Notes on CEH — Part 2

Mattia Zignale
8 min read · Jul 12, 2021

04: Enumeration

Overview

In the enumeration phase, the attacker creates connections with the system to perform queries and retrieve information directly from it.

Extractable information

Network resources, shares, routing table, service settings, FQDN and SNMP details, hostname, users, groups, applications and banners.

Enumeration techniques

  • Extract usernames from email addresses
  • Extract information using default passwords
  • Extract usernames via SNMP
  • Brute-force Active Directory
  • Extract Windows user groups
  • Extract information via DNS

Services and ports

  • TCP/UDP 53: DNS Zone Transfer
  • TCP/UDP 135: Microsoft RPC Endpoint Mapper
  • UDP 137: NetBIOS Name Service (NBNS)
  • TCP 139: NetBIOS Session Service (SMB over NetBIOS)
  • TCP/UDP 445: SMB over TCP (Direct Host)
  • UDP 161: Simple Network Management Protocol (SNMP)
  • TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
  • TCP/UDP 3268: Global Catalog Service
  • TCP 25: Simple Mail Transfer Protocol (SMTP)
  • TCP/UDP 162: SNMP Trap

NetBIOS Enumeration

NetBIOS names are 16-character ASCII strings used to identify devices: the first 15 characters carry the device name and the 16th is reserved for the service or name record type. NBTSTAT is a Windows program that displays NetBIOS statistics, name tables (local and remote) and the NetBIOS name cache. NetBIOS name resolution is not supported over IPv6.

nbtstat commands

  • Execute nbtstat.exe -c to obtain NetBIOS cache names, name table and the resolved IP addresses.
  • Execute nbtstat.exe -a <remote host IP> to obtain the remote host NetBIOS name table.
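The 16-byte name layout described above, together with the encoding NBNS uses for names on UDP 137 (the RFC 1001 first-level encoding), as an added Python example that is not part of the original notes; the suffix table is only a subset of the well-known values.

```python
# Added example (not from the original notes): build, encode and decode NetBIOS
# names as they appear in NBNS (UDP 137) packets and in nbtstat name tables.

NETBIOS_NAME_LEN = 16  # 15 characters of name + 1 suffix byte

# Well-known suffix bytes (a subset of Microsoft's NetBIOS suffix list).
SUFFIX_TYPES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}

def make_netbios_name(name: str, suffix: int) -> bytes:
    """Raw 16-byte name: uppercase, space-padded to 15 chars, then the suffix byte."""
    name = name.upper()
    if len(name) > NETBIOS_NAME_LEN - 1:
        raise ValueError("NetBIOS names are at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.ljust(NETBIOS_NAME_LEN - 1).encode("ascii") + bytes([suffix])

def first_level_encode(raw: bytes) -> bytes:
    """RFC 1001 'first-level' encoding used on the wire: each nibble -> 'A'..'P'."""
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)

def first_level_decode(encoded: bytes) -> bytes:
    """Inverse of first_level_encode; rejects input outside 'A'..'P' or of the wrong length."""
    if len(encoded) != 2 * NETBIOS_NAME_LEN or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("expected 32 bytes in the range 'A'..'P'")
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(encoded[::2], encoded[1::2]))

def parse_netbios_name(raw: bytes) -> dict:
    """Split a raw 16-byte name into host part, suffix and service description."""
    if len(raw) != NETBIOS_NAME_LEN:
        raise ValueError("raw NetBIOS name must be 16 bytes")
    suffix = raw[-1]
    return {
        "name": raw[:-1].decode("ascii", "replace").rstrip(),
        "suffix": suffix,
        "service": SUFFIX_TYPES.get(suffix, "unknown"),
    }
```

The encoded form of the wildcard name (`*` followed by 15 NUL bytes) is the `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA` string that a defender will recognise in NBNS node-status queries captured on UDP 137.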

Tools

  • SuperScan
  • Hyena
  • Winfingerprint
  • NetBIOS Enumerator
  • Nsauditor Network Security Auditor
  • enum4linux

SNMP Enumeration

SNMP (Simple Network Management Protocol) is widely used for network monitoring. Through this protocol you can collect a considerable amount of information about the target, such as users, running services, connected devices and configurations, and in some cases you can also manage devices directly through SNMP.

Tools

  • SNMPScanner
  • OpUtils 5
  • SNScan
  • Engineer’s Toolset (SolarWinds)

LDAP Enumeration

LDAP (Lightweight Directory Access Protocol) is a protocol for querying and modifying directory services, such as Active Directory (AD), or more generally any grouped information that can be expressed as data records and organized hierarchically. LDAP listens on TCP port 389; enumeration requires access to the system to be queried. It is possible to extract usernames, domain information, addresses and the organizational structure.

Tools

  • Softerra
  • JXplorer
  • LDAP Admin Tool

NTP Enumeration

NTP (Network Time Protocol) is the protocol responsible for synchronizing the clocks of systems; it uses UDP port 123. An attacker can query the NTP server to learn which hosts are connected to it, the IP addresses of a network, hostnames and operating systems.

NTP Enumeration commands

  • ntptrace
  • ntpdc
  • ntpq

05: System Hacking

Overview

HACKING STAGES:

  1. Gaining Access
  2. Escalating Privileges
  3. Executing Applications
  4. Hiding Files
  5. Covering Tracks

Vulnerability Assessment

It is the process of discovering vulnerabilities and design flaws; vulnerabilities are classified by severity and by how easily they can be exploited. It is the analysis of the ability of a system or application to withstand an attack: it recognizes, classifies and measures vulnerabilities in a system, network or communication channel. A VA is often performed with automated tools that produce a report, which is then reviewed and further investigated by the analyst.

Types of VA

  • ACTIVE ASSESSMENT — Uses a network scanner to find hosts, services and vulnerabilities.
  • PASSIVE ASSESSMENT — A technique that, through network sniffing, retrieves systems, network services, applications and vulnerabilities.
  • EXTERNAL ASSESSMENT — The assessment is done from the attacker’s point of view (externally), to verify which of the vulnerabilities are exploitable.
  • INTERNAL ASSESSMENT — An internal scan to find vulnerabilities.
  • HOST-BASED ASSESSMENT — Determines the vulnerabilities of a specific system (server, workstation), involves assessment of system configurations.
  • NETWORK ASSESSMENT — Check what kind of network attacks are possible on the network under analysis.
  • APPLICATION ASSESSMENT — Tests the target’s web infrastructure for misconfiguration or known vulnerabilities.
  • WIRELESS NETWORK ASSESSMENT — It is performed on the target’s wireless network looking for vulnerabilities to exploit.

Password Cracking techniques

  • DICTIONARY ATTACK — A dictionary file is used by the cracking application to access the target account.
  • BRUTE FORCE ATTACK — The password cracking program tries all character combinations until it can find the right one to access the account.
  • RULE-BASED ATTACK — This type of attack is preferred when some additional information about the password to crack is already known.

Very often the default passwords set by manufacturers remain on devices (because users do not always change them), which makes guessing the password much easier. Passwords can also be stolen via Trojans or spyware installed on the victim’s devices.

Hash Injection Attack

This type of attack allows an attacker to inject a compromised (stolen) hash into a session and use it to access network resources as if they were the rightful owner.

Privilege Escalation techniques

An attacker will typically access a system through a non-administrative account, and as a result it becomes necessary to attempt to get to an admin account. Privilege escalation attacks exploit application design errors, programming errors, bugs, and misconfigurations.

Privilege Escalation through DLL hijacking

Most Windows applications do not use an absolute path when loading an external DLL, which allows an attacker to swap the original DLL for an infected one, making the application vulnerable and exploitable for further attacks.

Privilege Escalation through vulnerabilities

When exploiting a vulnerability, commands are often executed with higher privileges, allowing an attacker to access an admin account through them.

Other Privilege Escalation techniques

  • ACCESS TOKEN MANIPULATION
  • APPLICATION SHIMMING
  • WEAKNESS ON FILE SYSTEM PERMISSIONS
  • PATH INTERCEPTION
  • SCHEDULED TASK

Countermeasures

  1. Restrict privileges for interactive logins
  2. Use cryptography
  3. Run applications with the minimum permissions necessary for their operation (least privilege)
  4. Reduce code that runs in a privileged context
  5. Implement multifactor authentication
  6. Debugging
  7. Run services with unprivileged accounts
  8. Test applications and the OS for errors
  9. Use separation of duties
  10. Patch and update OS

Create and maintain access

Running malicious applications on systems serves many objectives, including: unauthorized access, password cracking, taking screenshots and installing backdoors.

Spyware

Spyware is a stealthy program that records the user’s activities without the user noticing; the collected information is sent to the attacker. Spyware hides its processes and files so that they cannot be detected and removed.

Techniques for obfuscating malicious programs

Rootkit

Rootkits are programs that hide the attacker’s presence and malicious activities, replacing some system calls and/or tools with their own modified versions. The structure of a rootkit may include backdoors, DDoS attack programs, packet sniffers, log removal programs and IRC bots.

Rootkit types

  • HYPERVISOR LEVEL ROOTKIT
  • HARDWARE/FIRMWARE ROOTKIT
  • KERNEL LEVEL ROOTKIT
  • BOOT LOADER LEVEL ROOTKIT
  • APPLICATION ROOTKIT
  • LIBRARY LEVEL ROOTKIT

How to defend from a Rootkit

Reinstall the OS or applications from a certified source after backing up critical data. Perform a kernel memory dump to determine the presence of rootkits. Harden workstations/servers against attacks. Install a network firewall and a host-based firewall. Verify the integrity of system files regularly, using cryptographically strong methods.

NTFS Data Stream

The NTFS Alternate Data Stream (ADS) is a hidden Windows stream that contains metadata such as attributes, word count, author, access name and modification date. ADS can be abused by an attacker to hide malicious code inside files.

Steganography

Steganography is an obfuscation technique that hides messages inside other (seemingly normal) messages or inside different file types such as video, audio and images. It allows the confidentiality of the data to be maintained. The most common use is through images into which the secret message is injected.

Techniques for hiding evidence of compromise

Once an attacker has managed to gain administrative access to the system, they will try to hide their tracks to avoid detection:

  1. Disable auditing
  2. Delete logs
  3. Manipulate logs

Cover tracks in BASH

Bash stores the history of executed commands in a file called .bash_history. An attacker can clear or rewrite this file with history -c (clear the in-memory history) and history -w (write it back to the file); for a more thorough deletion the shred $HOME/.bash_history command can be used.

06: Malware

Malware propagation concepts and techniques

Malware is malicious software that can create damage to a system, disable functionality and provide remote control (limited or complete) to the creators, often for fraud or data theft.

Types of malware:

  • Trojan horse
  • Backdoor
  • Rootkit
  • Ransomware
  • Adware
  • Virus
  • Worm
  • Spyware
  • Botnet
  • Crypter

Malware distribution techniques on the web

BLACKHAT SEO: It allows sites containing malware to be among the first search results of a search engine.

SOCIAL ENGINEERED CLICK-JACKING: Entices the user to click on a page that serves malware.

SPEARPHISHING SITES: Identical copies of official sites are created to steal information (documents, credentials, credit cards).

DRIVE-BY DOWNLOADS: Browser vulnerabilities are exploited to install malware on systems.

Malware components

  • CRYPTER — Protects malware from reverse engineering.
  • DOWNLOADER — Trojan that downloads other malware from the network.
  • DROPPER — Trojan that installs other malware.
  • EXPLOIT — Malicious code that exploits a vulnerability to enter the system.
  • INJECTOR — Program that injects code into vulnerable processes.
  • OBFUSCATOR — A program that obfuscates a malware’s code and intent so that detection and removal are difficult.
  • PACKER — Program that “packages” all the files a malware needs into a single executable, which helps it pass security checks.
  • PAYLOAD — Part of software that allows you to gain control of a system (after the exploit).
  • MALICIOUS CODE — Commands that define malware functionality, such as credential theft, backdoor creation or other malicious activities.

Overview of Trojans

Trojan

There are many purposes for installing a Trojan on a system: installing backdoors, disabling firewalls and antivirus, using the system in a botnet, deleting or replacing critical OS files.

Wrapper

A wrapper hides the Trojan executable inside an executable that looks genuine. When the wrapper is started, it first installs the Trojan contained inside.

Crypter

Software used to hide viruses, keyloggers and other tools so that they are difficult for antivirus to detect.

Antivirus evasion techniques

  • A Trojan can be broken down into pieces that are later compressed together.
  • Write your own Trojan independently.
  • Change the content of the Trojan with a hex editor so that the checksum changes, or encrypt the file. These operations break the file signature, making detection difficult.

Overview of Viruses and Worms

Viruses are often transmitted via downloaded files, infected USB sticks or disks, and email attachments.

Indicator of compromise

  1. Processes take more time and resources
  2. The computer beeps without any video output
  3. Drives change labels
  4. The OS is loading with errors or not loading at all
  5. Constant warnings from antivirus
  6. The computer crashes frequently or returns errors such as BSOD
  7. Missing files and folders
  8. Hard disk activity is suspicious
  9. Browser window freezes
  10. Lack of disk space
  11. Unexpected advertising popups

System Virus and File Virus

System/Boot Sector Virus: This type of virus moves the MBR to another location on the disk and copies itself to the original MBR location. At system startup the virus code is executed first, and control is then passed to the original MBR.

Multipartite Virus: It is a virus that infects both the boot sector and normal executable files.

Cluster Virus and Stealth Virus

Cluster Virus: Modifies directory entries (pointers) so that they direct the user or system to the malicious code.

Stealth/Tunneling Virus: This type of virus evades antivirus by intercepting calls to the OS.

Worm

These are malicious programs that replicate and execute themselves through the network.

Malware Analysis concepts

SHEEP DIP COMPUTER: A strictly controlled, dedicated computer used to analyze suspicious files or messages for malware.

Introduction to Malware Analysis

It is the process of reverse engineering malware in order to identify its origin, functionality and potential impact on systems.

STATIC ANALYSIS: Analysis of the code only, without executing it. It is used to understand how the malware works.

DYNAMIC ANALYSIS: Also known as behavior analysis, it runs malicious code to understand how it interacts and what kind of impacts it might have.

Test environment for Malware

  1. Prepare a physical system
  2. Install a VM
  3. Isolate the VM from the network (NIC in host-only mode)
  4. Simulate the Internet with special tools such as iNetSim
  5. Disable shared folders
  6. Install malware analysis tools
  7. Generate a hash for each OS file and tool, in order to detect any modification
  8. Copy the malware to the guest OS.

Detection methods

  • SCANNING — The file’s signature is computed and searched for in a database; if it matches, an alert is raised.
  • INTEGRITY CHECKING — Reads the entire disk and “records” data integrity information (such as signatures) for later comparison.
  • INTERCEPTION — Monitors system calls to the OS.
  • CODE EMULATION — The antivirus executes the malicious code in a VM (sandbox).
  • HEURISTIC ANALYSIS — Checks for potentially malicious functionality, suspicious activity or system calls.
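The integrity checking described here, the hashing of OS files and tools in the malware test environment (step 7 above) and the rootkit defence of verifying system files with cryptographically strong methods all rest on the same mechanism. The following Python block is an added example, not code from the original notes: it baselines a directory tree with SHA-256 and diffs a later snapshot against it. The `demo()` function builds a constructed fake tree in a temporary directory; the file names in it are invented for illustration.

```python
# Added example (not from the original notes): a minimal file-integrity baseline.
# Hash a tree with SHA-256, store the result, later diff a fresh snapshot against it.
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():  # skip symlinks and special files
                result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of files that were added, removed or changed."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(k for k in base & cur if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, tamper with it, re-check."""
    work = Path(tempfile.mkdtemp())
    root, baseline_file = work / "tree", work / "baseline.json"
    for rel, data in {"bin/ls": b"ls v1", "etc/hosts": b"127.0.0.1 localhost"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline_file.write_text(json.dumps(snapshot(root), sort_keys=True))  # keep off-host
    (root / "bin" / "ls").write_bytes(b"ls v1 + trojan")  # modified (rootkit-replaced tool)
    (root / "etc" / "hosts").unlink()                     # removed
    (root / "tmp").mkdir()
    (root / "tmp" / ".hidden").write_bytes(b"x")          # added
    return compare(json.loads(baseline_file.read_text()), snapshot(root))
```

The baseline file must be kept somewhere the monitored host cannot rewrite (read-only media or a separate system), otherwise an attacker with administrative access can simply re-baseline after replacing the tools.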
