enumeration
DNS Enumeration
• A DNS server will usually divulge DNS and mail server information for the domain it has authority over.
• This is a necessity, as public requests for mail and DNS server addresses make up the basic Internet experience.
• For example, let’s examine the fdmgroup.com domain. We’ll use the host command, together with the -t (type) parameter, to discover both the DNS and mail servers for the fdmgroup.com domain.
Enumeration
DNS Zone Transfers
• This process includes the copying of the zone file from a primary DNS server to a secondary server.
• The zone file contains a list of all the DNS names configured for that zone. Zone transfers should usually be limited to authorized slave DNS servers.
• Unfortunately, many administrators misconfigure their DNS servers, and as a result, anyone asking for a copy of the DNS server zone will receive one.
• This is equivalent to handing a hacker the corporate network layout on a silver platter.
Enumeration
DNS Sinkholing
• A sinkhole server, Internet sinkhole or blackhole DNS is a DNS server that gives out false information to prevent the use of a domain name.
• Network-level disabling:
A sinkhole is a standard DNS server that has been configured to hand out non-routable addresses for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real website.
The higher up the DNS resolution chain the sinkhole is, the more requests it will block, as it will supply answers to a greater number of lower NS servers that in turn serve a greater number of clients. Some of the larger botnets have been made unusable by TLD sinkholes that span the entire Internet.
• Host-level disabling:
By default, the local hosts file on a Microsoft Windows, Unix or Linux computer is checked before DNS servers, and can also be used to block sites in the same way.
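The network-level and host-level sinkholing described above boil down to one decision per query. The Python below is an added example, not code from the slides or any real sinkhole product: it models a sinkhole resolver's decision logic and the equivalent hosts-file entries, with a constructed domain list and a constructed stand-in for the upstream resolver (addresses from the TEST-NET range).

```python
# Added example (not from the slides): decision logic of a DNS sinkhole.
# Names in the sinkhole (and their subdomains) get a non-routable answer;
# everything else goes to the normal upstream resolver.

SINKHOLE_ANSWER = "0.0.0.0"          # non-routable: the connection fails immediately

# Constructed sample: domains an operator has decided to neutralise.
SINKHOLED = {"c2-example.test", "bad-tracker.invalid"}

# Constructed stand-in for the upstream resolver (real code would forward the query).
UPSTREAM = {"www.example.com": "192.0.2.80", "mail.example.com": "192.0.2.25"}

# A sinkhole hit is a detection signal: the querying host is probably infected.
HITS = []

def is_sinkholed(name):
    """True if name itself or any parent domain is in the sinkhole."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SINKHOLED for i in range(len(labels)))

def resolve(name, client="192.0.2.10"):
    """Return (answer, source) the way the sinkhole server would respond."""
    if is_sinkholed(name):
        HITS.append((client, name.lower()))      # log who asked, for incident response
        return SINKHOLE_ANSWER, "sinkhole"
    if name.lower() in UPSTREAM:
        return UPSTREAM[name.lower()], "upstream"
    return None, "nxdomain"

def hosts_file_lines():
    """Host-level equivalent: lines for the local hosts file, which is consulted
    before DNS.  Caveat: hosts entries match exact names only, so unlike the
    sinkhole zone above they do not cover subdomains."""
    return [f"{SINKHOLE_ANSWER} {domain}" for domain in sorted(SINKHOLED)]
```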
Lab Exercise
Enumeration
Question:
Enumeration
Server Message Block
• The Server Message Block (SMB) protocol’s security track record has been poor for over a decade, due to its complex implementation and open nature.
• From unauthenticated SMB null sessions in Windows 2000 and XP, to a plethora of SMB bugs and vulnerabilities over the years, SMB has seen its fair share of action.
• That said, the SMB protocol has also been updated and improved in parallel with Windows Operating System releases.
Enumeration
SMB Versions
• Here is a quick list to clarify SMB version numbers, and their related Windows Operating system
versions:
Enumeration
SNMP
• Simple Network Management Protocol (SNMP) is a protocol poorly understood by many network administrators.
• This often results in SNMP misconfigurations, which can lead to dramatic information leakage.
• SNMP is based on UDP and is therefore susceptible to IP spoofing and replay attacks. In addition, the commonly used SNMP versions 1, 2 and 2c offer no traffic encryption, meaning SNMP information and credentials can be easily intercepted over a local network.
• Traditional SNMP versions also have weak authentication schemes, and are commonly left configured with the default public and private community strings.
• MIB values
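To make the cleartext-credential point concrete: in SNMP v1 and v2c the community string is the second field of every packet, so anyone on the path can read it. The Python below is an added example, not code from the slides or from any SNMP library: it builds a constructed v2c GetRequest with a minimal BER encoder, parses it back the way a network monitor would, and flags the default community strings named above.

```python
# Added example (not from the slides): SNMP v1/v2c carry the community string in
# the clear at the front of every packet.  A constructed v2c GetRequest is built,
# parsed back as a passive monitor would, and checked against default communities.

DEFAULT_COMMUNITIES = {"public", "private"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def tlv(tag, body):
    """BER type-length-value for short (<128 byte) bodies; enough for this demo."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_get_request(community, oid_bytes=b"\x2b\x06\x01\x02\x01", version=1):
    """Constructed SNMP GetRequest for one OID (default: 1.3.6.1.2.1, pre-encoded)."""
    varbind = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))          # OID + NULL value
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")             # request-id, error-status
                    + tlv(0x02, b"\x00") + tlv(0x30, varbind))         # error-index, varbind list
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos (short-form lengths only)."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2 : pos + 2 + length], pos + 2 + length

def parse_community(packet):
    """Extract (version, community) from an SNMP packet; community is None for v3,
    which has no cleartext community field."""
    tag, msg, _ = read_tlv(packet, 0)
    assert tag == 0x30, "not an SNMP message"
    _, vbody, pos = read_tlv(msg, 0)
    version = VERSIONS.get(vbody[0], "unknown")
    if version == "v3":
        return version, None
    ctag, cbody, _ = read_tlv(msg, pos)
    assert ctag == 0x04, "expected OCTET STRING community"
    return version, cbody.decode()

def audit(packet):
    """Monitor-side check: flag default community strings seen on the wire."""
    version, community = parse_community(packet)
    if community is None:
        return "ok: SNMPv3 message, no cleartext community"
    if community in DEFAULT_COMMUNITIES:
        return f"ALERT: default community '{community}' sent in cleartext ({version})"
    return f"warn: community '{community}' observable in cleartext ({version})"
```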
Enumeration
What we’ve covered so far
• Recon-ng
• DNS enumeration
• DNS Sinkholing
• SMB
• SNMP
Enumeration
Pop Quiz