Ethical Hacking

Cyberattack Flow

Common flow of a cyberattack includes 5 steps: Reconnaissance, Weaponization, Delivery, Exploit and Execute, and Command and Control

Phishing

Common method used to steal info from victims, such as emails, facebook credentials, and more. Attackers clone websites and apps to trick victims into thinking they offer authentic services and lead the to enter their credentials. Websites can be cloned using tools like SEToolkit (Social-Engineer Toolkit), simply involves uploading an HTML page onto the local server and sending the malicious link to victims. Attackers often purchase domains that have the same look as a targeted website to enhance their social engineering scheme.

FIN

Marks the end of the communication

Confidentiality

Refers to keeping personal data secured using appropriate classifications and processing while preventing unauthorized access to it. Example: using login credentials and protectively logging personal info to ensure that an account remains private.

Fragmentation

An IDS usually relies on signatures and byte patterns when trying to identify malicious traffic. By fragmenting the traffic and sending it in pieces, it is possible to bypass an IDS. nmap -f<target>

Timing

An Intrustion Detection System (IDS) will usually create an alert only when a threshold is reached regarding the level of scans. By performing a slow scan with delays between packets, any IDS is likely to be evaded. nmap -T<0-5><target>

Man-in-the-Middle

An On-Path attack allows the attacker to collect data between two nodes. Can be used to: Eavesdrop on communications; Obtain infor secretly; Allow control over network traffic; Can be executed on LANs

PSH

An instruction to send all buffered data immediately

Cyberattack Flow: Command and Control

An undetected backdoor will be created to allow the attacker access to the victim's system undetected. The backdoor can be created using kernel-mode rootkits, and other such tools.

Live Attack Map

Many security vendors create web-based cyberattack maps. Most show the attacks graphically, but not everything is obvious to see. Cyberattack maps tell a story that the attacks never stop.

Fingerprints

Many services and operating systems use banners and network queries that can provide info about versions and the different OS being used. This data can help with finding relevant vulnerabilities.

Hacking

Means altering the functionality or behavior of a product to do something other than what it was initially intended to do. In cybersecurity: associated with obtaining unauthorized access to a local or remote system.

Hacker Teams: Blue Team

Members are InfoSec and cybersecurity experts who are mainly involved in defending systems via settings and configurations, and in the implementation of many other security measures throughout the system.

Hacker Teams: Red Team

Members are security experts responsible for the active investigation and probing (hacking) of systems. Develop bench tests as well as tests on live systems. Known as penetration testers.

Cyberattack Tools Kali OS

Most attacks today are prepared and created using Kali OS. Designed for advanced PT (penetration testing) and security analysis. Specifically suits the needs of professional penetration testers. Includes a large number of tools that help PTs through the entire PT process, from info gathering to final reporting. Although it includes built-in hacking, forensics, and exploitation tools, some are limited, and additional features require paid registration. Contains a Live mode that enables you to use the system without installation. Doesn't save its states. When turned off, all of its data is erased.

Nmap Tool

Most complete network scanning tools and includes advanced scanning features. Standard service detection tool that reveals which services are running on the target server. Powerful tool that can be used together with other features and scripts to collect info about the target. nmap <ip/address> Needs high levels of privilege: sniffing network traffic with libpcap, opening raw sockets and sending raw network traffic.

Ports

Most services use default ports. If a port is associated with a service is open and listening for transmissions, it is a strong indication that the specific service is available on the scanned host.

Code of Ethics: Penetration Testers

Must follow a code of ethics that will ensure the client's or organization's trust, and safeguard data and data transfer among the various groups and associates. Avoid the use of illegal means as a method of accomplishing the goals of info security. Testers are requested to sign a non-disclosure agreement to protect clients and stay within the boundaries of both public and private law. Must consider the client's location, since laws vary. Must be up to date regarding current laws and must maintain ethical and professional integrity at all times.

Hacker Teams: Purple Team

Attempt to merge the advantages and methods of both the red and blue teams.

CIA Triangle

Confidentiality, Integrity, Availability

Command Flags: -sT

Full TCP scan

RST

Resets the current connection

Script Run Control Rule: Postrule

Runs after any hosts are scanned

TCP Flags

SYN; ACK; PSH; URG; RST; FIN

SYN

Starts synchronization for a new connection

Active Scan

Those conducted by nmap-sV and -O, specially crafted packets are created to obtain info.

Command Flags: -sU

UDP port scan

Ping Scan

An ICMP echo request can be used to test if a host is online by checking that an ICMP echo reply is received. If a reply is not received, the host is unavailable. Are easily detected and have recently become less efficient since most firewalls are preconfigured to drop ICMP echo requests.

Threats

Possibilities of assets being compromised due to breaches that may harm the system.

-p

Scan for specific ports

Malware Types: Trojan

A malicious software that often arrives via email or is pushed to users when they visit and infected website. Must be executed by the victim, typically provides remote access for attacker. Trojans can be hidden in legitimate files and attackers can push the files via social engineering, letting victims execute the program on their own. Some can be detected by anti-virus apps or firewalls, but others may pass through undetected.

Malware

A piece of software that carries a payload used to exploit a vulnerability in the system and perform various unauthorized actions.

Vulnerability

A security flaw that an attacker can exploit to gain access to a network, system, or application. Some services and applications will always be vulnerable due to outdated versions, bugs, or features.

Malware Types: Virus

A type of malicious software that replicates itself when executed. It modifies other computer programs and inserts code that infects other files. Attackers will spend a lot of time on social engineering fraud and exploits to help spread the virus. Most viruses are not meant to steal info but will usually target the OS to damage it and other computer components.

Malware Types: Ransomware

A type of malware that encrypts system data and holds it hostage while waiting for cryptocurrency in return. The target is typically an organization or individual with abundant economic means that make them vulnerable to such attacks.

Malware Types: Worm

A type of malware that spreads copies of itself from one computer to another. Do not need to attack themselves to software or programs to cause damage. Worm can choose any object and duplicate itself until it finds the intended target. Can cause damage similar to viruses by exploiting security faults in software and potentially stealing sensitive info.

Backdoor

A typical method of bypassing normal authentication and providing persistent access to a system

ARP Poisoning: ARP Table

ARP protocol is to act as a cache and allow the clients better communication. This cache is stored in memory and can be removed with the command netsh interface IP delete arp cache. It requires admin privilege. After successful execution of the command, the OS rebuild the table.

Nmap Scripting Engine

Ability to execute scripts as part of the scan. Can use Lua scripts to automate processes and check for vulnerabilities and other info. --script=[name/category] - execute a single script or run group of scripts. --script flag can be used with wildcard conditions and --script-args=[args] to run a script with arguments. Default location - /usr/share/nmap/scripts/

ACK

Acknowledges data reception

Tailgating

Attacker lurk around restricted areas in an attempt ot enter a site when it is left unattended, or control their entry using electronic means. Attackers find ways to tailgate, or simply walk in behind a person who has legitimate access. Attackers can pretend to be delivery or maintenance employees to gain access to restricted areas. By accessing a restricted area, an attacker can collect info without anyone suspecting illegal behavior.

Address Resolution Protocol (ARP) Scan

Attackers can hack into a network and target specific devices. ARP is a protocol that can be used to obtain info about devices on a network to protect them from possible hacker attacks. It scans local networks and lists device types according to their MAC and IP addresses.

Masscan

Can scan thousands of IPs in a matter of seconds, testing for open ports. Very fast, it may be less effective than other tools, like Nmap. Can send 10 million packets per second; Use asynchronous transmission. Also has its own syntax that can be displayed by using masscan --help or man masscan commands in terminal.

FIN Scan

Closed ports tend to reply to your FIN packet with the proper RST, whereas an open port simply ignores these packets. An attacker can determine with port is open by the reply from the server.

Exploits

Implementations of vulnerabilities in the form of code or Proof of Concept. PoC: is when an attacker finds a vulnerability, reports it, and then records the explanation of how to reach the exploit and use it.

Address Resolution Protocol (ARP)

Main purpose is to allow network discovery by using the link-layer address (MAC). Resolves IP addresses to MAC addresses. Layer 2 protocol in LANs. Used in broadcast communication. Resolves info saved in ARP tables. Allows users to communicate around LAN networks.

Hacker Types: Black Hat

Malicious hackers who violate computer security mostly for personal gain, such as money, power, politics, revenge, or even just for the sake of causing damage. Usually operate alone or in small groups, mostly criminal and illegal.

Cyberattack Flow: Exploit and Execute

When the victim executes the payload, a remote shell will be opened, and various system commands can be run by the attacker

Hacker Types: White Hat

Ethical hackers who are experts in compromising computer security systems. Use their abilities for good (legal) purposes, such as identifying system or network vulnerabilities before they are compromised by hackers with malevolent intentions.

Script Run Control Rule: Hostrule

Defines the IP address or hostname of the target

Script Run Control Rule: Portrule

Defines the port/s to scan

Malware

Describes some types of malicious programs that are designed to be harmful to systems. Malware seeks to damage or harm personal computers or whole networks, and in some cases mobile devices, usually by taking full control over a device's operations. Purpose: to steal, encrypt, or delete your data; alter or hijack core computer functions; and spy on your computer activity without your knowledge or permission.

Services

Detecting services is useful when deciding on an attack vector to use. Knowing the available services on a network will make searching for vulnerabilities much easier.

Half Open Scanning

Determines if a port is open by performing the first half of a three-way handshake, but never completes it. It sends an SYN packet and waits for an answer to the server (SYN/ACK). According to the response of the victim, the attacker can understand whether the port is open or not. Used to scan thousands of IPs in a matter of seconds.

Command Flags: -Pn

Don't check if the host is up via ping

Command Flags: -6

Enable IPv6 scan

Command Flags: -O

Enable OS detection

Command Flags: -sS

Enable stealth scan

Filtered Ports

If a conclusive answer cannot be determined regarding a port's state, it is considered filtered. Another option is that no response was received after a certain amount of time.

The Dark Web

Exists on the Darknet and is accessed by special browser (TOR). Behind standard sites lie hidden sites that are not readily available to the general public. Such sites are encrypted and use unique IP addresses, whereby only the special browsers can access and work with them, providing anonymity for users. To connect to dark web: acquire a VPN service, download and install TOR browser, then connect to the browser service.

Hosts

Finding the IPs of online hosts provides insight into how many stations are currently operating on the network. Those stations can later be inspected carefully and in more detail.

Zenmap

Has preconfigured scan options, but manual commands can also be used to allow for the creation of customized profile scans. The primary added value of Zenmap or Nmap comes from its sub-menus and visualization of topologies and host details.

URG

Indicates an urgent packet that needs to be processed immediately

Hacker Types: Grey Hat

Indifferent hackers, somewhere between White Hats and Black Hats. Are not motivated by personal gain or to cause damage, but they may nonetheless technically perform illegal actions.

Cyberattack Flow: Reconnaissance

Initial step before an attack. Includes scanning, enumeration, and data collection from outside of the organization

Hping3

Is a TCP/IP packet assembler and network analysis tool. Design is similar to the ping method, as it sends different types of request. Supports more advanced packets. Hping3 -1 [target mask] --randdest -I [interface] -fast can be used to scan random addresses on the network.

Zero-Day Vulnerability

Is a computer or software flaw that was just discovered and is still unknown to others. Most vulnerabilities of this kind are quickly patched to prevent damage by others if and when they are discovered. Many companies will pay to have Zero-Day discovery info and, in some cases, will pay.

Asynchronous Transmission

Is a method of transmitting data so that each character has its own start and stop bits with uneven intervals between them; in this way, each character is transmitted as a self-contained unit.

Arpsoof

Is a part of dSniff, which is a group of password sniffing and network traffic analysis tools. Initiates ARP spoofing/poisoning on a target machine. Is a popular tool for Kali Linux systems and is often used to initiate On-Path attacks.

Netdiscover

Is a simple scanner based on ARP protocol that can be used to scan hosts on a network. Features: Working in active and passive modes; Ability to scan multiple subnets; Produces a live display of identified hosts; Can sleep between each ARP request; Displays user-friendly output; Dedicated to networks without DHCP; Can also sniff ARP replies.

Cyberattack

Is any attempt by an outside source to target, steal, spy, damage, or destroy a computer network.

Integrity

Is ensuring that data passes through a network in an uncompromised and unauthorized way. Example: Controlling user access permissions for sensitive data and preparing backups of all important data, in case crucial files are deleted or a natural disaster occurs.

Availability

Is having info ready at all times, even when it is stored by ISPs, IR teams, IT teams, and others. Backups are kept in safe locations that can be accessed when needed.

Passive tools

Like p0F, can passively collect info by listening to the network. Usually better in terms of anonymity but may miss a lot of valuable data.

Network Scanning

Main features are: Mapping the network structure, collecting crucial info about the network, and identifying devices on the network. Primary difference: protocols and syntax.

Script Run Control

Nmap Script Engine (NSE) script utilization, also called script control, is a set of rules defining when and how the script should be executed. A script contains a function and instructions. The rules, which determine when a script will run, must be defined in the script's file.

Command Flags

Nmap comes with lot of options that can make the utility very useful but on the same hand difficult for new users.

Cyberattack Flow: Delivery

Once the payload is ready, it is delivered to the victim in various ways, such as via WhatsApp, email, or even a USB device.

Social Engineering

Refers to the psychological manipulation of people to get them to disclose personal information. An attacker may use this method to collect info, scam a victim, or gain access to a system. PTs use social engineering to understand how sensitive info can be obtained, and how to train personnel to avoid falling victim to that method of operation.

Script Run Control Rule: Prerule

Runs before any hosts are scanned.

Connect

Scan preforms a full TCP handshake. Considerably slower because it requires more packets to be sent. If an SYN request is answered with an RST packet (reset connection) instead of SYN-ACK, this means the host is online, but the port to which it was addressed is closed.

Proxies

Scans can also be redirected through proxies. This will not evade a firewall but will mask the attacker's address and prevent detection. nmap --proxy<host>[:<port>]

Decoys

This method of evasion aims to hide the scan, rather than bypass the protection. When using decoys, packets with fake IPs are also sent to make it look like the scan is coming from multiple locations. nmap -d <decoy>

On-Path Positioning

Two main attack positions: Wireless networks automatically allow On-Path positions with various attack vectors; LANs require physical connections to view network traffic. An attacker needs to be a member of a network to operate as a man in the middle.

Automated Scanning

Sparta is a GUI tool that can be used to scan, fingerprint, and test different hosts for vulnerabilities using third-party tools. Sparta can run different enumeration scripts against detected services and test for default logins.

Cybersecurity

The act of protecting networks from various attacks. Done by locking down your private network at home and installing some sort of security solution, but usually, its done by a staff of IT who perform service for you.

Information Security

The collective process and means employed to prevent unauthorized access to data in private accounts, databases, mobile phones, servers, workstations, and other devices and data sources. Info can be secured using: cryptography, forensics, physical equipment, and many other ways.

Execution Steps

The hacker is impersonating both sides of the conversation to gain access by placing itself in the middle of a communication. The attacker convinces each side that they are the person the other one wants to talk to, and the victims have no idea their communication is being intercepted. After a successful deception, potentially sensitive info about a client can be collected as the communication continues. Can be collected and displayed by many tools, such as WireShark.

ARP Poisoning: ARP

The main purpose of ARP is to allow network discovery by using the link-layer address. Main features: Resolves IP addresses to MAC addresses; Layer 2 protocol in LANs; Used in broadcast communications; Resolves info saved in ARP tables; Allow users to communicate around LAN networks.

Payload

The piece of code that runs on the vulnerable system after the exploitation. The payload is the name given to the code executing the malicious actions.

Cybercrime

The use of computerized interfaces to perform illegal activities. Include: spreading computer viruses, performing unauthorized access, creating digital deception of any type, and stealing sensitive personal data.

Network Layout

Understanding the network layout, IP range, and available hosts is the first stage of preparing any attack; identifying the different devices on the network will help to determine better targets.

UDP Scan

Used to detect services like DNS, SNMP, and DHCP. Empty packets are sent to ports, and if an error occurs, the port is deemed closed. If it is unknown whether a port is closed or open, it is considered to be filtered.

Cyberattack Flow: Weaponization

When a vulnerability is identified, a payload is generated according to info obtained during reconnaissance. The payload can open a backdoor once it is executed.

Manual Banner Grabbing

When more info is needed on an open port on a scanned service, we can use banner grabbing techniques. Some banners can be uncovered or investigated manually and without using automated tools. Simply relies on collecting errors and disclosed info, it can be done using most network tools, like nc and telnet. To prevent banner disclosure, some services will hide banners or send false info. Nc can be handy when you are trying to obtain the banner of the service from the other side.

Malware Types: Botnet

Word botnet is a combo of robot and network and used to indicate malicious activity. Refers to computers on a private network that have been infiltarated with malicious software that the attacker uses for nefarious purposes. By creating botnet, an attacker gains the capability of creating powerful DDoS attacks and can send spam, steal data, and access devices remotely. The owner can control everything with a C&C server, or a command and control sever.

ARP Poisoning: Process

aka ARP spoofing. Is a network attack that floods the ARP tables of a switch. Done by gratuitous ARP, which is a request or reply that is not normally needed according to ARP specifications but is sent anyway. Exploits ARP vulnerabilities, such as lack of authentication. When an ARP request is sent, the destination will reply without authenticating the request sender. Once an ARP table is flooded, the switch will act as a Layer 1 hub device instead of crashing completely, enabling an attacker to sniff all network traffic. By sniffing network traffic, an attacker will be able to launch attacks such as On-Path, DoS, session hijacking and others. In other cases, requests are sent as if by the victim and allow the attacker to sniff all the data.