Notes on CEH — Part 1

Mattia Zignale
13 min read · Jun 9, 2021

01: Introduction to Ethical Hacking

Information Security overview

Terminology

  • HACK VALUE — Notion indicating how much it is worth to an attacker to acquire the target.
  • VULNERABILITY — Existence of a flaw, implementation or design error that can be exploited by an unexpected event to compromise the security of a system.
  • EXPLOIT — A breach in the security of an IT system through a vulnerability.
  • PAYLOAD — The part of an exploit code that performs malicious activities such as creating a backdoor or encrypting files.
  • ZERO-DAY — Vulnerability not yet patched by the vendor. An 0-day attack exploits this type of vulnerability before the patch is released.
  • DAISY CHAINING — It consists of accessing a network and/or computer and using them to access additional networks and/or computers that contain the desired information.
  • DOXING — Posting of an individual’s personal information collected from open sources (e.g., Social Media).
  • BOT — A bot is software that can be controlled remotely to perform or automate certain tasks.

Elements of Information Security

  • CONFIDENTIALITY — Ensures that information is accessible only to authorized individuals.
  • INTEGRITY — The reliability of data or resources, in terms of preventing improper or unauthorized changes.
  • AVAILABILITY — Ensures that the systems responsible for delivering, storing, and processing information are accessible when an authorized user requests it.
  • AUTHENTICITY — Authenticity refers to the characteristic of a communication, document, or data to be genuine.
  • NON-REPUDIATION — Ensures that the sender of a message cannot deny having sent it and the recipient can’t deny having received it.

Understand Information Security Threats and Attack Vectors

Motives, goals, and objectives of information security attacks

ATTACK = MOTIVE + METHOD + VULNERABILITY

  • The reason arises when the target system stores or processes some valuable information and this leads to the threat of an attack on the system.
  • Attackers use various tools and attack techniques to exploit vulnerabilities in a system and achieve their goal.

The motives behind an attack can be: theft of information, data manipulation, interrupting business continuity, instilling fear and chaos by disrupting the operation of critical infrastructure, economic losses, religious or political propaganda, achieving government objectives, ruining reputations, revenge, ransom demands.

Popular Attack Vectors

  1. CLOUD COMPUTING THREATS — Cloud computing offers on-demand IT resources where organizations often store their own and their customers’ data. A breach in one customer’s cloud application could grant an attacker access to other customers’ data.
  2. ADVANCED PERSISTENT THREATS — APT is a type of attack whose purpose is to steal information from victims without being detected; the term is also used to identify structured hacker groups (e.g., APT38).
  3. VIRUSES AND WORMS — Viruses and worms are the most popular threats and are capable of infecting networks and systems very quickly.
  4. RANSOMWARE — Ransomware inhibits access to computers or files by encrypting them and demanding a ransom for the release of the files.
  5. MOBILE THREATS — The increase in the use of mobile devices (smartphones and tablets) has increased the threats to these types of devices that are now used for both personal and business purposes.

Types of System Attacks

Overview of Hacking concepts, types and phases

Hacking is the ability to exploit vulnerabilities in a system and compromise security controls to access resources; it can include changes to the system or application features.

Who is a hacker

  1. Excellent computer skills
  2. For some hackers it can be just a hobby
  3. Intentions may be simple curiosity to increase one’s knowledge or doing something illegal
  • Blackhat — Malicious Hacker. The intention is to do something illegal or cause harm.
  • Greyhat — A hacker operating on both sides. The intention may or may not be malicious.
  • Whitehat — A “good guy” hacker. Helps organizations secure their systems.
  • Hacktivist — Has a political, often rebellious purpose.
  • State sponsored hacker — Hackers hired by governments to penetrate other governments.
  • Cyber Terrorists — They are motivated by religious or political beliefs.
  • Suicide Hacker — A hacker who doesn’t care about going to jail or receiving punishment (fines).
  • Script Kiddies — A hacker with low technical knowledge using tools developed by others.

Hacking phases

  1. Reconnaissance — PASSIVE RECON: without interaction with the target. ACTIVE RECON: with direct interaction with the target.
  2. Scanning — PRE-ATTACK PHASE: a scan of the network is performed looking for specific information based on the information obtained during the previous step. PORT SCANNER: tools such as port scanners, vulnerability scanners and network mappers are used. EXTRACT INFORMATION: the attacker extracts information such as active machines and port status.
  3. Gaining Access — Refers to gaining access to an OS or application. The attacker can gain access to the operating system via the application layer or the network layer, then tries to escalate privileges to gain complete control of the system. Passwords are cracked, buffer overflows are exploited, session hijacking and DoS are performed.
  4. Maintaining Access — The attacker tries to maintain control of the system and secures the privileged access with backdoors, rootkits or Trojans. They can manipulate data, applications, and system configurations, and use the compromised system to launch further attacks.
  5. Clearing Tracks — Traces of the intrusion or attack are hidden, so that the access gained remains undetected. Logs are overwritten to eliminate suspicion.

Concepts and Purposes of Ethical Hacking

What is Ethical Hacking

Ethical Hacking involves tools and techniques to identify vulnerabilities, it relies on techniques that simulate the behavior of an attacker to verify the possibility of exploiting those vulnerabilities. Ethical Hackers work only with the permission of the client (target).

Why Ethical Hacking is necessary

To defeat a hacker you have to think like one!

Ethical Hacking prevents hackers from gaining access to our systems, makes us aware of vulnerabilities, improves corporate cybersecurity, prevents breaches, safeguards customer data and increases security awareness.

An Ethical Hacker should ask these questions:

  • What can an attacker find in the target system?
  • What can you do with this information?
  • Would anyone notice the intrusion attempts at the target system?
  • Are all system components protected?
  • How much effort is required to achieve adequate protection?
  • Do the security measures taken comply with legal and industry standards?

Information Security controls

Ensuring Information

Information assurance refers to ensuring that the integrity, availability, confidentiality and authenticity of information and information systems are protected during the use, processing, storage and transmission of information.

Information Security Management Program

Such a program enables organizations and businesses to operate in a state of reduced risk; it includes all organizational and operational processes and participants relevant to information security. It is a combination of policies, processes, procedures, standards and guidelines that establish the required level of information security.

Enterprise Information Security Architecture (EISA)

EISA refers to a set of requirements, processes, principles, and models that determine the structure and behavior of organizations’ information systems.

Network Security Zoning

Network Security Zoning helps to monitor and control inbound and outbound traffic. It also helps organizations manage their secure networks by selecting the right level of security based on the different zones of internet and intranet networks.

Information Security Policy

Policies are the foundation of the security infrastructure and define the minimum security requirements and rules to enable proper protection of systems.

Policy types

  • PROMISCUOUS POLICY — No restrictions on the use of systems and related resources.
  • PERMISSIVE POLICY — A fairly lax policy: it only blocks behavior that could cause harm, and it needs to be updated regularly.
  • PRUDENT POLICY — Provides a high level of security, blocks all services except those needed and/or recognized, all movements are tracked.
  • PARANOID POLICY — This type of policy blocks everything.

Designing security policies

  1. Identify risks through a Risk Assessment
  2. Learning from others and guidelines
  3. Include management in policy development
  4. Fines for non-compliance
  5. Provide the final version of the policy to everyone
  6. Make sure everyone understands the policy
  7. Develop tools to reinforce policies
  8. Train employees
  9. Regularly review and update policies

Physical Security

It is the first layer of protection, providing protection of corporate assets from environmental or man-made threats. It prevents unauthorized access, data theft, espionage, and social engineering attacks.

What is risk

Risk refers to the level of uncertainty or expectation that a negative event will cause damage to the system. A risk matrix is used to estimate the actual magnitude of a risk by considering its probability (likelihood) and its consequences (impact).

Risk Management

Risk Management is the process of reducing and maintaining risk at an acceptable level.

Phases
Risk Identification -> Risk Assessment -> Risk Treatment -> Risk Tracking -> Risk Review

Incident Management

Incident Management is a set of defined processes designed to identify, analyze, prioritize, and resolve security incidents.

The phases are divided into:

  • Vulnerability Handling,
  • Incident Handling: Triage, Incident Response, Reporting and Detection, Analysis
  • Artifact Handling,
  • Announcements,
  • Alerts

Incident Management Process

  1. Incident Handling and Response Preparation
  2. Detection and analysis
  3. Classification and prioritization
  4. Notification
  5. Containment
  6. Forensic Investigation
  7. Eradication and Recovery
  8. Post-Incident Activities

02: Footprinting and Reconnaissance

Footprinting concepts

What is Footprinting

Footprinting is the first phase of any attack and it aims to acquire as much information about the target network as possible, in order to identify the possible ways to break into the system. The types of footprinting are divided into 2 categories: Passive (there is no interaction with the target) and Active (direct interaction with the target). It is possible to obtain information regarding the company and its internal organization, the company network and the systems used.

Footprinting Goals

Footprinting with Search Engines

Attackers use search engines to extract information about their targets including: technology platforms in use, employee details, and login pages.

Footprinting using advanced Google Hacking techniques

This technique allows you to do advanced Google searches, using operators to create more complex queries in order to obtain hidden information that can help the attacker find vulnerabilities.

CACHE: Show pages saved in Google cache (old versions of results)

LINK: List only results that have links to the specified page

LOCATION: Find information for a specific location

FILETYPE: Search only certain file types

Google Hacking Database

GHDB is an indispensable source for even broader searches than simple Google searches; in fact it is a public repository of exploits and vulnerable software. Also known as exploit-db.

Footprinting with web services

TLD and subdomains

To search for Top Level Domains and subdomains of a company you can use online services such as netcraft.com, while tools such as sublist3r (python script) are used to enumerate subdomains which in turn can give information about the internal structure of companies.

Target geolocation

An attacker can use Google Earth/Maps to get the geographical location of the target, it is useful when you want to perform a social engineering attack. Often the information about the location is not accurate.

Information Gathering with LinkedIn

InSpy is a tool that allows enumeration on LinkedIn and has two features: TECHSPY, which analyzes job descriptions looking for the technologies in use, and EMPSPY, which enumerates employees.

Determine Operating System

Determining the Operating System in use is essential when we want to launch an attack; some indispensable tools are netcraft, shodan (a search engine for any device connected to the network) and censys (which allows the attack surface to be explored in depth by showing which hosts are on the network).

Footprinting techniques for websites

Website footprinting is understood as the monitoring and analysis of our target’s websites. Tools such as BURP SUITE or ZAPROXY are used to capture headers, which are fundamental for the analysis of HTML code and cookies.

Web spiders

Web spiders are software that perform automated searches on the target in question. The information they collect can be used for further footprinting and social engineering attacks. One of the tools for spidering is WEBDATA EXTRACTOR.

Mirroring

It is a technique that allows a website to be copied entirely locally for asynchronous, offline analysis.

Archive.org

An attacker uses archive.org to retrieve old versions of websites that are no longer online; the operation is similar to Google’s cache, but archive.org contains more temporal snapshots.

Extract metadata from public documents

Extracting metadata from public documents can be useful to derive information such as employees’ personal data so as to perform further attacks (phishing, social engineering).

Email Footprinting Techniques

Email Tracking

It is a technique used to track the delivery of emails to the specified recipient and can be used to gather information about the target. With an HTML email, information such as IP addresses, mail server, and geographic location can be detected. Some tools are POLITEMAIL, YESWARE, CONTACTMONKEY and READNOTIFY.

Competitive Intelligence Techniques

Competitive Intelligence Gathering

Competitive Intelligence Gathering is the process of identifying, collecting, and analyzing competitor information; it is a passive process.

Track the target’s online reputation

Online Reputation Management (ORM) is a process of monitoring the online reputation of a company (or entity in general). Negative reviews are, in general, the most useful as an angry user tends to be more detailed: an eventual attacker could use this information for a social engineering attack.

Whois and DNS Footprinting

WHOIS

WHOIS databases are maintained by RIRs (Regional Internet Registries) and contain the personal information of domain owners: domain details, owner contact information, name server, expiration and creation date.

RIR list:

  • ARIN — America
  • AFRINIC — Africa
  • RIPENCC — Europe
  • LACNIC — Latin America and Central America
  • APNIC — Asia Pacific

DNS

An attacker can determine, via DNS, which hosts play an important role in the network to perform more complex attacks.

Network Footprinting

IP range information assists attackers in creating a network map; IP ranges are found using ARIN tools and subnets are found using the Regional Internet Registry.

Traceroute

Traceroute works thanks to the ICMP protocol and the TTL (time-to-live) field in the packet header, which allows the routers that the packet crosses to be discovered. The attacker can thus extract information regarding the network topology, “trusted” routers and the location of firewalls; this information helps the attacker to build a network map.

TOOLS: geospider, visualroute, path analyzer.

Footprinting tools

  • Maltego (GUI, capable of drawing graphics, pdf export, integration with different services)
  • recon-ng (command line tool)
  • FOCA (Fingerprinting Organization with Collected Archives)
  • recondog (command line tool, exposes API)
  • OSRFramework (OSINT tool)
  • sn1per
  • LHF (Low Hanging Fruit)

03: Scanning

Overview

Network scanning is a set of procedures to identify hosts, ports and services of a system, it is used to create a profile of the target.

TCP Flag

  • URG — Indicates that the contents of the packet are urgent and therefore require immediate processing.
  • PSH — Asks to send the buffered data immediately.
  • FIN — Indicates that there will be no more transmissions.
  • ACK — Indicates that the packet has been received.
  • RST — Resets the connection.
  • SYN — Initializes the connection between 2 hosts.

TCP/IP Handshake (three-way handshake)

SYN -> SYN+ACK -> ACK

TCP/IP — Session Termination

FIN -> ACK & FIN -> ACK

Custom Packets

There are many tools that allow customization of packet flags: nmap does this with some specific arguments, while a packet crafter for Windows is COLASOFT PACKET BUILDER. Packet customization allows you to perform certain types of attacks and to evade firewalls and IDS.

Scanning Tool

NMAP — It is one of the most used tools for network scanning, it is able to perform discovery of active hosts, open/closed/filtered ports and services. It can be used both via CLI and via GUI with Zenmap.

HPING — Packet generator and analyzer; its operation is similar to the ping command, however with hping you can use protocols other than ICMP and customize parts of the IP packet.

AMAP — Next-generation scanning tool. Identifies applications listening on ports even if the service is not running on the default port.

Scanning Techniques

Inverse TCP Flag Scanning

A TCP packet is sent with the FIN, URG and PSH flags set (or with no flags at all); if the target responds (RST/ACK) the port is closed, and if it does not respond the port is open.

ACK Flag Probe Scanning

This type of scan can be performed in two ways:

  • TTL based — If the TTL of the RST packet is less than 64, the port is open.
  • Window based — If the window value of the RST packet is different from 0 (zero), the port is open.

This technique is also used to determine whether a port is filtered or not: the attacker sends an ACK packet with a random sequence number; if no reply is received the port is filtered (so there is a firewall), otherwise an RST packet is received and the port is not filtered.

IDLE/IPID Header Scan

Each IP packet has an identification number (IPID) for the fragment in question; the operating system takes care of increasing the IPID for each packet sent.

UDP Scanning

In the UDP protocol there is no three-way handshake, and the target will not send a reply if the port is open. If a UDP packet is sent to a closed port, the target sends an ICMP Port Unreachable packet to the sender. UDP ports are also typically heavily used by spyware, trojans, and other malware.

OPEN UDP PORT -> no response

CLOSED UDP PORT -> ICMP PORT UNREACHABLE
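The three scan techniques above (inverse TCP flag scanning, ACK flag probes and UDP scanning) seen from the defender's side, as an added example that is not part of the original notes: a small detector over constructed packet records that flags Xmas/FIN/NULL probes, bare ACKs that arrive with no preceding SYN, and bursts of ICMP port-unreachable replies addressed to one host. The record format and the alert thresholds are assumptions made for the example.

```python
"""Scan detection over constructed packet records (added example).

Each record is (src, dst, dport, proto, flags): for TCP, flags is a set of
flag names; for ICMP, flags is the message type as a string.
"""
from collections import defaultdict

# Flag combinations used by inverse TCP flag scans (Xmas, FIN and NULL).
INVERSE_FLAG_SCANS = {
    frozenset({"FIN", "URG", "PSH"}): "xmas",
    frozenset({"FIN"}): "fin",
    frozenset(): "null",
}

# Constructed sample traffic: a legitimate SSH handshake from 10.0.0.5 and
# three probe patterns from 198.51.100.7 against the host 10.0.0.20.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 22, "tcp", {"SYN"}),
    ("10.0.0.20", "10.0.0.5", 40000, "tcp", {"SYN", "ACK"}),
    ("10.0.0.5", "10.0.0.20", 22, "tcp", {"ACK"}),  # third step of the handshake
    ("198.51.100.7", "10.0.0.20", 21, "tcp", {"FIN", "URG", "PSH"}),
    ("198.51.100.7", "10.0.0.20", 23, "tcp", set()),
    ("198.51.100.7", "10.0.0.20", 25, "tcp", {"FIN"}),
] + [
    # Bare ACKs to eight ports with no prior SYN: an ACK flag probe sweep.
    ("198.51.100.7", "10.0.0.20", p, "tcp", {"ACK"}) for p in range(80, 88)
] + [
    # A UDP sweep shows up as the target answering closed ports with ICMP
    # port unreachable, so the replies are addressed to the scanner.
    ("10.0.0.20", "198.51.100.7", 0, "icmp", "port-unreachable") for _ in range(6)
]


def classify_inverse_flag_probe(flags):
    """Name the inverse-flag scan a TCP flag set corresponds to, or None."""
    return INVERSE_FLAG_SCANS.get(frozenset(flags))


def detect_scans(packets, ack_port_threshold=5, udp_reply_threshold=5):
    """Return {scanner_ip: sorted alert strings} for the probe types above."""
    alerts = defaultdict(set)
    syn_seen = set()                        # (src, dst, dport) with a SYN observed
    stray_ack_ports = defaultdict(set)      # src -> ports hit by ACKs with no SYN
    unreachable_replies = defaultdict(int)  # scanner -> ICMP port-unreachable count

    for src, dst, dport, proto, flags in packets:
        if proto == "tcp":
            key = (src, dst, dport)
            if "SYN" in flags:
                syn_seen.add(key)
                continue
            kind = classify_inverse_flag_probe(flags)
            if kind is not None:
                alerts[src].add(f"{kind} scan probe to {dst}:{dport}")
            elif frozenset(flags) == {"ACK"} and key not in syn_seen:
                stray_ack_ports[src].add(dport)
        elif proto == "icmp" and flags == "port-unreachable":
            unreachable_replies[dst] += 1  # the reply is addressed to the scanner

    for src, ports in stray_ack_ports.items():
        if len(ports) >= ack_port_threshold:
            alerts[src].add(f"ACK flag probe sweep across {len(ports)} ports")
    for scanner, count in unreachable_replies.items():
        if count >= udp_reply_threshold:
            alerts[scanner].add(f"UDP sweep: {count} ICMP port-unreachable replies")
    return {src: sorted(found) for src, found in alerts.items()}
```

Running `detect_scans(SAMPLE_PACKETS)` reports only 198.51.100.7; the legitimate ACK from 10.0.0.5 is ignored because its SYN was seen first.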

Scanning techniques with IDS/Firewall evasion

IDS/Firewall evasion techniques

  • PACKET FRAGMENTATION — Fragmented packets are sent that only the recipient will reassemble.
  • SOURCE ROUTING — You specify the routing path that the modified packet will need to take to reach the target.
  • IP ADDRESS DECOY — The generated packets will use a “decoy” IP address so as to make it more difficult for the IDS/firewall to trace the real sender. Reply packets arrive at all “used” IPs.
  • IP ADDRESS SPOOFING — The IP address of the sender is changed so that it looks like the packet came from someone else. Reply packets arrive at the spoofed address.
  • PROXY SERVER — A chain of proxy servers is used to hide the real origin of a scan and evade some IDS/firewall checks.

Banner grabbing

Banner grabbing can be passive or active, it is the method used to determine the target’s operating system or versions of exposed services.

OS target identification

Identifying the Operating System in use by the target provides an aid in identifying vulnerabilities that can be exploited. An attacker can identify the operating system of a target based on the TTL or WINDOW SIZE of the TCP packet, since the TCP/IP stack is implemented differently on each OS. Error messages are equally useful for identification.

Banner grabbing countermeasures

  • Modify original banners with fake ones
  • Turn off unnecessary services to limit the information our system can provide to an attacker
  • Hide file extensions to hide the technologies in use (web server)
