Lecture 3_merged.pdf

Transcript

Reconnaissance
and Footprinting
[Social
Engineering]

Lecture 3
Lecture Objectives
Define What is social engineering
Understand Social engineering attack techniques
Perform Social engineering attack by using SEToolkit

CYB234_Lectuer#3 2
What is social engineering
Social engineering refers to all techniques aimed at talking a target
into revealing specific information or performing a specific action for
illegitimate reasons.

CYB234_Lectuer#3 3
Social engineering attack techniques
Phishing Attacks
▪ DNS Spoofing and Cache Poisoning Attacks
▪ Scareware Attacks
▪ Watering hole attacks
▪ Physical social engineering
▪ USB baiting

CYB234_Lectuer#3 4
Phishing Attacks
Phishing attackers pretend to be a trusted institution or individual in
an attempt to persuade you to expose personal data and other
valuables.
Voice phishing (vishing)
SMS phishing (smishing)
Email phishing
Angler phishing
Search engine phishing
URL phishing

CYB234_Lectuer#3 5
DNS Spoofing and Cache Poisoning Attacks
DNS spoofing manipulates your browser and web servers to travel to
malicious websites when you enter a legitimate URL. Once infected
with this exploit, the redirect will continue unless the inaccurate
routing data is cleared from the systems involved.
DNS cache poisoning attacks specifically infect your device with
routing instructions for the legitimate URL or multiple URLs to
connect to fraudulent websites.

CYB234_Lectuer#3 6
Scareware Attacks
Scareware is a form of malware used to frighten you into taking an
action. This deceptive malware uses alarming warnings that report
fake malware infections or claim one of your accounts has been
compromised.

CYB234_Lectuer#3 7
Watering hole attacks
Watering hole attacks infect popular webpages with malware to
impact many users at a time. It requires careful planning on the
attacker’s part to find weaknesses in specific sites. They look for
existing vulnerabilities that are not known and patched — such
weaknesses are deemed zero-day exploits.

CYB234_Lectuer#3 8
Physical social engineering
Certain people in your organization--such as help desk staff,
receptionists, and frequent travelers--are more at risk from physical
social engineering attacks, which happen in person.
The organization should have effective physical security controls such
as visitor logs, escort requirements, and background checks.
Employees in positions at higher risk for social-engineering attacks
may benefit from specialized training from physical social engineering
attacks.
Example: Tailgating Attacks
Tailgating , or piggybacking, is the act of trailing an authorized staff member
into a restricted-access area
CYB234_Lectuer#3 9
Baiting
Baiting abuses your natural curiosity to coax you into exposing
yourself to an attacker. Typically, potential for something free or
exclusive is the manipulation used to exploit you. The attack usually
involves infecting you with malware.
Popular methods of baiting can include:
USB drives left in public spaces, like libraries and parking lots.
Email attachments including details on a free offer, or fraudulent free
software.

CYB234_Lectuer#3 10
Active Reconnaissance Techniques
In the Passive reconnaissance the attacker is not actually connecting
to the target system, it is impossible for an intrusion detection system
(IDS) to detect the scan.
Active scans are far more reliable but may be detected by the target
system.
There are a few types of active scans,
Port Scanning
Enumeration
Wireshark
Maltego
OSINT Tools
CYB234_Lectuer#3 11
Lab3
SEToolKit
Introduction
to
Penetration
Testing
Lecture 1
Lecture Objectives
Understand what is penetration testing.
Understand penetration testing methodologies.
Understand various penetration testing approaches.
Have a strong understanding of the ethics of penetration testing.
Comprehend legal issues associated with penetration testing.

CYB234_Lectuer#1 2
What Is Penetration Testing
The penetration test is the utilization of actual hacking techniques in
order to test the security of a target system.
Hacking is a process of attempting to understand a system by finding
and exploiting flaws in that system.
The goal of penetration testing is to attempt to exploit flaws in a
target system.
How does penetration testing differ from hacking?

CYB234_Lectuer#1 3
Terminology
Ad hoc testing: Testing carried out with no systematic approach or
methodology.
Hacker: One who tries to learn about a system by examining it in
detail by reverse-engineering or probing the system. Hackers are not
necessarily criminals.
Black hat hacker: A hacker who does break the law.
Cracker: One who breaks into a system in order to do something
malicious, illegal, or harmful. Synonymous with black hat hacker.
Ethical hacker: Someone who is using hacking techniques for legal
and ethical purposes.

CYB234_Lectuer#1 4
Terminology
Footprinting: Scanning a target to learn about that target.
Gray hat hacker: A hacker who usually obeys the law but in some
instances will cross the line into black hat hacking.
Script kiddy: A slang term for an unskilled person who purports to be a
skilled hacker.
White hat hacker: A hacker who does not break the law, often
synonymous with ethical hacker.

CYB234_Lectuer#1 5
Methodologies
Methodology is one of the key elements that separate penetration
testing from hacking.
There are three broad categories of penetration testing. They are
usually termed:
black box,
white box,
gray box.

CYB234_Lectuer#1 6
Black Box
A black box test involves the penetration tester having as little
information about the target network as possible, perhaps only the
organization’s name and URL or IP address of their gateway router.
The goal of such tests is to simulate an external attacker attempting
to breach the network.
The most significant drawback to this approach is that it will always
be more costly.
It takes significantly more time to conduct a black box test, because
the penetration tester must first learn about the target network.

CYB234_Lectuer#1 7
White Box
This approach to penetration testing involves the tester having
extensive knowledge of the target system. This will include the
following:
IP addresses of workstations and servers
Operating system information for computers
IP addresses for switches and routers
Information regarding security devices such as firewalls and intrusion
detection systems
The tester will have no need for a discovery or scanning phase, and
will often have specific targeted items to test.
The main disadvantage involves the use of internal staff,
CYB234_Lectuer#1 8
Gray Box
The tester is given some network information but not all
information.
The penetration tester is given whatever system information is readily
available, with no need for an exhaustive assembly of all information.

CYB234_Lectuer#1 9
Ethical Issues
A penetration tester is literally being asked to attempt to hack into a
network. That would require a high level of ethics.
During a penetration test you will see a great deal of private
information. That is inevitable if you are able to successfully breach
that organization’s network.
Everything Is Confidential

CYB234_Lectuer#1 10
Ethical Issues- Saudi Arabia
Saudi Arabia has the Anti-Cyber Crime Law (Royal Decree No. M/17
dated 8 Rabi1 1428). Article 6 of that law provides for up to 5 years in
prison and fines equivalent to about 800,000 U.S. dollars for a range
of offences including
“production, preparation, transmission, or storage of material
impinging on public order, religious values, public morals, and privacy,
through the information network or computers.”

CYB234_Lectuer#1 11
Certifications
CEH: The Certified Ethical Hacker
GPEN: GIAC Penetration Tester (GPEN)
OSCP: The Offensive Security Certified Professional (OSCP)
Mile2: Mile2 security training
CISSP: The Certified Information System Security Professional (CISSP)

CYB234_Lectuer#1 12
 Pentation Testing Stages
Reporting

Clearing Tracks

Maintain
Access
Gain Access

Scanning

Reconnaissance

CYB234_Lectuer#1 13
Reconnaissance
The first penetration testing phase is reconnaissance.
In this phase, the tester gathers as much information about the target
system as they can, including information about the network
topology, operating systems and applications, user accounts, and
other relevant information. The goal is to gather as much data as
possible so that the tester can plan an effective attack strategy.
Reconnaissance can be categorized as either active or passive
depending on what methods are used to gather information

CYB234_Lectuer#1 14
Scanning
Once all the relevant data has been gathered in the reconnaissance
phase, it’s time to move on to scanning.
In this penetration testing phase, the tester uses various tools to
identify open ports and check network traffic on the target system.
Because open ports are potential entry points for attackers,
penetration testers need to identify as many open ports as possible
for the next penetration testing phase.
This step can also be performed outside of penetration testing; in
those cases, it’s referred to simply as vulnerability scanning and is
usually an automated process.

CYB234_Lectuer#1 15
Gain Access
Gaining access phase of hacking is the point where the hacker gets
the control over an operating system, application or computer
network.
Control gained by the attacker defines the access level such as
operating system level, application level or network level access.
Techniques include password cracking, denial of service, session
hijacking or buffer overflow and others are used to gain unauthorized
access.
After accessing the system; the attacker escalates the privileges to
obtain complete control over services and process and compromise
the connected intermediate systems.
CYB234_Lectuer#1 16
Maintain Access and Escalation of Privileges
Maintaining access phase is the point when an attacker is trying to
maintain the access, ownership & control over the compromised
systems.
Similarly, attacker prevents the owner from being owned by any other
hacker. They use Backdoors, Rootkits or Trojans to retain their
ownership.
In this phase, an attacker may steal information by uploading the
information to the remote server, download any file on the resident
system, and manipulate the data and configuration.
To compromise other systems, the attacker uses this compromised
system to launch attacks.
CYB234_Lectuer#1 17
Clearing Tracks
An attacker must hide his identity by covering the tracks.
Covering tracks are those activities which are carried out to hide the
malicious activities.
Covering track is most required for an attacker to fulfill their
intentions by continuing the access to the compromised system,
remain undetected & gain what they want, remain unnoticed and
wipe all evidence that indicates his identity.
To manipulate the identity and evidence, the attacker overwrites the
system, application, and other related logs to avoid suspicion.

CYB234_Lectuer#1 18
Reporting

Report generated in this
final penetration testing
phase can be used to fix any
vulnerabilities found in the
system and improve the
organization’s security
posture.

CYB234_Lectuer#1 19
Lab #1

Setting up a simple Pen
Tester lab

CYB234_Lectuer#1 20
Reconnaissance
and Footprinting

Lecture 2
Lecture Objectives
Perform passive reconnaissance
Perform active reconnaissance
Gather information from public sources

CYB234_Lectuer#2 2
Reconnaissance
Reconnaissance/Footprinting is the process of collecting as much
information as possible about a target system, to identify various
ways to intrude into an organization's system.
One of the first steps will be to gather as much information as you can
about the target network.
When conducting a black box test, you will be provided very little
information, and must find it all out on your own.
Reconnaissance Types:
Passive Reconnaissance
Active Reconnaissance

CYB234_Lectuer#2 3
Passive Reconnaissance Techniques
Passive reconnaissance is the process of gathering information about
a target network without actually connecting to the network.
We will examine some tools and techniques for performing passive
reconnaissance.
Netcraft
BuiltWith
Shodan
Social Media
Google Searching

CYB234_Lectuer#2 4
Active Reconnaissance Techniques
In the Passive reconnaissance the attacker is not actually connecting
to the target system, it is impossible for an intrusion detection system
(IDS) to detect the scan.
Active scans are far more reliable but may be detected by the target
system.
There are a few types of active scans,
Port Scanning
Enumeration
Wireshark
Maltego
OSINT Tools
CYB234_Lectuer#2 5
Passive Reconnaissance
Techniques
Netcraft
Netcraft is a UK company that tracks
websites. From this data, they’re able to
calculate market share for web servers,
uptime, etc. Another service is data about
websites. This data can be extremely
valuable to the hacker.

CYB234_Lectuer#2 7
Netcraft
https://www.netcraft.com
Choose What's that site running?
Type any webiste URL
Then press: LOOK UP

CYB234_Lectuer#2 8
CYB234_Lectuer#2 9
BuiltWith
https://builtwith.com
Type any webiste URL
Then press: lookup

CYB234_Lectuer#2 10
CYB234_Lectuer#2 11
Shodan
https://www.shodan.io
Type any webiste URL
Then press: lookup

CYB234_Lectuer#2 12
CYB234_Lectuer#2 13
Google Searching
Info about a site: info:http://www.google.com
Find related sites: related:http://www.google.com
Search the cache: cache:http://google.com search
Word in URL: inurl:http://google search
Restrict search to a site: site:http://somesite.net
Similar items: search ~tips
The OR operator: cats | dogs

CYB234_Lectuer#2 14
Example
For example, if you are searching for information about XYZ company, and you would like
insight into their company policies, you might try
policies site:xyz.com

Or if you are specifically looking for PDF documents from that company, you could try
one of the following
policies filetype:pdf site:xyz.com

CYB234_Lectuer#2 15
Google Advanced Search

CYB234_Lectuer#2 16
Social Networking
▪ Social networking sites are tools to connect people.
▪ E.g., Facebook, Twitter, LinkedIn (useful for all sorts of business purposes).
Attackers use social engineering trick to gather sensitive information
from social networking websites such as Facebook, MySpace,
LinkedIn, Twitter, Pinterest, Google+, etc.

Attackers create a fake profile on social networking sites and then use
the false identity to lure the employees to give up their sensitive
information.

CYB234_Lectuer#2 17
Active Reconnaissance
Techniques
Whois
▪ WHOIS databases are maintained by Regional Internet Registries (RIRs) and contain
the personal information of domain owners.
▪ To grab information out of the regional Internet registry (RIR), you would use the whois
program.
▪ Whois is a program that can be used on the command line on most Unix-like systems
▪ There are also websites that have implementations of whois if you don’t have a Unix-
like system handy.

CYB234_Lectuer#2 19
Whois

Information obtained from WHOIS database assists an attacker to
Gather personal information that assists to perform social engineering
▪ WHOIS query returns:
▪ Domain name details
▪ Contact details of domain owner
▪ Domain name servers
▪ When a domain has been created
▪ Expiry records
▪ Records last updated
Name and contact information of the registrar (the organization or commercial entity
that registered the domain name)

CYB234_Lectuer#2 20
Whois Query Example
CYB234_Lectuer#2 21
Nslookup
▪ A tool that questions a DNS server for its host records. It’s accessible for Linux and
Windows.
▪ In the following code, you can see the use of nslookup for name Resolution

Name server IP

Answer came from
cache. Not the
authoritative server

IP of sybex.com
CYB234_Lectuer#2 22
Maltego
Maltego is an open source intelligence and forensics application
offering extraordinary data mining and intelligence gathering
capabilities.
The community version is free.

CYB234_Lectuer#2 23
OSINT Website
https://osintframework.com provides a simple online tool whereby you can drill down on
a specific search.
Searches can be conducted on email addresses, domains, Bitcoin transactions, and many
other items.
For a penetration tester, searching a target domain will be useful.

CYB234_Lectuer#2 24
CYB234_Lectuer#2 25
Lab2
Basics of Footprinting
Methodologies