EH3_Contents_ch2.pdf
Applied College Shaqra
Ethical Hacking (3), SYS 2004
Dr. Majid H. Alsulami, [email protected], 2024

Copyright 2024 - All Rights Reserved, Applied College Shaqra. No part of this presentation may be reproduced or transmitted in any form whatsoever, electronic or mechanical, including photocopying, recording, or by any informational storage or retrieval system, without express written, dated and signed permission from the creator.

Course Main Objectives
1. Basics of ethical hacking
2. Footprinting and scanning
3. Techniques for system hacking
4. Malware and their attacks, and how to detect and prevent them
5. Signatures of different attacks, and how to prevent them
6. Detecting and preventing security attacks in different environments

Course Content (each topic is 4 contact hours; 64 in total)
Week    Topic
1       Basics of ethical hacking
2-4     Footprinting and scanning
5-7     Techniques for system hacking
8-9     Malware and their attacks; detection and prevention
10-12   Signatures of different attacks and their prevention
13-15   Detecting and preventing security attacks in different environments
16      Review

Students Assessment Activities
No   Assessment activity*         Timing (week)      Percentage of total score
1    Midterm 1                    7-8                15%
2    Midterm 2                    14-15              15%
3    Quizzes                      4-11               10%
4    Participation                weekly             10%
5    Labs                         16                 10%
6    Final written examination    End of semester    40%
* Assessment activities: written test, oral test, oral presentation, group project, essay, etc.
References and Learning Resources

Essential References
1. Gray Hat Hacking: The Ethical Hacker's Handbook, 3rd Edition, by Shon Harris, Gideon Lenkey, Allen Harper, Jonathan Ness and Chris Eagle (2011, trade paperback).
2. The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, by Patrick Engebretson, Syngress, 2nd edition.
3. Hands-On Ethical Hacking and Network Defense, by James Corley, Kent Backman and Michael Simpson.

Supportive References
Codecademy - Python: https://www.codecademy.com/tracks/python

Open-source software and learning websites
https://hackaday.com/

Electronic Materials
https://breakthesecurity.cysecurity.org/
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
https://www.hackthissite.org

Other Learning Materials
PowerPoint, videos

Chapter 2: Footprinting and Scanning

What is Ethical Hacking?
Ethical hacking is identifying weaknesses in computer systems and/or computer networks and coming up with countermeasures that protect against those weaknesses. Ethical hackers must abide by the following rules:
1. Get written permission from the owner of the computer system and/or network before hacking.
2. Protect the privacy of the organisation being tested.
3. Transparently report all identified weaknesses in the computer system to the organisation.
4. Inform hardware and software vendors of the identified weaknesses.

Phases in Hacking
Hacking is usually not a one-step activity but a process consisting of several phases. There are five phases:

Phase 1: Reconnaissance
Reconnaissance, or footprinting, involves gathering preliminary data or intelligence on the target organisation so that the attacker can plan the attack.

Phase 2: Scanning
This phase uses technical tools to gather more detailed intelligence on the systems and applications on the target organisation's network.
An example is the use of a vulnerability scanner to collect information on the weaknesses present in the target network.

Phase 3: Gaining Access
In this phase an attacker gains control of one or more network devices and uses them to obtain data from the target system or network. The compromised device may also be used to launch further attacks on other systems and networks.

Phase 4: Maintaining Access
The attacker uses this phase to maintain a presence on the target network and gather as much information as possible. The attacker must remain stealthy to avoid detection.

Phase 5: Covering Tracks
The final phase requires the attacker to remove all traces of their activity and return the system to its previous state, so that the administrators of the host network do not detect the intrusion.

Footprinting
Footprinting is the process of gathering information about the target network in order to find the weaknesses that may be used to exploit the system. It involves profiling an organisation to collect information about the systems, network and people associated with it. An ethical hacker spends a lot of time gathering information about the target organisation's computer systems and uses this information to penetrate the network.
Footprinting enables an ethical hacker to learn as much as possible about a system: its ports and services, its security capabilities and whether it supports remote access.

Why businesses use footprinting
Businesses use footprinting to identify vulnerabilities so that they can address them and make changes to business policy.

Footprinting enables an ethical hacker to achieve the following purposes:
Know the security posture: data gathered during footprinting reveals the security posture of the company, such as the presence of a firewall or IDS/IPS and the security configuration of applications.
Reduce the attack surface: footprinting lets the tester identify and focus on a specific range of systems, significantly reducing the time and effort required for penetration testing.
Identify vulnerabilities: footprinting gives hackers and security professionals additional knowledge about the vulnerabilities and threats in the target network and the kinds of exploits that may be launched against it.
Draw a network map: it helps map the networks in the target environment, including the topology, trusted routers, firewalls and servers.

What Information Is Collected in Footprinting?
The goal of footprinting is to gather as much information about the target as possible in order to increase the likelihood of success when planning and executing an attack. This includes identifying security weaknesses and gathering contact information for system administrators and other users who may access sensitive data. During footprinting, the following types of information may be collected:

Network topology: identifying the IP addresses and hostnames of the systems on the network and mapping the connections among them.
Operating systems and applications: information about the target's operating systems and applications can be used to identify potential security vulnerabilities. For example, if a company runs an outdated version of Windows, it may be exposed to attacks that do not work against newer, patched versions.
User accounts: footprinting can reveal usernames (and, where they have leaked publicly, passwords) for accounts on the target system, which is helpful in the later stages of an attack.
Web servers: the servers' software versions, installed modules and enabled features.

Other information that can be collected includes:
1. Details about the organisation, its employees and their email addresses.
2. Relationships with other companies.
3. Projects involving other companies.
4. Legal documents of the company.
5. News relating to the company's website.
6. Patents and trademarks.
7. Important dates for new projects.

Types of Footprinting
There are two types: active footprinting and passive footprinting.

Active footprinting
Active footprinting uses tools and techniques that send traffic to the target, such as traceroute or a ping sweep (an ICMP echo sweep), to collect data about it. Because the packets reach the target's network, this often triggers the target's intrusion detection system (IDS); it takes a certain level of stealth and creativity to evade detection.

Passive footprinting
As the name implies, passive footprinting collects data about the target using innocuous methods that never touch its systems: Google searches, looking through Archive.org, browsing employees' social media profiles, looking at job sites and querying Whois, the registry service that records who registered a domain name and which network blocks are allocated to an organisation. It is the stealthier approach because it does not trigger the target's IDS. NeoTrace is sometimes listed here as well, but it is a graphical traceroute that sends packets towards the target, so strictly it is an active technique.
Passive footprinting is a way of collecting information about a system remotely, without the attacker engaging the target computer on the network directly.

How to Identify and Mitigate Gaps in Your Security Program: https://www.youtube.com/watch?v=ESr5vu4W1iA

How do you start footprinting?
Reconnaissance is closely related to footprinting and is a crucial part of the initial hacking exercise. In its passive form it collects data about the target's potential vulnerabilities and flaws to exploit during penetration testing. Footprinting starts with determining the location and objective of an intrusion. Once ethical hackers identify a specific target, they gather information about the organisation using non-intrusive methods, such as reading the organisation's own web pages, personnel directory or employee bios.

Steps in Footprinting
Several steps need to be followed during footprinting to collect all relevant information:
1. Identifying targets: the first step is to identify which systems or organisations to footprint, by scanning networks for open ports or by performing reconnaissance with Google searches and tools like Shodan.
2. Gathering information: after the target has been identified, gather as much information about it as possible using tools like Nmap, Netcat and Whois to identify open ports and services, web server information, domain ownership, exposed usernames and more.
3. Analysing results: once all relevant data has been collected, it is analysed to determine the most vulnerable points, by identifying common weaknesses across multiple systems or comparing results against known exploits.
4. Planning attacks: the final step is to use the information gathered during footprinting to plan a successful attack against the target's systems, networks and devices. This may involve developing custom exploits or choosing a suitable attack vector based on the data collected.

Sources of Information Gathering

Social media: many people post personal information online. Some of it is sensitive, and hackers can use it to launch attacks against unsuspecting social media users. For example, hackers may create a fake account using stolen details of genuine individuals and use it to defraud or extract personal information from other users.

Job websites: job postings give details of available positions as well as personal and technical requirements. The technical requirements may reveal the operating systems, network devices and hardware the organisation uses, and give a hacker an idea of its systems and network configuration. Hackers can use this to determine vulnerabilities in that hardware and software and build a list of possible attacks that take advantage of them.

Search engines: hackers use search engines such as Google to carry out detailed searches on an individual or on devices. With the right keywords an attacker can find personal information such as an address, phone number or net worth. A hacker can also use an approach known as Google hacking, which combines basic search techniques with advanced operators such as inurl:, allinurl: and filetype: to locate exposed files, pages and internet-enabled devices. For example, the search string inurl:"ViewerFrame?Mode=" returns the web interfaces of publicly exposed network cameras.
The site: operator restricts results to a specified site, and the link: operator (which Google has since retired) returned pages that link to a given URL. Google's advanced search features let a hacker find websites affiliated with the target: affiliate sites belong to vendors, suppliers and clients and contain back-links to the victim's website.

Google Groups: Google Groups contain a wide array of publicly available personal information, such as domain names, IP addresses and usernames. Members share a lot of information there, some of which may relate to system and network security.

Social engineering: this approach uses various forms of human interaction to obtain information from the targets of an attack.

Organisation's website: organisations use their websites to share information with clients, customers and the general public. This is the best place for an attacker to begin learning about product and service offerings as well as the names, roles, email addresses and telephone numbers of key personnel.

Web crawling: web crawling involves mirroring a website, downloading all its publicly accessible files so that the hacker can examine the target site offline. The saved copy can reveal the configuration and layout of the site, its files and directories, the source code of its pages, names and addresses of IT employees, and comments about the workings of the code.

Using NeoTrace: NeoTrace is a tool that provides path information between a source and a remote site, producing a graphical display of the route between the attacker and the remote site. Its GUI displays information on every intermediate node, including IP address, contact information and location.
Whois: hackers use Whois to obtain information about a domain name, its registrant's email address and the domain owner. It is a tool for website footprinting: it lets a hacker trace who is behind a website.

Advantages of Footprinting
Hackers use footprinting to learn the basic security configuration of a target machine or network. It also provides information about network routes and data flow. It simplifies the hacking process: a hacker who finds vulnerabilities can focus on specific attacks against the target machine. It reduces the attack surface, allowing the hacker to identify which machines are most vulnerable and can be attacked most easily.

Scanning
Scanning represents the active phase of reconnaissance. It involves probing the target network or system to identify live hosts, open ports and active services, giving ethical hackers real-time insight into the target's vulnerabilities. Scanning refers to the use of more complex and aggressive reconnaissance techniques to identify live hosts, ports and services, as well as the operating system and architecture of a target system. This lets the hacker understand the vulnerabilities and threats present in the network.
This methodology involves two main activities:

Check for live systems: a ping scan sends ICMP echo request packets to discover systems that are active on the network. A reachable system that is allowed to answer replies with an ICMP echo reply, from which the scanner records details such as the packet size and Time-to-Live (TTL). A host that does not reply is not necessarily down: many firewalls and host configurations drop inbound echo requests.

Check for open ports: this discovers open ports, the services running on them, their versions and so on. NetScan Tools Pro and Nmap are powerful tools used mainly for this purpose. An ethical hacker uses a network analyser such as Wireshark to monitor the traffic on open ports.

Phases in Scanning
The phases an ethical hacker goes through in scanning a network are:
1. Detect live systems
2. Look for open ports
3. Find the running services
4. Identify the operating system (OS footprinting)
5. Scan for vulnerabilities
6. Document details and draw the network diagram
7. Prepare proxies to avoid being caught
8. Proceed with exploitation

How does a pair of computers or devices establish communication?

TCP 3-Way Handshake Process
Transmission Control Protocol (TCP) provides a reliable (though not, by itself, secure or encrypted) connection between two devices using the 3-way handshake. TCP uses a full-duplex connection in which the two sides synchronise (SYN) and acknowledge (ACK) each other. Establishing a connection takes three segments: SYN, SYN-ACK and ACK. The close is described below in three steps as well, with the server combining its FIN and ACK; in practice each side sends its own FIN, and the server's ACK and FIN are often separate segments, making four.

3-Way Handshake Connection Establishment Process
The following diagram shows how a reliable connection is established using the 3-way handshake. It supports communication between a web browser on the client side and a web server whenever a user navigates the Internet.
Synchronisation sequence number (SYN): the client sends a SYN to the server
When the client wants to connect to the server, it sends a segment with the SYN flag set to 1. The segment carries an initial sequence number (a 32-bit, effectively random number); at this point the ACK flag is 0. The maximum segment size (MSS) and the receive window size are also advertised. For example, if the window size is 1000 bytes and the maximum segment size is 100 bytes, then at most 10 full-size data segments (1000/100 = 10) can be in flight before an acknowledgment is required.

Synchronisation and acknowledgment (SYN-ACK) to the client
The server acknowledges the client's request by setting the ACK flag to 1. The acknowledgment number confirms the segment it received, and the server's own SYN announces the sequence number with which it will start its segments. For example, if the client sent its SYN with sequence number 500, the server replies with acknowledgment number 501: the SYN consumes one sequence number, so the next byte the server expects is 500 + 1. The server sets the SYN flag to 1 in the same segment if it also wants to establish the connection; its sequence number is chosen independently of the client's. The server also advertises its window size and maximum segment size to the client. At this point the connection is half-open: the client-to-server direction has been synchronised, but the server's SYN has not yet been acknowledged.

Acknowledgment (ACK) to the server
The client sends an acknowledgment (ACK) to the server after receiving the server's SYN. Once the server receives this ACK, the connection is established and data can flow in both directions.

3-Way Handshake Closing Connection Process
To close the connection, first the client asks the server to terminate the established connection by sending a FIN.
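The establishment steps above, together with the FIN close that the following steps complete, simulated segment by segment as an added example (this is not code from the slides; it models only the sequence and acknowledgment arithmetic, with the hypothetical sides "client" and "server" and no real sockets):

```python
"""TCP connection establishment and teardown, simulated segment by segment.

Added example, not from the lecture slides. It models sequence/acknowledgment
arithmetic only: no retransmission, no real sockets. The session helper assumes
the client sends `client_bytes` and the server `server_bytes` of data before
the client initiates the close.
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    flags: tuple      # e.g. ("SYN",), ("SYN", "ACK"), ("FIN", "ACK")
    seq: int
    ack: int          # meaningful only when "ACK" is in flags
    length: int = 0   # payload bytes carried by this segment
    window: int = 0   # receive window advertised by the sender, in bytes
    mss: int = 0      # maximum segment size, advertised on SYN segments

    def describe(self) -> str:
        return (f"{self.src} -> {self.dst} [{'+'.join(self.flags)}] "
                f"seq={self.seq} ack={self.ack} len={self.length} "
                f"win={self.window} mss={self.mss}")


def three_way_handshake(client_isn, server_isn, client_win=65535,
                        server_win=65535, mss=1460):
    """Return the SYN, SYN-ACK and ACK segments. A SYN occupies one sequence
    number, so the peer acknowledges isn + 1 (isn 500 -> ack 501, not 5001)."""
    syn = Segment("client", "server", ("SYN",), seq=client_isn, ack=0,
                  window=client_win, mss=mss)
    syn_ack = Segment("server", "client", ("SYN", "ACK"), seq=server_isn,
                      ack=(client_isn + 1) & MASK32, window=server_win, mss=mss)
    ack = Segment("client", "server", ("ACK",), seq=(client_isn + 1) & MASK32,
                  ack=(server_isn + 1) & MASK32, window=client_win)
    return [syn, syn_ack, ack]


def close_connection(client_next, server_next):
    """Three-step close as the slides describe it (server combines FIN and ACK).
    client_next/server_next are each side's next sequence number when the
    close starts; a FIN, like a SYN, consumes one sequence number."""
    fin = Segment("client", "server", ("FIN", "ACK"), seq=client_next, ack=server_next)
    fin_ack = Segment("server", "client", ("FIN", "ACK"), seq=server_next,
                      ack=(client_next + 1) & MASK32)
    last_ack = Segment("client", "server", ("ACK",), seq=(client_next + 1) & MASK32,
                       ack=(server_next + 1) & MASK32)
    return [fin, fin_ack, last_ack]


def simulate_session(client_isn, server_isn, client_bytes=0, server_bytes=0):
    """Full life cycle: handshake, one data segment per side, close."""
    segments = three_way_handshake(client_isn, server_isn)
    client_next = (client_isn + 1) & MASK32   # next seq after the SYN
    server_next = (server_isn + 1) & MASK32
    if client_bytes:
        segments.append(Segment("client", "server", ("PSH", "ACK"),
                                seq=client_next, ack=server_next, length=client_bytes))
        client_next = (client_next + client_bytes) & MASK32  # data advances seq
    if server_bytes:
        segments.append(Segment("server", "client", ("PSH", "ACK"),
                                seq=server_next, ack=client_next, length=server_bytes))
        server_next = (server_next + server_bytes) & MASK32
    segments += close_connection(client_next, server_next)
    return segments


def segments_per_window(window_bytes, mss):
    """Full-size segments the advertised window allows in flight before an
    acknowledgment is needed (1000-byte window, 100-byte MSS -> 10)."""
    return window_bytes // mss


def acknowledgments_consistent(segments):
    """Check that each ACK acknowledges exactly what its peer has sent so far:
    the invariant a stateful firewall or IDS enforces when it tracks TCP."""
    next_seq = {}  # side -> sequence number its peer should acknowledge next
    for seg in segments:
        if "ACK" in seg.flags and seg.ack != next_seq.get(seg.dst):
            return False
        consumed = seg.length + sum(f in ("SYN", "FIN") for f in seg.flags)
        next_seq[seg.src] = (seg.seq + consumed) & MASK32
    return True


if __name__ == "__main__":
    for seg in simulate_session(500, 9000, client_bytes=120, server_bytes=3000):
        print(seg.describe())
```

Running the block prints the eight segments of a session whose client starts at sequence number 500, and `acknowledgments_consistent` rejects an exchange in which a SYN-ACK carries the wrong acknowledgment number.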
Closing the connection, continued: after receiving the client's FIN, the server sends back its own FIN together with an ACK. After receiving the FIN + ACK from the server, the client confirms by sending a final ACK to the server.

Ethical hackers use three major types of scanning:
1. Port scanning
2. Network scanning
3. Vulnerability scanning

1. Port Scanning
Port scanning is used to discover open ports on the network and the services that run on them. The process sends client requests to a range of ports on the target and records which ports respond. Ports are numbered, and each number references a specific port. There are three ranges:
1. Well-known ports: 0 to 1023
2. Registered ports: 1024 to 49151
3. Dynamic (private or ephemeral) ports: 49152 to 65535

Common Port Numbers
Port number    Service
20 and 21      FTP (data and control)
23             Telnet
25             SMTP
53             DNS
80             HTTP
110            POP3
443            HTTPS
500            IPsec (IKE)

A set of tools is used to carry out port scanning. One of the most popular is Nmap, which runs on Windows, Linux and macOS as the command-line tool nmap and with a graphical user interface (GUI) as Zenmap.

2. Network Scanning
Network scanning is one of the methods of intelligence gathering. It is a mechanism for information retrieval used by an attacker to identify active hosts, ports and the services used by the target application on a network. The technique is mainly used to find the IP addresses of hosts in the target's network. An ethical hacker uses this approach to identify the vulnerabilities in the system before a malicious hacker can use the same weaknesses to exploit the network.
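A minimal TCP connect() port scanner of the kind the port-scanning slides above describe, with the port-range classification and the service table applied to its results. This is an added example, not code from the slides or from Nmap; to stay offline it starts its own listener on 127.0.0.1 and scans that, so the listening and closed port numbers are whatever the operating system hands out at run time.

```python
"""TCP connect() port scan with port-range classification.

Added example, not from the slides or from Nmap. To run offline it starts its
own listener on 127.0.0.1 and scans that; point scan() at any host you are
authorised to test. A connect() scan completes the full three-way handshake,
so the target's service logs and IDS see every probe.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Service names from the slide table (a constructed subset, not the IANA registry)
COMMON_SERVICES = {20: "FTP data", 21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS",
                   80: "HTTP", 110: "POP3", 443: "HTTPS", 500: "IPsec/IKE"}


def port_class(port):
    """Classify a port number into the three IANA ranges from the slides."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def probe(host, port, timeout=0.5):
    """Probe one TCP port. 'open' = handshake completed, 'closed' = RST received,
    'filtered' = no answer before the timeout or unreachable (typically a
    firewall silently dropping the SYN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout and network errors both land here
            return "filtered"


def scan(host, ports, workers=32):
    """Scan `ports` concurrently; returns {port: {state, class, service}}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    return {p: {"state": s, "class": port_class(p),
                "service": COMMON_SERVICES.get(p, "unknown")}
            for p, s in zip(ports, states)}


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral port and accept connections in the background.
    Returns (port, stop_event, server_socket)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(16)
    server.settimeout(0.1)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = server.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:  # socket closed from the main thread
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return server.getsockname()[1], stop, server


def free_port(host="127.0.0.1"):
    """Find a port nothing is listening on (bind to 0, read back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo():
    """Start a listener, scan it plus a known-closed port and two well-known
    ports, tear down; returns (listening_port, closed_port, results)."""
    listening, stop, server = start_listener()
    closed = free_port()
    try:
        results = scan("127.0.0.1", [listening, closed, 80, 443])
    finally:
        stop.set()
        server.close()
    return listening, closed, results


if __name__ == "__main__":
    _, _, found = demo()
    for port, info in sorted(found.items()):
        print(f"{port:5d}/tcp {info['state']:8s} {info['class']:11s} {info['service']}")
```

Against a real target the same `scan()` call is what an IDS sees as a burst of completed handshakes from one source, which is why Nmap's default SYN scan (half-open, needing raw sockets) is quieter in service logs, though not invisible to a packet-level sensor.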
Network scanning can be done using tools or scripts to probe all IP addresses on the network and obtain a list of the active nodes and their IP addresses.

Objectives of Network Scanning
1. To detect active hosts, their IP addresses and open ports.
2. To detect the services that are running on a device.
3. To identify the operating system and architecture of the target system or network.
4. To identify and address vulnerabilities in active hosts.

Nmap for Network Scanning
Nmap is a free and open-source tool for network scanning. You can scan a network with Nmap by giving it the target's IP address, address range or hostname.

Nessus for Network Scanning
Nessus is one of the most potent tools for vulnerability scanning.

3. Vulnerability Scanning
Vulnerability scanning is the proactive and automated identification of vulnerabilities in a system or network. Pen-testers use this technique to gauge the likelihood of network security attacks. Vulnerability scanning identifies weaknesses due to application programming errors or network misconfiguration, and can detect weaknesses such as unnecessary services, missing updates, weak authentication or weak encryption algorithms. You should compile a list of the vulnerabilities found during scanning. Note that vulnerability scanning relies on automated tools with an up-to-date vulnerability database: the scanner normally needs internet access to fetch plugin and signature updates, and network reachability to every target it is to assess.

Tools and Steps Used for Vulnerability Scanning
You can perform a manual ICMP (Internet Control Message Protocol) probe by following these steps:
1. Open Windows.
2. Press Win+R to open the Run dialog.
3. In the Run dialog, type cmd.
4. At the prompt, type: ping <IP address> or ping <domain name>

Ping
Ping works by sending an ICMP echo request to the target's domain name or IP address. The target responds with an ICMP echo reply if it is active and allowed to answer. This also tells a hacker whether ICMP requests can pass through a firewall.
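The ping procedure above produces text that a tester then has to turn into a list of live hosts. The following is an added example (not from the slides) that parses Windows- and Linux-style ping output into live/not-live facts, observed TTL and round-trip time, and applies the common default-TTL rule of thumb (64 for Linux/Unix-like, 128 for Windows, 255 for many routers) as a first OS guess; the sample outputs are constructed, and the heuristic is an assumption to be confirmed by a real OS-detection scan.

```python
"""Parse ping output into live-host facts.

Added example, not from the slides. The sample outputs below are constructed
to resemble Windows and Linux ping. The initial-TTL heuristic is a rule of
thumb, not a fingerprint, and a host that never answers may simply sit behind
a firewall that drops ICMP echo requests.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

IP_RE = re.compile(r"(?:Reply from|bytes from) (\d{1,3}(?:\.\d{1,3}){3})")
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)
RTT_RE = re.compile(r"\btime[=<]([\d.]+)\s*ms", re.IGNORECASE)  # "time<1ms" counted as 1

# Default initial TTLs by OS family (assumed heuristic); each router hop decrements by one
DEFAULT_TTLS = ((64, "Linux/Unix-like"), (128, "Windows"), (255, "network device / Solaris"))


@dataclass
class HostResult:
    target: str
    replies: int = 0
    failures: int = 0              # timeouts and "unreachable" notices
    ttl: Optional[int] = None
    rtts_ms: list = field(default_factory=list)

    @property
    def live(self) -> bool:
        return self.replies > 0


def guess_os(ttl):
    """Map an observed TTL to the nearest default initial TTL at or above it;
    returns (family, estimated hops)."""
    for initial, family in DEFAULT_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", None


def parse_ping(target, output):
    """Parse one host's ping output. Only lines that carry a TTL count as echo
    replies: a Windows 'Reply from <gateway>: Destination host unreachable.'
    names an IP but is a failure, not a reply from the target."""
    result = HostResult(target)
    for line in output.splitlines():
        ttl = TTL_RE.search(line)
        if IP_RE.search(line) and ttl:
            result.replies += 1
            result.ttl = int(ttl.group(1))
            rtt = RTT_RE.search(line)
            if rtt:
                result.rtts_ms.append(float(rtt.group(1)))
        elif "timed out" in line.lower() or "unreachable" in line.lower():
            result.failures += 1
    return result


def sweep(outputs):
    """outputs: {target_ip: ping_output}. Returns a summary per target."""
    summary = {}
    for target, text in outputs.items():
        r = parse_ping(target, text)
        family, hops = guess_os(r.ttl) if r.ttl is not None else ("unknown", None)
        avg = round(sum(r.rtts_ms) / len(r.rtts_ms), 3) if r.rtts_ms else None
        summary[target] = {"live": r.live, "replies": r.replies, "failures": r.failures,
                           "ttl": r.ttl, "os_guess": family, "hops": hops, "avg_rtt_ms": avg}
    return summary


# Constructed sample outputs, not captured from real hosts
SAMPLE_OUTPUTS = {
    "192.168.1.10": ("Pinging 192.168.1.10 with 32 bytes of data:\n"
                     "Reply from 192.168.1.10: bytes=32 time=1ms TTL=128\n"
                     "Reply from 192.168.1.10: bytes=32 time<1ms TTL=128\n"),
    "10.0.0.5": ("PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.\n"
                 "64 bytes from 10.0.0.5: icmp_seq=1 ttl=63 time=0.321 ms\n"
                 "64 bytes from 10.0.0.5: icmp_seq=2 ttl=63 time=0.297 ms\n"),
    "10.0.0.9": ("Pinging 10.0.0.9 with 32 bytes of data:\n"
                 "Request timed out.\nRequest timed out.\n"),
    "10.0.0.12": ("Pinging 10.0.0.12 with 32 bytes of data:\n"
                  "Reply from 10.0.0.1: Destination host unreachable.\n"),
}

if __name__ == "__main__":
    for host, info in sweep(SAMPLE_OUTPUTS).items():
        state = "live" if info["live"] else "no reply"
        print(f"{host:14s} {state:9s} ttl={info['ttl']} guess={info['os_guess']} hops={info['hops']}")
```

Note that 10.0.0.9 and 10.0.0.12 are reported as "no reply", not "down": the next step for such hosts is a TCP probe of a few common ports, because a firewall that drops echo requests often still lets port 80 or 443 through.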
Most organisations block inbound ICMP echo requests at the perimeter to frustrate such probing, so a missing reply does not prove that a host is down. See Figure 9 for an illustration of the ICMP probe.

Nessus is a popular tool for ping scanning and a powerful scanner that can identify many vulnerabilities on the target. The tool helps in data collection, identification of live hosts, port scanning and preparation of the vulnerability report. Nessus can detect vulnerabilities in databases and provides a brief description of each vulnerability, together with its risk level or severity.

Lab 1
Duration: 28.55 minutes. Mark: 3. Each student is required to watch this content, practise it and then write a report on their practice.
Footprinting and Scanning: https://www.youtube.com/watch?v=8Vn5VKXL6fw

Online Quiz 1 (5 marks): next week

References:
https://www.techtarget.com/searchsecurity/definition/footprinting
https://www.linkedin.com/pulse/footprinting-scanning-cybersecurity-unveiling-secrets-willy-tchuilenqx7zc/
https://www.eccouncil.org/cybersecurity-exchange/penetration-testing/footprinting-steps-penetrationtesting/
CST 804, Course Title: Ethical Hacking and Penetration Testing, ACETEL.
https://www.tutorialspoint.com/tcp-3-way-handshake-process
https://medium.com/@kusal95/tcp-3-way-handshake-process-1fd9a056a2f4