CEH Part 3


steps to perform pivoting

1. Discover live hosts in the network
2. Set up routing rules
3. Scan ports of live systems
4. Exploit vulnerable services

SYN flood attack

1. The attacker sends a SYN packet to the server and spoofs their IP address.
2. The server creates a Transmission Control Block (TCB) data structure for the half-open connection in the SYN backlog. The TCB uses memory on the server, and the size of the SYN backlog is also limited.
3. The server sends a SYN/ACK packet to the spoofed IP address of the attacker.
4. Since the attacker does not receive an ACK packet to confirm the connection, the server sends further SYN/ACK packets to the supposed client and keeps the connection in a half-open state.
5. While the server is still waiting for a response, new SYN packets from the attacker are received and must be entered into the SYN backlog.
6. At a certain point, there is no more space in the SYN backlog for further half-open connections. The server then rejects incoming SYN packets and is no longer accessible from the outside.

Hypervisor Level Rootkit

: Attackers create these rootkits by exploiting hardware virtualization features such as Intel VT and AMD-V. These rootkits run in Ring -1, host the operating system of the target machine as a virtual machine, and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence so that it gets loaded instead of the original virtual machine monitor.

Sherlock

: Attackers use this to search a vast number of social networking sites for a target username. This tool helps the attacker to locate the target user on various social networking sites along with the complete URL.

Hardware/Firmware Rootkit

: Hides in hardware devices or platform firmware that are not inspected for code integrity. It uses device or platform firmware to create a persistent malware image in hardware, such as a hard drive, system BIOS, or network card.

Spread Spectrum Techniques

: In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the code to recover the information from the spread spectrum data.

Chosen-message attack

: The steganalyst uses a known message to generate a stego-object with various steganography tools in order to find the steganography algorithm used to hide the information. The goal of this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.

history -w

: This command only deletes the history of the current shell, whereas the command history of other shells remains unaffected.

Steganalysis

: This is a process of discovering the existence of the hidden information in a medium.

Enumeration

: A method of intrusive probing through which attackers gather information such as network user lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data.

Service Object Permissions

A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service.

Hypervisor Level Rootkit

Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.

Single Sign On (SSO) system

Advantages are:
1. A reduction in password fatigue for users, because they do not need to know multiple passwords when accessing multiple applications.
2. A reduction in system administration overhead, since any user login problems can be resolved at the SSO system.
3. Improved usability and user satisfaction through automatic login functionality.
4. Users need not maintain multiple passwords, and since authentication is performed at a centralized server, it improves security.
5. Improved productivity through single sign-in functionality, as it reduces the login time.
6. Improved auditing, as the SSO system provides an easy way of tracking application usage, shared resource usage, etc.
7. Improved account management, such as account disabling (disabling hardware and network accounts).

Heuristic/Behavior-Based Detection

Any deviations in the system's normal activity or behavior may indicate the presence of a rootkit.

Modifiable registry autoruns

Attackers can exploit misconfigured autoruns in registries.

Scanning

Attackers use different types of scanning methods or tools for host discovery, port and service discovery, operating system (OS) discovery, and evading endpoint security devices such as intrusion detection systems (IDSs) and firewalls.

Robber

DLL hijacking: Robber is an open-source tool that helps attackers find executables prone to DLL hijacking. Attackers use this tool to find out which DLLs an executable requests without an absolute path (triggering the DLL search process); attackers can then place their malicious DLL high up the search path so it gets invoked before the original DLL.

Mirai

Identify the botnet Trojan that exhibits the following characteristics:
- Login attempts with 60 different factory default username and password pairs
- Built for multiple CPU architectures (x86, ARM, SPARC, PowerPC, Motorola)
- Connects to a CnC server to allow the attacker to specify an attack vector
- Increases bandwidth usage for infected bots
- Identifies and removes competing malware

Unquoted Service Paths

In Windows OSs, when a service starts running, the system attempts to find the location of the executable file to launch the service successfully. Generally, the executable path is enclosed in quotation marks "", so that the system can easily locate the application binary.

Gaining access

In system hacking, the attacker first attempts this step against a target system, using the information obtained and the loopholes found in the system's access control mechanism.

Substitution Techniques

In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message.

Distortion Techniques

In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message.

Integrity-Based Detection

It compares a snapshot of the file system, boot records, or memory with a known trusted baseline.

Chosen-stego attack

This attack takes place when the steganalyst knows both the stego-object and the steganography tool or algorithm used to hide the message.

Dylib hijacking:

OS X, like Windows, is vulnerable to dynamic library attacks. OS X provides several legitimate methods, such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process. Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc.

Executing applications

Once the attacker has administrator privileges, they can attempt to install malicious programs such as Trojans, backdoors, rootkits, and keyloggers, which grant them remote system access and enable them to remotely execute malicious code.

Vulnerability Analysis

Process to identify security loopholes in the target organization's network, communication infrastructure, and end systems.

Boot loader level rootkit

Replaces the original boot loader with one controlled by a remote attacker. These are serious threats to security because they can help in stealing encryption keys and passwords.

Library Level Rootkit

Replaces the original system calls with fake ones to hide information about the attacker.

Vindicate

Spoofing detection toolkit: Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit's LLMNR, NBNS, and mDNS spoofers while avoiding false positives.

Distinguishing Statistical

The attacker analyzes the embedding algorithm used to detect distinguishing statistical changes along with the length of the embedded data.

SECEVENT.EVT

The attacker can manipulate the log files. Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers are able to delete only the attack event logs, they will still be able to escape detection.

Known-cover

The attacker compares the stego-object and the cover medium to identify the hidden message.

Escalating privileges

The attacker exploits known system vulnerabilities to escalate user privileges.

Chi-square

The attacker performs Probability Analysis to test whether a given stego object and original data are the same or not.

Alternative Trusted Medium

The infected system is shut down and then booted from an alternative trusted medium, such as a bootable CD-ROM or USB flash drive, to find the traces of the rootkit.

Netcraft

The technique of obtaining information about the target network's operating system is called OS fingerprinting. Open this tool in the browser and type the domain name of the target network in the "What's that site running?" field. Attackers use this tool to identify all the sites associated with the target domain along with the operating system running at each site.

Dylib hijacking

This allows an attacker to inject a malicious dylib in one of the primary directories and simply load the malicious dylib at runtime.

Chosen-message

This attack generates stego-objects from a known message using specific steganography tools in order to identify the steganography algorithms.

export HISTSIZE=0

This command prevents the Bash shell from saving the history by setting the size of the history file to 0.

history -c

This command is useful in clearing the stored history.

shred ~/.bash_history

This command shreds the history file, making its contents unreadable.

Disable auditing

This is the technique where an attacker disables auditing features of the target system to cover the tracks.

Scanning

This refers to a set of procedures used for identifying hosts, ports, and services in a network.

Steganography

This refers to the art of hiding data "behind" other data without the target's knowledge.

Signature-based detection

This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.

Kernel Level Rootkit

This type of rootkit is the most difficult to detect and intercept.

Covering Tracks

To remain undetected, it is important for the attackers to erase from the system all evidence of security compromise. To achieve this, they might modify or delete logs in the system.

OllyDbg

Tool to detect buffer overflow vulnerabilities. It is a debugger for MS Windows. It debugs multithreaded applications and attaches to running programs. It recognizes complex code constructs, such as a call to jump to a procedure.

XtremeRAT

Which of the following Trojans uses port number 1863 to perform attacks?

Web shell

Which of the following techniques allows attackers to inject malicious script on a web server to maintain persistent access and escalate privileges?

Rootkit

Which one of the following software programs helps attackers gain unauthorized access to a remote system and perform malicious activities?

NTFS stream

Which one of the following techniques is used by attackers to hide their programs? (Options: Enumeration, Footprinting, Scanning, NTFS stream)

Unattended Installs

allow attackers to deploy Windows OSs without the intervention of an administrator. Administrators need to manually clean up the unattended install details stored in the Unattend.xml file, which may otherwise be left behind.

Extended Base Pointer (EBP)

also known as StackBase, stores the address of the first data element stored onto the stack.

NTFS Stream

an attacker can almost completely hide files and programs within the system. Streams are easy to use, but the user can only identify them with specific software. Explorer can display only the root files; it cannot view the streams linked to the root files and cannot determine the disk space used by the streams. As such, if a virus implants itself into an ADS, it is unlikely that usual security software will identify it.

TCP fields where data can be hidden

are as follows:
- IP Identification field: This is an easy approach where a payload is transferred bitwise over an established session between two systems. Here, one character is encapsulated per packet.
- TCP acknowledgement number: This approach is quite difficult, as it uses a bounce server that receives packets from the victim and sends them to an attacker. Here, one hidden character is relayed by the bounce server per packet.
- TCP initial sequence number: This method does not require an established connection between two systems. Here, one hidden character is encapsulated per SYN request and Reset packet.

Combinator Attack

attackers combine the entries of the first dictionary with those of the second dictionary. The resultant list of entries can be used to produce full names and compound words.

Markov-Chain Attack

attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched against the existing password database.

DLL Hijacking

attackers place a malicious DLL in the application directory; the application will execute the malicious DLL in place of the real DLL.

NetVizor

comes with an unparalleled monitoring and recording feature set that secretly records everything employees do on the network. Chats, keystrokes and emails, website and online search activity, application usage, file usage, uploads and downloads, software installations, and web traffic are just a sampling of this tool's activity recording capabilities.

Defend against malicious NTFS streams

do the following:
- To delete hidden NTFS streams, move the suspected files to a FAT partition.
- Use a third-party file integrity checker such as Tripwire File Integrity Monitor to maintain the integrity of NTFS partition files against unauthorized ADS.
- Use third-party utilities such as EventSentry or adslist.exe to show and manipulate hidden streams.
- Avoid writing important or critical data to alternate data streams.
- Use up-to-date antivirus software on your system.
- Enable real-time antivirus scanning to protect against execution of malicious streams.
- Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory) to help detect the creation of additional or new data streams.

Footprinting

A vulnerability assessment is an examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels. In footprinting, an attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees.

BasBanke

is a Trojan family that runs on Android.

GlitchPOS

is a fake cat game that is embedded in malware and not displayed at the time of execution. It is a Trojan that masquerades as a cat game. When any victim installs the cat game, the Trojan will be executed in the background. It is used by attackers to grab the credit card information of the victim.

BeRoot

is a post-exploitation tool that checks common misconfigurations to find a way to escalate privileges.

Snow

is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s.

Mirai

is a self-propagating IoT botnet that infects poorly protected Internet devices (IoT devices).

VeraCrypt

is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted just before it is saved and decrypted just after it is loaded, without any user intervention.

OpenStego

is a steganography application that provides the following functions:
- Data hiding: It can hide any data within a cover file (e.g., images).
- Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying.

CCleaner

is a system optimization, privacy, and cleaning tool. It allows attackers to remove unused files and clean traces of Internet browsing details from the target PC. With this tool, an attacker can very easily erase his/her tracks.

theHarvester

is a tool designed to be used in the early stages of a penetration test. It is used for open-source intelligence gathering and helps to determine a company's external threat landscape on the Internet.

Stream Armor

is a tool used to discover hidden ADSs (Alternate Data Streams) and clean them completely from your system. Its advanced auto-analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs that may be present.

Scranos

is a trojanized rootkit that masquerades as legitimate software, such as cracked software or a legitimate application (anti-malware, a video player, or an ebook reader), to infect systems and perform data exfiltration that damages the reputation of the target and steals intellectual property. When this rootkit executes, a rootkit driver is automatically installed, which then starts installing other malicious components into the system.

A PRobability INfinite Chained Elements (PRINCE) Attack

is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words.

PWdump7

is an application that dumps the password hashes (one-way functions, or OWFs) from NT's SAM database. This tool extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database.

Spectre vulnerability

is found in many modern processors, such as AMD, ARM, Intel, Samsung, and Qualcomm processors. This vulnerability tricks a processor into using speculative execution to read restricted data. Modern processors implement speculative execution to predict upcoming instructions and complete execution faster.

Enumeration

is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In this phase, the attacker creates active connections with the system and performs directed queries to gain more information about the target. Attackers use the information collected by means of enumeration to identify vulnerabilities or weak points in the system's security, which helps them exploit the target system.

dylib - DYnamically linked LIBrary

It is a library that is loaded at runtime instead of at compile time. Dylibs are comparable to Windows *.dll files. They contain generic, unmodifiable code intended to be reused by many applications.

Extended Destination Index (EDI)

maintains the destination index for various string operations.

Extended Source Index (ESI)

maintains the source index for various string operations.

Application-level rootkit

operates inside the victim's computer by replacing the standard application files (application binaries) with rootkits or by modifying the behavior of present applications with patches, injected malicious code, and so on.

GFI LanGuard

scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices, with minimal administrative effort. It scans operating systems, virtual environments, and installed applications using vulnerability check databases.

Extended Instruction Pointer (EIP)

stores the address of the next instruction to be executed.

Extended Stack Pointer (ESP)

stores the address of the next data element to be stored onto the stack.

Privilege escalation attack

the attackers first gain access to the network using a non-admin user account, and then try to gain administrative privileges. Attackers take advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications.

TCP parameters

Which of the following is used by the attacker to distribute the payload and to create covert channels?

Fingerprint Attack

the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password.

Stego-only attack

the steganalyst or attacker does not have access to any information except the stego-medium or stego-object. In this attack, the steganalyst must try every possible steganography algorithm and related attack to recover the hidden information.

Kernel Level Rootkit

This is at the core of the operating system. This rootkit runs in Ring 0 with the highest operating system privileges. These rootkits cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. If the kit's code contains mistakes or bugs, kernel-level rootkits affect the stability of the system. These have the same privileges as the operating system; hence, they are difficult to detect, and they can intercept or subvert the operations of the operating system.

CrypTool

This project develops e-learning programs in the area of cryptography and cryptanalysis.

Transform Domain Techniques:

This technique hides the information in significant parts of the cover image, such as cropping, compression, and some other image processing areas.

Zsteg

This tool is used to detect steganographically hidden data in PNG and BMP image files.

BCTextEncoder

This utility simplifies the encoding and decoding of text data. It compresses, encrypts, and converts plaintext data into text format, which the user can then copy to the clipboard or save as a text file. It uses public key encryption methods as well as password-based encryption.

Meltdown

This vulnerability is found in all Intel processors and in the ARM processors deployed by Apple. It tricks a process into accessing out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution. For example, an attacker requests access to an illegal memory location and then sends a second request to conditionally read a valid memory location. In this case, the processor, using speculative execution, will complete evaluating the result for both requests before checking the first request. When the processor finds that the first request is invalid, it rejects both requests after checking privileges. Even though the processor rejects both requests, the result of both requests remains in the cache memory. Now the attacker sends multiple valid requests to access out-of-bounds memory locations.

Library Level Rootkits

work higher up in the OS, and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker hidden. They replace original system calls with fake ones to hide information about the attacker.
