Ethical Hacking Lecture 3
Questions and Answers

What is the primary purpose of banner grabbing?

  • To analyze network traffic passively.
  • To obtain information about a service or protocol, including its version and software. (correct)
  • To establish a connection to a specific port.
  • To scan a network for open ports.

Which of the following tools can be used for banner grabbing?

  • Telnet
  • Netcat
  • Nmap
  • All of the above (correct)

What is the difference between using telnet and netcat for banner grabbing?

  • Telnet is more versatile than Netcat.
  • Netcat is more efficient at grabbing banners than Telnet.
  • Netcat allows for more flexible connection and data interaction than Telnet. (correct)
  • Telnet is specifically designed for banner grabbing, while Netcat has other functionalities.

Which of the following protocol(s) typically include banners?

    Answer: All of the above

    What is nc often referred to as?

    Answer: The Swiss Army Knife of networking

    What is the primary objective of active information gathering?

    Answer: Using a network scanner to enumerate open ports and services.

    Which of the following is NOT considered a form of passive information gathering?

    Answer: Performing a port scan on the target's IP address.

    What is the key difference between passive and semi-passive information gathering?

    Answer: The potential for detection by the target.

    Which of the following BEST describes the goal of information gathering within a penetration testing framework?

    Answer: To gather as much information about the target as possible for the later penetration testing phases.

    What is the significance of threat modeling in the penetration testing framework?

    Answer: It helps identify the most likely attack vectors and vulnerabilities to exploit.

    Why is active information gathering often considered more risky than passive information gathering?

    Answer: It can potentially alert the target to the penetration testing activities.

    Which of the following is an example of a semi-passive information gathering technique?

    Answer: Analyzing public DNS records for the target's domain.

    Which of the following BEST describes the purpose of the 'Vulnerability Analysis' phase in the penetration testing framework?

    Answer: Identifying potential weaknesses in the target's systems and applications.

    Which statement best summarizes the understanding of 'threat' based on the provided content?

    Answer: Threats are defined by the potential for harm to assets, and their perception can vary depending on the context and individual.

    According to the provided content, which of the following is NOT considered a component of a security problem?

    Answer: Security Policies

    Which of the following is a common reason why the concept of 'threat' is often misunderstood?

    Answer: The frequent misinterpretation of threats as synonymous with vulnerabilities.

    Which of the following best describes the Microsoft SDL (Security Development Lifecycle) Threat Modeling tool's core purpose?

    Answer: To facilitate a structured process for identifying, analyzing, and mitigating potential security threats.

    Based on the provided content, what is a key challenge associated with using the MS SDL Threat Modeling tool?

    Answer: The potential subjectivity and inconsistency in threat identification and prioritization among different individuals.

    Which of the following is NOT explicitly mentioned as a key element or aspect of threat modeling in the content provided?

    Answer: Active information gathering

    According to the content, which combination of factors BEST describes the essence of security problems?

    Answer: Threats, vulnerabilities, and assets, with the potential for harm to assets.

    Which of the following BEST reflects the subjective nature of 'threats' as described in the content?

    Answer: The perceived severity of a threat varies based on the value and sensitivity of the asset at risk.

    What is the purpose of running your own scans to identify what is visible?

    Answer: To determine which services are accessible from the internet

    Which of the following is NOT a step in the Penetration Testing Framework?

    Answer: Risk Assessment

    What is a primary reason to disable unnecessary services?

    Answer: To reduce the attack surface

    When considering "Responsible Disclosure", what is a major concern when balancing the need to inform the public with giving the vendor time to respond?

    Answer: Preventing the exploitation of the vulnerability before it can be patched

    What is the significance of removing banners from your systems?

    Answer: To prevent attackers from learning the software version from the banner

    What is the primary purpose of network intrusion detection/prevention systems in the context of countermeasures against Active Information Gathering?

    Answer: Detecting and blocking malicious traffic

    Which of the following describes a threat, according to the content provided?

    Answer: A potential action that could cause harm to a system

    What does "limited disclosure" mean in the context of finding vulnerabilities?

    Answer: The vulnerability is only revealed to a select group of people

    What is the primary goal of 'passive information gathering' in cybersecurity?

    Answer: Gathering information about a target without interacting with it directly, so the target is not alerted.

    Which of the following is NOT a countermeasure against passive information gathering?

    Answer: Preventing the use of tools like Nmap for port scanning.

    Which of the following services would be most useful for discovering the historical WHOIS records of a domain?

    Answer: Domaintools.com

    Why is 'banner grabbing' classed as active rather than passive information gathering?

    Answer: It requires connecting directly to the target's services, so the target can log and detect it.

    Which of the following is a valid countermeasure against active information gathering?

    Answer: Limiting access to internal network resources to authorized personnel only.

    What is the primary purpose of a 'ping sweep' during target scanning?

    Answer: Identifying active systems on the network.

    Which of the following tools is primarily used for 'banner grabbing' in network security?

    Answer: Netcat

    Which of the following is a valid point of entry for an attacker or pentester?

    Answer: All of the above.

    Flashcards

    Telnet Command

    A command used to connect to a remote server's port and see what it sends, e.g. telnet example.com 21 connects to the FTP port and prints the service's greeting banner.

    Information Gathering Countermeasures

    Strategies to limit what active information gathering can reveal and to detect it when it happens.

    Threat Modelling

    The process of identifying and analyzing potential threats to a system.

    Responsible Disclosure

    The practice of privately reporting vulnerabilities to the vendor before public disclosure.

    Vulnerability Analysis

    The stage in penetration testing where vulnerabilities are identified and assessed.

    Network Segregation

    The practice of dividing a computer network into sub-networks to enhance security and make it harder to scan.

    Logs Analysis

    Examining logs to distinguish abnormal activities from normal behaviors.

    Threat Definition

    A potential cause of an unwanted incident affecting system security.

    Postmortem Reconnaissance

    Even when the target later reviews its logs for reconnaissance activity, passive gathering leaves no trace that identifies who performed it.

    WHOIS Database

    A database used to find the registered ownership of domain names.

    Metadata Inspection

    Reviewing data about data (author names, software versions, locations embedded in documents) before it is published, to avoid leaking it.

    Passive Information Gathering

    Collecting information without sending traffic to the target, so it is not alerted and cannot detect the activity.

    Active Information Gathering

    Directly probing the target for information; this traffic looks suspicious to the target and can be detected.

    Nmap

    A network scanning tool used for discovering hosts and services.

    Banner Grabbing

    A technique to collect service information from networked systems by reading what the service announces when you connect.

    Target Scanning

    Techniques used to discover hosts, ports, and operating systems in a network.

    Potential for Harm

    A threat refers to the potential risk of damage to an asset.

    Types of Threats

    Includes petty criminals, organized crime, and law enforcement.

    Threat vs Vulnerability

    Threats are often incorrectly used as synonyms for vulnerabilities.

    Components of a Security Problem

    Threats, vulnerabilities, and assets are key components.

    MS SDL Threat Modelling Tool

    A Microsoft tool to manage and mitigate security issues through threat modeling.

    Challenges in Threat Modelling

    Different interpretations can complicate threat models among teams.

    Service Information

    Data identified through banner grabbing, such as software name, version, and OS.

    Telnet

    A tool that connects to a port to read and display banners from plain-text services.

    Netcat

    A versatile tool for connecting and reading banners over TCP/UDP, useful for many networking tasks.

    OSINT

    Open-Source Intelligence; information gathered from publicly available sources.

    Semi-Passive Information Gathering

    Collecting information with traffic that looks like normal internet activity and is not intrusive.

    Information Gathering Phase

    Phase of penetration testing focused on gathering as much info as possible.

    Study Notes

    Ethical Hacking and Penetration Testing - Lecture 3

    • The lecture covers Target Scanning (Active Information Gathering) and Threat Modelling.
    • An outline includes OSINT Types Recap, Active Information Gathering, Target Scanning and Tools, Banner Grabbing and Tools, Threats Overview, and Threat Modelling.
    • A penetration testing framework includes pre-engagement interactions, information gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. These match the seven phases of the Penetration Testing Execution Standard (PTES); the slide gives a link for further information.
    • Information Gathering is crucial in penetration testing, as gathering as much information as possible about the target will help in future attacks.
    • OSINT (Open Source Intelligence) has three forms: Passive, Semi-passive, and Active.
    • Passive Information Gathering uses pre-existing information from publicly available sources and sends no traffic to the target.
    • Semi-passive Information Gathering sends the target only traffic that looks like normal internet use (ordinary DNS lookups, web page requests), nothing intrusive.
    • Active Information Gathering (this week's topic) interacts with the target directly and should be expected to look suspicious: scans and connection attempts can be logged and detected.
    • Active gathering involves mapping out the network infrastructure, services, and searching for unpublished files and servers.
    • Target scanning encompasses host discovery, port scanning, and operating system discovery, aiming to identify entry points for attackers.
    • Scanners like Nmap (with its GUI Zenmap) are used for active scanning; other tools include netcat, SuperScan and Angry IP Scanner.
    • Different scan types exist, including Ping Sweep (which hosts are up), TCP Port Scan, UDP Port Scan and Operating System Discovery.
    • Banner Grabbing is a method to gather information about systems and services by connecting to a service on the target and reading the banner/message it returns.
    • Banners contain details like service name, software version, and sometimes the operating system.
    • Banner grabbing tools include telnet, netcat and nmap (nmap's -sV version detection and its banner NSE script do the same job at scale).
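    The following is an added example, not code from the lecture: a TCP connect scan followed by banner grabbing, showing what nmap -sT and the `nc host port` trick do underneath. The two "services" are constructed local listeners (one FTP-style that greets first, one HTTP-style that only answers a request), so it runs offline; the hostnames, ports and banner strings are made up for the demonstration.

```python
"""Added example (not from the lecture): TCP connect scan + banner grab.

The target services are constructed local listeners so the script runs
offline. Banner text ("vsFTPd 3.0.3", "Apache/2.4.41") is invented.
"""
import socket
import threading

HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"  # HTTP says nothing until asked


def serve_banner(banner: bytes, probe_first: bool = False) -> int:
    """Start a throwaway local TCP service and return its port.

    probe_first=True mimics HTTP: stay silent until the client sends a
    request, then answer with the banner. Otherwise greet immediately,
    like FTP, SMTP or SSH do.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if probe_first:
                        conn.settimeout(2)
                        if not conn.recv(1024):  # client hung up (bare connect scan)
                            continue
                    conn.sendall(banner)
                except OSError:  # timeouts/resets from clients that only probed
                    continue

    threading.Thread(target=loop, daemon=True).start()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5) -> list:
    """TCP connect scan: a port is open if the three-way handshake completes.

    This is the noisy form of active gathering: every completed connection
    can appear in the target's service and firewall logs.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 1.0) -> str:
    """Connect and read whatever the service volunteers.

    Services that speak first are read directly. If nothing arrives before
    the timeout, send the probe (what you would type into nc/telnet) and
    read the reply instead.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data and probe:
            s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("utf-8", errors="replace").strip()


def demo() -> dict:
    """Scan three constructed ports (FTP-style, HTTP-style, closed) and grab
    banners from the open ones. Returns the scan result for inspection."""
    ftp_port = serve_banner(b"220 vsFTPd 3.0.3 ready\r\n")
    http_port = serve_banner(b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n",
                             probe_first=True)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]  # nothing listens here once closed
    spare.close()

    found = connect_scan("127.0.0.1", [ftp_port, http_port, closed_port])
    banners = {p: grab_banner("127.0.0.1", p, probe=HTTP_PROBE) for p in found}
    return {"open": found, "closed": closed_port, "banners": banners}


if __name__ == "__main__":
    for port, banner in demo()["banners"].items():
        print(f"{port}/tcp open: {banner!r}")
```

    The silent-service case is the one that trips people up with telnet: connecting to port 80 shows nothing until you type a request, which is why nmap sends protocol-specific probes during -sV rather than just waiting.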

    Countermeasures

    • Countermeasures against passive information gathering involve reviewing public sources, checking for metadata, using anonymous identities, and considering private domain registration.
    • It's also important to watch out for archived information using tools like WayBack Machine and reviewing WHOIS domain history.
    • Educating staff and employing visitor policies alongside data lifecycle procedures help protect against passive gathering.
    • Countermeasures against active information gathering include a network topology that is difficult to scan (segregation), disabling unnecessary services to reduce the attack surface, firewalls, and network intrusion detection/prevention systems.
    • Removing or minimising banners (for example Apache's ServerTokens Prod and ServerSignature Off) keeps the software version out of the reply, although it does not stop fingerprinting from service behaviour. Analysing network traffic and application logs helps distinguish normal from abnormal behaviour, and running your own scans shows what is visible to an attacker.
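    As an added illustration of the log-analysis countermeasure (not from the lecture), the script below runs a simple port-scan detector over constructed firewall log lines: a source that touches many distinct destination ports within a short window is flagged, while a normal client that keeps hitting one port is not. The log format, addresses and thresholds are invented for the example.

```python
"""Added example (not from the lecture): spotting a port scan in firewall logs.

Sample lines below are constructed; the format (timestamp, ACCEPT/DROP,
SRC, DST, DPT) is invented to resemble a typical packet-filter log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dpt>\d+)$"
)

# Constructed sample: 10.0.0.5 is a normal HTTPS client, 10.0.0.6 an admin
# using SSH then HTTP minutes apart, 192.0.2.77 sweeps twelve ports in 3 s.
SAMPLE_LOG = """\
2024-03-04T10:00:01 ACCEPT SRC=10.0.0.5 DST=10.0.0.10 DPT=443
2024-03-04T10:00:03 ACCEPT SRC=10.0.0.5 DST=10.0.0.10 DPT=443
2024-03-04T10:00:04 ACCEPT SRC=10.0.0.6 DST=10.0.0.10 DPT=22
2024-03-04T10:00:05 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=21
2024-03-04T10:00:05 ACCEPT SRC=192.0.2.77 DST=10.0.0.10 DPT=22
2024-03-04T10:00:05 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=23
2024-03-04T10:00:05 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=25
2024-03-04T10:00:06 ACCEPT SRC=192.0.2.77 DST=10.0.0.10 DPT=80
2024-03-04T10:00:06 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=110
2024-03-04T10:00:06 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=135
2024-03-04T10:00:06 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=139
2024-03-04T10:00:07 ACCEPT SRC=192.0.2.77 DST=10.0.0.10 DPT=443
2024-03-04T10:00:07 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=445
2024-03-04T10:00:07 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=3306
2024-03-04T10:00:07 DROP SRC=192.0.2.77 DST=10.0.0.10 DPT=3389
2024-03-04T10:00:09 ACCEPT SRC=10.0.0.5 DST=10.0.0.10 DPT=443
2024-03-04T10:05:00 ACCEPT SRC=10.0.0.6 DST=10.0.0.10 DPT=80
"""


def parse_log(text: str) -> list:
    """Return (timestamp, source, destination port) for each parseable line.
    DROP lines are kept on purpose: a service log only shows the ACCEPTed
    connections, the firewall log shows the whole sweep."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unrelated lines rather than abort the analysis
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return events


def find_scanners(events, window: timedelta = timedelta(seconds=10), min_ports: int = 10) -> dict:
    """Flag sources that touch at least min_ports distinct ports within
    `window`. Returns {source: set of ports seen while flagged}."""
    recent = defaultdict(deque)  # per-source sliding window of (ts, port)
    flagged = {}
    for ts, src, dpt in sorted(events):
        q = recent[src]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:
            q.popleft()  # forget events that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged[src] = flagged.get(src, set()) | ports
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan from {src}: {len(ports)} ports {sorted(ports)}")
```

    The threshold and window are the tuning knobs: too low and a busy NAT gateway gets flagged, too high and a slow scan (nmap -T0/-T1 spreads probes over minutes) slips under the window, which is why slow scans need a longer window or correlation across days.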

    Framework Step 3 - Threat Modelling

    • Understanding threats is crucial for security.
    • A threat is the intent to inflict damage, consisting of an adverse action on an asset by a threat agent.
    • Threat modeling helps identify potential threats, actions, and likely goals of attackers.

    Responsible Disclosure

    • Responsible disclosure is the best practice when finding vulnerabilities.
    • The vendor is informed privately and given time to fix the issue before the finding is made public.
    • This is advantageous to both parties: users are not exposed to a publicly known but unpatched vulnerability, and the vendor has time to respond.

    Threat Modeling Techniques

    • Different approaches to threat modelling exist including attacker centric, software centric, and asset centric approaches.
    • The Microsoft SDL threat modelling approach, as presented, includes the following steps: describing the system, creating a checklist, assessing impact, and identifying countermeasures. (The Microsoft Threat Modeling Tool itself works from a data-flow diagram of the system and enumerates candidate threats per element using the STRIDE categories: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.)

    Challenges

    • Challenges in threat modeling could involve differences in interpreting threat models by multiple engineers involved in the analysis.

    Reflection

    • Reflection is crucial for understanding what can and can't be built, what is needed, and recognizing potential gaps.
    • Identifying the strengths and weaknesses of a system that's built.
    • It's important to assess the need for better design clarity.

    Tools

    • The tools presented on the slide can help analyze and identify security concerns.

    Summary

    • An overview of OSINT types, active information gathering, target scans, banner grabbing, overview of threats, and threat modelling.

    This Week's Lab

    • The lab activities for Week 3 involve active information gathering using Nmap for target scanning, and will use Kali Linux and Metasploitable virtual machines.
    • Completing a MySay module survey and reviewing any questions about the coursework.

    Reading List

    • Links to resources/articles on active information gathering, passive reconnaissance, OSINT Framework, and social engineering resources are included for further reading.

    Next Week

    • Next week's activities include vulnerability assessment and coursework feedback.



    Description

    This lecture delves into Target Scanning and Threat Modelling within the context of ethical hacking. It covers various methods of information gathering, including OSINT types, and introduces essential tools such as Banner Grabbing. Understanding these concepts is critical for effective penetration testing and threat analysis.
