Ethical Hacking - C701

Hacker Classes

Black Hats: individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers.
White Hats: white hats or penetration testers use their hacking skills for defensive purposes, with permission from the system owner. Today almost every organization has security analysts who know hacking countermeasures and can secure its network and information systems against malicious attacks.
Gray Hats: individuals who work both offensively and defensively at various times. Gray hats might help hackers find vulnerabilities in a system or network and, at the same time, help vendors improve products (software or hardware) by checking their limitations and making them more secure.
Suicide Hackers: individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other punishment. Like suicide bombers who sacrifice their lives for an attack, they are not concerned with the consequences of their actions.
Script Kiddies: unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity rather than the quality of the attacks they initiate.
Cyber Terrorists: individuals with a wide range of skills, motivated by religious or political beliefs, who aim to create fear through large-scale disruption of computer networks.
State-Sponsored Hackers: individuals employed by a government to penetrate, extract top-secret information from, and damage the information systems of other governments.
Hacktivists: hacktivism is breaking into government or corporate computer systems as an act of protest. Hacktivists use hacking to raise awareness of their social or political agendas and to boost their own reputations online and offline, especially by defacing or disabling websites. Common targets include government agencies, multinational corporations, and any other entity they perceive as a threat. Irrespective of the hacktivists' intentions, gaining unauthorized access is a crime.

pulse wave assaults

Pulse wave assaults are DDoS attacks composed of a series of short-lived traffic bursts occurring in clockwork-like succession; they have accounted for some of the most ferocious DDoS attacks observed.

Elements Of Information Security (CIA Triad)

Confidentiality: information is accessible only to those authorized to access it (e.g. username/password as a minimum level of secrecy; enforced with encryption and access control). Classify data properly to protect confidentiality.
Integrity: prevents unauthorized changes and guarantees the reliability of information (e.g. editing a database record); verified with hashes.
Availability: systems and data are available for use when needed (threats: reboots, server failures; controls: redundancy, fault tolerance).
Authenticity: the data or communication is genuine, e.g. proven with a digital signature.
Non-Repudiation: guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it.

Cross Site Request Forgery VS Cross Site Script

Cross Site Request Forgery - an authenticated user is made to perform actions on the web application that the attacker chooses, e.g. by clicking a particular link sent through email or chat; the browser attaches the victim's session cookies, so the server treats the request as legitimate. Cross Site Scripting - the attacker bounces a script off the vulnerable website into the user's browser, where it runs in the site's origin.

At which OSI layer does a stateful inspection firewall filter packets?

Stateful inspection firewalls filter at the network layer (Layer 3) and transport layer (Layer 4), tracking the state of each TCP/UDP connection rather than judging packets in isolation. CEH's "stateful multilayer inspection" firewall combines packet filtering (network layer), circuit-level filtering (session layer) and application-level inspection. The data link layer (Layer 2) is where MAC-address filtering happens, not stateful inspection.

How many types of SQL injection are there?

Depending on the technique used, CEH groups SQL injection into three categories: in-band SQL injection (e.g. error-based and UNION-based), blind/inferential SQL injection (boolean-based and time-based), and out-of-band SQL injection. Attackers use these techniques to view, manipulate, insert, and delete data in an application's database.

Distribution Attacks

Distribution attacks occur when attackers tamper with hardware or software prior to installation, either at its source or while it is in transit. Examples include backdoors created by software or hardware vendors at the time of manufacture; attackers leverage these backdoors to gain unauthorized access to the target information, systems, or network.
- Modification of software or hardware during production
- Modification of software or hardware during distribution

Passive Attacks

Passive attacks involve intercepting and monitoring network traffic and data flow on the target network without tampering with the data. They are hard to detect. Examples of passive attacks:
- Footprinting
- Sniffing and eavesdropping
- Network traffic analysis
- Decryption of weakly encrypted traffic

Trojan WannaCry

WannaCry (ransomware with worm-like spreading, listed as a Trojan in the CEH material) propagates over SMB on TCP port 445 using the EternalBlue exploit for MS17-010.

hacking Phases

Reconnaissance -> Scanning -> Gaining Access -> Maintaining Access -> Clearing Tracks

Risk Management phases

Risk Identification -> Risk Assessment -> Risk Treatment -> Risk Tracking and Review

social engineering is categorized into ________types

Social engineering is categorized into three types: human-based, computer-based, and mobile-based.

SQL injection is

a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database.

blind hijacking

a hacker can inject malicious data or commands into the intercepted communications in a TCP session, even if the victim disables source routing.

A worm is

a special type of malware that can replicate itself and use memory, but cannot attach itself to other programs

advanced persistent threat is defined as

a type of network attack where an attacker gains unauthorized access to a target network and remains undetected for a long period of time.

Session hijacking can be either

active or passive, depending on the degree of involvement of the attacker.

mobile security is

actually becoming more challenging with the emergence of complex attacks that utilize multiple attack vectors to compromise mobile devices.

Blisqy is a tool to

aid web security researchers to find Time-based Blind SQL injection on HTTP Headers and also exploitation of the same vulnerability for MySQL/MariaDB only.

Cross-site request forgery (CSRF)

also known as a one-click attack, occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious webpage. Financial related websites commonly contain CSRF vulnerabilities.

In a Compromised Availability of Data attack

an attacker deletes database contents, or deletes the logs or audit information stored in the database.

In a tautology-based SQL injection attack

an attacker uses a conditional OR clause such that the condition of the WHERE clause will always be true.
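The following is an added worked example (not part of the flashcard set) showing the tautology described above against an in-memory SQLite table, side by side with the parameterized query that defeats it. The table schema, the seeded accounts and the function names are constructed for the demonstration.

```python
"""Tautology-based SQL injection against a tiny SQLite login table.

Added illustration, not from the flashcard set. Schema, user rows and
function names are constructed for the demo.
"""
import sqlite3

# Constructed sample data: two accounts in a users table.
SEED_USERS = [("alice", "s3cret-pass"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: user input becomes part of the SQL grammar.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds values, so quotes and OR stay data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    # Tautology payload: closes the string literal, ORs in an always-true
    # condition, and comments out the rest of the WHERE clause, so the query
    # becomes: ... WHERE username = '' OR '1'='1'
    payload = "' OR '1'='1' --"
    return {
        "vuln_bypassed": login_vulnerable(conn, payload, "anything"),
        "safe_bypassed": login_safe(conn, payload, "anything"),
        "legit_ok": login_safe(conn, "alice", "s3cret-pass"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function logs the attacker in with no valid credentials, while the parameterized version treats the whole payload as an (unmatched) username.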

Host-based assessments

are a type of security check that involve carrying out a configuration-level check through the command line. These assessments check the security of a particular network or server.

active assessments

are a type of vulnerability assessment that uses network scanners to scan the network to identify the hosts, services, and vulnerabilities present in that network.

vulnerability assessment reports

are classified into two types: security vulnerability report and security vulnerability summary.

Session-hijacking attacks

are high-level attack vectors that affect many systems.

A PRobability INfinite Chained Elements (PRINCE)

attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words.

This testing [function testing] falls within the scope of

black-box testing; as such, it should require no knowledge of the inner design of the code or logic.

GoBuster is a tool for

brute-forcing to discover subdomains, directories, files (URIs), and virtual hostnames on target web servers.

Rootkit Detection: Integrity-based detection

compares a snapshot of the file system, boot records, or memory with a known trusted baseline.
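As an added example (not from the flashcard set), the check below builds the kind of trusted baseline integrity-based detection relies on: a SHA-256 snapshot of a file tree, compared against a later snapshot to surface added, removed and modified files. The directory layout, file contents and the simulated rootkit changes are all constructed inside a temporary directory so the script runs offline.

```python
"""Integrity-based detection: compare a filesystem snapshot with a trusted baseline.

Added example, not part of the flashcard set. The directory layout, file
contents and the 'tampering' step are constructed so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that were added, removed, or whose digest changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "etc" / "ld.so.preload").write_bytes(b"")
        baseline = snapshot(root)  # the trusted baseline, taken on a clean system

        # Constructed rootkit-style activity: trojaned ps, a dropped library,
        # and a deleted ls. The preload file is left untouched.
        (root / "bin" / "ps").write_bytes(b"trojaned ps that hides processes")
        (root / "lib_evil.so").write_bytes(b"\x7fELF fake")
        (root / "bin" / "ls").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored off-host (or on read-only media) and the comparison run from a trusted environment, because a rootkit that controls the live kernel can lie to a scanner running on top of it.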

The lifetime of a virus

depends on its ability to reproduce. Therefore, attackers design every virus code in such a manner that the virus replicates itself n number of times.

Static code analysis is performed to

detect the possible vulnerabilities in source code when the code is not executing.

In a wardriving attack, WLANs are

detected either actively, by broadcasting 802.11 probe requests and recording the responses, or passively, by listening for the beacon frames access points transmit.

network assessment

determines the possible network security attacks that may occur on an organization's systems. These assessments evaluate the organization's network and systems for vulnerabilities.

In order to improve the transmission and reception, the

directional antenna design allows it to work effectively in only a few directions. This also helps in reducing interference.

Sys.user_objects, sys.user_views, sys.all_tables are all database objects used by attackers for

enumeration.

The Metasploit Payload Module

establishes a communication channel between the Metasploit framework and victim host. It combines arbitrary code that is executed as the result of an exploit succeeding.

Meltdown and Spectre

exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data that are currently processed on the computer.

application assessment

focuses on transactional web applications, traditional client-server applications, and hybrid systems. It analyzes all elements of an application infrastructure, including deployment and the communication between client and server.

The WPA3 protocol provides new features

for personal and enterprise use, such as 256-bit Galois/Counter Mode Protocol (GCMP-256), 384-bit Hash-based Message Authentication Code (HMAC-SHA-384), and 256-bit Broadcast/Multicast Integrity Protocol (BIP-GMAC-256).

Attacking TGT: AS-REP Roasting

works on the same idea as Kerberoasting but differs in two ways: the targeted account must have "Do not require Kerberos preauthentication" set, and the attacker requests a Ticket Granting Ticket (TGT) via AS-REQ/AS-REP rather than a service ticket (TGS). The encrypted portion of the AS-REP can then be cracked offline against the account's password.

technical Steganography

hides a message using scientific methods.

six types of vulnerability assessment tools:

host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active/passive tools, and location/data-examined tools.

web-application session management

involves exchanging sensitive information between the server and its clients wherever required. If such session management is insecure, the attacker can take advantage of flawed session management to attack the web application through the session-management mechanism, which is the key security component in most web applications.

Human-based social engineering

involves human interaction in one manner or another. An attacker pretends to be a legitimate user and interacts with an employee of a target organization to gather the organization's sensitive information.

Compression Ratio Info-Leak Made Easy (CRIME) attack

is a client-side attack that exploits vulnerabilities in the data-compression feature of protocols such as SSL/Transport Layer Security (TLS), SPDY, and HTTP Secure (HTTPS).

Qualys VM

is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

Common Weakness Enumeration (CWE)

is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

Broken access control

is a class of flaw in which an attacker identifies a weakness in how the application enforces access control (authorization), uses it to reach functions or data they are not entitled to, and then pivots further into the network.

CVE (Common Vulnerabilities and Exposures)

is a publicly available and free list or dictionary of standardized identifiers for common software vulnerabilities and exposures. Use of CVE Identifiers, or "CVE IDs," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cyber security automation.

CVSS (Common Vulnerability Scoring System)

is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.

Parameter tampering

is a simple form of attack that takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in an URL) as the only security measure for certain operations.

IPsec Enumeration

is a technique where attackers enumerate sensitive information such as encryption and hashing algorithm, authentication type, key distribution algorithm, and SA LifeDuration.

Structured Query Language (SQL)

is a textual language used by a database server rather than a webserver.

Fileless Malware

is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

linguistic steganography

is a type of steganography defined as a collection of techniques and methods that allows the hiding of any digital information within texts based on some linguistic knowledge. Linguistic steganography hides the message in the carrier file in some non-obvious way. A carrier file is the specific medium used to communicate or transfer messages or files.

Armored Virus

is a type of virus designed to thwart attempts by analysts to examine its code, using various methods to make tracing, disassembling, and reverse engineering more difficult. An armored virus may also protect itself from antivirus programs, making it more difficult to trace.

Management Information Base (MIB)

is a virtual database containing a formal description of all the network objects that SNMP manages. It is a collection of hierarchically organized information. MIB-II (MIB_II.MIB) defines the standard objects for managing TCP/IP-based networks using a simple architecture.

Application-level hijacking

is about gaining control over the HTTP user session by obtaining the session IDs. With a stolen session ID the attacker can take control of an existing session or create new unauthorized sessions. Network-level and application-level hijacking generally occur together, depending on the system being attacked.

Nikto

is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6,700 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

Nessus Professional

is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various technologies, such as operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure.

The MANA Toolkit

is an evil access-point implementation by SensePost that performs rogue Wi-Fi AP and MitM attacks.

Steganography

is classified into two areas according to technique: technical and linguistic.

vulnerability-management life cycle

is risk assessment, remediation, verification, and monitoring. Risk assessment is an important step to identifying the security weaknesses of an organization. Remediation includes specific, measurable, attainable, relevant, and time-bound steps to mitigate identified vulnerabilities. Verification helps ensure the applied fixes remediate the vulnerability by re-scanning systems. Monitoring involves the use of tools such as IDS/IPS, SIEM, and firewalls to continuously monitor and thwart threats.

Network-level hijacking

is the interception of packets during the transmission between client and server in a TCP/UDP session. A successful attack on network-level sessions will provide the attacker with crucial information, which will then be used to attack the application-level sessions. Attackers especially focus on network-level session hijacking, as it does not require host access (like host-level session hijacking does) and they need not tailor their attacks on a per-application basis as they would at the application level.

Steganalysis

is the process of discovering the existence of the hidden information in a medium. Steganalysis is the reverse process of steganography. The first step in steganalysis is to discover a suspicious image that may be harboring a message. The chi-square method is based on probability analysis to test whether a given stego-object and the original data are the same or not.
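The following added example (not part of the flashcard set) ties together the technical steganography and steganalysis cards above: it embeds a message in the least significant bits of a constructed "cover" byte array, recovers it, and then applies the pairs-of-values chi-square idea to both the cover and the stego object. LSB embedding pushes the counts of each value pair (2k, 2k+1) toward equality, so the statistic drops. No p-value is computed; the cover data, message and function names are constructed for the demonstration.

```python
"""LSB steganography plus a pairs-of-values chi-square check.

Added example, not from the flashcard set. The cover 'image' is a constructed
byte array and the message is constructed. The statistic follows the classic
pairs-of-values idea (expected count of value 2k is half of count(2k)+count(2k+1)
if LSBs are random); only the statistics are compared, no p-value is derived.
"""


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits (MSB first) into the LSB of successive cover bytes."""
    bits = [(b >> (7 - i)) & 1 for b in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Read `length` bytes back out of the LSBs."""
    bits = [stego[i] & 1 for i in range(length * 8)]
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def chi_square_pairs(data: bytes) -> float:
    """Chi-square statistic over value pairs (2k, 2k+1); smaller = more equalized."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def demo() -> dict:
    # Constructed cover: 128 samples, values 0,2,...,30 each used 8 times, so
    # every pair is maximally skewed (all even) before embedding.
    cover = bytes((i % 16) * 2 for i in range(128))
    message = b"attack at dawn!!"  # 16 bytes = 128 bits, fills the cover exactly
    stego = embed_lsb(cover, message)
    return {
        "recovered": extract_lsb(stego, len(message)),
        "cover_stat": chi_square_pairs(cover),
        "stego_stat": chi_square_pairs(stego),
    }


if __name__ == "__main__":
    print(demo())
```

For this cover each of the 16 pairs contributes (8 - 4)^2 / 4 = 4, so the cover scores 64.0; after embedding, pairs whose LSBs were mixed by message bits contribute less, which is the signal steganalysis looks for. On real images the test is applied to pixel-value pairs over sliding windows and a p-value is computed from the statistic.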

Cross-Site Scripting (XSS)

attacks inject malicious scripts into web pages viewed by other users. The injected script runs in the victim's browser within the vulnerable site's origin, so it can read session data, act with the victim's privileges, and even rewrite the HTML content of the page.

Defacement Trojans

once spread over the system, can destroy or change all content present in a database. However, they are more dangerous when attackers target websites, as they physically change their underlying HTML format, modifying their content.

passive assessments

sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities, without sending probes of their own.

four types of vulnerability assessment solutions

product-based solutions, service-based solutions, tree-based assessment, and inference-based assessment.

MarioNet is a browser-based attack

that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected.

CRLF injection vulnerability attack

the attacker inserts both the carriage return and linefeed characters into user input to trick the server, the web application, or the user into thinking that an object is terminated and another one has started.
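An added example (not from the flashcard set) of the header-injection variant described above: a naive redirect builder copies a user-supplied URL into the Location header, and a CR/LF in that value lets the attacker append a Set-Cookie header of their own. The hardened builder simply refuses any CR or LF. The header builder, parser and the attacker's payload are constructed for the demonstration; a real server framework performs this rejection for you.

```python
"""CRLF injection into a hand-built HTTP response header, and the check that stops it.

Added example, not from the flashcard set. The minimal header builder, the
parser and the redirect target are constructed for the demo.
"""


def build_redirect_vulnerable(target: str) -> bytes:
    # Copies user-controlled input straight into a header line.
    header = "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"
    return header.encode("latin-1")


def build_redirect_safe(target: str) -> bytes:
    # A header value must be a single line: reject CR and LF outright.
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF not allowed in header value")
    header = "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"
    return header.encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Minimal parser: status line, then 'Name: value' lines up to the blank line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def demo() -> dict:
    # Attacker-controlled redirect target carrying an embedded CRLF.
    payload = "https://example.com/\r\nSet-Cookie: session=attacker"
    injected = parse_headers(build_redirect_vulnerable(payload))
    try:
        build_redirect_safe(payload)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {"injected": injected, "safe_rejected": safe_rejected}


if __name__ == "__main__":
    print(demo())
```

A client parsing the vulnerable response sees two headers where the developer intended one; with a second CRLF pair the attacker can also terminate the header block and supply an entire body (HTTP response splitting).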

clickjacking attack

the attacker loads the target website inside a low opacity iframe.

Slowloris attacks

the attacker sends partial HTTP requests to the target web server or application, and as a result, the target server's maximum concurrent connection pool will be exhausted.

active attack

the attacker takes over an existing session either by tearing down the connection on one side of the conversation or by actively participating.

inference-based assessment

the scanning starts by building an inventory of protocols found on the machine.

In dynamic code analysis

the application is analyzed while it runs (at runtime), observing its actual behavior rather than only the source code.

There are________________ways to obfuscate a malicious SQL query in order to avoid detection by the IDS—wrapping and SQL-string obfuscation

two

There are ______ basic types of source-code reviews

two. static code analysis and dynamic code analysis.

A Yagi is a

unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF.

The key reinstallation attack (KRACK)

uses nonce reuse technique to exploit the four-way handshake of the WPA2 protocol.
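To show why the nonce reuse matters, here is an added example (not part of the flashcard set). WPA2's CCMP is a counter-mode stream cipher, so the same key and nonce produce the same keystream; encrypting two frames under it means the XOR of the ciphertexts equals the XOR of the plaintexts, and a known frame reveals the unknown one. To stay dependency-free the keystream here is derived with SHA-256 in counter mode instead of AES, and the key, nonce and frames are constructed; the algebra is the same.

```python
"""Nonce reuse in a stream cipher: same key + nonce => same keystream.

Added example, not from the flashcard set. Keystream is SHA-256 in counter
mode as a stand-in for AES-CCMP; key, nonce and frame contents are constructed.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: H(key || nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If both frames used the same keystream, c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor(xor(c1, c2), known_p1)


def demo() -> dict:
    key = b"\x01" * 16       # constructed session key (stand-in for the PTK)
    nonce = b"\x00" * 12     # nonce the KRACK replay forces the client to reuse
    p1 = b"GET /index.html HTTP/1.1\r\n"   # frame the attacker knows or guesses
    p2 = b"Cookie: sid=0xdeadbeef01\r\n"   # victim frame of equal length, unknown
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)           # reused nonce -> identical keystream
    fresh_nonce = b"\x00" * 11 + b"\x01"
    c3 = encrypt(key, fresh_nonce, p2)     # what a correct implementation does
    return {
        "recovered": recover_with_known_plaintext(c1, c2, p1),
        "fresh_nonce_recovered": recover_with_known_plaintext(c1, c3, p1),
    }


if __name__ == "__main__":
    print(demo())
```

With the reused nonce the second frame is recovered exactly; with a fresh nonce the XOR trick yields garbage. The fix on the client side is to refuse to reinstall an already-in-use key (and never reset its nonce) when handshake message 3 is replayed.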

A passive attack

uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords.

Dreambot Trojan

was first spotted in 2014, created on top of the leaked source code of the older Gozi ISFB banking trojan. Dreambot's primary function was to inject malicious content inside browsers and facilitate the theft of banking credentials and the execution of unauthorized financial transactions.

SQL injection is a flaw in

web applications and not a database or webserver issue.

WPA2 makes wireless networks almost as secure as

wired networks. WPA2 supports authentication, so that only authorized users can access the network.

Cyber Kill Chain

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions on Objectives

nbtstat (NetBIOS over TCP/IP statistics)

-a RemoteName: displays the NetBIOS name table of a remote computer, where RemoteName is the remote computer's NetBIOS name.
-A IPAddress: displays the NetBIOS name table of a remote computer specified by its IP address (dotted decimal notation).
-c: displays the contents of the NetBIOS name cache, i.e. the table of NetBIOS names and their resolved IP addresses.
-n: displays the names registered locally by NetBIOS applications such as the server and redirector.
-r: displays a count of all names resolved by broadcast or by a WINS server.
Running "nbtstat -a <IP address of the remote machine>" (the documented switch for an IP address is -A) returns the remote computer's NetBIOS name table; "nbtstat -c" dumps the local name cache.

It is difficult to detect a misconfigured

AP because it is an authorized, legitimate device on the network.

Host Discovery Techniques

ARP Ping Scan
UDP Ping Scan
ICMP Ping Scan: ICMP ECHO Ping, ICMP ECHO Ping Sweep, ICMP Timestamp Ping, ICMP Address Mask Ping
TCP Ping Scan: TCP SYN Ping, TCP ACK Ping
IP Protocol Scan

Active Attacks

Active attacks tamper with data in transit or disrupt communication or services between systems in order to bypass or break into secured systems. Examples:
- DoS attack
- Malware (virus, worm, ransomware)
- Modification of information
- Spoofing attack
- Replay attacks

NTP Server

Administrators often overlook the NTP server in terms of security. However, if queried properly, it can provide valuable network information to the attacker.

Insider Attacks

Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems. Examples of insider attacks:
- Eavesdropping and wiretapping
- Theft of physical devices
- Social engineering
- Data theft and spoliation
- Pod slurping
- Planting keyloggers, backdoors, or malware

Information Warfare

Martin Libicki divided information warfare into the following categories:
Command and control warfare (C2 warfare): in the computer security industry, C2 warfare refers to the control an attacker holds over a compromised system or network.
Intelligence-based warfare: a sensor-based technology that directly corrupts technological systems. According to Libicki, intelligence-based warfare consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.
Electronic warfare: according to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
Psychological warfare: the use of techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in battle.
Hacker warfare: according to Libicki, the purpose of this type of warfare can range from the shutdown of systems, data errors, theft of information, theft of services, system monitoring, and false messaging to access to data. Hackers generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks.
Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This can be especially devastating to organizations that do a lot of business in the digital world.
Cyberwarfare: Libicki defines cyberwarfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, the attacker takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example acquiring weapons for mere demonstration rather than actual use).
Defensive Information Warfare: all strategies and actions to defend against attacks on ICT assets.
Offensive Information Warfare: attacks against the ICT assets of an opponent.

Types of Malware Analysis

Static Malware Analysis: also known as code analysis, it involves going through the executable binary code without executing it, to gain a better understanding of the malware and its purpose. Different tools and techniques are used to determine the malicious part of a program or file, gather information about the malware's functionality, and collect the technical pointers or simple signatures the malware carries, such as filename, MD5 checksums or hashes, file type, and file size.

Dynamic Malware Analysis: also known as behavioral analysis, it involves executing the malware code to learn how it interacts with the host system and what impact it has after infection. Executing the malware in a controlled environment reveals its conduct and operations and identifies technical signatures that confirm malicious intent, such as domain names, file path locations, created registry keys, IP addresses, additional files, installation files, DLLs, and linked files located on the system or network.

VoIP Enumeration

Svmap is a network scanner for SIP. Similar to nmap, it will scan for devices on ports specified by passing the right command line options.

Port Scanning Techniques

TCP Scanning:
- Open TCP scanning methods: TCP Connect / Full Open Scan
- Stealth TCP scanning methods: Half-open (SYN) Scan; Inverse TCP Flag Scan (Xmas Scan, FIN Scan, NULL Scan, Maimon Scan); ACK Flag Probe Scan (TTL-based Scan, Window Scan)
- Third-party and spoofed TCP scanning methods: IDLE/IP ID Header Scan
UDP Scanning: UDP Scanning
SCTP Scanning: SCTP INIT Scanning, SCTP COOKIE/ECHO Scanning
SSDP Scanning: SSDP and List Scanning
IPv6 Scanning: IPv6 Scanning

SNMP enumeration

SNMP enumeration is the process of creating a list of user accounts and devices on a target computer using SNMP. SNMP uses two (not three) types of software components: the SNMP agent on the managed device and the SNMP management station that queries it. Countermeasures include removing the SNMP agent or turning off the SNMP service, changing the default community strings, and blocking access to ports 161 (agent) and 162 (trap). The trap command is used by the SNMP agent to inform the pre-configured SNMP manager of a certain event.

enumeration

The process of extracting usernames, machine names, network resources, shares, and services from a system or network is called enumeration. Attackers use information collected through enumeration to identify vulnerabilities or weak points in system security. The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS stands for Network Basic Input Output System.
