Notes on CEH — Part 2
In the enumeration phase, the attacker creates connections with the system to perform queries and retrieve information directly from it.
Information that can be enumerated includes network resources, shares, routing tables, service settings, FQDN and SNMP details, hostnames, users, groups, applications and banners.
- Extract usernames from email addresses
- Extract information using default passwords
- Extract usernames with SNMP
- Brute-forcing Active Directory
- Extract Windows user groups
- Extract information with DNS
Services and ports
- TCP/UDP 53: DNS Zone Transfer
- TCP/UDP 135: Microsoft RPC Endpoint Mapper
- UDP 137: NetBIOS Name Service (NBNS)
- TCP 139: NetBIOS Session Service (SMB over NetBIOS)
- TCP/UDP 445: SMB over TCP (Direct Host)
- UDP 161: Simple Network Management Protocol (SNMP)
- TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
- TCP/UDP 3268: Global Catalog Service
- TCP 25: Simple Mail Transfer Protocol (SMTP)
- TCP/UDP 162: SNMP Trap
NetBIOS names are strings of 16 ASCII characters used to identify devices: the first 15 characters carry the device name and the 16th is reserved for the service or name record type (the suffix). NBTSTAT is a Windows program that displays NetBIOS statistics, name tables (local and remote), and the NetBIOS name cache. NetBIOS name resolution is not supported on IPv6.
nbtstat.exe -c: obtain the NetBIOS name cache, i.e. the cached name table and the resolved IP addresses.
nbtstat.exe -A <remote host IP>: obtain the remote host's NetBIOS name table (upper-case -A takes an IP address; lower-case -a takes a remote NetBIOS name instead).
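The 15-character name plus 16th suffix byte described above is what travels on the wire in NBNS queries, in the "first-level encoded" form defined in RFC 1001/1002: each byte is split into two nibbles and each nibble is mapped to a letter A..P, giving a 32-letter string. The following encoder/decoder is an added example written for these notes, not code from the CEH material; the suffix table is a small constructed subset of the well-known suffix values.

```python
"""NetBIOS name first-level encoding/decoding (RFC 1001/1002), added example."""
from __future__ import annotations

NETBIOS_NAME_LEN = 15          # characters available for the device name
SUFFIX_NAMES = {               # constructed subset of well-known 16th-byte suffixes
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}
_ALPHABET = "ABCDEFGHIJKLMNOP"  # nibble 0x0..0xF -> 'A'..'P'


def encode_netbios_name(name: str, suffix: int) -> str:
    """Return the 32-letter encoded form of name<suffix>.

    The name is upper-cased and space-padded to 15 bytes, the suffix byte is
    appended, and every byte is split into two nibbles mapped to 'A'..'P'.
    """
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    raw = name.upper().encode("ascii")
    if len(raw) > NETBIOS_NAME_LEN:
        raise ValueError("NetBIOS names hold at most 15 characters")
    raw = raw.ljust(NETBIOS_NAME_LEN, b" ") + bytes([suffix])
    out = []
    for b in raw:
        out.append(_ALPHABET[b >> 4])
        out.append(_ALPHABET[b & 0x0F])
    return "".join(out)


def decode_netbios_name(encoded: str) -> tuple[str, int]:
    """Reverse encode_netbios_name: return (name without padding, suffix)."""
    if len(encoded) != 32 or any(c not in _ALPHABET for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        (_ALPHABET.index(encoded[i]) << 4) | _ALPHABET.index(encoded[i + 1])
        for i in range(0, 32, 2)
    )
    name = raw[:NETBIOS_NAME_LEN].rstrip(b" ").decode("ascii")
    return name, raw[NETBIOS_NAME_LEN]


def describe(encoded: str) -> str:
    """Human-readable NAME<suffix> (service) label, as nbtstat prints it."""
    name, suffix = decode_netbios_name(encoded)
    return f"{name}<{suffix:02X}> ({SUFFIX_NAMES.get(suffix, 'unknown')})"


if __name__ == "__main__":
    enc = encode_netbios_name("WORKGROUP", 0x00)
    print(enc)             # FHEPFCELEHFCEPFFFACACACACACACAAA
    print(describe(enc))   # WORKGROUP<00> (Workstation Service)
```

Running it prints the familiar `FHEPFCELEHFCEPFFFACACACACACACAAA` string for `WORKGROUP<00>`, which is why that sequence turns up in packet captures and IDS signatures for NBNS traffic; the decoder is the piece you need when reviewing such captures.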
- NetBIOS Enumerator
- Nsauditor Network Security Auditor
SNMP (Simple Network Management Protocol) is widely used for network monitoring. Through this protocol an attacker can collect a considerable amount of information about the target, such as users, running services, connected devices and configurations, and in some cases can also manage devices directly through SNMP.
- OpUtils 5
- Engineer's Toolset (SolarWinds)
LDAP (Lightweight Directory Access Protocol) is a protocol for querying and modifying directory services, such as Active Directory (AD), or more generally any grouped information that can be expressed as data records and organized hierarchically. LDAP operates on TCP port 389; enumeration requires access to the system to be queried. It is possible to extract usernames, domain information, addresses and the organizational structure.
- LDAP Admin Tool
NTP (Network Time Protocol) is the protocol responsible for synchronizing the clocks of systems; it uses UDP port 123. An attacker can query the NTP server to learn which hosts are connected to it, IP addresses of the network, hostnames, and operating systems.
NTP Enumeration commands
05: System Hacking
- Gaining Access
- Escalating Privileges
- Executing Applications
- Hiding Files
- Covering Tracks
Vulnerability assessment (VA) is the process of discovering vulnerabilities and design flaws; vulnerabilities are classified by severity and by how easily they can be exploited. It is the analysis of the ability of a system or application to withstand an attack: it recognizes, classifies and measures vulnerabilities in a system, network or communication channel. A VA is often performed with automated tools that produce a report, which is then reviewed and further investigated by the analyst.
Types of VA
- ACTIVE ASSESSMENT — Uses a network scanner to find hosts, services and vulnerabilities.
- PASSIVE ASSESSMENT — A technique that, through network sniffing, retrieves systems, network services, applications and vulnerabilities.
- EXTERNAL ASSESSMENT — The assessment is done from the attacker point of view (externally), to verify which of the vulnerabilities are exploitable.
- INTERNAL ASSESSMENT — An internal scan to find vulnerabilities.
- HOST-BASED ASSESSMENT — Determines the vulnerabilities of a specific system (server, workstation) and involves assessment of its configuration.
- NETWORK ASSESSMENT — Check what kind of network attacks are possible on the network under analysis.
- APPLICATION ASSESSMENT — Tests the target’s web infrastructure for misconfiguration or known vulnerabilities.
- WIRELESS NETWORK ASSESSMENT — It is performed on the target’s wireless network looking for vulnerabilities to exploit.
Password Cracking techniques
- DICTIONARY ATTACK — A dictionary file is loaded into the cracking application and each entry is tried against the target account.
- BRUTE FORCE ATTACK — The password cracking program tries all character combinations until it finds the right one to access the account.
- RULE-BASED ATTACK — This type of attack is favored when you have some additional information about the password to crack.
Very often the default passwords left by the manufacturers remain in the devices (because the user does not always change them), which makes guessing the password much easier. Passwords can also be stolen via Trojans or spyware installed on the victim’s devices.
Hash Injection Attack
This type of attack allows an attacker to inject the compromised hash into a session and exploit it to access network resources as if it were the rightful owner.
Privilege Escalation techniques
An attacker will typically access a system through a non-administrative account, and as a result it becomes necessary to attempt to get to an admin account. Privilege escalation attacks exploit application design errors, programming errors, bugs, and misconfigurations.
Privilege Escalation through DLL hijacking
Most Windows applications do not use an absolute path when loading an external DLL, which allows an attacker to swap the original DLL for an infected one, making the application vulnerable and exploitable for further attacks.
Privilege Escalation through vulnerabilities
When exploiting a vulnerability, commands are often executed with higher privileges, allowing an attacker to access an admin account through them.
Other Privilege Escalation techniques
- ACCESS TOKEN MANIPULATION
- APPLICATION SHIMMING
- WEAKNESS IN FILE SYSTEM PERMISSIONS
- PATH INTERCEPTION
- SCHEDULED TASK
- Restrict privileges for interactive logins
- Use cryptography
- Run applications with the minimum permissions necessary for its operation (least privilege)
- Reduce code that runs in a privileged context
- Implement multifactor authentication
- Run services with unprivileged accounts
- Test applications and the OS for errors
- Use separation of duties
- Patch and update the OS
Create and maintain access
Running malicious applications in systems has many objectives including: unauthorized access, password cracking, screenshots, installation of backdoors.
Spyware is a stealth program that records the user's activities without the user noticing; the collected information is sent to the attacker. Spyware hides its processes and files so that they cannot be detected and removed.
Techniques for obfuscating malicious programs
Rootkits are programs that hide their own presence and the malicious activities of the attacker, replacing some system calls and/or tools with their own modified versions. The structure of a rootkit typically includes backdoors, DDoS attack programs, packet sniffers, log removal programs and IRC bots.
- HYPERVISOR LEVEL ROOTKIT
- HARDWARE/FIRMWARE ROOTKIT
- KERNEL LEVEL ROOTKIT
- BOOT LOADER LEVEL ROOTKIT
- APPLICATION ROOTKIT
- LIBRARY LEVEL ROOTKIT
How to defend from a Rootkit
Reinstall the OS or applications from a certified source after backing up critical data. Perform a kernel memory dump to determine the presence of rootkits. Harden workstations/servers against attacks. Install a network firewall and a host-based firewall. Verify the integrity of system files regularly, using cryptographically strong technologies.
NTFS Data Stream
The NTFS Alternate Data Stream (ADS) is a hidden Windows stream attached to a file that can contain metadata such as attributes, word count, author name, and access and modification dates. An ADS allows an attacker to hide malicious code inside otherwise normal-looking files.
Steganography is an obfuscation technique that hides messages within other (seemingly normal) messages or within different file types such as video, audio and images. It preserves the confidentiality of the hidden data. The most common use is through images into which the secret message is injected.
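The image case above is usually implemented as LSB (least significant bit) embedding: the secret's bits overwrite the lowest bit of each pixel sample, so no sample changes by more than 1 and the picture looks identical. The following embed/extract pair is an added example written for these notes, not code from the CEH material; the "image" is a constructed array of 8-bit samples generated with a fixed seed rather than a real picture, and the 32-bit length prefix is an assumption of this example, not a standard.

```python
"""LSB steganography over 8-bit samples, added example (constructed carrier)."""
from __future__ import annotations
import random

# Constructed stand-in for an image: 4096 grey-scale samples from a fixed seed.
SAMPLE_COVER = bytes(random.Random(7).randrange(256) for _ in range(4096))
HEADER_BITS = 32  # assumption of this example: a 32-bit big-endian length prefix


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, secret: bytes) -> bytes:
    """Return a copy of cover whose LSBs carry len(secret) (4 bytes) then secret."""
    payload = len(secret).to_bytes(4, "big") + secret
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover holds {len(cover)} bits, payload needs {needed}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear LSB, then set it to the payload bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many bytes."""
    def read_bytes(offset: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier size; not an LSB payload")
    return read_bytes(HEADER_BITS, length)


def changed_samples(cover: bytes, stego: bytes) -> int:
    """Number of samples that differ between carrier and stego object."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


def max_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; for LSB embedding this is never above 1."""
    return max((abs(a - b) for a, b in zip(cover, stego)), default=0)


if __name__ == "__main__":
    secret = b"meet at dawn"
    stego = embed(SAMPLE_COVER, secret)
    print(extract(stego))                          # b'meet at dawn'
    print(changed_samples(SAMPLE_COVER, stego),    # at most (4 + 12) * 8 = 128
          max_delta(SAMPLE_COVER, stego))          # 1
```

The `max_delta` figure is the whole point for a defender: a byte-for-byte diff against the original is conclusive, but without the original the change is invisible to the eye, so detection has to rely on statistical tests of the LSB plane or on controlling where such files come from and go to.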
Techniques for obfuscating evidence of compromise
Once an attacker has managed to gain administrative access to the system, they will try to hide their tracks to avoid detection:
- Disable auditing
- Delete logs
- Manipulate logs
Cover tracks in BASH
Bash stores the history of executed commands in a file called .bash_history. An attacker can delete or clean up this file with the history -c or history -w command; for a deeper deletion, the shred $HOME/.bash_history command can be used.
Malware propagation concepts and techniques
Malware is malicious software that can create damage to a system, disable functionality and provide remote control (limited or complete) to the creators, often for fraud or data theft.
Types of malware:
- Trojan horse
Malware distribution techniques on the web
BLACKHAT SEO: It allows sites containing malware to be among the first search results of a search engine.
SOCIAL ENGINEERED CLICK-JACKING: Entice the user to click on a malware page.
SPEARPHISHING SITES: Identical copies of official sites are created to steal information (documents, credentials, credit cards).
DRIVE-BY DOWNLOADS: Browser vulnerabilities are exploited to install malware on systems.
- CRYPTER — Protects malware from reverse engineering.
- DOWNLOADER — Trojan that downloads other malware from the network.
- DROPPER — Trojan that installs other malware.
- EXPLOIT — Malicious code that exploits a vulnerability to enter the system.
- INJECTOR — Program that injects code into vulnerable processes.
- OBFUSCATOR — A program that obfuscates a malware's code and intent so that detection and removal are difficult.
- PACKER — Program that "packages" all the files necessary for a malware into a single executable, which can allow it to pass security checks.
- PAYLOAD — Part of software that allows you to gain control of a system (after the exploit).
- MALICIOUS CODE — Commands that define malware functionality, such as credential theft, backdoor creation or other malicious activities.
Overview of Trojans
There are many purposes for installing a Trojan on a system: installing backdoors, disabling firewalls and antivirus, using the system in a botnet, deleting or replacing critical OS files.
A wrapper hides the Trojan executable inside an executable that looks genuine. When the wrapper is started, it first installs the Trojan contained inside.
This is software used to hide viruses, keyloggers and other tools to make them difficult for antivirus to detect.
Antivirus evasion techniques
- A Trojan can be broken down into pieces that are later compressed together.
- Write your own Trojan independently.
- Change the content of the Trojan with a hex editor so that the checksum changes, or encrypt the file. These operations break the file signature, making detection difficult.
Overview of Viruses and Worms
Viruses are often transmitted via downloaded files, infected USB sticks or disks, and email attachments.
Indicator of compromise
- Processes take more time and resources
- The computer beeps without any video output
- Drives change label
- The OS is loading with errors or not loading at all
- Constant warnings from antivirus
- The computer crashes frequently or returns errors such as BSOD
- Missing files and folders
- Hard disk activity is suspicious
- Browser window freezes
- Lack of disk space
- Unexpected advertising popups
System Virus and File Virus
System/Boot Sector Virus: This type of virus moves the MBR to another location on the disk and copies itself to the original MBR location. At system startup, the virus code is executed and then control is passed to the original MBR.
Multipartite Virus: It is a virus that infects both the boot sector and normal executable files.
Cluster Virus and Stealth Virus
Cluster Virus: Modifies directory entries so that they point the user or system to malicious code.
Stealth/Tunneling Virus: This type of virus evades antivirus by intercepting calls to the OS.
Worms are malicious programs that replicate and execute themselves through the network.
Malware Analysis concepts
SHEEP DIP COMPUTER: This term refers to the analysis of suspicious files or messages for malware. It is a strictly controlled environment.
Introduction to Malware Analysis
It is the process of reverse engineering a malware in order to identify its origin, functionality, and potential impact on systems.
STATIC ANALYSIS: Code analysis only, without execution. It is used to understand how the malware works.
DYNAMIC ANALYSIS: Also known as behavior analysis, it runs malicious code to understand how it interacts and what kind of impacts it might have.
Test environment for Malware
- Prepare a physical system
- Install a VM
- Isolate the VM from the network (NIC in host only)
- Simulate the Internet with special tools such as iNetSim
- Disable shared folders
- Install the malware analysis tools
- Generate hash for each OS and tool to analyze any modification
- Copy the malware to the guest OS.
- SCANNING — The file's signature is calculated and searched in a database; on a match an alert is raised.
- INTEGRITY CHECKING — Reads the entire disk and "records" data integrity (like signatures).
- INTERCEPTION — Monitors system calls to the OS.
- CODE EMULATION — The antivirus executes the malicious code in a VM (sandbox).
- HEURISTIC ANALYSIS — Checks for potential malicious functionality, suspicious activity or system calls.
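Three of the items above rely on the same mechanism: the analysis-lab step "generate a hash for each OS and tool to analyze any modification", the rootkit defence "verify the integrity of system files regularly using cryptographically strong technologies", and the antivirus SCANNING and INTEGRITY CHECKING methods. The following script is an added example written for these notes, not code from the CEH material or any antivirus product: it records a SHA-256 baseline of a directory tree, diffs a later run against it, and matches file hashes against a set of known-bad signatures. The directory tree, the "trojaned" change and the known-bad hash in `demo()` are all constructed inside a temporary directory.

```python
"""File-integrity baseline and signature scan, added example (constructed demo)."""
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root: str) -> dict[str, str]:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root_path = Path(root)
    result: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():   # skip links: hash real content only
                result[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return result


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Integrity check: which files appeared, disappeared or changed content."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def scan(tree: dict[str, str], known_bad: set[str]) -> list[str]:
    """Signature scan: files whose hash matches an entry in the known-bad set."""
    return sorted(path for path, digest in tree.items() if digest in known_bad)


def demo() -> dict[str, list[str]]:
    """Constructed run: build a small tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "bin" / "ps").write_bytes(b"original ps")
        (root / "notes.txt").write_bytes(b"keep")
        before = baseline(tmp)

        (root / "bin" / "ps").write_bytes(b"trojaned ps")    # modified (rootkit-style swap)
        (root / "notes.txt").unlink()                        # removed
        (root / "bin" / "nc").write_bytes(b"dropped tool")   # added
        after = baseline(tmp)

        report = compare(before, after)
        # Constructed "signature database": the hash of the dropped file.
        known_bad = {hashlib.sha256(b"dropped tool").hexdigest()}
        report["signature_hits"] = scan(after, known_bad)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:15s} {paths}")
    # added           ['bin/nc']
    # removed         ['notes.txt']
    # modified        ['bin/ps']
    # signature_hits  ['bin/nc']
```

Note the difference between the two checks: `scan` only catches files whose hash is already in the database, which is why the hex-editor and encryption tricks listed under antivirus evasion work against it, while `compare` catches any change to a baselined file regardless of what the new content is, provided the baseline itself is stored somewhere the attacker cannot rewrite.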