Lecture 3_merged.pdf
King Abdulaziz University
Reconnaissance and Footprinting [Social Engineering]
CYB234, Lecture 3

Lecture Objectives
▪ Define what social engineering is
▪ Understand social engineering attack techniques
▪ Perform a social engineering attack using SEToolkit

What is social engineering
Social engineering refers to all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.

Social engineering attack techniques
▪ Phishing attacks
▪ DNS spoofing and cache poisoning attacks
▪ Scareware attacks
▪ Watering hole attacks
▪ Physical social engineering
▪ USB baiting

Phishing Attacks
Phishing attackers pretend to be a trusted institution or individual in an attempt to persuade you to expose personal data and other valuables. Common variants:
▪ Voice phishing (vishing)
▪ SMS phishing (smishing)
▪ Email phishing
▪ Angler phishing
▪ Search engine phishing
▪ URL phishing

DNS Spoofing and Cache Poisoning Attacks
DNS spoofing manipulates name resolution so that your browser is sent to a malicious website when you enter a legitimate URL. Once a system is infected with this exploit, the redirect continues until the inaccurate routing data is cleared from the systems involved. DNS cache poisoning attacks specifically plant routing instructions on your device so that a legitimate URL, or several URLs, connect to fraudulent websites.

Scareware Attacks
Scareware is a form of malware used to frighten you into taking an action. This deceptive malware uses alarming warnings that report fake malware infections or claim that one of your accounts has been compromised.

Watering hole attacks
Watering hole attacks infect popular webpages with malware to impact many users at a time. They require careful planning on the attacker's part to find weaknesses in specific sites. Attackers look for existing vulnerabilities that are not yet known or patched; such weaknesses are called zero-day exploits.
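The URL phishing variant listed above relies on links that look trustworthy at a glance. The following Python is an added example, not part of the lecture slides: a small function that reports the common URL-level phishing indicators a mail gateway or link scanner checks for (credentials placed before an "@" so the trusted name appears first, a raw IP address as the host, punycode labels, a protected brand name appearing outside the registrable domain, and a login page served over plain HTTP). The PROTECTED_BRANDS list and the "last two labels" approximation of the registrable domain are assumptions made for the example; a production check would use the public suffix list.

```python
"""Heuristic URL phishing indicators (added example; not from the lecture)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical list of brand names an organisation wants to protect (constructed).
PROTECTED_BRANDS = ("examplebank", "paypal")

# Path/query words that suggest a credential-harvesting page (constructed list).
CREDENTIAL_WORDS = ("login", "verify", "password")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: real code should consult the
    public suffix list so that hosts like 'bank.co.uk' are handled.
    """
    return ".".join(host.split(".")[-2:])


def url_indicators(url):
    """Return the list of phishing indicators found in `url` ([] means none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    indicators = []

    if parts.scheme not in ("http", "https"):
        indicators.append("unusual-scheme")

    # "http://www.examplebank.com@203.0.113.5/" displays the trusted name first,
    # but everything before '@' is userinfo; the real host is after it.
    if parts.username is not None:
        indicators.append("userinfo-in-url")

    # A literal IP address instead of a name is rare for legitimate login pages.
    try:
        ipaddress.ip_address(host)
        indicators.append("ip-address-host")
    except ValueError:
        pass

    # Punycode labels (xn--) can hide homoglyph look-alikes of a brand name.
    if "xn--" in host:
        indicators.append("punycode-label")

    labels = host.split(".")
    if len(labels) > 4:
        indicators.append("excessive-subdomains")

    # Brand name present in the host but not as the registrable domain itself,
    # e.g. examplebank.com.account-verify.test or examplebank-secure.com.
    reg = registrable_domain(host)
    for brand in PROTECTED_BRANDS:
        if brand in host and not reg.startswith(brand + "."):
            indicators.append("brand-lookalike:" + brand)

    # Credential pages should never be served over plain HTTP.
    target = (parts.path + "?" + parts.query).lower()
    if parts.scheme == "http" and any(w in target for w in CREDENTIAL_WORDS):
        indicators.append("credential-page-over-http")

    return indicators


if __name__ == "__main__":
    # Constructed sample URLs; the IPs are documentation ranges, not real hosts.
    for sample in (
        "https://www.examplebank.com/login",
        "http://www.examplebank.com@203.0.113.5/login",
        "https://examplebank.com.account-verify.test/",
    ):
        print(sample, "->", url_indicators(sample) or "no indicators")
```

A clean result from this function is not proof that a link is safe; it only means none of these cheap structural checks fired. Treat the output as one signal to combine with reputation data and with whether the destination matches the sender's real domain.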
Physical social engineering
Certain people in your organization, such as help desk staff, receptionists, and frequent travelers, are more at risk from physical social engineering attacks, which happen in person. The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks. Employees in positions at higher risk for social engineering attacks may benefit from specialized training on physical social engineering attacks.
Example: Tailgating attacks. Tailgating, or piggybacking, is the act of trailing an authorized staff member into a restricted-access area.

Baiting
Baiting abuses your natural curiosity to coax you into exposing yourself to an attacker. Typically, the prospect of something free or exclusive is the manipulation used to exploit you. The attack usually involves infecting you with malware. Popular methods of baiting include:
▪ USB drives left in public spaces, like libraries and parking lots.
▪ Email attachments including details on a free offer, or fraudulent free software.

Active Reconnaissance Techniques
Because in passive reconnaissance the attacker never actually connects to the target system, it is impossible for an intrusion detection system (IDS) to detect it. Active scans are far more reliable but may be detected by the target system. Types of active scans and tools:
▪ Port scanning
▪ Enumeration
▪ Wireshark
▪ Maltego
▪ OSINT tools

Lab 3: SEToolKit

Introduction to Penetration Testing
CYB234, Lecture 1

Lecture Objectives
▪ Understand what penetration testing is.
▪ Understand penetration testing methodologies.
▪ Understand various penetration testing approaches.
▪ Have a strong understanding of the ethics of penetration testing.
▪ Comprehend legal issues associated with penetration testing.
What Is Penetration Testing
A penetration test is the use of actual hacking techniques in order to test the security of a target system. Hacking is the process of attempting to understand a system by finding and exploiting flaws in that system. The goal of penetration testing is to attempt to exploit flaws in a target system. How does penetration testing differ from hacking?

Terminology
▪ Ad hoc testing: Testing carried out with no systematic approach or methodology.
▪ Hacker: One who tries to learn about a system by examining it in detail, by reverse-engineering or probing the system. Hackers are not necessarily criminals.
▪ Black hat hacker: A hacker who does break the law.
▪ Cracker: One who breaks into a system in order to do something malicious, illegal, or harmful. Synonymous with black hat hacker.
▪ Ethical hacker: Someone who uses hacking techniques for legal and ethical purposes.
▪ Footprinting: Scanning a target to learn about that target.
▪ Gray hat hacker: A hacker who usually obeys the law but in some instances will cross the line into black hat hacking.
▪ Script kiddy: A slang term for an unskilled person who purports to be a skilled hacker.
▪ White hat hacker: A hacker who does not break the law; often synonymous with ethical hacker.

Methodologies
Methodology is one of the key elements that separate penetration testing from hacking. There are three broad categories of penetration testing, usually termed black box, white box, and gray box.

Black Box
A black box test involves the penetration tester having as little information about the target network as possible, perhaps only the organization's name and the URL or IP address of its gateway router. The goal of such tests is to simulate an external attacker attempting to breach the network. The most significant drawback to this approach is that it will always be more costly. It takes significantly more time to conduct a black box test, because the penetration tester must first learn about the target network.

White Box
This approach to penetration testing involves the tester having extensive knowledge of the target system. This will include the following:
▪ IP addresses of workstations and servers
▪ Operating system information for computers
▪ IP addresses for switches and routers
▪ Information regarding security devices such as firewalls and intrusion detection systems
The tester will have no need for a discovery or scanning phase, and will often have specific targeted items to test. The main disadvantage involves the use of internal staff,

Gray Box
The tester is given some network information but not all of it. The penetration tester is given whatever system information is readily available, with no need for an exhaustive assembly of all information.

Ethical Issues
A penetration tester is literally being asked to attempt to hack into a network. That requires a high level of ethics. During a penetration test you will see a great deal of private information. That is inevitable if you are able to successfully breach the organization's network. Everything is confidential.

Ethical Issues: Saudi Arabia
Saudi Arabia has the Anti-Cyber Crime Law (Royal Decree No. M/17 dated 8 Rabi1 1428). Article 6 of that law provides for up to 5 years in prison and fines equivalent to about 800,000 U.S. dollars for a range of offences including "production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, and privacy, through the information network or computers."

Certifications
▪ CEH: Certified Ethical Hacker
▪ GPEN: GIAC Penetration Tester
▪ OSCP: Offensive Security Certified Professional
▪ Mile2: Mile2 security training
▪ CISSP: Certified Information Systems Security Professional

Penetration Testing Stages
▪ Reconnaissance
▪ Scanning
▪ Gain Access
▪ Maintain Access
▪ Clearing Tracks
▪ Reporting

Reconnaissance
The first penetration testing phase is reconnaissance. In this phase, the tester gathers as much information about the target system as they can, including information about the network topology, operating systems and applications, user accounts, and other relevant information. The goal is to gather as much data as possible so that the tester can plan an effective attack strategy. Reconnaissance can be categorized as either active or passive, depending on what methods are used to gather information.

Scanning
Once all the relevant data has been gathered in the reconnaissance phase, it is time to move on to scanning. In this penetration testing phase, the tester uses various tools to identify open ports and check network traffic on the target system. Because open ports are potential entry points for attackers, penetration testers need to identify as many open ports as possible for the next penetration testing phase. This step can also be performed outside of penetration testing; in those cases, it is referred to simply as vulnerability scanning and is usually an automated process.

Gain Access
The gaining access phase of hacking is the point where the hacker gets control over an operating system, application or computer network. The control gained by the attacker defines the access level, such as operating system level, application level or network level access. Techniques such as password cracking, denial of service, session hijacking or buffer overflow are used to gain unauthorized access. After accessing the system, the attacker escalates privileges to obtain complete control over services and processes and to compromise connected intermediate systems.

Maintain Access and Escalation of Privileges
The maintaining access phase is the point when an attacker is trying to maintain access, ownership and control over the compromised systems. Similarly, the attacker prevents the system from being owned by any other hacker. They use backdoors, rootkits or Trojans to retain their ownership. In this phase, an attacker may steal information by uploading it to a remote server, download any file to the resident system, and manipulate data and configuration. To compromise other systems, the attacker uses this compromised system to launch attacks.

Clearing Tracks
An attacker must hide their identity by covering their tracks. Covering tracks refers to the activities carried out to hide the malicious activities. Covering tracks is essential for an attacker to fulfil their intentions: continuing access to the compromised system, remaining undetected, gaining what they want, and wiping all evidence that indicates their identity. To manipulate the identity and evidence, the attacker overwrites the system, application, and other related logs to avoid suspicion.

Reporting
The report generated in this final penetration testing phase can be used to fix any vulnerabilities found in the system and improve the organization's security posture.
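The Scanning phase above probes for open ports, and the Active Reconnaissance slides note that such active scans can be detected by the target. The Python below is an added example, not from the lecture: it parses a constructed, hypothetical firewall drop log and reports any source that touched at least min_ports distinct destination ports on one host inside a sliding window of window_seconds, which is the basic signal an IDS uses to flag a port scan. The log format, the addresses (documentation ranges) and the thresholds are all constructed for the example.

```python
"""Port-scan detection over firewall drop logs (added example; not from the lecture)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a hypothetical format:
#   <ISO timestamp> DROP src=<ip> dst=<ip> dport=<port>
# 198.51.100.7 sweeps six ports in three seconds (a scan), then one more port
# half an hour later; 203.0.113.9 retries a single port (not a scan).
SAMPLE_LOG = """\
2024-03-01T10:00:00 DROP src=198.51.100.7 dst=192.0.2.10 dport=21
2024-03-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 dport=22
2024-03-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 dport=23
2024-03-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 dport=25
2024-03-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 dport=80
2024-03-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:05 DROP src=203.0.113.9 dst=192.0.2.10 dport=22
2024-03-01T10:05:00 DROP src=203.0.113.9 dst=192.0.2.10 dport=22
2024-03-01T10:30:00 DROP src=198.51.100.7 dst=192.0.2.10 dport=8080
"""


def parse_line(line):
    """Turn one log line into (timestamp, src, dst, dport)."""
    ts, _action, src, dst, dport = line.split()
    value = lambda field: field.split("=", 1)[1]
    return datetime.fromisoformat(ts), value(src), value(dst), int(value(dport))


def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Return {(src, dst): ports} for each source/destination pair where the
    source hit at least `min_ports` distinct ports within any `window_seconds`
    sliding window. The port set is the union of all ports seen while the
    window was over threshold."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port) inside the window
    alerts = {}
    for ts, src, dst, port in events:
        window = recent[(src, dst)]
        window.append((ts, port))
        # Drop events older than the window relative to the newest event.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        ports = {p for _, p in window}
        if len(ports) >= min_ports:
            alerts.setdefault((src, dst), set()).update(ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {sorted(ports)}")
```

The thresholds matter more than the code: a window of 60 seconds and five ports catches a naive sweep but not a scan spread over hours, which is why the lecture calls passive reconnaissance invisible to an IDS and active scanning only "may be detected". Lower min_ports raises false positives from legitimate clients that retry several services.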
Lab #1: Setting up a simple Pen Tester lab

Reconnaissance and Footprinting
CYB234, Lecture 2

Lecture Objectives
▪ Perform passive reconnaissance
▪ Perform active reconnaissance
▪ Gather information from public sources

Reconnaissance
Reconnaissance (footprinting) is the process of collecting as much information as possible about a target system, to identify the various ways to intrude into an organization's systems. One of the first steps will be to gather as much information as you can about the target network. When conducting a black box test, you will be provided very little information, and must find it all out on your own.
Reconnaissance types:
▪ Passive reconnaissance
▪ Active reconnaissance

Passive Reconnaissance Techniques
Passive reconnaissance is the process of gathering information about a target network without actually connecting to the network. We will examine some tools and techniques for performing passive reconnaissance:
▪ Netcraft
▪ BuiltWith
▪ Shodan
▪ Social media
▪ Google searching

Active Reconnaissance Techniques
Because in passive reconnaissance the attacker never actually connects to the target system, it is impossible for an intrusion detection system (IDS) to detect it. Active scans are far more reliable but may be detected by the target system. Types of active scans and tools:
▪ Port scanning
▪ Enumeration
▪ Wireshark
▪ Maltego
▪ OSINT tools

Passive Reconnaissance Techniques: Netcraft
Netcraft is a UK company that tracks websites. From this data, they are able to calculate market share for web servers, uptime, etc. Another service is data about websites. This data can be extremely valuable to the hacker.

Netcraft
https://www.netcraft.com
▪ Choose "What's that site running?"
▪ Type any website URL
▪ Then press: LOOK UP

BuiltWith
https://builtwith.com
▪ Type any website URL
▪ Then press: lookup

Shodan
https://www.shodan.io
▪ Type any website URL
▪ Then press: lookup

Google Searching
▪ Info about a site: info:http://www.google.com
▪ Find related sites: related:http://www.google.com
▪ Search the cache: cache:http://google.com search
▪ Word in URL: inurl:http://google search
▪ Restrict search to a site: site:http://somesite.net
▪ Similar items: search ~tips
▪ The OR operator: cats | dogs

Example
For example, if you are searching for information about XYZ company, and you would like insight into their company policies, you might try:
policies site:xyz.com
Or if you are specifically looking for PDF documents from that company, you could try one of the following:
policies filetype:pdf site:xyz.com

Google Advanced Search

Social Networking
▪ Social networking sites are tools to connect people.
▪ E.g., Facebook, Twitter, LinkedIn (useful for all sorts of business purposes).
Attackers use social engineering tricks to gather sensitive information from social networking websites such as Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, etc. Attackers create a fake profile on a social networking site and then use the false identity to lure employees into giving up their sensitive information.

Active Reconnaissance Techniques: Whois
▪ WHOIS databases are maintained by Regional Internet Registries (RIRs) and contain the personal information of domain owners.
▪ To grab information out of a regional Internet registry (RIR), you would use the whois program.
▪ Whois is a program that can be used on the command line on most Unix-like systems.
▪ There are also websites that have implementations of whois if you don't have a Unix-like system handy.
Whois
Information obtained from the WHOIS database assists an attacker in gathering personal information that helps to perform social engineering.
A WHOIS query returns:
▪ Domain name details
▪ Contact details of the domain owner
▪ Domain name servers
▪ When the domain was created
▪ Expiry records
▪ Records last updated
▪ Name and contact information of the registrar (the organization or commercial entity that registered the domain name)

Whois Query Example

Nslookup
▪ A tool that queries a DNS server for its host records. It is available for Linux and Windows.
▪ In the following code, you can see the use of nslookup for name resolution. The annotated parts of the output are: the name server IP; the note that the answer came from the cache, not the authoritative server; and the IP of sybex.com.

Maltego
Maltego is an open source intelligence and forensics application offering extraordinary data mining and intelligence gathering capabilities. The community version is free.

OSINT Website
https://osintframework.com provides a simple online tool whereby you can drill down on a specific search. Searches can be conducted on email addresses, domains, Bitcoin transactions, and many other items. For a penetration tester, searching a target domain will be useful.

Lab 2: Basics of Footprinting Methodologies
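The DNS spoofing slide in Lecture 3 and the nslookup slide above make the same point from two sides: a resolver can hand back a cached answer that is not what the authoritative server would say. As an added example (not part of the lecture), the Python below parses the text that nslookup prints, records whether the answer was marked non-authoritative, and compares the returned addresses against an expected set, which is how a defender would spot a poisoned cache entry for one of their own names. The two nslookup outputs, the resolver address 192.0.2.53 and the answer addresses are constructed sample data, not real records for example.com.

```python
"""Check nslookup output against expected records (added example; not from the lecture)."""

# Constructed nslookup output: the resolver at 192.0.2.53 answered from its cache,
# which nslookup marks with the "Non-authoritative answer:" header.
CACHED_ANSWER = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\twww.example.com
Address: 203.0.113.10
Name:\twww.example.com
Address: 203.0.113.11
"""

# Constructed: the same query, but the cached answer points at an address
# that is not one of the addresses the defender expects for this name.
TAMPERED_ANSWER = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\twww.example.com
Address: 198.51.100.200
"""


def parse_nslookup(text):
    """Return {'server', 'authoritative', 'name', 'addresses'} parsed from nslookup text.

    The 'Address:' line before the answer section belongs to the resolver
    (with a '#port' suffix); 'Address:' lines after 'Name:' are answers.
    """
    result = {"server": None, "authoritative": True, "name": None, "addresses": []}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("non-authoritative answer"):
            result["authoritative"] = False
            in_answer = True
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            result["server"] = value
        elif key == "address" and not in_answer:
            result["server"] = value.split("#")[0]  # strip the '#53' port suffix
        elif key == "name":
            in_answer = True  # an authoritative answer has no header, only 'Name:'
            result["name"] = value
        elif key == "address" and in_answer:
            result["addresses"].append(value)
    return result


def check_resolution(text, expected_addresses):
    """Compare the addresses in an nslookup answer with the expected set."""
    parsed = parse_nslookup(text)
    unexpected = sorted(set(parsed["addresses"]) - set(expected_addresses))
    return {
        "name": parsed["name"],
        "server": parsed["server"],
        "cached": not parsed["authoritative"],
        "unexpected": unexpected,
        "ok": bool(parsed["addresses"]) and not unexpected,
    }


if __name__ == "__main__":
    expected = {"203.0.113.10", "203.0.113.11"}  # constructed expected records
    for label, output in (("cached", CACHED_ANSWER), ("tampered", TAMPERED_ANSWER)):
        print(label, check_resolution(output, expected))
```

When the check reports an unexpected address, re-run the lookup directly against the domain's authoritative name server (nslookup accepts the server as a second argument) before concluding that the cache was poisoned; if only the cached answer is wrong, clearing the resolver's cache removes the bad entry, which is the "cleared from the systems involved" step the DNS spoofing slide describes.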