CEH v10: EC-Council Certified Ethical Hacker Complete Training Guide (IPSpecialist) PDF

Summary

This document is a training guide for the CEH v10: EC-Council Certified Ethical Hacker Complete Training Guide with Practice Labs. It covers various aspects of ethical hacking, network security, and information security including concepts, techniques, and tools. The guide includes chapters on topics such as Footprinting & Reconnaissance, Scanning Networks, Enumeration, Vulnerability Analysis, System Hacking, Malware Threats, Sniffing, Social Engineering, and Denial-of-Service attacks. This guide includes practical labs to test skills and practice questions to measure learning.

Full Transcript


Document Control
Proposal Name: CEH v10: EC-Council Certified Ethical Hacker Complete Training Guide with Practice Labs
Document Version: 1.0
Document Release Date: 14-May-18
Reference: Certified Ethical Hacking Workbook

Copyright © 2018 IPSpecialist LTD. Registered in England and Wales, Company Registration No: 10883539. Registered Office: Office 32, 19-21 Crawford Street, London W1H 1PJ, United Kingdom. www.ipspecialist.net

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from IPSpecialist LTD, except for the inclusion of brief quotations in a review.

Feedback: If you have any comments regarding the quality of this book, or would like it altered to suit your needs better, you can contact us by email at [email protected]. Please make sure to include the book title and ISBN in your message.

About IPSpecialist
IPSpecialist LTD. is committed to excellence and dedicated to your success. Our philosophy is to treat our customers like family. We want you to succeed, and we are willing to do anything possible to help you make it happen. We have the proof to back up our claims. We strive to accelerate billions of careers with great courses, accessibility, and affordability. We believe that continuous learning and knowledge evolution are the most important things to keep re-skilling and up-skilling the world. Planning and creating a specific goal is where IPSpecialist helps. We can create a career track that suits your vision as well as develop the competencies you need to become a professional Network Engineer. We can also assist you with the execution and evaluation of your proficiency level based on the career track you choose, as they are customized to fit your specific goals. We help you STAND OUT from the crowd through our detailed IP training content packages.

Course Features:
· Self-Paced Learning: Learn at your own pace and in your own time
· Covers Complete Exam Blueprint: Prepare for the exam with confidence
· Case Study Based Learning: Relate the content to real-life scenarios
· Subscriptions that suit you: Get more, pay less with IPS Subscriptions
· Career Advisory Services: Let industry experts plan your career journey
· Virtual Labs to test your skills: With IPS vRacks, you can test your exam preparation
· Practice Questions: Practice questions to measure your preparation standard
· On Request Digital Certification: On request, digital certification from IPSpecialist LTD.

About the Authors:
We compiled this workbook under the supervision of multiple professional engineers. These engineers specialize in different fields, i.e., Networking, Security, Cloud, Big Data, IoT, and so forth. Each engineer develops content in his or her specialized field, and the content is compiled to form a comprehensive certification guide.

About the Technical Reviewers:
Nouman Ahmed Khan
AWS-Architect, CCDE, CCIE x5 (R&S, SP, Security, DC, Wireless), CISSP, CISA, CISM, is a Solution Architect working with a major telecommunication provider in Qatar. He works with enterprises, mega-projects, and service providers to help them select the best-fit technology solutions. He also works closely with consultants to understand customer business processes and helps select an appropriate technology strategy to support business goals. He has more than 14 years of experience working in Pakistan, the Middle East, and the UK. He holds a Bachelor of Engineering degree from NED University, Pakistan, and an M.Sc. in Computer Networks from the UK.

Abubakar Saeed
Abubakar Saeed has more than twenty-five years of experience managing, consulting, designing, and implementing large-scale technology projects, with extensive experience heading ISP operations, solutions integration, heading Product Development, Presales, and Solution Design.
Emphasizing adherence to project timelines and delivery to customer expectations, he always leads projects in the right direction with his innovative ideas and excellent management.

Muhammad Yousuf
Muhammad Yousuf is a professional technical content writer. He is a Cisco Certified Network Associate in Routing and Switching, holding a bachelor's degree in Telecommunication Engineering from Sir Syed University of Engineering and Technology. He combines technical knowledge with sound industry information, which he applies effectively in his career.

Table of Contents

Chapter 1: Introduction to Ethical Hacking
    Technology Brief
    Information Security Overview
    Data Breach
    Essential Terminology
    Elements of Information Security
    The Security, Functionality, and Usability Triangle
    Information Security Threats and Attack Vectors
    Motives, Goals, and Objectives of Information Security Attacks
    Top Information Security Attack Vectors
    Information Security Threat Categories
    Types of Attacks on a System
    Information Warfare
    Hacking Concepts, Types, and Phases
    Hacker
    Hacking
    Hacking Phases
    Ethical Hacking Concepts and Scope
    Ethical Hacking
    Why Ethical Hacking is Necessary
    Scope and Limitations of Ethical Hacking
    Phases of Ethical Hacking
    Skills of an Ethical Hacker
    Information Security Controls
    Information Assurance (IA)
    Information Security Management Program
    Threat Modeling
    Enterprise Information Security Architecture (EISA)
    Network Security Zoning
    Information Security Policies
    Types of Security Policies
    Implications for Security Policy Enforcement
    Physical Security
    Incident Management
    Incident Management Process
    Responsibilities of Incident Response Team
    Vulnerability Assessment
    Types of Vulnerability Assessment
    Network Vulnerability Assessment Methodology
    Penetration Testing
    Technology Overview
    Importance of Penetration Testing
    Types of Penetration Testing
    Phases of Penetration Testing
    Security Testing Methodology
    Information Security Laws and Standards
    Payment Card Industry Data Security Standard (PCI-DSS)
    ISO/IEC 27001:2013
    Health Insurance Portability and Accountability Act (HIPAA)
    Sarbanes-Oxley Act (SOX)

Chapter 2: Footprinting & Reconnaissance
    Technology Brief
    Footprinting Concepts
    Pseudonymous Footprinting
    Internet Footprinting
    Objectives of Footprinting
    Footprinting Methodology
    Footprinting through Search Engines
    Footprinting using Advanced Google Hacking Techniques
    Footprinting through Social Networking Sites
    Website Footprinting
    Email Footprinting
    Competitive Intelligence
    Monitoring Website Traffic of Target Company
    WHOIS Footprinting
    DNS Footprinting
    Network Footprinting
    Footprinting through Social Engineering
    Footprinting Tools
    Lab 2-1: Maltego Tool Overview
    Lab 2-2: Recon-ng Overview
    Lab 2-3: FOCA Tool Overview
    Countermeasures of Footprinting
    Lab 2-4: Gathering Information using Windows Command Line Utilities
    Lab 2-5: Downloading a Website using Website Copier Tool (HTTrack)
    Lab 2-6: Gathering Information using Metasploit

Chapter 3: Scanning Networks
    Technology Brief
    Overview of Network Scanning
    TCP Communication
    Creating Custom Packets Using TCP Flags
    Scanning Methodology
    Checking for Live Systems
    Checking for Open Ports
    Lab 3-1: Hping Commands
    Lab 3-2: Hping Commands
    Lab 3-3: Xmas Scanning
    Scanning Beyond IDS
    OS Fingerprinting & Banner Grabbing
    Draw Network Diagrams
    Lab 3-4: Creating Network Topology Map using Tool
    Prepare Proxies

Chapter 4: Enumeration
    Technology Brief
    Enumeration Concepts
    Enumeration
    Techniques for Enumeration
    Services and Ports to Enumerate
    Lab 4-1: Services Enumeration using Nmap
    NetBIOS Enumeration
    NetBIOS Enumeration Tool
    Lab 4-2: Enumeration using SuperScan Tool
    Enumerating Shared Resources Using Net View
    Lab 4-3: Enumeration using SoftPerfect Network Scanner Tool
    SNMP Enumeration
    Simple Network Management Protocol
    LDAP Enumeration
    Lightweight Directory Access Protocol (LDAP)
    LDAP Enumeration Tool
    NTP Enumeration
    Network Time Protocol (NTP)
    SMTP Enumeration
    Simple Mail Transfer Protocol (SMTP)
    SMTP Enumeration Technique
    DNS Zone Transfer Enumeration Using NSLookup
    Enumeration Countermeasures

Chapter 5: Vulnerability Analysis
    Technology Brief
    Vulnerability Assessment Concept
    Vulnerability Assessment
    Vulnerability Assessment Life-Cycle
    Vulnerability Assessment Solutions
    Vulnerability Scoring Systems
    Vulnerability Scanning
    Lab 5-1: Vulnerability Scanning using Nessus Vulnerability Scanning Tool

Chapter 6: System Hacking
    Technology Brief
    System Hacking
    System Hacking Methodology
    Password Cracking
    Lab 6-1: Online Tool for Default Passwords
    Lab 6-2: Rainbow Table using Winrtgen Tool
    Lab 6-3: Password Cracking using Pwdump7 and Ophcrack Tool
    Escalating Privileges
    Executing Applications
    Hiding Files
    Lab 6-4: NTFS Stream Manipulation
    Lab 6-5: Steganography
    Lab 6-6: Image Steganography
    Covering Tracks
    Lab 6-7: Clearing Audit Policies on Windows
    Lab 6-8: Clearing Logs on Windows
    Lab 6-9: Clearing Logs on Linux

Chapter 7: Malware Threats
    Technology Brief
    Malware
    Trojan Concept
    Trojan
    Virus and Worm Concepts
    Viruses
    Virus Analysis and Detection Methods
    Malware Reverse Engineering
    Sheep Dipping
    Malware Analysis
    Lab 7-1: HTTP RAT Trojan
    Lab 7-2: Monitoring TCP/IP Connections using CurrPorts Tool

Chapter 8: Sniffing
    Technology Brief
    Sniffing Concepts
    Introduction to Sniffing
    Working of Sniffers
    Types of Sniffing
    Hardware Protocol Analyzer
    SPAN Port
    Wiretapping
    MAC Attacks
    MAC Address Table / CAM Table
    MAC Flooding
    Switch Port Stealing
    Defend against MAC Attacks
    DHCP Attacks
    Dynamic Host Configuration Protocol (DHCP) Operation
    DHCP Starvation Attack
    Rogue DHCP Server Attack
    Defending Against DHCP Starvation and Rogue Server Attacks
    ARP Poisoning
    Address Resolution Protocol (ARP)
    ARP Spoofing Attack
    Defending Against ARP Poisoning
    Spoofing Attack
    MAC Spoofing/Duplicating
    Lab 8-1: Configuring a Locally Administered MAC Address
    DNS Poisoning
    DNS Poisoning Techniques
    How to Defend Against DNS Spoofing
    Sniffing Tools
    Wireshark
    Lab 8-2: Introduction to Wireshark
    Countermeasures
    Defending Against Sniffing
    Sniffing Detection Techniques
    Sniffer Detection Technique
    Promiscuous Detection Tool

Chapter 9: Social Engineering
    Technology Brief
    Social Engineering Concepts
    Introduction to Social Engineering
    Phases of a Social Engineering Attack
    Social Engineering Techniques
    Types of Social Engineering
    Insider Attack
    Impersonation on Social Networking Sites
    Social Engineering Through Impersonation on Social Networking Sites
    Risks of Social Networking in Corporate Networks
    Identity Theft
    Identity Theft Overview
    The Process of Identity Theft
    Social Engineering Countermeasures
    Lab 9-1: Social Engineering using Kali Linux

Chapter 10: Denial-of-Service
    Technology Brief
    DoS/DDoS Concepts
    Denial of Service (DoS)
    Distributed Denial of Service (DDoS)
    How Distributed Denial of Service Attacks Work
    DoS/DDoS Attack Techniques
    Basic Categories of DoS/DDoS Attacks
    DoS/DDoS Attack Techniques
    Botnets
    Botnet Setup
    Propagation of Malicious Code
    Botnet Trojan
    DoS/DDoS Attack Tools
    Pandora DDoS Bot Toolkit
    Other DDoS Attack Tools
    DoS and DDoS Attack Tools for Mobile
    Lab 10-1: SYN Flooding Attack using Metasploit
    Lab 10-2: SYN Flooding Attack using Hping3
    Countermeasures
    Detection Techniques
    DoS/DDoS Countermeasure Strategies
    Techniques to Defend against Botnets
    Enabling TCP Intercept on Cisco IOS Software

Chapter 11: Session Hijacking
    Technology Brief
    Session Hijacking
    Session Hijacking Techniques
    Session Hijacking Process
    Types of Session Hijacking
    Session Hijacking in the OSI Model
    Spoofing vs. Hijacking
    Application-Level Session Hijacking
    Application-Level Hijacking Concept
    Compromising Session IDs Using a Man-in-the-Middle Attack
    Compromising Session IDs Using a Man-in-the-Browser Attack
    Compromising Session IDs Using Client-side Attacks
    Session Replay Attack
    Session Fixation
    Network-Level Session Hijacking
    The 3-Way Handshake
    TCP/IP Hijacking
    Source Routing
    RST Hijacking
    Blind Hijacking
    Forged ICMP and ARP Spoofing
    UDP Hijacking
    Countermeasures
    Session Hijacking Countermeasures
    IPSec

Chapter 12: Evading IDS, Firewalls and Honeypots
    Technology Brief
    IDS, Firewall and Honeypot Concepts
    Intrusion Detection Systems (IDS)
    Firewall
    Honeypot
    IDS, Firewall and Honeypot System
    Intrusion Detection Tools
    Evading IDS
    Insertion Attack
    Evasion
    Denial-of-Service Attack (DoS)
    Obfuscating
    False Positive Generation
    Session Splicing
    Unicode Evasion Technique
    Evading Firewalls
    Firewall Identification
    IP Address Spoofing
    Source Routing
    Bypassing Techniques
    Bypassing through SSH Tunneling Method
    Bypassing Firewalls through External Systems
    IDS/Firewall Evasion Countermeasures
    Lab 12-1: Configuring a Honeypot on Windows Server 2016

Chapter 13: Hacking Web Servers
    Technology Brief
    Web Server Concepts
    Web Server Security Issues
    Open Source Web Server Architecture
    IIS Web Server Architecture
    Web Server Attacks
    DoS/DDoS Attacks
    DNS Server Hijacking
    DNS Amplification Attack
    Directory Traversal Attacks
    Man-in-the-Middle/Sniffing Attack
    Phishing Attacks
    Website Defacement
    Web Server Misconfiguration
    HTTP Response Splitting Attack
    Web Cache Poisoning Attack
    SSH Brute-force Attack
    Web Application Attacks
    Attack Methodology
    Information Gathering
    Web Server Footprinting
    Lab 13-1: Web Server Footprinting using Tool
    Mirroring a Website
    Vulnerability Scanning
    Session Hijacking
    Hacking Web Passwords
    Countermeasures
    Patch Management
    Patches and Hotfixes
    Lab 13-2: Microsoft Baseline Security Analyzer (MBSA)
    Lab 13-3: Web Server Security Tool

Chapter 14: Hacking Web Applications
    Technology Brief
    Web Application Concepts
    Server Administrator
    Application Administrator
    Client
    How do Web Applications Work?
    Web 2.0
    Web App Threats
    Web App Hacking Methodology
    Analyze Web Applications
    Attack Authentication Mechanism
    Authorization Attack Schemes
    Session Management Attack
    Perform Injection Attacks
    Attack Data Connectivity
    Countermeasures
    Encoding Schemes

Chapter 15: SQL Injection
    Technology Brief
    SQL Injection Concepts
    SQL Injection
    The Scope of SQL Injection
    How SQL Queries Work
    SQL Injection Tools
    Types of SQL Injection
    In-Band SQL Injection
    Inferential SQL Injection (Blind Injection)
    Out-of-Band SQL Injection
    SQL Injection Methodology
    Information Gathering and SQL Injection Vulnerability Detection
    Launch SQL Injection Attacks
    Advanced SQL Injection
    Evasion Techniques
    Evading IDS
    Types of Signature Evasion Techniques
    Countermeasures
    Lab 15-1: Using IBM Security AppScan Standard

Chapter 16: Hacking Wireless Networks
    Technology Brief
    Wireless Concepts
    Wireless Networks
    Wi-Fi Technology
    Types of Wireless Antenna
    Wireless Encryption
    WEP Encryption
    WPA Encryption
    WPA2 Encryption
    Wireless Threats
    Access Control Attacks
    Integrity and Confidentiality Attacks
    Availability Attacks
    Authentication Attacks
    Rogue Access Point Attack
    Client Mis-association
    Misconfigured Access Point Attack
    Unauthorized Association
    Ad Hoc Connection Attack
    Jamming Signal Attack
    Wireless Hacking Methodology
    Wi-Fi Discovery
    GPS Mapping
    Wireless Traffic Analysis
    Launch Wireless Attacks
    Bluetooth Hacking
    Bluetooth Attacks
    Bluetooth Countermeasures
    Wireless Security Tools
    Wireless Intrusion Prevention Systems
    Wi-Fi Security Auditing Tool
    Lab 16-1: Hacking a Wi-Fi Protected Access Network using Aircrack-ng
    Countermeasures

Chapter 17: Hacking Mobile Platforms
    Technology Brief
    Mobile Platform Attack Vectors
    OWASP Top 10 Mobile Threats
    Mobile Attack Vector
    Hacking Android OS
    Introduction to Android Operating System
    Hacking iOS
    iPhone Operating System
    Jailbreaking iOS
    Hacking Windows Phone OS
    Windows Phone
    Hacking BlackBerry
    BlackBerry Operating System
    BlackBerry Attack Vectors
    Mobile Device Management (MDM)
    Mobile Device Management Concept
    Bring Your Own Device (BYOD)
    BYOD Architecture Framework
    Mobile Security Guidelines

Chapter 18: IoT Hacking
    Technology Brief
    Internet of Things (IoT) Concept
    How does the Internet of Things Work?
    IoT Communication Models
    Understanding IoT Attacks
    Challenges to IoT
    OWASP Top 10 IoT Vulnerabilities
    IoT Attack Areas
    IoT Attacks
    IoT Hacking Methodology
    Information Gathering
    Vulnerability Scanning
    Launch Attack
    Gain Access
    Maintain Attack
    Countermeasures

Chapter 19: Cloud Computing
    Introduction to Cloud Computing
    Types of Cloud Computing Services
    Cloud Deployment Models
    NIST Cloud Computing Reference Architecture
    Cloud Computing Benefits
    Understanding Virtualization
    Cloud Computing Threats
    Data Loss/Breach
    Abusing Cloud Services
    Insecure Interfaces and APIs
    Cloud Computing Attacks
    Service Hijacking using Social Engineering Attacks
    Service Hijacking using Network Sniffing
    Session Hijacking using XSS Attack
    Session Hijacking using Session Riding
    Domain Name System (DNS) Attacks
    Side Channel Attacks or Cross-guest VM Breaches
    Cloud Security
    Cloud Security Control Layers
    Responsibilities in Cloud Security
    Cloud Computing Security Considerations
    Cloud Security Tools
    Core CloudInspect
    CloudPassage Halo

Chapter 20: Cryptography
    Technology Brief
    Cryptography Concepts
    Cryptography
    Types of Cryptography
    Government Access to Keys (GAK)
    Encryption Algorithms
    Ciphers
    Data Encryption Standard (DES)
    Advanced Encryption Standard (AES)
    RC4, RC5, RC6 Algorithms
    The DSA and Related Signature Schemes
    RSA (Rivest Shamir Adleman)
    Lab 20-1: Example of RSA Algorithm
    Message Digest (One-way Hash) Functions
    Secure Hashing Algorithm (SHA)
    SSH (Secure Shell)
    Cryptography Tools
    MD5 Hash Calculators
    Lab 20-2: Calculating MD5 using Tool
    Hash Calculators for Mobile
    Cryptography Tool
    Lab 20-3: Advanced Encryption Package 2014
    Public Key Infrastructure (PKI)
    Certification Authorities (CA)
    Signed Certificate vs. Self-Signed Certificate
    Email Encryption
    Digital Signature
    SSL (Secure Sockets Layer)
    SSL and TLS for Secure Communication
    Pretty Good Privacy (PGP)
    Disk Encryption
    Cryptography Attacks
    Code Breaking Methodologies

References

About this Workbook
This workbook covers all the information you need to pass EC-Council's Certified Ethical Hacker (312-50) exam. The workbook is designed to take a practical approach to learning, with real-life examples and case studies.
· Covers the complete CEH blueprint
· Summarized content
· Case study based approach
· Ready-to-practice labs on VM
· Pass guarantee
· Mind maps

CEH v10 Update
CEH v10 adds new modules on the security of IoT devices and on vulnerability analysis, with a focus on emerging attack vectors in the cloud, artificial intelligence, and machine learning, and includes a complete malware analysis process. Our CEH workbook delivers a deep understanding of how vulnerability analysis is applied in a real-world environment.

EC-Council Certifications
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and information security skills. It is the owner and creator of the world-famous Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT) certifications, as well as many other certification schemes, offered in over 87 countries globally.

Figure 1: EC-Council Certifications Skill Matrix

EC-Council's mission is to validate that information security professionals have the skills and knowledge required in a specialized information security domain, so that they can help avert a cyber-war should the need ever arise. EC-Council is committed to upholding the highest level of impartiality and objectivity in its practices, decision making, and authority in all matters related to certification.
EC-Council Certification Tracks

Figure 2 Cisco Certifications Track

How Does CEH Certification Help?

The purpose of the CEH credential is to:

- Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
- Inform the public that credentialed individuals meet or exceed the minimum standards.
- Reinforce ethical hacking as a unique and self-regulating profession.

About the CEH Exam

- Number of Questions: 125
- Test Duration: 4 Hours
- Test Format: Multiple Choice
- Test Delivery: ECC EXAM, VUE
- Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)

A Certified Ethical Hacker is a skilled professional who understands how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but lawfully and legitimately, to assess the security posture of the target system(s). The CEH credential certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective. The exam domains are weighted as follows:

- Background 4%
- Analysis/Assessments 13%
- Security 25%
- Tools/Systems/Programs 32%
- Procedures/Methodology 20%
- Regulation/Policy 4%
- Ethics 2%

Prerequisites

All three programs, CEH, CHFI, and ECSA, require the candidate to have two years of work experience in the information security domain and to provide proof of it, validated through the application process, unless the candidate attends official training.

Chapter 1: Introduction to Ethical Hacking

Technology Brief

Information Security Overview

Information security comprises the methods and processes that protect information and information systems from unauthorized access, disclosure, usage or modification. Information security ensures confidentiality, integrity, and availability.
An organization without security policies and appropriate security rules is at great risk, and its confidential information and data are not secure in the absence of those policies. Well-defined security policies and procedures help protect the organization's assets from unauthorized access and disclosure. In the modern world, with the latest technologies and platforms, millions of users interact with each other every minute. Those sixty seconds can be vulnerable and costly to private and public organizations because of the many old and modern threats present all over the world. The public internet is the most common and rapid channel for spreading threats worldwide. Malicious code and scripts, viruses, spam, and malware are always waiting for you. That is why the security risk to a network or a system can never be completely eliminated. It is always a great challenge to implement a security policy that is effective and beneficial to the organization, rather than an unnecessary security implementation that wastes resources and creates loopholes for threats. Our security objectives revolve around the three basic concepts named above: confidentiality, integrity, and availability.

Data Breach

eBay Data Breach

One real-life example of the need for information and network security within a corporate network is the eBay data breach. eBay is a well-known online auction platform used all over the world. In 2014, eBay announced a massive breach involving sensitive data; an estimated 145 million customers had data exposed in this attack. According to eBay, the breach compromised the following information:

- Customers' names
- Encrypted passwords
- Email addresses
- Postal addresses
- Contact numbers
- Dates of birth

Such sensitive information must be stored in encrypted form using strong encryption, never in plain text.
eBay claims that no financial information, such as credit card numbers, was compromised, although identity and password theft can also pose a severe risk. eBay's databases containing financial information such as credit card data are claimed to be kept separately and in encrypted form. The origin of the eBay breach was the compromise of a small number of employee credentials via phishing between February and March 2014. Specific employees may have been targeted to gain access to eBay's network, or eBay's network may have been monitored in its entirety and then compromised. eBay claimed to have detected the attack within two weeks.

Google Play Hack

A Turkish hacker, "Ibrahim Balic", hacked Google Play twice and accepted responsibility for the attack. It was not his first attempt; he also claimed to be behind the attack on Apple's Developer site. He tested vulnerabilities in Google's Developer Console and found a flaw in the Android operating system, which he tested repeatedly to confirm that it caused a crash every time. Using the results of his vulnerability testing, he developed an Android application to exploit the flaw. When the Developer Console crashed, users were unable to download applications and developers were unable to upload theirs.

The Home Depot Data Breach

Theft of payment card information, such as credit card data, is common nowadays. In 2014, Home Depot's point-of-sale (POS) systems were compromised. A statement released by Home Depot on 8 September 2014 confirmed the breach of its systems. The attacker obtained a third-party vendor's login credentials and used them to reach the POS network. A zero-day vulnerability in Windows was exploited to create a path from the third-party environment into Home Depot's corporate network.
After gaining access to the corporate network, the attacker deployed memory-scraping malware that targeted the point-of-sale terminals. Memory-scraping malware is highly capable; it harvested the details of millions of payment cards. Home Depot took several remediation actions following the attack, including the move to EMV chip-and-PIN payment cards. These cards have an embedded security chip that, unlike a magnetic stripe, cannot easily be duplicated.

Essential Terminology

Hack Value

The term hack value denotes how attractive, interesting or worthwhile a target is; it describes the target's level of attraction to the hacker.

Zero-Day Attack

A zero-day attack exploits a vulnerability before the developer has identified or addressed it and released a patch for it.

Vulnerability

A vulnerability is a weak point, loophole or flaw in a system or network that an attacker can use to get through it. Any vulnerability can be an entry point to reach the target.

Daisy Chaining

Daisy chaining is a sequential process of several hacking or attack attempts to gain access to networks or systems, one after another, each using the information obtained from the previous attempt.

Exploit

An exploit is a breach of a system's security through vulnerabilities, zero-day attacks or any other hacking technique.

Doxing

Doxing refers to publishing information, or a set of information, associated with an individual. This information is collected from public sources, mostly social media.

Payload

In networking, the payload is the actual section of information or data in a frame, as opposed to automatically generated metadata. In information security, the payload is the part of malicious or exploit code that carries out the potentially harmful action, such as running an exploit, opening a backdoor or hijacking a session.
Bot

Bots are software used to control a target remotely and to execute predefined tasks; they can run automated scripts over the internet. Bots are also known as Internet bots or web robots. Bots can be used for social purposes such as chatterbots, for commercial purposes, or for malicious purposes such as spambots, spreading viruses and worms, botnets, and DDoS attacks.

Elements of Information Security

Confidentiality

We want to make sure that our secret and sensitive data is secure. Confidentiality means that only authorized persons can work with and see our infrastructure's digital resources. It also implies that unauthorized persons should not have any access to the data. There are two types of data in general: data in motion, as it moves across the network, and data at rest, when it sits on a storage medium (such as servers, local hard drives, or the cloud). For data in motion, we need to encrypt the data before sending it over the network. Another option we can use along with encryption is a separate network for sensitive data. For data at rest, we can apply encryption to the storage medium so that no one can read it in case of theft.

Integrity

We do not want our data to be accessed or manipulated by unauthorized persons. Data integrity ensures that only authorized parties can modify data.

Availability

Availability applies to systems and data. If authorized persons cannot get to the data because of a general network failure or a denial-of-service (DoS) attack, that is a problem as far as the business is concerned. It may result in loss of revenue or of the ability to record important results. We can use the term "CIA" to remember these basic yet most important security concepts.

CIA               Risk                                                  Control
Confidentiality   Loss of privacy. Unauthorized access to               Encryption. Authentication. Access control.
                  information. Identity theft.
Integrity         Information is no longer reliable or accurate.        Maker/Checker. Quality assurance. Audit logs.
                  Fraud.
Availability      Business disruption. Loss of customers'               Business continuity plans and tests. Backup
                  confidence. Loss of revenue.                          storage. Sufficient capacity.

Table 1-01: Risk and Its Protection by Implementing CIA

Authenticity

Authentication is the process that identifies a user or device in order to grant privileges and access under certain rules and policies. Authenticity ensures that information or a message transaction originates from the valid user who claims to be its source. Authenticity can be achieved through authentication, that is, the combined use of identities and passwords.

Figure 1-1 Elements of Information Security

Non-Repudiation

Non-repudiation is one of the Information Assurance (IA) pillars; it guarantees the transmission and receipt of information between sender and receiver using techniques such as digital signatures and encryption. Non-repudiation is the assurance of the communication and its authenticity, so that the sender cannot deny what he sent and the receiver cannot deny having received it. Digital contracts, signatures and email messages use non-repudiation techniques.

The Security, Functionality, and Usability Triangle

In a system, the level of security is measured against the system's functionality and usability. These three components are known as the security, functionality and usability triangle. Consider a ball inside this triangle: if the ball is centered, the three components are in balance; if the ball moves closer to security, the system is consuming more resources on security, and its features, functions and usability need attention. A secure system must provide strong protection while still offering all of its services, features and usability to the user.
Figure 1-2 Security, Functionality & Usability Triangle

Implementing a high level of security typically reduces functionality and ease of use: the system becomes less user-friendly and performance decreases. While developing an application or deploying security in a system, security experts must keep functionality and ease of use in mind. The three components of the triangle must be balanced.

Information Security Threats and Attack Vectors

Motives, Goals, and Objectives of Information Security Attacks

In the information security world, three main components lie behind an attack on a target system. The "motive or objective" of an attack makes an attacker focus on a particular system. Another major component is the "method" the attacker uses to gain access to the target system. The third is the vulnerability that helps the attacker fulfill his intentions. These three components are the major blocks on which an attack depends. An attacker's motive and objective may depend on something valuable stored on that specific system. The reason might be ethical or unethical, but there must be a goal for the hacker to achieve, and that goal is what creates the threat to the system. Typical motives behind attacks are information theft, manipulation of data, disruption, propagation of political or religious beliefs, attacks on the target's reputation, and revenge. Method of attack and vulnerability go hand in hand: the intruder applies various tools and a number of advanced and older techniques to exploit a vulnerability in a system or security policy in order to breach it and achieve his motives.

Figure 1-3 Information Security Attack

Top Information Security Attack Vectors

Cloud Computing Threats

Cloud computing is the most common and popular trend in use nowadays. That does not mean threats to cloud computing or cloud security are fewer.
Mostly, the same issues that exist in traditionally hosted environments also exist in cloud computing. It is very important to secure cloud computing to protect services and important data.

Figure 1-4 Cloud Computing Threats

The following are some of the threats that exist in cloud security. In a cloud computing environment, a major threat is a single data breach that results in loss; additionally, it gives the hacker access to further records, potentially many records across the cloud. The worst situation is one where compromising a single entity leads to the compromise of multiple records. Data loss is also one of the most common potential threats to cloud security. Data loss may be intentional or accidental; it may be large scale or small scale, but massive data loss is catastrophic and costly. Another major threat to cloud computing is the hijacking of cloud accounts and services. Applications running in a cloud that have software flaws, weak encryption, loopholes and vulnerabilities allow an intruder to take control. Further threats to cloud computing include:

- Insecure APIs
- Denial of Service
- Malicious Insiders
- Poor Security
- Multi-Tenancy

Advanced Persistent Threats

An advanced persistent threat (APT) is the theft of information through a continuous process. An APT usually targets private organizations or has political motives. The APT process relies on advanced, sophisticated techniques to exploit vulnerabilities within a system. The term "persistent" refers to an external command-and-control system that continuously monitors and fetches data from the target. The term "threat" indicates the involvement of an attacker with potentially harmful intentions.
The characteristics of APT criteria are:

Characteristics              Description
Objectives                   Motive or goal of the threat
Timeliness                   Time spent probing and accessing the target
Resources                    Level of knowledge and tools
Risk tolerance               Tolerance for remaining undetected
Skills & Methods             Tools and techniques used throughout the event
Actions                      Precise actions of the threat
Attack origination points    Number of origination points
Numbers involved in attack   Number of internal and external systems involved
Knowledge Source             Discernment of information regarding threats

Table 1-2 Advanced Persistent Threat Criteria

Viruses and Worms

In network and information security, the term "virus" describes malicious software that is developed to spread, replicate itself, and attach itself to other files. Attaching to other files helps it transfer onto other systems. Viruses require user interaction to trigger and initiate their malicious activity on the resident system. Unlike viruses, worms replicate themselves without that user interaction, which lets them spread on a resident system very quickly. Worms have been propagating in different forms since the 1980s, and some emerging types are very destructive, responsible for devastating DoS attacks.

Mobile Threats

Emerging mobile phone technology, especially smartphones, has shifted attackers' focus onto mobile devices. As smartphones are used all over the world, attackers now aim to steal business and personal information through them. The most common threats to mobile devices are:

- Data leakage
- Unsecured Wi-Fi
- Network spoofing
- Phishing attacks
- Spyware
- Broken cryptography
- Improper session handling

Insider Attack

An insider attack is an attack performed on a system within a corporate network by a trusted person. The trusted user is termed an insider because he has privileges and is authorized to access network resources.
Figure 1-5 Insider Threats

Botnets

A botnet combines the functionality of a robot and a network: a bot works continuously on a repetitive task, and that is the basic idea of a bot. Bots are known as the workhorses of the Internet and perform repetitive tasks. Most often, botnets are connected with Internet Relay Chat; these botnets are legal and beneficial. A botnet may be used for positive purposes, but some botnets are illegal and intended for malicious activities. Malicious botnets gain access to systems using malicious scripts and code, either by directly hacking the system or through a "spider", a program that crawls the internet searching for security holes. A bot adds the system to the hacker's web by contacting the master computer, alerting it when the system is under control. The attacker then remotely controls all bots from the master computer.

Information Security Threat Categories

The categories of information security threats are as follows:

Network Threats

The primary components of network infrastructure are routers, switches, and firewalls. These devices not only perform routing and other network operations, but also control and protect running applications, servers, and devices from attacks and intrusions. A poorly configured device gives the intruder something to exploit. Common network vulnerabilities include default installation settings, open access controls, weak encryption and passwords, and devices lacking the latest security patches. Top network-level threats include:

- Information gathering
- Sniffing & Eavesdropping
- Spoofing
- Session hijacking
- Man-in-the-Middle Attack
- DNS & ARP Poisoning
- Password-based Attacks
- Denial-of-Service Attacks
- Compromised Key Attacks
- Firewall & IDS Attacks

Host Threats

Host threats focus on the system software on which applications are built or run, such as Windows 2000, .NET Framework, SQL Server, and others.
Host-level threats include:

- Malware Attacks
- Footprinting
- Password Attacks
- Denial-of-Service Attacks
- Arbitrary code execution
- Unauthorized Access
- Privilege Escalation
- Backdoor Attacks
- Physical Security Threats

Application Threats

The best practice for analyzing application threats is to organize them by application vulnerability category. The main threats to applications are:

- Improper Data / Input Validation
- Authentication & Authorization Attacks
- Security Misconfiguration
- Information Disclosure
- Broken Session Management
- Buffer Overflow Issues
- Cryptography Attacks
- SQL Injection
- Improper Error Handling & Exception Management

Types of Attacks on a System

Operating System Attacks

In operating system attacks, attackers search for vulnerabilities in the operating system. If they find one, they exploit it to attack the operating system. Some of the most common operating system vulnerabilities are:

Buffer overflow vulnerabilities

Buffer overflow is one of the major types of operating system attack and belongs to the family of software exploitation attacks. A buffer overflow occurs when a program or application does not enforce well-defined boundaries, such as restrictions or a pre-defined functional area, on the amount of data it can handle or the type of data that can be input. Buffer overflows cause problems such as denial of service (DoS), rebooting, freezing, and the attacker gaining unrestricted access.

Bugs in the operating system

In software exploitation attacks against bugs in software, the attacker tries to exploit vulnerabilities in the software. Such a vulnerability may be a mistake made by the developer while writing the program code. Attackers can discover these mistakes and use them to gain access to the system.

Unpatched operating system

An unpatched operating system allows malicious activity, or cannot completely block malicious traffic into the system.
A successful intrusion can have a severe impact in the form of compromised sensitive information, data loss and disruption of regular operations.

Misconfiguration Attacks

When installing new devices in a corporate network, the administrator must change the default configuration. If devices are left with their default configuration and default credentials, any user who has connectivity to the device can access it, even without the privileges to do so. It is not a big deal for an intruder to access such a device, because the default configuration has common, weak passwords and no security policies are enabled on the device by default. Similarly, permitting an unauthorized person, or giving a person more resources and permissions than his privileges warrant, may also lead to an attack. Additionally, using the organization's name in username and password attributes makes it easier for hackers to gain access.

Application-Level Attacks

Before releasing an application, the developer must make sure it has been tested and verified, whether by the manufacturer or at the developer's end. In an application-level attack, a hacker can use:

- Buffer overflow
- Active content
- Cross-site scripting
- Denial of service
- SQL injection
- Session hijacking
- Phishing

Shrink Wrap Code Attacks

A shrink-wrap code attack is one in which the hacker exploits holes in unpatched operating systems and poorly configured software and applications. To understand shrink-wrap vulnerabilities, consider an operating system that has a bug in its original software version. The vendor may have released an update, but the most critical time is between the vendor's release of a patch and the update of the clients' systems. During this critical time, unpatched systems are vulnerable to the shrink-wrap attack.
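Two items in the lists above, improper input validation and SQL injection, are really one defect seen from two sides: the application pastes untrusted text into a query, and the database then executes whatever structure that text carries. The following Python example is added here as an illustration and is not code from the workbook; it uses only the standard library (sqlite3, re), builds a constructed in-memory user table, and places the vulnerable lookup next to a hardened one that validates the input against an allow-list and binds it as a query parameter. The table contents, the username policy and the function names are all assumptions made for this demonstration.

```python
import re
import sqlite3

# Constructed sample data for this demonstration (not from the workbook).
SAMPLE_USERS = [
    ("alice", "pbkdf2-hash-placeholder-1", "admin"),
    ("bob", "pbkdf2-hash-placeholder-2", "user"),
]

# Constructed input policy: usernames are short, lower-case, and start with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def open_db():
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(name):
    """Allow-list validation: reject anything outside the expected shape."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_vulnerable(conn, name):
    """Improper input validation: untrusted text is pasted into the SQL string,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: validate first, then bind the value as a parameter so the
    database treats it purely as data, never as SQL."""
    if not is_valid_username(name):
        return []
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups on the same inputs and report how many rows each returns."""
    conn = open_db()
    crafted = "x' OR '1'='1"          # quote-bearing input that is not a valid username
    vulnerable_rows = lookup_vulnerable(conn, crafted)   # the OR clause matches every row
    safe_rows = lookup_safe(conn, crafted)               # rejected by validation
    normal_rows = lookup_safe(conn, "alice")             # a legitimate lookup still works
    return len(vulnerable_rows), len(safe_rows), len(normal_rows)


if __name__ == "__main__":
    print(demo())   # (2, 0, 1)
```

The two defences are independent and both are worth keeping: the parameterized query is what actually stops the injection, while the allow-list check shrinks the input space the rest of the application has to reason about and gives a clean place to log rejected input for the detection side.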
Shrink-wrap attacks also cover systems installed with software that is bundled with insecure test pages and debugging scripts. The developer must remove these scripts before release.

Information Warfare

Information warfare is the use of information and communication technology (ICT) in warfare to gain the most from information; the terms "Information Warfare" and "Info War" both describe it. The major focus of this information war is to gain a competitive advantage over the opponent or enemy. Information warfare is classified into two classes:

1. Defensive Information Warfare

Defensive information warfare refers to all defensive actions taken to protect against attacks that steal information or target information-based processes. The areas of defensive information warfare are:

- Prevention
- Deterrence
- Indication & Warning
- Detection
- Emergency Preparedness
- Response

2. Offensive Information Warfare

The term "offensive" is associated with the military. Offensive warfare consists of aggressive operations taken against enemies proactively, instead of waiting for the attackers to launch an attack. Entering their territory to gain ground rather than losing territory is the fundamental concept of offensive warfare. Its major advantage is identifying the opponent, the opponent's strategies, and other information. Offensive information warfare prevents or modifies the opponent's use of information by acting on its integrity, availability, and confidentiality.

Hacking Concepts, Types, and Phases

Hacker

A hacker is someone smart enough to steal information such as business data, personal data, financial information, credit card information, usernames and passwords from a system he is not authorized to access, by taking unauthorized control of that system using different techniques and tools.
Hackers have great skill and the ability to develop and explore software and hardware. Their intention may be to do illegal things for fun, or sometimes they are paid to hack.

Figure 1-6 Types of Hacker

Hacking

The term "hacking" in information security refers to exploiting vulnerabilities in a system and compromising its security to gain unauthorized command and control over the system's resources. The purpose of hacking may include modifying system resources or disrupting features and services to achieve a goal. It can also be used to steal information for any purpose, such as sending it to competitors or regulatory bodies, or publicizing sensitive information.

Hacking Phases

The following are the five phases of hacking:

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Reconnaissance

Reconnaissance is the initial preparation phase, in which the attacker gets ready for an attack by gathering information about the target with different tools and techniques before launching it. Gathering information about the target makes the attack easier, even on a large scale, and on a large scale it helps identify the target range. In passive reconnaissance, the hacker acquires information about the target without interacting with the target directly; an example is searching public or social media sources for information about the target. Active reconnaissance gains information by engaging the target directly; examples are phone calls, emails, and contact with the help desk or technical departments.

Scanning

The scanning phase is a pre-attack phase. In this phase, the attacker scans the network using the information acquired during the reconnaissance phase. Scanning tools include diallers, scanners such as port scanners and network mappers, client tools such as ping, and vulnerability scanners.
During the scanning phase, the attacker obtains information about ports, including port status, operating system information, device type, live machines, and other details depending on the scan.

Gaining Access

The gaining-access phase of hacking is the point where the hacker gets control over an operating system, application or computer network. The control gained defines the access level: operating system level, application level or network level. Techniques such as password cracking, denial of service, session hijacking and buffer overflows are used to gain unauthorized access. After accessing the system, the attacker escalates privileges to obtain complete control over services and processes and to compromise the connected intermediate systems.

Maintaining Access / Escalation of Privileges

The maintaining-access phase is the point at which the attacker tries to keep access, ownership and control over the compromised systems. Similarly, the attacker prevents the system from being taken over by any other hacker. Attackers use backdoors, rootkits or Trojans to retain their ownership. In this phase, an attacker may steal information by uploading it to a remote server, download files onto the resident system, and manipulate data and configuration. The attacker also uses the compromised system to launch attacks against other systems.

Clearing Tracks

An attacker must hide his identity by covering his tracks. Covering tracks means the activities carried out to hide malicious activity. It is essential for an attacker who wants to keep access to the compromised system, remain undetected, get what he wants, and wipe all evidence that points to his identity. To manipulate identity and evidence, the attacker overwrites the system, application, and other related logs to avoid suspicion.
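The clearing-tracks phase described above, where the attacker overwrites logs, is exactly what the integrity control in Table 1-01 (audit logs that cannot be silently altered) is meant to defeat. The following Python example is added here as an illustration and is not code from the workbook; it uses only the standard library (hmac, hashlib, json) and a handful of constructed audit events to show how a keyed hash chain makes a log tamper-evident: each record's tag covers the previous tag, so rewriting or deleting any record breaks every tag after it, and a copy of the final tag held off-host exposes records deleted from the end. The event records, key and function names are assumptions made for this demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample audit events (not taken from the workbook).
SAMPLE_EVENTS = [
    {"ts": "2018-05-14T09:00:01Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2018-05-14T09:02:15Z", "user": "alice", "action": "read", "object": "/finance/q1.xlsx"},
    {"ts": "2018-05-14T09:05:40Z", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2018-05-14T09:05:58Z", "user": "bob", "action": "login", "result": "success"},
]

# First link of the chain: a fixed all-zero "previous tag".
GENESIS = b"\x00" * 32


def canonical(event):
    """Serialize an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events, key):
    """Return [(event, tag_hex), ...] with tag = HMAC-SHA256(key, prev_tag || event).
    Each tag covers the previous one, so editing or removing any record
    invalidates every tag that follows it."""
    prev = GENESIS
    chain = []
    for ev in events:
        tag = hmac.new(key, prev + canonical(ev), hashlib.sha256).digest()
        chain.append((ev, tag.hex()))
        prev = tag
    return chain


def verify_chain(chain, key, expected_head=None):
    """Recompute every tag. Returns (ok, index): index is the first record whose
    tag does not verify, len(chain) if records were dropped or added at the end
    (detectable only when the caller supplies the last tag it saw, kept off-host),
    or -1 when the log is intact."""
    prev = GENESIS
    for i, (ev, tag_hex) in enumerate(chain):
        expect = hmac.new(key, prev + canonical(ev), hashlib.sha256).digest()
        if not hmac.compare_digest(expect.hex(), tag_hex):
            return False, i
        prev = expect
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(chain)
    return True, -1


def demo():
    """Check an intact log, a log with a rewritten record, and a truncated log."""
    key = b"constructed-demo-key-replace-in-practice"
    chain = build_chain(SAMPLE_EVENTS, key)
    head = chain[-1][1]                      # copy of the final tag kept off-host

    intact = verify_chain(chain, key, head)

    # Record 2 (bob's failed login) is rewritten to look like a success.
    edited = [(dict(ev), tag) for ev, tag in chain]
    edited[2][0]["result"] = "success"
    rewritten = verify_chain(edited, key, head)

    # The last record is deleted outright.
    truncated = verify_chain(chain[:-1], key, head)

    return intact, rewritten, truncated


if __name__ == "__main__":
    print(demo())   # ((True, -1), (False, 2), (False, 3))
```

The scheme only holds if the HMAC key and the latest head tag live somewhere the compromised host cannot reach, for example on the central log collector that receives the records; an attacker who obtains the key can simply rebuild the chain. In practice the head is forwarded with each batch, and the collector runs verify_chain on arrival, so a gap or mismatch becomes an alert rather than a missing line nobody notices.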
Ethical Hacking Concepts and Scope

Ethical Hacking

Ethical hacking and penetration testing are common terms that have been popular in the information security environment for a long time. The increase in cybercrime and hacking over the last decade has created a great challenge for security experts, analysts and regulators. It is a constant war between hackers and security professionals. The fundamental challenge for these security experts is to find weaknesses and deficiencies in running and upcoming systems, applications and software and to address them proactively. It is less costly to investigate proactively before an attack than to investigate after falling victim to one, or while dealing with one. For prevention and protection, organizations have their own internal penetration testing teams and also contract outside professional experts when needed, depending on the severity and scope of the attack.

Why Ethical Hacking Is Necessary

The rise in malicious activity, cybercrime and different forms of advanced attacks creates a need for penetration testers who test the security of systems and networks, so that the organization is prepared and can take precautions and remediation action against these aggressive attacks. These aggressive and advanced attacks include:

- Denial-of-Service Attacks
- Manipulation of data
- Identity Theft
- Vandalism
- Credit Card theft
- Piracy
- Theft of Services

These types of attacks, hacking cases and cyber attacks have increased because of the growth in online transactions and online services over the last decade, which makes it more tempting for hackers and attackers to steal financial information. Computer or cybercrime law has slowed down prank activity only, whereas real attacks and cybercrime keep rising. This underlines the need for a pentester (short for penetration tester) to search for vulnerabilities and flaws within a system rather than waiting for an attack.
If you want to beat attackers and hackers, you have to be smart enough to think like them and act like them. As we know, hackers are skilled, with great knowledge of hardware, software, and exploration capabilities. This establishes the need and importance of ethical hacking, which allows the ethical hacker to counter attacks from malicious hackers by anticipating their methods. Another major advantage of and need for ethical hacking is to uncover the vulnerabilities in systems and security deployments so that action can be taken to secure them before a hacker uses them to breach security.

Scope and Limitations of Ethical Hacking
Ethical hacking is an important and crucial component of risk assessment, auditing, and counter-fraud efforts. Ethical hacking is widely used as penetration testing to identify vulnerabilities and risk and to highlight the holes so that remedial actions can be taken against attacks. However, there are also limitations where ethical hacking is not enough, or where the issue cannot be resolved through ethical hacking alone. An organization must first know what it is looking for before hiring an external pentester. This helps focus the goals to achieve and saves time. The testing team then dedicates itself to troubleshooting the actual problem and resolving the issues. The ethical hacker also helps the organization understand its security system better. It is up to the organization to take the actions recommended by the pentester and enforce security policies over the system and network.

Phases of Ethical Hacking
Ethical hacking is the combination of the following phases:
1. Footprinting & Reconnaissance
2. Scanning
3. Enumeration
4. System Hacking
5. Escalation of Privileges
6. Covering Tracks

Skills of an Ethical Hacker
A skilled, ethical hacker has a set of technical and non-technical skills.

Technical Skills
1. An ethical hacker has in-depth knowledge of almost all operating systems, including all popular, widely used operating systems such as Windows, Linux, Unix, and Macintosh.
2. Ethical hackers are skilled at networking, in both basic and detailed concepts and technologies, and at exploring the capabilities of hardware and software.
3. Ethical hackers must have a strong command over security areas, related issues, and technical domains.
4. They must have detailed knowledge of older as well as advanced, sophisticated attacks.

Non-Technical Skills
1. Learning ability
2. Problem-solving skills
3. Communication skills
4. Commitment to security policies
5. Awareness of laws, standards, and regulations

Mind Map

Information Security Controls

Information Assurance (IA)
Information Assurance, known in short as IA, depends upon the components Integrity, Availability, Confidentiality, and Authenticity. With the combination of these components, information and information systems are assured and protected during processing, usage, storage, and communication. These components were defined earlier in this chapter. Apart from these components, some methods and processes also help in achieving information assurance, such as:
- Policies and processes
- Network authentication
- User authentication
- Network vulnerabilities
- Identifying problems and resources
- Implementation of a plan for identified requirements
- Application of information assurance controls

Information Security Management Program
Information Security Management programs are programs specially designed to focus on reducing the risks and vulnerabilities in the information security environment and to train the organization and its users to work in a less vulnerable state. Information Security Management is a combined management solution that achieves the required level of information security using well-defined security policies, processes for classification, reporting, and management, and standards.
The diagram on the next page shows the EC-Council defined Information Security Management Framework:

Figure 1-7 Information Security Management Framework

Threat Modeling
Threat modeling is the process or approach of identifying, diagnosing, and assessing the threats and vulnerabilities of a system. It is an approach to risk management that focuses specifically on analyzing system security and application security against security objectives. This identification of threats and risks helps to focus and take action on an event in order to achieve the goals. It involves capturing data about an organization and applying identification and assessment processes to the captured information in order to analyze what can impact the security of an application. The application overview includes identifying the application's trust boundaries and data flows. Decomposition of the application and identification of threats lead to a detailed review of the threats, identifying which threat is breaching a security control. This identification and detailed review of every aspect exposes the vulnerabilities and weaknesses of the information security environment.

Figure 1-8 Threat Modelling

Enterprise Information Security Architecture (EISA)
Enterprise Information Security Architecture is the combination of requirements and processes that help in determining, investigating, and monitoring the structure and behavior of an information system. The following are the goals of EISA:

Figure 1-9 EISA

Network Security Zoning
Managing and deploying an organization's architecture in different security zones is called Network Security Zoning. These security zones are sets of network devices having a specific security level. Different security zones may have similar or different security levels. Defining different security zones with their security levels helps in monitoring and controlling inbound and outbound traffic across the network.
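The threat modeling section above speaks of trust boundaries and data flows, and the zoning section of zones with a security level. The following is an added example, not code from the guide or from EC-Council, that puts the two together on a constructed three-tier application: components are assigned to zones with levels, every flow between two zones is a trust-boundary crossing that gets a review question, and a flow that jumps over an intermediate zone (internet straight into the internal zone) is flagged. Component names, zone names, levels and flows are all assumptions made up for the demonstration.

```python
"""Added example, not from the CEH guide: data flows across trust boundaries
and security zones.

The guide describes threat modeling as identifying an application's trust
boundaries and data flows, and network security zoning as grouping devices
into zones with a security level. This model applies both to a constructed
three-tier application: every flow between two zones is a boundary crossing
that needs a review question, and a flow that jumps over an intermediate
zone is flagged. Component names, zones and levels are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Zones in ascending order of trust (level 0 = untrusted).
ZONE_LEVELS = {"internet": 0, "dmz": 1, "internal": 2, "restricted": 3}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str      # what travels over the link
    protocol: str


def classify_flow(flow: Flow, components: Dict[str, Component]) -> Dict:
    """Direction and zone jump of one flow, derived from the zone levels."""
    src_level = ZONE_LEVELS[components[flow.src].zone]
    dst_level = ZONE_LEVELS[components[flow.dst].zone]
    jump = dst_level - src_level
    if jump == 0:
        direction = "intra-zone"
    elif jump > 0:
        direction = "inbound"    # lower-trust source talking to higher-trust target
    else:
        direction = "outbound"   # data leaving a higher-trust zone
    return {"flow": f"{flow.src}->{flow.dst}", "direction": direction,
            "crosses_boundary": jump != 0, "level_jump": jump,
            "skips_zone": abs(jump) > 1}


def review_items(flows: List[Flow], components: Dict[str, Component]) -> List[Dict]:
    """Boundary-crossing flows, largest zone jump first, each with the
    control question a reviewer should answer."""
    items = []
    for f in flows:
        c = classify_flow(f, components)
        if not c["crosses_boundary"]:
            continue
        src_zone = components[f.src].zone
        dst_zone = components[f.dst].zone
        if c["direction"] == "inbound":
            c["question"] = (f"How is {f.src} authenticated and its {f.data} "
                             f"validated before {f.dst} trusts it?")
        else:
            c["question"] = (f"May {f.data} leave {src_zone} for {dst_zone}, "
                             f"and is it protected on {f.protocol}?")
        if c["skips_zone"]:
            c["question"] += (f" Why does this flow bypass the zone between "
                              f"{src_zone} and {dst_zone}?")
        items.append(c)
    items.sort(key=lambda c: (-abs(c["level_jump"]), c["flow"]))
    return items


# Constructed model of a three-tier application.
COMPONENTS = {c.name: c for c in [
    Component("browser", "internet"),
    Component("admin_laptop", "internet"),
    Component("web", "dmz"),
    Component("mail_relay", "dmz"),
    Component("app", "internal"),
    Component("db", "restricted"),
    Component("backup", "restricted"),
]}

FLOWS = [
    Flow("browser", "web", "login form", "HTTPS"),
    Flow("web", "app", "API request", "HTTP"),
    Flow("app", "db", "SQL query", "TCP/5432"),
    Flow("db", "backup", "database dump", "TCP/873"),
    Flow("app", "mail_relay", "notification e-mail", "SMTP"),
    Flow("admin_laptop", "app", "admin command", "SSH"),  # bypasses the DMZ
]


def demo() -> List[Dict]:
    return review_items(FLOWS, COMPONENTS)


if __name__ == "__main__":
    for item in demo():
        flag = "SKIPS ZONE " if item["skips_zone"] else ""
        print(f"{item['flow']:<22} {item['direction']:<9} "
              f"jump={item['level_jump']:+d} {flag}{item['question']}")
```

The intra-zone dump from db to backup never appears in the review list, which is the point of zoning: a boundary is only where the level changes. The admin_laptop flow sorts to the top because it skips the DMZ entirely, which is exactly the kind of finding a zoning review exists to surface.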
Figure 1-10 Network Security Zoning

Information Security Policies
Information security policies are the fundamental component of the information security infrastructure, on which everything else depends. Fundamental security requirements, conditions, and rules are configured and enforced through an information security policy to secure the organization's resources. These policies cover the outlines of the management, administration, and security requirements within an information security architecture.

Figure 1-11 Steps to enforce Information Security

The basic goals and objectives of information security policies are:
- Cover the security requirements and conditions of the organization
- Protect the organization's resources
- Eliminate legal liabilities
- Minimize the wastage of resources
- Prevent unauthorized access, modification, etc.
- Minimize risk
- Information assurance

Types of Security Policies
The different types of security policies are as follows:
1. Promiscuous policy
2. Permissive policy
3. Prudent policy
4. Paranoid policy

Promiscuous Policy
The promiscuous policy has no restriction on the usage of system resources.

Permissive Policy
The permissive policy restricts only widely known, dangerous attacks or behavior.

Prudent Policy
The prudent policy ensures the maximum and strongest security among them. However, it allows known, necessary risks, blocking all services other than those individually enabled. Every event is logged under a prudent policy.

Paranoid Policy
The paranoid policy denies everything, strictly limiting internet usage.

Implications for Security Policy Enforcement

HR & Legal Implications of Security Policies
The HR department has the responsibility of making sure the organization is aware of security policies, as well as providing sufficient training. In cooperation with the management or administration of the organization, the HR department monitors the enforcement of security policies and deals with any violations or issues that arise during deployment.
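The four policy types above read as abstract labels until they are applied to the same traffic. The following is an added example, not code from the guide or from EC-Council: each policy type is written as an access-decision function and run over a constructed traffic sample, so the practical difference shows up in the output, in particular that a permissive policy (block only what is known to be dangerous) lets a never-seen-before service through, while a prudent policy (allow only what is individually enabled, log everything) does not. The service names, the blocklist and allowlist, and the addresses are constructed; whether the permissive and paranoid policies log is an assumption, since the guide only states that the prudent policy logs every event.

```python
"""Added example, not from the CEH guide: the four security policy types as
an access-decision function.

Each policy is applied to the same constructed traffic sample so the
difference shows up in the results: promiscuous allows everything,
permissive blocks only a blocklist of known-dangerous services (so an
unrecognized new service passes), prudent allows only individually enabled
services and logs every event, and paranoid denies everything. Service
names, lists and addresses are constructed; which events the permissive and
paranoid policies log is an assumption, since the guide only states that
the prudent policy logs every event.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Request:
    src: str
    service: str
    port: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    logged: bool
    reason: str


# Constructed lists: what a permissive policy blocks and a prudent policy enables.
KNOWN_DANGEROUS = {"telnet", "smb-guest"}
INDIVIDUALLY_ENABLED = {"https", "dns", "smtp"}


def evaluate(policy: str, req: Request) -> Decision:
    """Apply one of the guide's four policy types to a single request."""
    if policy == "promiscuous":
        return Decision(True, False, "no restriction on resource usage")
    if policy == "permissive":
        if req.service in KNOWN_DANGEROUS:
            return Decision(False, True, "known dangerous service")  # logging assumed
        return Decision(True, False, "not on the blocklist")  # unknown traffic passes
    if policy == "prudent":
        if req.service in INDIVIDUALLY_ENABLED:
            return Decision(True, True, "individually enabled service")
        return Decision(False, True, "default deny")  # every event logged
    if policy == "paranoid":
        return Decision(False, True, "deny everything")  # logging assumed
    raise ValueError(f"unknown policy: {policy}")


# Constructed traffic sample: a needed service, a known-dangerous one,
# a never-seen-before service, and another needed one.
SAMPLE: List[Request] = [
    Request("10.0.0.5", "https", 443),
    Request("10.0.0.5", "telnet", 23),
    Request("203.0.113.7", "unknown", 8765),
    Request("10.0.0.9", "dns", 53),
]


def summarize(policy: str) -> Dict:
    """Which services get through and how many audit events are produced."""
    decisions = [evaluate(policy, r) for r in SAMPLE]
    return {
        "allowed": [r.service for r, d in zip(SAMPLE, decisions) if d.allowed],
        "events_logged": sum(1 for d in decisions if d.logged),
    }


if __name__ == "__main__":
    for policy in ("promiscuous", "permissive", "prudent", "paranoid"):
        print(f"{policy:<12} {summarize(policy)}")
```

The "unknown" request is the one to watch: it is neither dangerous by reputation nor needed by the business, and only the default-deny policies stop it. That is the trade the prudent policy makes: more administrative work (every service has to be enabled individually) in exchange for not failing open on things nobody has classified yet.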
The legal implications of security policies are enforced under the supervision of professionals. These professionals are legal experts and consultants who ensure compliance with laws, especially local laws and regulations. Any violation of a legal requirement leads to lawsuits against those responsible.

Physical Security
Physical security is always the top priority in securing anything. In information security it is also considered important and is regarded as the first layer of protection. Physical security includes protection against human-made attacks such as theft, damage, and unauthorized physical access, as well as against environmental impacts such as rain, dust, power failure, and fire.

Figure 1-12 Physical Security

Physical security is required to prevent stealing, tampering, damage, theft, and many other physical attacks. To secure the premises and assets, fences, guards, CCTV cameras, intruder monitoring systems, burglar alarms, and deadlocks are set up. Important files and documents should not be left in any unsecured location, even within the organization; they should be kept locked and available to authorized persons only. Functional areas must be separated and biometrically protected. Continuous or frequent monitoring, such as monitoring for wiretapping and of computer equipment, HVAC, and firefighting systems, should also be done.

Incident Management
Incident response management is the procedure and method of handling an incident that occurs. This incident may be any specific violation of a condition, a policy, or anything else. Similarly, in information security, incident responses are the remediation actions or steps taken in response to an incident, from the identification of an event, threat, or attack to its removal or elimination (when the system becomes stable, secure, and functional again). Incident response management defines the roles and responsibilities of penetration testers, users, or employees of an organization.
Additionally, incident response management defines the actions required when a system is facing a threat to its confidentiality, integrity, authenticity, or availability, depending on the threat level. Initially, the important thing to remember is that when a system is dealing with an attack, it requires sophisticated, dedicated troubleshooting by an expert. While responding to the incident, the professional collects the evidence, information, and clues that are helpful for future prevention, for tracing the attacker, and for finding the holes and vulnerabilities in the system.

Incident Management Process
The incident response management process includes:
1. Preparation for incident response
2. Detection and analysis of the incident
3. Classification of the incident and its prioritization
4. Notification and announcements
5. Containment
6. Forensic investigation of the incident
7. Eradication and recovery
8. Post-incident activities

Responsibilities of the Incident Response Team
The incident response team consists of members who are well aware of how to deal with incidents. This response team consists of trained officials who are experts in collecting information and securing all evidence of an attack from the affected system. As far as membership of the incident response team is concerned, the team includes IT personnel, HR, public relations officers, local law enforcement, and the Chief Security Officer. The major responsibility of this team is to take action according to the Incident Response Plan (IRP). If no IRP is defined, or it is not applicable in that case, the team has to follow the lead examiner to perform a coordinated operation. The team's responsibilities include:
- Examination and evaluation of the event, and determination of the damage or scope of an attack
- Documenting the event and the processes followed
- If required, taking the support of an external security professional or consultant
- If required, taking the support of local law enforcement
- Fact collection
- Reporting
Mind Map

Vulnerability Assessment
Vulnerability assessment is the procedure of examining, identifying, and analyzing the abilities of a system or application, including the security processes running on the system, to withstand any threat. Through vulnerability assessment, you can identify weaknesses and threats to a system, scope a vulnerability, and estimate the requirement for and effectiveness of any additional security layer.

Types of Vulnerability Assessment
The following are the types of vulnerability assessment:
1. Active Assessment
2. Passive Assessment
3. Host-based Assessment
4. Internal Assessment
5. External Assessment
6. Network Assessment
7. Wireless Network Assessment
8. Application Assessment

Network Vulnerability Assessment Methodology
Network vulnerability assessment is an examination of the possibilities of an attack and the vulnerabilities of a network. The following are the phases of vulnerability assessment:
1. Acquisition
2. Identification
3. Analyzing
4. Evaluation
5. Generating Reports

Figure 1-13 Network Vulnerability Assessment Methodology

Acquisition
The acquisition phase compares and reviews previously identified vulnerabilities, laws, and procedures related to network vulnerability assessment.

Identification
In the identification phase, the assessor interacts with customers, employees, administrators, or other people involved in designing the network architecture to gather technical information.

Analyzing
The analyzing phase reviews the gathered information, whether collected as documentation or through one-to-one interaction. The analyzing phase basically consists of:
- Reviewing information
- Analyzing the results of previously identified vulnerabilities
- Risk assessment
- Vulnerability and risk analysis
- Evaluation of the effectiveness of existing security policies

Evaluation
The evaluation phase includes:
- Inspection of identified vulnerabilities
- Identification of flaws and gaps in existing and required security
- Determination of the security controls required to resolve the issues and vulnerabilities
- Identification of modifications and upgrades

Generating Reports
The reporting phase is the documentation of a draft report required for future inspection. This report helps identify vulnerabilities in the acquisition phase. Audits and penetration tests also require these previously collected reports. When any modification to a security mechanism is required, these reports help in designing the security infrastructure. Central databases usually hold these reports. Reports contain:
- Tasks done by each member of the team
- Methods and tools used
- Findings
- Recommendations
- Information collected from the different phases

Mind Map

Penetration Testing

Technology Overview
In the ethical hacking environment, the most commonly used term is "pentester." Pentesters are penetration testers who have permission from the owner to hack a system. Penetration testing is the process of hacking a system with the permission of the owner of that system, to evaluate security, hack value, the Target of Evaluation (TOE), attacks, exploits, zero-day vulnerabilities, and other components such as threats, vulnerabilities, and daisy chaining.

Figure 1-13 Comparing Pentesting

Importance of Penetration Testing
If you want to be ready for an attack, you must be smart enough to think like attackers and act like them. Hackers are skilled, having detailed knowledge of hardware, software, networking, and other related areas. In the modern world, where various advanced threats such as denial of service, identity theft, theft of services, and stealing of information are common, system penetration testing ensures that attacks from malicious threats can be countered by anticipating their methods. Some other major advantages of and needs for penetration testing are to uncover the vulnerabilities in systems and security deployments in the same way an attacker gains access:
- To identify the threats and vulnerabilities to the organization's assets
- To provide a comprehensive assessment of policies, procedures, design, and architecture
- To set remediation actions to secure them before they are used by a hacker to breach security
- To identify what an attacker can access and steal
- To identify what information can be stolen and how it could be used
- To test and validate the security protection and identify the need for any additional protection layer
- Modification and upgrading of the currently deployed security architecture
- To reduce the expense of IT security by enhancing Return on Security Investment (ROSI)

Figure 1-14 Comparing Blue & Red Teaming

Types of Penetration Testing
Three types of penetration testing are important to differentiate, because a penetration tester may be asked to perform any of them.

Black Box
Black box is a type of penetration testing in which the pentester performs blind testing or double-blind testing, i.e. is provided with no prior knowledge of the system or any information about the target. Black box testing is designed to emulate the situation of an external attacker, in order to prepare for countering an attack.

Gray Box
Gray box is a type of penetration testing in which the pentester has very limited prior knowledge of the system or the targets, such as IP addresses, operating systems, or network information, in very limited amounts. Gray box testing is designed to emulate the situation of an insider who might have this information, and to counter an attack in which the attacker has basic, limited information about the target.

White Box
White box is a type of penetration testing in which the pentester has complete knowledge of the system and information about the target. This type of penetration testing is done by internal security teams or security audit teams to perform auditing.

Phases of Penetration Testing
Penetration testing is a three-phase process.
1. Pre-Attack Phase
2. Attack Phase
3. Post-Attack Phase

Figure 1-15 Penetration Testing Phases

Security Testing Methodology
There are several methodological approaches that can be adopted for security or penetration testing. Industry-leading penetration testing methodologies are:
- Open Web Application Security Project (OWASP)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Information Systems Security Assessment Framework (ISAF)
- EC-Council Licensed Penetration Tester (LPT) Methodology

Mind Map

Information Security Laws and Standards

Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) is a global information security standard by the "PCI Security Standards Council," available for organizations to develop, enhance, and assess security standards for handling cardholder information, and a security standard for payment account security. The PCI Security Standards Council develops security standards for the payment card industry and provides the tools required for enforcement of these standards, such as training, certification, assessment, and scanning. The founding members of this council are:
- American Express
- Discover Financial Services
- JCB International
- MasterCard
- Visa Inc.

The PCI data security standard basically deals with cardholder data security for debit, credit, prepaid, e-purse, ATM, and POS cards. A high-level overview of PCI-DSS provides:
- Secure network
- Strong access control
- Cardholder data security
- Regular monitoring and evaluation of the network
- Maintaining a vulnerability program
- Information security policy

ISO/IEC 27001:2013
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are organizations that develop and maintain their standards globally. The ISO/IEC 27001:2013 standard specifies the requirements for implementing, maintaining, and improving an information security management system. This standard is a revised (second) edition of the first edition, ISO/IEC 27001:2005.
ISO/IEC 27001:2013 covers the following key points in information security:
- Implementing and maintaining security requirements
- Information security management processes
- Assurance of cost-effective risk management
- Status of information security management activities
- Compliance with laws

Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. HIPAA works with the Department of Health and Human Services (HHS) to develop and maintain regulations associated with the privacy and security of health information. The HIPAA Security Rule establishes what information is protected and, additionally, the safeguards that must be applied to secure electronic protected health information. HIPAA defines electronic protected health information, general rules, and risk analysis and management. Administrative safeguards, together with physical safeguards and technical safeguards, ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI).
The major domains in information security where HIPAA develops and maintains standards and regulations are:
- Electronic Transaction and Code Sets Standards
- Privacy Rules
- Security Rules
- National Identifier Requirements
- Enforcement Rules

Sarbanes Oxley Act (SOX)
The key requirements or provisions of the Sarbanes Oxley Act (SOX) are organized in the form of 11 titles, which are as follows:

Title        Majors
Title I      Public company accounting oversight board
Title II     Auditor independence
Title III    Corporate responsibility
Title IV     Enhanced financial disclosures
Title V      Analyst conflicts of interest
Title VI     Commission resources and authority
Title VII    Studies and reports
Title VIII   Corporate and criminal fraud accountability
Title IX     White-collar crime penalty enhancements
Title X      Corporate tax returns
Title XI     Corporate fraud and accountability

Table 1-03 SOX Titles

Some other regulatory bodies offer standards that are deployed worldwide, including the Digital Millennium Copyright Act (DMCA) and the Federal Information Security Management Act (FISMA). DMCA is a United States copyright law, whereas FISMA is a framework for ensuring the effectiveness of information security controls. According to Homeland Security, FISMA 2014 codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies. The legislation provides the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA).
Mind Map

Chapter 2: Footprinting & Reconnaissance

Technology Brief
The footprinting phase allows the attacker to gather information regarding the internal and external security architecture of the target he has to face. Collection of information also helps to identify the vulnerabilities within a system that can be exploited to gain access. Gathering deep information about the target reduces the focus area and brings the attacker closer to the target. The attacker narrows the focus on the target by means of the range of IP addresses he has to go through to hack the target, domain information, and so on.

Footprinting Concepts
The first step of ethical hacking is footprinting. Footprinting is the collection of every possible piece of information regarding the target and the target network. This collection of information helps in identifying different possible ways to enter the target network. The information may be gathered from publicly available personal information, and sensitive information from any secret source. Typically, footprinting and reconnaissance is performed through social engineering attacks, system or network attacks, or any other technique. Active and passive methods of reconnaissance are also popular for gaining information about the target directly or indirectly. The overall purpose of this phase is to interact with the target to gain information without any detection or alerting.

Pseudonymous Footprinting
Pseudonymous footprinting includes footprinting through online sources. In pseudonymous footprinting, information about a target is shared by posting under an assumed name. This type of information is shared without revealing the real credentials, to avoid tracing it back to the actual source of the information.

Internet Footprinting
Internet footprinting includes the footprinting and reconnaissance methods for gaining information through the internet. Internet footprinting includes processes such as Google hacking, Google search, and Google applications, as well as search engines other than Google.
Objectives of Footprinting
The major objectives of footprinting are:
1. To know the security posture
2. To reduce the focus area
3. To identify vulnerabilities
4. To draw a network map

Footprinting Methodology
It is not a big deal to get information about anyone, as the internet, social media, official websites, and other resources hold much information about their users. Individually this information is not sensitive, but a collection of it may fulfill the requirements of an attacker, and an attacker can gather enough information with little effort. Below are the techniques most often used by h
