10 Sep 2019
This series of articles has been compressed into a single post.
- Footprinting and Recon
- Scanning Networks
- System Hacking
- Social Engineering
- Covering Tracks
Ethical hacking helps system administrators understand how to better protect the assets they manage.
Footprinting and Reconnaissance (method of discovery) is the first stage and involves gathering information about the target.
Footprinting: learning as much as possible about the target, including remote access capabilities, open ports and services, and what security mechanisms are in place.
Reconnaissance: gathering information about the location of a target by scouting or by setting up covert observation points.
Sequence of Steps
- Gather information
- Locate the network range
- Discover active machines
- Determine operating systems
- Define running services
- Map the network
Competitive Intelligence (legal) to dig public information can be a great nontechnical approach to footprinting and reconnaissance.
Used in business to help a company learn about its competitors in order to make better business decisions.
- Public Resources
- Email Addresses
- Job Sites (idea of systems via tech job postings)
- Social Networks
- Logical Side
- Network architecture
- Defence mechanisms
- Operating systems
Questions before beginning
- Who is the target?
- What is the target?
- Where is the target?
- When is the best time for an attack?
- How? (learnt after footprinting)
Document the Findings: Its important to document any informations to help build a profile.
Search Engine Hacking
Using advanced operators and keywords that may possibly yield pages that contain sensitive information such as protected login screens.
The Google hacking database
Manipulating people to perform actions or reveal confidential information.
- Dumpster diving,
- Shoulder surfing,
- Phishing, Pharming
- Simple persuasion,
Defence: User Education, Authenication Mechanisms, Simply Questioning.
Dangers of Social Media:
- No autentication of users (acceptance)
- Forging someone’s identity
- Revealing information (travel plans)
- Sharing of unsafe links
Examples of Public Search Engines
Email and Websites
Finding email addresses on public records/websites, crafting an email lists using gained knowledge of username conventions to target for phishing.
- Sender Policy Framework (SPF) = ‘The From’ field spoofing
- Virus filtering and Antivirus techniques
- Strong Spam Filtering
- User Education
Reputation-based solutions for investigating email.
Email headers, tell the story of the journey, the stops etc
Download the entire website to examine the content, obtaining emails, phone number and other information.
You can sometimes see concealed comments, directories, links to protected content.
Free and Paid Tools for Website Mirroring/Extracting:
Open-source intelligence gathering tools
Generates a more targeted discovery
- Open-source Data Analysis Software
- Harvests Domain Names, Whois Information and IP Addresses
- Person Specific Information: Websites and Associated Companies.
- Discovers Devices are Connected to the Internet
- Extracts Metadata from the Target
- Harvests Info from Public Sources
DNS uses port 53 over UDP or TCP (zone transfers only)
- A = IPv4 Address of Host
- AAAA = IPv6 Address of Host
- PTR = Reverse DNS lookup
- MX = Mail Exchange record
Dangers of DNS
- Exposed Zone File
- Flood Attack
- Similar to a denial of service (DOS).
- Cache Poisoning
- Changes the DNS Cache on the local name server to point toward a bogus server.
- DNS Footprinting
- Find information managed by the SOA (Start of Authority).
- Restrict zone transfers to authorized servers
- Deny all inbound connection requests to TCP Port 53
- Consider using DNS security (authentication mechanisms)
Domain Name Generators
When phishing, spoofing the brand in the hyperlink may get someone to click on the link.
Domain names and subdomain names can be used to trick a DNS server into transferring its zone file.
Domain Name Analyzer is an example of a domain name generator tool.
Internet Control Message Protcol (ICMP) resides in the network layer (OSI Layer 3), used by routers and intermediary devices to communicate updates or error information.
Also used for network troubleshooting and to test if a device is alive/available on the network.
Traces the route and provides the path and transit times.
Returns the FQDN and the IP address of each gate, used to help paint a picture of the network.
Combines features of ping and tracert.
Shows packet loss at any given router or link by computing statistics at the end.
nslookup and then enter what you want to search after
You can also set other options such as
set type=mx then
google.co.uk and you’ll get the MX records.
Domain Information Groper (DIG)
tool used to querying the DNS, native to Linux, installation is required for Windows machine and there are online tools such as toolbox.googleapps.com
Steps to Reduce Exposure
- Administrators should use a non-standard format email address
- Keep patches up to date
- Monitor for scanning activity
- Shutdown all unnecessary services
- Use strong autentication methods
- Segment the network
- Shed paper based information
- Learn the types of devices on the network.
- Check for listening services and open ports.
- Determine the operating systems on the network.
- Monitor for data being sent over the network in clear text.
- Develop a profile of a target organisation
- can be a valuable tool for an analyst
- Ping Sweep -
- Port Scan -
- Network Mapping -
- OS Fingerprinting -
First stage and can be by anyone normally in-house security specialist. Generates a comprehensive report, these scans should be performed on a regular basis.
Expertise required by a skilled tester normally an outside consultant, they will create a report with methodologies and possible solutions to problems for an executive audience. Should be tested once a year, costs can range into thousands.
Scanning on IPv6 Networks
- Manual - Pattern recognition.
- SLAAC - All addresses uses FFFE in the middle, commonly shared NIC card vendors.
- DHCPv6 - Predictable patterns.
Identifies which ports and services are open, records information based on the queries.
Precursor to an attack so measures need to be taken to protect devices.
- Open and Listening
- Closed and Denying
- No reply - in stealth mode
Firewalls and IPS can use adaptive firewall responses if port scanning is detected.
Scanning Methods: Detection Avoidance
- Strobe mode - quietly checks a few ports at a time.
- Stealth mode - uses scans designed to avoid detection.
- Modifying records at the domain.
- DDOS against DNS infastructure.
- Cache Poisoning.
- WHOIS directory information.
- Restrict Zone Transfers
- Deny inbound connections to TCP port 53
- Consider using DNSSec
- Conceal information at the registrars on file
- Use split horizon or split DNS
- Don’t provide recursive servicees to the public
- Monitor your DNS infrastructure.
In ethical hacking ICMP packets are used to discover; live hosts, network topology, firewall detection and OS fingerprinting.
- Type 3 and Type 4 Required, the rest are optional.
Used to find out more information about the target host such as the operating system, open ports and services.
Prevent banner grabbing by:
- Mask or disable the webserver information.
- Hide file extensions.
- Disable unnecessary services.
Passive operating system discovery
- BROWSER protocol - shares information about devices and services.
- HTTP Headers - can provide information about the server.
Internet of Everything IoT
Self-configurating network allows devices to join, leave and learn about other devices
Universal plug and play (UPnP)
- Provides discovery and advertisements
- Awareness of services and devices on the network
Simple Service Discovery Protol (SSDP)
Drafted in late 1999
- Enables clients to discover network services
- Little or no static configuration required
- Used for passive discovery of network devices
- Configure registery to disable discovery messages
- Disable SSDP in the group policy object
- Create firewall rules to allow only trusted hosts on inbound port 1900/UDP
Probes targets on the network:
- Detect open ports
- Determines software, OSs, and versions
- Identifies known vulnerabilities
Software side, drives business processes and decision making, includes:
- Networking Devices
Both work together in an organisation and both should be tested.
Two types of scanning:
- Find basic configuration issues
- Uses no username or passwords
- Simple to run
- Will miss many vulnerabilties
- Uses a valid username and password
- Mimic a user on the system or website
- More aggressive - can see inside a system
- Closer look at software, versions
- Some use of brute force techniques
- More thorough and provides a comprehensive report.
Intrusion Detection Systems
- Intrusion Detection or Prevention System
- Monitor network for unusual of suspicious activity.
- Stand-alone or integrated within an ASA or router.
- Detection - Works out of band to identify malicious activity.
- Prevention - Works in line to block attacks.
When scanning you can hide your host IP address by using the
-D command this is called “Cloaking with Decoys” but doesn’t work with all types of scans.
Total stealth mode using an IDLE scan, it uses a bystander or zombie.
Spoof your MAC or IP Address
Christmas Tree Attack sends a large number of packets with the FIN, PSH and URG flags set. This could be avoided by older systems.
IP Fragmentation Scan
Splits an IP packet into fragmented parts to avoid detection as the target would need to fully assemble to identify the host.
- Used to avoid detection
- Can overwhelm and crash a device
Tiny fragmented IP packets splits up the TCP header over several packets.
nmap -f <IP addr>
IP fragmentation can only occur on devices that allow for this type of packet.
Concealing and Spoofing
Hiding with Onion Routing (TOR)
- Encrypts and moves taffic within the TOR network.
- Enables anonymous browsing.
- Nodes know there neighbours but nothing else.
- Ensure safe browsing
- Don’t torrent.
- Don’t install or enable plugins (Flash, Quicktime).
- Only use HTTPS (HTTPS Everywhere plugin).
- Don’t open documents while online.
TOR Flow Map
Proxifier and SocksChain
Proxy is using something on your behalf. Proxy chaining is where you use multiple proxy servers concealing where the traffic came from.
* Socket Secure
* SOCKS5 offers more choices for autentication and IPv6, UDP support.
IP address spoofing countermeasures
Conceals the identify of the hacker, the header is modified with a fake IP address so that the packet appears to have come from another machine.
IP Spoofing has the source address modified and is normally used when no reply is required such as DDoS.
ARP Spoofing is sending counterfeit ARP messages so that the attacker’s MAC is linked with a legitimate IP address, reply packets will be returned.
- Man-in-the-Middle Attack
- Denial-of-Service Attack
- Spoofing strengthens the attack.
- Server is not sure if requests are legitimate.
- Use cryptographic autentication methods (IPSec).
- Use bogon filters.
- Deny private IP addresses from coming into the network.
IP spoofing detection techniques
- Direct TTL Probe - Only useful when the attacker is on a different segment, we check the TTL value to ensure they are the same.
- IP Identification Number - Checking the ID number to ensure they are correct.
- TCP Flow Control Method - attackers will not be able to recieve a spoofed packet, sending a SYN packet, you will not recieve a SYN-ACK back.
Types of Tunneling:
- Teredo or 6to4 tunneling for dual stack
- IPSec, LLTP, SSL for encryption
Wiki Link: https://en.wikipedia.org/wiki/HTTP_tunnel
- Access programs without being monitored
- Not a true tunnel
- Doesn’t encapsulate within the HTTP protocol
- Plain text
- Sends content over port 80
- Reverse HTTP tunnel - a dangerous application
- Sends a CONNECT packet to a proxy
- All traffic is tunneled inside normal GET and POST
- This works with most proxies and firewalls
- Host based autentication
Defend against tunneling
- Allow only preapproved software
- Close unnecessary ports and services
- Use of anti-virus and anti-malware programs
Detecting HTTP Tunnel
HTTP connections are not persistent and have small packet sizes. Monitor for lengthy connections using port 80.
Use of a intrusion detection system (IDS)
- Catch and mine data destined for port 80 using WireShark or NetworkMiner.
- Inspect log files regularly.
- Collect and analyse statistics.
Application Proxy Firewall
- Post Request
- HTML Scripts
- Host or URL “filter url http 0 0 0 0”
- MIME and file extensions
- Set a connection timeout (prevents lengthy connections)
- Proxies with autentication
- Prevent HTTP-CONNECT queries
- Disable SSH port forwarding.
- DMitry (Deepmagic Information Gathering Tool)
- Proxy Switcher
- Proxy Workbench
- Acunetix - Web Vulnerability Scanner
- Command-line packet crafting tool (ICMP, UDP or TCP).
- Specific flags and options can be set.
- Nikto - Web Server Scanner
- NetScan Tools - Paid for Suite of tools.
- Microsoft Baseline Security Analyzer
- Qualys Browser Check
- Cloud Shark
- ManageEngine OpManager
- Solarwinds Network Topology Mapper
- The Dude (Mikrotik)
- Spiceworks Network Monitor
- Mobile Devices
- Fing - Network Tools
- Net Scan
- IP Tools: Wifi Analyzer
Advanced Persistent Threat (APT)
- Stay in the network undetected
- Goal is to obtain high-value information
Set the Stage
Information about the systems has been obtained in previous steps:
- Reconnaissance has been completed
- Target location
- Good times for attack
- How the target operates
- Valuable data or services identified
- Scanning and Mapping has been completed
- Make and model of devices
- Listening services
- Evidence of data being sent
- Live systems
- Operating systems
- Enumeration has identified weaknesses
- Users (Windows, Linux)
- Windows groups
- Networked devices
- Identified exploitable devices
This stage is System Hacking, which contains the following:
- Obtaining the password
- Active online attack
- Dictionary, brute force, or keylogger
- Passive online attack
- Packet sniffing, MITM, and reply attacks
- Offline evaluation
- Escalation of privilege
- Administration level is the aim
- Unmounted filesystems or development tools
- Executing applications
- Install spyware with backdoor
- Hiding files and tools
- Alternate data streams
- Covering tracks
- Clean up any evidence
- Delete or modify logs
Authenticate a User
New Technology LAN Manager (NTLM)
- Microsoft proprietary authentication protocol
- Operates within Explorer
- Uses a challenge/response method
- Use Cases:
- Authenticating to a non-domain server
- Peer-to-Peer network or workgroup
- Firewall restricts Kerberos (Port 88)
- Built into Active Directory
- Uses tickets to access services
- Domain Controller
- Houses user accounts and passwords
- Acts as the Key Distribution Center (KDC)
- Authentication service (AS)
- Ticket-granting service (TGS)
- Active Directory as its account database
Pluggable Authentication Modules (PAM)
- Account management
- Session management
- Password management
Simple Authentication and Security Layer (SASL)
- Authentication and data security services
- Used for various connection oriented protcols (LDAP, PAM, Kerberos etc.) to interact together
- Protocol must include a command for identifying and authenticating a user to a server
Ways for a user to authenticate:
- What you know: Password
- What you are: Biometric
- What you have: ID Card
Where are passwords stored?
- Found in %SystemRoot%/system32/config/SAM
- Accessible only with admin privileges
- Not available while operating system is booted
Syskey was introduced to increase security of the SAM against offline cracking
- Encrypts the password hash values
- 128 RC4 Encryption key, stored in the SAM registry hive
- Not accessible while the operating system is booted
How to obtain?
- Sniffing of passwords using a packet analysis tool, such as Wireshark
- MITM (Man-in-the-Middle) such as replay attacks
- Password cracking
- L0phtCrack (Paid)
- Ophtcrack (Open-Source, supports Rainbow tables)
- John the Ripper (Cross-platform)
- Cain and Abel (Windows, extra features: password sniff, cracking and voIP capture)
- Uses patterns
- Common passwords: https://www.passwordrandom.com/most-popular-passwords
- Manufacturer defaults: https://cirt.net/passwords
- Dictionary Attack
- Brute Force Attack
- Hybrid Attack - Dictionary combined with Brute Force
Hash Injections: “Pass the Hash”
- A technique that sends the hash value instead of the plain password
- Can be done against any service accepting LM or NTLM authentication
- Using a distributed rainbow table
- Rainbow tables are tables containing hash values
- Users authenticate by entering their password which gets converted into a hash then compared
- https://www.fileformat.info/tool/hash.htm - Hash Generator
- https://project-rainbowcrack.com/ - Downloadable Rainbow Tables
- http://onlinemd5.com/ - MD5 Hash Generator
- http://reverse-hash-lookup.online-domain-tools.com/ - Reverse Hash Lookup
- Salting (random string, stored in the database or with the hash string) will help protect against a rainbow attack
- Shoulder surfing
- Dumpster diving
- Social engineering
- Buying a password
Administrative accounts are normally protected so access is gained through lower privileged accounts. Escalation takes advantage of a vulnerability in a piece of software or operating system.
Escalation in two ways:
- Horizontal (peer privileged)
- Vertical (higher privileged)
Default accounts are known and targets. Make sure they are and secure as a ethical hacker will test these accounts.
Local access once obtained can be used to collect data, install rootkits, keyloggers, botnet.
Online botnet checker: https://checkip.kaspersky.com/
Once completed the hacker will clean the system to ensure they are undetected.
- Restrict Interactive Logon Privileges
- Logon to certain machines
- Routine Services
- Run as unprivileged (non-admin)
- Principle of Least Privilege
- Users and applications have least privilege to complete the job
- Using encryption
- Additional layer of protection
- Test and Patch
- Security settings of IE to zero or low
- Monitor log files
- Easy to miss alerts if logging to much
- Education and Training
- Harvests data:
- Screen Activity
- Web form data
- Internet usage
- Access to sensitive data
- Affects the machine:
- Tracking the users
- Redirection of hyperlinks
- Poor Performance
- Presented as a useful tool or free download
You may want to block third-party cookies, this can break some sites.
Disable ActiveX, although these are some benefits this has been known as a security concern allowing the installation of spyware.
Protect Your Phone
- Install app that monitors for security vulnerabilties
- Use caution when downloading apps
- Do not use free Wi-Fi hotspots
- Use “Find my phone” features
- Use strong autentication methods
Keyloggers are hard to detect and can cause more damage than a virus.
- Runs in the background
- Records every keystroke
- Stored on the systems hard drive
- Can log online activity and screen
- Physically attached to the system
- Records each keystroke
- Saves to onboard memory
- Easy to install
- Can be installed inside another device or USB
- No software installed, undetectable by anti-malware
- Use a firewall
- Egress (outbound) filtering
- Anti-spyware and Anti-Malware
- Windows Users Account Control (UAC)
- Avoid free software
- Use a more secure browser
- Password the system
- Use a limited user
- Install using the admin
Hiding in Plain Sight
NTFS Alternate Data Streaming (ADS)
- Providies compatibility with non-Windows file systems
- Stores data in hidden files linked to a regular file
- Streams are not limited in size
- Attackers can hide tools and data
“Hiding in Plain Sight”
- Three elements
- Carrier (e.g. Image, Audio, Text)
- Hidden message
The human eye can only see a range of colours, slightly tweaking these values we can hide data within pixels (demo: https://cs.vu.nl/~ast/books/mos2/zebras.html)
Detecting Steganography (Steganalysis)
Image steganography tools:
- Compare against the original
- Watch for a large image
- Blocky artifacts (pixelated)
- Stego Analyst
- Search for evidence in a image and audio file
- Stego Watch
- Scans the entire file system
- Flags suspected files
- Stego Break
- Obtains the passphrase used on a file (Encryption)
Cover Your Tracks
Hiding files and tools
- Alternate data streams
- Hidden Tools
- Backdoor access
- Log scrubbers
Hide any trace of activity
- Disable auditing
- Local Security Policy (GUI)
Clean Up - Linux
meterpreter > clearev
- Log files
- Erase Command History
- Shread Command History
shred -zu root/.bash_history
Clean Up - Windows
A con game relying on influence, social skills, and human interaction to obtain information about an organisation or computer system.
Security appliances and anti-malware protection has gotten better, so a hacker will try to attack a softer target - People.
Ways to attack:
- Phone phishing
- Online recon
- Dumpster diving
- Shoulder surfing.
Scam artists work on our emotions:
- May promise free gifts or prices
- Offer important information
- Threaten to take action if you do not reply.
Four main phases of Social Engineering
- Establishing Trust
- Exploiting that Trust
Recognising an attack
- Watch out for unscheduled utility service calls
- Be hesitant with calls claiming to be from the help desk
- Be aware of anyone who says you will get in trouble if the issue isn’t dealt with immediately
- Require visitors to check in
- Require visitors to wear a badge
- Be polite and calmly call for verification
- Escort them even when inside the lobby
Social Engineering Mechanisms
Catfishing is a newer form of social engineering where the attacker poses as a love interest, luring their victim into a relationship.
Browsers are commonly used in social engineering as the portal into the world wide web, a few tips for keeping safe:
- Use a modern browser
- Secure browser settings
- Be careful with extensions
- They can track
- Act as a keylogger
- Insert ads
- Redirect you
- Use extra protection
- Anti-exploit (https://www.malwarebytes.com/antiexploit/)
- Microsoft EMET (Enhanced Mitigation Experience Toolkit, https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit)
Mobile based attacks
- Links to Funny Videos
- Dial a number for a voice mail
- Phony patch - cloned website
- Free offers
- App switch - taking a legimate app and publishing on another site with embedded code
- Use reputable publishers
- Search under the publishers name
- Don’t jailbreak mobile devices
- Look for ratings, comments etc
- Check traffic volumes
- Watch for subscriptions
- Beware of Developers (Permissions)
Lack of company policies, oversight on employee actions. Hackers are aware of this common lack of oversight and prey on individuals in an informal environment, appealing to their sense of belonging and fear of what everyone thinks of them.
An organisation cannot control reputation risk as they are an external factor, but it is good practice to monitor for inappropriate disclosure, create and enforce policies.
Misuse of Trust
Attacks can come from within from disgruntled employees. Hackers will target these employees as they hold little loyalty.
- Passed up for a promotion
Best Practices to protection against insider (trusted) attacks
- The principle of least privilege
- Only the privilege needed
- Shortest time necessary
- Smallest domain (scope)
- Avoid permission creep
- Auditing and Logging
- Limit access
- Inventory Assets
Penetration Testing with Social Engineering
Email and Websites
Phishing and Pharming
- Send out massive emails
- Bait victims to open and respond
- Message appear urgent
- 1 in 10 will respond
Always go directly to any linked sites, do not use links.
Be aware of counterfeit wesbites, malicious content in advertisements and websites taking advantage of exploited or out of date browsers.
Malicious Emails may have attachments that contain malware
- Think before opening links or attachments
- Stay away from risky websites
- Keep up to date
- Use a safe search tool
In person and on the phone
If the employee is busy they may provide the information without thinking for example a busy receptionist providing a key card because they are swamped with work.
Open-source tool, downloadable or already installed on Kali Linux.
Get the victim to:
- Click on a link
- Open a file
- Goto a malicious site
The toolkit allows for the bait creation but you’ll need to use Metasploit to create the exploit.
Attacks from 3 main categories
- Phishing and Spear Phishing
- Generate malicious files
- Create a malicious website
The toolkit: https://www.trustedsec.com/tools/the-social-engineer-toolkit-set/
SET in Kali Linux
Make sure that the SET configuration has been updated regularly.
There are lots of options in SET to build the bait but there is a requirement to use Metasploit to deliver the content.
SET should be part of the vulnerabilities tests as we need to test the ‘human firewall’.
Defending against social engineering is hard as we cannot just defend using hardware and software alone.
- Caller ID
- Seperate Ringtone for Internal and External
- Hesitate before transferring an outside call
- Take the name, company, telephone number and forward the details, hackers use this to collect data of staff
- Helpdesk Policies
- Only authorised individuals to roam freely
- Contractors to show identification
- Train receptionists to make a phone call when unsure
- Know your employees
- Employees to wear appropriate ID
- Protect their ID badges
- Remove ID when in public
- Browsers and Web
- Set privacy settings
- Read privacy policies
- Use encryption for portal access
- Train employees to watch for tells of secure and real sites
- Review company websites removing sensitive information
- Disposal of Media
- Use of shredders
- Storage with lockers
- Use strong, complex passwords
- Do not give away passwords
- Do not leave passwords
- Challenge question on password reset
- Create and enforce realistic policies
- Clear and Easy to understand policies
- Use caution when giving out information
- How to spot a phish
- Train supervisors in security awareness
- Website dedicated to security including tips
- Entire organisation
- Reinforce observant behaviour (example: reward employees that spot phishing)
- Employees at all levels are important to security