Advance Ethical Hacking Course



1. Introduction

2. Author's Profile

3. Ethical Hacking & Penetration Testing
   - What is Ethical Hacking?
   - Types of Ethical Hacking
   - Responsibilities of the Ethical Hacker
   - Customer Expectations
   - Skills of the Hacker
   - Relevant Laws
   - Preparation
   - Types of Attacks

4. Methodology Overview
   - Your Goals
   - Reconnaissance [passive, active]
   - Scanning
   - Service Enumeration
   - Vulnerability Assessment
   - Vulnerability Exploitation
   - Penetration & Access
   - Privilege Escalation & Owning the Box
   - Evading Defenses & Erasing Tracks
   - Maintaining & Expanding Access

5. Reconnaissance (Footprinting)
   - Passive Reconnaissance
   - Using WHOIS & Other Tools
   - Active Reconnaissance
   - Active Reconnaissance Tools & Methods
   - Putting It All Together
   - Reconnaissance Demo

6. Scanning
   - Scanning For Hosts
   - TCP Connection Basics
   - TCP Scan Types
   - UDP & ICMP Scanning
   - Scanning Demonstration using NMAP

7. Port & Service Enumeration
   - Identifying Ports & Services
   - OS Fingerprinting
   - Popular Scanners
   - Demonstration

8. Data Enumeration
   - Data Enumeration
   - SNMP Enumeration
   - DNS Zone Transfers
   - Windows Null Sessions
   - NetBIOS Enumeration
   - Active Directory Extraction

9. Vulnerability Assessment
   - Vulnerabilities & Exploits
   - OS Vulnerabilities
   - Web Server Vulnerabilities
   - Database Vulnerabilities
   - TCP Stack Vulnerabilities
   - Application Vulnerabilities
   - Vulnerability Assessment

10. Penetration/Access/Compromise Pt.1
   - Penetrating the System Pt.1
   - Penetrating the System Pt.2
   - Bypassing Access Controls
   - Password Cracking Pt.1
   - Password Cracking Pt.2
   - Social Engineering

11. Penetration/Access/Compromise Pt.2
   - Session Hijacking Pt.1
   - Session Hijacking Pt.2
   - Privilege Escalation
   - Maintaining & Expanding Access
   - System Compromise

12. Evading Defenses & Erasing Tracks
   - Where Your Actions Are Recorded Pt.1
   - Where Your Actions Are Recorded Pt.2
   - Deleting Log Files & Other Evidence Pt.1
   - Deleting Log Files & Other Evidence Pt.2
   - Rootkits
   - Steganography
   - Evading IDS & Firewalls

13. Introduction to Hacking Techniques Pt.1
   - Encryption
   - Sniffer
   - Wireless hacking
   - SQL Injection

14. Introduction to Hacking Techniques Pt.2
   - Buffer Overflows
   - Rootkits
   - Spoofing
   - Denial of Service Attacks
   - Web Hacking

15. Popular Tools
   - nmap Pt.1
   - nmap Pt.2
   - SuperScan
   - Nessus




1. Introduction

I will be explaining some of the exciting new developments in the information security environment and how to perform vulnerability assessments against the networks and operating systems you are likely to find in today's environments. That is the basic theme throughout the course: we take the defensive security methodologies and turn them in reverse, using attack skills to reverse engineer the defenses we usually find on a network. This should give us insight into the hacker mentality and let us develop better security systems, so that we can protect ourselves from malicious activity.

Let's take a few moments to look at the material we will be covering. In the very first chapter we cover the basics: the concept behind ethical hacking and the methodologies involved. Then we move into the activities and concepts you will actually perform in the field when doing penetration testing and vulnerability assessment.

The first of these is reconnaissance. We will spend some time on doing your research, basically footprinting the company or network against which you plan to perform ethical hacking. Next we talk about scanning. Scanning is a little more active than reconnaissance; it goes out and gives you a more accurate picture of what you might find on the network, or running on a particular host in that network. Next we move on to service enumeration, which gives us even more detailed operating system and application information about what is running on the various computers in the network. Then we go into more technical detail with vulnerability assessment and exploitation.

This is the point where you have as much information as you need: you close in on the target, find out what vulnerabilities exist and exploit them to gain access to the systems. This is usually where the weakness in most networks is pointed out, so it is the highlight, if you will, of the overall process. After we have gained access, we need to understand the difference between penetrating a system or network, that is, gaining access to it, and what is involved in the compromise of the system: once we have identified the vulnerabilities and exploited those that exist, we gain access to the system, effectively compromising it.


Now we actually get to perform actions against our newly found system. These can include privilege escalation, where we bump ourselves up to system administrator or possibly root, and owning the box, which is basically slang for using the box for whatever you want; in other words, doing things with that machine that were never intended when it was installed. After we have been able to get onto the machine and do what we wish, our next goal is to evade any defenses that exist and to erase our tracks, effectively acting as a ghost. Then comes maintaining access, and possibly using previous compromises and exploits to produce even more access. Once we own one box, we want to expand out and get as many as we can on that network, because a network with one vulnerability is most likely going to have a lot more. Wrapping things up, we go into some more involved topics, such as steganography and encryption, which come into play and are a factor when we perform these vulnerability assessments, and we cover some popular tools you might use in your travels as an ethical hacker. We cover some of the outstanding exams that exist if you plan on getting certified, and finally we discuss a little more about my background and Bobby's background. This should give you a pretty good idea of what we plan to cover in this course. I hope you enjoy it and I look forward to working with you.



2. Ethical Hacking & Cyber Security

2.1 What is ethical hacking?
2.2 Types of ethical hacking
2.3 Responsibilities of the ethical hacker
2.4 Customer expectations
2.5 Skills of the hacker
2.6 Relevant laws
2.7 Preparation
2.8 Types of attacks

2.1 What is Ethical Hacking?

To start things off we take an introductory view of the concepts of ethical hacking and penetration testing. We begin by defining the concept altogether: what exactly is ethical hacking? What does it mean to us, and where does it fall within the role of information security in today's networks and companies? We define the various types of ethical hacking. We also talk about the responsibilities of an ethical hacker, in other words what you should and should not do, and what steps you should take to make sure you handle your job in a responsible and professional manner. We define some of the expectations a customer might have when you perform vulnerability assessments or penetration tests against their networks. Especially as a consultant, you want to take the time to really define what the customer is looking for, because there are so many different attack venues and forms of disclosure that it is very possible for things to be misinterpreted in either direction between you and the customer; spending some time on this is definitely a good investment. Then we talk about what skills are required of the person performing ethical hacking and penetration testing. We also take some time to define some of the laws that apply to penetration testing and ethical hacking. In addition we cover preparation for the job and the various types of attacks you might perform against a company's network or systems.



So where does ethical hacking fall as a category? Does it file neatly away under information assurance or information security? Basically it is a very integrated part of the ongoing process that is your security architecture. The definition of ethical hacking can mean many different things, but here we define it as the art and science of understanding and determining the vulnerabilities inside your information infrastructure. The primary goal is to be able to defend against attacks, and the idea behind ethical hacking is that we put ourselves in the hacker's shoes: we want to see what they see and do what they do, and by doing that gain a better, in-depth understanding of how we can defend ourselves against those hackers. History has shown us that hackers have always been several steps ahead of network security professionals, for a couple of reasons. Usually the people in corporate information security don't have a background in spending time on the internet doing malicious things, or in really understanding how attacks take place. What you are going to find is that once you understand the attack methodologies and the attack venues available, you can better lock your network down and defend against those attacks. Ethical hacking is generally performed by highly skilled and experienced security professionals. There has been some controversy in the past about whether you should hire convicted felons who are hackers as security professionals. Without getting into the detail involved there, the most important thing to remember is that, above all else, even above skills, these must be professional and ethical security professionals: people who have the self-control to find these exploits and responsibly disclose how they work and what problems they might bring with them. So bear in mind that our goal here is that we are working for the good guys.

We are not the bad guys. We are not out to hurt these companies; we are out to help them improve their security infrastructure. We are going to attack the weaknesses in the network, and we want to beat the hackers to them. Again, as I said, we have always been several steps behind the hackers, so this is an effort to catch up with them, or possibly even get a step ahead, by pre-hacking our own network and finding those holes before they do. We rely on the exact same techniques and tools developed by people out in the trenches performing live hacks against companies. This has been studied and reviewed and ultimately implemented as a methodology using tools and techniques similar to what hackers would use. We want to find these holes, find these


weaknesses and the various exploits and vulnerabilities, and we want to protect ourselves against them through mitigation, risk management, and overall network defense and defense in depth. This should give you a pretty good idea of what you should be looking for when getting into the process of ethical hacking. Knowing the definition is a valuable asset, and so is knowing what role you are going to play in the larger scope of information security.

2.2 Types of Ethical Hacking

Now we take some time to look at the different types of ethical hacking, and the different approaches you might take, at a high level, when attacking systems in an ethical manner. The first thing we define is white box testing. White box testing means that you have fully disclosed knowledge of the network you are attacking. In other words, the person you are working with or working for has said: there is a SQL server running at this IP address; take a look at it; here is the version information, here are the applications that rely on it, here is the current patch level; find out if there are any vulnerabilities on that server. That is definitely great information to have, because it saves you the time of fingerprinting that system and researching it, and lets you go straight into assessing the box for exploits, vulnerabilities and similar concerns. The problem with white box testing is that it is not always realistic from a true hacker's perspective: with that level of information we can simply say, ok, we know we can go straight in and perform this exploit. Again, if you are looking for short, to-the-point reports and want to understand what the vulnerabilities are, it is a great way to go about it. A lot of companies, however, are going to want you to do black box testing.

In black box testing you have zero knowledge about how the company's network is set up. You don't know what operating systems they are running, what IP ranges they are using, where their DMZ is, what directory systems they use; you have no idea about any of those things. That is also a great way to approach it, because it lets you footprint and fingerprint the organization and try to gain information. That part alone is a huge part of the hacking methodology: gaining as much public information about the company as you can, then moving in and trying to get as much further information as possible. So there are definitely benefits and drawbacks to both white box and black box testing.



In addition to these two clean-cut definitions there is also a grey area, hence the name grey box testing, which is not a clearly defined method or type of ethical hacking. It basically means that you have some level of knowledge of the network going in, but not the explicit details involved in true white box testing. Whichever way you go, it is worthwhile, because you are still performing these assessments against your networks and gaining knowledge from them. The approach is usually defined by the organization or group you are working with and performing the vulnerability assessments for.

Speaking of vulnerability assessments, we can break the types of assessment down further by distinguishing vulnerability assessment from penetration testing. You can perform white or black box penetration testing, or white or black box vulnerability assessment. After you define the level of knowledge you are going to have, the next thing to define is how deep you are going to attempt to go in assessing and testing this network. Vulnerability assessment is the lighter way to go about that process. Generally you use automated tools and scanners, such as Nessus or MBSA from Microsoft, to go in and find out where the weaknesses are. This is fine because it usually lets you check patch level, which is very important: are the systems fully patched, are they configured properly, are there any known vulnerabilities in the network? The problem with vulnerability assessments is that they are never going to be as in-depth as penetration testing, because you are relying on automated tools to do the work for you, and the information you get is only as good as your tool.

In other words, if there is a live exploit working on the internet today that no one knows about, then how is it going to be configured in your tool if you don't know about it? The benefit of doing vulnerability assessments with automated tools is that they generally require a lot less work and fewer people. So there is a benefit: it is a quick scan, it happens automatically, I don't have to put a lot of effort into it, and I get a pretty decent preliminary report back telling me the basic security posture of my network. On the opposite end of the spectrum there is true penetration testing, which goes very far beyond vulnerability assessment. Vulnerability assessment is actually a very small piece of penetration testing. We identify the vulnerabilities just as we would in a vulnerability assessment, then we take a step further and look for vulnerabilities that are not configured in our tool; we even create the vulnerability checks ourselves if necessary. There have been a lot of environments in the past running custom-compiled operating systems and in-house developed applications, and unfortunately vulnerability assessment does not take you very far there, because if the company making the tool has never heard of your


target, obviously it is not going to be prepared for it. So if you are able to compile your own tools on the fly and have the in-depth understanding required to perform penetration testing, you will definitely get much better results on custom networks. Penetration testing goes far beyond vulnerability assessment: it actually performs the exploits, or mock-performs them, and writes up the findings based on that.

2.3 Responsibilities of the Ethical Hacker

When trying to understand the responsibilities of an ethical hacker, it all breaks down to what you are expected to do in preparation for, and throughout, the penetration test or vulnerability assessment. The first thing we harp on, and we continue to talk about it throughout the course, is using this knowledge and these tools only for the good side, only for legal purposes, because you are going to be under a lot of scrutiny when you are in there performing assessments against these companies. Companies don't like to hear that they have two or three hundred vulnerable systems sitting on their network, and they are going to watch you like a hawk. So understanding your responsibilities, ethically and legally, is very important. We only want to use our hacking skills to identify issues, keeping in mind that our ultimate goal is to defend the network. Hacking a system and spending a lot of time and resources on a vulnerability that is really not that important is not our goal. We are not there to identify every single small vulnerability that might exist. We are there to find out what the hackers can see; we want to see it from their perspective and defend ourselves based on that. Keep this in mind throughout the process. It is very easy to get caught up in "I am going to break into this system, I am going to root this box, I am going to do this and this." Stay focused: we are here to defend the network. If we succeed with an attack, let's find out what we can do to mitigate it. As always, and as I mention several times throughout the course, we must always get management approval. The term management is used loosely here; it can mean corporate executives, legal counsel, or local and federal law enforcement, depending on your target.

There are a lot of parties involved in that process. We want to create a plan; we are not just going to sit in the basement hacking away on a Linux box all day long, that is not our goal. We have to be more corporate and project-plan minded. We want to create our project plan or our test


plan and identify the parameters. By parameters I mean exactly what we are going to do, what tools we are going to use, what attack venues we are going to explore, and what the goals of this test are ultimately going to be. In other words, if the goal is to identify one system and the associated vulnerabilities on a particular tier-one application (a very important application, for example), that is all we do: we identify it, establish a timeline, go in, perform the work, then come out with a completed vulnerability assessment or penetration test. We also want that plan approved by management, and we want to make sure they fully understand the process you are going through, so that if they have any IDS running on the network they can recognize your activity and watch for abnormal activity on the servers. So be clear about notification, and again, I know I have harped on this already, your job is to be there to strengthen the network and help them define those vulnerabilities so they can protect against them. Always keep that in mind.

2.4 Customer Expectations

Probably one of the most overlooked aspects of working as a consultant is the customer relationship and, especially when dealing with penetration testing and security scenarios, the expectations of the customer. It is absolutely critical that we clearly define everything we plan to do and make sure we are really on the same page. Basically, we want to clearly define the goals and expectations by interviewing the customer and establishing a level of communication, so that we have a good understanding of what they are really looking for. We don't want to surprise the customer with things they didn't anticipate, and we definitely don't want to embarrass them by showing them lots of vulnerabilities or going over a person's head.

We want to make sure that we clearly communicate how we are going to do everything, up to and including the concluding presentation, and all levels of communication. Probably the biggest mistake you can make as a consultant doing penetration testing and ethical hacking is publishing or communicating the results to an external third party, especially when not authorized to do so. So it is very important that we closely guard the results and keep all information related to the relationship confidential. We also want to clearly establish ownership of the resulting data for that particular engagement. In other words, if we go in and find vulnerabilities in a certain product on the customer's network, any communication of those vulnerabilities usually has to go through that company. There was a situation a while back where a coworker and I found a vulnerability that was previously undiscovered by the vendor of that software package, and there was a big legal issue there, because morally we were torn between


going directly to the vendor and telling them how we found the flaw, and our concern that doing so might break the relationship and legal boundaries with the company we were dealing with. So make sure you clearly communicate your intentions about scenarios like that early in the game. Just about every customer you deal with is going to expect, and will require, full disclosure of everything. By full disclosure we mean you need to go in there and be completely open: disclose everything you find, from the smallest vulnerability all the way up to potential fixes and things they can do to improve their network. We never want to hide information from the customer. If you find something and a particular manager comes to you and begs you not to tell the security team, I am sorry, but you need to pay attention to your contract, because it most likely says you are legally bound to fully disclose all information to that company and to the person in that company who brought you on board. So the overall result of discussing the expectations of our customers is that we need to communicate well with them. We need to make sure we properly interview the interested parties and the people who matter in this security chain. We also need to pay special attention to the fine print and to how the relationship between you and your customer will be handled; make sure we know what data is going to be provided to the customer, as well as who is going to be responsible for maintaining and owning that data.

2.5 Skills of the Hacker

That said, I think it is extremely important that we discuss the skills actually required of a hacker or penetration tester. Let me start out by saying this: you have to know everything about everything. I know that sounds unrealistic, but it is absolutely true. When you attack a system or remote network there is no way for you to predict the version numbers and software vendors these individual companies are going to be using, so you really have to be prepared for everything. You have to be prepared for intrusion detection, for encryption, firewalls and defensive mechanisms, as well as plain dumb luck or bad luck. So be aware that you are expected either to have the resources available or to already know everything about everything. It is needless to say that extensive knowledge is required about any type of system or target network we attack. Basically you should already have your beginnings in security in one way or another; the example we use here is perimeter security, and having that knowledge and


understanding of perimeter security is definitely useful when you are coming in from the other side. So you definitely need some experience, whether in intrusion detection, perimeters, encryption, whatever it is; be prepared to expand on that knowledge during your travels as an ethical hacker. In addition to security experience you should have a fair bit of network or systems administration experience, because it is absolutely critical that you have a good working knowledge of the systems themselves. You can't hack a PBX if you don't know how to operate one, and you can't hack a UNIX system if you don't know what commands are available on it. That again is one of the reasons we say you have to know it all, or at least know where to go to find that information. You should be familiar with several different types of operating systems, from embedded Linux systems such as Linksys routers, to Cisco IOS, BSD, Linux, UNIX, Windows and Macintosh. You need to know all of these because there is a pretty good chance you will run into each one of them at one point or another. So at a minimum you need a working knowledge of how to move around and do basic administrative tasks in nearly every operating system available. It is also absolutely critical that you have a great understanding of the TCP/IP protocol suite and the ports and protocols therein. You need to understand at least what port 80 being open really means to us (usually a web server), and being able to determine that simply by looking at a list of numbers is extremely important. So you have to be able to drop down to the binary and hexadecimal level and get a good grasp of ports, protocols and network-based protocol suites.

You also need a great understanding of common security vulnerabilities: understand what a buffer overflow is, understand what Unicode attacks are. These are the different skills we need so that we can build on that knowledge and get more specific as we go. It is also important to understand not only the vulnerability itself but what steps can be taken to mitigate it or protect yourself against it. Finally, you need a good understanding of the tools you are going to use to perform hacking and penetration testing, as well as the techniques those tools lend themselves to. You can be the best hacker in the world, but without tools you will only get so far; and the same goes the other way, you can have all the best hacking tools in the world, but you have to know how to use them and understand what the techniques mean.
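As an added illustration of reading TCP/IP at the byte level (this is example code written for this edit, not material from the course), the function below decodes the fixed 20-byte TCP header from raw bytes with Python's struct module and reports the ports and flags. The sample header, the small well-known-port table and the function names are constructed for the example.

```python
import struct

# Constructed sample for this example: a 20-byte TCP header as it would appear in a
# packet capture. Source port 49152, destination port 80, SYN flag set, window 65535.
SAMPLE_TCP_HEADER = bytes.fromhex(
    "c000"      # source port 49152
    "0050"      # destination port 80
    "00000001"  # sequence number
    "00000000"  # acknowledgement number
    "5002"      # data offset 5 (5 x 4 = 20 bytes), reserved bits 0, flags: SYN
    "ffff"      # window size
    "0000"      # checksum (left zero in this constructed sample)
    "0000"      # urgent pointer
)

# Flag bits in the low 9 bits of the offset/flags word (RFC 793 plus the ECN bits).
TCP_FLAG_BITS = [
    (0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
    (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
]

# Conventional services for a few well-known ports. These are hints only: the port
# number suggests the service, and service enumeration later confirms it.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
                    80: "http", 110: "pop3", 143: "imap", 443: "https", 3389: "rdp"}


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header from raw bytes (network byte order)."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes, got %d" % len(raw))
    (src_port, dst_port, seq, ack, off_flags, window,
     checksum, urgent) = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("data offset %d inconsistent with buffer" % header_len)
    flag_bits = off_flags & 0x1FF
    flags = [name for bit, name in TCP_FLAG_BITS if flag_bits & bit]
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
        # Options, if any, follow the fixed 20 bytes up to the data offset.
        "options": raw[20:header_len],
    }


def describe_segment(hdr):
    """One-line reading of a parsed header, the way an analyst would eyeball it."""
    service = WELL_KNOWN_PORTS.get(hdr["dst_port"], "unregistered/unknown")
    if hdr["flags"] == ["SYN"]:
        kind = "connection attempt"
    elif "RST" in hdr["flags"]:
        kind = "reset"
    elif "FIN" in hdr["flags"]:
        kind = "teardown"
    else:
        kind = "data/ack"
    return "%s from port %d to port %d (%s), flags=%s" % (
        kind, hdr["src_port"], hdr["dst_port"], service,
        "|".join(hdr["flags"]) or "none")


if __name__ == "__main__":
    parsed = parse_tcp_header(SAMPLE_TCP_HEADER)
    print(describe_segment(parsed))
```

The WELL_KNOWN_PORTS table carries the caveat the text makes in passing: a port number only suggests a service, so an open port 80 is read as "probably HTTP" until the service enumeration step confirms what is actually listening.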


2.6 Relevant Laws

As I mentioned previously, it is also very important to understand your limitations as a penetration tester or ethical hacker, and some of these limitations are clearly defined for us through various laws passed by the federal government. We go over a couple of very important laws, and some more general ones, to get a good understanding of where we stand and where those limitations are defined for us at a national level. The first we talk about is Title 18 USC 1029, which basically defines telecommunications and some limitations on devices on telecommunication networks. This was originally built in the days of Kevin Mitnick and exploits of public phone systems. I will summarize how it relates to us by saying that the use of counterfeit devices is definitely illegal; we should not improperly use devices to alter data transmissions; we should not affect communication equipment when using it to gain access to other devices; and we are not allowed to gain access to transactions or communications. All of these are enforced by the Secret Service and are generally triggered by access, manipulation or effects of over $1000, which is a very small amount of money; a single infraction could easily amount to 10, 20, 30 or $40,000. So basically if you perform any of these actions against a network you are not authorized to be on, and sometimes even one you are, the Secret Service has the authority to investigate. USC 1030 goes a step further: it says you are not allowed to access a computer without permission, especially if you are doing so to obtain confidential information. But to be investigated or prosecuted under USC 1030 it has to be proven that you had malicious intent or performed malicious activities on that system, and the monetary limitation here is $5000.

USC 3121 through 3127 is called pen registers and trap and trace. Basically it says you can interact with anything except the contents of a communication. What that really means is that this code is put in place to say you can be aware that the communication took place, and be aware of the devices and addresses associated with it, but you are not authorized to access its contents. Take a basic TCP/IP communication: I can know the IP addresses of the sender and receiver, I can know what operating systems might be running on them, I can know any information I want about when the transaction happened, the size of the transaction and what protocol was used, but once I delve into the contents of that transaction I am violating USC 3121 through 3127.



Now 2510 through 2522 take it in the exact opposite direction. We are not allowed to understand the contents of the message, we are not allowed to understand the actual components of the message whether that be who is communicating when, how and where they're communicating to. So basically 3121 and 2510 series kind of overlap in to each other and provide overall definition of how you can and cannot interact with communication processes and contents. there are also some other statutes that have some affect but not a significant effect on our topic, that being the Patriot Act which was recently passed to address cyber terrorism. Also, USC 2701 which basically follows up on the various USC saying that not only can you not affect communications in transit but you also cannot access protected stored records, meaning if data sitting on a database somewhere it really wouldn't be covered by any of these codes because we are talking about data in Transit whereas this is talking about any records stored anywhere that are protected or private or off-limits to us. in addition USC 1362 takes another step forward in the right direction by defining the denial service attacks because in the denial service attacks we are not modifying data, we are not accessing data and we are not affecting communications other than taking it off-line. So, we have lost some backup up there with USC 1362. 7. Preparation When Preparing yourself to go through the process and methodology of ethical hacking, we are going to talk about some of the preparation steps, that are some things that you should have gone over and discover before the process starts. Right after that I know we mentioned it several times before, we are going to mention it again, get signed approval for everything that you do, clearly communicate your processes, procedures, tools, methodologies, everything clearly communicate that with the target. 
We need to sign any available confidentiality agreements, and I know this may sound strange, but you would almost want to go to the company and say, let me sign a confidentiality agreement; I want you to tell me what my limitations are for information disclosure. If they don't do that and you carry that information out, keeping in mind that you haven't signed an NDA, and you give security information to somebody and it comes up in court, now the court has to decide what happens and what the limitations should have been. So, we want them to clearly define our limitations there. Another very important and often overlooked step in the preparation part is getting approval from collateral parties, such as Internet service providers, business partners and customers if necessary. What I mean by collateral party is someone that may be inadvertently affected by the penetration test that you are performing against this company. Company A may be fully aware of and okay with your penetration test, but Company A's business partner, Company B, may be drastically affected if you take down one of the WAN links between the two companies during a vulnerability test of a router. Because they were unaware of it and technically you are affecting their systems, you are then in violation of various USC codes. So it is definitely a good point to bring up to the customer, because they may not have thought of that; make sure they understand what the limitations are on what you can do based on federal law, and the steps they need to take to get you approval from those collateral parties.

We put our team together and build our tool knowledge base. What that means is find a team of skilled folks; if you are going to do it alone, that's great, but usually when you perform ethical hacking it is going to be in a group. We want to gather the tools together, and it is important to define the tools early in the process based on the information the customer has given you, and that may mean giving the customer a huge spreadsheet of 10,000 tools and saying, hey, we are going to use some of these, especially in a black box environment. Anyway, we need to put together the team and the tools and get everything defined early in the game. Speaking of defining things, we want to define our goals: what exactly does the customer want us to do? Have a clear goal statement and a project plan put together and ready to rock 'n roll, so you know what your target is. We want to identify our ground rules. A lot of companies, already being a little nervous about the concept of vulnerability assessment and penetration testing, really are going to be nervous about this. So we want to be able to go in and say, look, here is what we are going to do: we are going to perform this test, this test and this test, and this test may in fact cause a denial of service. By identifying that early they can say, look, we don't want to run that test, we want to run a different test that may be a little less intrusive. The reason that's important is this: suppose you tell the company, I am going to go in and analyze your systems and find vulnerabilities.
You go in there and when you are running Nessus against a particular computer, it crashes that system and costs the company millions of dollars. They can come back and say, you didn't tell us about this, you didn't identify that these are possible risks. So, make sure that you understand what their tolerance limits are for this vulnerability assessment process, and make sure they understand what the risks are. By setting these ground rules, everybody can play nice in the playground. We want to set a schedule. A lot of companies don't want you coming in and working with their systems during business hours, so you need to postpone that to a weekend, or maybe a holiday, for example, when there's not a lot of traffic on the network. So clearly identify, again falling into the ground rules category, when we can do this. In addition to all of this, we want to notify the appropriate parties. Now, depending on the type of test that you're doing, whether it be a white box, black box or grey box test, I have seen scenarios where a chief information security officer would actually have someone come in and not tell anybody in the department that they are going to be doing this, just to see how well the department would handle it. So depending on how you are going about this process and how the company wants you to do it, you want to notify the appropriate parties. Even if they know it's going to happen, the morning of or the night of, send them an email: hey, I am about to get started, here is what we are going to do tonight, just as a reminder so they can be aware of that.

8. Types of Attacks

Now, I know we have mentioned various types of penetration testing and ethical hacking, but I want to go into a little more detail, kind of the third level of detail if you will, just before you get into the technical aspect, and that being the different types of attacks that can be performed against a given system on the network, or the network in general. The first of which is full penetration, and that means there are no limits: go in, tear the network up, and let's look at what's left and see if we can piece something back together. We are going to take all of the restrictions off and actually act as if we are a real hacker: go in with no limitations, try to hide your tracks, protect yourself. When it's all said and done, we can get a really true picture of what the network looks like. A denial of service attack is basically to see if the target can be taken off-line. A lot of companies are really sensitive about this; although it's important, a lot of companies don't like you to play around with these tools. Some of the companies I worked with in the past have actually specifically outlined in their definition of goals and restrictions that no denial of service checks be performed. It protects them from losing access to the system, should I be successful in executing a denial of service. Specific information: some companies may come to you and say, we are worried that someone might gain access to our stored credit card information. Say I am an online bookseller, for example: I want you to see if you can get to my credit card information. Well, that's a great example of targeting the disclosure of specific information, so we want to see if we can gain access to those records, and that means everything else is off limits unless it is necessary to get to that point. So that's another great example of a type of attack that you might be asked to perform. Another very common type of attack, and this can actually play a role in any combination of these, is social engineering.

Basically, it is the act of tricking someone into doing something for you or giving you information that you wouldn't normally be able to gain access to, or performing certain actions for you. So, social engineering, like I said, generally plays a role in a lot of these, but in some circumstances can be its own form of penetration testing.



3. Methodology Overview

3.1 Your Goals
3.2 Formal Methodologies
3.3 Reconnaissance
3.4 Scanning
3.5 Service Enumeration
3.6 Vulnerability Assessment
3.7 Vulnerability Exploitation
3.8 Privilege Escalation and Owning a Box
3.9 Evading Defenses and Erasing Tracks
3.10 Maintaining and Expanding Access

1. Your Goals

We are going to take a few moments to talk about one of the most important components of ethical hacking, and that is the methodology. So we are going to do an overview of what methodologies are out there, the idea behind using a methodology for hacking and penetration testing, and even what some common methodologies have in common. To start things off, we are going to talk about the primary goals of having a methodology and what it might mean to us to establish one. We are going to talk about some formal publications of security methodologies that are out there, some of which might be good for you to adopt and call your own. Then we are going to move into a high level overview of each step that most of the standardized methodologies have in common: reconnaissance, scanning, service enumeration, vulnerability assessment, followed by vulnerability exploitation, penetration and access, privilege escalation and owning the box, evading defenses and erasing tracks, and finally maintaining and expanding access. These are basically the step-by-step procedures we are going to go through during our full penetration test process.
So, moving on into what your goals are: again, we are going to define these goals, and having the methodology will be of use to us in reaching them. It depends on whether you're just looking for simple penetration and access, trying to steal specific information (or mock-steal that information), or performing denial of service activities, which can also be a goal as part of the process, or simply determining the vulnerabilities and how they might be exploited, rather than going into a lot of detail and exploiting them explicitly.



So, depending on the goals that you have, your methodology will actually change to wrap around the ultimate end result. The most important thing is to spend some time reviewing the methodologies that are out there, understand what they mean, and ultimately develop your own methodology that works well for you. But it's important that your methodology be flexible. In other words, if going through and performing exploitation of vulnerabilities is not part of your goal and your methodology is not flexible enough to move around that, it's not going to be effective in a true penetration testing process.

2. Formal Methodologies

Let's take a look at some of the formal methodologies, the reason they exist and what they might have in common. Basically, the methodologies that we are going to talk about provide a structured framework of processes and procedures for testing against various targets. The great thing about having an established formal methodology is that it allows you to be consistent, so that you do not overlook any possible attack venue or vulnerability, or maybe a corner of the network sitting off over there that you forgot about because you never wrote down the step-by-step process. In other words, having a methodology formalized and established is definitely valuable, and ultimately the goal of a methodology, and of these formal methodologies specifically, is to provide the most comprehensive testing possible. So, we are going to take a look at four common established and published methodologies. The first one we are going to look at is the OSSTMM, or Open Source Security Testing Methodology Manual. This is actually the particular methodology that I tend to lean most towards, and that's just a personal preference. Each one of these has major benefits, so I am going to give you the cookie-cutter information associated with each one, per the published description of that particular methodology.
So the OSSTMM is basically a methodology for performing security tests and metrics. It breaks test cases out into five different channels or sections, which basically test different targets such as information and data controls, personnel security awareness, fraud and social engineering controls, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations and their associated security such as buildings and perimeters. So it's a very comprehensive methodology, but it may be a little overkill just to use for penetration and hacking methodologies. There is a lot more involved in the OSSTMM than just security testing. Next we are going to talk about NIST Special Publication 800-42, which basically provides guidance on network security testing, specifically by identifying security testing requirements, prioritization of testing activities with limited resources, and basically breaking down the network security testing techniques and associated tools. NIST is actually fairly regularly used by federal, state and local law enforcement officers, especially for departmental or state organizations; it is actually designed specifically for that purpose. Next we are going to talk about the TRAWG, sometimes pronounced "travelogue", and that stands for Threat and Risk Assessment Working Guide. Again, this is actually aimed at proposed IT systems, but the concept of threat and risk assessment is not just limited to that. This particular guide provides guidance for an individual or department carrying out a threat and risk assessment for different proposed IT systems. It is going to help determine which critical assets are most at risk within those systems and ultimately lead to recommendations for safeguards to bring that risk to an acceptable level. So it deals a lot with, as its name suggests, risk assessment. OCTAVE is also a commonly used methodology, and stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. The idea behind OCTAVE is that it provides criteria to define a standard approach for a risk-driven, asset- and practice-based information security evaluation. Basically, by identifying the causes and the individual goals defined for a security evaluation, OCTAVE can provide for risk-driven, asset- and practice-based information requirements. OCTAVE is going to be used for larger corporate environments which are heavily reliant on the metrics associated with a risk-driven environment. So, as you can see, each of the individual formal methodologies we discussed here has strengths and weaknesses. Some of them might be risk-based, some of them might be process-based, or might be built for a specific organization. I definitely recommend that you go through and thoroughly analyze and understand all four of these different methodologies, and even any additional ones that you can find. Again, the ultimate goal is building your own personalized methodology that works well for you and that you can rely on. Again, it's got to be flexible.
3. Reconnaissance

We have covered the basics of the concepts of methodologies and some that are available. It's time to talk about some of the steps involved in penetration testing and ethical hacking methodologies, and this is with all paperwork and standardization aside. This is the list of steps that we are going to take during the actual attack process. The first of which is going to be reconnaissance. Reconnaissance is absolutely important, and more so for larger companies and people that might be housing sensitive data, simply because reconnaissance will allow us to identify weaknesses and information disclosure for particular companies. The basic idea is to gather as much information about the target company or organization as possible, including network infrastructure information, company policy information, even personnel information such as names, phone numbers and email addresses. All of these different things put together can actually correlate to a high level of vulnerability if left unchecked.


We can actually break reconnaissance out into two different types, active and passive reconnaissance. Passive reconnaissance generally means we are using techniques, and possibly even tools, that are undetectable by our target. In other words, we might go to their website, for example, and see what's listed on it, see if there are any job postings that might list specific technical requirements they are looking for in a particular IT person, which would help us identify some information about what's inside their network. If they are looking for a SQL design engineer for Microsoft SQL 2000 with experience in distributed transactions and possibly DTS packages, for example, then we already know just by looking at the job description that those are actively in use inside that company's organization, or will be once that job role is filled. So with just that little bit of information, which is publicly available and made so by the company, we can do a lot of things. Now, active reconnaissance is when we actually start touching the company, and what I mean by that is calling people, calling the secretary and querying for information about the availability of a particular person, possibly even going into the company, walking through the front doors and seeing what kind of physical security they have, maybe gaining access to systems where we can look at them and tell that they're running particular IBM servers or Gateway servers; they may have BIOS information that might be vulnerable. So once we move into active reconnaissance, which generally comes after passive reconnaissance, we start taking a little bit more of an intrusive role against the company. That might mean emailing people inside the company and contacting them, or maybe just looking at the source code of their website, or things like that.
A lot of the different reconnaissance tools, methods and particular processes are not clearly defined as being active or passive. A great example of this would be gaining access to one of the systems by using a known tool that's not really an exploit, maybe uploading a file to an FTP server; a great example of that is an anonymous public FTP server, no legal issues there. But doing a little research there could be considered active or passive, because it may or may not be detectable by the target. So, again, don't worry too much about classifying reconnaissance as active or passive; just understand the concept of reconnaissance itself.

4. Scanning

Often, depending on where you start in the vulnerability assessment/ethical hacking process, which in turn depends on whether it's grey box, white box or black box testing, you may or may not start off with scanning or reconnaissance. Reconnaissance is usually going to be black box testing. Now, let's assume we go ahead and move on into the scanning phase, whether it be after reconnaissance or at the beginning of the process itself.


The concept of scanning is really where we start touching the computers and interacting with various network nodes and components for the first time. The idea here is that we scan the networks to determine what's out there: what hosts are living on the networks, what individual routers might be out there, just to get a mental picture, or, using a program such as Cheops, get a visual picture of how the network is laid out. If there are multiple subnets, there might be various VLANs, for example, for traffic to cross or traverse. This is going to give us a pretty good starting point for establishing a good picture of the network and what's out there. There are different types of scans and different types of tools to perform scans. There are probably 150,000 different tools out there that can be used to scan networks, so each individual tool has strengths and weaknesses. Nmap is probably one of the most common specific scanning tools, because its sole purpose in life is to scan systems, check for ports, see if the system is alive, and possibly enumerate information about that system. Its primary goal is to get out there and scan the network and discover hosts and information about those hosts. So, depending on the type of scans necessary, you are probably going to swap your Swiss Army knife of tools around a little bit to accomplish that goal. Now, one thing that should definitely be noted about scanning is that it is very easily picked up by intrusion detection systems, and although that might seem kind of scary at first when performing a vulnerability assessment, it's actually not a big deal for us, because scans happen on such a regular basis on the Internet, and sometimes even on the local network, that a lot of intrusion detection systems will simply disregard them, or the people reading the logs from the intrusion detection system will disregard them.
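The easy pickup by an IDS mentioned above comes from how uniform a scan looks in connection logs: one source touching many ports on one host, or one port across many hosts. As an added example (not from the course, and not how Nmap or any IDS product is implemented), here is a small Python detector run over constructed flow-log lines; the log format, the thresholds and the 60-second window are assumptions chosen for the illustration.

```python
"""Flag port-scan patterns in perimeter connection logs (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one line per inbound TCP SYN seen at the perimeter.
# Assumed format: <ISO timestamp> <source IP> <destination IP> <destination port>.
# None of these addresses or events come from a real network.
SAMPLE_LOG = """\
2024-01-05T02:00:00 10.0.0.5 192.168.1.10 21
2024-01-05T02:00:01 10.0.0.5 192.168.1.10 22
2024-01-05T02:00:01 10.0.0.5 192.168.1.10 23
2024-01-05T02:00:02 10.0.0.5 192.168.1.10 25
2024-01-05T02:00:02 10.0.0.5 192.168.1.10 80
2024-01-05T02:00:03 10.0.0.5 192.168.1.10 110
2024-01-05T02:00:03 10.0.0.5 192.168.1.10 135
2024-01-05T02:00:04 10.0.0.5 192.168.1.10 139
2024-01-05T02:00:04 10.0.0.5 192.168.1.10 443
2024-01-05T02:00:05 10.0.0.5 192.168.1.10 445
2024-01-05T02:00:10 10.0.0.7 192.168.1.10 445
2024-01-05T02:00:12 10.0.0.7 192.168.1.11 445
2024-01-05T02:00:14 10.0.0.7 192.168.1.12 445
2024-01-05T02:00:16 10.0.0.7 192.168.1.13 445
2024-01-05T02:00:18 10.0.0.7 192.168.1.14 445
2024-01-05T02:00:20 10.0.0.7 192.168.1.15 445
2024-01-05T02:00:22 10.0.0.7 192.168.1.16 445
2024-01-05T02:00:24 10.0.0.7 192.168.1.17 445
2024-01-05T02:01:00 10.0.0.9 192.168.1.10 80
2024-01-05T02:01:30 10.0.0.9 192.168.1.10 443
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_scans(events, window=timedelta(seconds=60),
                 port_threshold=8, host_threshold=8):
    """Return (source, kind, target, count) alerts.

    kind == "vertical":   one source probed >= port_threshold distinct ports on one
                          host inside the window (the classic single-host port scan).
    kind == "horizontal": one source probed >= host_threshold distinct hosts on the
                          same port inside the window (a sweep spread across targets).
    Each (source, kind, target) fires once, at the moment it crosses its threshold.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    alerts = []
    for src, evs in by_src.items():
        recent = deque()   # events from this source inside the sliding window
        fired = set()
        for ev in evs:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:
                recent.popleft()
            ports = {e.dport for e in recent if e.dst == ev.dst}
            if len(ports) >= port_threshold and ("vertical", ev.dst) not in fired:
                fired.add(("vertical", ev.dst))
                alerts.append((src, "vertical", ev.dst, len(ports)))
            hosts = {e.dst for e in recent if e.dport == ev.dport}
            if len(hosts) >= host_threshold and ("horizontal", ev.dport) not in fired:
                fired.add(("horizontal", ev.dport))
                alerts.append((src, "horizontal", str(ev.dport), len(hosts)))
    return alerts


if __name__ == "__main__":
    for src, kind, target, count in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{src}: {kind} scan, {count} distinct against {target}")
```

The third source (10.0.0.9) makes two ordinary connections and produces no alert; that baseline is what the thresholds have to stay above on a real perimeter, where they are tuned per network rather than fixed at 8.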
So you don't really need to worry too much about getting picked up by an IDS when scanning is occurring, because you probably will be; the chances are no one will pay a lot of attention unless you consistently scan over and over again. There are definitely ways of performing scanning that try to avoid being picked up by an intrusion detection system, such as alternating targets and bouncing around the network so it doesn't look like you're consecutively scanning numbers. Now, once we have scanned the network and gathered up a list of the nodes that exist out there, we are ready to move on to our next part, which is gathering even more information about those nodes on the network.

5. Service Enumeration

At this point we have discovered what nodes are live on the network and maybe a little bit of information about them. We now move to the next point, where we want to get as much detail as possible. The next step is tossed back and forth between the names service enumeration and fingerprinting, and the reason there is some confusion there is this: we have determined a live host on the network, and now we want to discover what's actually running on that host. In other words, it might be running a web server, a database server and maybe a network file system server. Discovering that type of information usually helps us in identifying, or fingerprinting, the operating system and associated applications. In addition to the service enumeration process discovering those services, we might be able to discover specific version information about those services, which is also sometimes called fingerprinting the service, and the concept here is that we want to gather information about what's running on the system, and we want specifics. In other words, IIS 5.0 is running on their system; we discovered that while fingerprinting the IIS service found during service enumeration. This tells us that the operating system is Windows 2000, again part of the fingerprinting process. So now you can get an idea of why we decided to combine service enumeration and fingerprinting into one logical step, because they definitely overlap in a significant way. Now, for the most part, the reason that we want to discover the services and the fingerprinting information is that we want to understand what potential vulnerabilities might be present on that server and how we might exploit them. A great example of this: let's go back to the IIS 5.0 example. Starting from the very beginning, we do a little reconnaissance and find out that they have a web server. We decide to scan the web server; the scan finds the host is up and gives us an IP address, and then we perform enumeration/fingerprinting of that system, basically just poking and prodding to see what we can find from outside the box. We discover that it is running an IIS 5.0 server on port 80, again probably picked up by either scanning or service enumeration. By understanding that, we now know that we have a web server, obviously, we have an open port, port 80, and we have a vulnerable service that is running on that system.
IIS 5.0 has hundreds and hundreds of vulnerabilities that could potentially be exploited, and because we know it's 5.0 we now know that it's hosted on a Windows 2000 box, which in itself has hundreds and hundreds of vulnerabilities that could be exploited. So, as you can see, this process is basically giving us a little bit of information on what we could potentially do to that box to exploit it and gain access to it. For the most part, some of the tools you are going to use are going to include fingerprinting, service enumeration and scanning all in one; a great example of this, going back to Nmap, is that NMAP has the capability to scan all ports on the system. If you're not already familiar with ports versus services, generally a port is a number associated with a service running on that operating system. So, by doing a port scan in combination with a ping sweep, we can determine what hosts are alive and what is running on those hosts.



6. Vulnerability Assessment

The next step, after we have discovered the services and the various fingerprints of everything on the network, is to move into the assessment of what vulnerabilities might exist there. This almost takes service enumeration and fingerprinting a step further by checking various vulnerabilities against an application or service running on the system. So, let's go back to our IIS 5.0 example. We do a scan against the server using Nessus. Nessus has a known-vulnerability database and is actually one of the most popular assessment tools out there, because it is free, very comprehensive, and has great reporting and output. When we perform our vulnerability assessment, Nessus is going to check as much information as it can about that system. We know it's Windows 2000, let's say Service Pack 1 for example, running IIS. Well, Nessus is going to go back to its vulnerability database and say, okay, what vulnerabilities exist for Windows 2000 Service Pack 1, what vulnerabilities exist for the IIS 5.0 web server, and what vulnerabilities, if any, exist with the combination of the two. So it's definitely an awesome tool. There's one catch: because it relies on a known-vulnerability database, any previously undiscovered vulnerabilities will never be detected. Now, generally, the various high quality vulnerability assessment tools will at least have a warning saying that something could potentially be a problem. Nessus, luckily for us, is one of those tools, so Nessus will say, hey, although there aren't any known exploits for this, this looks like it could potentially cause a security concern.
So we are basically going to go out and grab as much information as we can; when we are ready to perform the vulnerability assessment, we gather even more detailed information, take that information, cross-reference it with the known vulnerabilities that exist, and look at what we might be able to do to exploit that system or what problems might exist there. Generally, vulnerability assessments are operating system specific, so it's important to select a tool such as Nessus that can handle vulnerability assessment for all popular operating systems and applications. We don't want to limit ourselves; a great example of this is the MBSA, the Microsoft Baseline Security Analyzer, which, much like Nessus, performs vulnerability assessment by looking at the configuration of the machines. The only catch is it doesn't work on NetWare, Linux, BSD, Macintosh or any other system other than Windows, and in addition it is going to have the same weakness that Nessus and any other automated vulnerability assessment tool has, and that is you've got to know about a vulnerability to check for it.

7. Vulnerability Exploitation

After we have gone through and assessed what vulnerabilities exist, we are ready to start piecing together the exploitation of those vulnerabilities. Basically, we are going to take the output from an automated vulnerability assessment tool, and any other manual vulnerability assessments we might have performed, and look at what available exploits exist. We might even have to move into the development of new exploits, and this is where having the think-outside-the-box mentality comes into play. A great example of this is custom programmed web applications. A customer that I worked with in the past deployed a new web application. It was written using PHP, which is a very common web language, and worked great for them. The company that built it never really gave a lot of thought to the security of the application itself. Well, running automated vulnerability assessments against the box and doing all the basic steps, I didn't discover any major vulnerabilities; everything looked to be pretty well locked down. But once I started looking a little deeper into the PHP application running on that server, I determined that there were a lot of vulnerabilities, such as information disclosure vulnerabilities where, when sending back errors, it would actually show me a lot more information than what I should be seeing as a public user of the website. In addition, there were a lot of vulnerable forms where I could use SQL injection, or possibly manipulate the form from the back end and then post that back to the database to retrieve more information. So, having enough skill and the mentality to be able to move outside the automated process of vulnerability discovery and exploitation is extremely valuable. Ultimately, after we've assessed all those vulnerabilities, we put ourselves in place and target the exploitation: we are going to try to gain access to the systems using these vulnerabilities, and that leads us into the next portion, penetration and access, where we are using our exploits and the information we've gathered so far to actually penetrate and gain access to the systems.
This is where we break the line; this is where going from legal to illegal can happen very quickly. So, assuming you have permission, we move forward based on the previous stages that we've gone through. Basically, everything before this is mainly the planning, preparation and information gathering phase; based on those exploitable vulnerabilities we have discovered, we gain access to those systems, and we can do that at various levels depending on what vulnerabilities exist, but the ultimate goal here, again, is to gain access to that system. So at this point, if we were successful in our penetration attempt, we can effectively say that this system has a very serious vulnerability. A great example, going back to that PHP application: me being able to run SQL commands against the database through the PHP application was effectively going from research to penetration. I am actually into the system; I'm retrieving customer records that are confidential. So, without the customer's permission, I have now moved into the illegal phase, where I could be prosecuted for my actions. Keep that in mind once you reach this step in the methodology.
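The PHP application in the story above failed in two ways: the form value was spliced into the SQL text, and raw database errors were echoed back to the browser. Below is an added Python/sqlite3 stand-in for that lookup (not the customer's code and not from the course), with the concatenated query beside a parameterized version that hides error detail and runs on a read-only handle; the customers table, its rows and the function names are constructed for this example.

```python
"""Form-backed customer lookup: concatenated SQL vs. parameterized, least-privilege SQL."""
import sqlite3

# Constructed rows standing in for the bookseller's customer table (nothing real).
CUSTOMERS = [
    (1, "alice", "alice@example.com", "1111"),
    (2, "bob", "bob@example.com", "0004"),
    (3, "carol", "carol@example.com", "0009"),
]


def make_db():
    """In-memory database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern described above: the form value is pasted into the SQL text,
    so quotes in it rewrite the WHERE clause, and any database error (with the
    full statement, table and column names) is handed straight back to the user."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return [("error", f"{exc} in: {sql}")]   # information disclosure


def lookup_hardened(conn, username):
    """Parameterized query: the value is bound as data and cannot change the
    statement. Errors belong in the server-side log (omitted in this stand-in);
    the caller only ever sees a generic failure marker."""
    try:
        cur = conn.execute(
            "SELECT username, email FROM customers WHERE username = ?", (username,)
        )
        return cur.fetchall()
    except sqlite3.Error:
        return [("error", "lookup failed")]


def read_only_connection(conn):
    """Least privilege for the web tier: it only needs SELECT, so its handle must
    not be able to change data or schema. SQLite's query_only pragma stands in
    for a database account that was never granted write privileges."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_modify_schema(conn):
    """Non-destructive check of what a handle may do: create and drop a scratch
    table. Returns False when the database refuses the write."""
    try:
        conn.execute("CREATE TABLE probe_tmp (x INTEGER)")
        conn.execute("DROP TABLE probe_tmp")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology input :", lookup_vulnerable(db, "x' OR '1'='1"))
    print("hardened,   same input      :", lookup_hardened(db, "x' OR '1'='1"))
    print("vulnerable, stray quote     :", lookup_vulnerable(db, "alice'"))
    print("web tier can modify schema? :", can_modify_schema(read_only_connection(db)))
```

The read-only handle is the control that turns the later "drop a table" attempt into a permission denial instead of a lost table, and the generic error is what keeps the schema out of the browser.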



8. Privilege Escalation and Owning a Box

At this point we have gained access to the system, and now we have to figure out what to do with that access. Depending on the level of access gained by the exploit or vulnerability, we have a couple of different things here, and that's why this step has been moved in just after gaining access to the system. Privilege escalation and owning the box basically means that we want to have administrative access, or more access than we currently have, possibly gaining access to privileged information or gaining a privileged account. A great example of this is starting out at guest level, for example as a web browser or Internet user account, and moving up from normal user or guest user to increased privilege levels such as power user, or possibly an administrative group, or even the administrator or root account. The term owning the box means gaining full control over the system. Often this might mean stopping services or changing vulnerabilities around; a very common tactic out in the field is actually to take the system over and lock that system down so that even the sysadmins can't get to it and other hackers can't exploit it either. So, when you see a live hacker in the field performing attacks against somebody without permission, they want to get access to it and they want to own that box by having full control over the system, usually more so than even the administrators have. To define privilege escalation through a great example, let's go back to that PHP application we were talking about earlier. With the particular statements that I was running against that web application, I was able to read the records in the database, as I could go in and actually see what was happening inside the database by running certain queries and POST statements against the database through the web application.
Well I may have wanted to perform even more and see just how far I could go with that by trying to escalate their privileges that I was using to query the database. So, I might go ahead and try to drop a table for example or remove the table from the database. If I get a permission denial, I want to elevate those privileges so that I can perform that action. I can do that in a lot of different ways, if there is PHP session IDs or if there are possibly user accounts that might exist, we got to login to that system and I would try to possibly manipulate the record for one of the accounts that has SysAdmin privileges and login into that account and perform the actions that I want. So, again privilege escalation is a very common process involved once yo u gain access to the system so that you can ultimately on that box 9. Evading Defenses and Erasing Tracks Now that we have moved in to the network we have probably compromised a host or two and at this point our primary concern is to actually try to protect what we have gained here that being a compromised system and the most important way to do that and in addition to not get caught is to try to evade any defense techniques and erase 27 | P a g e


our tracks. In other words when someone comes and logs on that system we don’t want them to see a security event log full of failed logon from a user that doesn't exist or maybe successful logons from an administrative account that was supposed to be disabled. We want to hide those tracks. So, our idea is to either during the attack process to evade detection or to erase tracks to prevent future detection. So there are a couple of different methods to obtaining the same goal of not being detected, effectively being a shadow or a ghost on the network. Now, depending on how quickly and what method you were detected to penetration may be cut off immediately, someone notices trough IDS alerts that you were performing Unicode attack against an IS server then they are probably going to go track that server down and shut that server off or potentially try to watch into your forensics investigation to determine who attacked the system. So, really in a hacker's mind their livelihood depends on their skills and evading defenses and erasing their tracks. in our mind we have to have t hat same mentality of how might I go about covering my tracks and in doing that how might I protect myself in my network from an attacker doing the same thing. Now, common methods for evading defenses might be fragmenting packets. There are programs out there that specifically do that called flag route and a couple of others that attempt to evade intrusion detection systems. There are various port redirectors and encoders that will change the flow and the look and feel of various traffic to actually pass through firewalls. If we have an intrusion prevention system, there are actually methods to evade those, so that they don’t cut off our attack stream. Now once we are in the system we want to cover our tracks, then we actually move into things like deleting log files. Great example of this is the IIS log file. Unicode attacks have a very specific pattern when logged into the IIS log file. 
We want to go in and remove those log entries. We don't want to delete the entire log or remove all entries from it, because that would be even more suspicious, but we want to go in and just remove the entries that mention anything about the attack that we were performing. We might want to change some permissions around; for example, if we had to bump up the permissions on a particular account to get into the system, then we want to bump those permissions back down and maybe create a backdoor account similar to another account in the system. Again, these are just little small tweaks that you, or an attacker, might do during the evasion process. We also want to try to protect and hide our hacker tools. There have been a lot of scenarios before, during forensics investigations, where attackers would come in and just use the system for a few days to upload some movie files or MP3s and then they would leave the system alone and go somewhere else; but what they don't realize is that when they leave their tools behind, they leave their tracks, traces of what they had been doing. It allows us to take the information gathered and use it to protect the rest of the systems. Well, in a hacker's mind they shouldn't leave those tools; they should either encrypt them, hide them or delete them from the system so that they won't be tracked down and used by systems administrators to come back on the hacker or defend against them. Overall, the story is that we want to make sure that when we get in, we can hide and manipulate information, and understanding how to do that can protect us from having that happen to us.
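The selective log editing described above is hard to spot by reading the log, because the lines that remain still look normal. One defensive answer, added here as an example that is not part of the course, is to checkpoint a hash chain over the log to a separate collector, so that removing or rewriting any checkpointed line changes the digest. The IIS-style log lines are constructed, and the checkpoint "transport" is just a returned dict; in practice the checkpoint is what you ship off-host.

```python
import hashlib

# Constructed IIS-style access log lines (W3C fields: date time c-ip cs-method
# cs-uri-stem sc-status). Not taken from a real server.
SAMPLE_LOG = [
    "2006-03-01 10:15:02 10.0.0.5 GET /default.htm 200",
    "2006-03-01 10:15:09 10.0.0.5 GET /images/logo.gif 200",
    "2006-03-01 10:16:41 203.0.113.7 GET /admin/login.asp 401",
    "2006-03-01 10:16:44 203.0.113.7 GET /admin/login.asp 401",
    "2006-03-01 10:17:05 10.0.0.8 GET /default.htm 200",
]

# Fixed starting value of the chain (constructed); it is not a secret, the
# protection comes from the checkpoint living on a host the attacker lacks.
GENESIS = hashlib.sha256(b"constructed-log-chain-start").hexdigest()


def chain_digest(lines, start=GENESIS):
    """Fold each line into a running SHA-256 so the result depends on every line
    and on its position; dropping or rewriting any line changes the output."""
    running = start
    for line in lines:
        running = hashlib.sha256(f"{running}\n{line}".encode()).hexdigest()
    return running


def checkpoint(lines):
    """What the host periodically ships to a separate log collector: how many
    lines were covered and the chain digest over them. The collector keeps it."""
    return {"count": len(lines), "digest": chain_digest(lines)}


def audit(lines_on_host, remote_checkpoint):
    """Compare the log as found on the (possibly compromised) host against the
    last checkpoint held by the collector. Lines written after the checkpoint
    are not covered yet and are ignored."""
    covered = lines_on_host[: remote_checkpoint["count"]]
    if len(covered) < remote_checkpoint["count"]:
        return "truncated"  # fewer lines on the host than the collector saw
    if chain_digest(covered) != remote_checkpoint["digest"]:
        return "tampered"  # a covered line was removed or rewritten
    return "intact"


if __name__ == "__main__":
    cp = checkpoint(SAMPLE_LOG)  # shipped to the collector at 10:17
    later = SAMPLE_LOG + ["2006-03-01 10:20:00 10.0.0.9 GET /default.htm 200"]
    print(audit(later, cp))  # intact: a line added after the checkpoint is fine
    # The attacker quietly removes one of the failed-logon entries (the
    # "remove only the entries about the attack" tactic described above).
    edited = later[:2] + later[3:]
    print(audit(edited, cp))  # tampered: same line count, different chain
```

An attacker with root on the host can recompute the chain over the edited log, which is why the checkpoint must be compared against the copy the collector holds rather than one stored beside the log.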

10. Maintaining and Expanding Access

Our final goal is going to be to maintain and potentially expand access throughout the network. Mostly what that means is that at this point we have successfully done everything necessary to evade detection techniques, we have gained access to the system, we have escalated our privileges to own the box, and now we are locked into the system. Now our goal is going to be to protect our access to that system and potentially, if the system is on a network in a DMZ or something similar, to expand that access to include other boxes. The best attack method against companies is from the inside: if you can compromise a server on the inside of the company, then you can actually attack other systems and potentially go unnoticed, whereas an attack from the outside might be suspicious. So, we want to maintain access to that system because it could be gold for an attacker. Usually we are going to rely on different tools such as rootkits, backdoor accounts or various backdoor software programs to help us maintain access. I have seen a lot of scenarios in the past where hackers will come in, take over a box, remove all accounts but theirs and effectively lock everyone else out; the only way then to solve that problem is to shut the system down, reformat it and start over again. So other methods can be useful; there are some rootkits out there that basically just hide the fact that a hacker is running around the system. The user is only going to see what the operating system shows them. If the operating system is compromised by a rootkit or some other type of manipulation program, the user would never know what's going on. So once we have ensured that we can maintain access to our existing system, then we want to start expanding out to other systems on the network. A great example of this is in the DMZ.

If you can compromise a Web server, there may be other management servers or workstations in the DMZ that are protected from Internet access but don't have IP restrictions between other DMZ nodes. A great example of this would be a very common method used by corporations: placing a management box on the network in the DMZ and only using that box to manage the various services that run in the DMZ. Let's say we have got a Web server, for example, and that Web server only allows access to a certain interface through the management box. So we have got to log in to that management box, and it's the only machine on the DMZ allowed to do so, with no internal traffic allowed; if we can compromise that Web server, then we can use that Web server to gain access to that management machine. Again, we are expanding our access, possibly moving into the actual backend of the network. So, we are taking an indirect path, but we are expanding our access in that process. This is definitely one of those optional components in the methodology process, but it is commonly used and exploited by hackers because people simply don't expect their Web server to attack their management machine, so they lower the defenses on the management machine because it only talks to the Web server. So we can use this expanding-access component of the methodology to exploit weaknesses in the users' thinking inside the box.



4. Reconnaissance
4.1. Passive Reconnaissance
4.2. Using WHOIS and Other Tools
4.3. Active Reconnaissance
4.4. Active Reconnaissance Tools & Methodologies
4.5. Putting It All Together
4.6. Reconnaissance Demo

1. Passive Reconnaissance

At this point we start talking about the reconnaissance step in our methodology process. Reconnaissance is basically just going to offer us a method for gathering information, and it can be broken down into two categories. So, we are going to start off first talking about passive reconnaissance. This is basically gathering information in a non-intrusive manner. After we define and put together a pretty good concept of passive reconnaissance, we are going to move over to gathering information with various passive reconnaissance tools such as WHOIS and other web-based research tools. After a quick review of the available options there, we are going to talk about active reconnaissance. Active reconnaissance is going to take passive just a step further: we are actually touching systems and have a very limited possibility of being discovered throughout the reconnaissance and discovery process. So, we are going to be a little bit more interactive here, and after we have defined some concepts, we are going to move over into some of the tools and methods available when performing active reconnaissance. After it's all said and done, we are going to put it all together into a true reconnaissance methodology step and see how it can help us in our ultimate goal. And finally we will go through a quick demonstration of some things we might perform when doing reconnaissance in the wild. So to start things off we are going to talk about passive reconnaissance. The overall concept here is that we want to gather as much information as we can about our target, and our reconnaissance methods are going to differ depending on that target.

Some examples of targets are companies, networks, users, groups of users, departments, or even an organization such as a government entity, depending on who is hiring us for that penetration testing job. The general idea about passive reconnaissance is that it is generally going to take place in a black box scenario, or maybe as part of the contract in a white box scenario just from an informational standpoint, but overall we want to avoid being detected, and that's why we call it passive reconnaissance. As a general rule, by following the guidelines of passive reconnaissance you have a zero chance of getting caught for the most part; unless you do anything that actually moves over that line into active reconnaissance, you are not going to draw any attention to yourself. We are usually going to be targeting publicly available information, and sometimes information that shouldn't be publicly available but is. There are actually a lot of sources out there for information that's freely available to the public and won't raise suspicion. Examples of these might include company websites, exchange commissions, any type of business tracking system that handles complaints and compliments, any type of published company literature, job postings (definitely a huge one), as well as partner sites that might exist out there and contain information about various companies. So as you can see, passive reconnaissance can net us quite a bit of information while allowing us to be as low-profile as possible, and start giving us the feel and the idea of what our target is going to look like. The type of information commonly found when performing passive reconnaissance is going to include things like names of company officers, addresses of locations such as data centers or various operational centers, often including information about networks and connectivity between business partners, as well as the types of systems used. This is usually found when researching job postings and the background information on some of the higher-level executives. We can even discover information about domain names owned by that company, and the IP address spaces and subnets where they reside. So, oftentimes you can track a company down to a subnet.

It is registered through a certain group, has a certain location, and based on the information we get we can nail down the names of all the executives, the phone numbers of customer service and, in some scenarios, of those executives, as well as the physical location, address and network information, possibly even the server operating system and web languages. With all of that information combined, we can mount a pretty effective social engineering attack against the company: calling into customer service, dropping a couple of high-level executive names, mentioning a few technical details, and before you know it you're connected to a network engineer with a direct line who may not be up to speed on security practices. So at this step alone we are already at a point where we could attack a certain organization or group of people.

2. Using WHOIS and Other Tools

There are actually several different tools and methods for gathering information in the passive reconnaissance step, and what we are going to focus on at this point is a very simple tool called whois, which queries the domain name registration records: the owner, the contact information, the registrar, all of those different things can be tracked by a simple query against the WHOIS database.



You can obtain very extensive information, such as the names of the administrators and the IP address space that exists; you can even query and find out how many different domain names are owned by a particular IP address space. If a company is hosting their own Web servers, then you can search against the IP addresses associated with that and find out what various Web servers, websites and domains are hosted there. You can also find very key information such as phone numbers and email addresses. You can even find addresses and contact information associated with that. So, the moral of the story is that whois is probably one of the stronger passive reconnaissance tools available out there. Probably second behind that would be tools such as Sam Spade, for example. Sam Spade will actually go out and run a plethora of different options against a particular target. It will do traceroutes, it will do pings, it will check DNS records; it will actually go through quite a few different things. There are also a lot of web-based tools out there, and that basically means things like Google, for example. Based on the way Google is structured, you can query the Google database of websites to try and determine how many records exist in Google for this particular domain. A great example of that would be Microsoft. Microsoft has hundreds and hundreds of subdomains out there, update.Microsoft.com, office.Microsoft.com, and there are probably several hundred that no one knows about, things like remoteaccess.Microsoft.com or VPN.Microsoft.com. So, those are the different things that you might be able to discover by browsing the web, doing searches and trying to find information that you normally wouldn't be able to get.

We are going to take a look in our demo at a website that keeps track of ways to perform reconnaissance against systems at an even more detailed level, called JohnnyIhackstuff.com. It has what's called the Google Hacking Database, a list of references and queries that can be performed to attempt to determine where particular information lies in the Google database.

3. Active Reconnaissance

With active reconnaissance we are going to go a step further and use methods and tactics that go beyond the passive nature we were talking about before. We are going to go in there and actively touch our targets; we are going to communicate with them, interact with them, and try to extract as much information as we can, basically without getting caught or dropping to a technical level such as scans and things of that nature.



So pretty much anything that wouldn't show up on an intrusion review could be considered active reconnaissance. As a matter of fact, you'll notice as we go through these different steps of the methodology that active reconnaissance and passive reconnaissance have a very gray area between them. Some things, such as going through and trying various URLs on the website like remoteaccess.Microsoft.com, would raise suspicion when looking at the hits on those DNS servers. So that could be borderline active reconnaissance, but we are going to call it passive because most companies don't monitor that. So, as you can see, those lines are very gray, and active reconnaissance sometimes could bleed over into more advanced parts of our methodology. So we are going to cover some relatively high-level methods for active reconnaissance, and always keep in mind, even when performing passive and active reconnaissance, that the goal here is to think outside the box, because that's what hackers are going to be doing and we want to be on that same level with them. So we want to be thinking of ways that we can extract information from that company using fairly normal methods. Hackers might find, for example, a number that was accidentally listed in the phone book that points back to a secure area, where they can call and talk to people who may not be up to speed on what information they can give out over the phone. I've had several scenarios in the past where users would get phone calls from outside people requesting information, wanting email addresses and contact details that are not normally listed on the outside; that is going to be active reconnaissance, and those are the type of things that we want to put ourselves in. So, basically, we are going to do everything we can, just shy of scanning and hacking the system, to gain as much information as possible in preparation for that step.

So oftentimes we can actually go to the physical location and see what kind of physical security they have set up. In some scenarios a lot of companies will give tours of their data center, for example, or things of that nature; or we actually go to the lady at the front desk and find out what it takes to get through the door: do we have to register with someone, do we have to have a sponsor, and so on. A lot of the things that you are going to learn in the passive reconnaissance process, such as executive names and phone numbers, would be a great example here. You go to the front desk and say, my name is so-and-so, I'm here to speak with (drop one of the names you learned during passive reconnaissance), possibly even give their extension or their phone number, and oftentimes they won't go through the verification process, because someone at that level probably doesn't want to have to answer to a higher-level boss. So the scenario that I dealt with in the past with a relatively large financial institution is: we go through the door, we walk up to the front desk and we say, hi, we are here to see the CEO. Bob the CEO requested that we come in, we are running a few minutes late, he's already in the meeting room and we need to get in there as quickly as possible, can you give us visitor passes? And naturally the secretary is going to assume on her part that she's not going to be able to reach the CEO in that meeting. She doesn't want to go through the process of trying to track them down and cause us to be even later for the meeting than we already are. So, as a general rule, you can just pass right through with a visitor's pass, signed in and everything. So, keep in mind that would be an example of active reconnaissance.

4. Active Reconnaissance Tools and Methods

Now that we have a pretty good definition of active reconnaissance, let's talk about some of the tools and methods associated with that step in the methodology. Some examples that we have listed out here are banner grabbing: a banner is simply information given out by a system or service. Banners can be useful in fingerprinting that particular system or service. An example of this would be telnetting into various routers and switches. So, if you're on the outside of a company's network and have figured out where a Web server is located, chances are in front of those Web servers are going to be high-availability systems, possibly relatively fast switches, in some cases firewalls, and chances are that in addition to that they are managed through SSH. A lot of the routers and firewalls are built to have that capability, so you could theoretically connect into that system and read the banner; a lot of times it will actually tell you operating system information such as Cisco IOS version X and various associations with that. You could also get this type of information from mail servers, DNS servers, Web servers; almost anything that listens on a port can be fingerprinted through banner grabbing. Email bouncing is another very interesting technique used to gather information about email servers, DNS resolution and various things as well. We are going to take a look at email bouncing in just a few minutes. DNS zone transfers can also be an excellent source of information, especially when DNS servers for public and private domains are not separated properly. So, a great example of this would be: I want to find out all the records that are contained within the Internet DNS associated with this particular company name or website extension, whatever the case may be, so you go out, you bring up a DNS server, you initiate a transfer, you pull it down and you parse that data for the record you're looking for.

You can discover quite a bit of information. We can also actually go through public website source code and the directory structure associated with it, which can tell us additional information about how that site is structured. A lot of websites out there will have a files directory, a website directory, an FTP directory; in addition they may have directories such as modules or extensions, with names like that. It definitely leads you to believe that there might be additional modules, such as administrator or hidden modules, available to be found. So, that can actually lead you in the right direction as far as finding additional information about that company's infrastructure. Another, and probably one of the best tools associated with active reconnaissance, is social engineering, which is something I touched on with the example of walking into the building and requesting the pass to see the CEO, but that actually goes quite a step further. Social engineering can involve finding out where the IT administrator goes after business hours, maybe a particular bar or restaurant that this person goes to; strike up a conversation with him, happen to meet them there a few times in a row, and within a few weeks this person will probably open up and start talking about the work problems they're having and this system crashing, especially if you are a fellow IT person and can relate to them. So, there are definitely a lot of options available with social engineering, and the new, innovative techniques of social engineering are where we want to be. We want to find those holes in policies and trust in human relationships that haven't been discovered. Shoulder surfing is a very common technique as well, where you stand over someone's shoulder and watch what they're doing, watch them type their password and watch what websites they go to. Dumpster diving is another thing that's been really common over the last 10 to 15 years for retrieving information about companies and users. Right now it's probably one of the more common techniques for local people to steal identities and steal confidential information, right behind adware and spyware. Piggybacking and following up on site visits is also another common method, which kind of leads into social engineering, almost an alternate avenue for that, where we are going to follow people and visit sites, and find out what it takes to accomplish certain goals at that physical location. One often overlooked component of hacking is physical security: being able to access that system console by walking into the building, going in and sitting down at the server. So, keep all of these things in mind when considering active reconnaissance as part of your methodology for penetration testing and ethical hacking.

5. Putting It All Together

Let us take a few moments and talk about putting all of this together, both passive and active reconnaissance, into an overall research strategy. So we are going to use these various techniques to footprint the entire organization structure and network. And I guarantee that if you spend enough time and put enough effort and careful thought into this, again thinking outside the box, then you will be able to walk away from this process with tons of information related to the penetration test and the ethical hacking exercise. So, this is probably one of the most important steps in the entire methodology process when performing black box testing on a network or a target, because your actions are going to be based on the information that you gather at this point. Now, in a white box test we generally don't perform these techniques, unless someone says, hey, we are interested to see what kind of information you can find out about us without us knowing about it. But then again, that's more of a black box scenario. In a white box scenario this information is going to be purely additional. This should be provided to you by the organization that's requesting the penetration test or the hacking exercise. The overall concept behind both passive and active reconnaissance is to gather the publicly available information, or information that might be easily extracted, about our target, that being the user organization or group of users. We are going to take this information to try to lay out the network and the boundaries of the organization, and find those weaknesses in the organization where a penetration point might be possible. When we are trying to gather information, what we are going to be looking for is information that can be used for social engineering and for research purposes, ultimately leading to very critical and specific information about systems. We are going to start out with the basic stuff: names, addresses, phone numbers, titles, various information about company personnel. We also want to find out IP addresses and the domain structure, whether that be public or private.

A great example of that: in the past, some internal email addresses were referenced where there might be, for example, one email address for internal use and one email address for outside the company. Some of that information will slip across, whether it be where a person forwards an email to an internal and an external person; those are the type of things you are looking for. We are also looking to extract the layout of the infrastructure, maybe software that's being used within the company. Oftentimes you can look at the source code of the website and it will carry the signature of the program used to generate it, and if we look for vulnerabilities in the way that program creates and generates that web content, then we are going to be able to identify weaknesses in the armor of that organization. And, like I mentioned, this is going to be the feed point for everything that follows.

6. Reconnaissance Demo

We are going to take a look at some of the various technological options available to us for reconnaissance on particular targets. So, as an example, I have a simple web search interface pulled up, and let's say I want to find out all of the various subdomains associated with a particular website. An example of this would be site:Marketmarts.com, and that's going to show me all of the sites that are unique records in the Google database. So, we have the root Marketmarts.com, jobs.Marketmarts.com, we have maroot (assuming I am pronouncing that correctly), apex, flash5, LCMS.Marketmarts.com, so there are various sites associated. This is a great example for us to go and start doing research: okay, obviously there are some job search and recruitment capabilities here, we have various universities linked in with this, that's part of the process for the partners.

So, we can take this information and start looking at each one of those individual subdomains. Now, if we want to go a little bit deeper into that process, then we could actually move into active reconnaissance and telnet into a particular server on port 80 and try to retrieve information based on that. Now, I'm actually going to bounce around from target to target depending on the tool, simply because of the level of sensitive information that could be displayed by some of these tools; I have actually gone through and tested these already, but you should know that's why I'm going from internal network to external network, so that I don't reveal sensitive information during this process. So I am actually going to telnet into one of my servers that I have set up for this process. I am going to do so on port 80; I have established that connection, and right now that server thinks I'm a web browser that has connected to it and is browsing that site. I can actually type in commands here and continue typing commands, and the overall game plan is to freak the server out enough that it spits back an error code and says, hey, look, that doesn't work for me, but here's some useful information that might help in troubleshooting. The problem with that is that it allows me to fingerprint various components of that system. In this example we are able to determine that it is running Apache version 2.0.55 on a Windows box (whether that be Windows 2000 or Windows 2003 we don't know yet), running PHP version 5.1.2. Now, at this point, if I knew vulnerabilities for particular Windows operating systems and particular versions of Apache and PHP, I could start the exploitation process. So we've really jumped ahead by going through and looking at the banner output here as part of our active reconnaissance process.

Now, we could even go several steps further and do a little bit more web research at this point to see if we can locate critical information about a particular site. So, we are going to go to WHOIS.net, which is one of the regional registrars that track domain registration information. So, if we look up Marketmarts.com, it's going to lead us over to Network Solutions. And at this point we can see that it's actually registered to a Keith Provost; there's our various information such as mailing contacts and phone numbers available to us for technical and administrative contacts. We can see when that record was created, when it expires, and where the DNS servers exist if we wanted to initiate a zone transfer, for example, and there is just tons of information that can be gained by going through this process. Now, bear in mind that a lot of this information can be protected, and in some scenarios it will not be visible to the public eye. An example of this would be if I wanted to do the same process against BradCausey.com: as you can see, all of that information is listed under a WHOIS privacy protection service, and no truly sensitive information is going to be released on this particular record. We can continue to go further and use a program called Sam Spade, which basically combines some of the tools we are using here and allows us to get additional information. In this scenario we can scroll down and see the same information we were seeing before, but we also have options available to us such as what IP block this is in; there you go, the IP block, it's owned by Hurricane Electric, and there are the different options available to us. We can dig through that and try to research DNS information, we can do visual traceroutes to that, we can ping that address. So there are a lot of things available to us, and at this point that company really doesn't know exactly what we are doing. They have not seen anything triggered on an intrusion detection system, and they're not going to raise an eyebrow at our actions, again because they're not aware. The last tool I want to demo for you on the topic of reconnaissance is Johnny.ihackstuff.com, and I am just going to show you one example from the Google Hacking Database, which is this particular search query, which is looking for Microsoft IIS 5.0 servers. Notice it actually gives you the DNS name associated with that. So, in this scenario, if we wanted to, we might even try sub-URLs or subdomains based on the research we did in the earlier phases; we are not going to pull any results back on this, but if we wanted to, we saw that there was a Marketmarts.com, and had they been running a Microsoft IIS 5.0 server we might be able to extract that information and go a little bit deeper into what they are running in their infrastructure. So, as you can see, there is a plethora of available resources for various types of reconnaissance. So make sure you think sharp, stay outside the box and use the tools that are available at your fingertips.



5. Scanning 5.1. Scanning For Hosts 5.2. TCP Connection Basics 5.3. TCP Scan Types 5.4. UDP & ICMP Scanning 5.5. Scanning Demonstration Using NMAP

1. Scanning for Hosts At this point in our methodology we are prepared to move into the discovery of hosts via scanning. We are going to go over a couple of different things, starting off with scanning for live hosts: we are going to talk about some of the basics of discovering live hosts and enumerating them on the network. After we have covered that we are going to move over to the TCP connection basics, so that we get a basic understanding of how the TCP communication protocol works and how we can use it to our advantage during the discovery and enumeration of hosts and services. Next we move on to some of the different TCP scan types, followed by UDP scanning and finally ICMP scanning. Once we have a pretty good handle on everything, we are going to do a demonstration using one of the more common scanners, NMAP. So starting things off, we are going to talk about scanning for live hosts, which is the basic idea of taking the first active step and enumerating information about the target network. Our overall idea is to look for hosts and systems responding on the target network so that we can identify them for further investigation later in the hacking process. One of the things you should know about the scanning process is that, depending on the method of scanning you use when probing the target network, you can actually be detected and picked up by IDS sensors and other intrusion detection equipment on the network. Also, depending on the state and/or country you are performing the scanning in, it may be illegal, with or without permission. So make sure you have a pretty good understanding of the laws that exist before you go through this process. Administrators commonly use scanning as a method to identify possible attacks that might come in the future, so there is a possibility that you will alert system administrators and security administrators that your attack is soon to follow. Now one of the benefits here is that because scanning is such a common thing to happen on the Internet, and even in some corporate networks, it's possible that security administrators will overlook it and wait for a more telling attack to take place. There are various methods that exist to reduce the visibility of your scans; NMAP has a lot of great features for this, and most good scanners such as SuperScan and NMAP do. So make sure you know your scanner very well and know what options are available before performing the scan, so that you can use those built-in methods to elude detection.

2. TCP Connection Basics One of the things we would like to do at this point is brush you up on knowledge as far as TCP connections are concerned. It's important to cover the basics so that we have a good working knowledge of what's available to us as far as the technology is concerned. The basic concept is that during TCP communication there are six TCP flags that can be set during packet transmission, and we can use these flags to indicate what point in the session, and what active process within that session, we are at. The flags indicate whether a packet is a SYN packet (a request to open a session), an ACK (acknowledgment) packet, a FIN (finish) packet, an URG (urgent) packet, a PSH (push) packet or a RST (reset) packet, and depending on the combination of flags we can set up various session states at certain times in the communication process. This allows us to identify where we are in the communication or session establishment process and gain further information about the host and how it wants to communicate. TCP as a communication protocol uses an initial three-way handshake to establish and maintain any sessions that are necessary, and the process basically works like this: the originating source system sends a synchronization request, a SYN packet, to the target; the target replies with a SYN-ACK, which is its own synchronization request plus an acknowledgment of the initial SYN; the source system receives that and replies to the target's synchronization request with an ACK. At this point the source has sent a SYN and received an ACK, and the target has sent a SYN and received an ACK as well, so we are in full two-way communication via the TCP three-way handshake.
Attacks or hacking techniques are going to use nonstandard combinations of these flags, also known as malformed packets, to take advantage of the TCP protocol itself. The overall idea is to receive responses or particular sequences back from the target in order to gain information that you would not normally be able to see.



A great example of this would be to send a packet with certain flags turned on and others turned off, so that the host responds in a predictable manner. Based on the host's response we can identify certain information, such as the operating system or the services associated with the response over the TCP connection. An example of this process that can be used for malicious reasons is something called a SYN flood. The SYN flood abuses the three-way handshake by sending only synchronization requests to the intended target. The target receives that SYN, opens a slot in RAM for the connection and sends a SYN-ACK back to the originator. If the originator ignores that and the three-way handshake is never completed, then in theory the RAM allocated must remain reserved until the timeout expires. Let's say for example you have a 30 second timeout on failed TCP handshakes. Well, in 30 seconds you can send probably around 40 million packets. So I can initiate 40 million synchronization requests before the initial one times out and its RAM is reclaimed, and even if we only open one kilobyte of RAM for every synchronization request, not too many systems have 40,000,000 kB of RAM. So, as you can see, we can immobilize that system by forcing it to hold half-open TCP connection attempts, and it will either stop responding to legitimate requests or fail altogether. At this point you should have a pretty good idea of the basics of TCP connections and sessions and how they are established and maintained via the flags in the packets. This information is going to be extremely valuable as we get into more detail about the TCP scan types.

3. TCP Scan Types Now that we have a pretty good idea about what type of technology is available to us and the various connection mechanisms associated with TCP, it is time to move into some more detailed information and talk about the scan types and methods available to us when using the TCP protocol, which we will definitely be using. Basically these scan types are descriptions of methods for enumerating information from hosts on the network; that means we are going to scan the systems and, depending on the scan we use, find out certain information. There are several dozen versions of scans available to us, and we are going to cover the most common ones and what their benefits and drawbacks are. The first one we are going to talk about is the full scan, also known as a connect scan, which completes a full three-way TCP handshake. This scan will establish the most important information about which individual ports are open, so we should probably go ahead and talk about ports now. A port is basically a number associated with a service that runs on a remote or target system; if that port is open, that service is enabled, and because every operating system has a different subset of services that run by default or can be installed, by determining what ports or services are running on that system we can fingerprint the operating system. So if 139, for example, is open on the remote system, that's going to be the default SMB file sharing and network services port for Windows; if that port is open we can pretty well determine that it's a Microsoft Windows operating system, and so on and so forth for each individual operating system. Basically, different scans are going to be useful against different systems depending on how they respond to our requests. The full scan or connect scan is going to be the most effective because it actually completes the communication process and gives us a more accurate result of whether the ports are open or not. The major drawback is that because you're completing TCP communication, there are a hundred different places it could be logged: the system that's receiving the communication will probably log it, and any intrusion detection system will definitely take note of it. It interacts so much with the network and with the host that it's easily traced and easily detected. The next type of scan is the half-open or SYN scan, which only initiates the first step of the three-step process with the remote host or target. This is probably the second most effective method of scanning, right behind a connect scan. The reason it is so effective is that it looks like legitimate traffic and legitimate communication attempts.
It goes out from our system as a SYN request; the target replies back to us and we ignore that reply, but if it replied on that particular port then that port must be open. Another great thing about this is that we are actually evading most firewalls, depending on how frequently we do it, because to the firewall it looks like a standard TCP connection request. So it's definitely an effective method of scanning, and it is also very fast, because we are only sending one packet and waiting for one packet to come back, so we can be sure the scan process will go pretty quickly. Now there are actually several different methods of stealth scanning. When we say stealth scan in this respect, we are referring to the frequency and the sequence in which we scan ports on hosts. An example: there are up to 65,500 and some odd ports that can be open on a system. If we scan starting with port 1, 2, 3 and so on until we reach 65,000, it's going to be pretty obvious that we are doing a sequential port scan. To avoid that we might scan ports in random order until we have covered all the ports we want. In addition, if we scan at a very high rate of speed we stand out, because normal applications and traffic don't touch 150 different ports in three seconds; so we can reduce the speed at which that happens, which allows us to attempt to evade detection when performing the scan. Generally we do not use full connect scans in combination with stealth techniques; we can, but the connect scan is still easily detected, and doing it on a large scale makes it even easier to detect. So in general the SYN scan is also known as a stealth scan, in fact in most cases it's called a SYN stealth scan, but you can use other forms of scan, such as the Xmas (Christmas) scan, in combination with stealth techniques to try to go unmonitored. The next type of scan we are going to talk about, the Xmas scan, is a little less effective, but it uses the FIN, URG and PSH flags to try to bypass firewalls. The Xmas scan goes hand in hand with the FIN scan and the NULL scan, and their sole purpose in life is enumerating open ports and services from UNIX-based operating systems. They are not going to work at all against the Windows operating system, and in some cases against some BSD operating systems. So it's important to be familiar with which scans can enumerate which information from which operating systems; keep in mind the Xmas scan does not work against Microsoft Windows systems. The last scan we are going to cover in detail before we move into UDP and ICMP is the ACK scan. The ACK scan is unique in that it is trying to evade intrusion detection and intrusion prevention systems, specifically firewall rule sets: what it does is try to map out what rule sets the firewall enforces. We are looking for RST packets to come back from the ports we probe, and by doing that we can identify which ports reach the remote system. When we receive those RSTs we know that the port or service is unfiltered between point A and point B, which is where a firewall would usually reside.
So as you can see there are a lot of good scanning options available to us, and one thing I want you to keep in mind is that these are very generalized types of scans; it's probably safe to say they are the most common types, but there are hundreds and hundreds of different scan types available. The more popular tool NMAP allows us to set individual flags, so instead of setting just an ACK flag, for example, we could set the ACK and RST flags and see what we get. We have a lot of control over how that takes place: you can pick and match which flags you want to use and create your own scan types. But these are the ones most frequently going to be used in a pen testing environment.

4. UDP & ICMP Scanning UDP scanning is kind of the other side of the fence from TCP scanning. UDP, the User Datagram Protocol, is a connectionless protocol with best-effort delivery, whereas TCP is connection-oriented with guaranteed data delivery. The problem we run into with UDP-based services is that we can only scan for things that respond via UDP, and it's going to be less reliable than TCP scanning because, remember, if the protocol is connectionless the service is not really going to care whether we successfully received or sent any information, meaning it's a lot less reliable when we are trying to determine if that service is present. Often UDP or ICMP based packets are blocked at the firewall level, and even at the host level in some cases. But I want to take a moment to discuss the dynamics of UDP scanning on a target network. Imagine for a moment that you decided to do a UDP scan. Several different problems are going to arise during that process. The first is this: you scan across the board for UDP, so let's say you start at port 1, and port 1 is closed. The host is going to send an ICMP port unreachable message back to you, and that's great; we know that port is closed because we did not get a UDP response back. Unfortunately we will never get a UDP response back from a closed port, because that is how the UDP protocol works. So we keep scanning and keep getting ICMP unreachable messages until we find a service that is running on UDP. Let's say it's on port 21. Port 21 will not reply back to tell us it successfully received the data, because UDP again doesn't care about the connection, so we can only assume that because it doesn't reply back it is in fact open. The problem with that is that maybe the ICMP reply got lost somewhere in transmission. In general your scanner will retransmit the UDP packet to the host on that port and wait for the timeout to expire. So we really don't know that the port is open, because it never told us it was; we can only assume it might be open because we didn't get a response. Some administrators or highly skilled security professionals will purposely configure ports to not respond to UDP scanning. So when it really comes down to it, we don't know what we have even with extensive UDP scanning results. Unfortunately ICMP scanning falls much in the same boat, except that it's noisier than a connect scan in some scenarios, meaning it would be picked up very easily.
ICMP scanning is also called ping scanning or ping sweeping; it is used for host identification or host presence, and the idea is that we send out a bombardment of pings across the board to every node that could potentially be on the network. Based on the replies we get back from live hosts we can determine that they're listening for ICMP traffic, and we might attempt some exploits based on that. Unfortunately there are not a lot of ICMP-based exploits running around, so this is generally going to be used just for network enumeration: we go out and say host A is up, host B is up and host C is up, they are all replying to ICMP, that's a guaranteed shot that they're running on the network and could potentially be a target for us. Intrusion detection systems are always listening for network scans, and in addition a lot of network scanners provide support for ping sweeps but don't have a way to make them silent. So be aware that this is a great way to alert a security administrator that a scan is taking place.
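The scan types of the last two sections (SYN, Xmas/FIN/NULL, ACK and UDP) reduce to a small table of probe-and-response rules, and the table below is an added example that models exactly those rules; it is not code from the course or from NMAP. The `Target` class is a constructed stand-in for a host (an RFC 793 stack or a Windows stack, with an optional set of firewall-filtered ports), and each scanner function shows how the responses are turned into port states, including the open|filtered ambiguity the text describes for Xmas and UDP probes.

```python
"""Tiny model of how a target answers SYN, Xmas/FIN/NULL, ACK and UDP probes,
and how a scanner turns those answers into port states. Added example, not
from the course or from NMAP; it encodes the behaviour the text describes
(RFC 793 stacks vs. Windows, firewall filtering, silent UDP services)."""
from dataclasses import dataclass, field

ICMP_UNREACHABLE = "icmp-port-unreachable"


@dataclass
class Target:
    os: str                                  # "unix" (RFC 793 behaviour) or "windows"
    tcp_open: set
    udp_open: set = field(default_factory=set)
    filtered: set = field(default_factory=set)   # ports a firewall silently drops
    half_open: int = 0                       # embryonic connections sitting in the SYN backlog

    def tcp_respond(self, port, flags):
        """Return the flag set sent back for a probe, or None for silence."""
        flags = frozenset(flags)
        if port in self.filtered:
            return None                               # firewall drops it, nothing comes back
        if flags == {"SYN"}:
            if port in self.tcp_open:
                self.half_open += 1                   # slot stays allocated until ACK or timeout
                return {"SYN", "ACK"}
            return {"RST"}
        if flags == {"ACK"}:
            return {"RST"}        # unsolicited ACK gets RST whether the port is open or closed
        if "SYN" not in flags:                        # FIN, NULL and Xmas (FIN+URG+PSH) probes
            if port in self.tcp_open and self.os != "windows":
                return None                           # RFC 793: open port silently discards
            return {"RST"}                            # closed port, or any port on Windows
        return None                                   # other flag combinations not modelled

    def udp_respond(self, port):
        if port in self.filtered or port in self.udp_open:
            return None           # open services mostly ignore junk, so silence is ambiguous
        return ICMP_UNREACHABLE


def syn_scan(target, ports):
    """Half-open scan: SYN only; SYN-ACK means open, RST closed, silence filtered."""
    result = {}
    for p in ports:
        reply = target.tcp_respond(p, {"SYN"})
        # a real scanner such as NMAP sends a RST here to tear the half-open slot down
        if reply == {"SYN", "ACK"}:
            result[p] = "open"
        elif reply == {"RST"}:
            result[p] = "closed"
        else:
            result[p] = "filtered"
    return result


def xmas_scan(target, ports):
    """FIN+URG+PSH probe: RST means closed, silence means open or filtered."""
    result = {}
    for p in ports:
        reply = target.tcp_respond(p, {"FIN", "URG", "PSH"})
        result[p] = "closed" if reply == {"RST"} else "open|filtered"
    return result


def ack_scan(target, ports):
    """ACK probe maps firewall rules: RST means unfiltered, silence means filtered."""
    return {p: "unfiltered" if target.tcp_respond(p, {"ACK"}) == {"RST"} else "filtered"
            for p in ports}


def udp_scan(target, ports, retries=2):
    """ICMP port unreachable means closed; silence after retries is open or filtered."""
    result = {}
    for p in ports:
        state = "open|filtered"
        for _ in range(retries + 1):                  # retransmit in case the ICMP was lost
            if target.udp_respond(p) == ICMP_UNREACHABLE:
                state = "closed"
                break
        result[p] = state
    return result


def half_open_memory_kb(syns_per_timeout_window, kb_per_connection=1):
    """RAM pinned by SYNs that never complete within one timeout window (the SYN flood)."""
    return syns_per_timeout_window * kb_per_connection


if __name__ == "__main__":
    unix_box = Target(os="unix", tcp_open={22, 80}, udp_open={123}, filtered={3389})
    win_box = Target(os="windows", tcp_open={139, 445})
    print("SYN :", syn_scan(unix_box, [22, 25, 80, 3389]))
    print("Xmas on unix   :", xmas_scan(unix_box, [22, 25]))
    print("Xmas on windows:", xmas_scan(win_box, [139, 25]))   # every port looks closed
    print("ACK :", ack_scan(unix_box, [22, 25, 3389]))
    print("UDP :", udp_scan(unix_box, [53, 123]))
    print("SYN backlog left behind:", unix_box.half_open)
    print("40M SYNs in one 30 s window pin", half_open_memory_kb(40_000_000), "kB")
```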



5. Scanning Demonstration using NMAP At this point we are going to take a look at a demonstration of scanning for hosts on a network using the NMAP tool. A couple of things I would like to say here: first of all, NMAP is an open source software program, meaning it's freely available to anyone who wants to download it and use it. It is downloadable for every operating system from Windows to BSD to Macintosh to Linux, and the tool is available from the website www.insecure.org. Now, when using NMAP you should be aware that it is a very intrusive tool and is largely considered a hacking utility, so using it against systems that you either don't own or don't have permission to scan can be considered illegal. Make sure you use it responsibly and generally scan your own network for testing or lab purposes. So let's take a look at a quick demonstration. At this point we basically just want to find out what's on our network, and a very simple way to do that is to use the ping scan type of NMAP scan. So we are going to pass -v for verbose and -sP for ping scan, followed by the actual subnet that we want to scan. We are on the 192.168.66.0 subnet with a 24-bit subnet mask. We initiate that scan and have the output saved in a text file that we can take a look at real quick. As you can see that scan went really fast, and we have gotten a couple of different IPs that are up. I am going to pull up KWrite so we can see it, and the file that I have is actually named kwrite as well. This is an example of what you just saw, and if we look through it we will eliminate the items that are showing as down. So we clean this up a little bit; we are not too worried about DNS resolution, those lines are almost statistical performance counters if you will, and it is also going to tell us the MAC address of each host that we are scanning, because that's going to be contained within the ping request itself.
So there you go, these are all the systems that are up and running. That's a pretty clean-cut look at what's available to us on our network. Now as you can see we really haven't got a lot of information other than the fact that there are X number of IP addresses responding to ping requests, and although this is valuable information, we might want to get a little more detailed, and that's where we move into what we are going to talk about next, the enumeration of information. For now I also want to show you some of the things we mentioned about doing UDP scanning. What we just did is essentially an ICMP scan, so it happens very quickly and in our case happens to be very responsive, but for all we know there could be a lot more IP addresses out there that are not responding to ICMP. So we might try a UDP scan. Again, it's going to be slow and it may not give us the results we are looking for, but I definitely want to show you how it works. We are going to ask for verbose again, but this time we are going to do -sU for scan UDP against the same network, and because this is going to take a pretty good amount of time, I am going to go ahead and show you the file I have already created, so we can look at what the results are going to be. This is the result of the UDP scan we just initiated, and it's actually giving us quite a bit of information: we can see that on this particular host various UDP ports are open and offering their services, such as network time, NetBIOS name resolution and Microsoft services. If we move down a little we can also see that we picked up another system, .128, which is running the DHCP client as well as Trivial File Transfer Protocol. But one thing to keep in mind is that there could be a hundred other ports listening on this system that simply don't respond to UDP probes. So although this is all great and wonderful information, and you can see we've got lots of responses, keep in mind this may be the exact opposite of what's open: in some scenarios UDP scanning will say yes, all of these are open, when in fact it's exactly the reverse, all the things not shown here are open and these are all closed. I don't believe that's the case in this scenario, but we will have to find out more information as we go along.



6. Port & Service Enumeration 6.1. Identifying Ports & Services 6.2. OS Fingerprinting 6.3. Popular Scanners 6.4. Demonstration

1. Identifying Ports and Services At this point in our methodology we have gone through and done our reconnaissance, both passive and active, and we have gone through our scanning process to determine what nodes are up and running on the network. Now we are ready to start gathering large chunks of information about these individual systems to determine what steps need to be taken next. We are going to focus on the enumeration of services and operating systems running on the hosts we have determined to be up. Specifically, we are going to start by talking about the concept of identifying ports and services and why that's important. Next we are going to talk about ports and services themselves, how we go about scanning them, what techniques can be used and how we gain information. Then we are going to talk about operating system fingerprinting, which is our attempt to determine what operating system, and which version, might be running on an associated host. Then we will talk about popular scanners that are available on the market and where you might download them, and finally we will do a quick demonstration of port, service and even OS enumeration. So at this point we've done our ping scan, we have determined what systems are up on the network, and we are ready to start identifying services on those hosts. Just to clarify, a service is generally something that runs on a server and is linked to a port, which is a number from 1 through 65,536, that basically offers something. For example the RDP service, or Remote Desktop Protocol service, is a TCP-based service that offers you the ability to remotely connect to a system, and it does so over port 3389. So it's a process running on that box, associated with a number, that does something, and that's the kind of information we are going to find out, because that is going to be the point of vulnerability for most systems.
By identifying that we can also infer more information about that particular box, such as what operating system might be running on it. Just identifying the service itself is great, but we can take it a step further and identify a combination of services that actually means something. Once we have determined what services are running and what operating system resides on that system, we can start putting together exploits for those individual services. Basically we are going to run port scans to determine what ports a computer is listening on; port 80, for example, usually translates to a web server. So, as you can see, those port scans are going to give us direct information linked to a particular service. Usually the ping sweeps and the port and service scans are all run using the same tool; we can go back to NMAP and perform the same thing but ask for more detailed information, and we would get port-based information. So identifying these ports and services is probably one of the most critical steps in the overall hacking and penetration testing methodology.

2. OS Fingerprinting Operating system fingerprinting is basically a process used to determine what operating system the remote target is running, our ultimate goal being to find vulnerable systems, or vulnerabilities within that specific operating system, to exploit. One thing to keep in mind about OS fingerprinting, and a method that is very frequently used, is how the operating systems implement the TCP/IP stack. The basic idea is that there is an RFC, or Request for Comments, that outlines what the community deems the standard for how TCP/IP should be implemented; but because one person may not like something about it, or a company chooses to do it another way, each individual operating system has its own unique implementation of TCP/IP. So the exact same query sent to one machine will be answered differently than the same query sent to a different machine, and this usually allows us to enumerate information about the operating system based on the scans we use. If we send a TCP request with a certain flag to a system that is programmed to work a certain way, say BSD versus Windows, we are going to get two different responses, and that allows us to either eliminate or identify the operating system that might be running there. So it is definitely a useful method for determining that information. We can also use port enumeration or service enumeration to determine it. One thing you will find on nearly every operating system is that when you perform a default install, certain services are installed by default, things that are needed for that operating system to work properly, and when you install a service, especially one that involves any kind of network activity, it's going to be associated with a port number which is probably going to be open.
A great example of this is the ports 137, 138, 139 and 445, which combined together indicate a Windows 2000 or newer operating system, because only Windows 2000 and newer utilize all four of those ports; and on a relatively frequent basis you can look at any combination of these, such as 139 and 445, where the combination of just those two can identify a certain version of Windows, such as Windows XP or Server 2003.



So there are lots of ways to fingerprint an operating system, and even more once the operating system has been configured and various software packages have been installed. A lot of this is actually just common sense or intuitive: for example, if MS SQL is running on a certain port you can pretty much bet that it's not a Linux, Macintosh or BSD-based system, because it's running a Microsoft SQL product.

3. Popular Scanners There are actually dozens and dozens of popular scanners that exist, and ultimately it's up to you to find a scanner that fits your needs. Basically, what you should look for in a good scanner is a multifunctional tool that does everything you need to do as far as scanning and enumeration are concerned. The ideal scanner would perform ping sweeps and port and service scans, and in addition offer OS fingerprinting. It should also be highly flexible and user-friendly. A couple of examples we have here: Foundstone's SuperScan, which is a Windows-based scanner supported by foundstone.com as part of their free tools download base, and NMAP, which we've already seen, which is probably the most popular scanner across all platforms; it is actually UNIX- or Linux-based, but it does have a Windows version. Now, let me warn you, I haven't been that impressed with the Windows version; it doesn't always do what you think it should. You are definitely better off sticking with NMAP on a Linux box, but if you're Linux-phobic you should definitely stick with Foundstone's SuperScan on a Windows box. All the ones we have discussed here are going to offer you full, half-open, stealth and UDP scans. Another great connect scanner is the Angry IP Scanner, which you can find at angryip.org; the basic concept there is that it's connect-based, but it's a very fast connect-based scan with pretty good output. You are not going to get the same level of configurability and detail, but if you're looking for a quick scan of the network, the Angry IP Scanner can do that for you. But again, spend some time and learn your scanners, because you are going to spend most of your research time scanning systems to determine what's available. So make sure you spend the time doing research on this.

4. Demonstration At this point we are going to look into some more specific enumeration-style scanning. Again, this is one of those scenarios where it is important to remember that this can harm systems and can be considered hacking in most arenas. Our first look is going to be at SuperScan 4.0 from Foundstone. I have already downloaded it; it's a simple executable file that you double-click on and it opens up for you. If we want to look at host and service discovery we can come in here and choose which ports we want to scan, we can do data and ICMP scans, we can specify source ports, and it's all graphically configured. We are going to choose SYN scan, and it has basically already selected a lot of the more common ports; this list is pre-populated for you by the person or group that developed SuperScan. We can also go under scan options and choose the different types of scans we want to run, and we can add various tools in as well; we can even look for specific Windows enumeration type scanning. So we are going to put in our IP range here, add it, and kick it off. While that runs we are going to move over to our other system and do a more detailed NMAP scan. This time we are still going to ask for the verbosity we were seeing before, but we are going to use a stealth scan, and we are also going to ask for operating system enumeration. By specifying this information we can be very specific, and we can also add additional scan options such as version identification. So we're going to go ahead and identify our network through NMAP and let it go through its process as well, and we are going to redirect that output to a text file, which is going to be the enum scan. Meanwhile we can jump back over to the Windows box and see what kind of information SuperScan came back with.
Looking at the HTML results, which are simply a nicely formatted report that SuperScan produces, we can see for this particular system its NetBIOS name and what was running on it: six TCP ports, one UDP port, and various pieces of banner information. Continuing through the report, in this case we were actually able to log in to the system using an anonymous FTP account, and the FTP banner gives us the service version and tells us the host is UNIX. We can see an X Windows (X11) server on port 6000. We were able to get quite a bit of information from this host alone. Further down we see more NetBIOS names; one of these is a Microsoft system, and among its banners is what appears to be a Windows Trojan listening on a port. So we have a lot of detailed information: we fingerprinted most of the individual operating systems, and in some cases identified the versions of the services running on those ports. SuperScan also gives us links to the associated systems; if we open the web server in a browser we get an error page, but that still confirms we can connect to the system over port 80.



Now let's go back and see what nmap has given us. It looks like it's still running, so we give it a few seconds to finish and then open the enumeration scan file to see what came back. I narrow the output a little and target just the host at .132, which is a web server on the network. Here is the information for that server: we fingerprinted quite a few services as well as the operating system. It is running Microsoft ftpd 5.0, which immediately suggests Windows NT 5.0, that is Windows 2000 (the FTP service is part of IIS 5.0, which shipped with Windows 2000). We also see MySQL, MS SQL Server and various other services that point to a Windows box, especially the path of the MS Task Scheduler service under the WINNT folder. So scanning and enumeration, when combined, are an extremely useful way to determine which systems and services are running on the target network.
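As an added example (not part of the course material or of nmap itself), here is a small Python helper that parses nmap's greppable output (-oG) and makes the same kind of inference the narration makes by hand: it correlates service version strings into an operating-system guess and checks that guess against nmap's own -O result. The Host: line it contains is constructed to resemble the .132 web server; the address and the version strings are assumptions.

```python
"""Parse nmap -oG output and correlate banners into an OS guess (added example, not course code)."""
import re

# Constructed sample of one nmap -oG "Host:" line; the IP and versions are assumptions, not a real scan.
SAMPLE_OG = (
    "Host: 192.168.66.132 ()\tPorts: "
    "21/open/tcp//ftp//Microsoft ftpd 5.0/, "
    "80/open/tcp//http//Microsoft IIS httpd 5.0/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000/, "
    "3306/open/tcp//mysql//MySQL 4.0.12/, "
    "6000/closed/tcp//X11///"
    "\tOS: Microsoft Windows 2000 SP4"
)

# IIS (and its FTP service) version -> Windows release; the narration uses ftpd 5.0 -> Windows 2000.
IIS_TO_WINDOWS = {
    "5.0": "Windows 2000", "5.1": "Windows XP", "6.0": "Windows Server 2003",
    "7.0": "Windows Vista / Server 2008", "7.5": "Windows 7 / Server 2008 R2",
}
WINDOWS_SERVICES = {"msrpc", "ms-sql-s", "netbios-ssn", "microsoft-ds"}


def parse_grepable_host(line):
    """Return (ip, ports, nmap_os_guess) for one 'Host:' line of nmap -oG output.

    Each Ports entry is port/state/proto/owner/service/rpcinfo/version/ (nmap's own layout).
    """
    if not line.startswith("Host:"):
        return None
    fields = {}
    for chunk in line.split("\t"):
        key, _, value = chunk.partition(": ")
        fields[key] = value
    ip = fields["Host"].split()[0]
    ports = []
    for entry in fields.get("Ports", "").split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            continue
        ports.append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                      "service": parts[4], "version": parts[6]})
    return ip, ports, fields.get("OS", "")


def infer_os(ports):
    """Correlate open-port banners into (os_guess, evidence); a version-specific banner beats weaker hints."""
    guess, evidence = None, []
    for p in ports:
        if p["state"] != "open":
            continue
        label = f"{p['port']}/{p['proto']}"
        m = re.search(r"Microsoft (?:IIS httpd|ftpd) (\d+\.\d+)", p["version"])
        if m and m.group(1) in IIS_TO_WINDOWS:
            guess = IIS_TO_WINDOWS[m.group(1)]
            evidence.append(f"{label}: {p['version']} -> {guess}")
        elif "Microsoft" in p["version"] or p["service"] in WINDOWS_SERVICES:
            guess = guess or "Windows (release unknown)"
            evidence.append(f"{label}: {p['version'] or p['service']} -> Windows family")
        elif p["service"] == "X11":
            guess = guess or "Unix-like"
            evidence.append(f"{label}: X11 -> Unix-like")
    return guess, evidence


def cross_check(line):
    """Compare the banner-derived guess with nmap's own -O result for the same host."""
    ip, ports, nmap_os = parse_grepable_host(line)
    guess, evidence = infer_os(ports)
    agrees = bool(guess) and guess.split(" (")[0] in nmap_os
    return {"ip": ip, "banner_guess": guess, "nmap_os": nmap_os, "agrees": agrees, "evidence": evidence}


if __name__ == "__main__":
    for key, val in cross_check(SAMPLE_OG).items():
        print(f"{key}: {val}")
```

To get this format from a real scan add -oG to the command line (for example nmap -v -sS -O -sV -oG enumscan.gnmap <range>) and feed each Host: line to cross_check(). The banner rule is deliberately narrow: only an IIS or ftpd version maps to a specific Windows release; everything else counts as weaker "Windows family" evidence, which is the right level of confidence for a service name alone.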



7. Data Enumeration

7.1. Data Enumeration
7.2. SNMP Enumeration
7.3. DNS Zone Transfers
7.4. Windows Null Sessions
7.5. NetBIOS Enumeration
7.6. Active Directory Extraction

1. Data Enumeration

At this point in our hacking methodology we have gathered quite a bit of information about the systems on our target network, and we are now looking for ways into it. We have already enumerated which services are running on some systems, and perhaps fingerprinted the individual services or even the operating system. Now we want information such as usernames, groups, physical drives, logical drives, and any other detail that will be useful during the penetration test. Data enumeration is the next step.

We start with the concept of data enumeration and what we hope to gain from it. Next we move into SNMP, the Simple Network Management Protocol, and the enumeration possibilities it offers, followed by DNS zone transfers: DNS is such a critical component of the Internet and of most enterprise networks that there is a good bet it holds a lot of information we can use. We also cover Windows null sessions, a problem created by the sharing and advertisement features of older Windows clients, then NetBIOS (Network Basic Input/Output System) and the options available around that name resolution mechanism, and finally Active Directory and the enumeration capabilities and weaknesses that exist there.
Data enumeration is the basic concept of grabbing as much detailed system information as we can without alerting the intrusion detection systems or administrators who might be watching. It is low-noise rather than truly passive: we still send queries to the targets, but we use built-in features of the systems for their intended purpose rather than exploiting anything. In a few cases we twist what a feature was meant to do a little and use it for things that were not explicitly intended, but these are not exploits; they may be flaws or design decisions, and they are not to be confused with exploit-based information gathering. Because of the non-intrusive nature of data enumeration and of the technologies we are going to talk about, we can do all of this very quietly, and there is a plethora of information to be gained.

Let's go over the spoils of war, if you will, that we might collect during the enumeration process. The first is SNMP. We gain information about SNMP communities, which are names (in effect shared passwords) that identify groups of SNMP-enabled devices and the management stations allowed to talk to them. What we are really after is the Management Information Base (MIB), the structured database of everything an SNMP agent can report about the device: interfaces, software, user accounts, utilization counters and so on. Alerting builds on that data; for example a router can be configured to fire a trap when its utilization crosses 90%. We will talk more about this when we get into the specifics of SNMP enumeration. We also look for usernames and groups, which are definitely valuable: we might use them to brute force an account, or make our test user a member of a group to check its permissions. We look for advertisement of services; a great example is the Computer Browser service, in which Windows systems hold an election to decide which machine (the master browser) keeps the list of computers and shares on the local subnet.
We are also looking for specifics about drives: shares that are publicly visible but possibly locked down with permissions, as well as the hidden administrative shares (C$, ADMIN$ and the like). Those are the ones we really want, because they generally house the most critical information. We also look at network role information, such as servers advertising that they play a certain role and thereby making themselves a target during our penetration test, at installed software and services on particular systems, and at DNS records, because DNS is again such a critical part of the network. There are other types of information you might be able to gain, but these are the key things we are going to be looking for so that we gain as much information as possible.



2. SNMP Enumeration

Let's take a quick look at the Simple Network Management Protocol and the features we might be able to use to gain information, starting with community strings. A community string is a name shared by a group of systems and the management stations that talk to them; in SNMPv1 and v2c it is the only credential, so it works as a shared password sent in clear text. An example would be joining a network node to the default "public" community so that it can communicate with the management consoles that receive traps from it. The basic idea is that when a system has a problem or needs to send a message to an administrator, it uses SNMP to send that information to a management workstation where it can be gathered and alerts can be fired off, and it does so using the community it has been made a member of. By default many SNMP-enabled systems ship with the "public" community, and because it is both the default and widely known, almost anyone with no other credentials can read information through it. In some cases, because a community can be given read-write permissions ("private" is the traditional default read-write string), you can even write to it and change how the device behaves. As you can imagine, this is definitely a vulnerability, or at least a point of interest, for security professionals. The other thing we mentioned in passing is the Management Information Base, sometimes called the message information base in the field: the MIB is the hierarchical database of everything the agent can report about the system, including running services, installed software, user accounts, network interfaces and utilization counters. All of these are very interesting to us when we are trying to break into a network.
The great thing is that for all intents and purposes we only need the "public" community string to be in place with read access in order to gain extensive information. It is a bonus if the community has write privileges, because then we can really do some damage on the network by changing settings and turning off alerting. The whole enumeration process works against any network device or group of devices with SNMP enabled. I should mention that SNMPv3 replaces community strings with user-based authentication and optional encryption, and that newer operating systems no longer install SNMP or accept "public" by default, so administrators are pushed toward a non-default community string or SNMPv3. Any good system or security administrator will take the time to lock this down, but you would be surprised how many devices on corporate networks are still configured with nothing other than the "public" community and its default permissions.

So let's take a quick look at what we might be able to grab through SNMP. We go over to our attack system. In one of our previous scans we identified a system running quite a few services, the advocate web server at .132, so we focus on .132 a little. Looking through the scan we may not have noticed whether SNMP was enabled, but we test the theory anyway, because systems change all the time and it is possible we can enumerate something. We use the snmpenum Perl script (snmpenum.pl) that ships with the BackTrack distribution, point it at the server we suspect holds valuable information, specify the "public" community string, because that is the default and not everyone changes it, and specify the Windows configuration file, because we know the host runs Windows. As you can see it is dumping information as we speak: everything that is installed, the workgroup/domain it belongs to, and, scrolling back up through the output, that it is running a WINS server, WMI, the NT LM Security Support Provider that we would expect on a Windows box, RPC (a commonly exploited protocol), FTP, DFS, Remote Registry, the SNMP Trap service, and the IIS Admin service. There are a ton of different things running here, and many of them have known vulnerabilities we could exploit right now. Scrolling further we can see it is running a DNS server, and then the listening TCP ports. This is going to be accurate because the system reported the information it knows about itself; the only caveat is that it is the host's own view, so a service bound to a loopback or firewalled interface shows up here even though you could not reach it from the network.
We used the "public" community string to read SNMP information from the remote system, so we know this information is accurate because the host itself provided it. There are the UDP ports and additional system information; here are the running services, where we can see the individual executable name for each process; we can see three disks; the users currently logged on; the SNMP hostname; how long the system has been up; and here is a great example of installed software: a "venture go" server, a MySQL server, MS SQL Server, software called "give me free data", what looks like Web Folders, and even Java Runtime version 5. So a lot can be gained from a simple SNMP enumeration. This is information that would probably have taken us days to gather using dozens of different tools, but we got it immediately through SNMP. I have saved this to a file so we can use it later in our hacking process.
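As an added example, not part of the course and not snmpenum's code, the following Python builds an SNMPv1 GetRequest by hand in BER, decodes the GetResponse, and can query the sysDescr/sysUpTime/sysName objects that an enumeration like the one above starts from. It needs only the standard library; the reply used for the offline demonstration is constructed, and the .132 address in the comments is the lab address assumed above.

```python
"""Hand-rolled SNMPv1 GET over UDP (added example; not course or snmpenum code).

MIB-2 "system" group objects that every agent answers for; enumeration starts from these.
"""
import socket

SYSTEM_OIDS = {"sysDescr": "1.3.6.1.2.1.1.1.0", "sysUpTime": "1.3.6.1.2.1.1.3.0", "sysName": "1.3.6.1.2.1.1.5.0"}

def _len(n):                                   # BER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):                                   # INTEGER, minimal two's-complement
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted):                              # OBJECT IDENTIFIER: first two arcs share a byte, rest base-128
    parts = [int(x) for x in dotted.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oids, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community OCTET STRING, GetRequest-PDU [0] }."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)   # NULL placeholder values
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community, request_id, varbinds):
    """GetResponse-PDU [2]; used to construct an offline sample reply (str -> OCTET STRING, int -> INTEGER)."""
    enc = b"".join(_tlv(0x30, _oid(o) + (_int(v) if isinstance(v, int) else _tlv(0x04, v.encode())))
                   for o, v in varbinds)
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, enc))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):                       # returns (tag, body, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):        # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return body.decode("latin-1")
    if tag == 0x40:                            # IpAddress
        return ".".join(str(x) for x in body)
    return None if tag == 0x05 else body

def parse_response(data):
    """Decode a GetResponse into (request_id, error_status, [(oid, value), ...])."""
    _, msg, _ = _read_tlv(data, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    results, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        results.append((_decode_oid(oid), _decode_value(vtag, vbody)))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), results

def snmp_get(host, oids, community="public", timeout=3.0):
    """One GetRequest to UDP/161 (network use; a timeout usually means no agent or a filtered port)."""
    req = build_get_request(community, oids, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        data, _ = s.recvfrom(65535)
    rid, err, varbinds = parse_response(data)
    if rid != 0x1234:
        raise ValueError("request-id mismatch (stray or spoofed reply)")
    if err:
        raise RuntimeError("SNMP error-status %d (2 = noSuchName: wrong OID or read denied)" % err)
    return varbinds
```

Against a live agent, snmp_get("192.168.66.132", list(SYSTEM_OIDS.values())) returns the same sysDescr string that snmpenum prints first. Changing the PDU tag from 0xA0 to 0xA1 turns the request into a GetNextRequest, and looping GetNext over 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName from HOST-RESOURCES-MIB) is how tools walk the running-process table seen above. The request-id check is not decoration: SNMP runs over UDP, so a reply that does not match the id you sent is either stale or spoofed.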



3. DNS Zone Transfers

Another great source of network information is DNS, the Domain Name System. It is the core name resolution service used by just about every organization in existence, and the Internet relies on it heavily; as a matter of fact, without DNS the Internet would not work at all. The reason for saying all that is that DNS is a very important piece of the puzzle for every organization, and what makes it so great for us is precisely that it is a core piece: it is going to house great information. DNS servers communicate with each other through lookups, recursive requests and zone transfers, so that they can synchronize their records. There are two extremely common implementations: BIND (Berkeley Internet Name Domain) and Microsoft's DNS server. They differ a little, but for the most part each is a database of records that map names to IP addresses, whether across the world or within a single organization. Individual zones are owned by one or more DNS servers: there is an authoritative DNS server for each zone, and the zone can contain many records. The great thing is that we can look up the authoritative server for a particular domain, set it as our default DNS server, and start enumerating records from it. We are simply using existing DNS functionality against the system owners. One of the best tools for this is nslookup, which is present on almost every operating system and provides a simple command-line name resolution interface. From the nslookup prompt we can perform zone transfers on the fly.
We initiate the zone transfer from the DNS server, something that would normally only happen between two DNS servers, so we are almost tricking the server into transferring its zone to us even though we are not a DNS server. The information you can gain from a zone transfer is almost endless: there are host (A) records, pointer (PTR) records, service (SRV) records, mail (MX) records, you name it, so we can use it as a one-stop shop for network enumeration and footprinting. It is very much like some of the scanning we did earlier, but non-intrusive: a DNS server that has not been configured to restrict transfers simply answers, because it is a built-in feature, and a single request is not going to raise a lot of flags.

Let's take a quick look at a DNS zone transfer. We get out of Linux for a few minutes and use the Windows box, because its nslookup implementation handles this a little better than the one on the BackTrack distribution. The first thing we do is drop into nslookup. Right now our default name server is .66.2, and we can change that easily by typing server followed by the name or address of the DNS server we want. Remember we are picking on the advocate web server at .66.132, and because we have seen that it runs DNS we know it will accept DNS requests, and maybe even zone transfers if we are fortunate. Next we change a few settings, setting the query type to any (set type=any), which tells the nslookup client we are interested in every record that exists; using all works the same way. Then we use ls, much like listing a directory on a UNIX machine, with the -d switch to list all records, type in the name of the domain we are after, which for this particular company is secretcompany.sec, and redirect the output to a text file. It looks like it was successful: we received nine records. Opening the dump file we specified, we can see what we got. There are a couple of great examples here. The advocate web server is the start of authority (SOA) for secretcompany.sec, meaning it is the zone owner for that domain. We can also see eight A records, or host records, for systems registered under secretcompany.sec. This is extremely valuable. Among them are the advocate web server of course, what appears to be a Linux server, and, very interestingly, two servers called secret data server and secret web server that sit on a completely different network from the one we are currently scanning. This is a great example of a sign that there is probably some kind of high-security network that would be interesting for us to get access to.
We might even start turning our attention toward the secret servers and see what we can find. Here is another interesting set of A records: this WS net 107A system (I am not sure what it is yet) is multi-homed; it has what appear to be network interfaces on two different networks, one of them being the network we are currently on. This is especially interesting because if we can compromise this system we can use it to attack the next network in the chain, since it knows both networks: we attack it from the interface on our side, then make it our base of operations to continue exploiting systems on the other network, and that might even lead us into the secret network we do not have access to right now. So a quick DNS zone transfer netted us a significant amount of information that would have been very difficult to obtain through scanning; finding the two other networks associated with this company would have been nearly impossible that way.
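As an added example that is not part of the course, here is the zone transfer from the demo done in plain Python: it builds the AXFR query that nslookup's ls -d sends, reads the length-prefixed TCP reply, decodes the records (including compressed names), and then performs the analysis the narration does by eye, flagging hosts outside the scanned network and multi-homed names. The sample zone it parses offline is constructed to mirror the records discussed above; the host names and addresses are assumptions.

```python
"""AXFR client and record analysis in plain Python (added example, not course code)."""
import socket, struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX"}

def _encode_name(name):                                  # <len><label>... terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):                 # one question: QTYPE AXFR (252), class IN
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + _encode_name(zone) + struct.pack("!HH", 252, 1)

def _read_name(msg, pos):                                # handles compression pointers (RFC 1035 4.1.4)
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            end = pos + 2 if end is None else end        # resume after the first pointer we followed
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (pos if end is None else end)

def parse_dns_message(msg):
    """Return (rcode, [(owner, type, value), ...]) for every record in one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, records = 12, []
    for _ in range(qd):                                  # skip the echoed question(s)
        pos = _read_name(msg, pos)[1] + 4
    for _ in range(an + ns + ar):
        owner, pos = _read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1:
            value = ".".join(str(b) for b in msg[pos:pos + 4])
        elif rtype in (2, 5, 12):
            value, _ = _read_name(msg, pos)
        elif rtype == 6:                                 # SOA: primary server, then responsible mailbox
            mname, p = _read_name(msg, pos)
            rname, _ = _read_name(msg, p)
            value = f"{mname} {rname}"
        else:
            value = msg[pos:pos + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        pos += rdlen
    return flags & 0xF, records

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf

def axfr(server, zone, timeout=10.0):
    """Transfer a zone over TCP/53 (network use): 2-byte length prefix per message, done at the second SOA."""
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        query = build_axfr_query(zone)
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            (n,) = struct.unpack("!H", _recv_exact(s, 2))
            rcode, recs = parse_dns_message(_recv_exact(s, n))
            if rcode:                                    # 5 = REFUSED: transfers limited to real secondaries
                raise RuntimeError(f"AXFR failed with rcode {rcode}")
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return records

def find_interesting(records, scanned_prefix):
    """Names with A records outside the scanned network, and multi-homed names (more than one A record)."""
    by_name = {}
    for owner, rtype, value in records:
        if rtype == "A":
            by_name.setdefault(owner, []).append(value)
    off_net = {n: ips for n, ips in by_name.items() if any(not ip.startswith(scanned_prefix) for ip in ips)}
    multi_homed = {n: ips for n, ips in by_name.items() if len(ips) > 1}
    return off_net, multi_homed

def build_constructed_zone():
    """Constructed AXFR-style reply (not a capture) mirroring the records discussed above; names/IPs assumed."""
    zone = b"\xc0\x0c"                                   # pointer to the zone name in the question (offset 12)
    rr = lambda owner, rtype, rdata: owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    a = lambda ip: bytes(int(x) for x in ip.split("."))
    soa = rr(zone, 6, _encode_name("advocateweb.secretcompany.sec") + _encode_name("hostmaster.secretcompany.sec")
             + struct.pack("!IIIII", 2024010101, 3600, 600, 86400, 300))
    hosts = [(b"\x0badvocateweb", "192.168.66.132"), (b"\x0blinuxserver", "192.168.66.10"),
             (b"\x10secretdataserver", "10.10.10.5"), (b"\x0fsecretwebserver", "10.10.10.6"),
             (b"\x09wsnet107a", "192.168.66.107"), (b"\x09wsnet107a", "10.10.10.107")]
    body = soa + b"".join(rr(label + zone, 1, a(ip)) for label, ip in hosts) + soa
    header = struct.pack("!HHHHHH", 1, 0x8400, 1, 2 + len(hosts), 0, 0)
    return header + _encode_name("secretcompany.sec") + struct.pack("!HH", 252, 1) + body
```

axfr("192.168.66.132", "secretcompany.sec") is the equivalent of the server / set type=any / ls -d sequence in the demo. Against a properly configured server you get rcode 5 (REFUSED), because transfers are restricted to the addresses of the real secondaries or require a TSIG key; that refusal is itself worth noting in the report. find_interesting() is the step the narration performs by eye: A records pointing outside the scanned network and names carrying more than one address are exactly the hints that revealed the secret network and the multi-homed pivot host.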



4. Windows Null Sessions

Continuing with our enumeration process, the next topic is Windows null sessions. This has been tossed around as probably one of the most critical flaws associated with the Windows operating system. It relies on Server Message Block (SMB), the protocol used for file sharing, service advertisement and other network communication specific to Windows machines. You will normally only find it on a Windows box, with the exception of other systems that speak the same protocol: CIFS (Common Internet File System) is Microsoft's name for one dialect of SMB, and Samba on UNIX and the SMB services on NetWare implement the protocol for Windows clients. Those implementations can be susceptible to many of the same attacks as Windows SMB, so they are something we look out for as well. The flaw is in how SMB handles authentication: it allows a null session, which lives up to its name by establishing a session using a null user. We authenticate, but with no credentials at all. Once the null session is established it can be used for all kinds of things, depending on how the system is configured: browsing the file system, for example, or gaining system information such as shares, drives and user accounts. The basis of the flaw is that the Local Security Authority (LSA) treats the null user as the well-known identity ANONYMOUS LOGON, whose security identifier (SID) is S-1-5-7.
Because there is a SID for the null user, it can be granted permissions on the system, and the permissions it gets depend on the configuration and type of system you are attacking. Let's take a quick look at a null session in action. We go back to our XP attack system and continue to pick on the advocate web server, because it has been so good to us in the past. The command is actually pretty simple: a standard net use command, the same one you use to map a drive or set up a printer on LPT1, with our target, .132. What we do differently is request the IPC$ share; notice the $ sign after IPC. IPC$ is a special share used for inter-process communication by certain services on a Windows box, and the $ sign marks it as an administratively hidden share, meaning it is not listed when you simply browse the network, even if you have permissions. We specify a blank password and a blank user account (net use \\<target>\IPC$ "" /user:""), press Enter, and the command completes successfully. A simple net view shows it has been mounted alongside our other connections. Now we try to go further, and again this depends on the system and its configuration: we attempt to access the administrative share of the root of the C drive (C$). Remember this is the holy grail, because if you get read and write access to the C drive you can do anything you want on the system. It looks like it is thinking about it, and there we go: we now have access to the WINNT folder of this system, and remember we have not authenticated to it with anything except a null user. We can see Microsoft SQL Server data here, so chances are we have access to the database files; there they are, every table belonging to the SQL Server instances running here. We could walk away with the master database or the stock info table. That is a great example of useful information. So, using a null session you can gain a lot of information and, under the right circumstances, administrative control of a system. Remember that these weaknesses apply to Windows systems and to other operating systems running an SMB/CIFS service.
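The null session above leaves a trace on the target, and as an added example (not from the course) here is the defender's side of it: a small Python detector that reads Windows Security events, keys on the ANONYMOUS LOGON SID S-1-5-7 the text just introduced, and correlates anonymous network logons with the shares they touched. The event lines are constructed to carry the fields of Event ID 4624 (logon) and 5140 (share access) as logged on Vista/2008 and later; on Windows 2000 the equivalent network logon event is 540. Host names and addresses are assumptions.

```python
"""Spot null sessions in Windows Security events (added example, not from the course)."""
import re

ANONYMOUS_SID = "S-1-5-7"          # well-known SID of ANONYMOUS LOGON, the "null user" described above

SAMPLE_EVENTS = [
    # constructed: a successful network logon (type 3) with no credentials, i.e. a null session
    "EventID=4624 Computer=ADVOCATEWEB LogonType=3 SecurityID=S-1-5-7 AccountName=ANONYMOUS LOGON "
    "AccountDomain=NT AUTHORITY SourceAddress=192.168.66.50",
    # constructed: the same anonymous session then connecting to IPC$
    "EventID=5140 Computer=ADVOCATEWEB SecurityID=S-1-5-7 AccountName=ANONYMOUS LOGON "
    "ShareName=\\\\*\\IPC$ SourceAddress=192.168.66.50",
    # constructed: an ordinary authenticated network logon, which must not be flagged
    "EventID=4624 Computer=ADVOCATEWEB LogonType=3 SecurityID=S-1-5-21-1004336348-1177238915-682003330-1001 "
    "AccountName=jsmith AccountDomain=SECRETCOMPANY SourceAddress=192.168.66.20",
    # constructed: an anonymous logon that never touched a share
    "EventID=4624 Computer=SECRETWEB LogonType=3 SecurityID=S-1-5-7 AccountName=ANONYMOUS LOGON "
    "AccountDomain=NT AUTHORITY SourceAddress=192.168.66.77",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs whose values may contain spaces


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_null_sessions(lines):
    """Correlate anonymous logons and share accesses per (computer, source) and rate each finding."""
    sessions = {}
    for ev in map(parse_event, lines):
        if ev.get("SecurityID") != ANONYMOUS_SID:
            continue
        entry = sessions.setdefault((ev["Computer"], ev["SourceAddress"]), {"logons": 0, "shares": []})
        if ev["EventID"] == "4624" and ev.get("LogonType") == "3":
            entry["logons"] += 1
        elif ev["EventID"] == "5140":
            entry["shares"].append(ev["ShareName"])
    findings = []
    for (computer, source), e in sorted(sessions.items()):
        # IPC$ is where account and share enumeration happens; reaching C$ or ADMIN$ anonymously is worse still
        touched_admin = any(s.upper().endswith(("IPC$", "C$", "ADMIN$")) for s in e["shares"])
        findings.append({"computer": computer, "source": source, "logons": e["logons"],
                         "shares": e["shares"], "severity": "high" if touched_admin else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_null_sessions(SAMPLE_EVENTS):
        print(finding)
```

An anonymous type 3 logon from an address that is not one of your own scanners is almost always enumeration, so this is worth alerting on even before a share shows up. The configuration side of the same problem is the RestrictAnonymous value (and, on XP/2003 and later, RestrictAnonymousSAM) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is what an administrator tightens to deny the null user the information the demo just collected.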

5. NetBIOS Enumeration

Another enumeration method that is somewhat specific to Windows is NetBIOS-based enumeration. As a quick review, NetBIOS stands for Network Basic Input/Output System. Its name service resolves NetBIOS computer names on the local network, and the Windows Internet Name Service (WINS) is the server-side part of that process; name resolution works with or without a WINS server. NetBIOS is not routable on its own, so it is limited to local networks, and it is primarily broadcast-based, especially when no WINS server is present: it relies on advertisement and on replies to broadcasts. A computer looks out on the wire and yells that it needs a certain service or a certain computer name, and if the target hears it, it responds with the associated information. It is a very primitive version of name resolution, but the advertisements here can be services, roles and drives, and the nice thing for us is that NetBIOS is enabled by default on Windows systems even though most Windows systems today do not really use it; they rely on DNS, the newer name resolution mechanism, which works a lot better. So NetBIOS is one of those forgotten, tossed-aside services that can give hackers lots of great information. One of the most common tools here is the nbtstat command, and there are others such as nbtscan, smbdumpusers and smbgetserverinfo. We are going to look at some of these tools and see what they can do for us.

We jump back over and this time spend more time on the Linux box, looking at two different tools. The first is nbtscan, one of the more popular tools out there. We specify a particular system to scan, picking back up on our advocate web server. In this scenario we can see that it is running the Server service, we get its MAC address, IP and associated name, and we see that it is running IIS. That may seem obscure at this point, but it is actually a pretty good sign. Although it does not seem like much, we did not know it was a server, and we did not know its MAC address, IP address or even host name, and now we do. We take it a step further and break out the smb enumeration utilities, which come in two parts: one dumps users and the other dumps server information. First we run smbgetserverinfo, giving the -i switch with the IP address and asking for verbose output. Here is a great example: advocateweb is the server name, it runs Windows 5.0 (so if we did not know it before, we now know it is Windows 2000), and we also learn what domain it is a member of. Next we try to get user information with smbdumpusers, and this is really where the detail we are looking for comes in. Now the beauty of this is that in addition to the username it tells us the relative identifier (RID), the last component of the account's security identifier, and let me explain why that is important. Windows machines, much like Linux machines, have fixed identifiers for certain types of accounts. The built-in Administrator account, the equivalent of root, is always RID 500, so even if I renamed it to "guest", you would still know that it is RID 500.
Under normal circumstances, if you see an account named guest you would assume it is probably disabled and that even if you got in it would not have many permissions. Well, this one may be named guest, but because it is RID 500 we know it has administrative privileges on the system; and the real Guest account is always RID 501 on a Windows machine. (The numeric IDs for Linux user accounts work a little differently, but the idea is the same.) In this scenario we see the 500 and 501 accounts and we are definitely getting good information. We can also see an IWAM_ account and an IUSR_ account; these are the service accounts IIS uses for running web applications and for anonymous web access. So at this point we have gained a significant amount of information over and above what we knew before: the user accounts on the system, its hostname, its operating system, and the domain or workgroup it is a member of, and we are not done yet. Let's move over to our Windows box and use the built-in nbtstat utility. You can see its usage instructions, with lots of options available; we are going to use nbtstat -A against a specific IP address.

Here is a great example of gaining information about the services running on the network. This host is in a workgroup, its hostname is advocateweb, and the numbers you see next to each name are NetBIOS name suffixes: well-known hexadecimal codes identifying the service that registered the name. You can look them up on the Internet to find out exactly what they mean, but I can save you the trouble here: <00> is the Workstation service and <20> is the Server service, so this host is acting as both, and the <1C> group name INet~Services tells us it is running Internet Information Services, meaning it is a web server. As you can see there is a lot more information to be gained with the nbtstat command, and these are just a few of the dozens of enumeration tools available for NetBIOS.
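As an added example (not part of the course, and not nbtstat's or nbtscan's code), here is the NetBIOS node-status query that both of those tools send, written in plain Python: it encodes the wildcard name, sends the NBSTAT request to UDP/137, and decodes the returned name table, including the suffix codes the narration just explained. The reply used offline is constructed to carry the names the .132 host showed; the MAC address and names are assumptions.

```python
"""NetBIOS node-status query (what nbtstat -A and nbtscan send) in plain Python (added example, not course code)."""
import socket
import struct

# NetBIOS name suffix (16th byte) plus unique/group flag -> meaning, as printed by nbtstat -A
SUFFIXES = {
    (0x00, "unique"): "Workstation service", (0x00, "group"): "Domain or workgroup name",
    (0x03, "unique"): "Messenger service", (0x20, "unique"): "Server service (file and print sharing)",
    (0x1B, "unique"): "Domain master browser", (0x1C, "group"): "Domain controllers (INet~Services: IIS)",
    (0x1D, "unique"): "Master browser", (0x1E, "group"): "Browser elections",
}

def _encode_nb_name(name, suffix=0x00):
    """First-level encoding: 16 raw bytes become 32 letters A-P (one per nibble), length-prefixed."""
    raw = b"*" + b"\x00" * 15 if name == "*" else name.upper().ljust(15)[:15].encode() + bytes([suffix])
    letters = "".join(chr((b >> 4) + 0x41) + chr((b & 0xF) + 0x41) for b in raw)
    return b"\x20" + letters.encode() + b"\x00"

def build_node_status_request(txid=0x1234):
    """Query for the wildcard name '*', type NBSTAT (0x21), class IN; sent to UDP/137 of the target."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + _encode_nb_name("*") + struct.pack("!HH", 0x21, 1)

def parse_node_status_response(msg):
    """Return (mac, [(name, suffix, 'unique'|'group', description), ...]) from a node-status reply."""
    _, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                                   # normally 0 in a reply, but skip any echoed question
        pos += 1 + msg[pos] + 1 + 4
    pos += 1 + msg[pos] + 1                               # the answer's encoded name
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    if rtype != 0x21:
        raise ValueError("not a node-status (NBSTAT) response")
    count, pos = msg[pos], pos + 1
    names = []
    for _ in range(count):                                # 18-byte entries: 15-char name, suffix, 2 flag bytes
        raw, suffix, flags = msg[pos:pos + 15], msg[pos + 15], struct.unpack("!H", msg[pos + 16:pos + 18])[0]
        kind = "group" if flags & 0x8000 else "unique"
        names.append((raw.decode("latin-1").rstrip(), suffix, kind, SUFFIXES.get((suffix, kind), "unknown")))
        pos += 18
    mac = ":".join("%02X" % b for b in msg[pos:pos + 6])  # statistics block starts with the unit ID (MAC)
    return mac, names

def roles(names):
    """Derive the roles the narration reads off the name table."""
    found = set()
    for name, suffix, kind, _ in names:
        if suffix == 0x20 and kind == "unique":
            found.add("Server service (shares)")
        if suffix == 0x1C and kind == "group":
            found.add("IIS web server" if name.upper() == "INET~SERVICES" else f"domain controller for {name}")
        if suffix == 0x1B and kind == "unique":
            found.add(f"domain master browser for {name}")
    return found

def node_status(host, timeout=3.0):
    """Send the query and parse the reply (network use; UDP/137 must be reachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)

def build_constructed_response():
    """Constructed reply (not a capture) with the names the .132 host showed above; MAC and names are assumed."""
    entry = lambda name, suffix, group=False: name.ljust(15).encode() + bytes([suffix]) + struct.pack("!H", 0x8400 if group else 0x0400)
    table = (entry("ADVOCATEWEB", 0x00) + entry("WORKGROUP", 0x00, True) + entry("ADVOCATEWEB", 0x20)
             + entry("INet~Services", 0x1C, True) + entry("IS~ADVOCATEWEB", 0x00) + entry("WORKGROUP", 0x1E, True))
    rdata = bytes([6]) + table + bytes.fromhex("000c293a1b2c") + b"\x00" * 46
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    return header + _encode_nb_name("*") + struct.pack("!HHIH", 0x21, 1, 0, len(rdata)) + rdata
```

node_status("192.168.66.132") returns the same table that nbtstat -A prints as text. Note that the suffix alone is ambiguous: <1C> means "domain controllers" when it carries a domain name but IIS when the name is INet~Services, which is why roles() looks at the name, the suffix and the unique/group flag together.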

6. Active Directory Extraction

Active Directory is much like DNS in that it provides large organizations with key features that are absolutely necessary. It is basically a structured database of users, groups and other objects that lets users log in and gives administrators a central point of control for permissions. The reason this is so important is that if I want user A to be able to get onto seven different servers there needs to be a central authority for that, and that is what Active Directory provides. The reason it is so important for us as hackers is that it contains records for all users, groups, servers, workstations and sites, and even additional information associated with DNS. If it contains all of that, it definitely raises my eyebrows as a place where I might gain information about the network and potentially use it as a point of attack. With that in mind we need to be familiar with the fact that, by default, any authenticated user in the directory can read most of the database: they may not be able to change anything, but they have read access almost everywhere, which is really all we need, because we are only looking to gain information at this point and are not making any moves yet. Active Directory speaks the standard LDAP protocol, which means anything LDAP-enabled can potentially query that database. The utility most system administrators use is LDP.exe, a simple LDAP browser provided by Microsoft, but keep in mind that it is just one example of a simple LDAP client; there are literally thousands of LDAP clients you can download from anywhere. Depending on the level of hardening applied to the Active Directory database, you may be able to bind with no credentials at all (an anonymous bind) or possibly as guest with no password.

62 | P a g e


Now bearing in mind that although this may not always be possible, it would only take one compromised active directory account for you to enumerate the entire company with every user, group and computer across the board. So, a very common technique used out on the field is to combine the knowledge of active directory with the knowledge of exploits and hacking tools and hack a single workstation that may not be locked down very well and compromise their active directory account, once that's done you can authenticate to the active directory tree using that compromised account and basically download the database to a flat text file and use that to further exploit that network. So, even though active directory may not allow you to make changes to it and that's why a lot of administrators overlook this as a security point. We can actually go in and use that information for further discovery and exploitation across the board.



8. Vulnerability Assessment
8.1 OS Vulnerability
8.2 Vulnerabilities and Exploits
8.3 Web Server Vulnerabilities
8.4 Database Vulnerabilities
8.5 TCP Stack Vulnerabilities
8.6 Application Vulnerabilities
8.7 Vulnerability Assessment

1. Operating System Vulnerability

Let us move on into a little more specific discussion about OS, or operating system, vulnerabilities. The first statement that we have here may seem kind of obvious at first, but what you see a lot of in the field is that people have the misconception that Windows is the only insecure system out there. Although this may be a little controversial, the Linux and Apache combination has had significantly more critical vulnerabilities than Windows Server 2000 running IIS 5.0 (again, that depends on which research organization you look at), but the moral of the story is that this is not a competition over who can have more vulnerabilities. Every system, every piece of software, everything out there has vulnerabilities; it is just a matter of finding them, and because Windows is the single most popular operating system in the world, people are looking a lot more closely at the vulnerabilities that exist there. Exploits for Windows and other operating systems are commonly posted on hacker sites. One thing that I do on a weekly basis is keep a list of about five or six great sites out there that are maintained by hackers in various countries, and every week I go out and download all the new exploit code, compile it and test it to see if it works, and if it does, I add it to my arsenal of penetration testing tools. So it is definitely a good opportunity for you to go out there, find some good resources, hang onto them and use them to continuously develop your list of tools.

Operating system exploits are overall going to be used to do one of two things: either to gain access to the system at one level of permissions or another, or to cause a denial of service. A great example of the latter is the SMB packet attack, which is basically a single malformed packet sent to the SMB service that will crash the system. Now, great examples of operating system exploits (and we have a list of those on the next page) include things like buffer overflows, which usually allow attackers to gain some level of system permissions or other permissions, and ultimately remote access to the system.


There can be specific vulnerabilities in the way Microsoft has implemented the TCP stack, because theirs does not follow the standard RFC for TCP/IP, so be aware that there are some stack vulnerabilities there. Default permission settings are also a huge thing to contend with, as well as default security settings. Remember that Windows, by default and going back to its originating days, said: we will allow everybody everything by default, and if you don't want someone to have something then you have to explicitly take that away. Well, that creates quite a problem for security professionals if everyone has access to everything, so it's a really big challenge for us to go through and lock those things down. Most of the holes that you are going to find in operating systems are actually holes in default services and applications, things that come installed by default or exist by default. So that's how we are going to define and classify OS vulnerabilities. Some examples of this include, first of all, rlogin, which is basically remote logon for Linux. It's very similar to Remote Desktop or SSH, however you want to look at it, but it's effectively a way to gain access to a system, and it is a default application with Linux; you can choose to install it or not, but it has a lot of vulnerabilities associated with it. As a matter of fact, running it on the Internet is borderline suicide. RPC, or Remote Procedure Call, in the Windows operating system has several dozen vulnerabilities associated with it and is actually one of the core critical default services for Windows. In other words you can't really turn it off; you can turn off remote access to it, so there are ways to lock it down, but this is one of those that we cannot really do a lot about until Microsoft patches it, which they have done in recent years. Server Message Block, or SMB, is basically the file sharing capability of Windows. Again, it is turned on by default so that network computers can access network servers, but it definitely causes some vulnerability if left unpatched. Windows Management Instrumentation, or WMI, is actually a scripting/management interface that can be used to automate tasks on systems, but the problem is that it's running by default in a lot of corporate organizations and, if left unpatched, can cause some major vulnerabilities. The Local Security Authority Subsystem Service basically handles authentication, including higher-level authentication, and what that really means is that it's running on every single Windows system out there and there is nothing we can do about it. Because of that, people have found exploits for it; I think it's a great target, and recently a worm was released that utilized it and was a very successful and highly damaging worm because this service is installed on every Microsoft box out there. It has since been patched, and as long as you have updated your patches you don't have too much to worry about.



X server is another great example. Some of the older implementations of X server, which is basically a graphical interface for Windows, listen on an external port, and that allowed vulnerabilities that exist in an X server to be accessed remotely. X server has since been upgraded and patched. The reason I'm showing you various exploits and vulnerabilities from different operating systems is so you keep in mind that we are not just hacking Windows boxes. They are a lot easier to hack because there are so many tools out there and so many vulnerability assessment resources, but keep in mind Linux is just as vulnerable as Windows.

2. Vulnerabilities & Exploits

At this point we have actually spent quite a bit of time going through and evaluating what systems and services might exist on the network, so we are at a good point where we can move into vulnerability assessment and start trying to determine which systems and which services contain vulnerabilities that we might exploit as hackers. We are going to take a look at the basic concept of vulnerabilities and exploits and how they play a role in the methodology that we are working with. Then we are going to look at some specific vulnerabilities associated with operating systems and how they might create issues for us, as well as Web server vulnerabilities, database vulnerabilities, TCP stack vulnerabilities and application vulnerabilities, and finally we are going to go through a vulnerability assessment demonstration and show you how to put all of this together and make some determinations about your target. To kick things off, vulnerabilities are basically described as security flaws or errors in software. That software can be operating systems, applications or servers; it really doesn't matter, even all the way down to routers and switches, which are going to have software-based vulnerabilities.

99% of the time vulnerabilities are created by poorly written or insecure code, and this is usually where the programmer or the company building the software didn't take the proper time to go through and evaluate their code for security holes. They may have simply overlooked something, but chances are they didn't do due diligence on their code. So we are going to use these vulnerabilities hand-in-hand with exploits: we are going to use exploits that take advantage of the vulnerabilities to either break into or cause damage to the system in some way. Exploits can include various things such as denial of service attacks, remote execution on the system, manipulation of the remote system and sometimes information disclosure, where we can extract information from that system. Vendors or software manufacturers release patches to correct these vulnerabilities, assuming the software we are looking at has a patching capability. What you will see often is that manufacturers create a software product intended for a purpose and shoot it out to the customer in haste, looking to get the money that they have been


working for, for such a long time, and they don't consider the fact that the system may need to be patched years down the road. So they don't put in patching mechanisms, and when they don't do that, it very much limits your ability to protect yourself in the long term from security vulnerabilities. There is quite a bit of software like that out there; one of the more common examples was some backup software that was recently discovered to have some major security vulnerabilities, and the manufacturer hadn't built in an automated patching mechanism. When that takes place it's a lot harder for companies to get the patches out to the systems, and in some cases it's impossible. So those are the unpatched systems that we are going to be looking for. In addition, a company may simply have chosen not to patch a system because an application on that system won't function with a given patch, so you will find situations in most large organizations where not every system in the entire bank is patched properly. Vulnerabilities exist across the board and usually vary from one type of product to another. You have buffer overflows, stack overflows, all these different methods for exploiting certain vulnerabilities, so the list is really endless on what your options are as far as exploiting them. An important thing to keep in mind is that we have automated vulnerability scanners such as Nessus and Nikto, for example. Nessus works across the board for any type of vulnerability: Web server, system, application, it does not matter. Nikto is specifically a web vulnerability assessment scanning tool. So each vulnerability scanner has its own benefits and its own drawbacks. There are also a lot of security websites out there.

We have mentioned bug tracking sites, CVE listings and even vendor sites, which as a matter of fact can often contain information about those vulnerabilities because they want everybody to know about them. Another great resource is hacker sites; a lot of times hackers and hacker groups will go out and post their vulnerability code, so you can download that, compile it and use it to test for a vulnerability. Briefly, here is a list of vulnerabilities that are very common: operating system specific vulnerabilities; Web server and application vulnerabilities, which include the type of web service running as well as the associated code parser on the back end such as PHP, ASP, ASP.NET and things of that nature; database vulnerabilities, which are huge as well, allowing for remote code execution, downloading the database files, you name it, there are a lot of database vulnerabilities out there; and TCP stack vulnerabilities, which usually affect the default implementation of TCP on a particular system, and we will get into more detail on that as we go along.



Virus, Trojan and malware susceptibility is kind of a borderline item here: a lot of the time these viruses and Trojans will exploit various vulnerabilities in the system, and malware will do much the same thing. So keep in mind that usually these viruses, Trojans and malware are going to exploit one of these vulnerabilities in the operating system or the application. Now for multifunctional exploit tools we are going to name Nessus, for example, because it actually goes out and in a lot of cases will perform the exploit to see if the system is actually vulnerable, and the Metasploit Framework, which is not a vulnerability assessment tool but an exploitation tool; it contains hundreds of exploits built into the product that allow you to basically hack the system using a nice selection of tools.

3. Web Server Vulnerabilities

Now, one of the reasons that we are going to take some time to talk about Web servers is that they are probably one of the more frequently attacked systems on any company's network. Because of their nature they really lend themselves well to hackers: they are out on the Internet and there are so many different variables associated with them that they are very difficult to lock down. And because there are vulnerabilities across all Web server platforms, including IIS, Apache and Tomcat, it definitely makes for a great target. Another thing that actually increases the risk of Web servers being hacked is that they are connected to the Internet. In most cases there's an open channel between the hacker and the particular server: no firewalls, no intrusion detection system to worry about, it is just a great target. In some scenarios these Web servers may be protected by external firewalls or a DMZ-style setup, but even then you are stuck with the problem that anonymous users need to make requests to this server in various directories on port 80, which means there's only so much you can do to prevent access from hackers because you can't tell the user from the hacker. So this is a good example of putting yourself out there: you are in a vulnerable situation because you're allowing anonymous access to your system at many levels on port 80. This is almost one of those setups that is just doomed to fail, and we have also mentioned that it's easier to exploit these guys due to poor security. Now I want to elaborate on that for a minute. What that basically means is that there are so many different things involved in setting up a website, and I am just going to walk through a standard IIS setup.

First of all you've got local file system privileges, you have got operating system security, you've got the configuration of the account that IIS runs under, you have got the IIS service itself and its associated virtual directories. You have to deal with whatever code you are running IIS with; let's take PHP for example, so you have got to deal with the versioning and the patching associated with PHP and its configuration. And then you have to deal with the application that PHP and IIS host and its associated patching


and vulnerabilities and its associated permissions inside the application, as well as the back-end database that the application is potentially interfacing with. I will go ahead and stop there, but I could go on for quite a while. The reason I am bringing that up is to point out the fact that Web servers are such a complex animal that it is extremely difficult to have a well locked down Web server in any type of environment. So keep in mind that Web servers are usually targeted and successfully hacked simply because most system admins or Web server managers don't have the skills and the understanding to lock down every aspect of that site. All the hacker has to do is assess that Web server and find out where the weaknesses are, whether it's in database permissions, application permissions or vulnerabilities that exist in various versions of software. But again, it's such a complex environment that it's very difficult to protect. So we are going to go over some common Web server vulnerabilities that exist out there. First, passwords stored in website code. Although this isn't the most common thing in the world, I did a job for a lawyer's office a while back and they had it set up so that clients could see their case status on the website. Basically you would go to the site and it would prompt you for a username and password, you typed in your username and your password, and it would let you in if you authenticated properly. So the authentication part actually worked pretty well; the problem is that the authentication application was checking a URL that ultimately led me to a plaintext file where the passwords were stored. So I could simply go read that file, find all of their clients and get a look at the status of all the cases for every client in that lawyer's office. That's a pretty big vulnerability that was created by whoever wrote the code for that particular software application.
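As an added Python example (not code from the course), here are the request-path checks a Web server or its front-end application should perform before serving a file: strict single percent-decoding, refusal of traversal and double-encoded separators, resolution against the document root, and a refusal to serve anything from the directory holding application data such as the plaintext credential file in the story above. The document root, the private directory and the blocked extensions are assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Assumptions for the example: the site's document root, a directory under it
# that holds application data (e.g. a credential file) and must never be
# served, and file types that must never be served or executed on request.
WEBROOT = "/var/www/site"
PRIVATE_PREFIXES = ("/private/",)
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".exe", ".dll", ".ini", ".config"}


def naive_is_allowed(url_path: str) -> bool:
    """The flawed URL check the lecture warns about: a substring test on the
    raw, still-encoded request path. Encoded separators slip straight past it."""
    return "../" not in url_path and "..\\" not in url_path


def decode_request_path(url_path: str) -> Optional[str]:
    """Percent-decode exactly once and strictly; None means refuse the request."""
    raw = unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8")    # strict: overlong forms like %c0%af fail
    except UnicodeDecodeError:
        return None
    if unquote_to_bytes(decoded) != raw:  # would decode again: double encoding
        return None
    if "\x00" in decoded:                 # NUL truncation tricks
        return None
    return decoded


def resolve_request(url_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Return the file system path a request may be served from, or None."""
    decoded = decode_request_path(url_path)
    if decoded is None:
        return None
    decoded = decoded.replace("\\", "/")      # Windows servers accept both separators
    if ".." in decoded.split("/"):            # any traversal segment, wherever it is
        return None
    relative = posixpath.normpath("/" + decoded.lstrip("/"))
    if (relative + "/").startswith(PRIVATE_PREFIXES):
        return None
    if posixpath.splitext(relative)[1].lower() in BLOCKED_EXTENSIONS:
        return None
    target = posixpath.normpath(webroot + relative)
    # Belt and braces: the result must still sit inside the document root.
    if target != webroot and not target.startswith(webroot + "/"):
        return None
    return target


if __name__ == "__main__":
    # Constructed requests: two legitimate ones and three encoded traversals.
    for path in ("/index.html",
                 "/images/%20logo.png",
                 "/scripts/..%c0%af..%c0%afprivate/clients.txt",
                 "/scripts/..%255c..%255cprivate/clients.txt",
                 "/cgi/../private/clients.txt"):
        print(f"{path:48} naive={naive_is_allowed(path)!s:5} "
              f"serve={resolve_request(path)}")
```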
So that is a great example of passwords being stored in the code on sites. Another huge one that came out for Windows 2000 is the ability to traverse directories. It was called the Unicode attack and basically it allowed us to get into any directory on the system as long as it was on the same physical drive as the website itself. Next, the ability to execute scripts or programs: there are actually dozens of default scripts and programs that come with the default installation of Apache, Tomcat and IIS, and a lot of administrators don't know about or choose not to remove those scripts or programs, so if permissions are not set up correctly I can execute those scripts on the remote system. The ability to bypass URL checking basically means this: I want to run the command.exe file on the Web server, and there should be mechanisms in place that prevent me from doing that, but often the URL checking is flawed or not configured correctly and it will actually allow me to run arbitrary code on those remote systems. Another very common one is improperly patched and configured servers. Now this can actually apply across the board, but what I'm specifically focusing on is the improperly patched part; remember all the different software versions that I laid out for you earlier,


well, every one of those has vulnerabilities and needs to be patched. It only takes one subsystem to be missed in the patching process and you have created a major vulnerability for yourself. Now, once we actually go through, determine the exploits and actually exploit them, we can gain all kinds of different things. Root access is definitely the holy grail of hacking, because we now have root access to the system. Website defacement is something that's commonly done by script kiddies, who generally just take a tool and run it against every Web server on the Internet until they find one; they hack it, they put their name out there, they leave a message and then they walk away from it. They don't actually do any real hacking; it's more just for publicity. Denial of service can definitely exist in those vulnerabilities. Theft or alteration of data on the server is actually a very common thing; hackers are looking to get data, and that's our ultimate goal here. For the most part we are looking to get information that is not normally accessible. If I can actually extract your database records through the vulnerabilities in your web application, that's going to get me what I'm looking for, and depending on the skill and the desire of the hacker, further penetration deeper into that network is definitely going to be one of our goals as well. So as you can see, Web servers, as complex as they are, provide a great place for hackers to start when penetration testing a network.

4. Database Vulnerability

The next topic we are going to cover is database vulnerabilities, and one of the reasons we want to take some time to talk about databases is that in nearly any corporate or enterprise-style company you have to have a place to put your information. Whether it's customer data or statistical data does not really matter; you need a place to house it, and fortunately for us hackers there really are only about three major database manufacturers out there. These software vendors create these databases and they don't always have security in mind. Their goal is functionality, end user support, all of the different things that make a client happy, not what makes their product secure. So pretty much all major databases have vulnerabilities, whether it be Oracle, Microsoft SQL or MySQL, which are really the three big players. There are probably dozens of other smaller businesses in the database business, but your large players are basically Microsoft SQL and Oracle, who recently purchased MySQL. Basically these database servers, depending on what their purpose is, will be located either inside the network or possibly, if poorly designed, in the DMZ itself. The location is definitely going to greatly affect how we access the database, not whether or not we can hack it, because we can hack it whether it's in the network or not, and I'll tell you why later.


Often these databases are back ends for Web servers or for end-user applications. One of the common things that you are going to see is compromising the Web server followed by the database server, and there are actually many different methods available to hackers to even bypass the Web server and go straight to the database server. So there are lots of options available to us, and this is the scenario I am talking about: even if the database is in a protected part of the network and it is locked down, it is going to allow access from the application. So if we use the application to hack the database, then we have bypassed all the security checks applied to that database. That is a great example of utilizing software for something other than what it was intended for, which is hacking through the web application itself, and there are lots of common vulnerabilities here. Misconfiguration of permissions and roles is definitely a huge one. Permissions and roles basically define who gets access to what, and how, in a database environment. As you can imagine, if you incorrectly configure this then you are opening yourself up to anyone with any account gaining access to sensitive information. Another great example is badly constructed database objects. These include the tables, the data manipulation language statements and the data definition language statements, which are basically fancy ways of saying how we create our objects, and an object can be anything from a table to a view to a database itself or a user account. How we design the interaction of those objects as database engineers dictates whether or not attackers are going to be able to bypass our security mechanisms.

Probably the single most common way of hacking databases is through SQL injection. This basically utilizes an application on the front end, whether it be a desktop or web application is irrelevant, and we try to manipulate the strings that are being sent to the database. This actually breaks two different massive rules, the first being data validation. Data validation means that you only want a certain kind of input to be passed into the application, and if you change that, then the application should stop you and let you know that it's not valid data. A lot of applications don't do that, and basically what happens is that we send in invalid data, which is ultimately a SQL statement that can be read by the SQL server. We send it to the application, the application parses it without complaint and sends it to the database, and if the database doesn't have restrictions on how the application can send requests to it, it will actually parse that and return whatever your request was. So with limited knowledge of applications and how they interact with databases, and a little more knowledge of Structured Query Language, you can exploit pretty much any system with a correctly formed SELECT statement. Another very common database vulnerability is database passwords that get left unchanged. If you go through and accept the defaults on the entire installation of Microsoft SQL 2000, the SA password, which is the system administrator account, will be blank. So effectively you can gain root permissions on the remote


system by simply not supplying a password. Probably the single most critical thing, and I kind of hinted at this and touched on it throughout our conversation about database vulnerabilities, is that the application the database serves is probably going to be its downfall. Databases almost have to open themselves up to that application, and that application pretty much has across-the-board permissions to whatever it needs. Again, this is up to the database and application designer, but the application is where the vulnerabilities generally start. Now there are some existing vulnerabilities in the database software, but the application is where we should spend most of our time if you're looking for a vulnerability or a method for exploitation.
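The SQL injection and unchanged-default problems from this section, as an added Python example that is not from the course: a login query built by string concatenation beside the input-validated, parameterised version, plus an audit for blank passwords, all run against a constructed in-memory SQLite table (the user names and passwords are made up).

```python
import hmac
import re
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example. Passwords are kept in
    the clear only to keep the demonstration short; a real application stores
    salted hashes and verifies them in code, never in SQL. The blank 'sa'
    password mirrors the unchanged installation default the lecture describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple"), ("sa", "")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login the way the lecture describes it going wrong: the user's input is
    spliced into the SQL text, so the database parses whatever was typed."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username: str) -> bool:
    """First layer, data validation: an allow-list of what a username may
    contain. Quotes, spaces and comment markers never get past this."""
    return USERNAME_RE.fullmatch(username) is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Second layer: a parameterised query. The driver sends the value apart
    from the SQL text, so it can only ever be compared as data."""
    if not validate_username(username):
        return False
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison; with hashed storage this would verify the hash.
    return hmac.compare_digest(row[0].encode(), password.encode())


def accounts_with_blank_password(conn: sqlite3.Connection) -> List[str]:
    """Audit for the unchanged-default problem: accounts usable by simply not
    supplying a password."""
    rows = conn.execute(
        "SELECT username FROM users WHERE password = '' ORDER BY username"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_demo_db()
    for user, pw in (("alice", "correct horse"), ("alice' --", "anything"),
                     ("' OR '1'='1", "' OR '1'='1")):
        print(f"{user!r:16} vulnerable={vulnerable_login(db, user, pw)!s:5} "
              f"safe={safe_login(db, user, pw)}")
    print("accounts with blank password:", accounts_with_blank_password(db))
```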

5. TCP Stack Vulnerabilities

Although it's not the most common thing in the world, we are going to spend some time talking about TCP stack vulnerabilities, and the main reason I want to talk about this is that TCP is the basis for everything that we do; when traffic leaves your system, chances are it's using the TCP protocol. The reason that's important is that regardless of operating system, application, database or infrastructure, you can have various implementations of TCP. Every manufacturer has its own version of how it thinks TCP should work, so vulnerabilities will exist based on the implementation of TCP provided by the manufacturer. Without going into a ton of detail about all the different TCP flaws and vulnerabilities that exist, we are usually going to exploit these for a couple of reasons. First of all we have denial of service attacks and foot printing. In some scenarios, how the TCP implementation is handled can lead to exploits and major vulnerabilities that could provide access to the network or to the system housing that implementation of TCP. So, the moral of the story is that every implementation is different; therefore they are all going to have different vulnerabilities. Let's go over some common vulnerabilities and attacks, the first of which is sequence prediction. Basically this means that I can take over a session by predicting the TCP sequence numbers being utilized by the applications: user A is communicating with server A, and hacker B comes in, predicts the sequence of those packets, jumps in, kicks user A off and picks up where his communication with server A was going.

Window size overflow is a common example of buffer overflows, or more usually denial of service attacks, because we make the window size larger than the buffer that exists on the remote system. Generally, if implemented correctly, the data that was larger than the buffer will simply be lost, but in some scenarios the handling of that overflow is not correct and it can cause denial of service on particular systems. SYN attacks are basically a fact of life. They are one of those things that are a flaw in how TCP is handled, even in standardized implementations, basically meaning that we allocate X


amount of RAM to particular sessions to be established; we almost predict that it's going to take place, and in doing so we utilize resources even when there's not a full connection. Gateway redirection is another one of those things that is inherently built into TCP, and there is not much we can do about it. What that means is that we send out an ARP message to everybody saying, hey look, I'm the new gateway of the network, everybody talk to me, and then I forward the traffic on to the real gateway. Users never have any idea that their traffic is in fact being forwarded through a malicious host before it is sent to the gateway. Again, this is just a default vulnerability that exists in TCP and the way it's implemented. DNS poisoning is another big one; it is not necessarily specific to TCP, but it's often affected by how DNS is handling network requests. We can go in and actually poison the DNS records so that users can no longer access particular resources, or are redirected to a resource of our choice, which could be a compromised system. Malformed traffic attacks and high-volume traffic attacks are also worth mentioning; examples include the ping of death, Smurf and teardrop attacks. The Smurf attack is basically where we have a particular system on the network and we are going to ping a system, but we change our source address to be the broadcast address of the network, so that system will then reply with its pings to the broadcast address. In effect it will attack every system on the network for us without us doing anything but sending a simple ping request. So those are various examples of high-volume attacks that utilize flaws in how TCP is handled on various operating systems.

6. Application Vulnerability

We are going to take some time here to address application-specific vulnerabilities. One of the things I want to mention is that we've covered a lot of different vulnerabilities so far, some of which affect applications and some of which affect systems and services. What I want to address at this point is applications that are not common, and this can include both homegrown and enterprise applications, because coding practices are very similar across the board. I'm talking about applications that are written inside a particular enterprise by their development department, or even in some cases large-scale enterprise software that is written but may not be very popular. Remember that just because they are not popular and vulnerabilities are not published, vulnerabilities still exist in that software, and it's up to us to pull these vulnerabilities out. This is kind of the point where you draw the line between being a novice in this field and being a professional or an expert: when you can go into an application you've never seen before and find an exploit or a vulnerability.



Usually these exploits and holes are present as a result of poor coding and poor testing practices for vulnerabilities. There really aren't a lot of good options for programmers to test their code for security unless they already know how to do that, so there are not a lot of programs or methods in place out there to check for the various vulnerabilities that exist in code. It's one of those things where you throw it out there and if you find a vulnerability you do the best you can to close it, but if we are the first ones to find that vulnerability, then that's an avenue into the network. Every application will have a unique method, sometimes methods that have never even been discovered yet, so this is an example again where a highly skilled penetration tester or hacker comes into play, because up until this point we can pretty much utilize existing tools and methodologies to guess where we need to be, and this is kind of where the line changes from vulnerability assessment to hacking. Once we have identified these vulnerabilities, whether we choose to exploit them or not is where that fuzzy line is drawn between assessing the vulnerabilities and using them to gain access to a system. Common examples of application vulnerabilities are very similar to what we might see in other software packages as well, such as buffer overflows and very weak authentication mechanisms such as clear-text communication of usernames and passwords. Probably the most frequent vulnerability I see in homegrown and non-popular enterprise applications is poor data validation; in other words we can put anything we want into that field, even if it's to the detriment of the application or the back-end database hosting it. There are also applications that are written with errors or poor error-checking; in other words we can make them crash because they don't know how to handle a particular error that we caused. So as you can see, even undiscovered application vulnerabilities can be an avenue into the network.

7. Vulnerability Assessment

So now that we have got a pretty good handle on how vulnerabilities exist in our enterprise or small business networks, we are going to talk about assessing those vulnerabilities from a penetration tester's perspective. Basically, the methods you choose to enumerate vulnerabilities are going to depend on the experiences you've had in the past and what's been successful for you, as well as the target that you're trying to perform the vulnerability assessment against. In other words, you are not looking for database vulnerabilities on a Web server, and you're not looking for TCP stack overflows on a Web server, for example. So definitely keep in mind that a lot of skill, experience and even common sense come into play at this point. Most of your vulnerability assessment is going to be done using automated tools, and there aren't really a lot of great options out there for vulnerability assessment today. Nessus is probably the single most common vulnerability assessment tool because it's open source, meaning it's free, and it's a great product that really works well. Most of the other vulnerability assessment tools you are going to find out there are commercial tools that are actually built on the open-source Nessus, and there are lots of examples; you can probably do a web search for "vulnerability assessment tool" and find a couple of dozen of them. Bear in mind that most vulnerability assessment tools outside of Nessus, and very few commercial tools, are specific to the target. A great example of that is Nikto. Nikto is a great vulnerability assessment tool, but it only works for Web servers, and only under certain circumstances for Web servers; it's continuously being developed and maybe at some point will be an all-inclusive Web server vulnerability assessment tool, but today we have to rely on something such as Nessus or one of those commercial tools to perform our vulnerability assessment. There are also a lot of other resources that are not necessarily tools or vulnerability assessment programs, such as OVAL, which is basically a standardized assessment process. They are going to provide you with a database, called a common vulnerability database, that you can pump into either a home-grown tool or another tool, for example, and come up with a standardized methodology for performing vulnerability assessments. So they don't offer any tools, but they offer the foundation for a great vulnerability assessment methodology. FrSIRT, the French Security Incident Response Team, is actually a website that keeps track of vulnerabilities and vulnerability disclosures and also houses exploit code for those vulnerabilities. One thing to keep in mind is that just recently the French authorities apparently decided that hosting that code on the site was a bad idea, so they've pulled it off; it's not publicly available, but it is available through a subscription-based pay service.
So if you subscribe to the FrSIRT list, then you can actually go download exploit code, which, if you are doing vulnerability assessment and hacking for a living, is probably a good resource for you. There are also general public web postings of exploits. I mentioned a little bit earlier that I have a pretty good ritual of going out to these various sites and downloading new sections of code, and you should do the same thing; there are always new sites out there and new hacker groups coming up with new code, and you need to really stay on your toes and be out there looking for these things. We are going to go ahead and move into an example or demonstration of the Nessus vulnerability assessment tool. I've actually gone ahead and taken the liberty of setting up the Nessus server, because it is a client/server architecture, and logging into that system; that process is fairly lengthy, so I did that for us. Basically we can enable various plug-ins: we can check for Web server, Cisco, DDN, denial of service, FTP; all these different checks can be enabled, so I have got all of those enabled for me. Once we have got that enabled, we are going to go over to our scan options, where we can choose port ranges, we can add details such as Nmap SYN scans or the netstat scanner; we can go through an entire list of options that are available to us, choose those, and then move over to our target. I have already got our target typed in at this point, so we will simply click "start the scan". Again, because Nessus is so thorough and has, literally, in my example 9000 plug-ins, it can actually take quite a bit of time to perform the scans. So I am going to actually load up a report, as I've already gone through this process, and this is what our Nessus report is going to look like. I am going to select the subnet in which I wanted to scan and the target that I want to look at, and based on the severity of the rating we can see all these icons off to the side. There are actually quite a few vulnerabilities associated with this system, and we will look at the more severe ones just in this example. So apparently the Pixie environment that's running here is a major security hole, so an attacker can actually gain root privileges or a root shell on this particular host. SNMP has a security hole as well, where the community name of the SNMP host can be guessed, and we have actually seen that by enumerating lots of information from that system using that public community string. If we continue looking forward we can see there are some name server vulnerabilities apparently associated here, where arbitrary code can be executed on the remote host through WINS, the Windows Internet Name Service. We can continue forward and see MySQL running, MSDTC (the Distributed Transaction Coordinator we talked about earlier), and here's our MS SQL Server. SQL Server has a blank password for the SA account, which is the system administrator account; that is a result of poor configuration of the database during the installation process, and this is one of the things we discussed during database vulnerabilities. We can see here as well that there's a security hole for this particular service through SMB, so it looks like a denial of service attack can be performed against the SMB service here, and that's going to continue across the board: we've got a messenger service vulnerability and an RPC service vulnerability that looks like a denial of service attack.
We are using an older version of PHP which has a set of known exploits, so an attacker can gain remote access. We have a denial of service attack available for port 21, or FTP, and the Distributed Transaction Coordinator has a vulnerability for remote code execution, so they could actually completely control this particular system based on that. So, as you can see, on this particular system there are quite a few vulnerabilities, most of them the result of not patching the system or not configuring the system to be security minded and not allow requests from the network. So definitely keep in mind that Nessus is a great resource; it's a little bit complicated to set up, but we will go into a lot more detail on Nessus at a later time in a different title.



9. Penetration / Access / Compromise
9.1. Penetrating the System Part 1
9.2. Penetrating the System Part 2
9.3. Bypassing Access Control
9.4. Password Cracking Part 1
9.5. Password Cracking Part 2
9.6. Social Engineering

1. Penetrating the Systems Part 1

At this point in our methodology it's time to stop the information gathering process, as far as the step-by-step flow is concerned, and start actually breaking into systems, or at least attempting to do so. A couple of things I'd like to mention here: first of all, this is where you cross that line between vulnerability assessment and penetration testing. So keep in mind, if you are doing vulnerability assessment or simple security assessments of the network, this is where you would stop, write up your documentation in your report, hand it off, and your job would be done. But because that's not what we are here for, we are actually ready to get into some of the hands-on hacking that we've been talking about for so long, and that's exactly what we are going to cover starting here. Another thing I should mention is some of the legal ramifications of what penetration, access and compromise can offer. Obviously, these things are illegal; they are covered by dozens of various federal, state and county laws, as well as international laws. So be aware that the things you do with what you are going to learn from this point forward can definitely get you into a lot of trouble. So now that the disclaimers are out of the way, let's talk about what we are going to cover. Starting things off, we are going to go over the basics and the concepts of actually breaking into the system. In Part 1 we are going to go through penetrating the system and the different methods and techniques that can be used to do so. Then we are going to focus on some very specific things such as bypassing access controls. ACLs, or access control lists, are probably our biggest hindrance in gaining remote access to systems.
So we are going to talk about some methods of getting around that. Probably one of the most common and frequently used methods for bypassing access controls is password cracking, which is where we are going to find some way to break that password so that we can get it and use it to access a system. So obviously the access controls won't mean much if we have the password to gain access to them. Another interesting point that we are going to talk about is social engineering. Social engineering allows us as hackers to remove ourselves from the computer element and utilize the many flaws in the human personality to gain access to systems without ever opening the lid of our laptop. After we have covered all this we will actually move into Part 2 and talk about the steps that you might take after you gain access to the system. So, kicking things off, we are going to talk about penetrating the system and gaining access to it. Our ultimate goal here is to gain the highest level of permissions or rights to the system; what that means is we want to be able to do things to the system: read files from it, write files to it, utilize it for our own needs. There are so many different things that we might want to do, all of which depend on the level of permissions that we have on that system. So we are going to pay especially close attention to the various levels of permission that we might gain throughout each one of these steps in the penetration process. One of the things that I want to mention here, and this is what sets you or anyone else apart from the crowd in the penetration testing and white hat hacking world, is that you use undiscovered techniques and methods, meaning that during the course of the penetration process you create hacks and exploits and find vulnerabilities that no one else has found before. Again, it's extremely important that you think outside the box when performing penetration testing, and you'll hear me say that many more times throughout the next several videos. So basically what we are going to focus on here is that specifically targeted exploits executed in specific orders are going to enable us to penetrate those system defenses. We want to focus in very closely on what we are attacking, make sure that our skill set is appropriate, that our tools are set, and that we are very, very attentive to what we are doing.
The person that is paying extremely close attention to that packet trace is the one that's going to get the penetration, as opposed to someone who is just moving along slowly and not paying a lot of attention. So we are going to talk about some specific exploits that might enable possibilities for penetration. The first one we are going to talk about is the buffer overflow, and you have probably heard this terminology used quite a bit in any kind of reading and researching you might have done. We are going to visit buffer overflows a little bit later on in great detail, so for now we are going to just say that it's basically an error in the program. It is a hole in the flow, in the logic of the program, that allows us to do things and change things in that system that we shouldn't be able to change. Stack exploits are basically a mutation of a buffer overflow. If you can imagine a buffer as being a single container, when it fills up there is nowhere for anything to go. Stacks work very much in the same way, except they are a series of containers or a flow of logic, and any time you can break outside of that flow it allows you to do things that weren't meant to be done with that particular application. So these are definitely two things that are very commonly used to gain access to systems.



2. Penetrating the System Part 2

Web vulnerabilities are probably one of the biggest and most popular ways to gain access, especially if the system is sitting on the Internet where it's easily accessible, and because, as we mentioned before, Web servers and web applications are extremely difficult to configure; the many vulnerabilities in the many different applications, services and backend servers a Web server might be running give us a much higher likelihood of compromising it. There are literally thousands and thousands of web vulnerabilities that exist out there, and we are going to take a closer look at some of them a little bit later. Services and applications that allow unauthenticated access: this is a great example of some of the enterprise applications that are coming out nowadays. One of the things you'll notice if you look at the trend in applications over the last 10 years is that things have steadily gone from a client-only or a client/server architecture to what we call a three-tier or n-tier style application. Essentially, what that means is we have a browser that is the first tier; it communicates with a server, which is usually a Web server or some type of intranet-available server, that then communicates with a backend or a database of some sort. Because system owners and companies feel like their applications are on the inside of the network, they don't feel the need to lock them down or require authentication. So we can focus very heavily on these applications that are either grown internally, built by internal programmers, or bought from less than reputable software vendors. Aside from standard exploitation of software we can also focus on some alternate methods of penetration, and I just want to quickly review a few of these because of their level of importance. SQL injection is actually an exploit, but it's not an exploit that necessarily exists in a buffer or that can be exploited through an application.
SQL injection is our ability to change queries in the application before they're sent to the database. We are going to take a very close look at SQL injection a little bit later. Application error handling, or the lack thereof, can often cause applications to shut themselves down or die altogether, resulting in a denial of service attack. This is actually probably one of the more frequent vulnerabilities that I find in corporate arenas. Directory traversal is also a huge one; again, these home-grown web applications or incorrectly configured file system permissions allow me to browse directories I should never be able to browse. And finally, malformed packets: this is probably one of the more difficult methods of penetration because it requires very extensive knowledge of how TCP packets are assembled and disassembled, but once you get the hang of it, it is probably one of the more effective ways of penetration testing against some servers and even network devices such as printers, switches and routers.
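The two data-validation failures above (a query changed before it reaches the database, and a path that escapes the directory it was meant to serve), as an added example that is not code from the course: the vulnerable form sits beside the hardened one, against an in-memory SQLite table with constructed rows. The table, columns, account names and web root are assumptions.

```python
"""Added example (not from the course): poor data validation as the lecture
describes it. login_vulnerable() concatenates browser input into SQL, so the
query itself can be rewritten; login_hardened() binds parameters and
allow-lists the username. safe_path() shows the same idea for directory
traversal. All names and rows below are constructed for the demo."""
import os
import re
import sqlite3

USERNAME_OK = re.compile(r"^[A-Za-z0-9_.]{1,64}$")   # assumed naming convention


def make_db() -> sqlite3.Connection:
    """Constructed backend table for a three-tier intranet app. Passwords are
    stored in clear text on purpose: that is the weak authentication
    mechanism the lecture lists, kept here so the demo is self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("sam", "Bob", "user"),
        ("svc_backup", "neverchanged", "admin"),   # a service account
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Whatever the browser sends becomes part of the statement, so a
    username such as  x' OR 1=1 --  turns the rest of the WHERE clause into a
    comment and the query matches every row."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_hardened(conn, username: str, password: str):
    """Same check with bound parameters: input is data, never SQL. The
    allow-list rejects anything outside the naming convention up front."""
    if not USERNAME_OK.match(username):
        return []
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def safe_path(root: str, requested: str):
    """Return the file to serve, or None if the request escapes the web root.
    The check is lexical (normpath); a deployment that allows symlinks under
    the root must also compare os.path.realpath() results."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR 1=1 --"
    print("vulnerable, injected:", login_vulnerable(db, injected, "anything"))
    print("hardened,   injected:", login_hardened(db, injected, "anything"))
    print("hardened,   real user:", login_hardened(db, "sam", "Bob"))
    print(safe_path("/srv/www", "docs/index.html"), safe_path("/srv/www", "../../etc/passwd"))
```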



3. Bypassing Access Control

The next thing we are going to talk about is bypassing access controls. Again, this is where thinking outside the box comes into play. We have to find a way around this big wall of access control systems. Basically, access controls can be defined in many venues, including user and group membership associated with file-level permissions, application authentication, and directory systems such as Active Directory, NDS and LDAP. All these various things exist all over the network; just about everything that is touched on a corporate network requires some level of access and is therefore usually configured with some level of access control. Even switches, routers and firewalls all have built-in access controls that prevent anonymous or unauthorized people from gaining access to them. Our job is to find holes or vulnerabilities in how those are configured or how they're implemented. So, long story short, our goal is to circumvent those access controls in order to gain entry into a particular system, whether that be a PC, a server or a printer on the network. We are going to talk about some of the more popular access controls and how we might be able to circumvent them. First of all, the most popular of all access controls is the username and password combination. We are also going to talk a little bit about smart cards real quick. Smart cards are basically little scan cards, very much like a credit card; you scan those through a little scanner and they contain your username and password information, usually assisted with a PIN number or some third factor of authentication. Smart cards are extremely effective; there is one thing to keep in mind, and that's the physical security of your smart cards. Making sure they don't get stolen and that they're not scanned or compromised is very important.

Biometric access methods are definitely better than smart cards, and are even sometimes used in combination with smart cards. But one of the problems you are going to find with biometric authentication is that it's so expensive to implement; most companies with thousands and thousands of users simply don't have the money to implement such an expensive authentication method. In addition to that, it's extremely expensive to maintain over the long haul. So we are going to talk first about passwords, and because passwords are the most common, they are almost inherently going to be the most insecure, and they actually are. Username and password combinations are really tricky and misleading, because you would think it's two-factor authentication, when in fact it's not: passwords are very easy to circumvent, and usernames are practically public knowledge if you're familiar with the naming convention. So at this point we can pretty much guess a username, or we can gain access to that information relatively easily. Now the trick is to crack the password, and this can be done in numerous different ways, usually using a brute force or dictionary-based cracking attempt, and there are various programs out there to do that. All you have to do is get that password in one form or another; chances are you can crack it or, better yet, guess what it is. Social engineering is definitely a very common method for gaining information. A great example of this would be to call up a user at a particular organization claiming to be the help desk (even better if you have information about their real help desk) and ask them for their username and password because you need to log on to their system and check for viruses or spyware. Most people are not going to challenge you on that. As a matter of fact, in all the penetration testing and social engineering I've done I've only had one person ever challenge me over the phone, and that was a secretary. So you can definitely imagine it's rare that people will ever challenge IT or any sort of authority. Sniffers are another great way to bypass access controls by gaining passwords. A lot of protocols and applications such as HTTP and FTP communicate passwords over the wire in plaintext, so all we have to do is get on the wire somehow and start pulling these passwords off and utilizing them in any way we see fit. Session hijacking is very similar to sniffing passwords, except we don't even get the password; we don't need it, because we take over the entire session. Imagine for a second that person A and person B are really close friends and often exchange very private information. Person A walks up to person B and starts a private conversation, and you can walk up, push person A off to the side and assume their identity, and person B would never know the difference. That's a great example of session hijacking. Another thing to keep in mind is that a lot of companies and organizations use application user accounts or service user accounts, and these are especially vulnerable because they generally never change their passwords.
So that means the password is going to be the same indefinitely, which is great for us because it gives us an almost unlimited timeline to crack that password and gain access to that service account. In addition, very often application service accounts have a very elevated level of permissions across the entire network, even though they shouldn't. It's a lot easier to configure them that way from an administrative standpoint, so they often are. Incorrectly or loosely populated group membership is also an effective way of bypassing those controls. Often users are given significantly more privileges than they need, and all you need is just enough permission to start populating group memberships or changing those around, and you can have a pretty big effect in bypassing those access controls. In addition, incorrectly configured permissions play right along with incorrectly configured group membership, in that it's often easier to give everyone permission than to try to figure out exactly who needs it. So you are going to find that even more frequently the larger the company you deal with.



4. Password Cracking Part 1

As we mentioned previously, password cracking is one of the more common methods of circumventing access control lists, bypassing them by simply stealing the username and password information. As we mentioned, usernames and passwords are the most common access method, and they are that for a couple of reasons. First of all, they are easy to remember: when you get hired on at the company it's standard issue, you get a username and it's usually some variation of your own name, so it is in fact easy to remember. In addition, a password is usually assigned to you, which you are allowed to change to whatever you like, usually changing it to something that is familiar to you, again so that you can remember it. Because of these reasons they are the most insecure access method available today, simply because they are known information; even passwords, which are supposed to be highly protected, are often found on sticky notes on the monitors of the people that use them. Usernames are easily discovered through various avenues. First of all, the naming convention: a lot of companies use first name dot last name, or the first letter of your first name and your full last name; whatever the case may be, almost every company uses some variation of your personal name to make up your username, or sometimes you can even use your email address. A great example of this would be BrettCausey@company.com, where you can make a pretty decent guess that my username is Brett Causey inside the company as well. A pretty good percentage of the time, once we have access to the username, we have got to get the password. When I say get the password, I don't mean get it in plain text. Most of the time when you steal passwords they are going to be encrypted, hashed or hidden in some way, and it's our job to have the skill and knowledge to be able to break that method of concealing the password and reveal it for use, again to bypass those access control methods.
There are three primary ways to recover a password once you have stolen it. The first way, and probably one of the most common, is the brute force attack. Basically what this does is try every single combination of alphanumeric and special character sequences against a password hash. A great example of this is the NTLM hash: because the method for creating the hash is known, we basically take the number zero and hash it; if my hash matches your hash then I know I've got the right password. If zero doesn't work I try the number one, and I keep going up all the way to nine, then I jump to A and go all the way to Z, then I jump to * and go all the way through the special characters; and then I jump back to two digits, so now it's 00 and 01 and 02. We go through that entire process until we reach the length and eventually break the password. What this means is that every password, ever, under any circumstances, can and will be broken with a brute force attack; the difference between a high-security password and a low-security password is how long that brute force attack takes. A great example: for the password that I'm currently using, using a computer with dual processors, it would take someone 17 million years to crack my password, and I know that because I actually plugged it into a brute force calculator. For someone with a plaintext password such as Sam, it would take about five seconds. So you can see a pretty big difference between five seconds and several million years. A dictionary attack is significantly faster but often less effective than a brute force attack, and here's why: dictionary attacks rely on a word or phrase-based dictionary. What that means is I'm going to take that pre-known hash; your user account may be Sam, for example, and your password could be Bob. Well, if Bob is in my dictionary, I will crack your password; if Bob is not in my dictionary, or my list of words or phrases, then I will not crack your password. So essentially a dictionary attack is taking a list of known words and variations of words, and possibly phrases depending on how big you want to go, hashing all of those and comparing them against that password hash. A hybrid attack is a combination of different tools, often combining the effectiveness of brute force and dictionary attacks and often using other attack mechanisms.
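The three techniques and the "brute force calculator" arithmetic above, as an added example that is not code from the course: it shows why the keyspace (character set raised to the password length, summed over every length tried) decides the five-seconds-versus-millions-of-years difference, and it runs toy dictionary, brute force and hybrid checks against a stolen hash. SHA-256 stands in for the NTLM hash (an assumption; the compare-the-hashes logic is the same, NTLM just uses MD4), and the passwords, word lists and guess rate are constructed.

```python
"""Added example, not code from the course: keyspace arithmetic behind a brute
force calculator, plus dictionary / brute force / hybrid checks against a hash.
SHA-256 is an assumed stand-in for NTLM (same compare-hashes method; NTLM uses
MD4, which many Python builds no longer ship). All passwords, word lists and
the guesses-per-second rate are constructed for illustration."""
import hashlib
import itertools
import string

DIGITS = string.digits                  # 0-9
LETTERS = string.ascii_letters          # a-z, A-Z
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"   # constructed special-character set
PRINTABLE = DIGITS + LETTERS + SPECIAL  # character set for the demo below


def hash_pw(pw: str) -> str:
    """Hash a candidate the same way the stolen hash was produced."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len: every length is tried in turn
    (0..9, A..Z, specials, then 00, 01, 02, ...), as the lecture describes."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def worst_case_years(charset_size: int, max_len: int, guesses_per_sec: float) -> float:
    """Time to exhaust the keyspace; the real password falls somewhere in it."""
    return keyspace(charset_size, max_len) / guesses_per_sec / (365 * 24 * 3600)


def dictionary_attack(target_hash: str, words):
    """Only words in the list can match: fast, but misses anything else."""
    for word in words:
        if hash_pw(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, charset: str, max_len: int):
    """Shortest candidates first, every combination of charset, up to max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if hash_pw(candidate) == target_hash:
                return candidate
    return None


def hybrid_attack(target_hash: str, words, suffix_charset: str, max_suffix: int):
    """Dictionary word plus a short brute-forced suffix (Bob, Bob1, Bob42, ...)."""
    for word in words:
        for length in range(0, max_suffix + 1):
            for combo in itertools.product(suffix_charset, repeat=length):
                candidate = word + "".join(combo)
                if hash_pw(candidate) == target_hash:
                    return candidate
    return None


if __name__ == "__main__":
    # Assumed rate of 1e9 guesses/s: twelve characters drawn from 95 printable
    # ASCII symbols come out on the order of 17 million years, three letters
    # in a fraction of a second (constructed figures, not the lecturer's).
    print(f"12 chars / 95 symbols: {worst_case_years(95, 12, 1e9):.3g} years")
    print(f"3 letters / 52 symbols: {worst_case_years(52, 3, 1e9):.3g} years")
    stolen = hash_pw("Bob42")   # constructed victim password
    print("dictionary:", dictionary_attack(stolen, ["Sam", "Bob", "password"]))
    print("hybrid:    ", hybrid_attack(stolen, ["Sam", "Bob"], DIGITS, 2))
    print("brute force of 'Sam':", brute_force(hash_pw("Sam"), LETTERS, 3))
```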

5. Password Cracking Part 2

Often you can gain passwords or various critical information by sniffing usernames and information off the wire, and what that means is placing yourself in line between a user and the authenticating resource. A great example of this: in most enterprise networks users use the same username and password across several, often several dozen, different authentication mechanisms. One of those is bound to communicate in plain text, so if you steal that, you can now authenticate to anything that user could. So sniffing plain text passwords is definitely an effective measure, even in companies today. You can also gain encrypted hashes of those passwords through the sniffing process and pass those into the password cracking techniques we discussed earlier. Once we've gotten a hash, we are going to load it into the hash generator, or the brute forcer, or whatever you want to call it; we are going to load it into the password cracker and see if it can come up with anything. Sometimes passwords can take weeks, days, months, hours or even seconds, but you give it your best shot and hopefully break in. And as we mentioned before, these duplicate hashes are going to provide us with an indication that a match has been found; so, by generating them basically backwards, we are able to determine which one has got to be the password. Let's take a quick look at an example of password cracking that I would like to show you. One of the more popular tools used out there today is something called Cain and Abel, and I'm actually only going to use the Cain portion of the program. Effectively it's a sniffer which tracks information on the wire, and I actually had it running throughout the entire title so far. As you can see we've gained quite a few accounts: we've got passwords for FTP, three different ones as a matter of fact; we can see we've got anonymous, an e-mail address used as a password, and even a blank password here. SMB, or Server Message Block, authentication has been listed out for us and we get several instances of this; we can also see TDS, which is Microsoft SQL authentication, where we can see the username sa with a blank password; and we have even got an SNMP password, which is effectively going to be the community string of public. So if we want to gain information about one of these we simply right-click on it and send it all to the cracker, and if we move over here, we now have the systems added in. At this point I can look at this account, which is the administrator account on the XP attack WS system, and here are the various hashes. So we pulled the hash off the wire, and at this point we're ready to go ahead and make an attack on that; by simply right-clicking on it I can look at dictionary attacks, brute force attacks, or a cryptanalysis attack, which is one of those hybrid attacks we were talking about. But because I know what the password is, I am going to test it out, and it actually checks out; you can notice that by the keys that pop up. If we right-click on this and we want to perform a dictionary attack, then we need to add dictionary files, which are your word lists or whatever the case may be. So as you can see, the technology definitely exists out there to crack these passwords or pull them off the wire. This particular piece of software even allows me to explicitly add in hashes from text files or manually type those in, or pull them from the SAM file, for example. So there are lots of options available to me; I don't necessarily have to be on the wire to sniff those out.
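The clear-text exposures the sniffer picks up here and in the access-control section (FTP and HTTP credentials on the wire, blank passwords), from the defender's side, as an added example that is not code from the course or from Cain and Abel: a check that walks reassembled application payloads and flags credentials sent in the clear, so the same traffic a sniffer would harvest raises an alert instead. The record format (protocol, source, destination, payload) and every address and account in the sample are constructed assumptions.

```python
"""Added example (not from the course, not Cain and Abel): flag credentials
that cross the wire in clear text. Records are constructed; the
(proto, src, dst, payload) shape is an assumption, not a real capture format.
Findings record who and where, never the secret itself."""
import base64
import re

# Constructed reassembled TCP payloads, one record per message.
SAMPLE_CAPTURE = [
    ("tcp/21", "10.0.0.5", "10.0.0.20", "USER anonymous\r\n"),
    ("tcp/21", "10.0.0.5", "10.0.0.20", "PASS someone@example.invalid\r\n"),
    ("tcp/21", "10.0.0.7", "10.0.0.20", "USER backup\r\n"),
    ("tcp/21", "10.0.0.7", "10.0.0.20", "PASS \r\n"),            # blank password
    ("tcp/80", "10.0.0.9", "10.0.0.30",
     "GET /intranet/ HTTP/1.1\r\nHost: intranet\r\n"
     "Authorization: Basic " + base64.b64encode(b"sam:Bob").decode() + "\r\n\r\n"),
    ("tcp/80", "10.0.0.9", "10.0.0.30", "GET /public/ HTTP/1.1\r\nHost: www\r\n\r\n"),
]

FTP_USER = re.compile(r"^USER ([^\r\n]*)", re.M)
FTP_PASS = re.compile(r"^PASS ([^\r\n]*)", re.M)
HTTP_BASIC = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M)


def _finding(proto, src, dst, user, password):
    """One alert per exposed credential; the password is classified, not kept."""
    return {
        "proto": proto, "src": src, "dst": dst, "user": user,
        "weakness": "blank password" if password == "" else "cleartext password",
    }


def find_cleartext_credentials(records):
    """Scan payloads for FTP USER/PASS pairs and HTTP Basic authorization.
    FTP sends USER and PASS in separate messages, so the user is remembered
    per (src, dst) connection until its PASS arrives."""
    findings = []
    pending_user = {}
    for proto, src, dst, payload in records:
        if proto == "tcp/21":
            m = FTP_USER.search(payload)
            if m:
                pending_user[(src, dst)] = m.group(1)
            m = FTP_PASS.search(payload)
            if m:
                user = pending_user.pop((src, dst), "?")
                findings.append(_finding(proto, src, dst, user, m.group(1)))
        elif proto == "tcp/80":
            m = HTTP_BASIC.search(payload)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except ValueError:          # malformed base64 or not UTF-8
                continue
            user, _, password = decoded.partition(":")
            findings.append(_finding(proto, src, dst, user, password))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{f['proto']} {f['src']} -> {f['dst']}: user {f['user']!r}: {f['weakness']}")
```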

6. Social Engineering

Now we are going to talk about an area of hacking that has gained a lot of attention over the last several years. You might remember a hacker by the name of Kevin Mitnick, who was recently released from prison and has since started his own security consulting firm. Basically, what Kevin was extremely good at had nothing to do with his computer skills; as a matter of fact, he really wasn't all that great on a computer. What he was exceptionally good at was manipulating people. He was able to call various people and get them to do things for him that were outrageous, such as give him critical information about companies, give him usernames and passwords, and access codes to phones and PBX systems, all things that normally you would never do. He was using a technique called social engineering, which is simply defined as the art of manipulating people to get information or persuade them to do things, and you'd be very surprised how easy this is, especially in a larger organization.


Social engineering can take place in several different forms. We can do it in person, over the phone, via email, through chat, or in some cases even through web interfaces, but that's a little bit more rare. It's an extremely low-tech method of hacking the system, but what you'll find is that it's often the most effective method. I will also mention this: in most scenarios companies will hire you to do either technical penetration testing or social engineering tests; only on very rare occasions have I ever been employed to do both, or to use all possible venues at my will. As a matter of fact, I will tell you a brief story about a scenario where the CIO of a major financial organization brought me in to gain access to his systems, and basically his words were "use whatever methods are available that hackers would use, but don't bring my systems down". He requested that I call in via cell phone whenever I was complete with those tasks. So I walked in the front door, requested that the secretary let me see someone, and basically told her that I was late to a meeting and hadn't been able to get hold of that person; she sent me through, and I walked straight past the desk back to the server room. The server room was actually protected by a swipe card and a PIN number; well, I simply waited for someone to come back out of the server room, and when they did I walked in right behind them. Needless to say, I was able to find a console in the server room that had the domain admin account logged in to one of the domain controllers of the system. So within five minutes I was able to get full domain admin privileges to the entire company network. As you can probably imagine, that particular executive was not very happy. Most of the time we are going to utilize and reserve social engineering for user ID information, server address information, or any type of technical reconnaissance that we might need to do in order to elevate the likelihood of gaining access.
In addition to gaining information, we can also get people to perform actions such as let us in a door, allow us physical access even though we are unauthorized, or potentially coerce them into resetting a password or handing over a particular key code that we can use to gain access to something. So it's a very effective method. A couple of examples of this would be posing as an important person or user and using pressure to get information. There is definitely a technique here that I like, and that is going up to a person of relatively low rank in a company and telling them that the CEO or CFO has mandated that I must be able to do this immediately, and anyone that doesn't want to comply is going to have to deal with that person. As you can imagine, when someone comes to you and says that if you don't do this for them your senior executives are going to come down on you and you'll probably get fired, most people buckle under that pressure and do whatever you ask, so it's definitely an effective method. Posing as technical support or the help desk is another; a great example of this is something I've seen in the past. One of my colleagues used a technique where the support system was basically an email server that sent emails across the wire to the help desk and to other support personnel. So when user A sent in a request for help, or an issue was being had by that user, this person was able to intercept that support email and call the user posing as the help desk, and was even able to recite the help request identification number to assure the user that it was actually the help desk calling.


So there's not really an effective way to protect against this unless you have better authentication mechanisms in place, such as usernames and passwords associated with these various things, and even encrypted emails. Pretending to be authorized by a third party: a great example of this is coming in and letting them know that you're the plumber and that someone has called in requesting service. They are going to escort you to the bathroom and probably leave you unattended for a significant amount of time, allowing you to walk around the building freely and look at any information that you need. And finally we are going to cover two additional forms of social engineering that are a little bit less popular but are still effective. The first of these is dumpster diving, which basically means we go out of our way to dig through the trash of certain companies or users to try to find information that is sensitive, without having to hack anything. As you can imagine this is a pretty effective method as well, and most companies should have a proper disposal policy set up. Shoulder surfing, or watching over the shoulder of someone logging into a system or accessing confidential information, is another very effective method, especially in Internet cafés where there's not a lot of security. So you can see there are a lot of different options available to us for penetrating or gaining access to a system.



10. Penetration Testing Compromise Part 2
10.1. Session Hijacking Part 1
10.2. Session Hijacking Part 2
10.3. Privilege Escalation
10.4. Maintaining & Expanding Access
10.5. System Compromise

1. Session Hijacking Part 1

We are ready to move into part two of our penetration, access and compromise methodology components. At this point we are going to assume that we have compromised the system using the various methods that we talked about before, and we are ready to do different things with the privileges that we have gained. We are going to look to gain critical information, further expand our access, or whatever the case may be. With that in mind we are going to focus in on session hijacking, and even though session hijacking can often be used for the initial penetration phase, I'm actually focusing on it as part of maintaining and expanding access. The reason I'm doing that is the dynamics of session hijacking: you almost have to place yourself between the user and the resource in order to be effective in the session hijacking process. There are some exceptions, which we will talk more about later. We are also going to talk about privilege escalation, which means that we may not be satisfied with the level of privileges that we have gained, so we might want to elevate those privileges and try to do more things. In addition we are going to talk about maintaining and expanding access, which is a general overview of some different methods we can use to keep access to our system and potentially expand it. And finally we are going to talk about system compromise. The terms penetration and compromise are often used interchangeably, but simply hacking into a system is definitely not the same thing as compromising that system or taking it over. So we are going to focus a little bit there as well.
To start things off we are going to talk about session hijacking. This is also known as a man in the middle attack, and the idea is that we wait for the user to perform their regular routine of authenticating and accessing the resource, and we jump in and take over the session that the user has established with that resource, server, website or whatever the case may be. This basically involves intercepting, monitoring and recording those sessions for potential playback, or compromising the account or the session itself.


Often it can be used to intercept logon credentials: we place ourselves in the path, force the data to route through us, and capture that information as it passes across our network cards, ultimately resulting in password leaks or other information being confiscated. We can also use this to take over the session between the server and the client, and here is the cool thing about that: why bother with authentication when you can let the real client do it for you? So user A logs onto his workstation for a day's work and opens up his web browser to go to the mortgage access system. User A types in his username and password to access the mortgage system and it says the page cannot be displayed. In the user's mind there must be an error with the server, when in fact a hacker has taken over the session right after he authenticated. So now the secure mortgage access server thinks that the hacker has just authenticated using user A's credentials. User A retypes the URL, reauthenticates and goes about his business as usual, not knowing that he has created a different session and that the hacker still holds the original one. That doesn't necessarily mean that every time you get a "page cannot be displayed" error right after authentication you've been hacked, but that's one of the indications. Data can also be intercepted, modified and retransmitted, and that's actually the overall definition of how you perform a man in the middle or session takeover attack. So let's go through a quick demonstration of how this process takes place. Under normal circumstances a user or client sends authentication credentials such as the username and password across the wire, the server comes back with an okay, and the user then sends traffic back and forth between the two systems.
If we look at the man in the middle attack in the way that's actually going to work for us, it operates quite differently. Let's say the user has been compromised by the attacker, and the attacker has established an open session with the server. What happens is that the user, either sending over the wire or inadvertently redirecting his traffic to the attacker, submits his username and password. The attacker pulls it off the wire, reads it, saves it and then forwards the user on to the server. This is one example where the user would never know their information has been stolen, because they authenticated normally, saw no errors and continued to work. In another scenario the user sends her username and logon information across the wire, and because the attacker is paying very close attention to what's passing, he grabs it off the wire, pulls it back and saves it; then, once the session is established, the attacker jumps in, kicks the user out and redirects the session from the server back to the hacker. This allows us to effectively kick the user out of the session, and the server thinks that user A is actually on this machine and talking normally between the two systems. So I'd like to take a moment and show you an example of how this works.
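The takeover just described works because the server keeps honouring a session identifier that was issued before login and that it cannot tell apart from one presented by a different client. As an added example, not from the course, here is a small session store showing the three server-side controls that limit the damage: the identifier is regenerated at authentication, the session is bound to a keyed fingerprint of the client (the source address and User-Agent, an assumption about what the server can see), and idle sessions expire. The client addresses, the user name and the time values are constructed for the example.

```python
"""Session store that resists the takeover described above (added example).

Controls demonstrated:
  1. the session identifier is rotated when the user authenticates, so an
     identifier observed before login never becomes a logged-in one;
  2. each session is bound to a keyed fingerprint of the client (assumed to be
     the source IP and User-Agent), and use from a different client revokes it;
  3. sessions expire after a period of inactivity.
All names and sample clients are constructed.
"""
import hashlib
import hmac
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable for testing the timeout
        # Keyed HMAC so an observer cannot recompute a fingerprint offline.
        self._key = secrets.token_bytes(32)

    def _fingerprint(self, client_ip, user_agent):
        msg = f"{client_ip}|{user_agent}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def create(self, client_ip, user_agent):
        """Anonymous (pre-login) session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None,
                               "fp": self._fingerprint(client_ip, user_agent),
                               "last_seen": self._clock()}
        return sid

    def login(self, sid, client_ip, user_agent, username):
        """Authenticate and rotate the identifier (control 1)."""
        sess = self._validate(sid, client_ip, user_agent)
        if sess is None:
            return None
        del self._sessions[sid]                 # the old id must never work again
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "fp": sess["fp"],
                                   "last_seen": self._clock()}
        return new_sid

    def user_for(self, sid, client_ip, user_agent):
        """Return the logged-in user for this request, or None if not valid."""
        sess = self._validate(sid, client_ip, user_agent)
        return None if sess is None else sess["user"]

    def _validate(self, sid, client_ip, user_agent):
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > self._idle_timeout:   # control 3
            del self._sessions[sid]
            return None
        if not hmac.compare_digest(sess["fp"], self._fingerprint(client_ip, user_agent)):
            # Presented from a different client: treat as hijack, revoke (control 2).
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess


def demo():
    """Scenario from the text: a third party replays the user's identifier."""
    store = SessionStore(idle_timeout=900)
    user = ("10.0.0.5", "Mozilla/5.0 (constructed)")
    attacker = ("10.0.0.99", "Mozilla/5.0 (constructed)")   # same UA, other address
    pre_login = store.create(*user)
    post_login = store.login(pre_login, *user, "alice")
    return {
        "rotated": pre_login != post_login,
        "old_id_dead": store.user_for(pre_login, *user) is None,
        "user_ok": store.user_for(post_login, *user) == "alice",
        "replay_rejected": store.user_for(post_login, *attacker) is None,
        "revoked_after_replay": store.user_for(post_login, *user) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note the last result: once a replay is seen, the legitimate user is logged out too and has to authenticate again, which is the same "page cannot be displayed" symptom the text describes, only now the stolen identifier is dead as well. Binding to the source address is a trade-off; clients behind carrier NAT or on mobile networks change address, so many deployments bind only to the User-Agent and rely on rotation and short lifetimes instead.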


2. Session Hijacking Part 2

We actually have two systems, and this is one of the rare scenarios where we are going to see both sides of the fence. This is going to be our victim machine: we are going to open up an Internet Explorer browser window, and then we are going to move over to our attack base system. I have loaded up the GUI version of Cain & Abel and we already have the sniffer kicked off. I'm going to enable something called ARP poisoning, which is basically the act of tricking systems into talking to you instead of who they would normally talk to. So I am going to enable that and add the various systems to the list. I am going to grab all traffic between .1 and .32 because .1 is the default gateway, and all traffic between .2 and .32 because .2 is the DNS server. So let's kick off the poisoning process, which is going to trick both of those systems into talking to me instead of each other. At this point not a lot of traffic is going on between the two systems, but now let's say I log in, and we are going to take it even a step further and say that I log in to a secure system. I am going to attempt to connect to the system and go through my regular process, and in just a moment you are going to notice that we connect to that system and go ahead and log on, because again we haven't seen anything out of the ordinary yet aside from a couple of error messages that we might see every day anyway. So I am going to log into the system with a bogus user and bogus password, and at this point we are going through the authentication process. We come back over here, and what you are going to notice is that I am running full and half routing between those systems and all communication is taking place here. So if I look over here I can actually see various pieces of information.
In this scenario we can see all of the specific connection information associated with that process, so there is quite a bit of detail here; again, we are gathering information by placing ourselves in the very middle of the communication process. We can see that the Google account session was set up in English, we can see the URLs it was set up for, and if we look down through the process we can even see the versions of the various software being used to communicate between these systems. We can even see the URL where the authentication took place. Now if we log on with a real account, it attempts to perform that check, the check fails, and we continue to get information back from that. So if we look at these text files, there is the email address and the password that was provided. We essentially performed a man in the middle attack and were able to compromise a username and a password. Now here's the interesting part: this was using HTTPS, or secure HTTP, and almost every system in the world relies on HTTPS for security.
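The poisoning in this demonstration is visible on the wire: one hardware address starts answering ARP for the gateway, the DNS server and the victim at once, and the MAC recorded for .1 and .2 changes. The following detector, an added example that is not part of the course, inspects a stream of ARP replies (constructed here; in practice taken from a packet capture or by polling a sensor's ARP cache) and reports those two symptoms, plus any deviation from static bindings supplied for critical hosts. All addresses are made up; .1, .2 and .32 mirror the roles in the demonstration.

```python
"""Detecting the ARP poisoning used in the demonstration above (added example).

Findings raised:
  * static-binding-violation: a pinned host (gateway, DNS) is claimed by an
    unexpected MAC;
  * ip-mac-flip: the MAC claimed for some IP changes over time;
  * mac-claims-multiple-ips: one MAC answers for more IPs than allowed.
All addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # address the reply claims to speak for
    sender_mac: str    # hardware address given for that IP


def analyze(replies, static_bindings=None, max_ips_per_mac=1):
    """Return a list of (kind, detail) findings in time order.

    static_bindings: {ip: expected_mac} for hosts whose MAC must never change.
    max_ips_per_mac: how many IPs one MAC may legitimately claim (raise this for
    hosts with virtual addresses, such as a router pair running VRRP).
    """
    static_bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    last_mac = {}                  # ip -> most recently claimed MAC
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    findings = []

    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()

        expected = static_bindings.get(r.sender_ip)
        if expected is not None and mac != expected:
            findings.append(("static-binding-violation",
                             f"{r.sender_ip} claimed by {mac}, expected {expected} (t={r.ts})"))

        prev = last_mac.get(r.sender_ip)
        if prev is not None and prev != mac:
            findings.append(("ip-mac-flip",
                             f"{r.sender_ip} moved from {prev} to {mac} (t={r.ts})"))
        last_mac[r.sender_ip] = mac

        # Report only when the set of IPs behind this MAC grows past the limit,
        # so a steady poisoning stream does not yield one finding per packet.
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(r.sender_ip)
        now = len(ips_by_mac[mac])
        if now > before and now > max_ips_per_mac:
            claimed = ", ".join(sorted(ips_by_mac[mac]))
            findings.append(("mac-claims-multiple-ips",
                             f"{mac} answers for {claimed} (t={r.ts})"))
    return findings


# Constructed traffic: normal replies, then one MAC starts answering for the
# gateway (.1), the DNS server (.2) and the victim (.32).
GATEWAY, DNS, VICTIM = "192.168.1.1", "192.168.1.2", "192.168.1.32"
GW_MAC, DNS_MAC, VICTIM_MAC = "00:11:22:aa:aa:01", "00:11:22:aa:aa:02", "00:11:22:aa:aa:32"
ATTACKER_MAC = "00:11:22:bb:bb:99"

SAMPLE_REPLIES = [
    ArpReply(0.0, GATEWAY, GW_MAC),
    ArpReply(0.1, DNS, DNS_MAC),
    ArpReply(0.2, VICTIM, VICTIM_MAC),
    ArpReply(5.0, GATEWAY, ATTACKER_MAC),   # poisoning begins
    ArpReply(5.1, DNS, ATTACKER_MAC),
    ArpReply(5.2, VICTIM, ATTACKER_MAC),
]


def demo():
    """Run the analysis with the gateway and DNS server pinned to their real MACs."""
    return analyze(SAMPLE_REPLIES, static_bindings={GATEWAY: GW_MAC, DNS: DNS_MAC})


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:26s} {detail}")
```

The static bindings are the part worth deploying first: pinning the gateway and DNS server MACs on a monitoring host (or with the equivalent switch feature, dynamic ARP inspection) catches the demonstration's first poisoned reply, whereas the flip and multiple-IP heuristics only fire once the attacker's address has been seen claiming more than one host.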



3. Privilege Escalation

Another option that is available to us once we gain access to a system is to attempt to elevate our privileges, the process of privilege escalation. What this addresses is the issue of hacking the system but only gaining access at a user or guest level, which really limits our ability to continue the hacking process and move forward in the methodology. Essentially we are going to need elevated privileges to move forward with the attack and do a full compromise of the system, and potentially even compromise other systems based on that privilege escalation. There are quite a few options available to us to elevate our privileges beyond those of a normal user. A lot of these rely on what are called local exploits, and a lot of these exploits work through buffer overflows, stack overflows or various other hacks. The key point here is that a lot of security administrators and systems administrators really play down the criticality of local system exploits, and the reason is that you actually have to be on the system to utilize them. So what you will find is that during the patch review or security review of a system, very often people will toss these local exploits and local vulnerabilities to the side and say we won't worry about those, we will patch the remote vulnerabilities, and although those are important as well, any user or any hacker that gains any level of permissions on that system can use those local privilege escalation exploits and vulnerabilities to leverage a higher level of permission on that system. So there are a lot of different options available to us, and there are a lot of common tools out there that can do that for us. Probably a good 50% of the vulnerabilities that are released publicly for the UNIX, Linux and BSD operating systems are actually local privilege escalation exploits.
So all it would take is very low-level, almost guest-level access to a system for us to escalate all the way up to root privileges and totally compromise that box. Another scenario is to try to trick a user, via social engineering, into using admin privileges for us or into giving us administrative privileges. A great example of that is calling into a security department and trying to forge authentication emails or faxes from department heads authorizing admin privileges to certain systems. In addition, based on user-level permissions, we may be able to install key loggers or sniff the wire to obtain administrative accounts and passwords. So as you can see there are a lot of options available. Another great example: if you have physical access to the box you can boot off a Linux-based password change disk or an actual password cracking disc. There are several dozen Linux operating systems out there that allow you to boot a Windows system to Linux and basically scrape the SAM file, the Security Accounts Manager file where the password hashes are housed, and crack those to reveal the passwords, or rehash and create a new password for the local administrator account. One thing to remember is that there's probably going to be a lot of work involved in this one, because it requires physical access to that machine. I've also seen scenarios where a user or hacker gains access to the system and loads what's called a virtual drive or RAM drive, which is essentially a disk that exists only in memory, and in the scenario I'm talking about this allowed the attacker to upload the SAM file to the RAM disk and install password cracking software such as John or L0phtCrack into that RAM disk. The great thing about this is that standard systems administrators would never know, because the software is installed in a place that is not viewable by any type of software management utility. Once the password is cracked that user has admin access to that system. So as you can see there are a lot of options available to us for privilege escalation, and it's probably one of the first steps we are going to take once we gain access to a system, assuming we don't get in with system or root privileges by default.

4. Maintaining and Expanding Access

Another one of our high priorities once we gain access to a system is to investigate the possibilities of keeping or maintaining our access and potentially expanding it beyond what we already have. Basically, once we have access, one of our goals is going to be to maintain it, so we want to try to prevent detection of the compromised system and present challenges to the administrators so that we don't lose access. There are a lot of options available to us; probably the single most common method of maintaining access is a rootkit, and the basic idea is that the rootkit hides all of your activities. So you root the box, which is where the term comes from, you change the task manager and the task viewer, you hide files through NTFS alternate data streams, and it basically becomes an alternate control method for that system. Even if someone is looking for signs of being hacked they won't notice, because the system has a rootkit installed. We can also use various other things such as exploits and credential caching to try to protect ourselves. In addition we can prevent or remove logs that might give away the actions we have taken: we might go in and clear all the log files that we are aware of and maybe even disable them by putting a write lock on them so that new information can't be written. Trojans are also a huge asset to us once we have compromised the system, because they continue to create backdoors or compromise other accounts that can log on to that system. So that is another method for us to maintain our access, in addition to potentially hiding that access.


Another method that is very commonly used is to create new accounts. Now I can tell you from experience that a lot of sysadmins keep very close tabs on what accounts exist and where, so creating new accounts might draw attention to yourself. One thing that I've used in the past that seems to be really effective is to elevate the privileges of accounts that already exist and that you may have compromised. A fantastic example of this is to find network maintenance software, the type of software that goes out and pings servers for availability or sends out packets for maintenance and things like that: the type of services that don't draw a lot of attention to themselves because everyone knows they access remote systems. If we can compromise the service account and boost its privileges up to domain administrator, we effectively have an invisible open hacking account. So we want to pay special attention to those service accounts and application accounts and try to use the existing ones to our advantage, because generally permission changes on accounts don't draw a lot of attention, and how many administrators do you know that regularly audit the members of the Domain Admins group? Obviously a good security company would, but most don't. In addition, to continue to expand and maintain our access we can change permissions on various files and shares. We might go in and create a folder such as system33, for example, even though that may be kind of obvious, and remove all permissions to it so that no one can delete it and no one can modify it, and if we start affecting the administrator's account and other user accounts we may be able to protect ourselves for quite some time.

Another great example is to undo security measures that have been taken to protect the box. For example, a lot of administrators will go into the registry and disable null sessions on Windows machines to keep that vulnerability from being exploited; the catch is, how many of them are going to go back and verify that the registry key is still set? That's a great opportunity for us to create a backdoor for ourselves by undoing that lockdown procedure, and then maybe locking down the one we used to come in with, so that now we have an alternate method of attack. Now it would actually be a lot smarter to go in and do something a lot less obvious, so that other hackers don't get into your system as well. We also want to expand access by using our newfound hosts to try to hack other hosts, and this is especially useful in a large-scale enterprise environment, because any given machine is probably being logged onto by, or logging on to, several dozen systems, whether workstations or other servers, because network communication is happening all the time. So we might upload our hacker tools through built-in utilities such as TFTP or the FTP client to the compromised host and then use those tools to sniff and crack passwords and use those resources to gain access to other systems. We might even be able to use some built-in commands to footprint the rest of the network, and especially if it's a high-level server such as a DNS server or domain controller, then we are definitely in great shape, because then we can do DNS zone transfers, we can dump the actual Active Directory database through LDAP, and so on and so forth. So, again, depending on the host you actually got hold of, you can really do a lot of damage and gain a lot of information, and obviously you can also gain other protected passwords to other systems, especially if cached credentials are enabled, which in most enterprise environments they will be. Any type of cached credentials or profiles are also a great source for finding user accounts. So there are a lot of options available to us for maintaining access. Continuing forward, we can also enumerate DHCP server information; that's definitely a useful one, because then we know all the systems on the network that have obtained IP addresses, whether reserved or automatically assigned by DHCP. We can also gain useful information by looking at the TCP/IP configuration, which might tell us where PXE servers, DNS servers or DHCP servers are. So we can gain a lot of useful information there, and often, from a single authorized but compromised host, we can pretty much dump the entire domain down to files and offload them. It only takes one vulnerability in one system on a company network and you can literally strip all of the sensitive, important information out of the network and then use it to launch additional attacks from that host.
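Two of the weaknesses this section relies on are that nobody re-checks who is in the Domain Admins group and nobody verifies that a registry lockdown is still in place. Both are cheap to audit if a baseline is kept. The script below is an added example, not from the course: it diffs a recorded baseline against a current snapshot of privileged group membership and selected registry values, and additionally flags any service account that holds privileged membership at all, since the text's "invisible" elevated service account is exactly what that check surfaces. Both snapshots are constructed dictionaries; in a real deployment they would be exported from the directory and the registry on a schedule. The `svc_` naming convention is an assumption, and the RestrictAnonymous value is used only as the null-session lockdown the text mentions, with the expected value being whatever the baseline captured.

```python
"""Auditing privileged group membership and lockdown settings for drift
(added example, not from the course; all data below is constructed)."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SERVICE_ACCOUNT_PREFIX = "svc_"   # naming convention assumed for this example

# Snapshot taken when the environment was known good.
BASELINE = {
    "groups": {
        "Domain Admins": {"alice", "bob"},
        "Administrators": {"alice", "bob", "localadmin"},
    },
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous": 1,
    },
}

# Snapshot taken now: a service account was elevated and the lockdown undone.
CURRENT = {
    "groups": {
        "Domain Admins": {"alice", "bob", "svc_netmon"},
        "Administrators": {"alice", "localadmin"},
    },
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous": 0,
    },
}


def audit(baseline, current, privileged=PRIVILEGED_GROUPS,
          svc_prefix=SERVICE_ACCOUNT_PREFIX):
    """Return a list of (severity, finding) tuples describing every difference."""
    findings = []

    # Membership drift in every group seen in either snapshot.
    for group in sorted(set(baseline["groups"]) | set(current["groups"])):
        before = baseline["groups"].get(group, set())
        now = current["groups"].get(group, set())
        sev = "high" if group in privileged else "medium"
        for member in sorted(now - before):
            findings.append((sev, f"{member} added to {group}"))
        for member in sorted(before - now):
            findings.append((sev, f"{member} removed from {group}"))
        # Service accounts should never sit in a privileged group, baseline or not.
        if group in privileged:
            for member in sorted(now):
                if member.startswith(svc_prefix):
                    findings.append(("high", f"service account {member} is a member of {group}"))

    # Registry lockdown values that no longer match what was recorded.
    for key in sorted(set(baseline["registry"]) | set(current["registry"])):
        before = baseline["registry"].get(key)
        now = current["registry"].get(key)
        if before != now:
            findings.append(("high", f"{key} changed from {before!r} to {now!r}"))

    return findings


def demo():
    return audit(BASELINE, CURRENT)


if __name__ == "__main__":
    for severity, finding in demo():
        print(f"[{severity}] {finding}")
```

Run on a schedule and alerted on, this turns the "permission changes on accounts don't draw a lot of attention" observation around: the elevation of `svc_netmon` and the reverted registry value both appear the first time the snapshot is taken after the change, regardless of whether the change was logged on the host.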

5. System Compromise

So we have finally reached the point of system compromise, and we are going to talk about the differences between successful penetration and compromise for just a few minutes. Achieving system compromise is enacting whatever intent you have for that system, or whatever purpose there was, versus simply gaining access or utilizing an exploit. When you successfully penetrate or hack a system, that simply means that you've gained some form of unauthorized access to that box; it doesn't mean that you have actually used the box for anything, and that's where system compromise comes into play. The definition of compromise can differ from one expert to the next, but for the most part we can look at it as having complete control of the system and using it for whatever your purposes are. So we are going to call it system compromise when the goal is met, whatever that server is intended to perform for us, whether it be access to a particular network or set of computers. A very common goal would be data access or theft, especially in today's environment, when a person's identity can sell for as much as $50 apiece on the Internet. Imagine you hear about 27 million identities being stolen in a single compromise; can you imagine the amount of money that individual is going to make, possibly in the billions of dollars, assuming they don't get caught? So data access and the theft of sensitive information is way up there on everybody's priority list when these black hats are actually attacking our systems.


Again, we are here to find these holes before they do. We might also be looking to perform a denial of service. I've seen scenarios, and actually performed forensics on some systems, where systems were attacked and formatted: the user again set up a RAM disk, or rebooted the machine to an auto-format image, and destroyed all the data on the system. That could be the attacker's goal, and if that's met we are going to consider it a fully compromised system. Another form of compromise, if you're just looking to maintain the system, is going to be rootkits or file replacements. We want to get in there and further utilize that system, maybe even for the long term. Some systems are hacked for years before admins find out about it, usually by accident, whereas some system compromises may last 30 seconds when sysadmins and security admins are paying close attention. So we might want to get on there quick, get a rootkit on there, protect our actions and grab more information. Another very common reason for hacking web servers and Internet DNS servers is to house pornography, hacked MP3s or pirated movies, things of that nature. There's a lot of that in peer-to-peer file sharing or rogue FTP systems: hackers will find a system with a lot of disk space, dump all of their pirated material up there and then allow their friends and various community members to download it, and once it's found out they move on to the next system with plenty of disk space. So that's definitely an option there for us. Also, in some scenarios we are looking for a system compromise that actually opens the door to further access to other systems. That may be the intent from the very beginning, and often it will be a combination: we will go in, we will root the box with a rootkit, we will replace some files and set it up to sniff passwords on the network, for example, or to brute force a web server from inside the network, which obviously would be much more efficient.
We might create other user accounts, or install programs such as backdoors to continue our access in the back end; all kinds of options are available there. We can even install Trojans and key loggers to try to break into other user accounts or potentially even steal credit card numbers as they pass across the system, if that's the type of system it is. So obviously, depending on our goal, we want to achieve system compromise as quickly as possible, because there are lots of different points during this overall penetration process where we could be detected, and a lot of times the compromised system may not be taken away; it may in fact be that the forensics acquisition team is monitoring your activities and you're that much closer to being caught. So we are definitely going to focus on doing whatever it is as quickly as possible, or hiding our actions very well.



11. Covering Tracks
11.1. Where Your Actions Are Recorded Part 1
11.2. Where Your Actions Are Recorded Part 2
11.3. Deleting Log Files and Other Evidence Part 1
11.4. Deleting Log Files and Other Evidence Part 2
11.5. Rootkits
11.6. Steganography
11.7. Evading IDS & Firewalls

1. Where Your Actions Are Recorded Part 1

We have gone in and we have a pretty good idea of how we are going to break into these systems. We know what we are going to do once we've broken into them: we are going to utilize those systems for whatever purpose we have intended. At this point we are concerning ourselves with how hackers or black hats are going to attempt to evade any existing defenses or erase their tracks. Ultimately they don't want to get caught, so we have to understand how these black hats are going to prevent themselves from getting caught. We are going to talk about a couple of different things here. First of all, where your actions are recorded; in other words, you should be aware of where the different processes and procedures you're going through might be logged or saved in some way. Once we have identified those, we are going to talk about deleting log files and other evidence or tracking-based information that could aid in getting us caught, and remember, we are thinking about this from a black hat point of view: if we do not want to get caught, how will we protect ourselves? Understanding that, we can better protect ourselves in the long run. We are also going to talk about rootkits, because they are probably the single most common defense mechanism that hackers use once they have compromised a system. This is probably going to be their final line of defense, and if we are able to circumvent that we are in good shape, so we have to understand how they work. We are also going to talk about steganography, which is a very little understood method of hiding files in the security community.
A lot of people don't understand how this works and therefore don't have a lot of protection against it. Finally, we are going to talk about attempting to evade intrusion detection systems and associated firewalls. These are going to be our real tricks here; these are the ones that give us the worst time trying to get around them and keep ourselves from getting caught, so we are going to make sure we have a good understanding of how that works.


2. Where Your Actions Are Recorded Part 2

We are going to talk about where we might be recorded as far as our actions are concerned, and the first thing that you need to understand is that everything we do has the potential to be logged or recorded somewhere. Everything: even if we so much as send a single ping request to the external interface of a DMZ web server, there is probably a log, either on the external firewall or on the host itself, of the request that was made. So our job is not necessarily to completely eliminate or avoid our actions being recorded, but if they are going to be recorded, we want them to be as inconspicuous as possible. If someone really looks hard enough they are going to be able to trace back everything that we've done. Now if we are really worried about this, there are a lot of options available to us to delete or doctor the items that are relevant to our intrusion without being detected. You can definitely imagine that as soon as we are detected one of two things is going to happen: either they are going to unplug the link and cut off all possibility of us having access to that system, probably directly followed by a forensics investigation, and they will probably be able to track your system down, especially if you don't have time to put your defenses in place; or they may decide to let you go on about your business but watch you the entire time. Neither of those options is good for us if we are trying to compromise a system and continue forward with our actions. We also have to be aware of log files for various applications; a great example of this is the IIS server log files. It's definitely an overlooked resource by security administrators, because a lot of the web-based attacks that you might see performed out in the field are logged, with predictable results, every time in those IIS and Apache log files.
We need to be aware of where those log files exist so that we can clear them under the right circumstances. File access time is another thing that we really need to watch for. This is something that forensics technicians are trained and trained for: being able to read a timeline based on file access times, and there are tools out there available to hackers that allow them to modify file access times. The Windows registry is a huge hive full of information about a system; if we change even some of the most minor things in a Windows operating system we could directly affect the registry. So being aware of what registry entries might be affected by what we are doing is definitely valuable. Some of the things we have talked about so far, such as log files, access times and registry entries, can all be prepared for in a lab environment, especially during the research and reconnaissance process. As long as you're taking notes about what systems you're finding and what exploits might be available, it's a perfect opportunity for you to set up a test lab that emulates your target's environment as closely as possible, and the great thing about that is you can set up the defenses, monitoring utilities and other defense mechanisms that might exist on that system and try to circumvent them, or at least be aware of how they are going to be affected.
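The point that web attacks land in IIS and Apache logs "with predictable results" is exactly what makes those logs worth reading on the defending side. As an added example, not from the course, the script below reads lines in the Apache combined log format (the sample lines are constructed), URL-decodes each request path twice so that double-encoded payloads are seen the way the server resolved them, and reports three things: directory traversal, SQL injection markers, and a burst of 404 responses from one address, which is the usual footprint of a scanner probing for files. The patterns and threshold are deliberately simple starting points rather than a complete ruleset, and the function names and log content are all assumptions for the example.

```python
"""Flagging attack traces in web server access logs (added example, not
from the course). Sample log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format; the referrer and User-Agent fields are optional here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (finding name, pattern applied to the decoded request path and query string)
SUSPICIOUS = [
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("sql-injection", re.compile(r"(?i)('\s*or\s*'|union\s+select|;\s*drop\s+table)")),
    ("script-injection", re.compile(r"(?i)<script")),
]

SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (constructed)"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /images/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 312 "-" "-"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /login.php?user=admin\'%20OR%20\'1\'=\'1 HTTP/1.1" 200 512 "-" "-"',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "-"',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (constructed)"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_log(lines, scan_threshold=4):
    """Return (finding, line_number, detail) tuples; line_number 0 means per-client."""
    findings = []
    not_found = Counter()   # 404 responses per client address

    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsable", n, line[:60]))
            continue
        # Decode twice: %252e -> %2e -> '.', the form double-encoded payloads take.
        decoded = unquote(unquote(rec["path"]))
        for name, pattern in SUSPICIOUS:
            if pattern.search(decoded):
                findings.append((name, n, f"{rec['ip']} {rec['method']} {decoded}"))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1

    for ip, count in sorted(not_found.items()):
        if count >= scan_threshold:
            findings.append(("probable-scan", 0, f"{ip} received {count} 404 responses"))
    return findings


def demo():
    return analyze_log(SAMPLE_LOG)


if __name__ == "__main__":
    for name, n, detail in demo():
        print(f"{name:16s} line {n}: {detail}")
```

The same logic applies to IIS W3C logs once the field order is adjusted; the decisive detail in either case is decoding the request the way the server did before matching, since a signature applied to the raw, encoded line misses the second traversal sample entirely. Shipping these logs off the host as they are written is what keeps the "clear the log files" step in the next section from working.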


Remember we are not just a super hacker sitting in a dark basement somewhere attacking on the fly. This is a planned and precise attack on a very large and usually well protected network. We also want to be aware of any hacker tools that we leave behind; remember that part of our compromise and maintaining access procedures was to potentially load hacker tools onto one of the systems we have hacked and use that system as a new attack base. It allows us to migrate our attack base throughout the network and reduces the potential of us getting caught, but we need to be aware of any residual tools or configurations that we might leave behind. Another interesting thing that might be overlooked by a lot of hackers or even security professionals is the performance statistics of operating systems. I am going to tell you a quick story about this. We were actually going through and looking at some of the degraded performance on some servers in a particular organization we were doing some consulting with, and one of the things that we noticed is that the servers' performance would degrade significantly but we would never see a spike in utilization of resources: the memory utilization didn't change, the processor utilization didn't change, disk I/O remained the same, but the server dropped to a crawl, usually toward the end of business each day. Well, what we ended up realizing is the system had been compromised, a rootkit had been installed, and someone had installed file sharing software on the system and uploaded tons of hacked video games and video files. So every afternoon at three or 3:30 PM when the kids were getting out of school, they would go home, connect to the Internet and start downloading these files, so around that same time each day we would see a major degradation in service on those systems.
So really we didn't see anything on the IDS records; the person had done a great job of covering his tracks except for the one thing that overloaded the server to a point where it called attention and therefore ultimately revealed that the system had been compromised. You should also be aware of the various types of intrusion detection systems. IDS can sit nearly anywhere on the network: you have got network-based intrusion detection systems, host-based and application-based intrusion detection systems. So be aware that there are a lot of options that these security administrators have to help identify these types of problems. Proxy servers are another very often overlooked point for actions to be recorded, especially if hackers download files from the Internet as part of their compromise process. So it's often a possibility for forensics investigators to go back and track your actions via the proxy servers, so make sure you are careful about how you send or receive data. If you are going to use a proxy server, set up a permanent tunnel through the proxy to a remote host that is also compromised. And of course we cannot have a discussion about recorded actions without talking about firewalls. So definitely keep in mind any kind of firewalls you are trying to evade or potentially compromise. Firewalls are usually very rich with logs, so we want to be aware of those and where their locations might reside.

3. Deleting log files and other evidence part 1
We are going to spend some time on understanding what the ramifications are and the skills required in order to delete log files and remove the various components of evidence from the network. Again, we are looking to find ways to protect ourselves from getting caught and to be able to maintain our presence. So first of all, right off the bat, we are going to make a statement: deleting evidence is extremely difficult and requires a very high level of knowledge of the system that you are trying to circumvent. The reason that this is the case is we don't have access to the registry of the system, we don't have access to the console, we don't know what's installed on that system, and we definitely don't know what type of physical hardware might be watching our actions as we speak. This is where it's extremely important to do very good reconnaissance, very good research, very good scanning, very good enumeration, all of these prerequisite steps that we led up to before we have actually got to system compromise. This is where the knowledge and information that you've gathered is going to come in handy, because you need to be aware of what software is installed on that system, you need to be aware of what other systems live on the network around it, and what the potential will be for those other systems, or even for that system itself, to log your actions. So we need to pay special attention. Now, it's very easy to cover the simple things such as log files for the security event log, web logs, firewall and IDS logs; we know about all of those, and chances are their locations, their level of logging and their capabilities are documented all over the Internet.
So it's important to become an expert in how the default logs work, but what you really need to be watching out for, and what separates a highly skilled hacker from someone just running tools, is that they take the time. It may take a week to hack the system, but when they do it's perfectly flawless with no issues: they fully root the box and no one has ever known that they were there and probably never will, and it's because they take the time to fingerprint and footprint everything out properly. So we need to be aware of those really strange things, such as a sysadmin who may, out of paranoia, be running WinDump and dumping to a log file or a remote file system, or potentially having Tripwire installed on the system, which is a host-based intrusion detection system. They could have things very simple like the Windows firewall turned on, which by the way has pretty good and verbose logging. In addition, custom applications or even high level enterprise applications generally contain logs, especially applications that communicate with databases. They usually log very heavily, as does the transaction log in the database. So any SQL injection attempts that we might have made could be logged extensively and be extractable by someone performing forensics on that particular penetration attempt.

4. Deleting log files and other evidence part 2
Now it is possible for us to locate and delete all of the log files, but one thing that you should note is that log file deletion is very simple. Usually it's a simple "rm logfilename", end of story, except for one thing: when I go through and I am analyzing an attack on a system, something that is going to get my attention more so than anything else is an empty log file. If you go through and delete all the security events in the security event log and I go look in the registry and find out that the security event log is enabled, then I'm going to be very suspicious that someone has cleared the event log. So, be aware that missing log files or empty log files can tell just as much about what's happened as log files that are populated with telling information. So a really good strategy would be to doctor the log files so that they look realistic. An example that I've used in the past was to compromise a system using standard credentials that I stole from a different system, stealing all the log files from that system and copying them across the board and doctoring them only to match the host identification information. So what you then see is an investigator going through who will see server A, server B and server C all show normal log files; they might look really closely at it and notice all the log files are identical, but it's definitely a lot better than having logs of my attempts as well as empty log files. But our ultimate goal in all of this is to delete traces of tools and of actions used to compromise that system. So it's important to get past the compromise logging and also understand the logging of tool installations and how those are handled. There have been a lot of scenarios before where I was able to tell a lot about a hacked system by simply looking at the binaries or the source files that were left on there by the hacker.
One of the things we want to make note of is to avoid replacing system files that are of high value to the operating system, things like ntoskrnl.exe or the various kernel files for the Linux operating system, and the reason for that is if nothing else is going to be logged on the system, it's going to be the system files. They are going to be tracked and monitored very heavily because they are core to the operation of the system. So we want to kind of dance around those, and we want to touch things that are not going to be noticed as much. One thing that I've seen done in the past is setting up scripts, so that if anyone logs on to the system or if the system is ever rebooted, it will immediately clear all the pertinent information. Definitely one point of interest here is the paging file. The paging file is sort of the holy grail for forensics investigators because it's going to hold all of the most critical information about what's been run and what is currently running on the system. So we want to prevent these forensics investigators from getting the information from that page file, especially if it's going to tell them information about what we've done, so definitely be aware. Registry keys and registry entries are also a very rich source of information. We want to keep track of any keys that we had to modify and reset those or remove them altogether later on down the road before we leave this system. We also want to attempt to disable antivirus where possible. Now this is kind of a tossup and is really a point of disagreement between penetration testers, because you can choose to use tools and custom compiled programs that don't get detected by antivirus, or you can disable antivirus and upload easier to use tools that allow you to operate faster; really this depends on you. One thing that you should note is that disabling antivirus can often give you away. Most large corporations in today's environment have centrally monitored antivirus consoles, and if one of the servers' antivirus applications stops responding or is disabled, chances are someone will be notified. And always, even though it may seem like common sense, be aware of what you're doing, pay very close attention to what you do and how it might affect other components of the system, because ultimately carelessness will be the number one way to lose a box.
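From the investigator's side, the two tells described above (a log that is empty although logging is enabled, and logs copied between servers with only the host name changed) can be checked mechanically. This is an added example, not the course's own code; the inventory layout, host names and log names are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed inventory of logs collected from three hosts.  "enabled" stands
# for the audit/registry setting the text says an investigator checks;
# "content" is the raw log body.  Host names and log names are assumptions.
INVENTORY = {
    "serverA": {
        "Security.evtx": {"enabled": True,
                          "content": b"SERVERA 4624 logon alice\nSERVERA 4634 logoff alice\n"},
        "u_ex240115.log": {"enabled": True,
                           "content": b"10:00:01 SERVERA GET /index.html 200\n"},
    },
    "serverB": {
        # enabled but empty: the classic sign of a cleared log
        "Security.evtx": {"enabled": True, "content": b""},
        "u_ex240115.log": {"enabled": True,
                           "content": b"10:00:05 SERVERB GET /app/login 200\n"},
    },
    "serverC": {
        # same events as serverA with only the host name doctored
        "Security.evtx": {"enabled": True,
                          "content": b"SERVERC 4624 logon alice\nSERVERC 4634 logoff alice\n"},
        # logging switched off here, so an empty file is expected, not suspicious
        "u_ex240115.log": {"enabled": False, "content": b""},
    },
}


def normalised_digest(host, content):
    """Hash the log body with every occurrence of the host name masked, so that
    a log copied from another machine and re-labelled still hashes the same."""
    masked = re.sub(re.escape(host).encode(), b"<HOST>", content, flags=re.IGNORECASE)
    return hashlib.sha256(masked).hexdigest()


def find_log_anomalies(inventory):
    """Return sorted findings of two kinds:
    ("empty_while_enabled", host, log) and
    ("identical_across_hosts", (host, host, ...), log)."""
    findings = []
    copies = defaultdict(list)          # (log name, digest) -> hosts sharing it
    for host, logs in inventory.items():
        for log_name, meta in logs.items():
            if meta["enabled"] and not meta["content"]:
                findings.append(("empty_while_enabled", host, log_name))
            if meta["content"]:
                copies[(log_name, normalised_digest(host, meta["content"]))].append(host)
    for (log_name, _digest), hosts in copies.items():
        if len(hosts) > 1:
            findings.append(("identical_across_hosts", tuple(sorted(hosts)), log_name))
    return sorted(findings, key=repr)


if __name__ == "__main__":
    for finding in find_log_anomalies(INVENTORY):
        print(*finding)
```

Identical logs can be legitimate on mirrored hosts, so the second finding is a lead to verify against the audit policy and file timestamps, not proof by itself.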

5. Rootkits
So continuing in our effort to evade defenses and potentially erase tracks, we are going to take some time to talk about one of the most common methods of hiding your tracks, and that's going to be with a rootkit. Now the overall idea of a rootkit is to maintain access as long as possible and prevent anyone from being able to see exactly what's going on on that particular system. Basically rootkits are going to be software packages that are essentially a set of tools used by an attacker after you have gained root level access to that system, and they are going to effectively conceal those activities on the host, permitting those attackers to maintain that access and continue to operate in a covert manner. Oftentimes rootkits will go in and replace system files with modified files that keep track of what things you're doing and allow you to specify what to hide and what not to. Basically these files are going to look and behave exactly like the original files, so that they may not be noticed by a system or security administrator. Oftentimes rootkits will also replace common utilities such as the task viewer, performance monitor, computer management, the services MSC console; all of those things could potentially be modified and replaced to hide activities. Basically we want to maintain normal looking functions and day to day operation type stuff, but we want to protect ourselves from being detected in the activities that we are performing. So, the example that we give here is a rooted netstat command that will list all connections except for the one you are using. The way most rootkits actually work is once they are installed on the system and the system is fully owned, then we are going to go through, and usually it depends on the naming convention that you use. For example, you might name a file that you plan on using to scrape the SAM file filename.exe or *_filename.exe, and the rootkit monitors for files on the file system with a prefix of *_ and when it detects that you have created that file, it immediately hides it from view, so that no one else can see it except for you. Another example of this is to do the same thing with processes, to hide them and their associated identification numbers, and to hide TCP connections. A lot of rootkits will actually have an alternate TCP stack altogether that maintains itself on a different IP address, so the attacker can connect to that IP address and actually never enter the logical network interface of your individual machine. Now, generally we only want to modify files that are necessary to prevent us from being detected, and the reason for this is that the more things that we change, the easier it's going to be for us to get caught. A lot of times, because rootkits are written on the fly or poorly debugged or tested, they cause a lot of problems on the systems that they are installed on. In other words, you want to affect as little as possible because that reduces the chance of you crashing the system due to poor coding or an exception error, something along those lines. Rootkits are generally extremely difficult to find; as a matter of fact there really are only a small handful of utilities that are effective at detecting them on a Windows box, and there are just a few more for detecting rootkits on Linux machines. I should note here that there are significantly more rootkits for Linux systems than there are for Windows systems, and personally I think this has a lot to do with the open source versus closed source methodology adopted by Linux versus Microsoft: because Microsoft doesn't release their source code, it's a lot harder to write a replacement NTOS kernel than it is to write a replacement for the kernel of a Linux box, whose source is public.
Usually we can manually detect these individual rootkits by running md5sum or shasum against the files we think might have been compromised. Now this is only going to be useful if we have a known-good MD5 to compare it to, like a clean NTOS kernel for example. There are programs out there that will monitor for hash level changes to file system components that are critical operating system files. One of the most common, which is both open source and commercial, is Tripwire. Tripwire is free for Linux operating systems but is on a pay by subscription basis for Windows operating systems. Once a rootkit is on the system it's practically impossible to get rid of. Most of the time it uses a technology called hooks that actually embeds itself into the various components of the operating system, and effectively the operating system is going to be a toaster when it's all said and done. So we want to rebuild that machine once a rootkit has been detected, after we have properly investigated it.
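The hash comparison just described only works against a baseline taken while the system was clean. As an added example (not the course's code and not Tripwire itself), here is a minimal baseline-and-verify routine in the same spirit; the directory and file contents are constructed in a temporary folder, and the rootkit swap is simulated by rewriting netstat with a same-sized trojaned copy.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its digest,
    size and permission bits.  Symlinks are skipped so a link cannot be used
    to point the checker at a clean copy elsewhere."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare_baseline(baseline, current):
    """Classify every path as modified, added or removed relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Take a baseline of a constructed 'bin' directory, then simulate a
    rootkit swapping netstat for a same-sized trojaned copy and dropping a
    hidden helper, and report what the verification catches."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d) / "bin"
        bin_dir.mkdir()
        (bin_dir / "netstat").write_bytes(b"#!/bin/sh\necho original netstat\n")
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        baseline = build_baseline(d)      # in practice: stored off-host, read-only

        # Same byte length as the original, so a size-only check would miss it.
        (bin_dir / "netstat").write_bytes(b"#!/bin/sh\necho trojaned netstat\n")
        (bin_dir / "_hidden").write_bytes(b"constructed rootkit helper\n")

        return compare_baseline(baseline, build_baseline(d))


if __name__ == "__main__":
    print(demo())
```

Because a hooked kernel can lie to any program running on the infected host, the baseline belongs off the machine and the comparison is most trustworthy when run from clean boot media.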

6. Steganography
Another very common method used by hackers to hide their individual actions, as well as the files that they might use, is a technique called steganography, which is basically hiding files inside of other files. This is also often referred to as hiding things in plain sight, because we are going to use steganography techniques to mask our individual files and our various actions. Oftentimes viruses, rootkits and various other malware can actually live inside of files that appear harmless. So, a standard picture file that someone emails to you might have a stego file attached inside of it that could be malicious. It is also very common to hide these files in media files such as JPEG picture files; MP3s are also a common target, as well as document files. Probably one of the more popular methods utilizing steganography technology is NTFS alternate data streams, or ADS, and the basic idea here is that we use the built-in fork technology of NTFS. What I mean when I say fork technology is the ability for a file to represent multiple scenarios, or our ability to fork that file out into multiple streams of data, ultimately allowing multiple files to exist where only one is shown. Steganography is extremely difficult to detect, and there are only a handful of tools out there that allow you to actually identify files that contain alternate data streams. There are some forensics utilities out there that assist in this, but for the most part you really need to expect alternate data streams in order to find them. It is highly unrealistic for you to scan an entire drive for ADS, and you will find lots of them anyway because many Windows files use that technology as well. So this is a very effective method for us to hide our tools and our files. We can utilize this to hide our individual hacker tools, and we can utilize this on just about any operating system using built-in technology.
So this is definitely a major asset to us regardless of the operating system that we are penetrating. So let's take a quick look at an example of steganography in action. We are actually going to focus on NTFS alternate data streams, even though there are lots of tools out there that will allow us to hide files inside files. So we are going to go ahead and focus on these three files: DNSenum.txt, which is the file we used earlier when we were dumping DNS databases so that we can enumerate information; a hacker tool called SMBRelay2 that allows us to steal credentials and hashes off the network as a man in the middle attack; and the doc.doc file, which is a company standard document written by employee number one. So this is actually a fairly innocent file; people expect to see these and it might already exist on the file system of the system that you're hacking. So we are going to open up a command prompt, and the first thing we are going to do, to kind of demonstrate how this is going to work, is to create MD5 sums of some of the files that we are using so that we can look at those when everything is said and done to see if we made any changes to them, and specifically I want to focus on the doc.doc file itself. So, we are going to generate the MD5 of the doc.doc file and we are going to put that over into a text file so that we can reference it later. So we will have this file open and we will minimize it for now. Now that we know exactly what the doc.doc file is, how big is it going to be? The file size is 171 bytes, for example, and we will transfer that information over to our notepad document as well. So now that we have the reference information, we are going to go ahead and hide the SMBRelay tool inside of the document. We will put an executable of malicious intent inside the document file. We are going to use the type command, which is actually built into the Windows operating system. So, at this point we have actually ported the SMBRelay tool executable into the document and named the stream SMB.exe. Now let's go back and do an MD5 sum of that document; as you can see the sum is exactly the same, so there is very little chance of being able to detect that an executable is hidden. In order to prove that the executable does in fact exist, we are going to use the start command to kick that executable off, and as you can see it executed as the following filename. The reason that this is so effective for us is that we can hide our files and our tools in plain sight and call them up at will, because we know exactly where they are. No one else will be able to detect that those exist. So, if we simply go in and remove SMBrelay2.exe from the file system, at this point no one can see where that file is. But we can continue to use that file because it lives inside of that document file, and this document file can actually be moved between NTFS file systems and it will retain the properties of that additional executable file.
We can even take this a step further: we will go ahead and MD5 sum it again and then we are going to put another one in there. We are actually going to hide our DNSenum.txt file, because that's malicious information that we want to utilize later; we will port that also into the doc.doc file as DNS.txt. So now that the information has been saved, we will do another sum on the file, and again as we can see the file hasn't changed. Now if we want to read that, we simply use the notepad application, or we can use DOS or any of the other reading utilities available to us, and we will call that file. And as you can see we were able to read that information. So we are going to exit out of that and we are going to delete our DNSenum.txt file, because now all of our hacking tools and everything that we have utilized so far is gone, yet it's still available to us: it's inside a document file and hidden very well from view.
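The MD5 stays the same because the hash covers only the main data stream; the hidden streams are still listed by `dir /R` on Windows. As an added example (not the course's code), here is a parser for that listing that flags streams other than the ones Windows attaches itself. The listing is constructed to mirror the walkthrough's doc.doc (171-byte main stream, SMB.exe and DNS.txt streams) and its sizes are assumptions.

```python
import re

# Constructed `dir /R` output for the folder in the walkthrough.  The main
# stream of doc.doc is still 171 bytes while two hidden streams hang off it.
# Zone.Identifier is the stream Windows itself adds to downloaded files.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\docs

01/15/2024  10:00 AM    <DIR>          .
01/15/2024  10:00 AM    <DIR>          ..
01/15/2024  10:00 AM               171 doc.doc
                                 45056 doc.doc:SMB.exe:$DATA
                                   512 doc.doc:DNS.txt:$DATA
01/15/2024  09:12 AM             20480 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
               2 File(s)          20651 bytes
"""

# Streams that are routinely present and are not, by themselves, suspicious.
BENIGN_STREAMS = {"Zone.Identifier"}

# "date  time AM/PM  size  name" for the visible file entry
FILE_RE = re.compile(r"^\S+\s+\S+\s+[AP]M\s+(\d[\d,]*)\s+(.+?)\s*$")
# indented "size  name:stream:$DATA" for each alternate stream
STREAM_RE = re.compile(r"^\s+(\d[\d,]*)\s+(.+?):([^:]+):\$DATA\s*$")


def _size(text):
    return int(text.replace(",", ""))


def parse_dir_r(text):
    """Return {file name: {"size": main stream size, "streams": {stream: size}}}."""
    files = {}
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if m:
            entry = files.setdefault(m.group(2), {"size": None, "streams": {}})
            entry["streams"][m.group(3)] = _size(m.group(1))
            continue
        m = FILE_RE.match(line)
        if m and "<DIR>" not in line:
            entry = files.setdefault(m.group(2), {"size": None, "streams": {}})
            entry["size"] = _size(m.group(1))
    return files


def suspicious_streams(files):
    """List (file, stream, size, larger_than_visible_file) for every stream
    that is not on the benign list.  A hidden stream bigger than the file it
    rides on is the 171-byte document carrying a 45 KB executable case."""
    out = []
    for fname, info in files.items():
        for sname, size in info["streams"].items():
            if sname in BENIGN_STREAMS:
                continue
            bigger = info["size"] is not None and size > info["size"]
            out.append((fname, sname, size, bigger))
    return sorted(out)


if __name__ == "__main__":
    for row in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(row)
```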

7. Evading IDS and Firewalls

Now that we have got a pretty comfortable idea of what it might take for us to hide our tracks and evade detection once we are on a system, I want to take some time to talk about a little bit more of an advanced topic, and that is the intended evasion of protection or security devices, namely firewalls and intrusion detection systems, or IDS, and intrusion prevention systems or intrusion protection systems, or IPS devices. Basically you have to have pretty advanced technology or pretty advanced skills in the art of packet handling before you can actually attempt to evade detection by these different logging devices. An example of this would include using the slow "paranoid" stealth timing of Nmap so that firewalls will not put two and two together: okay, I scanned port one, now I am going to scan port two. Well, if a firewall's port scan timeout expires between port one and port two, then it will never make the association of those two together as being part of a port scan. So, we can use those slow or randomizing scanning techniques to try to trick the intrusion detection system into thinking, oh that's just normal traffic, a packet here or a packet there, I'm not too worried about it. It's going to take significantly longer to perform a good scan, but it definitely makes detection more difficult, and you have heard me mention in the past, hey, it's the guys that take a week to hack a system that are the most successful, and that is very true in this scenario. A lot of times penetration testers will be hired to come into an organization and given an unreasonable deadline to go through and analyze the systems. So, they come in, they do a port scan, they find a port open, they test the port and they walk away from the system, and the intrusion detection system has probably picked them up a hundred different times, and that might put the management at ease. What they don't realize is hackers are out there and they're not looking to get caught. So, they are going to take whatever techniques are necessary to compromise that system, especially in a targeted attack, one in which an attacker is explicitly going after a particular company. So we are going to use techniques that are nonstandard, even unknown techniques.
We want to again think outside the box here and think of ways to get around those intrusion detection systems. Imagine in your mind how a company might set that up: there's probably a firewall and IDS or maybe even IPS at the perimeter of the network. Well, what other entry points might there be? An example of this would be war dialing, dialing a series of numbers to try to detect modems, to gain access to the network in an area that may not be protected by firewalls and intrusion detection systems. Another technique that is frequently used to evade firewalls and especially IDS systems is to use specially crafted or designed packet combinations in order to bypass those firewalls and IDS systems. Now, we want to take a moment to talk about how that works. One of the major flaws of a firewall and an intrusion detection system is that you have to know your network well enough to exclude everything but what is necessary; what that really means is you can't lock your firewall down unless you know what the legitimate traffic needs to be. So most of the time administrators and security professionals will open things up more than they really need to be. An example of this would be opening port 80 and allowing all traffic on port 80 to pass through into the DMZ and to the web server, and to a standard systems administrator that sounds like a great idea: I just open port 80, it is easy, I deny everything else. Well, one of the things they may not think about is directory traversal. The firewall is not going to protect you from attacks that work on port 80; a good security administrator might go a step further and put an application level filter between that firewall and the web server in the DMZ, so that it only allows access to the various directories on the system where customers would need access. So definitely think outside the box and remember not everyone is going to be a security expert. A lot of these systems are not designed for the purpose of security. They are put in, usually in the haste of things, to try to get a function to be on the network or on the Internet. So we can take advantage of that poor security planning and evade these systems that are not configured properly.
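The slow-scan point above is a window-size problem for the defender: a scan timeout that expires between two probes breaks the association, while a longer correlation window restores it. As an added example (not the course's code), the detector below runs a sliding window per source over constructed firewall deny lines; the log layout, addresses and the 5-minute probe spacing are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed deny-line layout (an assumption, not any real firewall's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+$"
)


def build_sample_log():
    """One source probes twelve ports five minutes apart (far outside a short
    scan timeout); another source only talks to two web ports repeatedly."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    lines = []
    slow_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    for i, port in enumerate(slow_ports):
        ts = (t0 + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} DENY src=203.0.113.5 dst=198.51.100.10 dport={port} proto=tcp")
    for i in range(20):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        port = 80 if i % 2 else 443
        lines.append(f"{ts} DENY src=198.51.100.77 dst=198.51.100.10 dport={port} proto=tcp")
    return lines


def parse_events(lines):
    """Return (timestamp, source, destination port) for every line that matches."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    return events


def detect_slow_scans(events, window_seconds, min_ports):
    """Sliding window per source: alert when one source touches at least
    min_ports distinct destination ports within window_seconds.
    Returns {src: largest distinct-port count seen in an alerting window}."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        in_window = Counter()       # port -> hits currently inside the window
        left = 0
        for ts, dport in evs:
            in_window[dport] += 1
            # expire events that have fallen out of the window
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    ev = parse_events(build_sample_log())
    print("60 s window:", detect_slow_scans(ev, 60, 5))      # sees nothing
    print("1 h window: ", detect_slow_scans(ev, 3600, 5))    # flags the slow scan
```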

12. Introduction to Hacking Technique Part 1
12.1. Encryption
12.2. Sniffers
12.3. Wireless Hacking
12.4. SQL Injection

1. Encryption
We are going to move into part two of our introduction to hacking techniques, and we are going to cover a couple of different things here. We are going to start off by talking about buffer overflows. We want to get a good understanding of buffer overflows so that ultimately we can exactly predict and understand how our tools are going to work for us when utilizing these techniques. We are also going to spend some time getting into a little more detail on rootkits, talk about why they exist and where you might find them and what's important to know about this type of technology. We are also going to spend some time talking about spoofing techniques, or ways in which spoofing can enable hackers to be more effective and make it challenging for IT security professionals. We are also going to focus on denial of service attacks; I'm sure you've heard about DoS or DDoS attacks. So we are going to spend some time talking about that and discovering how that works. We are also going to talk about web hacking, or more specifically hacking the technology associated with web hosting, such as the web server or the application or service that is actually hosting the web code itself. So moving on to the buffer overflows, it's definitely important to understand that buffer overflows exist in just about every program and operating system out there, and really the point there is it boils down to bad coding or poor validation of input or error checking, and the reason it exists almost across the board is because it's so very difficult to validate hundreds of thousands or millions of lines of code. So, oftentimes these might go completely unnoticed until someone gets around to attempting a buffer overflow against that system. Any given piece of software or operating system could in theory have hundreds of buffer overflows in it just waiting to be discovered.
The basic concept of the buffer overflow is when a programmer does not clearly define the boundaries on buffers or variables in a particular application or operating system, or they might simply make what's called the fencepost error. What that basically amounts to is: if you want to make a fence 100 m long and your sections of fence are 10 m long, how many fence posts do you need? Well, the correct answer is 11, although your immediate thought might have been that we only need 10, because 10×10 is 100, so that would effectively give us 100 m; but we need 11 fence posts to be on all sides of all 10 of those individual fence sections. So those are the types of mistakes that programmers commonly make that end up leading to buffer overflows or stack exploits. What we are going to do is utilize this ability of out of bounds data, or data that doesn't have a home, to insert our data or redirect the execution pointer to a program buffer that we can utilize for something else. An example of this would be we want to go in and perform a buffer overflow exploit on a particular service on a Windows machine. Well, if we want to set up a return shell for example, then we set the buffer overflow to go in, and in the buffer which we have effectively stolen we will build shellcode that returns a shell prompt from the system that we actually hacked, and we will do that by redirecting the pointer that actually walks through memory. So it is a little bit of a complicated process. But once you get the hang of it you can actually build these buffer overflows relatively easily. Ultimately our goal here is to insert malicious code or execute commands on the remote system utilizing these overflows and the lack of checking. The results of this can be a denial of service, where it causes the program to freeze or the machine to crash, or in the best case scenario it permits the exploit to lead to a compromise or to some code execution on that system. In order to actually build buffer overflows you need to be a pretty good programmer and have a good knowledge of stack and buffer vulnerabilities, as well as stacks and buffers in general, depending on the code that you're using. You also need to have the skills to be able to research and apply those vulnerabilities to a current attack, meaning it's not enough to know how to overflow a buffer; you have to know how to utilize that overflow to get a usable end result, meaning a vulnerability or an exploit or remote code execution.
There really are not a lot of things that we can do to protect ourselves from buffer overflows other than staying on our programmers about working with that security mindset, double checking their code and validating that those fencepost type errors are not present in your particular software. In addition, we want to have a penetration tester or an ethical hacker perform a vulnerability assessment on our applications and our operating systems before we roll them to production.

2. Sniffers
Probably one of the more common tools used by hackers once they are on the physical network are sniffers. Sniffers are used all over the place; a lot of systems administrators use these, they are very easy to get your hands on, and they are extremely effective for analyzing network traffic, which is definitely a key requirement of penetration testing. The idea here is that the host that houses the sniffer software picks up all traffic on that wire even if it isn't intended for the host where it is installed. It basically places the network card into something called promiscuous mode, which is listening for any traffic that crosses the wire. Sniffers have become significantly less effective over time because switches no longer forward unnecessary traffic to hosts attached to that device. Now there are more advanced sniffers and more advanced techniques for sniffing networks aside from a standard promiscuous-based sniffer. But the overall concept, regardless of the technology you are using, is to steal or eavesdrop on network traffic as it crosses through the wires. This could enable attackers to pick up plaintext data, which could be user credentials; I've also seen scenarios where a sniffer was able to pick up a URL sent between the web server and the SQL Server in the back end that holds the actual select statement in plain text, and usually directly following that we are going to see a communication back to the application with the results of that select statement. So, oftentimes you can pick up sensitive data by watching the wire as well. For all intents and purposes our sniffers are going to require a physical connection and physical location and proximity to the network you want to sniff, the only exception to that rule being that wireless sniffers do not have to be in close physical proximity to operate. Sniffers come in the form of software that can be installed on systems or even physical hardware devices that output to a system. The term promiscuous mode is used quite a bit to describe the process of sniffing because it is one of the requirements of gathering traffic intended for other hosts. The sniffing process is extremely useful because it will actually record that traffic and allow you to save it locally and potentially use cracking techniques to crack network-based encryption locally on your system. So you can literally go sniff traffic for an hour, take it offline, save it and go off-site to attempt to read through and analyze that captured traffic. There are several possible sniffers that you might be able to use; a lot of these actually have ports to both Windows and Linux. Ethereal is probably one of the most common and most functional open source sniffing tools out there. EtherApe is also a very commonly used sniffer that works extremely well on Linux, and the same goes for Ettercap. Now the Network Monitor utility is a Windows-only Microsoft product that usually ships with various support packs for Windows server and Windows client operating systems.
Now i will warn you network monitor is not a very effective sniffer tool although it does put the network interface into promiscuous mode, often times it will filter out traffic that it deems is not being valid to the sniffing session. So be very cautious about the reliability of the traffic you're seeing in the network monitor scenario. For Windows operating systems sniffers have to be complemented by special protocol drivers that enable promiscuous mode, where as in Linux you can simply use the IIS config utility to place your network card into promiscuous mode. The software that’s most commonly used to place Windows nix into promiscuous mode is called WINPCAP and is freely available for download all over the Internet.
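The plaintext-credential exposure described above is also the thing a defender audits a capture for. The following is an added example, not code from the course: it decodes a raw Ethernet/IPv4/TCP frame with struct and flags payloads that carry cleartext authentication. The frame, addresses, ports and credential are constructed for the example; the three regular expressions are assumptions about what "credentials on the wire" look like (HTTP Basic, FTP/POP3 USER/PASS, form fields).

```python
"""Plaintext-credential detector over captured frames (added example, not
from the course). Parses Ethernet/IPv4/TCP headers and flags payloads that
carry cleartext authentication, which is what a sniffer on a shared segment
or a defender auditing a capture would see."""
import re
import struct

def build_frame(payload: bytes, src="10.0.0.5", dst="10.0.0.80",
                sport=40000, dport=80) -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame around `payload` (sample data only)."""
    eth = b"\xaa\xbb\xcc\xdd\xee\x01" + b"\xaa\xbb\xcc\xdd\xee\x02" + b"\x08\x00"
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    # data offset 5 words, flags PSH|ACK, window 65535, checksum left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame: bytes) -> dict:
    """Return src/dst IP, ports and the TCP payload; raises on non-IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    if frame[23] != 6:                     # protocol field
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": frame[tcp_off + data_off:]}

# Assumed indicators of credentials travelling in the clear.
CLEARTEXT_PATTERNS = [
    re.compile(rb"^Authorization:\s*Basic\s+\S+", re.M | re.I),        # HTTP Basic
    re.compile(rb"^(USER|PASS)\s+\S+", re.M | re.I),                   # FTP / POP3
    re.compile(rb"(?:^|[&?])(?:user|username|pass|password)=", re.I),  # form posts
]

def find_cleartext_credentials(frame: bytes) -> list:
    """Return [(flow, matched_text)] for every credential indicator in the payload."""
    info = parse_frame(frame)
    flow = f'{info["src"]}:{info["sport"]} -> {info["dst"]}:{info["dport"]}'
    hits = []
    for pat in CLEARTEXT_PATTERNS:
        for m in pat.finditer(info["payload"]):
            hits.append((flow, m.group(0).decode("latin-1")))
    return hits

if __name__ == "__main__":
    sample = build_frame(b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                         b"Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n")
    for flow, match in find_cleartext_credentials(sample):
        print(flow, match)
```

Run against a real capture, the same loop would iterate over pcap records instead of the constructed frame; the parser and the indicators do not change. A hit is the signal that the protocol in question should be moved to TLS or SSH rather than a reason to trust the segment.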

3. Wireless Hacking

One thing that we really can't go too far without mentioning is the advent of wireless technology into our lives as penetration testers. Because wireless is a relatively new technology, wireless hacking is relatively new as well, and interestingly enough wireless hacking has kept up with wireless security technology pretty well from the get-go: within a very short time of the original wireless encryption protocols appearing there were already vulnerabilities and hack tools available for them, and that trend really hasn't changed all that much in the last several years. Wireless hacking is generally going to take advantage of weak encryption protocols and even vulnerabilities in the wireless standards themselves. It's very interesting that we can basically become a physical attachment to your network, effectively bypassing firewalls and other perimeter protection, by utilizing wireless networks. So one of the things that you are going to notice in the very near future is companies starting to treat their wireless networks just like they treat the Internet: there will be a DMZ with wireless access points, intrusion detection systems and firewalls, because companies are quickly starting to realize that a wireless access point is also a vulnerability or weakness in the armor of the organization. Wireless networks, because of their ease of setup and very cheap cost to implement, have become extremely common, but most people don't understand the security configuration, so they choose either not to set it up or they set it up poorly. There are a couple of different types of encryption and security available to us. The first of these, and the original security protocol for wireless, is WEP or Wired Equivalent Privacy; it was set up to use a hexadecimal key that is very cryptic and hard to remember, and it came in various ranges of encryption sizes. Not too long after, WPA or Wi-Fi Protected Access followed, and it uses various types of key generation so that it can be effective. WEP currently comes in 40, 64, or 128 bit keys on the public market. Those have been proposed to go up to 256 and even 512 bits, and there are even some rumors that 512 bit WEP is actually in use in some agencies.

One thing to keep in mind, though: no matter how good the encryption is, if you don't change the WEP key it will never be totally secure. All you do is sniff the traffic for a couple of hours, capture the WEP-encrypted frames and then crack the key through the short initialization vector, because the key doesn't change, and because it doesn't change you simply need to capture enough traffic to reassemble that key. So it is a very simple process and very easy to circumvent. For all intents and purposes WEP has been replaced with WPA or WPA version 2. One of the places you'll most commonly find WEP in use is home networks, which matters because, even though our target may be a corporation, a CEO with an unsecured wireless access point in his home can provide us very easy access to sensitive information. There is actually a term used to describe driving around looking for networks with a laptop with wireless sniffing and cracking enabled, and that term is war driving, which is a spinoff of the old war dialing days when you would dial into various modem banks to try to find vulnerabilities or access. War driving works very much the same way: we drive around the physical perimeter of a particular target to detect whether they have any wireless networks. There is lots of popular war driving software out there: NetStumbler is a very common one, AirSnort is a Linux derivative of Snort for sniffing wireless networks, AiroPeek is a very common one as well and is a Windows product, and Kismet is also wireless detection software. So there are a lot of options available to us, and the process basically works like this: once the wireless network is discovered, we sniff traffic for long enough to gather the WEP key itself. Once we have that, and let's assume the wireless access point is also using MAC filtering, then within a very short amount of time we will have collected all the MAC addresses of the wireless clients. We spoof one of those MAC addresses and that's it, we are in the network. We get a DHCP address, or if not we can assume it's probably one of the three private ranges and keep trying until we find it, but ultimately we are going to gain access. So definitely your best bet is to secure it like you would a DMZ. In addition to your standard hacking techniques, wireless is also susceptible to other attacks such as denial of service attacks or session reset attacks, which break sessions between clients and the wireless access point; data theft, sniffing traffic and information off an unsecured access point; physically stealing the device itself; and of course illegal access. So we are not really gaining a tremendous amount of security, or necessarily losing a tremendous amount, by enabling wireless, but one thing to keep in mind is that wireless is a broadcast technology: everything you send from your network card to that wireless access point is essentially broadcast and has the potential to be picked up by someone listening in. So be aware of that and make sure that you use proper data classification to protect sensitive information from being transmitted across wireless technology.
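Why a static WEP key with a short initialization vector "will never be totally secure", as an added example that is not part of the course material. It is a simplified WEP-style encryptor (RC4 keyed with IV || key, no integrity check value, constructed key and frames) showing two consequences of a 24-bit IV that never rotates with the key: the IV space is exhausted or repeated quickly (birthday bound), and any two frames that share an IV share a keystream, so XORing their ciphertexts cancels the keystream and leaks plaintext. The key, IV and frame contents are made up for the example.

```python
"""Keystream reuse under a static WEP key (added example, not from the course).
Simplified WEP: RC4 keyed with IV || key over the payload, IV sent in the
clear, no ICV. Constructed key and frames; the point is the IV size, not
any particular WEP cracking tool."""
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: KSA then PRGA, XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Toy WEP frame body: 3-byte IV in the clear, then RC4(IV || key)(plaintext)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + key, plaintext)

def xor_leak(frame_a: bytes, frame_b: bytes):
    """If two frames reuse an IV, return P_a XOR P_b (the keystream cancels); else None."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(x ^ y for x, y in zip(frame_a[3:3 + n], frame_b[3:3 + n]))

def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes):
    """Given P_a (e.g. a predictable protocol header), recover the matching prefix of P_b."""
    leak = xor_leak(frame_a, frame_b)
    if leak is None:
        return None
    return bytes(x ^ y for x, y in zip(leak, known_a))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Probability that at least one IV repeats after `frames` frames with random IVs."""
    n = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * n))

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"           # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                    # the same IV used twice
    p_a = b"ARP who-has 10.0.0.1 tell 10.0.0.5"
    p_b = b"POST /login user=alice pass=secret"
    a, b = wep_encrypt(key, iv, p_a), wep_encrypt(key, iv, p_b)
    print(recover_with_known_plaintext(a, b, p_a))
    print("P(IV reuse after 5000 frames) =", round(iv_collision_probability(5000), 3))
```

The birthday figure is the practical reason WEP's static key fails even before the RC4 key-scheduling weaknesses are considered: a busy access point cycles through enough frames for IV reuse in minutes, and a captured trace contains many such pairs. WPA2's per-session keys and larger nonces remove both problems, which is why the text's advice to treat WEP as replaced stands.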

4. SQL Injection

Another thing I would like to take a few moments to discuss is a technique called SQL injection. SQL injection is basically a technique that allows attackers to steal valuable database information, usually things like user account information, personal data or financial data, and it relies on poor data validation and poor statement checking. I want to clarify that for a minute. When you build an application you have to choose what type each field is going to be; for example, one field might be username and one field might be password, and those fields have data types: username is probably text and password is probably a password data type, because it will display * instead of the actual letters. If you don't restrict the data types, the number of characters and the kind of characters you can put into that individual form field, then I can type anything I want, and if that data is being interpreted somewhere then I can change how it will be interpreted. So we rely on that bad or poor data validation so that when the application goes to talk to the database, usually a Microsoft SQL database, we successfully retrieve information we shouldn't have been able to access, and what this ends up being for us is modifying the SQL statement itself. A lot of applications use SQL authentication, and really what SQL authentication boils down to is a SELECT statement where username is equal to what you typed in and password is equal to the resulting hash of that password. All we have to do is modify or append values to that SQL statement so that it retrieves data instead of checking against the validation, or whatever the case may be. Remember, SQL is not always intelligent enough, if it's not configured that way, to determine the difference between an authentication query and a data request query, so if we trick it into thinking that a request is the same as authentication, or a submit is the same as a request, SQL is just going to process the information that's given to it. We can usually use SQL injection to circumvent authentication altogether or to remove restrictions that are placed on standard application functions. For example, application A might have a restriction that you can only return one database record at a time; with a little bit of modification to the SQL statement we send to the database we might be able to retrieve the first 10 records or the first 5000 records, ultimately circumventing the application's intent. Usually SQL injection is restricted to Web servers or web applications with SQL ANSI 92 enabled databases like MS SQL, Oracle, MySQL and whatever databases might be popular at any given time. So it's not just going to affect web applications, but those are usually the easiest for an attacker to get to and therefore are utilized as an attack vector. If you can get access to other database applications, such as end-user database applications, you can most likely perform the same level of SQL injection that you could against the Web server.

The only real protection against SQL injection is to use proper data validation techniques and restrict the type and number of queries that can be sent to the SQL Server, so that you're not relying on the SQL Server to correctly interpret the intent of the application query. There are some levels of database configuration that can be useful, but for the most part we want to protect ourselves at the application layer. Although we can usually change some permissions around or set up some restrictions on the type of queries we are sending, we want to rely more on that front end, the second tier of the application structure.
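The authentication SELECT the text describes, written both ways, as an added example that is not code from the course. The vulnerable version assembles the statement by string concatenation, so whatever is typed into the username field becomes part of the SQL; the hardened version binds the values as parameters, which is the application-layer protection the text recommends. The table, users and password hashing scheme (SHA-256, in-memory SQLite) are constructed for the example and stand in for whatever the real application uses.

```python
"""SQL authentication query: injectable beside parameterized (added example,
not from the course). In-memory SQLite with constructed users; the hash
scheme is only here so the SELECT has a pw_hash column to compare."""
import hashlib
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    """The statement is built from raw input: the input IS part of the SQL text.
    Returns the usernames the query matched; one row means 'authenticated'."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username: str, password: str) -> list:
    """Same check with bound parameters: input is data and can never alter the
    statement, so the query always means 'this user with this hash'."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("normal login        :", login_vulnerable(db, "alice", "correct horse"))
    # A username that closes the quote and comments out the password check.
    crafted = "' OR 1=1 --"
    print("injected, vulnerable:", login_vulnerable(db, crafted, "anything"))
    print("injected, safe      :", login_safe(db, crafted, "anything"))
```

The injected run of the vulnerable function returns every user, which is both the authentication bypass and the "more than one record" restriction bypass the text mentions; the parameterized function returns nothing for the same input because the quote and comment characters are compared as literal bytes of a username. Restricting what the database account may do is worth doing too, but it is the binding that removes the interpretation problem.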



13. Introduction Hacking Techniques Part 2

13.1. Buffer Overflows
13.2. Root kits
13.3. Spoofing
13.4. Denial Of Service Attack
13.5. Web Hacking

1. Buffer Overflows

We are going to move into part two of our introduction to hacking techniques and cover a couple of different things here. We are going to start off by talking about buffer overflows: we want a good understanding of buffer overflows so that ultimately we can predict and understand exactly how our tools are going to work for us when utilizing these techniques. We are also going to spend some time getting into a little more detail on root kits, talking about why they exist, where you might find them and what's important to know about this type of technology. We are also going to talk about spoofing techniques, or ways in which spoofing can enable hackers to be more effective and make things challenging for IT security professionals. We are also going to focus on denial of service attacks; I'm sure you've heard about DoS or DDoS attacks, so we will spend some time talking about that and discovering how it works. Finally we are going to talk about web hacking, or more specifically hacking the technology associated with web hosting, such as the Web server, application or service that is actually hosting the web code itself.

Moving on to buffer overflows, it's definitely important to understand that buffer overflows exist in just about every program and operating system out there, and really the point is that it boils down to bad coding, poor validation of code or poor error checking, and the reason it exists almost across the board is that it is so very difficult to validate hundreds of thousands or millions of lines of code. So oftentimes these go completely unnoticed until someone gets around to attempting a buffer overflow against that system.

Any given piece of software or operating system could in theory have hundreds of buffer overflows in it just waiting to be discovered. The basic concept of the buffer overflow is that a programmer does not clearly define the boundaries on buffers or variables in a particular application or operating system, or simply makes what's called the fencepost error. What that amounts to is this: if you want to build a fence 100 m long and your sections of fence are 10 m long, how many fence posts do you need? The correct answer is 11. Your immediate thought might have been that we only need 10, because 10×10 is 100, which would effectively give us 100 m, but we need 11 fence posts to close both ends of all 10 of those individual fence sections. Those are the kinds of mistakes that programmers commonly make, and they end up leading to buffer overflows or stack exploits. What we are going to do is utilize this out-of-bounds data, data that doesn't have a home, to insert our data or redirect the execution pointer to a program buffer that we can utilize for something else. An example would be performing a buffer overflow exploit on a particular service on a Windows machine: if we want to set up a return shell, for example, then we craft the overflow so that the buffer we have effectively stolen holds shell code that returns a shell prompt from the system we hacked, and we do that by redirecting the pointer that steps through memory. So it is a little bit of a complicated process, but once you get the hang of it you can build these buffer overflows relatively easily. Ultimately our goal is to insert malicious code or execute commands on the remote system utilizing these overflows and the lack of checking. The result can be a denial of service, where the program freezes or the machine crashes, or in the best case the exploit leads to a compromise or to code execution on that system. In order to build buffer overflows you need to be a pretty good programmer and have a good knowledge of stack and buffer vulnerabilities, as well as stacks and buffers in general, depending on the code you're using. You also need the skills to research and apply those vulnerabilities to a current attack, meaning it's not enough to know how to overflow a buffer: you have to know how to utilize that overflow to get a usable end result, meaning a vulnerability, an exploit or remote code execution.
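The boundary and fencepost errors described above, modelled as an added example that is not from the course. A real overflow needs a language without bounds checks, so this is a simulation: a toy stack frame holds an 8-byte buffer immediately below a saved return address, an unchecked copy walks past the buffer into the return slot, and a checked copy refuses input that does not fit. The frame layout, sizes and return address are constructed for the illustration; only the relationship between the missing check and the overwritten pointer is the point.

```python
"""Stack-buffer bounds error, simulated (added example, not from the course).
ToyFrame is flat memory: an 8-byte buffer followed by a 4-byte saved return
address, the way a local char array sits below the return address on x86.
Nothing here executes anything; it shows what the missing check lets happen."""

class ToyFrame:
    BUF = 8                              # bytes of buffer before the saved return

    def __init__(self, ret_addr: int = 0x08040000):
        # constructed layout: [buffer 8 bytes][saved return 4 bytes, little-endian]
        self.mem = bytearray(self.BUF) + ret_addr.to_bytes(4, "little")

    def saved_return(self) -> int:
        return int.from_bytes(self.mem[self.BUF:self.BUF + 4], "little")

def copy_unchecked(frame: ToyFrame, data: bytes) -> None:
    """Like strcpy: copies until the input ends, never asks how big the buffer is.
    Bytes 8..11 of the input land on the saved return address. Input longer than
    the frame raises IndexError here; the real machine would simply fault."""
    for i, b in enumerate(data):
        frame.mem[i] = b

def copy_checked(frame: ToyFrame, data: bytes) -> bool:
    """Like a correct bounded copy: rejects input that does not fit. The comparison
    is the fencepost to get right: '>' allows exactly BUF bytes, '> BUF + 1' would
    let one byte through into the adjacent slot."""
    if len(data) > ToyFrame.BUF:
        return False
    frame.mem[:len(data)] = data
    return True

def fenceposts(length_m: int, section_m: int) -> int:
    """Posts for a straight fence: one more than the number of sections."""
    return length_m // section_m + 1

def demo(data: bytes) -> tuple:
    """Return (saved return after the unchecked copy, whether the checked copy accepted)."""
    f1, f2 = ToyFrame(), ToyFrame()
    copy_unchecked(f1, data)
    accepted = copy_checked(f2, data)
    return f1.saved_return(), accepted

if __name__ == "__main__":
    print("fence posts for 100 m of 10 m sections:", fenceposts(100, 10))
    print("8 bytes fits:", demo(b"A" * 8))
    oversized = b"A" * 8 + (0x41414141).to_bytes(4, "little")   # 12 bytes: 4 too many
    ret, ok = demo(oversized)
    print("12 bytes: saved return now", hex(ret), "; checked copy accepted:", ok)
```

The simulation is deliberately only about the write: the saved return address becoming attacker-supplied bytes is the whole mechanism, and every mitigation (bounded copies, stack canaries, non-executable stacks, compiler bounds checks) is a way of either preventing that write or noticing it before the function returns.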
There really are not a lot of things we can do to protect ourselves from buffer overflows other than staying on our programmers about working with a security mindset, double-checking their code and validating that those fencepost-type errors are not present in your particular software. In addition we want to have a penetration tester or an ethical hacker perform a vulnerability assessment on our applications and our operating systems before we roll them to production.

2. Root kits

Let's take a few moments and talk about root kits. I know we have mentioned root kits in passing and spent a little bit of time talking about them, but we are going to revisit them because they are probably one of the more common hacker technologies and techniques in use, so it's definitely a good subject to spend some time with. Basically the definition of a root kit is a malicious program that replaces components of the operating system to allow the attacker to maintain and hide illicit access on that system. So effectively we go in and modify or tweak the operating system so that it hides the actions of what we do, or steals passwords and user information, or whatever the case may be; root kits basically serve to do a stealth job in relation to hacking.


Usually root kits require some level of permissions on the system, depending on the root kit, and ultimately root level access is required to install one, but oftentimes you will find that root kits are bundled with an exploit or hack of some sort that gets you that access as long as you can execute on the remote system. Linux is actually one of the more heavily targeted operating systems for root kits in today's environment, and although Windows root kits are few and far between, their numbers are growing every day. Windows is definitely a hot target because it's on probably 90% of the desktops in the world. The reason Linux probably has so many root kits is that it's open source software: if I want to redesign a kernel file I simply read the source code, find out what I want to change, make that change and compile the file. In a Windows environment it's a little more difficult because it is a closed source operating system, and unless you have very good skills and tools available for decompiling and reverse engineering kernels you are going to have a real challenge trying to figure out how to rebuild the code in a Windows operating system. One of the big downsides of root kits for security professionals is that there are very few detection methods available. As a matter of fact systems are rooted almost every day and retrofitted with root kits, and no one will ever know until the system is rebuilt, and even then there probably won't be any clues: we just rebuild the system, the root kit is gone, and we never even know that it was there. There are a couple of basic detection methods, such as keeping the MD5 sums of system files, and one of the problems you run into there is that if a file is updated legitimately between the time you take the MD5 and the time you check it, the MD5 is going to change.

So you have to be very diligent in maintaining your database of MD5 sums, and it really just gets logistically challenging to keep up with all of that, make sure it's up to date and go through that process. So generally companies just choose not to do host level sums or validation against root kits. Once you have established that you have a root kit, or once someone can install a root kit on the system, it's all but impossible to actually remove, because it embeds itself so deeply into the system that removing it would probably destroy the system altogether. The general consensus on recovering from a root kit is to rebuild the box from scratch, basically a bare-bones rebuild from a base image or maybe from a backup somewhere; we definitely don't have a lot of ways to clean a system of these root kits. The major disadvantage here is that any time an investigation or prosecution might be possible, rebuilding the machine destroys the evidence we might use to track the hacker. So there are definitely benefits and drawbacks in how you react to and handle root kit scenarios.
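The host-level checksum validation the text describes, as an added example that is not code from the course: hash a set of monitored files into a baseline, keep the baseline off the host, and later re-hash and report what changed. The text talks about MD5 sums; the digest algorithm is a parameter here and defaults to SHA-256. The "system files" are created in a temporary directory so the example runs stand-alone, and the tampering step stands in for a root kit replacing a binary.

```python
"""File-integrity baseline and verification (added example, not from the
course). Files, paths and contents are constructed; in practice the list
would be the system binaries and kernel modules a root kit replaces, and
the stored baseline would live on read-only or off-host storage."""
import hashlib
import json
import os
import tempfile

def digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algo: str = "sha256") -> dict:
    """Map each monitored path to its digest; this is the record you store offline."""
    return {p: digest(p, algo) for p in paths}

def verify(baseline: dict, algo: str = "sha256") -> dict:
    """Compare the live files to the baseline: {path: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        else:
            report[path] = "ok" if digest(path, algo) == expected else "modified"
    return report

def demo() -> dict:
    """Baseline two constructed 'binaries', replace one, verify. Returns {name: status}."""
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for path, content in ((ls, b"original ls binary"), (ps, b"original ps binary")):
        with open(path, "wb") as f:
            f.write(content)
    baseline = build_baseline([ls, ps])
    stored = json.dumps(baseline)          # stands in for the off-host copy
    with open(ps, "wb") as f:              # a root kit swapping ps for a trojaned copy
        f.write(b"trojaned ps binary that hides processes")
    report = verify(json.loads(stored))
    return {os.path.basename(p): status for p, status in report.items()}

if __name__ == "__main__":
    print(demo())
```

The logistical problem the text raises shows up as soon as a legitimate patch lands: a package update changes the digest exactly as the trojaned copy does, so the baseline has to be regenerated from the vendor's files after every patch cycle, not refreshed from the running host. The other limitation is that a kernel-level root kit can lie to the hashing process itself, which is why the check is most trustworthy when run from boot media against the unmounted disk.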



3. Spoofing

The term spoofing is basically defined as making yourself appear as something that you're not, and we utilize that concept and technology by hiding the identity of traffic or assuming the identity of something else. There are a lot of different applications for spoofing techniques and technologies in the hacking and security world. A couple of examples of things you might spoof, starting out, would be the IP address. The reason this is relevant is that naturally, if you hack something, the security administrator or forensic investigator is going to try to backtrack it, and if they are able to obtain your IP address from an IDS or host logs then they could essentially track you down. If you spoof the IP address to be somewhere else, say FBI.gov for example, most companies are going to know immediately when they resolve the DNS name that it was a spoofed IP, and that's really a dead end for them; so that's one example. MAC addresses are also an example of spoofing, especially when hacking wireless networks, because one of the authentication mechanisms to an access point is an authenticated MAC address; if I take on someone else's MAC address then the access point doesn't know me from the person that was actually authenticated. In addition, emails are very simple to spoof, because most email servers, or Web servers that send email, don't validate the source email address. They do validate the target email address when determining the route to send it, but as far as origination validation in the email world it's extremely rare that that process is actually used. So you can send an email to anyone "from" someone else by simply typing in someone else's email address or modifying the headers of the email before it's actually sent out.

But the ultimate goal, regardless of the technology we are utilizing, is to prevent the attacker from easily being traced by assuming someone's or something's identity and/or changing our own. Usually spoofing relies on vulnerabilities or flaws in the implementation of TCP/IP itself, or on poor validation and authentication mechanisms in applications or operating systems. So basically the ability to spoof boils down to poor implementations of technology; for example, if we implemented source verification for every email ever sent, then we would not have the ability to spoof email and that technique would not be available to us as hackers. So we really have a lot of programmers out there to thank for the ability to use spoofing techniques. There are some mechanisms that are put in place to prevent spoofing. An example of this is the common configuration of blocking traffic with internal source addresses from entering the firewall through the external interface. The reason this is a commonly adhered-to practice is that back in the early and mid-90s firewalls would basically stop everything except internal traffic, internal traffic was free to roam indefinitely, and the mechanism used to identify internal traffic was the IP range. So in theory an attacker could assume an IP address that matched the internal address space and pass straight through the firewall. We can put mechanisms in place to block that and help protect ourselves from spoofing, but until coding standards change it's always going to be a factor we have to deal with. Now the technology you use to actually perform spoofing will differ greatly from one platform or architecture to the next. If we are spoofing an application client, for example, then we are going to have to program a client or trick one client into talking to that particular server. Other examples include using MAC address modifiers or IP spoofing utilities, so there really is not a clean set of tools; you really just have to take it scenario by scenario and think of spoofing as a technique rather than a tool.
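The anti-spoofing firewall configuration the text describes, as an added example that is not code from the course: a packet arriving on the external interface with a source address from the internal ranges is dropped, because no legitimate inbound packet can originate inside. The example also applies the mirror rule on the internal interface (egress filtering), so the site cannot be used to source spoofed traffic toward others, and drops sources that should never appear on any interface. The interface names, the choice of the three RFC 1918 ranges as "internal", and the sample packets are constructed for the example.

```python
"""Ingress/egress anti-spoofing filter (added example, not from the course).
Constructed interface names and internal ranges; a real firewall expresses
the same two rules in its own syntax."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Sources that are never valid on a routed interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "224.0.0.0/4")]

def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)

def filter_packet(iface: str, src: str) -> tuple:
    """Decide ('drop'|'accept', reason) for a packet with source `src` seen
    arriving on `iface`, which is 'external' or 'internal'."""
    s = ipaddress.ip_address(src)
    if any(s in net for net in BOGON_SOURCES):
        return "drop", "bogon source address"
    if iface == "external" and is_internal(s):
        return "drop", "internal source arriving on external interface (spoofed)"
    if iface == "internal" and not is_internal(s):
        return "drop", "non-internal source leaving via internal interface (spoofed)"
    return "accept", "source consistent with interface"

# Constructed traffic: (interface the packet arrived on, source address)
SAMPLE_PACKETS = [
    ("external", "192.168.1.5"),    # claims to be inside, came from outside
    ("external", "203.0.113.7"),    # ordinary inbound packet
    ("internal", "10.2.3.4"),       # ordinary outbound packet
    ("internal", "203.0.113.9"),    # inside host sending with a forged outside source
    ("external", "127.0.0.1"),      # loopback can never be a wire source
]

def apply_ruleset(packets) -> list:
    """Run every packet through the filter; returns the list of (decision, reason)."""
    return [filter_packet(iface, src) for iface, src in packets]

if __name__ == "__main__":
    for (iface, src), (decision, reason) in zip(SAMPLE_PACKETS, apply_ruleset(SAMPLE_PACKETS)):
        print(f"{iface:8s} {src:15s} {decision:6s} {reason}")
```

The filter only addresses layer-3 source spoofing, which is the case the text singles out; MAC and email spoofing need their own checks at their own layers (port security or 802.1X for MAC addresses, sender verification for mail), and the rule set above has nothing to say about them.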

4. Denial of Service Attack

Denial of service attacks are becoming more and more common in today's environment. 15 years ago hacking was about skill and stealth and all of the things you imagine when you think of an actual hacker. In today's world we don't see that so much; there are very few true black hats out there who are in it for profit or skill development. Most of what you find out there as far as malicious users are concerned are people who are interested in making a name for themselves in their small community of hackers or gamers or whatever the case may be. In addition, denial of service attacks lend themselves very well to holding a company to ransom or getting revenge on a company or a person for whatever reason. So the ultimate idea or goal of the denial of service attack is to prevent legitimate users from accessing a particular system, and oftentimes what you will find is that if hackers fail to compromise the system they fall back to and settle for a denial of service attack. As far as the amount of skill required to run a denial of service attack, it's actually very simple: there are a lot of tools available for it and a lot of exploits for it, but again you don't gain anything from it. So one might ask why people do it, and it goes back to trying to make a name for themselves or threatening a company that they will shut its servers down if it doesn't comply with their demands. So they are definitely a very real threat and should be treated very seriously. There are actually a lot of different methods and technologies associated with denial of service attacks because, again, we are not looking to gain root privileges; we just want to shut the system down to normal users so that no one can access it.

Examples would be TCP stack overflows such as the ping of death, window size overflows, and Smurf and teardrop attacks. The Smurf attack is a really interesting one: we spoof the source address to the broadcast ID of the subnet while pinging a system that is legitimately going to reply to that ping, and it effectively blows the network up. There are a lot of mitigations available for these types of denial of service attacks. User access denial of service attacks involve intentionally locking users out of systems. An example would be trying to log in as a user three times so that the account locks; if you do that for every potential user account in the domain, you shut the company down by locking all of its user accounts out. Another interesting variant is to stop one piece of the puzzle, such as halting a service that a particular application relies or depends upon. So again, as you can see, there are lots of different ways to perform denial of service. Large-scale denial of service attacks are also somewhat common in today's environment and are usually called DDoS or distributed denial of service attacks; they use something called a zombie, an unwilling or unsuspecting host, to launch a coordinated large-scale multi-system attack. For example, let's say that I send out a worm that contains a denial of service attack set to run at a particular time, and that worm infects 40,000 workstations; the target of those 40,000 workstations will probably be taken off-line if they all come up and start pinging that system, or all try to log into that Web server, for example. Ultimately the load will be too much for the Web server to handle and it will simply give up. So as you can see denial of service covers a very wide range of things and can use multiple types of techniques to be successful.
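Detection logic for the account-lockout denial of service described above, as an added example that is not code from the course. One source failing logins against many different accounts inside a short window is not a forgotten password; it is someone walking the user list to trip the lockout threshold, and that pattern is visible in authentication logs before the help desk phones start ringing. The log format, timestamps, account names and source addresses are constructed for the example, and the thresholds (three failures locks an account, three locked accounts from one source in five minutes raises an alert) are assumptions you would tune to the domain's policy.

```python
"""Lockout-sweep detector over authentication logs (added example, not from
the course). The syslog-like line format and all sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) auth: FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-01-10T09:00:01 auth: FAILED user=alice src=10.1.1.20
2024-01-10T09:00:02 auth: FAILED user=alice src=10.1.1.20
2024-01-10T09:00:05 auth: FAILED user=alice src=203.0.113.9
2024-01-10T09:00:06 auth: FAILED user=alice src=203.0.113.9
2024-01-10T09:00:07 auth: FAILED user=alice src=203.0.113.9
2024-01-10T09:00:08 auth: FAILED user=bob src=203.0.113.9
2024-01-10T09:00:09 auth: FAILED user=bob src=203.0.113.9
2024-01-10T09:00:10 auth: FAILED user=bob src=203.0.113.9
2024-01-10T09:00:11 auth: FAILED user=carol src=203.0.113.9
2024-01-10T09:00:12 auth: FAILED user=carol src=203.0.113.9
2024-01-10T09:00:13 auth: FAILED user=carol src=203.0.113.9
2024-01-10T09:30:00 auth: FAILED user=dave src=10.1.1.21
"""

def parse(log: str):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def find_lockout_sweeps(log: str, window=timedelta(minutes=5),
                        lockout_threshold=3, min_accounts=3) -> dict:
    """Return {source: sorted accounts} for each source that reaches the lockout
    threshold on at least `min_accounts` distinct accounts within one window.
    A per-source sliding window starting at each failure catches the burst."""
    by_src = defaultdict(list)
    for ts, user, src in parse(log):
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            fails = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                fails[user] += 1
            locked = sorted(u for u, n in fails.items() if n >= lockout_threshold)
            if len(locked) >= min_accounts:
                alerts[src] = locked
                break
    return alerts

if __name__ == "__main__":
    for src, accounts in find_lockout_sweeps(SAMPLE_LOG).items():
        print(f"lockout sweep from {src}: {', '.join(accounts)}")
```

A user fat-fingering a password (10.1.1.20 above) never trips the alert because only one account is involved. The mitigation side is a policy decision rather than code: lockout counters keyed on source as well as account, lockouts that expire automatically, and protecting the accounts that must never be locked (service and break-glass accounts) with a different control than a counter.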

5. Web Hacking Web hacking is basically the act of hacking individ ual sites or the servers or components that are used on those websites and one of the reasons that you will find in web hacking is probably one of the more popular types of attacks is because Web servers are a natural target. They are publicly available, there's not really a way for me to say you can't access my website because it's on the Internet anybody can access it that wants to. So that definitely lends itself well to being hacked. usually web hacking and web vulnerabilities and exploits are as a result of a couple of different things, one of which is insecure coding because web languages are so very easy to understand and interpret, a lot of people simply write their own web code or have in-house developers that write their web code for them and depending on the code used whether it be PHP, ASP, JAVA or whatever the case might be, then there are exploits available just for those specific things as well. It’s also extremely difficult and complicated to lock down and secure a Web server because of the nature of its trusting port 80 and port 443 it makes them a very easy target because of that level of challenge and usually lack of security. Even though most Web servers are most likely going to be part behind a firewall and in a protected DMZ or demilitarized zone, you can't really block all illegitimate traffic because again that port 80 and port 443 are pretty much guaranteed to get traffic from all over the world. so there's not really a way for you to protect that so once you've restricted it's all but the bare minimum types of network communication then it’s actually going to be relying on you to go secure that host and lock it down, so it's not vulnerable to common attacks to port 80 or other web ports. 117 | P a g e


the first step an attacker is going to take is to enumerate the services or the applications on that target and try to determine what Web server hosting software is being utilized such as Apache or IIS, usually we will pick up and run known exploits against those identified Web servers especially if we can enumerate version information such as IIS 4.0, that immediately tells us it's a Windows NT box and we will go start looking up known exploits for Windows NT operating system running IIS 4.0 and Apache is going to be in the same boat. Usually we are going to at this point once we've done a vulnerability assessment and determine what vulnerabilities might exist, we are going to use those exploits to zero in on whatever we are there for, whether it be defacing the site, modification of data or wherever ultimate goal is going to be. Oftentimes when you compromise the Web server because they are the e -commerce central of the world you can usually intercept or change data as a process of the attack. So there are a lot of different options available to us and really your limitation on how you penetration test a Web server is limited to your imagination. so you definitely need to be thinking outside the box in these type of scenarios how can I get into this system, what vulnerabilities are there if it's running IIS 5.0 what other software it might be running, so you might go, do some research on authentication modules for IIS 5.0. there are a lot of options available. Usually the ultimate goal for a true penetration tester or hacker and not a script kiddie or someone looking to deface a site is going to be to penetrate deeper into the network. 
one of the things that I have found to be really common is because Web servers content changes on such a regular basis, most companies have one of two scenarios either they have an open communication channel between the Web server and an internal server for content management or they actually have an alternate server aside from the Web server that sits in the DMZ, that is responsible for content management but ultimately there will be a link back into the internal network, I guarantee it most companies could not operate without that link back into the network, so all we have to do is find that link and utilize that to ultimately move into the internal network. There are a lot of popular attack methods and styles associated with web hacking, we are going to cover some of the more common ones here. The first of which is cross site scripting and this actually relies on a rouge Web server or the ability for us to script on your Web server from my Web server or run scripts across different domain names. so effectively you're in a trusted location and you have no reason to suspect anything is wrong but an alternate site could trick DNS and actually come over on your domain name and run scripts against your clients. They are also quite a few Internet information services or IAS DLL vulnerabilities out there in the way that it handles remote requests. IIS is a very commonly exploited web hosting service, so be aware that Microsoft Web servers are pretty well known for their vulnerabilities, not to say that Apache doesn't have its fair share as well. Directory traversal is also very common goal because this allows us to exit the web directories and potentially move into the core operating system directories as well. 118 | P a g e


Unicode attacks exploit the point at which URL validation happens. If I send an invalid URL, something the web server knows is not going to be an actual HTML page or whatever the case may be, URL filtering is supposed to stop it. Unicode and URL encoding give us alternate ways to represent characters: a space, for example, is hex 20, so it can be sent as %20. What this means is that my web server may have a filter that stops all URL requests containing spaces, but that does us no good if %20 is not converted to a space until after the filter has been applied. The request goes to the content filter, the filter says "this is good data, there are no spaces in it, so I am okay", and then the decoder takes over, converts %20 to a space, and the request with the space in it is applied to that system. The same trick works with alternate encodings of the slash and dot characters used in directory traversal. This is what lets an attacker bypass the URL filters built into the web service: the check is made on the encoded request and the decoding happens afterwards.
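The filter-then-decode problem just described, for both the space example and the directory traversal case from the previous section, as an added Python example that is not part of the course material. It assumes a document root of /var/www/html and a filter that looks for a literal space or ../ in the raw request; the alternate representation used is the overlong two-byte UTF-8 form %c0%af of the slash, which a strict decoder rejects and a lenient one turns into '/'. The hardened version decodes exactly once, strictly, and only then checks that the normalised path stays under the root.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed document root for the demonstration (not from the course text).
WEBROOT = "/var/www/html"


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 the way an over-permissive decoder does.

    A strict decoder rejects 'overlong' two-byte sequences such as C0 AF,
    because '/' already has a one-byte form (2F).  A lenient one happily
    turns C0 AF into '/', which is the whole point of the alternate
    encoding.  Bytes that fit neither pattern become U+FFFD.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # two-byte form, accepted whether or not it is overlong
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def vulnerable_resolve(url_path: str):
    """Filter first, decode second: the pattern the course describes.

    Both checks look at the still-encoded request, so '%20' is not a space
    and '..%c0%af' is not '../' as far as the filter is concerned; only
    afterwards are they decoded.  Returns the filesystem path that would
    be served, or None if the filter blocked the request.
    """
    if " " in url_path:                                # space filter on encoded text
        return None
    if "../" in url_path or "..\\" in url_path:        # traversal filter on encoded text
        return None
    decoded = lenient_utf8_decode(unquote_to_bytes(url_path))
    return posixpath.normpath(WEBROOT + "/" + decoded.lstrip("/"))


def safe_resolve(url_path: str):
    """Decode once, strictly; then validate the decoded, normalised path.

    Returns the path under WEBROOT, or None if the request is rejected.
    """
    raw = unquote_to_bytes(url_path)               # exactly one round of %XX decoding
    try:
        decoded = raw.decode("utf-8")              # strict: overlong/invalid sequences fail
    except UnicodeDecodeError:
        return None
    if "%" in decoded:                             # a second layer of encoding: refuse it
        return None
    if any(ord(c) < 0x20 or c == "\\" for c in decoded):   # control chars, backslash
        return None
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):  # must stay inside root
        return None
    return full


if __name__ == "__main__":
    for req in ("/index page.html",
                "/index%20page.html",
                "/../../../etc/passwd",
                "/..%c0%af..%c0%af..%c0%afetc/passwd"):
        print(f"{req:40} vulnerable -> {vulnerable_resolve(req)}  safe -> {safe_resolve(req)}")
```

Run it and the third and fourth requests show the point: the literal traversal is blocked by the vulnerable filter, the overlong-encoded one sails through and resolves to /etc/passwd, and the hardened resolver rejects both because the strict decoder refuses the overlong bytes and the prefix check refuses anything that normalises outside the root.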

14. Popular Tools
14.1. Nmap Part 1
14.2. Nmap Part 2
14.3. Nessus
14.4. Superscan

1. NMAP Part One
So at this point we have pretty well covered all the concepts associated with an introduction to hacking and penetration testing, so we are going to take some time to introduce you to various hacking tools and some of the more popular ones you might be using, just to get you started with tool usage and the capabilities on offer. We are going to talk about a couple of very popular tools, starting with probably the most popular scanning tool, Nmap. We will look at some demonstrations and the different options that might be chosen. We are also going to look at a Windows port scanner and network scanning utility called SuperScan. In addition we will look at the Nessus vulnerability assessment tool and the Metasploit framework, which does for exploitation roughly what Nessus does for assessment but is not quite as robust. To kick things off: Nmap is probably the most popular and flexible hacker tool out there. Versions exist for both Windows and Linux as well as just about any other platform, including BSD and the Macintosh. As a general rule the Linux command-line version works better, is better supported and tends to give better results. It has functions such as ping sweeps, port scanning, service enumeration and OS fingerprinting, all built into a very compact and useful tool. It is useful throughout the process, but it really shines during the early stages of the attack: we go in, scan the network, find the systems that are on it, and then use it to enumerate host information and services and fingerprint the operating systems and applications.
The command-line interface uses a series of switches that indicate what you want to do and what you want to do it against, so it is really easy to use, and even if you do not like the command line there are Nmap graphical front ends available, even for Linux. So let's dive right in and take a look at an Nmap demonstration. We are going to go over some of the more common usage that you might frequently need. The first one we are going to look at is the SYN scan. We type in nmap, which starts the program, and then any options we like. Here we are going to focus on the default, which is the TCP SYN scan (-sS). The SYN scan is the default choice if you do not pick a scanning mechanism because it is very effective, very fast, works extremely well and can scan thousands of ports per second on a fast network. It is also relatively quiet because it never completes the TCP handshake: it sends the SYN, reads the SYN/ACK or RST that comes back, and tears the half-open connection down with a RST before the application on the target ever sees a connection. At this point we choose our host and redirect the output into a text file, which in this example we will call syn.txt.

While that is running, we open another shell and kick off a different Nmap scan. This time we specify the TCP connect scan with -sT. The connect scan gives a comparable result set to the SYN scan, but it completes the full three-way handshake, so it is slower, very noisy, and easily picked up by intrusion detection systems and by the target application's own logs. It is generally not used, except in place of the SYN scan where a SYN scan is not possible, for example when you do not have the raw-socket privileges Nmap needs to craft the SYN packets itself. If we take a quick look at what we have so far and open the connect-scan results, we can see that we enumerated quite a bit of information: an FTP server, a DNS (domain) server, a web server, and so on. If we look at syn.txt we get comparable answers, but the SYN scan is significantly quieter on the network than the connect scan.

We can also run a UDP scan with -sU, which looks for ports responding to the UDP protocol as opposed to TCP. UDP scanning can be slow, because an open UDP port usually gives no reply at all and Nmap has to wait on timeouts and retransmissions, but in this example we have lots of services that responded quickly, so we can see all the different services answering individual UDP requests. We are also going to take a look at the Maimon scan, specified with -sM. This is not going to bring back useful information on a Windows box, because it relies on a quirk in the TCP stack of BSD-derived operating systems, which drop a FIN/ACK probe to an open port instead of answering with a RST.

We write this one to BSD.txt, and as you can see it reports all 1672 scanned ports as closed, even though they are not, because again this scan is meant for a BSD system, not a Windows one. Finally we have the TCP ACK scan (-sA). The ACK scan is not designed to find open ports at all; it exists to test firewall rule sets. A port that answers with a RST is reported as unfiltered, whichever state it is really in, and a port that answers with nothing (or with an ICMP unreachable error) is reported as filtered. So we scan my firewall/NAT device, and we probably will not get much back from it, but you should definitely be aware that the ACK scan is primarily used to map out how a firewall rule set is written. Here it shows unfiltered on all of the ports. So, as you can see, depending on how you set this up you can get very different answers.

2. NMAP Part 2
Another thing we are going to look at is the NULL, FIN and Xmas scans. I am going to call this file Linux.txt and write all three of these scans to it, because NULL, FIN and Xmas scans are generally reserved for Unix and Linux systems. The NULL scan is started with -sN, and basically it exploits a loophole in RFC 793: if a packet arrives at a closed port without the SYN, RST or ACK flag set, the stack must answer with a RST, while an open port must silently drop it. So a RST means closed and no response means open (or filtered by something in between). We ran the NULL scan; now we run the FIN scan (-sF), which sends a probe with just the FIN flag turned on instead of no flags at all, and then the Xmas scan (-sX), which turns on the FIN, PSH and URG flags together. If we now look at Linux.txt we see that we really did not get much feedback from these systems, because these scans rely on an RFC-compliant stack, and Microsoft systems reply with a RST whether the port is open or not, so everything shows as closed. Finally there are some options for custom scanning. Instead of using a predefined scan technique you can build your own with --scanflags, specifying exactly which TCP flags go in the probe, and then scan the system to see what reply those flags get. In this scenario we scanned common ports with only the URG flag set and did not get anything back. You can try various combinations to get different results, so even for a nonstandard device you can still perform penetration testing and assessment using Nmap.
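The probes behind the scan types in the two Nmap sections above (SYN, NULL, FIN, Xmas, Maimon, ACK and a custom --scanflags style probe) and the rules Nmap uses to turn the reply into a port state, as an added Python example that is not part of the course material. It builds the 20-byte TCP header each scan sends, with the RFC 793 checksum over the IPv4 pseudo-header, parses it back the way a sniffer would, and encodes the open/closed/filtered rules described above. The IP addresses and port numbers are made up for the demonstration; everything is built and decoded in memory and nothing is sent on the wire.

```python
import socket
import struct

# TCP flag bits: the low six bits of the data-offset/flags word.  The ECN
# bits above them are ignored here.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flags each Nmap scan option puts in its probe, per Nmap's documentation.
SCAN_PROBE = {
    "-sS": ["SYN"],                # SYN (half-open) scan
    "-sN": [],                     # NULL scan: no flags at all
    "-sF": ["FIN"],                # FIN scan
    "-sX": ["FIN", "PSH", "URG"],  # Xmas scan
    "-sM": ["FIN", "ACK"],         # Maimon scan
    "-sA": ["ACK"],                # ACK scan: firewall rule mapping
}


def flag_bits(names):
    return sum(FLAGS[n] for n in names)


def flag_names(bits):
    return [n for n, b in FLAGS.items() if bits & b]


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_probe(src_ip, dst_ip, sport, dport, flag_list, seq=0x1000):
    """Return a 20-byte TCP header with exactly the given flags set.

    flag_list can be one of the SCAN_PROBE entries or any custom combination,
    which is what --scanflags lets you do.
    """
    offset_flags = (5 << 12) | flag_bits(flag_list)   # 5 x 32-bit words, no options
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 1024, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed part of a TCP header, as a sniffer would show it."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_flags >> 12, "flags": flag_names(off_flags & 0x3F),
            "window": win, "checksum": csum, "urgent": urg}


def checksum_ok(src_ip, dst_ip, raw: bytes) -> bool:
    """With a correct checksum in place the whole segment sums to zero."""
    return tcp_checksum(src_ip, dst_ip, raw) == 0


def infer_state(scan: str, reply_flags):
    """Port state Nmap reports for a probe type and the reply it got.

    reply_flags is None when nothing came back, otherwise the flag names of
    the reply segment.  This mirrors the RFC 793 behaviour described in the
    course: a closed port answers a probe without SYN/RST/ACK with a RST, an
    open port drops it; an ACK probe gets a RST from any unfiltered port.
    ICMP unreachable errors, which Nmap also treats as filtered, are not
    modelled here.
    """
    rst = reply_flags is not None and "RST" in reply_flags
    if scan == "-sS":
        if reply_flags is None:
            return "filtered"
        if "SYN" in reply_flags and "ACK" in reply_flags:
            return "open"
        return "closed" if rst else "unknown"
    if scan in ("-sN", "-sF", "-sX", "-sM"):
        return "closed" if rst else "open|filtered"
    if scan == "-sA":
        return "unfiltered" if rst else "filtered"
    raise ValueError(f"unsupported scan type {scan}")


if __name__ == "__main__":
    src, dst = "10.0.0.5", "10.0.0.9"        # made-up addresses
    for opt, flags in SCAN_PROBE.items():
        probe = build_tcp_probe(src, dst, 40000, 80, flags)
        print(opt, parse_tcp_header(probe)["flags"], checksum_ok(src, dst, probe))
    print("custom --scanflags URG:", parse_tcp_header(build_tcp_probe(src, dst, 40000, 80, ["URG"]))["flags"])
    print("Windows answers a NULL probe with RST ->", infer_state("-sN", ["RST"]))
```

The last line is the Linux.txt result from above in miniature: a stack that sends a RST to every NULL, FIN or Xmas probe makes every port look closed, which is why those scans tell you little about a Windows host.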

3. Nessus
Another extremely popular tool, mostly used for vulnerability assessment, is Nessus. Nessus is an open source software kit with commercial subscriptions available for additional feature sets, and it is a fairly unique security tool because it uses a client/server architecture: the server is installed in a central location and houses the vulnerability definitions, authentication and a lot of other services and features that are very useful in a large-scale scanning scenario. It has both command-line and graphical interfaces, and there are many variations of the graphical interface available. It is modular, meaning a series of checks that can be pieced together, collected in a database of current checks for various operating systems, applications and even network-level appliances. Nessus uses a scripting language called NASL (the Nessus Attack Scripting Language) that allows plug-ins to be created or added to the system at any point, so it is a very extensible, very flexible system. There are literally hundreds and hundreds of vulnerability plug-ins, updated on a very regular basis, and there are even third-party plug-ins available for very specific applications or targets. Nessus does require a fairly high level of knowledge to use effectively. What most people do is go in, select every plug-in, and run the whole database against the target; to go beyond that and take advantage of the features you need to understand more about the tool. We can, for example, go out to the web, download live exploit code, and using NASL turn it into a vulnerability assessment module for Nessus.


So let's take a quick look at some of the basic functionality of Nessus. The first thing we have to do is start the Nessus server, which we do by running nessusd. It goes through the process of loading all the plug-ins, and while it is doing that I am going to fast-forward time so that you do not have to watch the numbers increment. At this point we have the server up and running and we are ready to log into it using the Nessus client, which is started by simply typing nessus on the system where the client is installed. That brings up a graphical interface and we can log in either with the default user account or with a user account we have created, which lends itself to various levels of distributed scanning. We click login and the client now initialises the plug-ins and goes through the client/server communication that enables us to have the most effective scanning possible. Once we have logged in successfully the client brings us to the plug-ins tab, which lists all the different scripts and remote vulnerability checks the server has loaded. We can enable them all, disable them all, or have the client handle the dependencies between them as necessary. If we want we can also supply credentials, so if we want to try a known password for a particular organisation we can enter it here, and we can choose the usernames to log on to the various systems with. Then we can go into quite a bit of detail on scanning options in addition to the vulnerability assessment itself; this is an all-inclusive thing, and if you notice we have Nmap capabilities built in.

So it will run Nmap, and we can configure that so it all happens at the same time. We will enable it and choose a SYN scan, and we can use the built-in TCP scanner as well. You can see there is a high level of configurability here: we can do CGI checks, we can choose to consider unscanned ports as closed, and ultimately we have to supply a target. We plug our target information in there, and we can go through and add rules to our users and configure preferences for any advanced plug-ins we have selected. We can do UDP scans as part of the scan, set TCP string information, configure service scans and RPC scans, and check all kinds of options for the Nmap plug-in. We can use very aggressive scan speeds, adjust timeouts; I mean, there is just a ton of configuration options here. When it is all said and done we come over to the target tab and start the scan. These Nessus scans can take quite a long time to run, but it gives you a status update in the window and supports parallel scanning. We can stop any single host scan, or all host scans, at any time. This process can be quite lengthy, so I am going to fast-forward time again until the scans complete. At this point our scan is finished; we can select the host that we targeted, then scroll down and look through the vulnerabilities and results of the scan. These are very easy to interpret and generally give you informational messages or severity ratings based on what is running on the remote host.

4. Superscan
Now that we have covered a Linux-based tool such as Nmap, let's talk about SuperScan, which is almost the graphical Windows equivalent of Nmap, although personally I do not think it is quite as effective or fast. It is definitely a good Windows scanner. It is developed by Foundstone, who have released quite a few good free security tools, so it might be worth your time to check out the Foundstone site and download some of them. Its GUI is very easy to use, so let's jump over to a Windows box and take a look at the program. When you extract it after downloading, it drops a couple of files into a folder, and we can simply double-click the executable to run it. At this point we can select various options for the scan process: we can choose an individual hostname or IP address, which we type in now, and we simply hit the arrow button and it adds it to the list. We can choose whether to do host discovery or request information from that host, we have UDP and TCP port scan options, we can choose a simple TCP data type or data plus ICMP type, we can optimise the port sequences by specifying a static source port, and by default most of the common ports are selected to be scanned. Under scan options we can choose our scan speed, which lets us pick the level of stealth we want, and set options such as the number of passes for host discovery and service discovery, whether we want to resolve the hostname or the IP address, and even add tools to run after the scan completes. We also have various options for Windows enumeration in addition to the standard scanning features.

There are definitely lots of useful utilities in this program. We initiate our scan by clicking the play button, and it goes through its processes and gives us real-time feedback: it tells us it has discovered the machine and is grabbing banners from the various ports that might offer one. As you can see, by default it did a SYN scan and is scanning both TCP and UDP. When everything is done we can view the results by clicking the view HTML results button, which produces user-friendly reports to present to coworkers or management or whatever the case may be. We can see various pieces of information: we were able to gain anonymous access to the FTP server, the banner tells us it is Windows NT version 5 (the Windows 2000/XP kernel line), we can see the HTTP header and the versions of PHP and Apache that are running, we can see the NetBIOS information for that system and even the SQL server information, and there is a brief summary at the end. So SuperScan is an extremely user-friendly graphical interface that provides a very useful set of information when it is all said and done.

Let's not forget the Windows enumeration options. We drop our host in there and see what kind of information we get back. We can see the NetBIOS information, and remember we have not authenticated to the system, we are just making anonymous (null session) requests, and yet you can see a lot: registry keys readable anonymously, the services running on the system, the shares, the accounts associated with them, the time of day on that system, the various interfaces and the services bound to them. We can even see the user accounts: administrator, a vendor account apparently, and an IE user account on that system. So lots of information can be gathered here as well. In addition we can run queries on hostnames or URLs and gain information about Internet-based servers.
