IT359
IP address decoy
generating or manually specifying IP addresses of decoys so that the IDS/firewall cannot determine the actual source IP address; it appears to the target that the decoys as well as the host are scanning the network, making it hard to determine which IP was actually scanning. nmap -D RND:10 (ten random decoys); nmap -D decoy1,decoy2 (comma-separated, no spaces)
hacking
group of people exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources; involves modifying system or application features to achieve a goal outside of the creator's original purpose; used to steal, pilfer, or redistribute intellectual property, leading to business loss
vulnerability
help the attacker in fulfilling his intentions; attackers try various tools and attack techniques to exploit vulnerabilities in a system to achieve their motives
why penetration testing?
identify threats to an organization's assets, enhance return on security investment, assessment of the organization's security, industry regulation, validating security protections and controls, upgrading existing infrastructure, high security vulnerabilities and application level security issues, preparation steps to prevent exploitation
application threats
improper data/input validation, authentication and authorization attack, security misconfiguration, information disclosure, broken session management, buffer overflow issues, cryptography attacks, SQL injection
ethical hacking skills - technical
in depth knowledge of major operating environments, in depth knowledge of networking concepts, computer expert in technical domains, knowledge of security areas and related issues, high technical knowledge to launch attacks
foot printing
first step of any attack on systems, in which an attacker collects information about a target network to identify various ways to intrude into the system
Flaw Hypothesis Methodology
gather information, flaw hypothesis (identify flaws), flaw testing (test exploit system), flaw generalization (similar faults), flaw elimination
passive foot printing
gathering information about a target without directly interacting
active footprinting
gathering information about the target with direct interaction
fingerprinting websites
netcraft - determines the operating system in use by the target organization; SHODAN - search engine that lets you find connected devices; censys - search engine that enables researchers to ask questions about the hosts and networks that compose the internet
black box
no prior knowledge of the infrastructure to be tested; blind testing (one side has information), double blind testing (no one has information)
UDP scan
open - no three way handshake; the system does not respond with a message when the port is open. closed - the system responds with an ICMP port unreachable message. spyware, trojan horses, and other malicious applications use UDP ports
information obtained in footprinting
organization info - employee details, number, location, background; network - domains, blocks, IP addresses, whois record, DNS; system info - location of web servers, users and passwords
payload
part of an exploit code that performs the intended malicious action, such as destroying data, creating backdoors, or hijacking a computer
phases of penetration testing - attack
penetrating perimeter, acquiring target, escalating privileges, execution, implantation, retracting
phases of penetration testing - pre attack
planning and preparation, methodology designing, network information gathering
scanning tools - Nmap
used for network inventory, managing service upgrade schedules, monitoring host or service uptime; extracts information such as live hosts on the network, services, type of packet filters/firewalls, operating systems, OS versions
google hacking
use of advanced google search operators for creating complex search queries in order to extract sensitive or hidden information that helps attackers to find vulnerable targets
bot
A software application that can be controlled remotely to execute or automate predefined tasks (used for DDOS attack)
Flaw Hypothesis Methodology
A system analysis (on general purpose OSes) and penetration technique where specifications and documentation for the system are analyzed and then flaws in the system are hypothesized
zero-day attack
An attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability.
penetration testing
Method of evaluating the security of a computer system or network by simulating an attack to find out which vulnerabilities an attacker could exploit; security measures are actively analyzed for design weaknesses and technical flaws and vulnerabilities; documents which weaknesses can be exploited; results are put into a report for executive management and technical audiences
hack value
Notion among hackers that something is worth doing or is interesting
examples of security testing methodologies
OWASP (open source applications that assist organizations to purchase, develop and maintain software tools), OSSTMM (peer reviewed high quality security tests), ISSAF (research, develop, publish, promote), EC-Council LPT (security auditing framework)
doxing
Publishing personally identifiable information about an individual collected from publicly available databases and social media.
vulnerability
existence of weakness, design or implementation error that can lead to an unexpected event compromising the security of the system
black hats (crackers)
individuals with extraordinary skills who perform malicious and destructive activities; criminal activities
TCP header flags
URG - data contained in the packet should be processed immediately; PSH - sends all buffered data immediately; ACK - acknowledges the receipt of a packet; FIN - there will be no further transmissions; RST - resets a connection; SYN - initiates a connection between hosts
exploit
a breach of IT system security through vulnerabilities
ethical hacking skills - non technical
ability to learn, strong work ethics, committed to the organization's security policies, awareness of local standards and laws
hacking phases - Passive Reconnaissance
acquiring information without directly interacting with the target (search public records, news releases, trash, social media)
hacking phases - clearing tracks
activities carried out by an attacker to hide malicious acts; intentions can include continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to prosecution; the attacker overwrites the server, system and application logs to avoid suspicion
misconfiguration attacks
affect web servers, application platforms, databases, networks, frameworks that may result in illegal access or possible owning of the system
monitoring using alerts
alerts are a content monitoring service that provides up to date information based on your preferences, usually via email
Idle/IP Scan
every IP packet on the internet has a fragment identification number (IPID); the OS increases the IPID for each packet sent; probing gives an attacker the number of packets sent since the last probe; a machine that receives an unsolicited SYN/ACK packet will respond with an RST; an unsolicited RST will be ignored
location
finds information for a specific location
hacking phases - scanning (pre attack phase)
attacker scans the network for specific information on the basis of information gathered during reconnaissance
ACK flag probing
attacker sends TCP probe packets with the ACK flag set to a remote device and then analyzes the header information of the received RST packets to find out if the port is open or closed; if the TTL value of the RST packet on a port is less than the boundary value of 64, the port is open; if the WINDOW value of the RST packet on a port is non-zero, the port is open
TCP flag scanning
attacker sends TCP probe packets with a TCP flag set or with no flags; no response implies that the port is open, while RST means the port is closed
hacking phases - maintaining access
attacker tries to retain ownership of the system; attackers may prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits or trojans; attackers can upload, download or manipulate data, applications, and configurations on the owned system; attackers can use the compromised system to launch further attacks
shrink wrap code attack
attackers exploit the default configurations and settings of off-the-shelf libraries and code; easier and cheaper
application level attacks
attackers exploit vulnerabilities in applications running on the organization's information system to gain unauthorized access and steal or manipulate data: flash player buffer overflow, cross site scripting, SQL injection, man in the middle, session hijacking, DOS
operating system attack
attackers search for vulnerabilities in an operating system's design, installation or configuration and exploit them to gain access to a system (buffer overflow vulnerabilities, bugs in the system, unpatched operating system)
location of target
attackers use google earth to get the physical location of the target
IP address spoofing
changing source IP addresses so that the packet appears to be from someone else
Nmap ACK scan
checks the filtering system of the target; sends an ACK probe packet with a random sequence number; no response implies that the port is filtered, and an RST response means that the port is not filtered
scanning tools - HPING
command line network scanning and packet crafting tool for the TCP/IP protocol; used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing. hping3 -1 10.10.10.10 (ICMP mode); hping3 -S 10.10.10.10 -p 80 -c 5 (SYN flag, port 80, 5 packets); hping3 -A 10.10.10.10 -c 5 -p 80 (ACK flag; if you get a response the port is open); hping3 -8 90-100 -S 10.10.10.10 -V (scan mode over ports 90-100 with SYN flag, verbose)
white box
complete knowledge of the infrastructure that needs to be tested
nmap connect scan
detects when a port is open by completing the three way handshake; establishes a full connection and then tears it down by sending an RST packet; doesn't require super user privileges
objectives of network scanning
discover live hosts, operating systems, services running on hosts, vulnerabilities in live hosts
cache
displays the web pages stored in the google cache
motives behind security attacks
disrupting business continuity, manipulate data, create fear, financial loss to target, propagate religious or political beliefs, damage reputation, revenge, ransom
state sponsored hackers
employed by governments to penetrate and gain top secret information
penetration testing best practices
establish parameters, appoint a legal penetration tester, suitable set of tests, follow methodology with planning, document results
red team
ethical hackers perform penetration tests on an information system with no or very limited access to the internal resources, with or without warning; detect network and system vulnerabilities and check security from an attacker's perspective
attacks equal
motive + method + vulnerability
hacking phases - scanning (port scanner)
include use of dialers, port scanners, network mappers, ping tools, vulnerability scanners
network threat examples
info gathering, sniffing, eavesdropping, spoofing, session hijacking, man in the middle, DNS and ARP poisoning, password based attacks, DOS, compromised key attack, firewall and IDS attacks
hacking phases - reconnaissance
initial preparation phase where an attacker seeks to gather information before launching an attack; it is easier to enter when the target is known on a broad scale; the target range may include the organization's clients, employees, operations, network, systems
hacking phases - Active Reconnaissance
interacting with the target directly by any means (telephone calls to the technical department, emails, calls)
daisy chaining
involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
ethical hacking
involves the use of hacking tools, tricks and techniques to identify vulnerabilities so as to ensure system security; simulates techniques used by attackers to verify the existence of exploitable vulnerabilities in the system security; ethical hackers perform security assessments of their organization with the permission of the concerned authorities to find existing vulnerabilities before attackers do
ethical hacking
is necessary as it allows countering attacks from malicious hackers by anticipating the methods they use to break into a system
objectives of foot printing
know security posture, reduce focus area, identify vulnerabilities, draw network map
ethical / legal issues
legal issues for tools used in offensive testing (CFAA, unlawful access to stored communications, state and international laws); private data exposed in the testing process (cloud customer, provider, third party); unforeseen service downtime/breakage; hacking with malicious intent vs ethical hacking
grey box
limited knowledge of the infrastructure that needs to be tested
related
lists web pages that are similar to a specified web page
link
lists web pages that have links to the specified web page
hacking phases - scanning (extract information)
live machines, ports, port status, OS details, device type, system uptime; used to launch an attack
host threats examples
malware, foot printing, profiling, password attacks, DOS, arbitrary code execution, unauthorized access, privilege escalation, backdoor attacks, physical security threats
security testing / pen testing methodology
methodological approach to discover and verify vulnerabilities in the security mechanisms of an information system, enabling administrators to apply appropriate security controls to protect critical data and business functions
website fingerprinting
monitoring and analyzing the target organization's website for information; tools: burp suite, paros proxy, website informer, firebug
hacking phases - gaining access
point where the hacker gains control over the operating system or application on the computer or network; access can be gained at the operating system level, application level or network level; the attacker can escalate privileges to obtain complete control of the system, and in the process intermediate systems that are connected to it are also compromised; examples: password cracking, buffer overflow, DOS, session hijacking
phases of penetration testing
pre attack phase, attack, post attack
info
presents some information that google has about a particular web page
reasons why organizations recruit ethical hackers
prevent hackers from gaining access to systems, uncover vulnerabilities, analyze and strengthen an organization's security posture including policies and preventative measures, safeguard customer data, enhance security awareness
hacktivists
promoting political agendas, traditionally by defacing or disabling websites or extracting info from websites
motive or objective
reason an attacker focuses on a particular system; the target system stores or processes something valuable, and this leads to the threat of an attack on the system
hacking phases
reconnaissance, scanning, gaining access, maintaining access, clearing tracks
network scanning
refers to a set of procedures used for identifying hosts, ports and services in a network; one of the components of intelligence gathering, which can be used by an attacker to create a profile of the target organization
phases of penetration testing - post attack
reporting, clean up, artifact destruction
nmap stealth scan
resetting the TCP connection between the client and server abruptly before completion of the three way handshake, leaving the connection half open; used to bypass firewall rules and logging mechanisms and to hide within usual network traffic; process: SYN, SYN/ACK, RST, RST
inurl
restricts the results to documents containing the search keyword in the URL
intitle
restricts the results to documents containing the search keyword in the title
site
restricts the results to those websites in the given domain
allintitle
restricts the results to those websites with all of the search keywords in the title
allinurl
restricts the results to those with all of the search keywords in the URL
finding TLDs and sub-domains
search for the target company's external URL in a search engine such as Google; subdomains provide an insight into different departments and business units in an organization; you may find a company's subdomains by trial and error; you can use the sublist3r python script, which enumerates subdomains across multiple sources at once
white hats (pen tester)
security analysts or individuals with hacking skills who use them for defensive purposes
packet fragmentation
sending fragmented probe packets to the intended server, which reassembles them after receiving all the fragments; splitting a probe packet into several smaller packets while sending it to a network; the TCP header is split across several packets so that packet filters cannot detect what the packet intends to do
blue team
set of security responders who perform analysis of a system to assess the efficiency of its controls; has access to all the organizational resources and information; detects and mitigates red team activities and surprise attacks
cyber terrorists
skilled individuals motivated by religious or political beliefs attacking on a large scale to create fear
source routing
specifying the routing path for the malformed packet to reach the intended server; normally the router examines the destination IP address and chooses the next hop to direct the packet to; here the attacker makes some or all of the routing decisions instead of the router
method
technique or process used by an attacker to gain access to a target system
Nmap ping sweep
this is not port scanning, since ICMP does not have a port abstraction; it is useful in determining which hosts in a network are up by pinging all of them. nmap -sn cert.org/24 12.123.0/16 (-sn is the ping scan option in current Nmap; older versions used -sP)
script kiddies
unskilled hackers who hack and compromise systems using tools and scripts made by real hackers (use black hat tools)
proxy server
using a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions
suicide hacker
those who aim for destruction without worrying about punishment (bridge through systems)
grey hats
those who work both offensively and defensively