Ethical-Hacking-notes 1-8.pdf
Document Details
Uploaded by BrightDandelion6803
Tags
Full Transcript
Information Security Overview Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must sec...
Information Security Overview Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways. Elements of Information Security Information security is "the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable." It relies on five major elements: confidentiality, integrity, availability, authenticity, and non- repudiation. Confidentiality Confidentiality is the assurance that the information is accessible only to authorized. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs). Integrity Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes-the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data). Availability Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems. Authenticity Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents. Non-Repudiation Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation. Motives, Goals, and Objectives of Information Security Attacks Attackers generally have motives (goals), and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization's business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker's state of mind, their reason for carrying out such an activity, as well as their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or security policy and controls. Attacks = Motive (Goal) + Method + Vulnerability Motives behind information security attacks Disrupt business continuity Propagate religious or political beliefs Perform information theft Manipulating data Create fear and chaos by disrupting critical infrastructures Bring financial loss to the target Achieve a state's military objectives Damage the reputation of the target Take revenge Demand ransom Classification of Attacks According to IATF, security attacks are classified into five categories: passive, active, close-in, insider, and distribution. Passive Attacks Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data. Attackers perform reconnaissance on network activities using sniffers. These attacks are very difficult to detect as the attacker has no active interaction with the target system or network. Passive attacks allow attackers to capture the data or files being transmitted in the network without the consent of the user. For example, an attacker can obtain information such as unencrypted data in transit, clear-text credentials, or other sensitive information that is useful in performing active attacks. Examples of passive attacks: Footprinting Sniffing and eavesdropping Network traffic analysis Decryption of weakly encrypted traffic Active Attacks Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. Attackers launch attacks on the target system or network by sending traffic actively that can be detected. These attacks are performed on the target network to exploit the information in transit. They penetrate or infect the target's internal network and gain access to a remote system to compromise the internal network. Examples of active attacks: Denial-of-service (DoS) attack Bypassing protection mechanisms Malware attacks (such as viruses, worms, ransomware) Modification of information Spoofing attacks Firewall and IDS attack Profiling Arbitrary code execution Privilege escalation Backdoor access Cryptography attacks Replay attacks Password-based attacks Session hijacking Man-in-the-Middle attack DNS and ARP poisoning SQL injection XSS attacks Directory traversal attacks Exploitation of application and OS software Compromised-key attack Close-in Attacks Close-in attacks are performed when the attacker is in close physical proximity with the target system or network. The main goal of performing this type of attack is to gather or modify information or disrupt its access. For example, an attacker might shoulder surf user credentials. Attackers gain close proximity through surreptitious entry, open access, or both. Examples of close-in attacks: Social engineering (Eavesdropping, shoulder surfing, dumpster diving, and other methods) Insider Attacks Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. They misuse the organization's assets to directly affect the confidentiality, integrity, and availability of information systems. These attacks impact the organization's business operations, reputation, and profit. It is difficult to figure out an insider attack. Examples of insider attacks: Eavesdropping and wiretapping Theft of physical devices Social engineering Data theft and spoliation Planting keyloggers, backdoors, or malware Distribution Attacks Distribution attacks occur when attackers tamper with hardware or software prior to installation. Attackers tamper the hardware or software at its source or when it is in transit. Examples of distribution attacks include backdoors created by software or hardware vendors at the time of manufacture. Attackers leverage these backdoors to gain unauthorized access to the target information, systems, or network. Examples of Distribution Attacks: Modification of software or hardware during production Modification of software or hardware during distribution Hacking Methodologies and Frameworks Learning the hacking methodologies and frameworks helps ethical hackers understand the phases involved in hacking attempts along with the tactics, techniques, and procedures used by real hackers. This knowledge further helps them in strengthening the security infrastructure of their organization. This section discusses various hacking methodologies such as the Certified Ethical Hacker (CEH) methodology, cyber kill chain methodology, MITRE attack framework, and Diamond Model of Intrusion Analysis. CEH Hacking Methodology (CHM) EC-Council's CEH hacking methodology (CHM) defines the step-by-step process to perform ethical hacking. The CHM follows the same process as that of an attacker, and the only differences are in its hacking goals and strategies. This methodology helps security professionals and ethical hackers understand the various phases followed by real hackers in order to achieve their objectives. An understanding of the CHM helps ethical hackers learn various tactics, techniques, and tools used by attackers at various phases of hacking, which further guide them to succeed in the ethical hacking process. Footprinting Footprinting and reconnaissance constitute the preparatory phase, in which an attacker gathers as much information as possible about the target prior to launching an attack. In this phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees. Footprinting facilitates system hacking by revealing vulnerabilities. For example, the organization's website may provide employee biographies or a personnel directory, which the hacker can use for social engineering. Conducting a Whois query on the web can provide information about the networks and domain names associated with a specific organization. The footprinting target range may include the target organization's clients, employees, operations, network, and systems. Scanning Scanning is used to identify active hosts, open ports, and unnecessary services enabled on particular hosts. In this phase, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a logical extension of active reconnaissance; in fact, some experts do not differentiate scanning from active reconnaissance. However, there is a slight difference in that scanning involves more in-depth probing by the attacker. Often, the reconnaissance and scanning phases overlap, and it is not always possible to separate them. Enumeration Enumeration involves making active connections to a target system or subjecting it to direct queries. It is a method of intrusive probing through which attackers gather information such as network user lists, routing tables, security flaws, shared users, groups, applications, and banners. Vulnerability Analysis Vulnerability assessment is the examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. Attackers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems. The identified vulnerabilities are used by attackers to perform further exploitation of the target network. System Hacking Attackers follow a certain methodology to hack a system. They first obtain information during the footprinting, scanning, enumeration, and vulnerability analysis phases, which they then use to exploit the target system. Gaining Access This is the phase in which actual hacking occurs. The previous phases help attackers identify security loopholes and vulnerabilities in the target organizational IT assets. Attackers use this information, along with techniques such as password cracking and the exploitation of vulnerabilities including buffer overflows, to gain access to the target organizational system. Gaining access refers to the point at which the attacker obtains access to the operating system (OS) or applications on a computer or network. A hacker's chances of gaining access to a target system depend on several factors, such as the architecture and configuration of the target system, the perpetrator's skill level, and the initial level of access obtained. Once an attacker gains access to the target system, they attempt to escalate privileges to obtain complete control. In this process, they also compromise the intermediate systems connected to it. Escalating Privileges After gaining access to a system using a low-privilege user account, the attacker may attempt to increase their privileges to the administrator level to perform protected system operations so that they can proceed to the next level of the system hacking phase, which is the execution of applications. The attacker exploits known system vulnerabilities to escalate user privileges. Maintaining Access Maintaining access refers to the phase in which an attacker attempts to retain ownership of the system. Once an attacker gains access to the target system with admin- or root-level privileges (thus owning the system), they can use both the system and its resources at will. The attacker can either use the system as a launchpad to scan and exploit other systems or maintain a low profile and continue exploitation. Both of these actions can cause significant damage. Attackers can upload, download, or manipulate data, applications, and configurations on the owned system and also use malicious software to transfer usernames, passwords, and any other information stored in the system. They can maintain control over the system for a long time by closing vulnerabilities to prevent other hackers from exploiting them. Occasionally, in the process, the attacker may provide some degree of protection to the system from other attacks. Attackers use compromised systems to launch further attacks. Clearing Logs To remain undetected, it is important for attackers to erase all the evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log- wiping utilities, thus removing all evidence of their presence. Cyber Kill Chain Methodology The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. This methodology helps security professionals in identifying the steps that adversaries follow in order to accomplish their goals. The cyber kill chain is a framework developed for securing cyberspace based on the concept of military kill chains. This method aims to actively enhance intrusion detection and response. The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats. According to Lockheed Martin, cyberattacks might occur in seven different phases, from reconnaissance to the final accomplishment of the objective. An understanding of cyber kill chain methodology helps security professionals to leverage security controls at different stages of an attack and helps them to prevent the attack before it succeeds. It also provides greater insight into the attack phases, which helps in understanding the adversary's TTPs beforehand. Reconnaissance An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before actually attacking. They look for information such as publicly available information on the Internet, network information, system information, and the organizational information of the target. By conducting reconnaissance across different network levels, the adversary can gain information such as network blocks, specific IP addresses, and employee details. Weaponization The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access malware weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. Delivery The previous stage included creating a weapon. Its payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on websites, or through a vulnerable web application or USB drive. Delivery is a key stage that measures the effectiveness of the defense strategies implemented by the target organization based on whether the intrusion attempt of the adversary is blocked or not. Exploitation After the weapon is transmitted to the intended victim, exploitation triggers the adversary's malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration. Installation The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. They may use the weapon to install a backdoor to gain remote access. After the injection of the malicious code on one target system, the adversary gains the capability to spread the infection to other end systems in the network. Also, the adversary tries to hide the presence of malicious activities from security controls like firewalls using various techniques such as encryption. Command and Control The adversary creates a command and control channel, which establishes two-way communication between the victim's system and adversary-controlled server to communicate and pass data back and forth. The adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the adversary performs remote exploitation on the target system or network. Actions on Objectives The adversary controls the victim's system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems. Also, the adversary may use this as a launching point to perform other attacks. Tactics, Techniques, and Procedures (TTPs) The terms "tactics, techniques, and procedures” refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructure of an organization. The word "tactics" is defined as a guideline that describes the way an attacker performs their attack from beginning to end. The word "techniques" is defined as the technical methods used by an attacker to achieve intermediate results during their attack. Finally, the word "procedures" is defined as the organizational approach followed by the threat actors to launch their attack. In order to understand and defend against the threat actors, it is important to understand the TTPs used by adversaries. Understanding the tactics of an attacker helps to predict and detect evolving threats in the early stages. Understanding the techniques used by attackers helps to identify vulnerabilities and implement defensive measures in advance. Lastly, analyzing the procedures used by the attackers helps to identify what the attacker is looking for within the target organization's infrastructure. MITRE ATT&CK Framework MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. MITRE ATT&CK comprises three collections of tactics and techniques, called Enterprise, Mobile, and PRE-ATT&CK matrices, as each collection is represented in a matrix form. ATT&CK for Enterprise contains 14 categories of tactics, which are derived from the later stages (exploit, control, maintain, and execute) of the seven-stage Cyber Kill Chain. This provides a deeper level of granularity in describing what can occur during an intrusion. Diamond Model of Intrusion Analysis The Diamond Model, developed by expert analysts, introduces state-of-the-art technology for intrusion analysis. This model offers a framework and a set of procedures for recognizing clusters of events that are correlated on any of the systems in an organization. The model determines the vital atomic element that occurs in any intrusion activity and is referred to as the Diamond event. Analysts can identify the events and connect them as activity threads for obtaining information regarding how and what transpired during an attack. Analysts can also easily identify whether any data are required by examining the missing features. It also offers a method or route map for analyzing incidents related to any malicious activity and predict the possibility of an attack and its origin. With the Diamond Model, more advanced and efficient mitigation approaches can be developed, and analytic efficiency can be increased. This also results in cost savings for the defender and rising cost for the adversary. The Diamond event consists of four basic features: adversary, capability, infrastructure, and victim. This model is named so because when all the features are arranged according to the relationship between them, it forms as a diamond- shaped structure. Although it appears to be a simple approach, it is rather complex and requires high expertise and skill to traceroute the flow of attack. What is Hacking? Hacking in the field of computer security refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. It involves a modifying system or application features to achieve a goal outside its creator's original purpose. Hacking can be done to steal, pilfer, or redistribute intellectual property, thus leading to business loss. Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DOS) attacks, establishing unauthorized remote access connections to a device using trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking. Who is a Hacker? A hacker is a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks. A hacker is an intelligent individual with excellent computer skills, along with the ability to create and explore the computer's software and hardware. Usually, a hacker is a skilled engineer or programmer with enough knowledge to discover vulnerabilities in a target system. They generally have subject expertise and enjoy learning the details of various programming languages and computer systems. Types of Hacker Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers. White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner. Gray Hats: Gray hats are the individuals who work both offensively and defensively at various times. Gray hats might help hackers to find various vulnerabilities in a system or network and, at the same time, help vendors to improve products (software or hardware) by checking limitations and making them more secure. Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions. Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity rather than the quality of the attacks that they initiate. They do not have a specific target or goal in performing the attack and simply aim to gain popularity or prove their technical skills. Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks. State-Sponsored Hackers: State-sponsored hackers are skilled individuals having expertise in hacking and are employed by the government to penetrate, gain top-secret information from, and damage the information systems of other government or military organizations. The main aim of these threat actors is to detect vulnerabilities in and exploit a nation's infrastructure and gather intelligence or sensitive information. Hacktivist: Hacktivism is a form of activism in which hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both online and offline arenas. They promote a political agenda especially by using hacking to deface or disable websites. In some incidents, hacktivists may also obtain and reveal confidential information to the public. What is Ethical Hacking? Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities. White Hats (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (such as private companies, universities, and government organizations) are hiring White Hats to assist them in enhancing their cybersecurity. They perform hacking in ethical ways, with the permission of the network or system owner and without the intention to cause harm. Ethical hackers report all vulnerabilities to the system and network owner for remediation, thereby increasing the security of an organization's information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker to verify the existence of exploitable vulnerabilities in system security. Why Ethical Hacking is Necessary? Ethical hacking is necessary as it allows to counter attacks from malicious hackers by anticipating methods used by them to break into a system. Ethical hacking helps to predict various possible vulnerabilities well in advance and rectify them without incurring any kind of outside attack. As hacking involves creative thinking, vulnerability testing, and security audits alone cannot ensure that the network is secure. To achieve security, organizations must implement a "defense-in-depth" strategy by penetrating their networks to estimate and expose vulnerabilities. Reasons why organizations recruit ethical hackers To prevent hackers from gaining access to the organization's information systems To uncover vulnerabilities in systems and explore their potential as a risk To analyze and strengthen an organization's security posture, including policies, network protection infrastructure, and end-user practices To provide adequate preventive measures in order to avoid security breaches To help safeguard the customer data To enhance security awareness at all levels in a business Skills of an Ethical Hacker It is essential for an ethical hacker to acquire the knowledge and skills to become an expert hacker and to use this knowledge in a lawful manner. The technical and non-technical skills to be a good ethical hacker are discussed below: Technical Skills In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh In-depth knowledge of networking concepts, technologies, and related hardware and software A computer expert adept at technical domains The knowledge of security areas and related issues High technical knowledge of how to launch sophisticated attacks Non-Technical Skills The ability to quickly learn and adapt new technologies A strong work ethic and good problem solving and communication skills Commitment to an organization's security policies An awareness of local standards and laws Information Security Controls Information security controls prevent the occurrence of unwanted events and reduce risk to the organization's information assets. The basic security concepts critical to information on the Internet are confidentiality, integrity, and availability; the concepts related to the persons accessing the information are authentication, authorization, and non-repudiation. Information is the greatest asset of an organization. It must be secured using various policies, creating awareness, employing security mechanisms. Information Security Laws and Standards Laws are a system of rules and guidelines that are enforced by a particular country or community to govern behavior. A Standard is a "document established by consensus and approved by a recognized body that provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context." This section deals with the various laws and standards dealing with information security in different countries. Module 2 Footprinting Concepts This step acts as a preparatory phase for the attacker, who needs to gather as much information as possible to easily find ways to intrude into the target network. What is Footprinting? An essential aspect of footprinting is identifying the level of risk associated with the organization's publicly accessible information. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization's network. After you complete the footprinting process in a methodological manner, you will obtain the blueprint of the security profile of the target organization. Here, the term "blueprint" refers to the unique system profile of the target organization acquired by footprinting. There is no single methodology for footprinting, as information can be traced in a number of ways. However, the activity is important, as you need to gather all the crucial information about the target organization before beginning the hacking phase. For this reason, footprinting needs to be carried out in an organized manner. The information gathered in this step helps in uncovering vulnerabilities existing in the target network and in identifying different ways of exploiting these vulnerabilities. Types of Footprinting Footprinting can be categorized into passive footprinting and active footprinting. Passive Footprinting Passive footprinting involves gathering information about the target without direct interaction. It is mainly useful when the information gathering activities are not to be detected by the target. Performing passive footprinting is technically difficult, as active traffic is not sent to the target organization from a host or anonymous hosts or services over the Internet. We can only collect archived and stored information about the target using search engines, social networking sites, and so on. Active Footprinting Active footprinting involves gathering information about the target with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network. Active footprinting requires more preparation than passive footprinting, as it may leave traces that may alert the target organization. Objectives of Footprinting To build a hacking strategy, attackers must gather information about the target organization's network. They then use such information to identify the easiest way to break through the organization's security perimeter. Footprinting provides an outline of the security posture, such as the placement of firewalls, proxies, and other security solutions. Hackers can analyze the footprinting report to identify loopholes in the security posture of the target organization and build a hacking plan accordingly. A detailed footprint provides maximal information about the target organization, allowing the attacker to identify vulnerabilities in the target systems to select appropriate exploits. Attackers can build their own information database regarding the security weaknesses of the target. Footprinting Threats The following are assorted threats made possible through footprinting: Social Engineering: Without using any intrusion methods, hackers directly and indirectly collect information through persuasion and other means. Hackers gather crucial information from willing employees who are unaware of the hackers' intent. System and Network Attacks: Footprinting enables an attacker to perform system and network attacks. Thus, attackers can gather information related to the target organization's system configuration, the operating system running on the machine, and so on. Using this information, attackers can find vulnerabilities in the target system and then exploit such vulnerabilities. They can then take control of a target system or the entire network. Information Leakage: Information leakage poses a threat to any organization. If sensitive information of an entity falls into the hands of attackers, they can mount an attack based on the information or alternatively use it for monetary benefit. Privacy Loss: Through footprinting, hackers can access the systems and networks of the organization and even escalate the privileges up to admin levels, resulting in the loss of privacy for the organization as a whole and for its individual personnel. Corporate Espionage: Corporate espionage is a central threat to organizations, as competitors often aim to attempt to acquire sensitive data through footprinting. Through this approach, competitors can launch similar products in the market, alter prices, and generally undermine the market position of a target organization. Footprinting through Search Engines Search engines are the main sources of key information about a target organization. They play a major role in extracting critical details about a target from the Internet. Search engines use automated software, i.e., crawlers, to continuously scan active websites and add the retrieved results in the search engine index that is further stored in a massive database. When a user queries the search engine index, it returns a list of Search Engine Results Pages (SERPs). These results include web pages, videos, images, and many different file types ranked and displayed according to their relevance. Many search engines can extract target organization information such as technology platforms, employee details, login pages, intranet portals, contact information, and so on. The information helps the attacker in performing social engineering and other types of advanced system attacks. Footprinting Using Advanced Google Hacking Techniques Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information. The accessed information is then used by attackers to find vulnerable targets. Footprinting using advanced Google hacking techniques involves locating specific strings of text within search results using advanced operators in the Google search engine. Advanced Google hacking refers to the art of creating complex search engine queries. Queries can retrieve valuable data about a target company from Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to exploitation. Attackers can use the Google Hacking Database (GHDB), a database of queries, to identify sensitive data. Google operators help in finding the required text and avoiding irrelevant data. Using advanced Google operators, attackers can locate specific strings of text such as specific versions of vulnerable web applications. When a query without advanced search operators is specified, Google traces the search terms in any part of the webpage, including the title, text, URL, digital files, and so on. To confine a search, Google offers advanced search operators. These search operators help to narrow down the search query and obtain the most relevant and accurate output. What can a Hacker Do with Google Hacking? An attacker can create complex search-engine queries to filter large amounts of search results to obtain information related to computer security. The attacker can use Google operators to locate specific strings of text within search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private and sensitive information about the target. Once a vulnerable site is identified, attackers attempt to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security. Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include: Error messages that contain sensitive information Files containing passwords Sensitive directories Pages containing logon portals Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations Advisories and server vulnerabilities Google Hacking Database Source: https://www.exploit-db.com The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Using GHDB dorks, attackers can rapidly identify all the publicly available exploits and vulnerabilities of the target organization's IT infrastructure. Attackers use Google dorks in Google advanced search operators to extract sensitive information about the target, such as vulnerable servers, error messages, sensitive files, login pages, and websites. Competitive Intelligence Gathering Competitive intelligence gathering is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet. Competitive intelligence means understanding and learning about other businesses to become as competitive as possible. It is non-interfering and subtle in nature compared to direct intellectual property theft carried out via hacking or industrial espionage. It focuses on the external business environment. In this method, professionals gather information ethically and legally instead of gathering it secretly. Competitive intelligence helps in determining: What the competitors are doing? How competitors are positioning their products and services? What customers are saying about competitors' strengths and weaknesses? Companies carry out competitive intelligence either by employing people to search for information or by utilizing a commercial database service, which involves lower costs. The information that is gathered can help the managers and executives of a company make strategic decisions. Footprinting Countermeasures The footprinting countermeasures is the measures or actions taken to prevent or offset information disclosure. Some of the footprinting countermeasures are as follows: Restrict the employees' access to social networking sites from the organization's network. Configure web servers to avoid information leakage. Educate employees to use pseudonyms on blogs, groups, and forums. Do not reveal critical information in press releases, annual reports, product catalogs, etc. Limit the amount of information published on a website or the Internet. Use footprinting techniques to discover and remove any sensitive information that is publicly available. Prevent search engines from caching a web page and use anonymous registration services. Develop and enforce security policies such as information security and password policies to regulate the information that employees can reveal to third parties. Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers. Disable directory listings in the web servers. Conduct security awareness training periodically to educate employees about various social engineering tricks and risks. Opt for privacy services on a Whois lookup database. Avoid domain-level cross-linking for critical assets. Encrypt and password-protect sensitive information. Do not enable protocols that are not required. Always use TCP/IP and IPsec filters for defense in depth. Configure Internet Information Services (IIS) to avoid information disclosure through banner grabbing. Hide the IP address and related information by implementing a VPN or keeping the server behind a secure proxy. Request archive.org to delete the history of the website from the archive database. Keep the domain name profile private. Place critical documents such as business plans and proprietary documents offline to prevent exploitation. Train employees to thwart social engineering techniques and attacks. Sanitize the details provided to the Internet registrars to hide the direct contact details of the organization. Module 3 Overview of Network Scanning Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of intelligence gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target's OS and system architecture, and the ports along with their respective services running on each computer. The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker's particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy. Types of Scanning Port Scanning – Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities. Network Scanning – Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network. Vulnerability Scanning – Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. Objectives of Network Scanning Discover the network's live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering into the system. Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS's vulnerabilities. Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining access to the target system. Identify specific applications or versions of a particular service. Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the target system or network through various exploits. TCP Communication Flags The TCP header contains various flags that control the transmission of data across a TCP connection. Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to "1," that flag is automatically turned on. TCP communication flags: Synchronize or "SYN": It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts. Acknowledgement or "ACK": It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1,” thus implying that the receiver should pay attention to it. Push or "PSH": When it is set to "1," it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks. Urgent or "URG": It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to “1," priority is given to processing the urgent data first and all the other data processing is stopped. Finish or "FIN": It is set to "1" to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated. Reset or "RST": When there is an error in the current connection, this flag is set to "1" and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports. Host Discovery Scanning is the process of gathering information about systems that are “alive” and responding on the network. Host discovery is considered as the primary task in the network scanning process. To perform a complete scan and identify open ports and services, it is necessary to check for live systems. Host discovery provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system in a list of IP addresses to identify whether the target host is up. Port and Service Discovery The network scanning process involves checking the open ports and services in live systems. This discovery of open ports and services can be performed via various port scanning techniques. Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Moreover, sometimes, users unknowingly keep unnecessary open ports on their systems. An attacker takes advantage of such open ports to launch attacks. TCP Connect/Full-Open Scan Source: https://insecure.org TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the OS's TCP connect () system call tries to open a connection to every port of interest on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable. TCP Connect scan completes a three-way handshake with the target machine. In the TCP three- way handshake, the client sends a SYN packet, which the recipient acknowledges with a SYN+ACK packet. Then, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the scanner sends an RST packet to end the connection. Stealth Scan (Half-Open Scan) The stealth scan involves resetting the TCP connection between the client and the server abruptly before completion of the three-way handshake signals, hence making the connection half-open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This type of scan sends a single frame with the expectation of a single response. The half- open scan partially opens a connection but stops halfway through. The stealth scan is also called a "SYN scan," because it only sends the SYN packet. This prevents the service from notifying the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning. The stealth scan also implements the three-way handshake methodology. In the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports. The stealth scan process is described below: The client sends a single SYN packet to the server on the appropriate port. If the port is open, the server subsequently responds with a SYN/ACK packet. If the server responds with an RST packet, then the remote port is in the "closed" state. The client sends the RST packet to close the initiation before a connection can be established. Service Version Discovery Every port is assigned a specific service, and every service has its own version. Some versions of the protocols are insecure, and they can allow attackers to compromise the machine by exploiting this vulnerability. Service version detection helps attackers to obtain information about the running services and their versions on a target system. By obtaining accurate service version numbers, an attacker can determine which exploits the target system is vulnerable to. The version detection technique is nothing but examination of the TCP and UDP ports. The probes from the Nmap service- probes database are used for querying various services and matching expressions for recognizing and parsing responses. In Zenmap, the -sv option is used to detect service versions. OS Discovery/Banner Grabbing Banner grabbing, or "OS fingerprinting," is a method used to determine the OS that is running on a remote target system. It is an important scanning method, as the attacker will have a higher probability of success if the OS of the target system is known (many vulnerabilities are OS- specific). The attacker can then formulate an attack strategy based on the OS of the target system. Module 4 What is Enumeration? Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target. The attacker uses the information collected using enumeration to identify vulnerabilities in the system security, which help them exploit the target system. Techniques for Enumeration The following techniques are used to extract information about a target. Extract usernames using email IDs :Every email address contains two parts, a username and a domain name, in the format "username@domainname." Extract information using default passwords :Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases an attacker's task of enumerating and exploiting the target system. Extract user groups from Windows To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command-line method. Extract usernames using SNMP Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames. Services and Ports from enumeration perspective. TCP/UDP 53: DNS Zone Transfer The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response. The DNS client can now resend the request via TCP over port 53 to the DNS server. In this approach, the DNS server uses UDP as a default protocol. In the case of lengthy queries for which UDP fails, TCP is used as a failover solution. Malware such as ADM worm and Bonk Trojan uses port 53 to exploit vulnerabilities within DNS servers, helping intruders launch attacks. TCP/UDP 135: Microsoft RPC Endpoint Mapper Source: https://docs.microsoft.com RPC is a protocol used by a client system to request a service from a server. An endpoint is the protocol port on which the server listens for the client's RPCs. The RPC Endpoint Mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP. The incorrect handling of malformed messages causes failure. This affects the RPC Endpoint Mapper, which listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server to launch a denial- of-service (DoS) attack. UDP 137: NetBIOS Name Service (NBNS) NBNS, also known as the Windows Internet Name Service (WINS), provides a name- resolution service for computers running NetBIOS. NetBIOS name servers maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using. NBNS aims to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first. Typically, NBNS uses UDP 137 as its transport protocol. It can also use TCP 137 as its transport protocol for a few operations, though this might never occur in practice. TCP 139: NetBIOS Session Service (SMB over NetBIOS) TCP 139 is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both null-session establishment as well as file and printer sharing. A system administrator considering the restriction of access to ports on a Windows system should make the restriction of TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities. TCP/UDP 445: SMB over TCP (Direct Host) Windows supports file- and printer-sharing traffic using the SMB protocol directly hosted on TCP. In earlier OSS, SMB traffic required the NetBIOS over TCP (NBT) protocol to work on TCP/IP transport. Directly hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS. UDP 161: Simple Network Management Protocol (SNMP) SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers. It consists of a manager and agents. The agent receives requests on port 161 from the managers and responds to the managers on port 162. TCP/UDP 389: Lightweight Directory Access Protocol (LDAP) LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. By default, LDAP uses TCP or UDP as its transport protocol over port 389. TCP 2049: Network File System (NFS) NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they are mounted locally. NFS servers listen to its client systems on TCP port 2049. If NFS services are not properly configured, then attackers may exploit the NFS protocol to gain control over a remote system, perform privilege escalation, inject backdoors or malware on a remote host, etc. TCP 25: Simple Mail Transfer Protocol (SMTP) SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25. TCP/UDP 162: SNMP Trap An SNMP trap uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager. TCP 22: Secure Shell (SSH) Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials. TCP 20/21: File Transfer Protocol FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, then they perform enumeration on FTP to find information such as the software version and state of existing vulnerabilities to perform further exploitations such as the sniffing of FTP traffic and FTP brute-force attacks. TCP 23: Telnet The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute- forcing attacks on login credentials, port- forwarding attacks, etc. SNMP Enumeration Countermeasures Remove the SNMP agent or turn off the SNMP service. If turning off SNMP is not an option, then change the default community string names. Upgrade to SNMP3, which encrypts passwords and messages. Implement the Group Policy security option called "Additional restrictions for anonymous connections." Ensure that access to null session pipes, null session shares, and IPsec filtering is restricted. Block access to TCP/UDP port 161. Do not install the management and monitoring Windows component unless required. Encrypt or authenticate using IPsec. Do not misconfigure the SNMP service with read-write authorization. Configure access-control lists (ACLs) for all SNMP connections to allow only legitimate users to access SNMP devices. Regularly audit the network traffic. Encrypt credentials using the "Auth NoPriv" mode, which uses MD5 and SHA for additional protection. SMTP Enumeration Countermeasures SMTP servers should be configured in the following manner: Ignore email messages to unknown recipients. Exclude sensitive information on mail servers and local hosts in mail responses. Disable the open relay feature. Limit the number of accepted connections from a source to prevent brute-force attacks. Disable the EXPN, VRFY, and RCPT TO commands or restrict them to authentic users. Ignore emails to unknown recipients by configuring SMTP servers. Identify spammers through machine learning (ML) solutions. Do not share internal IP/host information or mail relay system information. SMB Enumeration Countermeasures Ensure that Windows Firewall or similar endpoint protection systems are enabled on the system. Install the latest security patches for Windows and third-party software. Implement a proper authentication mechanism with a strong password policy. Implement strong permissions to keep the stored information safe. Implement digitally signed data transmission and communication for accessing SMB resources. Block/disable TCP ports 88, 139, and 445 and UDP ports 88, 137, and 138 to prevent SMB attacks. Enable public profile settings in the firewall system. FTP Enumeration Countermeasures Implement secure FTP (SFTP, which uses SSH) or FTP secure (FTPS, which uses SSL) to encrypt the FTP traffic over the network. Implement strong passwords or a certification-based authentication policy. Ensure that the unrestricted uploading of files on the FTP server is not allowed. Disable anonymous FTP accounts. If this is not possible, monitor anonymous FTP accounts regularly. Restrict access by IP or domain name to the FTP server. Configure access controls on authenticated FTP accounts using access-control lists (ACLs). Restrict login attempts and time. Configure ingress and egress filtering rules for the FTP services. Module 5 What is Vulnerability? A vulnerability refers to a weakness in the design or implementation of a system that can be exploited to compromise the security of the system. It is frequently a security loophole that enables an attacker to enter the system by bypassing user authentication. Common Reasons for the Existence of Vulnerabilities Hardware or software misconfiguration The insecure configuration of the hardware or software in a network can lead to security loopholes. For example, a misconfiguration or the use of an unencrypted protocol may lead to network intrusions, resulting in the leakage of sensitive information. While a misconfiguration of hardware may allow attackers to obtain access to the network or system, a misconfiguration of software may allow attackers to obtain access to applications and data. Insecure or poor design of network and application An improper and insecure design of a network may make it susceptible to various threats and potential data loss. For example, if firewalls, IDS, and virtual private network (VPN) technologies are not implemented securely, they can expose the network to numerous threats. Inherent technology weaknesses If the hardware or software is not capable of defending the network against certain types of attacks, the network will be vulnerable to those attacks. Certain hardware, applications, or web browsers tend to be prone to attacks such as DoS or man-in-the- middle attacks. For example, systems running old versions of web browsers are prone to distributed attacks. If systems are not updated, a small Trojan attack can force the user to scan and clean the entire storage in the machine, which often leads to data loss. End-user carelessness End-user carelessness considerably impacts network security. Human behavior is fairly susceptible to various types of attacks and can be exploited to effect serious outcomes, including data loss and information leakage. Intruders can obtain sensitive information through various social engineering techniques. The sharing of account information or login credentials by users with potentially malicious entities can lead to the loss of data or exploitation of the information. Connecting systems to an insecure network can also lead to attacks from third parties. Intentional end-user acts Ex-employees who continue to have access to shared drives can misuse them by revealing the company's sensitive information. Such an act is called an intentional end- user act and can lead to heavy data and financial losses for the company. What is Vulnerability Assessment? A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them. Vulnerability-Management Life Cycle The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate the vulnerabilities that are identified. The implementation of a vulnerability management lifecycle helps gain a strategic perspective regarding possible cybersecurity threats and renders insecure computing environments more resilient to attacks. Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system. Organizations should maintain a proper vulnerability management program to ensure overall information security. Vulnerability management provides the best results when it is implemented in a sequence of well-organized phases. Module 6 System Hacking: System hacking is one of the most important, and sometimes, the ultimate goal of an attacker. The attacker acquires information through techniques such as footprinting, scanning, enumeration, and vulnerability analysis and then uses this information to hack the target system. Gaining Access Gaining access involves the use of various techniques by attackers to gain access to the target system. These techniques include cracking passwords and exploiting identified vulnerabilities. Password Cracking Password cracking is the process of recovering passwords from the data transmitted by a computer system or from the data stored in it. The purpose of cracking a password might be to help a user recover a forgotten or lost password, as a preventive measure by system administrators to check for easily breakable passwords, or for use by an attacker to gain unauthorized system access. Buffer Overflow A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data. Buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer. This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations. Attackers exploit a buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, and so on. Why Are Programs and Applications Vulnerable to Buffer Overflows? Boundary checks are not performed fully, or, in most cases, entirely skipped Applications that use older versions of programming languages involve several vulnerabilities Programs that use unsafe and vulnerable functions fail to validate the buffer size Programs and applications that do not adhere to good programming practices Programmers that fail to set proper filtering and validation principles in the applications Systems that execute code present in the stack segment are vulnerable to buffer overflows Improper memory allocation and insufficient input sanitization in the application lead to buffer overflow attacks Application programs that use pointers for accessing heap memory result in buffer overflows Privilege Escalation A privilege escalation attack is the process of gaining more privileges than were initially acquired. In a privilege escalation attack, attackers first gain access to the network using a non-admin user account and then try to gain administrative privileges. Attackers employ design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications. Once an attacker has gained access to a remote system with a valid username and password, he/she will attempt to escalate the user account to one with increased privileges, such as that of an administrator, to perform restricted operations. These privileges allow the attacker to view critical/sensitive information, delete files, or install malicious programs such as viruses, Trojans, worms, etc. Types of Privilege Escalation Horizontal Privilege Escalation: In a horizontal privilege escalation, the unauthorized user tries to access the resources, functions, and other privileges that belong to an authorized user who has similar access permissions. For instance, online banking user A can easily access user B's bank account. Vertical Privilege Escalation: In a vertical privilege escalation, the unauthorized user tries to gain access to the resources and functions of a user with higher privileges, such as application or site administrators. For example, someone using online banking can access the site using administrative functions. Module 7 Introduction to Malware Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for malicious activities such as theft or fraud. Malware includes viruses, worms, Trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware, crapware, roughware, crypters, keyloggers, etc. These may delete files, slow down computers, steal personal information, send spam, or commit fraud. Common Techniques Attackers Use to Distribute Malware on the Web Source: Security Threat Report (https://www.sophos.com) Some standard techniques used to distribute malware on the web are as follows: Black hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages. Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user. Spear-phishing Sites: This technique is used for mimicking legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information. Malvertising: This technique involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting users. Compromised Legitimate Websites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities. Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website. Spam Emails: The attacker attaches a malicious file to an email and sends the email to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, thereby compromising his/her machine. This technique is the most common method currently in use by attackers. In addition to email attachments, an attacker may also use the email body to embed the malware. Rich Text Format (RTF) Injection: RTF injection involves exploiting features of Microsoft Office such as RTF template files that are stored locally or in a remote machine. RTF templates are used for specifying the document format. Attackers inject malicious macros into RTF files and host them on their servers. When a user opens the document, the malicious template is automatically retrieved from the remote server by evading security systems. Components of Malware Malware authors and attackers create malware using components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly. Some essential components of most malware programs are as follows: Crypter: It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms. Downloader: It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system. Dropper: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute malware on a target system without being detected by antivirus scanners. Exploit: It is the part the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system's security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, exploits are categorized into local exploits and remote exploits. Injector: This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal. Obfuscator: It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it. Packer: This software compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware. Payload: It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security. Malicious Code: This is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. What is a Trojan? A computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users' specific predefined actions such as unintentionally installing a malicious software, clicking on a malicious link, etc., and upon activation, they can grant attackers unrestricted access to all the data stored on the compromised information system and potentially cause severe damage. For example, users could download a file that appears to be a movie, but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker. Indications of Trojan Attack The following computer malfunctions are indications of a Trojan attack: The DVD-ROM drawer opens and closes automatically. The computer screen blinks, flips upside-down, or is inverted so that everything is displayed backward. The default background or wallpaper settings change automatically. This can be performed using pictures either on the user's computer or in the attacker's program. Printers automatically start printing documents. Web pages suddenly open without input from the user. The color settings of the operating system (OS) change automatically. Screensavers convert to a personal scrolling message. The sound volume suddenly fluctuates. Antivirus programs are automatically disabled, and the data are corrupted, altered, or deleted from the system. The date and time of the computer change. Module 8 How a Sniffer Works: The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local sub- network. The machine with that particular address responds to the source machine with its MAC address. The source machine's ARP cache adds this MAC address to the table. The source machine, in all its communications with the destination machine, then uses this MAC address. Network Sniffing Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. ARP Spoofing ARP is stateless. A machine can send an ARP reply even without asking for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address. MAC Flooding Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding. Types of Sniffing Passive Sniffing Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems uses passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing. Active Sniffing Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch. In active sniffing, the switched Ethernet does not transmit information to all the systems connected through LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing. Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review. An attacker can see all the information in the packets, including data that should remain hidden.