1~Introduction to Ethical Hacking
What is Information Security?
Information Security is a set of practices intended to keep data secure from unauthorized access or alterations, both when it's being stored and when it's being transmitted from one machine or physical location to another.
-------------------------------------------------------------------------------------------------------------
Elements of Information Security?
Confidentiality: Keeping systems and data from being accessed, seen, or read by anyone who is not authorized to do so. Information is accessible only to authorized personnel.
Integrity: TRUSTWORTHINESS OF DATA OR RESOURCES: Protect the data from modification or deletion by unauthorized parties, and ensure that when authorized people make changes that shouldn't have been made the damage can be undone.
Availability: ACCESSIBLE WHEN REQUIRED BY AUTHORIZED USERS: Systems, access channels, and authentication mechanisms must all be working properly for the information they provide and protect to be available when needed.
Authenticity: The property that a communication, document, or any other data is genuine, i.e. that it really originates from the claimed source and has not been forged (typically established with digital signatures or strong authentication).
Non-repudiation: It is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data.
--------------------------------------------------------------------------------------------------------------
Classification of Attacks?
Active attack: Detectable; the attacker communicates directly with the target and injects or alters traffic (SQL injection, XSS, DoS, brute force, DNS poisoning, directory traversal).
Passive attack: Hard to detect because nothing is sent to the target; the attacker only observes, e.g. sniffing packets or monitoring traffic.
Close-in attack: Requires physical proximity to the target or its people; usually a form of social engineering (shoulder surfing, eavesdropping).
Insider attack: Performed by trusted persons (employees, contractors) who already have physical or logical access to the critical assets of the target.
Distribution attack (supply-chain attack): Tampering with hardware or software before it reaches the victim, e.g. injecting malware while the software is being developed or packaged:
Modification of software or hardware during production
Modification of software or hardware during distribution
-------------------------------------------------------------------------------------------------------------
What is Cyber Kill Chain? (Military concept)
The cyber kill chain (Lockheed Martin's adaptation of the military kill-chain concept) describes the sequence of steps an attacker follows to infiltrate a system and exfiltrate data; defenders use it because breaking any single step disrupts the whole intrusion.
Recon: A malicious actor identifies a target and explores vulnerabilities and weaknesses that can be exploited within the network. As part of this process, the attacker may harvest login credentials or gather other information, such as email addresses, user IDs, physical locations, software applications, and operating system details, all of which may be useful in phishing or spoofing attacks.
Weaponization: Creating a deliverable malicious payload using an exploit and a backdoor.
Delivery: Send weaponized bundle to the victim using e-mail, USB, etc.
Exploitation: Exploit a vulnerability by executing code on the victim's system.
Installation: Install malware on the target system.
Command and Control (C2): Establish a channel from the compromised host back to attacker infrastructure to issue commands and pass data back and forth.
Actions on Objectives: Perform the actions that achieve the intended goal (data exfiltration, destruction, lateral movement to further targets).
--------------------------------------------------------------------------------
What are TTPs?
Tactics: The attacker's high-level goals at each stage of an attack (e.g. initial access, persistence, privilege escalation, exfiltration); the "why" behind an action.
Techniques: The methods an attacker uses to achieve a tactic (e.g. spear phishing for initial access, credential dumping for privilege escalation); the "how".
Procedures: The specific sequence of actions a given threat actor performs to implement a technique across the steps of the attack life cycle; procedures are detailed enough to fingerprint a particular group.
-------------------------------------------------------------------------------------------------------------
What is Hacking?
Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system’s resources.
It involves modifying system or application features to achieve a goal outside of the creator’s original purpose.
Hacking can be used to steal and redistribute intellectual property, leading to business loss.
-------------------------------------------------------------------------------------------------------------
Types of Hackers:
Black Hat - Hackers that seek to perform malicious activities.
Gray Hat - Hackers that perform good or bad activities but do not have the permission of the organization they are hacking against.
White Hat - Ethical hackers; use their skills to improve security by exposing vulnerabilities before malicious hackers.
Script Kiddie / Skiddies - Unskilled individual who uses malicious scripts or programs, such as a web shell, developed by others to attack computer systems and networks and deface websites.
State-Sponsored Hacker - A hacker employed or hired by a government (or a government-affiliated entity) to penetrate and gather information from other governments or organizations.
Hacktivist - Someone who hacks for a cause or political agenda.
Suicide Hackers - These are hackers that are not afraid of going to jail or facing any sort of punishment; hack to get the job done.
Cyberterrorist - Motivated by religious or political beliefs to create fear or disruption.
-------------------------------------------------------------------------------------------------------------
Phases of Ethical Hacking?
Information Gathering
Scanning
Gaining Access
Maintaining Access
Clearing Tracks
2~FootPrinting and Reconnaissance
What is Footprinting?
It is a process of collecting information about a target network and its environment. It is the first step of any attack.
Passive Footprinting: Gathering information about the target without direct interaction. (Publicly available information)
Active Footprinting: Gathering information about the target with direct interaction.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Information obtained by Footprinting
Organization Information
Org Structure
Websites
Phone Numbers
Directory Information
Office Locations
Company History
Business Associations
Network Information
DNS
IP networks
Accessible Systems
Websites
Access Control
VPN Endpoints
Firewall vendors
IDS Systems
Routing/Routed Protocols
Phone System (Analog/VoIP)
System Information
Listening Services
Operating System Versions
Internet Reachability
Enumerated Information
SNMP Info
Users/Groups
Mobile Devices
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Objectives
Know the security posture
Reduce focus area
Identify Vulnerabilities
Draw network map
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Methodology
Search Engine:
Attackers use search engines to extract information about a target such as technology platforms, employee details, login pages, intranet portals, etc. which helps in performing social engineering and other types of advanced system attacks.
Search engine caches and internet archives may also provide sensitive information that has been removed from the World Wide Web (WWW).
e.g. Google, Yahoo, Bing, DuckDuckGo
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Advanced Google Dorks:
Google hacking refers to collecting information using Google dorks: search queries built from advanced operators so that the results expose sensitive material. Details found this way include exposed passwords and configuration files, default credentials, login portals, competitor information, documents on a particular topic, etc. (the Google Hacking Database on Exploit-DB collects such queries).
Google supports several advanced operators that narrow the search:
[cache:] Displayed the copy of a page stored in Google's cache (retired by Google in 2024; use the Wayback Machine instead)
[link:] Listed web pages that link to the specified web page (no longer supported by Google)
[related:] Lists web pages that are similar to a specified web page
[info:] Presents the information Google has about a particular web page
[site:] Restricts the results to the given domain, e.g. site:example.com
[allintitle:] Restricts the results to pages with all of the search keywords in the title
[intitle:] Restricts the results to pages containing the search keyword in the title
[allinurl:] Restricts the results to pages with all of the search keywords in the URL
[inurl:] Restricts the results to pages containing the search keyword in the URL
[filetype:] Restricts the results to a file type, e.g. filetype:xls "password"; quoting a phrase forces an exact match
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Web Service:
Netcraft
Sublist3r
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Social Networking Sites:
Attackers use social engineering tricks to gather sensitive information from social networking websites such as Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, etc.
Attackers create fake profiles on social networking sites and then use the false identity to lure employees into giving up sensitive information.
Contact info, photos, date of birth, e-mail addresses, home address and location, family, friends circle, job title and colleagues.
userrecon (searches a username across many sites)
Sherlock (searches a username across many sites)
theHarvester: theHarvester -d microsoft.com -l 200 -b linkedin
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Website:
Website Footprinting refers to monitoring and analyzing the target organization's website for information.
Domains, sub-domains, hosting provider/server, IP addresses, technologies and frameworks in use.
Wayback Machine (archive.org): historical copies of pages, including content since removed
Website.informer.com
Whois
HTTrack (website mirroring): clones the whole site for offline analysis
CeWL: builds a custom wordlist from the words found on the site, useful for later password attacks
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Network Footprinting:
Network range information assists attackers to create a map of the target network.
Find the range of IP addresses using the ARIN whois database search tool (or the RIR responsible for the target's region: RIPE NCC, APNIC, LACNIC, AFRINIC).
The Regional Internet Registry (RIR) records give the IP address ranges, subnet masks and AS numbers allocated to the target organization.
Locate network range
Traceroute analysis
Traceroute tools
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS:
DNS is a naming system for computers that converts human-readable domain names into computer-readable IP addresses and vice versa.
Info about DNS Server, DNS record & types of servers used by the target organization.
Dig
nslookup
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
WHOIS:
Whois is a query/response protocol (RFC 3912, TCP port 43) for looking up registration records. IP address and AS allocations are held by the Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC); domain name records are held by the domain registries and registrars. Records traditionally contained the registrant's name, address, phone number and e-mail address, plus nameservers and registration/expiry dates, though since GDPR and the spread of privacy-proxy services most personal fields in domain records are redacted. The whois utility queries these servers and returns the ownership, contact, location and nameserver details for a specified domain name or IP block.
*whois lookup
*ip neighbors checking (other domains hosted on the same IP address, via reverse IP lookup)
*wayback machine
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Email:
An e-mail's Received: headers record every mail server that handled the message, the originating host's IP address (often an internal RFC 1918 address leaked by the first hop) and hostname, time stamps, and the mail software in use; together they reveal the target's mail servers, internal addressing scheme and possible network architecture.
Email lookup / header analysis.
eMailTrackerPro and similar tools extract from the headers: the sender's IP address and its geolocation, proxy detection, OS and mail-client (X-Mailer) details, names and addresses (IP and e-mail), mail servers, time stamps, authentication results (SPF, DKIM, DMARC), and so on.
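As an added example (not part of the original notes), the Python below does by hand what the header-analysis tools above do: it walks the Received: chain of a raw message and pulls out the hop sequence, the originating host and its HELO name, internal RFC 1918 addresses that leaked, the mail servers involved, transit time and the X-Mailer. The message, hostnames and addresses are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Received: headers are
# prepended by each MTA, so the topmost one is the last hop and the bottom
# one is the first server that accepted the message from the sender's client.
SAMPLE_RAW = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby inbound.example.org with ESMTPS id abc123;
\tMon, 3 Jun 2024 10:15:30 +0000
Received: from mail.corp.example (mail.corp.example [192.168.10.25])
\tby mx1.example.net with ESMTP id def456;
\tMon, 3 Jun 2024 10:15:28 +0000
Received: from DESKTOP-7Q2K (unknown [10.20.30.40])
\tby mail.corp.example (Postfix) with ESMTPA id ghi789;
\tMon, 3 Jun 2024 10:15:27 +0000
Authentication-Results: example.org; spf=pass smtp.mailfrom=example.net
X-Mailer: Microsoft Outlook 16.0
From: alice@example.net
To: bob@example.org
Subject: quarterly numbers

(body)
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>"; the parenthesised part is optional
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(ip):
    """True for RFC 1918 / ULA addresses, i.e. a leak of the internal addressing scheme."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS if net.version == addr.version)


def parse_received(raw_message):
    """Return the Received: hops in delivery order (origin first, final MTA last)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue                                  # non-standard header, skip it
        ip = (m.group("ip") or "").removeprefix("IPv6:") or None
        date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "helo": m.group("helo"),                  # name the sender claimed
            "rdns": m.group("rdns"),                  # what the receiving MTA resolved
            "ip": ip,
            "by": m.group("by"),                      # server that wrote this line
            "time": parsedate_to_datetime(date_part) if date_part else None,
        })
    hops.reverse()
    return hops


def summarize(raw_message):
    """The recon-relevant facts an analyst would pull from the headers."""
    msg = message_from_string(raw_message)
    hops = parse_received(raw_message)
    first, last = (hops[0], hops[-1]) if hops else (None, None)
    return {
        "origin_ip": first["ip"] if first else None,
        "origin_helo": first["helo"] if first else None,
        "internal_ips": [h["ip"] for h in hops if h["ip"] and is_internal(h["ip"])],
        "mail_servers": [h["by"] for h in hops],
        "mailer": msg.get("X-Mailer"),
        "auth": msg.get("Authentication-Results"),
        "transit_seconds": (last["time"] - first["time"]).total_seconds()
                           if len(hops) > 1 and first["time"] and last["time"] else None,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_RAW).items():
        print(f"{key:16} {val}")
```

The bottom-most Received: line is the one to trust least: everything above it was written by servers you can verify, while the HELO name and the "unknown [10.20.30.40]" part come from the sender's side, which is exactly why they leak the workstation name and an internal address.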
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Social Engineering:
Social engineering is the art of exploiting human behavior to extract confidential information.
Eavesdropping:
Eavesdropping is the unauthorized listening of conversations or reading of messages.
It is the interception of any form of communication such as audio, video, or written.
Shoulder Surfing:
Shoulder surfing is a technique, where attackers secretly observe the target to gain critical information
Attackers gather information such as passwords, personal identification numbers, account numbers, credit card information, etc.
Dumpster Diving:
Dumpster diving is looking for treasure in someone else's trash.
It involves the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company's trash bins, printer trash bins, user desks for sticky notes, etc.
Impersonation:
Pretending to be a legitimate or authorized person.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Footprinting Tools
Recon-ng
Maltego
FOCA (metadata extraction from published documents)
OSINT Framework
theHarvester
Recon-Dog
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Footprinting countermeasures:
Create awareness among employees and users about the dangers of social engineering and of what they post publicly.
Limit the sensitive information published on websites, job postings and social media (software versions, internal hostnames, e-mail address formats).
Encrypt sensitive information in transit and at rest.
Use privacy/proxy registration so the WHOIS database does not expose personal contact details.
Disable directory listings on web servers and strip metadata from published documents.
Enforce security policies covering what information may be disclosed.
3~Scanning Network
What is Scanning?
Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network.
Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization.
-------------------------------------------------------------------------------------------------------------
Objectives of Network Scanning:
To discover live hosts, IP addresses, and open ports of live hosts
To discover operating systems and system architecture
To discover services running on hosts
To discover vulnerabilities in live hosts
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
TCP Communication Flags:
URG (Urgent): Data contained in the packet should be processed immediately
FIN (Finish): There will be no more transmissions
RST (Reset): Resets a connection
PSH (Push): Send all buffered data immediately
ACK (Acknowledgement): Acknowledges the receipt of a packet
SYN (Synchronize): Initiates a connection between hosts
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Network Scanning:
The purpose of each scanning process is given below:
Port Scanning – detecting open ports and services running on the target.
Network Scanning – IP addresses, Operating system details, Topology details, trusted routers information, etc
Vulnerability scanning – scanning for known vulnerabilities or weaknesses in a system
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scanning Methodologies:
Check for Live Systems: A ping scan checks for live systems by sending ICMP echo request packets. A live system responds with an ICMP echo reply; the TTL in the reply's IP header hints at the OS (initial TTL 64 for Linux, 128 for Windows) and at how many hops away it is.
Check for Open Ports: Port scanning helps us to find out open ports, services running on them, their versions, etc. Nmap is a powerful tool used mainly for this purpose.
Checking for Live Systems - ICMP Scanning
Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
This scan is useful for locating active devices
Ping Sweep Tools
Angry IP Scanner pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.
SolarWinds Engineer Toolset's Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.
TCP Scanning:
Open TCP Scanning Method:
TCP connect / Full open Scan:
TCP Connect scan detects an open port by completing the three-way handshake through the OS connect() call.
Because a full connection is established, the listening application sees it and normally logs it; the scanner then closes the connection.
It does not require superuser privileges, so it is nmap's default when run as an unprivileged user.
Nmap command: nmap -sT -v -p- <TargetIP>
Stealth TCP Scanning Method:
Half-open (SYN) scan:
The scanner sends a SYN, reads the reply, and then tears the connection down with an RST instead of completing the three-way handshake, so the connection stays half open and the listening application never receives it (and usually never logs it).
Attackers use it to keep scans out of application logs; it does not hide from a stateful firewall or an IDS, which see the SYN like any other packet. Crafting raw packets requires root/Administrator privileges, which is why it is nmap's default scan when run as root.
Nmap command: nmap -sS -v <TargetIp>
Stealth Scan Process:
The client sends a single SYN packet to the server on the appropriate port.
If the port is open, the server responds with a SYN/ACK packet.
If the server responds with an RST packet, the remote port is in the "closed" state.
If nothing comes back even after retransmission, or an ICMP unreachable error arrives, the port is reported as "filtered".
For an open port the client sends an RST to abort the initiation before a connection is ever established.
Inverse TCP Flag Scan:
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. RFC 793 requires a closed port to answer such a segment with RST and an open port to ignore it, so RST means closed and no response means open|filtered (a firewall may also have dropped the probe); an ICMP unreachable error means filtered.
Note: Inverse TCP flag scanning is known as FIN, URG, or PSH scanning based on the flag set in the probe packet. It is known as null scanning if no flag is set.
nmap -sN <target IP> (Null scan)
nmap -sF <target IP> (FIN scan)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Xmas Scan:
In a Xmas scan, attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set.
FIN scan works only with OSes with RFC 793-based TCP/IP implementation.
It will not work against any current version of Microsoft Windows.
nmap -sX <target IP> (Xmas scan)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
ACK Flag Probe Scanning (-sA)
Attackers send TCP probe packets with the ACK flag set to a remote device. Every RFC 793 stack answers an unsolicited ACK with an RST whether the port is open or closed, so this scan does not distinguish open from closed; it maps firewall rules instead:
RST response: the port is unfiltered (the probe reached the host).
No response, or ICMP unreachable (type 3, code 1, 2, 3, 9, 10 or 13): the port is filtered, i.e. a stateful firewall is dropping unsolicited ACKs.
Two older variants try to read open/closed from the RST itself; they work only against a minority of TCP/IP stacks:
TTL-based ACK flag probe scanning: if the TTL of the RST for a particular port is lower than the TTL of the RSTs from the other ports (below the boundary value of 64), that port is open.
WINDOW-based ACK flag probe scanning (nmap -sW): if the RST for a particular port has a non-zero WINDOW value, that port is open.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Third-Party and Spoofed TCP Scanning Methods
IDLE/IPID Header Scan (-sI)
Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on it.
One way to determine whether a port is open is to send a SYN (session establishment) packet to the port.
The target machine will send back a SYN/ACK (session request acknowledgment) packet if the port is open, and an RST (reset) packet if the port is closed.
A machine that receives an unsolicited SYN/ACK packet will respond with an RST. An unsolicited RST is ignored.
Every IP packet on the Internet has an identification number (IPID) used for fragment reassembly.
Many (mostly older) OSes increment a single global IPID counter for every packet sent, so probing a host's IPID tells an attacker how many packets it has sent since the last probe. Such a host can serve as a "zombie" if it is otherwise idle:
Probe the zombie's IPID: send it a SYN/ACK; it answers with an RST that carries its current IPID.
Send a SYN to the target port with the zombie's IP address spoofed as the source.
Open port: the target sends SYN/ACK to the zombie, which answers RST (zombie IPID +1). Closed or filtered port: the zombie receives an RST or nothing and sends nothing.
Probe the zombie's IPID again: an increase of 2 means open, an increase of 1 means closed|filtered.
The scan is blind (the target only ever sees the zombie's address) and it can also be used to probe IP-based trust relationships from the zombie's point of view. Modern Linux and Windows stacks use per-destination or randomized IPIDs and are unusable as zombies; nmap's ipidseq script identifies suitable ones.
nmap -sI <zombie host> <target IP>
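As an added example (not part of the original notes), the following Python simulates the idle-scan exchange end to end: three hosts (attacker, zombie, target) share a toy network, each host bumps a global IPID counter per packet sent, and the attacker classifies a target port purely from the change in the zombie's IPID between two probes. The addresses and port sets are made up; the model omits everything (sequence numbers, retransmission, timing) that is not needed to show the IPID arithmetic.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str        # "SYN", "SYN/ACK" or "RST"
    ipid: int         # IP identification field as sent by the source host


@dataclass
class Host:
    ip: str
    open_ports: set
    filtered_ports: set = field(default_factory=set)   # firewall silently drops these
    ipid: int = 1000                                    # one global counter, as on a usable zombie
    inbox: list = field(default_factory=list)

    def emit(self, net, dst, dport, flags, spoof_src=None):
        """Send one packet; every packet sent bumps the host's IPID by one."""
        self.ipid += 1
        net.send(Packet(spoof_src or self.ip, dst, dport, flags, self.ipid))

    def receive(self, net, pkt):
        self.inbox.append(pkt)
        if pkt.dport in self.filtered_ports:
            return                                          # dropped before the stack sees it
        if pkt.flags == "SYN":
            self.emit(net, pkt.src, pkt.dport, "SYN/ACK" if pkt.dport in self.open_ports else "RST")
        elif pkt.flags == "SYN/ACK":
            self.emit(net, pkt.src, pkt.dport, "RST")       # unsolicited SYN/ACK -> RST
        # an unsolicited RST is silently ignored


class Network:
    """Delivers each packet to the host owning the destination address and keeps a trace."""
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}
        self.wire = []

    def send(self, pkt):
        self.wire.append(pkt)
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].receive(self, pkt)


def probe_zombie(net, attacker, zombie):
    """Unsolicited SYN/ACK to the zombie; its RST reply reveals its current IPID."""
    attacker.emit(net, zombie.ip, 80, "SYN/ACK")
    reply = attacker.inbox[-1]
    assert reply.src == zombie.ip and reply.flags == "RST"
    return reply.ipid


def idle_scan_port(net, attacker, zombie, target, port, noise=None):
    before = probe_zombie(net, attacker, zombie)
    # The SYN carries the zombie's address as source, so the target answers the zombie,
    # never the attacker; the attacker's real address never reaches the target.
    attacker.emit(net, target.ip, port, "SYN", spoof_src=zombie.ip)
    if noise:
        noise()                         # other traffic the zombie happens to send meanwhile
    after = probe_zombie(net, attacker, zombie)
    delta = after - before
    if delta == 2:
        return "open"                   # zombie RST'd the target's SYN/ACK (+1) and our probe (+1)
    if delta == 1:
        return "closed|filtered"        # zombie only answered our probe
    return "zombie busy"                # the zombie is not idle: result unusable


def build_lab():
    attacker = Host("10.0.0.5", set())
    zombie = Host("10.0.0.9", set())                     # idle box with a sequential IPID
    target = Host("10.0.0.20", {22, 80}, filtered_ports={443})
    return Network(attacker, zombie, target), attacker, zombie, target


if __name__ == "__main__":
    net, attacker, zombie, target = build_lab()
    for port in (22, 25, 80, 443):
        print(port, idle_scan_port(net, attacker, zombie, target, port))
    for p in net.wire:
        print(f"  {p.src} -> {p.dst}:{p.dport} {p.flags} ipid={p.ipid}")
```

The trace printed at the end is the point of the exercise: every packet that reaches the target has the zombie as its source, and the only thing the attacker ever reads is the zombie's RST. The `noise` hook shows why the zombie must be idle: a single extra packet from it turns the IPID delta into 3 and the result is unusable (nmap handles this by retrying and by probing the zombie several times first).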
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
UDP Scanning (-sU)
There is no three-way handshake in UDP, so the scanner simply sends a datagram to each port and watches what comes back.
UDP Port Open:
An open port usually does not answer an empty probe at all, so nmap reports open|filtered; only a service that replies to the probe payload (nmap sends protocol-specific payloads for common ports, and -sV probes further) is reported as open.
UDP Port Closed:
If a UDP packet is sent to a closed port, the system responds with an ICMP port unreachable message (type 3, code 3). Other ICMP unreachable codes (1, 2, 9, 10, 13) mean the port is filtered.
Most hosts rate-limit ICMP errors (Linux sends at most one per second by default), which is why UDP scans of large port ranges are slow.
Spyware, Trojan horses, and other malicious applications use UDP ports.
Most popular services run over TCP, but many common services also use UDP: DNS (53), DHCP (67/68), NetBIOS Name Service (137), SNMP (161), NTP (123), etc. (SMTP is TCP 25, not UDP.)
nmap -sU <target>
You can also specify which UDP ports to scan (no spaces in the port list):
nmap -sU -p U:53,123 <target>
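As an added example (not part of the original notes), the Python below ties the SYN, NULL/FIN/Xmas, ACK and UDP sections above together: it packs a real 20-byte TCP probe header with the flag combinations each scan sends (with a correct pseudo-header checksum), and it contains the decision table that turns a response (TCP flags, ICMP type/code, UDP payload, or silence) into the port state nmap prints for that scan type. Two constructed responders stand in for real hosts: an RFC 793 stack, and a Windows-like stack that answers every NULL/FIN/Xmas probe with RST, which is why those scans report everything as closed on Windows.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bits as laid out in the header's flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each TCP scan type puts in its probe
PROBE_FLAGS = {"syn": SYN, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG, "ack": ACK}

# ICMP destination-unreachable (type 3) codes that nmap reports as "filtered"
TCP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}       # code 3 (port unreachable) means closed for UDP


def _checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024) -> bytes:
    """20-byte TCP header for a probe with the given flags and a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


@dataclass
class Response:
    """What came back for one probe: a TCP segment, an ICMP error, a UDP datagram, or nothing."""
    tcp_flags: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None     # (type, code)
    udp_payload: Optional[bytes] = None


def classify(scan: str, resp: Response) -> str:
    """Map a probe response to the port state nmap would print for that scan type."""
    codes = UDP_FILTERED_CODES if scan == "udp" else TCP_FILTERED_CODES
    icmp_filtered = resp.icmp is not None and resp.icmp[0] == 3 and resp.icmp[1] in codes
    if scan == "udp":
        if resp.udp_payload is not None:
            return "open"                        # a service actually answered
        if resp.icmp == (3, 3):
            return "closed"
        return "filtered" if icmp_filtered else "open|filtered"
    if icmp_filtered:
        return "filtered"
    if resp.tcp_flags is None:                   # silence, even after retransmission
        return "open|filtered" if scan in ("null", "fin", "xmas") else "filtered"
    if resp.tcp_flags & RST:
        return "unfiltered" if scan == "ack" else "closed"
    if scan == "syn" and resp.tcp_flags & (SYN | ACK) == (SYN | ACK):
        return "open"
    return "unexpected"


def rfc793_host(open_ports, filtered_ports=()):
    """Responder behaving like an RFC 793 stack (Linux/BSD): open ports ignore odd probes."""
    def respond(scan, port):
        if port in filtered_ports:
            return Response()                            # firewall drops the probe
        if scan == "udp":
            return Response() if port in open_ports else Response(icmp=(3, 3))
        if port in open_ports:
            if scan == "syn":
                return Response(tcp_flags=SYN | ACK)
            if scan == "ack":
                return Response(tcp_flags=RST)
            return Response()                            # NULL/FIN/Xmas: no reply
        return Response(tcp_flags=RST)                   # closed port resets anything
    return respond


def windows_host(open_ports, filtered_ports=()):
    """Responder mimicking Windows: RST to every NULL/FIN/Xmas probe, open or not."""
    base = rfc793_host(open_ports, filtered_ports)
    def respond(scan, port):
        if scan in ("null", "fin", "xmas") and port not in filtered_ports:
            return Response(tcp_flags=RST)
        return base(scan, port)
    return respond


def scan_host(scan, responder, ports):
    return {p: classify(scan, responder(scan, p)) for p in ports}


if __name__ == "__main__":
    linux, win = rfc793_host({22, 80}, {443}), windows_host({22, 80}, {443})
    for scan in ("syn", "xmas", "ack", "udp"):
        print(scan, "rfc793:", scan_host(scan, linux, [22, 80, 443, 8080]),
              "windows:", scan_host(scan, win, [22, 80, 443, 8080]))
```

Sending `build_tcp_probe` output on the wire would need a raw socket and an IP header in front of it (the privilege requirement mentioned for -sS); what the example adds is the response-to-state mapping, in particular that silence means different things for different scans (filtered for SYN/ACK probes, open|filtered for inverse-flag and UDP probes) and that a Windows target makes the inverse-flag scans useless.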
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SSDP Scanning:
The Simple Service Discovery Protocol (SSDP) is the discovery part of UPnP: devices announce themselves and answer M-SEARCH queries so that plug-and-play devices can be found on a network.
Vulnerabilities in UPnP implementations may allow attackers to launch buffer overflow or DoS attacks, and SSDP responders exposed to the Internet are widely abused as reflectors for DDoS.
An attacker may use the UPnP SSDP M-SEARCH information discovery tool (Metasploit's auxiliary/scanner/upnp/ssdp_msearch module) to check whether a machine is vulnerable to UPnP exploits.
SSDP uses UDP port 1900; M-SEARCH queries are sent to the multicast address 239.255.255.250:1900 (the same value appears in the request's Host: header) and devices reply by unicast to the sender.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scanning in IPv6 Networks:
IPv6 increases the address size from 32 bits to 128 bits to support more levels of addressing hierarchy.
Traditional brute-force sweeps become computationally infeasible because a single IPv6 subnet normally has a 64-bit host part (2^64 addresses).
Scanning an IPv6 network is therefore harder and more complex than IPv4, and some scanning tools do not support ping sweeps on IPv6 networks at all.
Attackers instead harvest IPv6 addresses from DNS (AAAA records, reverse zones), network traffic, recorded logs, and the Received: lines and other headers of archived e-mail or Usenet messages.
Once an attacker has compromised one host on an IPv6 subnet, discovery becomes easy again: a probe to the all-nodes link-local multicast address ff02::1 makes every on-link host answer, and the compromised host's Neighbor Discovery cache lists the peers it has talked to recently.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Countermeasures:
Configure the IDS and firewall to detect and block port-scan probes.
Keep firewall, router, and IDS firmware up to date.
Run port scanners against your own perimeter to verify what is actually exposed.
Add firewall rules restricting access to ports (default deny, allow only what is needed).
Filter ICMP echo requests and other unneeded ICMP types at the firewall (note that hosts can still be discovered with TCP or ARP probes).
4~Enumeration
What is Enumeration?
In the enumeration phase, the attacker creates active connections to systems and sends directed queries to gain more information about the target.
Attackers use the extracted information to identify system attack points and perform password attacks to gain unauthorized access to information system resources.
Enumeration techniques are usually conducted in an intranet environment, since the services involved (SMB, SNMP, LDAP, NFS) are rarely exposed to the Internet.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Information Enumerated by Intruders:
Network resources
Network shares
Routing tables
Audit and service settings
SNMP and DNS details
Machine names
Users and groups
Applications and banners
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Techniques for Enumeration
Extract user names using email IDs
Extract information using the default passwords
Extract user names using SNMP
Brute force Active Directory
Extract user groups from Windows
Extract information using DNS Zone Transfer
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Services and Ports to Enumerate
TCP 25: Simple Mail Transfer Protocol (SMTP)
TCP/UDP 53: DNS (queries over UDP; zone transfers (AXFR) over TCP)
UDP 123: Network Time Protocol (NTP)
TCP/UDP 135: Microsoft RPC Endpoint Mapper
UDP 137: NetBIOS Name Service (NBNS)
UDP 138: NetBIOS Datagram Service
TCP 139: NetBIOS Session Service (SMB over NetBIOS)
UDP 161: Simple Network Management Protocol (SNMP)
UDP 162: SNMP Trap
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP); LDAPS on TCP 636
TCP 445: SMB over TCP (Direct Host)
TCP/UDP 2049: Network File System (NFS)
TCP 3268: Global Catalog Service (TCP 3269 over TLS)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
NetBIOS Enumeration (Network Basic Input Output System)
A NetBIOS name is a 16-byte string that identifies a device or service over TCP/IP: 15 characters (padded with spaces) hold the name and the 16th byte, the suffix, identifies the service or name-record type (e.g. 00 workstation, 20 file server, 1C domain controllers, 1B domain master browser).
Attackers use the NetBIOS enumeration to obtain:
List of computers that belong to a domain
List of shares on the individual hosts in the network
Policies and passwords.
NetBIOS provides three distinct services:
Name service (NetBIOS-NS) for name registration and resolution via port 137.
Datagram distribution service (NetBIOS-DGM) for connectionless communication via port 138.
Session service (NetBIOS-SSN) for connection-oriented communication via port 139.
Commands and tools used:
nbtstat: Windows utility that shows NetBIOS protocol statistics, the NetBIOS name table of the local or a remote host, and the name cache.
SuperScan: GUI tool used to enumerate Windows machines.
net view: command-line tool to list the hosts and shared resources visible on a network.
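As an added example (not part of the original notes), this Python shows the NetBIOS name format described above from both directions: it encodes a name plus suffix into the 32-character first-level form that actually travels in NBNS packets (the wildcard `*` name used by node-status queries comes out as the familiar CKAAAA... string), decodes it back, and then interprets a constructed nbtstat-style name table to recover the host name, domain and roles the way an enumeration tool would. The table contents are made up.

```python
import re

# Common NetBIOS suffixes (16th byte) and what they mean, keyed by (suff, type)
SUFFIXES = {
    (0x00, "UNIQUE"): "Workstation Service",
    (0x00, "GROUP"):  "Domain/Workgroup Name",
    (0x03, "UNIQUE"): "Messenger Service",
    (0x1B, "UNIQUE"): "Domain Master Browser",
    (0x1C, "GROUP"):  "Domain Controllers",
    (0x1D, "UNIQUE"): "Master Browser",
    (0x1E, "GROUP"):  "Browser Service Elections",
    (0x20, "UNIQUE"): "File Server Service",
}


def encode_name(name, suffix, pad=" "):
    """First-level encoding (RFC 1001): 15 padded chars + suffix byte, each nibble -> 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad.encode("ascii")) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded):
    """Inverse of encode_name: returns (name, suffix)."""
    if len(encoded) != 32 or not all("A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


# Constructed nbtstat -A style name table for one host (not real output)
SAMPLE_TABLE = """
       Name               Type         Status
    ---------------------------------------------
    CORPDC01        <00>  UNIQUE      Registered
    CORP            <00>  GROUP       Registered
    CORP            <1C>  GROUP       Registered
    CORPDC01        <20>  UNIQUE      Registered
    CORP            <1B>  UNIQUE      Registered
    CORP            <1E>  GROUP       Registered
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)", re.M)


def parse_name_table(text):
    return [(name, int(sfx, 16), kind) for name, sfx, kind in ROW_RE.findall(text)]


def interpret(entries):
    """Derive host name, domain/workgroup and roles from the names a host registered."""
    host = domain = None
    roles = set()
    for name, sfx, kind in entries:
        if (sfx, kind) == (0x00, "UNIQUE"):
            host = name
        elif (sfx, kind) == (0x00, "GROUP"):
            domain = name
        elif (sfx, kind) in SUFFIXES:
            roles.add(SUFFIXES[(sfx, kind)])
    return {"host": host, "domain": domain, "roles": sorted(roles)}


if __name__ == "__main__":
    print(encode_name("*", 0x00, pad="\x00"))     # the node-status wildcard query name
    print(encode_name("FILESRV01", 0x20))
    print(interpret(parse_name_table(SAMPLE_TABLE)))
```

A host that registers <domain><1C> is a domain controller and one that registers <domain><1B> is the domain master browser (the PDC emulator); spotting those two suffixes in a name table is how NetBIOS enumeration finds the domain controllers without any credentials.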
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
SNMP (Simple Network Management Protocol) Enumeration
SNMP enumeration is the process of enumerating user accounts, devices and configuration on a target system using SNMP.
SNMP consists of a manager and agents; agents run on managed network devices (routers, switches, printers, servers) and the manager is installed on a separate computer.
SNMPv1 and v2c use two "community strings" as passwords to access and configure the SNMP agent from the management station:
Read community string: commonly "public" by default; allows viewing of device/system configuration (the MIB).
Read/write community string: commonly "private" by default; allows remote editing of configuration.
Community strings travel in cleartext and are easily guessed or sniffed; the attacker tries these defaults to extract information about a device. SNMPv3 adds authentication and encryption and should replace v1/v2c.
Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, shares, etc., and network information such as ARP tables, routing tables, interfaces, running processes, installed software, traffic counters, etc.
snmpcheck -t 192.168.186.139
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
NFS (Network File System) Enumeration
NFS, or Network File System, is a network service that allows files and directories to be shared with other systems over the network.
NFS enumeration lets attackers identify the exported directories, the clients allowed to mount them (and the IP-based restrictions on the export), and the shared data; exports open to everyone ("*") can usually be mounted directly.
nmap -sV --script "nfs*" 192.168.186.135
rpcinfo 192.168.186.135
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS (Domain Name System) Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. It yields hostnames (which often reveal a host's role, e.g. vpn, mail, dev), IP addresses, mail servers (MX), nameservers (NS) and sometimes usernames of potential target systems. The DNS implements a distributed, hierarchical, and redundant database; each resource record type stored in a zone file (A, AAAA, CNAME, MX, NS, SOA, TXT, SRV) answers a different question about a host or domain.
DNS Zone Transfer (AXFR) is used to replicate DNS data across a number of DNS servers or to back up zone files. A secondary server performs a zone transfer by sending an AXFR request to the primary name server over TCP port 53. If the name server allows zone transfers to anyone rather than only to its secondaries, all the names and IP addresses hosted in the zone are returned in human-readable text.
Tools: nslookup, dig, Maltego, dnsenum, dnsrecon
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
SMTP Enumeration
SMTP provides three commands that can leak account names:
VRFY: Asks the server to confirm that a mailbox exists
EXPN: Expands an alias or mailing list into its actual delivery addresses
RCPT TO: Names a recipient of the message (after MAIL FROM); many servers reject unknown local recipients at this point
SMTP servers respond differently to VRFY, EXPN, and RCPT TO for valid and invalid users (250 versus 550/551), from which we can determine valid users on the SMTP server. Hardened servers disable VRFY/EXPN or answer 252 for every address.
Attackers can interact with SMTP directly over telnet or netcat and collect a list of valid users on the SMTP server.
Tool: NetScanTools Pro
nmap --script "smtp-*" -p 25 192.168.186.135
nc -nvv 192.168.186.135 25
smtp-user-enum -M VRFY -U users.txt -t 192.168.186.135
msf6 auxiliary(scanner/smtp/smtp_version) > run
msf6 auxiliary(scanner/smtp/smtp_enum) > run
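As an added example (not part of the original notes or of any of the tools listed), the Python below runs the whole VRFY / EXPN / RCPT TO exchange against a throw-away SMTP responder started on a loopback port, so both sides of the dialogue are visible and it works offline. The fake server's user list and alias are constructed; the client logic is what smtp-user-enum automates.

```python
import socket
import socketserver
import threading

# Constructed directory for the fake server (not a real mail system)
VALID_USERS = {"root", "alice", "postmaster"}
ALIASES = {"admins": ["alice@corp.example", "root@corp.example"]}


class LeakySMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP responder that answers VRFY/EXPN/RCPT TO the way an unhardened MTA does."""
    def handle(self):
        self.wfile.write(b"220 mail.corp.example ESMTP\r\n")
        for line in self.rfile:
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb, arg = verb.upper(), arg.strip()
            # user part of "alice", "<alice@x>" or "TO:<alice@x>" alike
            user = arg.split(":", 1)[-1].strip("<>").split("@")[0].lower()
            if verb in ("HELO", "EHLO", "MAIL", "RSET"):
                reply = ["250 OK"]
            elif verb == "VRFY":
                reply = [f"250 2.1.5 <{user}@corp.example>"] if user in VALID_USERS \
                    else ["550 5.1.1 User unknown"]
            elif verb == "EXPN":
                members = ALIASES.get(user)
                reply = ([f"250-<{m}>" for m in members[:-1]] + [f"250 <{members[-1]}>"]) \
                    if members else ["550 5.1.1 Unknown list"]
            elif verb == "RCPT":
                reply = ["250 2.1.5 OK"] if user in VALID_USERS else ["550 5.1.1 Recipient rejected"]
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                reply = ["502 5.5.2 Command not implemented"]
            self.wfile.write("".join(r + "\r\n" for r in reply).encode())


class SmtpEnumerator:
    """Client side: ask the server about candidate names three different ways."""
    def __init__(self, host, port, domain):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.rf = self.sock.makefile("rb")
        self.domain = domain
        self._read()                                   # 220 banner
        self._cmd("HELO enumerator.example")

    def _read(self):
        """Read one reply, including multi-line ones ('250-...' continues)."""
        lines = []
        while True:
            line = self.rf.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return lines

    def _cmd(self, text):
        self.sock.sendall((text + "\r\n").encode())
        return self._read()

    def vrfy(self, user):
        return self._cmd(f"VRFY {user}")[0].startswith("250")

    def expn(self, alias):
        lines = self._cmd(f"EXPN {alias}")
        return [l[4:] for l in lines] if lines[0].startswith("250") else None

    def rcpt(self, user):
        self._cmd("MAIL FROM:<probe@enumerator.example>")
        ok = self._cmd(f"RCPT TO:<{user}@{self.domain}>")[0].startswith("250")
        self._cmd("RSET")                              # abort the transaction, keep the session
        return ok

    def close(self):
        self._cmd("QUIT")
        self.rf.close()
        self.sock.close()


def run_demo(candidates=("root", "alice", "bob", "postmaster"), alias="admins"):
    """Start the fake server on a loopback port, enumerate against it, return the findings."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), LeakySMTP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        enum = SmtpEnumerator("127.0.0.1", server.server_address[1], "corp.example")
        found = {u: {"vrfy": enum.vrfy(u), "rcpt": enum.rcpt(u)} for u in candidates}
        members = enum.expn(alias)
        enum.close()
    finally:
        server.shutdown()
        server.server_close()
    return found, members


if __name__ == "__main__":
    print(run_demo())
```

Against a real MTA the RCPT TO method is the one that keeps working after VRFY and EXPN have been disabled, which is why the fix on the server side is to accept (or defer) all recipients uniformly at the SMTP stage rather than to reveal mailbox existence with a 550.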
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
LDAP Enumeration
Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services.
Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory.
A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 (636 for LDAP over TLS; Active Directory's Global Catalog listens on 3268/3269) and sends an operation request to the DSA. Anonymous binds, where allowed, let anyone read parts of the directory.
Information is transmitted between the client and the server using Basic Encoding Rules (BER).
Attacker queries LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.
Tools:
JXplorer - http://www.jxplorer.org/
LDAP Admin Tool - http://www.ldapsoft.com
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
NTP Enumeration
Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers.
It uses UDP port 123 as its primary means of communication.
NTP can maintain time to within 10 milliseconds (1/100 of a second) over the public Internet.
It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions.
The attacker queries the NTP server to gather valuable information such as:
List of hosts connected to the NTP server
Client's IP addresses in a network, their system names, and OSs
Internal IPs can also be obtained if the NTP server is in the DMZ
----------------------------------------------------------------------------------------------------------------------
5~Vulnerability Analysis
Vulnerability Research:
It is the process of analyzing protocols, services, and configurations to discover the vulnerabilities and design flaws that will expose an OS and its applications to exploitation, attack, or misuse.
Why?
To gather information about security trends, newly discovered threats, attack surfaces, attack vectors, and techniques
To find weaknesses in the OS and applications and alert the network administrator before a network attack
To understand information that helps prevent security problems
To know how to recover from a network attack
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability Scoring System and Databases
Common Vulnerability Scoring System (CVSS)
Common Vulnerability and Exposure (CVE)
National Vulnerability Database (NVD)
Common Weakness Enumeration (CWE)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability-Management Life Cycle
Identify Assets and create a Baseline
Vulnerability Scan
Risk Assessment
Verification
Monitor
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability Classification
Misconfiguration
Default Installation
Buffer Overflows
Unpatched Servers
Design Flaws
Operating System Flaws
Application Flaws
Open Services
Default Password
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Vulnerability Assessment
Active Assessment
Passive Assessment
External Assessment
Internal Assessment
Host-based Assessment
Network Assessment
Application Assessment
Database Assessment
Wireless Network Assessment
Distributed Assessment
Manual Assessment
Automated Assessment
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Security experts and vulnerability scanners classify vulnerabilities by:
Severity level (low, medium, high)
Exploit range (local or remote)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerability scanners are capable of identifying the following information:
The OS version running on computers or devices
IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
Applications installed on computers
Accounts with weak passwords
Files and folders with weak permissions
Default services and applications that might have to be uninstalled
Errors in the security configuration of common applications
Computers exposed to known or publicly reported vulnerabilities
EOL/EOS software information
Missing patches and hotfixes
Weak network configurations and misconfigured or risky ports
Help to verify the inventory of all devices on the network
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Tools
Qualys
Nmap
Nessus
OpenVAS
SAINT
Burp Suite
Netscan
Acunetix
Nikto
AVDS
Microsoft Baseline Security Analyzer (MBSA)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Resources for Vulnerability Research
The following are some of the online websites used to perform vulnerability research:
Microsoft Vulnerability Research (MSVR) (https://www.microsoft.com)
Dark Reading (https://www.darkreading.com)
SecurityTracker (https://securitytracker.com)
Trend Micro (https://www.trendmicro.com)
Security Magazine (https://www.securitymagazine.com)
PenTest Magazine (https://pentestmag.com)
SC Magazine (https://www.scmagazine.com)
Exploit Database (https://www.exploit-db.com)
Security Focus (https://www.securityfocus.com)
Help Net Security (https://www.helpnetsecurity.com)
HackerStorm (http://www.hackerstorm.co.uk)
Computerworld (https://www.computerworld.com)
WindowsSecurity (http://www.windowsecurity.com)
D'Crypt (https://www.d-crypt.com)
6~System Hacking
Goals:
Gaining Access
Escalating privileges
Executing applications
Hiding files
Clearing tracks
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Gaining Access
The goal here is to collect enough information to gain access to the target.
Password Cracking
Password cracking techniques are used to recover passwords from computer systems.
Attackers use password-cracking techniques to gain unauthorized access to the vulnerable system.
Most of the password-cracking techniques are successful due to weak or easily guessable passwords.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Password Attacks
Non-Electronic Attacks: The attacker need not possess any technical knowledge to crack passwords; hence these are also known as non-technical attacks.
Shoulder Surfing: Looking at either the user's keyboard or screen while he/she is logging in.
Social Engineering: Convincing people to reveal passwords
Dumpster Diving: Searching for sensitive information at the user's trash bins, printer trash bins, and user desk for sticky notes.
Active Online Attacks: The attacker performs password cracking by directly communicating with the victim's machine.
Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts.
Brute Forcing Attack: The program tries every combination of characters until the password is broken.
Rule-based Attack: This attack is used when the attacker gets some information about the password.
Hash Injection and Phishing
Trojan/Spyware/Keyloggers
Password Guessing
Passive Online Attacks: The attacker performs password cracking without communicating with the authorizing party.
Wire Sniffing
Man-in-the-Middle
Replay
Offline Attack: The Attacker copies the target's password file and then tries to crack passwords in his own system at a different location.
Pre-Computed Hashes (Rainbow Table)
Distributed Network
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Password Cracking Tools
L0phtCrack: L0phtCrack is a password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding.
Ophcrack: Ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms.
Cain & Abel: It allows recovery of various kinds of passwords by sniffing the network, and cracking encrypted passwords using a dictionary, brute-force, and cryptanalysis attacks.
RainbowCrack: RainbowCrack cracks hashes with rainbow tables. It uses a time-memory tradeoff algorithm to crack hashes.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Privilege Escalation
An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privileges.
The attacker performs a privilege escalation attack which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.
These privileges allow attackers to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.
Types of Privilege Escalation:
Vertical Privilege Escalation:
Refers to gaining higher privileges than the existing ones.
Horizontal Privilege Escalation:
Refers to acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Executing Applications
Attackers execute malicious applications in this stage. This is called "owning" the system.
The attacker executes malicious programs remotely in the victim's machine to gather the information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install a backdoor to maintain easy access, etc.
Malicious programs that attackers execute on the target system:
Keyloggers
Spyware
Backdoors
Crackers
-------------------------------------------------------------------------------------------------------------
Hiding Files
Rootkits
Rootkits are programs that hide their presence as well as attackers' malicious activities, granting them full access to the server or host at that time and also in the future.
Rootkits replace certain operating system calls and utilities with their own modified versions of those routines that in turn undermine the security of the target system causing malicious functions to be executed.
A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
Types of Rootkits
Hypervisor Level Rootkit: Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.
Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity.
Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes.
Boot Loader Level Rootkit: Replaces the original boot loader with one controlled by a remote attacker.
Application Level Rootkit: Replaces regular application binaries with fake Trojans, or modifies the behavior of existing applications by injecting malicious code.
Library Level Rootkit: Replaces original system calls with fake ones to hide information about the attacker.
NTFS Data Stream
NTFS Alternate Data Stream (ADS) is a Windows hidden stream that contains metadata for the file such as attributes, word count, author name, and access and modification time of the files.
ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities.
ADS allows an attacker to inject malicious code in files on an accessible system and execute them without being detected by the user.
What is Steganography?
Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain the confidentiality of data.
Utilizing a graphic image as a cover is the most popular method to conceal the data in files.
Attackers can use steganography to hide messages such as a list of the compromised servers, source code for the hacking tool, plans for future attacks, etc.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Covering Tracks
Once intruders have successfully gained administrator access to a system, they try to cover their tracks to avoid detection.
The attacker uses the following techniques to cover tracks on the target system:
Disabling auditing
Clearing logs
Manipulating logs
Manually Clearing Event Logs
Windows:
Navigate to Start > Control Panel > System and Security > Administrative Tools > double click Event Viewer.
Delete all the log entries logged while compromising the system.
Linux:
Navigate to the /var/log directory on the Linux system.
Open the plain-text file containing the log messages (e.g. /var/log/messages) with a text editor.
Delete all the log entries logged while compromising the system.
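The detection side of the two procedures above, as an added example that is not part of the original notes: the Windows event records and the Linux file-size snapshots are constructed, and the record shape and thresholds are assumptions.

```python
"""Defender's checks for the log-clearing techniques above.

Added example, not from the original notes. Part 1 scans Windows event
records (shape assumed: dicts such as an Event Viewer / Get-WinEvent
export) for the events that a log wipe or audit change itself leaves
behind. Part 2 compares two snapshots of Linux log files to catch an
in-place truncation of a file such as /var/log/messages.
"""

# (log, event id) -> meaning. These IDs are standard Windows events:
# 1102 and 104 are written when a log is cleared, 4719 when the audit
# policy changes (the trail left by "disabling auditing").
TAMPER_EVENT_IDS = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "System or Application event log was cleared",
    ("Security", 4719): "System audit policy was changed",
}

# Constructed sample export: routine logons (4624), then an audit policy
# change and two log clears by the same account late at night.
SAMPLE_WIN_EVENTS = [
    {"time": "2024-03-01T09:12:00", "log": "Security", "id": 4624, "user": "alice"},
    {"time": "2024-03-01T09:30:10", "log": "Security", "id": 4624, "user": "svc_backup"},
    {"time": "2024-03-01T23:41:02", "log": "Security", "id": 4719, "user": "svc_backup"},
    {"time": "2024-03-01T23:41:05", "log": "Security", "id": 1102, "user": "svc_backup"},
    {"time": "2024-03-01T23:41:06", "log": "System", "id": 104, "user": "svc_backup"},
]


def find_log_tampering(events):
    """Return [(time, user, description)] for every audit-tampering event."""
    hits = []
    for ev in events:
        desc = TAMPER_EVENT_IDS.get((ev["log"], ev["id"]))
        if desc:
            hits.append((ev["time"], ev["user"], desc))
    return hits


# Constructed Linux snapshots: path -> (size_bytes, inode), as a
# monitoring job would record them with os.stat(). logrotate normally
# gives the path a new inode, so "smaller and same inode" means the file
# was truncated in place rather than rotated.
# Caveat: logrotate's copytruncate option also truncates in place, so
# correlate hits with the rotation schedule.
SNAPSHOT_BEFORE = {
    "/var/log/messages": (1_048_576, 1311),
    "/var/log/auth.log": (204_800, 1312),
    "/var/log/syslog": (3_000_000, 1313),
}
SNAPSHOT_AFTER = {
    "/var/log/messages": (512, 1311),       # shrank, same inode: truncated
    "/var/log/auth.log": (230_000, 1312),   # grew normally
    "/var/log/syslog": (1_200, 1401),       # smaller but new inode: rotated
}


def find_truncated_logs(before, after):
    """Paths that shrank without changing inode, or that disappeared."""
    truncated = []
    for path, (old_size, old_inode) in before.items():
        new = after.get(path)
        if new is None:
            truncated.append(path)          # log file deleted outright
            continue
        new_size, new_inode = new
        if new_inode == old_inode and new_size < old_size:
            truncated.append(path)
    return truncated


if __name__ == "__main__":
    for hit in find_log_tampering(SAMPLE_WIN_EVENTS):
        print("windows:", *hit)
    print("truncated:", find_truncated_logs(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Shipping these events to a separate log collector matters more than the check itself: an attacker who can clear the local log can also clear the evidence of clearing it.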
7~Malware & Threats
What is Malware?
Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud.
Examples of Malware:
Trojan Horse
Backdoor
Rootkit
Ransomware
Adware
Virus
Worms
Spyware
Botnet
Crypter
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
What is a Trojan?
Trojans are malicious files that are used by the attacker to create a backdoor without the knowledge of the user. A Trojan usually deletes or replaces critical operating system files, steals data, sends notifications to a remote attacker, and remotely controls the target. Trojans usually hide behind genuine code, a program, or a file to avoid being noticed by the user. Behind the original program, the Trojan establishes a backdoor connection with the remote attacker. It has three parts:
Dropper: This is the code that installs malicious code into the target.
Malicious code: This is the code that exploits the system and gives the attacker control over the target.
Wrapper: The wrapper packs the dropper, the malicious code, and the genuine code into one executable package.
When victims try to download an infected file, the dropper installs the malicious code first and then the genuine program.
There are various types of Trojans:
Hypervisor Trojan
HTTP/HTTPS Trojan
Remote access Trojan
FTP Trojans
VNC Trojans
Banking Trojans
DOM-based Trojan
Destructive Trojan
Botnet Trojan
Proxy Trojan
Data hiding Trojan
-------------------------------------------------------------------------------------------------------------
What is a Virus?
A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document.
Viruses are generally transmitted through file downloads, infected disk/flash drives, and email attachments.
Virus Characteristics:
Infects other programs
Transforms itself
Encrypts itself
Alters data
Corrupts files and programs
Self-replication
Different types of Viruses:
Boot sector virus: Replaces the boot sector with itself, moving the original boot sector to another location on the hard disk.
File overwriting or cavity virus: Replaces the content of files with other content, leaving the file unusable.
Crypter: Encrypts the contents of the file, rendering the file unusable to the user.
Polymorphic virus: The virus mutates its code while keeping the underlying algorithm intact.
Tunnelling Virus: These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into the BIOS and DOS to install themselves. To perform this activity they even tunnel under anti-virus software programs.
Metamorphic virus: Rewrites itself every time it runs, reprogramming itself into completely different code and back again.
Macro virus: Infects Microsoft Office products such as Word and Excel. Macro viruses are usually written in a macro language such as Visual Basic for Applications (VBA).
Cluster Virus: Modifies the directory entries so it always directs the user to the virus code instead of the actual program.
Stealth/tunneling virus: Intercepts the anti-virus program's calls to the operating system and returns an uninfected version of the requested files, thereby evading the anti-virus.
Extension Virus: Hides the extension of the virus files, deceiving the unsuspecting user to download the files.
Metamorphic Virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
Add-on Virus: Add-on viruses append their code to the host code without making any changes to the latter or relocating the host code to insert their own code at the beginning.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ransomware
Ransomware is a type of malware that restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions.
Ransomware Family:
Cryptorbit Ransomware
CryptoLocker Ransomware
CryptoDefense Ransomware
CryptoWall Ransomware
Police-themed Ransomware
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Spyware
Spyware, once installed on the target, monitors every action of the target and reports to the remote attacker. Cookie stealing, password stealing, identity theft, and information theft are a few of the attacks commonly carried out using spyware.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Computer Worms
Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction.
Most of the worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system.
Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber attacks.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Malware Detection
How to Detect Trojans
Scan for suspicious OPEN PORTS.
Scan for suspicious RUNNING PROCESSES.
Scan for suspicious REGISTRY ENTRIES.
Scan for suspicious DEVICE DRIVERS installed on the computer.
Scan for suspicious WINDOWS SERVICES.
Scan for suspicious STARTUP PROGRAMS.
Scan for suspicious FILES and FOLDERS.
Scan for suspicious NETWORK ACTIVITIES.
Scan for suspicious modifications to OPERATING SYSTEM FILES.
Run Trojan SCANNER to detect Trojans.
8~Sniffing
What is Sniffing?
Sniffing is a process of monitoring and capturing all data packets passing through a given network. Sniffers are used by network/system administrators to monitor and troubleshoot network traffic. Attackers use sniffers to capture data packets containing sensitive information such as passwords, account information, etc. Sniffers can be hardware or software installed in the system. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Sniffing:
Passive Sniffing:
Passive sniffing means sniffing through a hub; on a hub, the traffic is sent to all ports.
It involves only monitoring the packets sent by others without sending any additional data packets into the network traffic.
In a network that uses hubs to connect systems, all hosts on the network can see all traffic; therefore an attacker can easily capture traffic going through the hub.
Hub usage is outdated today. Most modern networks use switches.
Active Sniffing:
Active sniffing is used to sniff a switch-based network.
Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table; the CAM table keeps track of which host is connected to which port.
Active Sniffing Techniques:
MAC Flooding
DNS Poisoning
ARP Poisoning
DHCP Attacks
Switch Port Stealing
Spoofing Attack
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Protocols Vulnerable to Sniffing
HTTP: Data sent in clear text
Telnet and Rlogin: Keystrokes including user names and passwords
POP: Passwords and data sent in clear text
IMAP: Passwords and data sent in clear text
SMTP and NNTP: Passwords and data sent in clear text
FTP: Passwords and data sent in clear text
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
MAC Attacks
MAC Address/CAM Table
Each switch has a fixed-size, dynamic Content Addressable Memory (CAM) table.
The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters.
What Happens When CAM Table Is Full?
Once the CAM table on the switch is full, additional ARP request traffic will flood every port on the switch.
This changes the behavior of the switch, resetting it to its learning mode and broadcasting on every port, similar to a hub.
This attack will also fill the CAM tables of adjacent switches.
MAC Flooding
MAC flooding involves flooding the CAM table with fake MAC address and IP pairs until it is full.
Switch then acts as a hub by broadcasting packets to all machines on the network and attackers can sniff the traffic easily.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
DHCP Attacks
How DHCP Works
DHCP servers maintain TCP/IP configuration information in a database such as valid TCP/IP configuration parameters, valid IP addresses, and duration of the lease offered by the server.
It provides address configurations to DHCP-enabled clients in the form of a lease offer.
Client broadcasts DHCPDISCOVER/SOLICIT request asking for DHCP Configuration Information.
DHCP-relay agent captures the client request and unicasts it to the DHCP servers available in the network.
The DHCP server unicasts a DHCPOFFER/ADVERTISE, which contains the client's and server's MAC addresses.
Relay agent broadcasts DHCPOFFER/ADVERTISE in the client's subnet.
Client broadcasts DHCPREQUEST/REQUEST asking DHCP server to provide the DHCP configuration information.
DHCP server sends unicast DHCPACK/REPLY message to the client with the IP config and information.
DHCP Starvation Attack
This is a denial-of-service (DoS) attack on DHCP servers in which the attacker broadcasts forged DHCP requests and tries to lease all of the DHCP addresses available in the DHCP scope.
As a result, legitimate users are unable to obtain or renew an IP address via DHCP and are denied network access.
DHCP Starvation Attack Tools
Dhcpstarv:
dhcpstarv implements a DHCP starvation attack. It requests DHCP leases on the specified interface, saves them, and renews them on a regular basis.
Yersinia:
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols.
It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
dhcpstarv -i eth0
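The server-side view of the starvation attack above, as an added example that is not part of the original notes: it parses DHCP server log lines (constructed here in the style of ISC dhcpd syslog output; the window and threshold values are assumptions) and alerts when more than a threshold of distinct client MACs send DHCPDISCOVER on one interface within a short window.

```python
"""Detect a DHCP starvation attempt from DHCP server log lines.

Added example, not from the original notes. The log text is
constructed in the style of ISC dhcpd syslog output; the parser only
depends on the 'DHCPDISCOVER from <mac> via <iface>' shape, and the
window/threshold values are assumptions to tune per network.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one normal DORA exchange, then 12 DHCPDISCOVERs from
# never-seen MACs on eth0 within six seconds (dhcpstarv-like behaviour).
SAMPLE_DHCP_LOG = """\
Mar  1 10:00:01 dhcp dhcpd[812]: DHCPDISCOVER from 00:0c:29:11:11:11 via eth0
Mar  1 10:00:01 dhcp dhcpd[812]: DHCPOFFER on 10.0.0.20 to 00:0c:29:11:11:11 via eth0
Mar  1 10:00:02 dhcp dhcpd[812]: DHCPREQUEST for 10.0.0.20 from 00:0c:29:11:11:11 via eth0
Mar  1 10:00:02 dhcp dhcpd[812]: DHCPACK on 10.0.0.20 to 00:0c:29:11:11:11 via eth0
Mar  1 10:05:00 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:01 via eth0
Mar  1 10:05:00 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:02 via eth0
Mar  1 10:05:01 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:03 via eth0
Mar  1 10:05:01 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:04 via eth0
Mar  1 10:05:02 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:05 via eth0
Mar  1 10:05:02 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:06 via eth0
Mar  1 10:05:03 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:07 via eth0
Mar  1 10:05:03 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:08 via eth0
Mar  1 10:05:04 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:09 via eth0
Mar  1 10:05:04 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:0a via eth0
Mar  1 10:05:05 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:0b via eth0
Mar  1 10:05:05 dhcp dhcpd[812]: DHCPDISCOVER from 02:aa:00:00:00:0c via eth0
"""

DISCOVER_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"DHCPDISCOVER from (?P<mac>[0-9a-fA-F:]{17}) via (?P<iface>\S+)"
)


def parse_discovers(log_text, year=2024):
    """Yield (epoch_seconds, mac, iface) for every DHCPDISCOVER line.

    syslog lines carry no year, so one is supplied (assumed 2024 here).
    """
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").timestamp()
        yield ts, m["mac"].lower(), m["iface"]


def detect_starvation(log_text, window_s=10, max_new_macs=10):
    """Map iface -> (alert_epoch, distinct_macs) for interfaces where more
    than max_new_macs distinct clients sent DHCPDISCOVER within window_s."""
    recent = defaultdict(deque)   # iface -> (ts, mac) entries inside the window
    alerts = {}
    for ts, mac, iface in parse_discovers(log_text):
        q = recent[iface]
        q.append((ts, mac))
        while q and ts - q[0][0] > window_s:   # slide the window forward
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > max_new_macs and iface not in alerts:
            alerts[iface] = (ts, len(distinct))   # report once per interface
    return alerts


if __name__ == "__main__":
    # Switch-side mitigation is DHCP snooping plus a per-port MAC limit;
    # this script only spots the burst in the server's own log.
    print(detect_starvation(SAMPLE_DHCP_LOG))
```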
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
ARP Poisoning
What Is Address Resolution Protocol (ARP)?
Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses.
All network devices that need to communicate on the network broadcast ARP queries to find out other machines' MAC addresses.
When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, an ARP_REQUEST is broadcast over the network.
All machines on the network compare the requested IP address with their own.
If one of the machines in the network identifies with this address, it responds to the ARP_REQUEST with its IP and MAC address. The requesting machine stores the address pair in its ARP table and communication takes place.
ARP Spoofing Attack
ARP packets can be forged to send data to the attacker's machine.
ARP Spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch.
The switch is set to "forwarding mode" after its table is flooded with spoofed ARP replies, and attackers can then sniff all the network packets.
Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning.
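An added example, not from the original notes, showing how a passive monitor on the segment can detect the poisoning described above from the ARP replies it sees: the sample replies, the threshold and the function names are constructed for illustration.

```python
"""Detect ARP poisoning and MAC duplication from observed ARP replies.

Added example (not from the original notes). Input records are
(timestamp, sender_ip, sender_mac) as a passive ARP monitor on the
segment would record them; names and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 is legitimately at
# aa:bb:cc:00:00:01. From t=30 a second MAC answers for the gateway and
# for two other hosts, the classic man-in-the-middle poisoning pattern,
# then the real gateway answers again (address flapping).
SAMPLE_ARP_REPLIES = [
    (1,  "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (2,  "192.168.1.10", "aa:bb:cc:00:00:10"),
    (3,  "192.168.1.11", "aa:bb:cc:00:00:11"),
    (30, "192.168.1.1",  "DE:AD:BE:EF:00:99"),  # gateway IP, new MAC
    (31, "192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC claims a 2nd IP
    (32, "192.168.1.11", "de:ad:be:ef:00:99"),  # ... and a 3rd
    (40, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # real gateway answers again
]

MAX_IPS_PER_MAC = 2  # assumed threshold; legitimate hosts rarely exceed it


def analyse_arp(replies, max_ips_per_mac=MAX_IPS_PER_MAC):
    """Return alert strings for IP->MAC changes and MACs claiming many IPs.

    A first-seen binding is trusted (like a switch's learning phase);
    every later reply that contradicts it is reported, so flapping
    between two MACs produces one alert per flip.
    """
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()           # normalise case before comparing
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={ts}: {ip} changed from {prev} to {mac} "
                          f"(possible ARP poisoning)")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:  # fire once per MAC
            alerts.append(f"t={ts}: {mac} now claims {len(mac_to_ips[mac])} "
                          f"IPs (MAC duplication / spoofing)")
    return alerts


def suspicious_macs(replies, max_ips_per_mac=MAX_IPS_PER_MAC):
    """MACs that have answered for more than max_ips_per_mac distinct IPs."""
    mac_to_ips = defaultdict(set)
    for _, ip, mac in replies:
        mac_to_ips[mac.lower()].add(ip)
    return {m for m, ips in mac_to_ips.items() if len(ips) > max_ips_per_mac}


if __name__ == "__main__":
    # Switch-side mitigation is Dynamic ARP Inspection or static ARP
    # entries for critical hosts; this monitor only detects.
    for line in analyse_arp(SAMPLE_ARP_REPLIES):
        print(line)
```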
Threats of ARP Poisoning
Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC.
The threats of ARP poisoning include:
Packet Sniffing
Session Hijacking
VoIP Call Tapping
Manipulating Data
Man-in-the-Middle Attack
Data Interception
Connection Hijacking
Connection Resetting
Stealing Passwords
Denial-of-Service (DoS) Attack
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Spoofing Attack
MAC Spoofing/Duplicating
MAC duplicating attack is launched by sniffing a network for MAC addresses of clients who are actively associated with a switch port and re-using one of those addresses.
By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for the user.
This attack allows an attacker to gain access to the network and take over someone's identity already on the network.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS Poisoning
DNS Poisoning Techniques
DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when, in reality, it has not.
It results in the substitution of a false IP address at the DNS level, where web addresses are converted into numeric IP addresses.
It allows an attacker to replace the IP address entries for a target site on a given DNS server with the IP address of a server he/she controls.
The attacker can create fake DNS entries for the server (containing malicious content) with the same names as those of the target server.
9~Social Engineering
What is Social Engineering?
Social engineering is the art of convincing people to reveal confidential information. Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Phases in a Social Engineering Attack
Research on Target Company: Dumpster diving, websites, employees, a tour of the company, etc.
Select Victim: Identify the frustrated employees of the target company.
Develop Relationship: Develop relationships with the selected employees.
Exploit the Relationship: Collect sensitive account and financial information, and current technologies.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Social Engineering
Human-based Social Engineering: Gathers sensitive information by interaction.
Impersonation
Eavesdropping and shoulder surfing
Dumpster diving
Piggybacking and Tailgating
Reverse Social Engineering
Vishing
Computer-based Social Engineering: Social engineering is carried out with the help of computers.
Phishing
Spam Mail
Instant chat messenger
Pop-up window attacks
Scareware
Mobile-based Social Engineering: It is carried out with the help of mobile applications.
Republishing malicious apps
Repackaging legitimate apps
Using fake security applications
Smishing (SMS phishing)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
10~Denial-Of-Service
What is a Denial-of-Service Attack?
Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate users.
In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources.
A DoS attack leads to the unavailability of a particular website and slow network performance.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
What is a Distributed Denial of Service Attack?
A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing a denial of service for users of the targeted system.
To launch a DDoS attack, an attacker uses botnets and attacks a single system.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Basic Categories of DoS/DDoS Attack Vectors
Volumetric Attacks: Consumes the bandwidth of the target network or service.
Fragmentation Attacks: Overwhelm the target's ability to reassemble fragmented packets.
TCP State-Exhaustion Attacks: Consumes the connection state tables present in the network infrastructure components such as load-balancers, firewalls, and application servers.
Application Layer Attacks: Consumes the application resources or service thereby making it unavailable to other legitimate users.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
DoS/DDoS Attack Techniques
Bandwidth Attacks and Service Request Floods
SYN Flooding Attack
ICMP Flood Attack
Peer-to-Peer Attacks
Application-Level Flood Attacks
Permanent Denial-of-Service Attack
Distributed Reflection Denial of Service (DrDoS)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
SYN Attack
The attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses.
The target machine sends back a SYN/ACK in response to each request and waits for the ACK to complete the session setup.
The target machine never receives that ACK because the source address is fake, so half-open connections accumulate and exhaust its connection table.
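An added example, not from the original notes, of how a host administrator can recognise this condition from the socket table: the snapshot below is constructed in the column layout of `ss -tan`, and the half-open threshold is an assumption.

```python
"""Flag a SYN flood from a socket-table snapshot.

Added example, not from the original notes. The snapshot below is
constructed in the column layout of `ss -tan` (State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port); the threshold is an assumption.
A flood shows up as many half-open (SYN-RECV) sockets on one local port,
each from a different source that never completes the handshake.
"""
from collections import defaultdict

SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    10.0.0.5:80          0.0.0.0:*
LISTEN     0      128    10.0.0.5:22          0.0.0.0:*
ESTAB      0      0      10.0.0.5:22          192.0.2.10:53122
ESTAB      0      0      10.0.0.5:80          192.0.2.11:40001
ESTAB      0      0      10.0.0.5:80          192.0.2.12:40002
SYN-RECV   0      0      10.0.0.5:80          198.51.100.1:1001
SYN-RECV   0      0      10.0.0.5:80          198.51.100.2:1002
SYN-RECV   0      0      10.0.0.5:80          198.51.100.3:1003
SYN-RECV   0      0      10.0.0.5:80          198.51.100.4:1004
SYN-RECV   0      0      10.0.0.5:80          198.51.100.5:1005
SYN-RECV   0      0      10.0.0.5:80          198.51.100.6:1006
SYN-RECV   0      0      10.0.0.5:80          198.51.100.7:1007
SYN-RECV   0      0      10.0.0.5:80          198.51.100.8:1008
SYN-RECV   0      0      10.0.0.5:80          198.51.100.9:1009
SYN-RECV   0      0      10.0.0.5:80          198.51.100.10:1010
SYN-RECV   0      0      10.0.0.5:80          198.51.100.11:1011
SYN-RECV   0      0      10.0.0.5:80          198.51.100.12:1012
"""


def parse_ss(text):
    """Return (state, local_ip, local_port, peer_ip) for each socket line."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_ip, local_port = local.rsplit(":", 1)
        peer_ip = peer.rsplit(":", 1)[0]
        conns.append((state, local_ip, int(local_port), peer_ip))
    return conns


def syn_flood_report(conns, half_open_threshold=10):
    """Per local port with >= threshold half-open sockets: counts and source spread.

    A high half-open count with as many distinct sources as sockets, and
    few established sessions, is the signature of spoofed-source SYN flooding.
    """
    per_port = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for state, _ip, port, peer_ip in conns:
        e = per_port[port]
        if state == "SYN-RECV":
            e["half_open"] += 1
            e["sources"].add(peer_ip)
        elif state == "ESTAB":
            e["established"] += 1
    report = {}
    for port, e in per_port.items():
        if e["half_open"] >= half_open_threshold:
            report[port] = {"half_open": e["half_open"],
                            "distinct_sources": len(e["sources"]),
                            "established": e["established"]}
    return report


if __name__ == "__main__":
    # On Linux, SYN cookies (sysctl net.ipv4.tcp_syncookies=1) let the
    # host keep accepting legitimate connections once the backlog is full.
    print(syn_flood_report(parse_ss(SAMPLE_SS)))
```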
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
ICMP Flood Attack
An ICMP flood attack is a type of DoS attack in which perpetrators send a large number of ICMP packets, directly or through reflection networks, to victims, causing them to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.
To protect against ICMP flood attacks, set a threshold limit that, when exceeded, invokes the ICMP flood attack protection feature.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Botnet
Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing.
A botnet is a huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Tools
HULK
Metasploit
Nmap
Tsunami
Trinity - Linux-based DDoS tool
Tribe Flood Network (TFN) - classic master/daemon DDoS tool that launches massive flood attacks from compromised hosts
RUDY (R-U-Dead-Yet?) - DoS with HTTP POST via long-form field submission.
11~Session Hijacking
What is Session Hijacking?
Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers.
Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine.
Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
The attacker steals a valid session ID and uses it to authenticate himself with the server.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Session Hijacking Process
Stealing: The attacker uses different techniques to steal session IDs.
Some of the techniques used to steal session IDs:
Using the HTTP Referer header: the browser sends the referring URL, which contains the user's session ID, to the attacker's site, and the attacker now possesses the session ID.
Sniffing the network traffic.
Using cross-site scripting attacks.
Sending Trojans to client machines.
Guessing: The attacker tries to guess session IDs by observing the variable parts of captured session IDs.
Brute Forcing: The attacker tries one candidate ID after another until the server accepts one.
Steps of a network-level (TCP) session hijack, in order:
Sniff: Place yourself between the victim and the target (you must be able to sniff the network).
Monitor: Monitor the flow of packets and predict the sequence number.
Session Desynchronization: Break the connection to the victim's machine.
Session ID prediction: Take over the session.
Command Injection: Start injecting packets to the target server.
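The guessing step above ("observing variable parts of the session IDs") in code, as an added example that is not part of the original notes. The weak generator, the user IDs and the timestamps are constructed for the demo; the analysis functions are what an assessor would run over a batch of captured tokens to decide whether prediction is feasible:

```python
import base64
import math
import secrets
from collections import Counter

# Added example. A constructed weak session-ID generator (encoded cleartext fields)
# next to a strong one, plus the analysis an attacker runs on captured IDs.

def weak_session_id(user_id, login_time):
    # Weak: base64 of "<user_id>:<epoch seconds>"; both fields are guessable
    return base64.b64encode(f"{user_id}:{login_time}".encode()).decode()

def strong_session_id():
    return secrets.token_hex(16)  # 128 bits from the OS CSPRNG

def positional_entropy(ids):
    """Shannon entropy (bits) of each character position across the observed IDs.
    Positions near 0 bits are constant; only the remaining positions must be guessed."""
    width = min(len(i) for i in ids)
    n = len(ids)
    result = []
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def decode_structure(sid):
    """First guess at the 'variable parts': is the token just encoded cleartext?"""
    try:
        raw = base64.b64decode(sid, validate=True).decode()
    except Exception:
        return None
    parts = raw.split(":")
    return parts if len(parts) == 2 and all(p.isdigit() for p in parts) else None

def predict_neighbours(observed_sid, user_delta=1, time_window=5):
    """From one decoded ID (the attacker's own), enumerate candidate IDs for adjacent
    users logging in around the same time. The list length is the brute-force cost."""
    fields = decode_structure(observed_sid)
    if fields is None:
        return []
    uid, ts = int(fields[0]), int(fields[1])
    return [weak_session_id(u, t)
            for u in range(uid - user_delta, uid + user_delta + 1)
            for t in range(ts - time_window, ts + time_window + 1)]

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed login times
    weak = [weak_session_id(1000 + i, t0 + i * 3) for i in range(10)]
    strong = [strong_session_id() for _ in range(10)]
    print("weak   constant positions:", sum(e == 0 for e in positional_entropy(weak)))
    print("strong constant positions:", sum(e == 0 for e in positional_entropy(strong)))
    target = weak_session_id(1005, t0 + 17)           # a victim's session
    candidates = predict_neighbours(weak[4])          # attacker's own: user 1004, t0+12
    print("victim's ID among", len(candidates), "candidates:", target in candidates)
```

With ten samples the weak tokens show a constant prefix and a handful of slowly varying characters, and 33 candidates cover the victim's session; the CSPRNG tokens show close to full entropy at every position, so neither observation nor brute force helps.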
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Session Hijacking (?)
Active Attack: In an active attack, an attacker finds an active session and takes it over.
Passive Attack: With a passive attack, an attacker hijacks a session but sits back and watches and records all the traffic that is being sent back and forth.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Session Hijacking in OSI Model
Network Level Hijacking: Network level hijacking can be defined as the interception of the packets during the transmission between the client and the server in a TCP and UDP session.
UDP Hijacking
TCP/IP Hijacking
RST Hijacking
Man-in-the-Middle: Packet Sniffer
IP Spoofing: Source Routed Packets
Blind Hijacking
Application Level Hijacking: Application level hijacking is about gaining control over an HTTP user session by obtaining its session ID.
Predictable session token
Man-in-the-middle attack
Man-in-the-browser attack
Cross-site script attack
Cross-site request forgery attack
Session replay attack
Session fixation
Session sniffing
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Session Hijacking Tools
Zaproxy
The OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications.
Burp Suite
Burp suite allows the attacker to inspect and modify traffic between the browser and the target application. It analyzes all kinds of content, with automatic colorizing of request and response syntax.
JHijack
A Java hijacking tool for web application session security assessment.
A simple Java fuzzer, mainly used for numeric session hijacking and parameter enumeration.
Session Hijacking Tools for Mobile: DroidSheep and DroidSniff
DroidSheep:
DroidSheep is a simple Android tool for web session hijacking (side jacking).
It listens for HTTP packets sent via a wireless (802.11) network connection and extracts the session IDs from these packets.
DroidSniff:
DroidSniff is an Android app for security analysis in wireless networks and capturing Facebook, Twitter, Linkedin, and other accounts.
12~Evading IDS, Firewall, and Honeypot
Intrusion Prevention System (IPS) - ACTIVE monitoring of activity looking for anomalies, alerting/notifying AND taking action when they are found.
Intrusion Detection System (IDS) - PASSIVE monitoring of activity looking for anomalies and alerting/notifying when they are found.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Deployment Types - HIDS & NIDS & WIDS:
Host-based - Monitors activity on a single device/host by being installed locally.
Network-based - Monitors activity across a network using remote sensors that report back to a central system. Often paired with a Security Information and Event Management (SIEM) system for analysis. Reverse ARP or reverse DNS lookups are often used to identify the source host.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Knowledge & Behavior-Based Detection:
Knowledge-Based (Signature Based | Pattern Matching) - Most common form of detection. Uses a database of profiles, or signatures to assess all traffic.
Behavior-Based (Statistical | Anomaly | Heuristic) - Starts by creating a baseline of behavior for the monitored system/network and then compares all traffic against that looking for deviations. Can be labeled an AI or Expert system.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of IDS Alerts
True Positive --> Attack - Alert ✅✅
False Positive --> No Attack - Alert ❌✅
False Negative --> Attack - No Alert ✅❌
This is the worst scenario
True Negative --> No Attack - No Alert ❌❌
------------------------------------------------------------------------------------------------------------------------------------------------------
Firewalls types:
Stateful (Dynamic Packet Filtering) - Layer 3 + 4 (Network + Transport layer)
Stateless (Static Packet Filtering) - Layer 3 (Network)
Deep Packet Inspection - Layer 7 (Application Layer)
Proxy Firewall - Mediates communications between untrusted and trusted end-points (server/hosts/clients). A proxy firewall is a network security system that protects network resources by filtering messages at the Application Layer 7. A proxy firewall may also be called an application firewall or gateway firewall.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Insertion Attack - The attacker sends packets that the IDS accepts and processes but the end host rejects (for example, a bad checksum or a TTL too low to reach the host). The IDS reassembles a different stream than the host does, so the signature never matches.
Evasion - An endpoint accepts data that the IDS rejects or never sees as a whole. Typically executed via fragmentation or segmentation of the attack data so that no single packet contains the signature; an IDS that does not reassemble lets it through.
Obfuscation - Encoding the attack packets in such a way that the target is able to decode them, but the IDS is not.
Unicode
Polymorphic code
Encryption
Path manipulation to cause a signature mismatch
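The insertion and evasion cases above (Ptacek and Newsham style), as an added simulation that is not part of the original notes. It reassembles a constructed TCP stream the way a target host would (honouring TTL) and the way three IDS variants would: per-packet matching only, reassembly that ignores TTL, and reassembly that models the hop count. The signature, segments and hop count are constructed for the demo:

```python
# Added example. Simulated TCP stream reassembly as seen by the target host and by
# a network IDS that does not model the target's TTL handling or does not reassemble.

SIGNATURE = b"/etc/passwd"
HOPS_TO_TARGET = 5  # assumed: the target sits 5 router hops beyond the IDS sensor

def reassemble(segments, hops, honour_ttl):
    """Rebuild the byte stream from (seq, ttl, data) segments.
    First data seen for an offset wins (a simplistic but common policy).
    If honour_ttl, segments whose TTL expires before `hops` are dropped, as on the real host."""
    stream = {}
    for seq, ttl, data in segments:
        if honour_ttl and ttl < hops:
            continue
        for i, byte in enumerate(data):
            stream.setdefault(seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))

def per_packet_ids_alert(segments):
    """Signature match on each packet alone, no reassembly."""
    return any(SIGNATURE in data for _, _, data in segments)

def reassembling_ids_alert(segments, honour_ttl):
    return SIGNATURE in reassemble(segments, HOPS_TO_TARGET, honour_ttl)

# Evasion: the signature is split across two segments; a per-packet IDS never sees it whole.
EVASION = [(0, 64, b"GET /etc/pa"), (11, 64, b"sswd HTTP/1.0\r\n\r\n")]

# Insertion: a decoy segment with a TTL too low to reach the host carries junk at the same
# offset as the real data. An IDS that ignores TTL accepts the decoy and ignores the real bytes.
INSERTION = [
    (0, 64, b"GET /etc/"),
    (9, 2, b"xxxxxx"),          # TTL 2 dies before hop 5: the host never sees it
    (9, 64, b"passwd"),         # the real bytes, accepted by the host
    (15, 64, b" HTTP/1.0\r\n\r\n"),
]

def evaluate(segments):
    return {
        "host_sees_attack": SIGNATURE in reassemble(segments, HOPS_TO_TARGET, honour_ttl=True),
        "per_packet_ids": per_packet_ids_alert(segments),
        "reassembling_ids_no_ttl": reassembling_ids_alert(segments, honour_ttl=False),
        "reassembling_ids_with_ttl": reassembling_ids_alert(segments, honour_ttl=True),
    }

if __name__ == "__main__":
    for name, segs in (("evasion", EVASION), ("insertion", INSERTION)):
        print(name, evaluate(segs))
```

In both cases the host executes the request and the per-packet IDS stays silent; the insertion case additionally defeats an IDS that reassembles but does not model the target's network path, which is why real sensors take TTL, checksum and overlap policy from the protected host's behaviour.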
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Tools for Evasion
Nessus - Also a vulnerability scanner
ADMmutate - Creates scripts not recognizable by signature files
NIDSbench - Older tool for fragmenting packets
Inundator - Flooding tool
----------------------------------------------------------------------------------------------------------------------------------------------------------------
SNORT - Tool
SNORT is an open-source network intrusion detection system (NIDS). Snort is a packet sniffer that monitors network traffic in real-time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.
Snort is a widely deployed IDS that is open source
Includes a sniffer, traffic logger, and a protocol analyzer
Runs in three different modes
Sniffer - Watches packets in real-time
Packet logger - Saves packets to disk for review at a later time
NIDS - Analyzes network traffic against various rule sets
Configuration is in /etc/snort on Linux and C:\snort\etc in Windows; the file is a snort.conf.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
SNORT Rules
SNORT has a rules engine that allows for the customization of monitoring and detection capabilities.
A rule header has the form: action protocol src_ip src_port -> dst_ip dst_port, followed by options in parentheses (msg, content, sid, ...).
The basic rule actions are:
Alert - generate an alert and log the packet
Log - log the packet
Pass - ignore the packet
(Inline/IPS mode adds drop, reject, and sdrop.)
The protocols that can be specified in the header are:
TCP
UDP
ICMP
IP
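A small parser and matcher for the rule format described above, as an added example that is not part of the original notes or of Snort itself. It handles the header fields, a few body options (msg, content, nocase, sid) and simple address/port specs; the $HOME_NET and $EXTERNAL_NET values, the rules and the packet records are constructed for the demo:

```python
import re

# Added example. Minimal parser for Snort-style rules and a matcher run over constructed
# packet records. Only a small subset of the real rule language is implemented.

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<body>.*)\)\s*$"
)
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}  # assumed variable values

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = m.groupdict()
    opts = {}
    for name, value in OPTION_RE.findall(rule.pop("body")):
        opts.setdefault(name, []).append(value.strip().strip('"'))
    rule["options"] = opts
    return rule

def _addr_match(spec, ip):
    """Supports 'any', a single IPv4 address, a /8, /16 or /24 prefix, $VAR and '!' negation."""
    spec = VARS.get(spec, spec)
    if spec.startswith("!"):
        return not _addr_match(spec[1:], ip)
    if spec == "any" or spec == ip:
        return True
    if "/" in spec:
        net, bits = spec.split("/")
        keep = int(bits) // 8
        return ip.split(".")[:keep] == net.split(".")[:keep]
    return False

def _port_match(spec, port):
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    fwd = (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
           and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    rev = (rule["dir"] == "<>"
           and _addr_match(rule["src"], pkt["dst"]) and _port_match(rule["sport"], pkt["dport"])
           and _addr_match(rule["dst"], pkt["src"]) and _port_match(rule["dport"], pkt["sport"]))
    if not (fwd or rev):
        return False
    payload = pkt["payload"]
    nocase = "nocase" in rule["options"]
    for needle in rule["options"].get("content", []):
        n = needle.encode()
        if (n.lower() not in payload.lower()) if nocase else (n not in payload):
            return False
    return True

def run_rules(rules, packets):
    """Return (sid, action) for every rule that fires, in packet order then rule order."""
    return [(r["options"]["sid"][0], r["action"]) for p in packets for r in rules if rule_matches(r, p)]

RULES = [parse_rule(t) for t in [  # constructed rules
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB traversal attempt"; content:"../"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB passwd access"; content:"/etc/passwd"; nocase; sid:1000002; rev:1;)',
    'pass icmp any any -> any any (msg:"ICMP allowed"; sid:1000003;)',
]]

PACKETS = [  # constructed packet records
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51000, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /../../ETC/PASSWD HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 80, "dst": "198.51.100.9", "dport": 51000,
     "payload": b"HTTP/1.0 200 OK\r\n\r\n"},
]

if __name__ == "__main__":
    print(run_rules(RULES, PACKETS))
```

The first packet fires both web rules (the second only because of nocase, since the request upper-cases the path); the reply packet matches nothing because the rule direction is one-way and its source is inside $HOME_NET.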
13~Hacking Web Servers
A web server is the combination of hardware and software that hosts websites; attackers usually target software vulnerabilities and configuration errors to compromise web servers.
Nowadays, network and OS-level attacks can be well defended using proper network security measures such as firewalls, IDS, etc., however, web servers are accessible from anywhere on the web, which makes them less secure and more vulnerable to attacks.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Why Web Servers Are Compromised?
Improper file and directory permissions.
Installing the server with default settings.
Unnecessary services enabled, including content management and remote administration.
Security conflicts with business ease-of-use case
Lack of proper security policy, procedures, and maintenance.
Improper authentication with external systems.
Default accounts with their default or no passwords.
Unnecessary default, backup, or sample files.
Misconfiguration in web servers, operating systems, and networks.
Bugs in server software, OS, and web applications.
Misconfigured SSL certificates and encryption settings.
Administrative or debugging functions that are enabled or accessible on web servers.
Use of self-signed certificates and default certificates.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Impact of Webserver Attacks
Compromise of user accounts.
Website defacement.
Secondary attacks from the Website.
Root access to other applications or servers.
Data tampering and data theft
---------------------------------------------------------------------------------------------------------------------------------------------------------
Open Source Webserver Architecture
Linux is the server OS that provides a secure platform for the web server.
Apache is the web server component that handles each HTTP request and response.
MySQL is a relational database used to store the webserver's content and configuration information.
PHP is the application layer technology used to generate dynamic web content.
--------------------------------------------------------------------------------------------------------------------------------------------------------
IIS Web Server Architecture
Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.
---------------------------------------------------------------------------------------------------------------------------------------------------------
Webserver Attacks
-----------------------------------------------------------------------------------------------------------------------------------------------------
DoS/DDoS Attacks
Attackers may send numerous fake requests to the web server which results in the web server crashing or becoming unavailable to legitimate users.
Attackers may target high-profile web servers such as banks, credit card payment gateways, government-owned services, etc.
-------------------------------------------------------------------------------------------------------------------------------------------------------
DNS Server Hijacking
The attacker compromises the DNS server and changes the DNS settings so that all requests intended for the target web server are redirected to his/her own malicious server.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Directory Traversal Attacks
In directory traversal attacks, attackers use the ../ (dot-dot-slash) sequence, often URL-encoded (%2e%2e%2f) or in its Windows form (..\), to access restricted directories outside of the web server root directory.
Attackers can use trial and error to navigate outside of the root directory and access sensitive information on the system.
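A vulnerable path resolver beside a hardened one, exercised with traversal payloads in several encodings, as an added example that is not part of the original notes. The web root path and the payloads are constructed; the functions only compute paths and never open files:

```python
import os
import urllib.parse

# Added example. Vulnerable vs hardened static-file path resolution, checked against
# plain, URL-encoded, mixed and double-encoded dot-dot-slash payloads.

def resolve_vulnerable(web_root, request_path):
    """Decodes the request path and joins it onto the root with no containment check."""
    decoded = urllib.parse.unquote(request_path)
    return os.path.normpath(os.path.join(web_root, decoded.lstrip("/")))

def resolve_hardened(web_root, request_path):
    """Decode once, canonicalise with realpath (follows symlinks), then verify the result
    is still inside the web root. Returns None for anything that escapes or embeds NUL."""
    root = os.path.realpath(web_root)
    decoded = urllib.parse.unquote(request_path)
    if "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

PAYLOADS = [  # constructed request paths
    "/index.html",
    "/../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",       # URL-encoded dot-dot
    "/..%2f..%2f..%2fetc%2fpasswd",           # encoded slash only
    "/images/..%2f..%2f..%2f..%2fetc/passwd", # starts in a real subdirectory
    "/%252e%252e/%252e%252e/etc/passwd",      # double-encoded: one decode leaves %2e
]

def escapes(web_root, resolved):
    """True if the resolved path lies outside the web root."""
    root = os.path.realpath(web_root)
    return resolved is not None and os.path.commonpath([root, os.path.realpath(resolved)]) != root

def audit(web_root="/var/www/html"):
    """Per payload: (payload, vulnerable resolver escapes?, hardened resolver blocks?)."""
    rows = []
    for p in PAYLOADS:
        rows.append((p, escapes(web_root, resolve_vulnerable(web_root, p)),
                     resolve_hardened(web_root, p) is None))
    return rows

if __name__ == "__main__":
    for payload, vuln_escapes, hardened_blocks in audit():
        print(f"{payload:42} vulnerable escapes={vuln_escapes!s:5} hardened blocks={hardened_blocks}")
```

The double-encoded payload is the caveat: after a single decode it is just an odd filename, so neither resolver escapes; it only becomes a traversal on a server that decodes twice (a proxy plus the application, for instance), which is why the hardened version decodes exactly once and then checks the canonical path rather than looking for "../" in the input.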
---------------------------------------------------------------------------------------------------------------------------------------------------
Man-in-the-Middle/Sniffing Attack
Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and web servers.
The attacker acts as a proxy such that all the communication between the user and the web server passes through him.
------------------------------------------------------------------------------------------------------------------------------------------------------
Phishing Attacks
The attacker tricks the user into submitting login details to a site that looks legitimate but is actually a malicious copy hosted on the attacker's web server.
The attacker steals the entered credentials and uses them to impersonate the user on the legitimate target server.
The attacker can then perform unauthorized or malicious operations on the target server.
------------------------------------------------------------------------------------------------------------------------------------------------------
Website Defacement
Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offending data.
Defaced pages expose visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected.
Attackers use a variety of methods, such as SQL injection, to gain access to a site in order to deface it.
------------------------------------------------------------------------------------------------------------------------------------------------------
Web Server Misconfiguration
Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft.
Sample Configuration, and Script Files.
Anonymous or Default Users/Passwords.
Verbose debug/error messages.
Misconfigured/Default SSL Certificates.
Unnecessary Services Enabled.
Remote Administration Functions.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Web Cache Poisoning Attack
An attacker sends a specially crafted request whose response the web server's cache (or a shared cache in front of it) stores and then serves to other users; the crafted part usually arrives through an input that is not part of the cache key, such as an unkeyed request header, so the cache cannot tell the poisoned response from a normal one.
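The unkeyed-header variant of cache poisoning as an added simulation that is not part of the original notes: a toy cache keyed only on method and path sits in front of an application that reflects X-Forwarded-Host into a script URL. The host names and the cache policy are constructed for the demo:

```python
# Added example. A toy shared cache in front of an application that reflects the
# X-Forwarded-Host header. Because the cache key ignores that header, one attacker
# request poisons the response every later visitor receives for the same path.

class App:
    """Origin application. Builds absolute asset URLs from X-Forwarded-Host when told to trust it."""

    def __init__(self, canonical_host="www.example.test"):
        self.canonical_host = canonical_host

    def handle(self, req, trust_forwarded_host):
        host = self.canonical_host
        if trust_forwarded_host:
            host = req["headers"].get("X-Forwarded-Host", self.canonical_host)
        return {
            "status": 200,
            "headers": {"Cache-Control": "public, max-age=300"},
            "body": f'<script src="https://{host}/static/app.js"></script>',
        }

class Cache:
    """Caches by (method, path) plus whichever headers are listed in key_headers."""

    def __init__(self, origin, trust_forwarded_host, key_headers=()):
        self.origin, self.trust, self.key_headers = origin, trust_forwarded_host, key_headers
        self.store = {}

    def fetch(self, req):
        key = (req["method"], req["path"]) + tuple(req["headers"].get(h, "") for h in self.key_headers)
        if key not in self.store:
            self.store[key] = self.origin.handle(req, self.trust)
        return self.store[key]

def poisoning_scenario(trust_forwarded_host=True, key_headers=()):
    """Attacker primes the cache, then an ordinary user requests the same path."""
    cache = Cache(App(), trust_forwarded_host, key_headers)
    attacker = {"method": "GET", "path": "/", "headers": {"X-Forwarded-Host": "evil.attacker.test"}}
    victim = {"method": "GET", "path": "/", "headers": {}}
    cache.fetch(attacker)
    return cache.fetch(victim)["body"]

if __name__ == "__main__":
    print("vulnerable:               ", poisoning_scenario())
    print("fix 1, ignore the header: ", poisoning_scenario(trust_forwarded_host=False))
    print("fix 2, key on the header: ", poisoning_scenario(key_headers=("X-Forwarded-Host",)))
```

Either fix stops the victim from loading script from the attacker's host; ignoring the untrusted header at the origin is the stronger one, since adding headers to the cache key only isolates the attacker's copy and still lets the reflection exist.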
-----------------------------------------------------------------------------------------------------------------------------------------------------
SSH Bruteforce Attack
SSH creates an encrypted channel (an SSH tunnel) between two hosts so that data which would otherwise travel unencrypted can cross an insecure network.
Attackers can brute force SSH login credentials to gain unauthorized access to the host and its tunnels.
SSH tunnels can then be used to transmit malware and other exploits to victims without the payload being inspected in transit.
SSH: TCP port 22
----------------------------------------------------------------------------------------------------------------------------------------------------
Webserver Password Cracking Techniques
Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc.
Passwords can be cracked by using the following techniques:
Guessing: A common cracking method used by attackers to guess passwords either by humans or by automated tools provided with dictionaries.
Dictionary Attacks: A file of words is run against user accounts, and if the password is a simple word, it can be found pretty quickly.
Brute Force Attack: The most time-consuming, but comprehensive way to crack a password. Every combination of characters is tried until the password is broken.
Hybrid Attack: A hybrid attack works similarly to a dictionary attack, but it adds numbers or symbols to the password attempt.
Dictionary attack + brute force attack
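The difference between the four techniques above is the candidate list each generates; the following added example (not part of the original notes) builds those lists and counts how many guesses each needs against a constructed, unsalted SHA-256 hash. The word list, the target password and the hash format are assumptions for the demo:

```python
import hashlib
import itertools
import string

# Added example. Candidate generation for dictionary, hybrid and brute-force password
# attacks, measured by the number of guesses needed against a constructed SHA-256 hash.

WORDLIST = ["password", "letmein", "summer", "welcome", "admin"]  # constructed word list

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def dictionary_candidates(words):
    """Plain dictionary attack: each word as-is and capitalised."""
    for w in words:
        yield w
        yield w.capitalize()

def hybrid_candidates(words, max_digits=2, symbols="!@#"):
    """Hybrid attack: dictionary words with digits and/or a symbol appended."""
    for w in dictionary_candidates(words):
        yield w
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                suffix = "".join(digits)
                yield w + suffix
                for s in symbols:
                    yield w + suffix + s

def brute_force_candidates(charset, max_len):
    """Exhaustive search over every string up to max_len from charset."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)

def crack(target_hash, candidates):
    """Return (password, guesses_tried), or (None, guesses_tried) if the list is exhausted."""
    tried = 0
    for cand in candidates:
        tried += 1
        if sha256_hex(cand) == target_hash:
            return cand, tried
    return None, tried

if __name__ == "__main__":
    target = sha256_hex("Summer19!")  # constructed target: a dictionary word plus digits and a symbol
    print("dictionary:", crack(target, dictionary_candidates(WORDLIST)))
    print("hybrid:    ", crack(target, hybrid_candidates(WORDLIST)))
    # Brute force over lowercase plus digits, up to 3 characters, cannot reach a 9-character password
    print("brute force (<= 3 chars):",
          crack(target, brute_force_candidates(string.ascii_lowercase + string.digits, 3)))
```

The dictionary pass fails outright, the hybrid pass finds the password after a few thousand guesses, and brute force exhausts its tiny keyspace without success; extend the brute-force length to nine characters and the candidate count grows past 10^14, which is the whole point of the hybrid approach.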
--------------------------------------------------------------------------------------------------------------------------------------------
Web Application Attacks
Vulnerabilities in web applications running on a webserver provide a broad attack path for webserver compromise.
Directory Traversal
Parameter/Form Tampering
Cookie Tampering
Command Injection Attacks
Buffer Overflow Attacks
Cross-Site Scripting (XSS) Attacks
Denial-of-Service (DoS) Attacks
Unvalidated Input and File injection Attacks
Cross-Site Request Forgery (CSRF) Attack
SQL Injection Attacks
Session Hijacking
----------------------------------------------------------------------------------------------------------------------------------------------------
Webserver Attack Methodology
Information Gathering
Webserver Footprinting
Mirroring Website
Vulnerability Scanning
Session Hijacking
Hacking Webserver Passwords
------------------------------------------------------------------------------------------------------------------------------------------------
Enumerating Webserver Information Using Nmap
Attackers can use advanced Nmap commands and Nmap Scripting Engine (NSE) scripts to enumerate information about the target website.
nmap -sV -O -p <ports> <target IP address>
nmap -sV --script=http-enum <target IP address>
nmap <target IP address> -p 80 --script=http-frontpage-login
nmap --script http-passwd --script-args http-passwd.root=/ <target IP address>
----------------------------------------------------------------------------------------------------------------------------------------------------------
Tools:
Httprecon
ID Serve
Httprint
HTTrack
WebCopier Pro
DirBuster
Nessus
Webalizer
AWStats
Ktmatu Relax
Metasploit
w3af
14~Hacking Web Applications
Introduction to Web Applications
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Web Application Threats
Cookie Poisoning: By modifying the information stored inside a cookie, attackers bypass the authentication process; once they hold a valid identity they can modify content, use the system to attack others, or steal information from the user's account.
Directory Traversal: Attackers exploit HTTP by using directory traversal sequences to reach restricted directories and to read files or execute commands outside of the web server's root directory.
Unvalidated Input: Attackers tamper with HTTP requests, URLs, headers, form fields, hidden fields, query strings, etc. that the application trusts without validation. Login IDs and other user data stored in cookies are another source of untrusted input that attackers manipulate. Examples of attacks that exploit unvalidated input include SQL injection, cross-site scripting (XSS), and buffer overflows.
Cross-site Scripting (XSS): An attacker injects malicious script into the pages of a vulnerable website so that it runs in other users' browsers with that site's privileges. The script can steal cookies or session tokens and can even rewrite the HTML content of the page.
Injection Flaws: Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
SQL Injection: A type of attack in which SQL commands are injected by the attacker via input data; the attacker can then read or tamper with the data.
Parameter/Form Tampering: Manipulation of the parameters exchanged between client and server in order to modify application data such as user credentials and permissions, or the price and quantity of products. This information is stored in cookies, hidden form fields, or URL query strings and is used to carry application state and control. An intercepting proxy between the browser and the server is the usual way to perform it; attackers use tools like WebScarab and Paros Proxy for these attacks.
Denial-of-Service (DoS): A denial-of-service attack is intended to terminate the operations of a website or a server and make it unavailable to intended users. For instance, a banking or email website is unable to function for a few hours to a few days, resulting in loss of time and money.
Broken Access Control: A flaw in the access control logic lets an attacker bypass authorization and reach functions or data that should be restricted, and from there compromise the application or network.
Cross-site Request Forgery (CSRF): An attack in which an authenticated user's browser is made to perform actions on the web application that the attacker chooses, for example when the user clicks a link sent through email or chat while logged in.
Information Leakage: Information leakage can cause great losses for a company. All sources, such as systems or other network resources, must be protected from information leakage by employing proper content filtering mechanisms.
Improper Error Handling: It is necessary to define how the system or application should behave when an error occurs; otherwise, verbose errors give the attacker information that helps to break into the system. Improper error handling may also lead to DoS conditions.
Log Tampering: Logs are maintained by web applications to track usage, including user and admin logins. Attackers inject, delete, or tamper with web application logs to hide their activity or their identities.
Buffer Overflow: A web application's buffer overflow vulnerability occurs when it fails to bound-check its buffers and allows writing beyond their maximum size.
Broken Session Management: When session tokens and other security-sensitive credentials are not properly protected, attackers can obtain them and take over user sessions.
Security Misconfiguration: Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code, so developers and network administrators should check that the entire stack is configured properly. Missing patches, misconfigurations, use of default accounts, etc. can be detected with automated scanners, which attackers also use to find what to exploit.
Broken Account Management: Even a valid authentication scheme is weakened by vulnerable account management functions such as account update, forgotten or lost password recovery or reset, password changes, and similar functions.
Insecure Storage: Web applications need to store sensitive information such as passwords, credit card numbers, account records, or other authentication information somewhere, possibly in a database or on a file system. If proper security is not maintained for these storage locations, attackers can access the storage and misuse the information. Insecure storage of keys, certificates, and passwords allows the attacker to gain access to the web application as a legitimate user.
Platform Exploits: Web applications are built on platforms such as BEA WebLogic and ColdFusion. Each platform has its own vulnerabilities and exploits associated with it.
Insecure Direct Object References: When developers expose references to internal implementation objects such as files, directories, database records, or keys, the result is an insecure direct object reference. For example, if a bank account number is used directly as the key in a URL, an attacker can change it to reach other customers' accounts.
Insecure Cryptographic Storage: Sensitive data stored in a database should be encrypted with strong cryptography. Some encryption methods contain inherent weaknesses, so developers should use strong, current algorithms and must also store the cryptographic keys securely. If the keys are stored in insecure places, attackers can obtain them easily and decrypt the sensitive data.
Authentication Hijacking: To identify a user, every web application employs user identification such as an ID and password. However, once attackers compromise the authentication mechanism, theft of services, session hijacking, and user impersonation can occur.
Network Access Attacks: Network access attacks can majorly affect web applications, including the basic level of service. They can also allow levels of access that standard HTTP application methods could not grant.
Cookie Snooping: Attackers use cookie snooping on victim systems to analyze users' surfing habits and sell that information to other attackers, or to launch various attacks on the victims' web applications.
Web Services Attacks: An attacker can get into the target web application by exploiting a vulnerable web service it integrates with. The attacker injects malicious input into the web service and is able to disclose and modify application data.
Insufficient Transport Layer Protection: Use SSL/TLS for websites; otherwise, attackers can monitor network traffic to steal authenticated users' session cookies, exposing them to threats such as account theft and phishing attacks.
Hidden Manipulation: Attackers attempting to compromise e-commerce websites commonly use these attacks. They manipulate hidden form fields and change the data stored in them. Several online stores face this problem every day: attackers alter prices and conclude transactions at the prices of their choice.
DMZ Protocol Attacks: The DMZ ("demilitarized zone") is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZs and internal systems. This level of access can lead to:
Compromise of the web application and data
Defacement of websites
Access to internal systems, including databases, backups, and source code
Unvalidated Redirects and Forwards: Attackers lure victims into clicking unvalidated links that appear to be legitimate. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to:
Session fixation attacks
Security management exploits
Failure to restrict URL access
Malicious file execution
Failure to Restrict URL Access: An application often protects sensitive functionality only by not displaying links or URLs to it. Attackers access those links or URLs directly and perform illegitimate operations.
Attack Obfuscation: Attackers usually work hard at hiding their attacks to avoid detection. Network and host-based intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding. Unicode is a method of representing letters, numbers, and special characters so that they display properly regardless of the application or underlying platform.
Security Management Exploits: Some attackers target security management systems, either on networks or on the application layer, in order to modify or disable security enforcement. An attacker who exploits security management can directly modify protection policies, delete existing policies, add new policies, and modify applications, system data, and resources.
Session Fixation Attack: In a session fixation attack, the attacker tricks or lures the user into accessing a legitimate web server using a session ID value the attacker already knows, then reuses that ID once the user has authenticated.
Malicious File Execution: Malicious file execution vulnerabilities are present in many applications. The cause is unchecked input (file names or paths) reaching the web server. Because of this, attackers execute and process files on the web server and achieve remote code execution, install a rootkit remotely, and, in at least some cases, take complete control over systems.
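The session fixation entry from the list above, as an added simulation that is not part of the original notes: a toy session store that accepts the session ID presented by the browser, with the fix (regenerate the ID on login) switchable. The credential check, the user name and the way the ID reaches the victim's browser are constructed for the demo:

```python
import secrets

# Added example. A toy login flow showing session fixation and its fix (issue a fresh
# session ID when privilege changes). No web framework involved.

class SessionStore:
    def __init__(self):
        self.sessions = {}  # sid -> session data

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get_or_create(self, sid_from_cookie):
        """Vulnerable: any client-supplied ID is accepted, and unknown IDs are created as-is."""
        if sid_from_cookie:
            self.sessions.setdefault(sid_from_cookie, {})
            return sid_from_cookie
        return self.new_session()

    def login(self, sid, username, password, regenerate):
        """Authenticate and bind the user to a session. With regenerate=True the pre-auth
        ID is discarded and a new one issued, which is what defeats fixation."""
        if password != "correct-horse":  # constructed credential check
            return sid
        data = self.sessions.get(sid, {})
        if regenerate:
            self.sessions.pop(sid, None)  # invalidate the ID the attacker may know
            sid = self.new_session()
        self.sessions[sid] = {**data, "user": username}
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_scenario(regenerate_on_login):
    """Returns (user the attacker's planted ID resolves to, whether login changed the ID)."""
    store = SessionStore()
    # 1. Attacker obtains a valid, unauthenticated session ID from the site.
    fixed_sid = store.new_session()
    # 2. Attacker plants it in the victim's browser (link with the ID in the URL, cookie
    #    injection, etc.); the victim arrives presenting that cookie.
    victim_sid = store.get_or_create(fixed_sid)
    # 3. Victim logs in; the server either keeps the fixed ID or replaces it.
    after_login = store.login(victim_sid, "alice", "correct-horse", regenerate_on_login)
    # 4. Attacker uses the ID they planted.
    return store.whoami(fixed_sid), after_login != fixed_sid

if __name__ == "__main__":
    print("vulnerable (keeps ID): ", fixation_scenario(regenerate_on_login=False))
    print("fixed (regenerates):   ", fixation_scenario(regenerate_on_login=True))
```

Regenerating on login is the essential fix; rejecting IDs the server never issued and accepting IDs only from cookies (never from URLs) close the remaining routes by which the attacker plants the value.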
-------------------------------------------------------------------------------------------------------------------------------------------------------
Footprint Web Infrastructure
Web infrastructure footprinting is the first step in web application hacking; it helps attackers to select victims and identify vulnerable web applications.
Server Discovery: Discover the physical servers that host the web application.
Service Discovery: Discover the services running on web servers that can be exploited as attack paths for web app hacking.
Server Identification: Grab server banners to identify the make and version of the web server software.
Hidden Content Discovery: Extract content and functionality that is not directly linked or reachable from the main visible content.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Server Discovery
Server discovery gives information about the location of servers and ensures that the target server is alive on Internet.
Whois Lookup: Whois lookup utility gives information about the IP address of web server and DNS names
DNS Interrogation: DNS interrogation provides information about the location and type of servers
Port Scanning: Port Scanning attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server.
Scan the target web server to identify common ports that web servers use for different services.
Tools used for service discovery:
Nmap
NetScan Tools Pro
------------------------------------------------------------------------------------------------------------------------------------------------------
Server Identification/Banner Grabbing
Analyze the server response header field to identify the make, model and version of the web server software.
Syntax: telnet <website URL or IP address> 80, then type GET / HTTP/1.0 followed by two carriage returns to receive the server's response headers.
For HTTPS, run openssl s_client -host <target website> -port 443 (or -connect <target website>:443) and send the same GET / HTTP/1.0 request inside the TLS session.
Banner Grabbing Tools:
Telnet
Netcat
ID Serve
Netcraft
---------------------------------------------------------------------------------------------------------------------------------------------------
Hidden Content Discovery
Discover the hidden content and functionality that is not reachable from the main visible content to exploit user privileges within the application.
It allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc.
Web Spidering:
Web spiders automatically discover hidden content and functionality by parsing HTML forms and client-side JavaScript requests and responses.
Web Spidering Tools:
OWASP Zed Attack Proxy
Burp Suite
WebScarab
----------------------------------------------------------------------------------------------------------------------------------------------------------
Attack Web Servers
After identifying the web server environment, scan the server for known vulnerabilities using any web server vulnerability scanner.
Launch web server attack to exploit identified vulnerabilities.
Tools used:
UrlScan
Nikto
Nessus
Acunetix Web Vulnerability Scanner
WebInspect
Launch Denial-of-Service (DoS) attacks against the web server.
Tools and techniques: DoSHTTP, hping, LOIC, XOIC, SYN flooding, Slowloris, DRDoS.
-------------------------------------------------------------------------------------------------------------------------------------------------------
Password Attacks: Password Guessing
Password List: Attackers create a list of possible passwords using the most commonly used passwords, footprinting of the target and social engineering techniques, and try each password until the correct one is discovered.
Password Dictionary: Attackers can create a dictionary of all possible passwords using tools such as Dictionary Maker to perform dictionary attacks.
Tools: Password guessing can be performed manually or using automated tools such as WebCracker, Brutus, Burp Intruder, THC-Hydra, etc.
15~SQL Injection
What is SQL Injection?
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
SQL injection is a basic attack used to either gain unauthorized access to a database or retrieve information directly from the database.
It is a flaw in web applications and not a database or web server issue.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of SQL Injection
Error-Based SQL Injection:
UNION SQL Injection
System Stored Procedure
Tautology
End of Line Comment
Illegal/Logically Incorrect Query
Blind SQL Injection:
Time Delay
Boolean Exploitation
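Two of the classes listed above, tautology and end-of-line comment, are shown here against a vulnerable login query and its parameterized fix. This is an added example using an in-memory SQLite table constructed for the purpose; it is not code from the original notes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web app's user store.

    Passwords are stored in clear here only to keep the demo short; a real
    application stores a salted password hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string concatenation: the flaw the notes describe.

    User input is pasted into the SQL text, so quotes and comment markers
    typed by the user change the query's structure instead of its data.
    """
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Hardened form: the SQL text is fixed and values travel separately.

    Whatever the user types is compared as data and never parsed as SQL.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run the same inputs through both versions and collect the rows returned."""
    conn = make_db()
    tautology = "' OR '1'='1"     # "Tautology": makes the WHERE clause always true
    eol_comment = "alice' --"     # "End of Line Comment": comments out the password check
    return {
        "legit_vuln": login_vulnerable(conn, "bob", "hunter2"),
        "legit_param": login_parameterized(conn, "bob", "hunter2"),
        "tautology_vuln": login_vulnerable(conn, "x", tautology),
        "tautology_param": login_parameterized(conn, "x", tautology),
        "comment_vuln": login_vulnerable(conn, eol_comment, "wrong"),
        "comment_param": login_parameterized(conn, eol_comment, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:16s} -> {row}")
```

The vulnerable version returns the first row (the admin account) for both payloads without a valid password; the parameterized version returns nothing, because the payload is just an unusual string that matches no user.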
-----------------------------------------------------------------------------------------------------------------------------------------------------------
SQL Injection Methodology
Information Gathering and SQL Injection Vulnerability Detection
Launch SQL Injection Attacks
Advanced SQL Injection
16~Hacking Wireless Network
Wireless Terminologies
GSM: Universal system used for mobile communication over wireless networks worldwide.
Bandwidth: Describes the amount of information that may be transmitted over a connection.
BSSID: The MAC address of an access point that has set up a Basic Service Set (BSS).
ISM band: A set of frequencies for the international Industrial, Scientific, and Medical communities.
Access Point: Used to connect wireless devices to a wireless network.
Hotspot: Places where a wireless network is available for public use.
Association: The process of connecting a wireless device to an access point.
Orthogonal Frequency-division Multiplexing (OFDM): Method of encoding digital data on multiple carrier frequencies.
Direct-sequence Spread Spectrum (DSSS): Original data signal is multiplied with a pseudo-random noise spreading code.
Frequency-hopping Spread Spectrum (FHSS): Method of transmitting radio signals by rapidly switching a carrier among many frequency channels.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Wireless Network
Wi-Fi refers to wireless local area networks (WLAN) based on the IEEE 802.11 standard.
It is a widely used technology for wireless communication across a radio channel.
Devices such as personal computers, video-game consoles, smartphones, etc. use Wi-Fi to connect to a network resource such as the Internet via a wireless network access point.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Service Set Identifier (SSID)
SSID is a token to identify an 802.11 (Wi-Fi) network; by default, it is part of the frame header sent over a wireless local area network (WLAN).
It acts as a single shared identifier between the access points and clients.
Access points continuously broadcast the SSID, if enabled, so that client machines can detect the presence of the wireless network.
SSID is a human-readable text string with a maximum length of 32 bytes.
If the SSID of the network is changed, reconfiguration of the SSID on every host is required, as every user of the network configures the SSID into their system.
A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any".
Security concerns arise when the default values are not changed, as these units can be compromised.
The SSID remains secret only on closed networks with no activity, which is inconvenient to legitimate users.
------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Wireless Encryption
WEP:
WEP is an encryption algorithm for IEEE 802.11 wireless networks.
It is an old and original wireless security standard that can be cracked easily.
WPA:
It is an advanced wireless encryption protocol using TKIP, MIC, and AES encryption.
Uses a 48-bit IV, 32-bit CRC, and TKIP encryption for wireless security.
WPA2:
WPA2 uses AES (128-bit) and CCMP for wireless data encryption.
EAP:
Supports multiple authentication methods, such as token cards, Kerberos, certificates, etc.
WPA2 Enterprise:
It integrates EAP standards with WPA2 encryption.
TKIP:
A security protocol used in WPA as a replacement for WEP.
CCMP: CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection.
AES:
It is a symmetric-key encryption algorithm, used in WPA2 as a replacement for TKIP.
802.11i:
It is an IEEE amendment that specifies security mechanisms for 802.11 wireless networks.
RADIUS:
It is a centralized authentication and authorization management system.
LEAP:
It is a proprietary WLAN authentication protocol developed by Cisco.
------------------------------------------------------------------------------------------------------------------------------------------------------
Aircrack-ng Suite (Tool)
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker, and analysis tool for 802.11 wireless networks. It runs under Linux and Windows.
Airbase-ng: Captures WPA/WPA2 handshakes and can act as an ad-hoc access point.
Aircrack-ng: De facto WEP and WPA/WPA2-PSK cracking tool.
Aireplay-ng: Used for traffic generation, fake authentication, packet replay, and ARP request injection.
Airodump-ng: Used to capture raw 802.11 frames and collect WEP IVs.
---------------------------------------------------------------------------------------------------------------------------------------
Bluetooth Hacking
Bluetooth hacking refers to the exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks.
Bluetooth-enabled devices connect and communicate wirelessly through ad hoc networks known as Piconets.
Bluesmacking (Bluetooth DoS Attack)
Bluejacking (anonymous messages)
Bluesnarfing
BlueSniff
Bluebugging
BluePrinting
MAC Spoofing Attack
Man-in-the-Middle/Impersonation Attack
17~Hacking Mobile Platforms
Mobile devices have become an inseparable part of daily life. Attackers can easily compromise mobile devices because of various vulnerabilities; the majority of attacks come through untrusted apps. SMS is another way attackers gain access to mobile devices, by sending phishing or spam messages to users. The main operating systems in use are:
Android
iOS
Windows
Blackberry
---------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Android Attacks
Untrusted APKs:
Attackers lure users to download applications from untrusted sources. These APKs may contain malicious software inside them, giving the attacker remote access to the mobile device when the APK is installed by the user.
SMS:
The user may receive a suspicious SMS promising big bounties. When users click the link in the message, they may be redirected to a malicious website that harvests their sensitive information, which may lead to financial loss.
Email:
Phishing emails may redirect the users to malicious websites compromising the user’s details. SPAM emails may steal information from users.
Spying:
Some applications may spy on mobile users and report to remote attackers.
App sandboxing issues:
Sandboxing is the process of testing an app in a limited-resource environment, isolated from various threats and attacks. If the sandbox has weaknesses, malicious applications can bypass this mechanism.
Rooting:
Rooting is done to increase the speed and performance of an Android device. It is not a solution recommended by the Android authorities. When a phone is rooted, it loses its warranty, may open the door to various malware, and can allow an attacker to take control of the device remotely.
Countermeasures:
Do not root your phone.
Do not download applications from untrusted third-party sources.
Do not click on suspicious emails.
Do not open suspicious SMS.
Use strong passwords/patterns.
Use the Device Administration API to set up password policy, remote wipe, etc.
Do not store passwords on your phone.
Update the operating system regularly.
Use strong anti-virus.
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of iOS Attacks:
Jailbreaking:
Jailbreaking may put the device at risk. It is done to gain administrative privileges and to install third-party application extensions, etc. However, the device may lose its warranty, get infected with malware, drop in performance, etc. There are three ways jailbreaking can be done:
Tethered:
Once the device reboots, it no longer has a patched kernel; it may enter a partially functioning state and must be re-jailbroken using the same computer.
Semi-tethered:
When the device is turned off and on, it will no longer be jailbroken. The device can be used for normal functions.
Untethered:
Once jailbroken, the device remains jailbroken, and the kernel stays patched after a reboot.
Countermeasures:
Do not jailbreak the device.
Apply strong encryption.
Always connect to safe networks.
Follow common security guidelines.
Do not open links/attachments from unknown sources.
18~IoT Hacking
What is IoT?
The Internet of Things (IoT) describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Three Basic Components
Sensing Technology
IoT gateways
The cloud
----------------------------------------------------------------------------------------------------------------------------------------------------------
Architecture of IoT
Edge Technology Layer - consists of sensors, RFID tags, readers and the devices
Access Gateway Layer - first data handling, message identification and routing
Internet Layer - crucial layer which serves as main component to allow communication
Middleware Layer - sits between application and hardware; handles data and device management, data analysis and aggregation
Application Layer - responsible for delivery of services and data to the user
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Methods of Communicating
Device to Device - Direct communication between two devices.
Device to Cloud - Communicates directly to a cloud service.
Device to Gateway - Communicates with a centralized gateway that gathers data and then sends it to an application server based in the cloud.
Back-End Data Sharing - Used to scale the device-to-cloud model so that multiple devices can interact with one or more application servers.
---------------------------------------------------------------------------------------------------------------------------------------------------------------
IoT Technology Protocols
Short-Range Wireless:
Bluetooth Low-energy (BLE)
Light-Fidelity (Li-Fi)
Near Field Communication (NFC)
QR Codes & Barcodes
Radio-frequency Identification (RFID)
Wi-fi / Direct
Z-wave
Zigbee
Medium-Range Wireless:
HaLow
LTE-Advanced
Long-Range Wireless:
Low-power Wide-area Networking (LPWAN)
LoRaWAN
Sigfox
Very Small Aperture Terminal (VSAT)
Cellular
Wired Communications:
Ethernet
Power-Line Communication (PLC)
Multimedia over Coax Alliance (MoCA)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
IoT Operating Systems
RIOT OS - Embedded systems, actuator boards, sensors; is energy efficient
ARM Mbed OS - Mostly used on wearables and other low-powered devices
RealSense OS X - Intel's depth-sensing version; mostly found in cameras and other sensors
Nucleus RTOS - Used in aerospace, medical and industrial applications
Brillo - Android-based OS; generally found in thermostats
Contiki - OS made for low-power devices; found mostly in street lighting and sound monitoring
Zephyr - Option for low-power devices and devices without many resources
Ubuntu Core - Used in robots and drones; known as "snappy"
Integrity RTOS - Found in aerospace, medical, defense, industrial, and automotive sensors
Apache Mynewt - Used in devices using Bluetooth Low Energy Protocol
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Common IoT Attack Areas
Device memory containing credentials
Device / Ecosystem Access Control
Device Physical Interfaces / Firmware extraction
Device web interface
Device Firmware
Device network services
Devices administrative interface(s)
Unencrypted Local data storage
Cloud interface(s)
Device update mechanism(s)
Insecure APIs (vendor & third-party)
Mobile application
Confidentiality and Integrity issues across the ecosystem
Network traffic
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
IoT Threats
DDoS Attack
HVAC System attacks - Attacks on HVAC systems
Rolling code attack - Used to steal cars; the ability to jam a key fob's communications, capture the code and then create a subsequent code.
BlueBorne attack - Attacks against Bluetooth devices
Jamming attack
Remote access via backdoors
Remote access via unsecured protocols such as TELNET
Sybil attack - Uses multiple forged identities to create the illusion of traffic; happens when an insecure computer is hijacked to claim multiple identities.
Rootkits / Exploit kits
Ransomware
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
IoT Hacking Methodology
Steps:
Information Gathering - gathering information about the devices;
Tools:
Shodan
Censys
Thingful
Google
Vulnerability Scanning - same as a normal methodology - looks for vulnerabilities
Tools:
Nmap
Multi-ping
RIoT Vulnerability Scanner
Foren6 (traffic sniffer)
beSTORM
Launching Attacks
Tools:
RFCrack
Attify Zigbee Framework
HackRF
Firmalyzer
Gaining Access - same objectives as a normal methodology
Maintaining Access - same objectives as a normal methodology
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Countermeasures to help secure IoT devices:
Firmware updates
Block ALL unnecessary ports
Disable insecure access protocols such as TELNET
Only use encrypted communication protocols
Use strong passwords
Encrypt ALL data and communications coming into, being stored in, and leaving the device
Use account lockout
Configuration management and baselining of devices along with compliance monitoring
Use multi-factor authentication
Disable UPnP
19~Cloud Computing
Cloud computing is the on-demand delivery of IT capabilities as metered services. It is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Cloud computing is typically classified in two ways:
Location of the cloud computing
Type of services offered
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Services Offered
Based upon the services offered, clouds are classified in the following ways:
Infrastructure as a Service (IaaS): Involves offering virtual machines, abstracted hardware and operating systems using the principles of cloud computing. As the name implies, only the infrastructure is purchased, while the software is owned by the user. Leading vendors that provide Infrastructure as a Service are Amazon EC2, Amazon S3, Rackspace Cloud Servers and Flexiscale.
Platform as a Service (PaaS): Involves offering a development platform and configuration management on the cloud. Platforms provided by different vendors are typically not compatible with each other. Examples include Google App Engine, Microsoft Azure, Salesforce.com and Force.com.
Software as a Service (SaaS): Provides a complete software offering on the cloud, which users consume on an on-demand basis, e.g. Salesforce.com, Google Docs and Microsoft's online version of Office called BPOS (Business Productivity Online Standard Suite).
--------------------------------------------------------------------------------------------------------------------------------------------------------
Threats and attacks on cloud:
Deletion without a backup
Data Breach
Hardware failures
Natural disasters
Authentication attacks
VM level attacks
Malicious insiders
Unknown risk profile
Vulnerable co-existents
Compliance risks
E-discovery is difficult across borders.
Loss of the encryption key
Unauthorized access
Account, Service & Traffic Hijacking
Man-in-the-middle attacks
Denial-of-service attacks
The cloud service provider may go out of business.
The cloud service provider may decide to hold the data hostage if there is a dispute.
Tenants need to ensure that their private data is stored separately from that of others. If another client is the victim of an attack, it might affect the availability or integrity of the data of other companies located in the same environment.
Data transfer across borders complicates which laws apply, and consequently leaves private information even more vulnerable.
SQL injection attacks allow attackers to gain unauthorized access to a database.
Cross Site Scripting (XSS)
Cryptanalysis attacks
Side channel attacks
Social engineering attacks
DNS attacks
20~Cryptography
Cryptography
Cryptography is the conversion of data into scrambled code that is sent across a private or public network and decrypted by the intended recipient.
Cryptography is used to protect confidential data such as email messages, chat sessions, web transactions, personal data, corporate data, e-commerce applications, etc.
------------------------------------------------------------------------------------------------------------------------------------------------
Objectives:
Confidentiality
Integrity
Authentication
Non-repudiation
-------------------------------------------------------------------------------------------------------------------------------------------------------
Key terms:
Plain text: Message to be encrypted.
Ciphertext: Encrypted message.
Encryption: Process of converting plain text into ciphertext.
Decryption: Process of converting ciphertext into plain text.
Algorithm: The method used to encrypt/decrypt the plain text.
Key: The data used for encrypting/decrypting.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Types of Cryptography
Symmetric Encryption: Symmetric encryption (secret key, shared key, and private key) uses the same key for encryption as it does for decryption.
Symmetric encryption is also known as secret key cryptography as it uses only one secret key to encrypt and decrypt the data.
Asymmetric Encryption: Asymmetric encryption (public key) uses different keys for encryption and decryption. These keys are known as the public and private keys.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Ciphers
Ciphers are algorithms used to encrypt or decrypt data.
Block ciphers: Deterministic algorithms operating on blocks (groups of bits) of fixed size with an unvarying transformation specified by a symmetric key. Most modern ciphers are block ciphers. They are widely used to encrypt bulk data. Examples include DES, AES, IDEA, etc.
Stream ciphers: Symmetric key ciphers in which plaintext digits are combined with a key stream (a pseudorandom cipher digit stream). Here, the key is applied to each bit, one at a time. Examples include RC4, SEAL, etc.
---------------------------------------------------------------------------------------------------------------------------------------------------------
Message Digest Function: MD5
MD5 algorithm takes a message of arbitrary length as input and outputs a 128-bit fingerprint or message digest of the input.
MD5 hash is a 32-digit hexadecimal number.
MD5 is not collision resistant; the use of newer algorithms such as SHA-2 and SHA-3 is recommended.
It is still deployed for digital signature applications, file integrity checking, and storing passwords.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Secure Hashing Algorithm (SHA)
It is an algorithm for generating a cryptographically secure one-way hash, published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard.
SHA-1: It produces a 160-bit digest from a message with a maximum length of (2^64-1) bits, and resembles the MD5 algorithm.
SHA-2: It is a family of two similar hash functions with different block sizes, namely SHA-256, which uses 32-bit words, and SHA-512, which uses 64-bit words.
SHA-3: SHA-3 uses the sponge construction, in which message blocks are XORed into the initial bits of the state, which is then invertibly permuted.
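As an added example covering the MD5 and SHA sections above (not from the original notes), the Python below computes the digest lengths the notes state and contrasts a bare MD5 password hash with a salted, iterated PBKDF2-HMAC-SHA256 hash, which is what "storing passwords" should look like today. The message and the storage format iterations$salt$hash are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample input; digest length depends on the algorithm only.
MESSAGE = b"The quick brown fox jumps over the lazy dog"


def digest_sizes(message: bytes) -> dict:
    """Hex digest length (number of hex digits) for each algorithm in the notes."""
    return {
        "md5": len(hashlib.md5(message).hexdigest()),          # 128 bits -> 32 digits
        "sha1": len(hashlib.sha1(message).hexdigest()),        # 160 bits -> 40 digits
        "sha256": len(hashlib.sha256(message).hexdigest()),    # 256 bits -> 64 digits
        "sha512": len(hashlib.sha512(message).hexdigest()),    # 512 bits -> 128 digits
        "sha3_256": len(hashlib.sha3_256(message).hexdigest()),  # 256 bits -> 64 digits
    }


def weak_password_hash(password: str) -> str:
    """What 'storing passwords with MD5' looks like: unsalted and fast.

    Equal passwords give equal hashes, and the digest can be matched
    against precomputed tables, which is why this is no longer acceptable.
    """
    return hashlib.md5(password.encode()).hexdigest()


def strong_password_hash(password: str, salt: bytes = None,
                         iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as iterations$salt$hash (hex).

    A random per-user salt defeats precomputed tables and makes equal
    passwords hash differently; the iteration count makes guessing slow.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(digest_sizes(MESSAGE))
    stored = strong_password_hash("hunter2")
    print(stored, verify_password("hunter2", stored), verify_password("x", stored))
```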
--------------------------------------------------------------------------------------------------------------------------------------------------------
Email Encryption
Digital Signature
Digital signatures use asymmetric cryptography to simulate the security properties of a signature in digital, rather than written, form.
A digital signature may be further protected by encrypting the signed email for confidentiality.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
SSL (Secure Sockets Layer)
SSL is an application layer protocol developed by Netscape for managing the security of a message transmission on the Internet.
It uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Transport Layer Security (TLS)
TLS is a protocol to establish a secure connection between a client and a server and ensure the privacy and integrity of information during transmission.
It uses the RSA algorithm with 1024- and 2048-bit key strengths.
TLS Handshake Protocol: It allows the client and server to authenticate each other, select the encryption algorithm, and exchange symmetric keys prior to data exchange.
TLS Record Protocol: It provides secured connections with an encryption method such as Data Encryption Standard (DES).
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates.
Components of PKI:
Certificate Management System: Generates, distributes, stores, and verifies certificates.
Digital Certificates: Establishes the credentials of a person when doing online transactions.
Validation Authority (VA): Stores certificates (with their public keys).
Certificate Authority (CA): Issues and verifies digital certificates.
End User: Requests, manages, and uses certificates.
Registration Authority (RA): Acts as the verifier for the certificate authority.