Notes on CEH — Part 4
10: IDS/Firewall Evasion and Honeypot
An IDS (Intrusion Detection System) is security software (or hardware) that inspects all traffic entering and leaving the network, looking for suspicious patterns.
Types of IDS
- NIDS: Network-based IDS; consists of a machine placed in the network in promiscuous mode, listening to the traffic and able to generate alerts when malicious patterns are detected.
- HIDS: Host-based IDS; these are generally applications (agents) installed on specific hosts, able to audit the events of the host under analysis.
Firewalls are hardware (or software) devices that prevent unauthorized access to and from private networks; they are usually placed between the public and the private network. The firewall analyzes all packets that enter or leave the network and blocks those that do not meet the configured security criteria.
BASTION HOST: A system configured to protect resources from attacks; it has two interfaces, one for the private network and one for the Internet.
SCREENED SUBNET: More commonly called a DMZ (DeMilitarized Zone); it contains hosts that offer services that must be available to the outside world (e.g. a web server), while the private zone cannot be reached by Internet users.
MULTI-HOMED FIREWALL: Firewalls with two or more interfaces that allow the network to be subdivided further according to the security specifications set by the company.
DMZ — DeMilitarized Zone
The DMZ is a network that is used as a buffer between the internal network (secure) and the Internet (insecure). It is created using a firewall with three or more network interfaces.
IDS evasion techniques
The main goal is to make the IDS see packets as something other than what they really are.
This type of attack confuses the IDS into reading invalid packets: the IDS accepts packets that the end systems involved will reject, which results in data being inserted into the IDS's view of the stream that the end host never processes.
This IDS evasion technique encodes the packet (including its payload) so that only the target host, and not the IDS, can decode it; encryption or Unicode encoding is usually used.
Firewall evasion techniques
Firewalls can be identified through port scanning and discovery of running services, through firewalking (using the TTL field to determine ACLs and map the network), and through banner grabbing for footprinting.
IP Address Spoofing
The attacker masks their IP address so that it appears to be that of a trusted host; this is done by modifying the header of IP packets in order to bypass the firewall.
Bypassing blocked websites
Some websites allow you to browse other websites through them, thus bypassing the IP-based rules of the firewall.
Firewall bypass using ICMP Tunneling
This technique allows, for example, a backdoor to be encapsulated in the data portion of ICMP packets; the payload portion is arbitrary and is not examined by many firewalls, so any kind of data can be encapsulated.
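The detection side of ICMP tunneling, as an added example that is not part of the original notes: echo request/reply packets normally carry a small, patterned data field, so a monitor that parses the ICMP header and scores the payload on size and entropy catches the arbitrary data the paragraph above describes. The sample datagrams are constructed inline (a default 56-byte ping payload and a deterministic pseudo-random blob standing in for tunneled data); the 56-byte and 6-bits-per-byte thresholds are assumptions to tune per network.

```python
import hashlib
import math
import struct
from collections import Counter

# ICMP echo header layout: type(1) code(1) checksum(2) identifier(2) sequence(2)
ICMP_HDR = struct.Struct("!BBHHH")
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# A default Linux/BSD ping carries 56 data bytes: an 8-byte timestamp then 0x10, 0x11, ...
STANDARD_PING_LEN = 56


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 8 for encrypted/compressed data, low for patterned fill."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_icmp(icmp_type: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP datagram for the detector to parse (checksum left at zero; nothing is sent)."""
    return ICMP_HDR.pack(icmp_type, 0, 0, ident, seq) + payload


def inspect_icmp(datagram: bytes, max_len: int = STANDARD_PING_LEN, max_entropy: float = 6.0):
    """Return the reasons an echo datagram looks like a tunnel; an empty list means it looks like plain ping."""
    if len(datagram) < ICMP_HDR.size:
        return ["truncated ICMP header"]
    icmp_type, _code, _csum, _ident, _seq = ICMP_HDR.unpack_from(datagram)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []  # only echo request/reply carries a free-form data field
    payload = datagram[ICMP_HDR.size:]
    reasons = []
    if len(payload) > max_len:
        reasons.append(f"oversized payload: {len(payload)} > {max_len} bytes")
    ent = shannon_entropy(payload)
    if ent > max_entropy:
        reasons.append(f"high-entropy payload: {ent:.2f} bits/byte")
    return reasons


# Constructed samples: a default ping payload and a tunnel-like blob (pseudo-random bytes
# derived from SHA-256 so the example is deterministic; not a real capture).
PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x10 + 48))
TUNNEL_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(7))
PING = build_icmp(ICMP_ECHO_REQUEST, PING_PAYLOAD)
TUNNEL = build_icmp(ICMP_ECHO_REQUEST, TUNNEL_PAYLOAD)

if __name__ == "__main__":
    for name, dgram in (("ping", PING), ("tunnel", TUNNEL)):
        print(name, inspect_icmp(dgram) or "looks like ordinary echo traffic")
```

Both checks fire on the constructed tunnel sample and neither on the default ping. Large legitimate pings (for example MTU tests) will trip the size rule on their own, so in practice the two signals are combined with volume per host and the firewall rule that drops echo payloads it does not need to pass.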
11: Hacking Web Applications
Web applications provide an interface between the end user and the web server, through a series of dynamically generated (or static) web pages that are served by the web server.
Threats to Web Applications
OWASP Top 10 Application Security Risks (2017)
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Components with known vulnerabilities
- Insufficient Logging and Monitoring
Injection
It is a vulnerability that allows unvalidated data to be interpreted and executed by the server; it can be divided into SQL Injection, Command Injection and LDAP Injection.
Broken Authentication
An attacker can exploit flaws in the authentication mechanism or in session-management functions (exposed accounts, session IDs, logout, password management, timeouts, security questions, and more) to impersonate a user.
Sensitive Data Exposure
Many web applications do not protect sensitive information from unauthorized access; this can occur when there are flaws such as improper encryption management or information leaks (e.g. access).
XXE — XML External Entity
It is a server-side attack, specifically a form of SSRF (Server-Side Request Forgery), in which the application parses an XML document from an untrusted source. It takes advantage of weaknesses in the XML parser.
Broken Access Control
Access control defines how a web application grants access to its content and functions; this attack bypasses those access checks.
Security Misconfiguration
An attacker exploiting a misconfiguration (such as default accounts or unprotected files) gains unauthorized access to the system. It is typically exploited through unvalidated input, form tampering, improper error and exception handling, or insufficient transport security.
XSS — Cross-Site Scripting
An XSS attack exploits vulnerabilities in dynamic pages: it allows the attacker to inject script code into web pages so that other users' browsers display or execute it.
Insecure Deserialization
Serialization/deserialization is the process that linearizes data objects so that they can be transported to other systems or across networks; the attacker injects malicious code into the serialized data and forwards it to the victim.
Use of components with known vulnerabilities
External components such as libraries and frameworks are often used in web apps and run with the application's privileges, so a flaw in any of them can compromise the entire application with very serious impact. An attacker can identify weak components and dependencies through scanning or manual analysis.
Insufficient logging and monitoring
This scenario occurs when the application does not log completely and exhaustively, or when detection systems fail to detect malicious activity (or ignore it completely).
CSRF — Cross-Site Request Forgery
A CSRF attack exploits vulnerabilities in a web page and allows the attacker to force a user's browser to send malicious requests. The victim has an active session with a trusted website and at the same time visits a fraudulent website that injects an HTTP request to the trusted site, compromising its integrity.
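The server-side check that defeats the scenario above, as an added example that is not part of the original notes: the browser attaches the session cookie to the forged request, so the session alone proves nothing; the server additionally requires a browser-set Origin matching its own site and a per-session token that the attacker's page cannot read. The origin `https://bank.example`, the `Session`/`Request` classes and the `transfer_form` helper are constructed assumptions standing in for a real framework's request objects.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: the trusted site from the notes is served from this origin.
TRUSTED_ORIGIN = "https://bank.example"


@dataclass
class Session:
    """Server-side session state; the anti-CSRF token is stored here, never only in a cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request after cookie-to-session lookup."""
    method: str
    origin: Optional[str]       # Origin header: browsers send it on cross-site POSTs, old ones may omit it
    session: Optional[Session]  # session the browser's cookie resolved to (attached even to forged requests)
    form: Dict[str, str]


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Accept a state-changing request only if it demonstrably came from our own pages."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if req.session is None:
        return False, "no session"
    # First line of defence: a browser-set Origin that is not ours means a cross-site request.
    if req.origin is not None and req.origin != TRUSTED_ORIGIN:
        return False, f"cross-site origin {req.origin}"
    # Second line: the attacker's page cannot read our token, so a forged form cannot carry it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return False, "missing or wrong csrf token"
    return True, "ok"


def transfer_form(session: Session, to: str, amount: str) -> Dict[str, str]:
    """What our own transfer page would submit: the form fields plus the session's token."""
    return {"to": to, "amount": amount, "csrf_token": session.csrf_token}


if __name__ == "__main__":
    alice = Session("alice")
    own = Request("POST", TRUSTED_ORIGIN, alice, transfer_form(alice, "bob", "10"))
    forged = Request("POST", "https://evil.example", alice, {"to": "mallory", "amount": "1000"})
    print(csrf_check(own), csrf_check(forged))
```

The token comparison uses `hmac.compare_digest` so the check does not leak timing information, and GET is treated as safe only on the assumption that the application never changes state on GET; if it does, those handlers need the same check.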
Web Application Hacking Methodology
Web Infrastructure Footprinting
Footprinting is the first step in webapp hacking and consists of identifying vulnerable applications and selecting victims.
SERVER DISCOVERY: Cataloguing information about the location of servers and their status. Information on IP addresses, DNS names and port scanning allows the service discovery phase to be carried out more efficiently.
SERVICE DISCOVERY: Analyze the target to identify the ports in use. Some tools for this kind of analysis: nmap, NetScanTools Pro, Sandcat.
SERVER IDENTIFICATION: Analyze the headers of the server's responses to identify the make and version of the web server software; in essence this is banner grabbing.
HIDDEN CONTENT DISCOVERY: Discover hidden content and functionality that is not directly reachable, so that it can be exploited (web directory brute forcing, web spidering).
WAF and Proxy Detection
PROXY: Find out whether the target is routing requests through a proxy server; such servers usually add some fields to the response headers. The TRACE method (HTTP/1.1) can be used to identify the changes.
WAF: Check whether the web application under analysis is protected by a WAF (Web Application Firewall) via the cookies in its replies (WAFs often add their own cookies to the response). Use wafw00f to find out what kind of WAF is present.
12: SQL Injection
SQL Injection is a technique that takes advantage of unsanitized-input vulnerabilities to pass SQL commands through a web application for execution by a backend database. An attacker can gain unauthorized access or retrieve information.
SQL Injection Methodology
Extracting Information through Error Messages
Error messages are essential for extracting information about the database: operating system, database type.
The attack techniques vary depending on the type of errors found.
The attacker manipulates the parameters of GET and POST requests to generate errors.
SQL Injection Black Box PenTesting
- Send single/double quotes as the input data to catch unsanitized input
- Use a right square bracket as the input data to catch input that is used as part of a SQL identifier without sanitization
- Send long strings of junk data to detect buffer overruns
Perform Error Based SQL Injection
- Syntax error converting the nVARCHAR value db_name to a column of data type int
- When using dynamic SQL within a stored procedure, the application must properly sanitize the user input to eliminate the risk of code injection; otherwise malicious SQL may be executed within the stored procedure
Bypass Website Logins using SQL Injection
You can UNION the results with a known password and the MD5 hash of the supplied password: the web app then compares your password with the MD5 hash you supplied instead of the MD5 hash from the database.
Some SQL Injection examples:
' OR 1=1--
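The injection flaw from the OWASP list above and this login bypass, worked through in code as an added example that is not part of the original notes: a login routine that concatenates the username into the query lets the `' OR 1=1--` payload turn the WHERE clause into a tautology, while the same routine with a parameterized query treats the payload as an ordinary (non-matching) username. The in-memory SQLite table and the `alice` account are constructed; MD5 is kept only because the notes describe MD5-hashed passwords, a real application should use a dedicated password hash such as bcrypt or Argon2.

```python
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account (MD5 only mirrors the notes; not a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.md5(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: the user's input is parsed as SQL.

    With username "' OR 1=1--" the statement becomes
        SELECT username FROM users WHERE username = '' OR 1=1--' AND password_hash = '...'
    and everything after -- is a comment, so the password check disappears.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + pw_hash + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver binds the input as data, so it can never change the SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    for user, pw in (("alice", "correct horse"), ("' OR 1=1--", "anything")):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

The parameterized version is also the fix for the UNION trick described above: when the hash and the username are bound as parameters, no input can append a second SELECT to the statement.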
Interacting with the Operating System
There are two ways to interact with the OS: reading and writing system files on disk, and direct command execution via a remote shell.
NULL UNION ALL SELECT LOAD_FILE('/etc/passwd')/*
If successful, the injection will display contents of the passwd file.
Network Reconnaissance using SQL Injection
- You can execute the following commands using XP_CMDSHELL:
ipconfig /all, tracert MYIP, arp -a, netstat -ano
- Gathering IP information through reverse lookups.
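The probes listed in this section (quotes and right brackets, long junk strings, `OR 1=1`, `UNION ... SELECT`, `LOAD_FILE`, `XP_CMDSHELL`) are what a web server log shows when someone walks through this methodology; as an added example that is not part of the original notes, here is a scanner that URL-decodes each query parameter in access-log lines and reports which of those patterns it carries, so the defender can spot the error-based and UNION-based attempts alongside the 500 responses they provoke. The log lines are constructed samples in common log format, and the 256-character "long input" threshold is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in common log format; the probes mirror the ones in these notes.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2021:10:01:09 +0000] "GET /item.php?id=42%27 HTTP/1.1" 500 221',
    '10.0.0.7 - - [12/Mar/2021:10:01:15 +0000] "GET /login.php?user=%27+OR+1%3D1--&pass=x HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/Mar/2021:10:01:20 +0000] "GET /item.php?id=NULL+UNION+ALL+SELECT+LOAD_FILE(%27/etc/passwd%27)/* HTTP/1.1" 200 4096',
    '10.0.0.7 - - [12/Mar/2021:10:01:25 +0000] "GET /item.php?id=' + "A" * 600 + ' HTTP/1.1" 500 221',
    '10.0.0.9 - - [12/Mar/2021:10:02:00 +0000] "GET /search.php?q=rock+%26+roll HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Each rule is applied to a URL-decoded parameter value; names double as the finding's reason.
RULES = {
    "quote":      re.compile(r"""['"]"""),
    "rsquare":    re.compile(r"\]"),
    "tautology":  re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
    "union":      re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "file_or_os": re.compile(r"\bload_file\b|\bxp_cmdshell\b", re.I),
    "comment":    re.compile(r"--|/\*"),
}
MAX_VALUE_LEN = 256  # assumed limit; longer values are treated as junk sent to provoke errors/overruns


def check_value(value: str):
    """Return the names of every rule the decoded parameter value triggers."""
    reasons = [name for name, rx in RULES.items() if rx.search(value)]
    if len(value) > MAX_VALUE_LEN:
        reasons.append("long_input")
    return reasons


def scan_log(lines):
    """One finding per suspicious request: 1-based line number, client IP, status and per-parameter reasons."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        query = urlsplit(m["target"]).query
        hits = {}
        for key, value in parse_qsl(query, keep_blank_values=True):
            reasons = check_value(value)
            if reasons:
                hits[key] = reasons
        if hits:
            findings.append({"line": n, "ip": m["ip"], "status": int(m["status"]), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"line {f['line']} from {f['ip']} status {f['status']}: {f['params']}")
```

Only GET parameters are visible in a standard access log; POST bodies need the application's own request logging or a WAF in front of it, which is exactly the gap the "Insufficient logging and monitoring" item in the OWASP list refers to.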
Finding and Bypassing Admin Panel of a Website
Attackers try to find the admin panel of a website using simple Google dorks and bypass the admin authentication using a SQL Injection attack.
Other articles about CEH will follow.