What You Will Learn
Enumeration
After the footprinting and scanning phases, a hacker has to gain more specific information about the hosts and devices in the network → ENUMERATION.
Enumeration techniques:
- Default passwords
- User group extraction
- Username from email
- SNMP walking
- Active directory
- DNS zone transfer
NetBios Enumeration
A hacker can get information from NetBIOS (commonly running on Windows systems) using the following tools:
Users and default passwords
There are tools able to gather info from remote hosts (for example which applications are running). One of these is PsExec.
Routers often have default passwords configured: a good method to find these passwords is simply to google them.
SNMP (Simple Network Management Protocol) Enumeration
SNMP runs on network devices and is a protocol for managing and monitoring them. The protocol is used both to gather configuration info and to change that configuration.
The command used to obtain info is snmpwalk: with it you can gather information about a device (which must be running SNMP!).
For example with this command you can get the version of the OS running on a particular device:
snmpwalk -v2c -c public IP-ADDRESS | grep Version
Linux Enumeration
Some commands to use on Linux. They can reveal information about the users.
finger @IP-address → info about users on the system
rpcinfo -p IP-address → info about RPC endpoints on the system
rpcclient $> netshareenum → get a list of hosted shares
showmount -e IP-address → displays the NFS (Network File System) shares available
enum4linux -v IP → enum4linux is a script for Linux that automatically runs all the previous commands (and other commands as well)
LDAP, NTP, SMTP, DNS enumeration
LDAP (Lightweight Directory Access Protocol) → for maintaining and accessing directory information. It allows gathering names, managers, telephone numbers, …
Tools:
Countermeasures:
- Restrict queries to authenticated domain users
- Use LDAPS
- Disable File/Printer Sharing
NTP (Network Time Protocol) → for network time synchronization
Tools:
ntptrace, ntpdc, ntpq, ntpdate
SMTP (Simple Mail Transfer Protocol) → for sending emails
Tools:
- Netscan Tools Pro
Countermeasures:
- Silently ignore unknown recipients
- Disable relay for other domains
DNS (Domain Name System) → for translating domain names to IP addresses
Tool:
- dig axfr @NAMESERVER example.com (zone transfer request against the given name server)
Countermeasures:
- Disable Zone Transfer
- Don’t share internal IP addresses
- Don’t use personal names when registering domains
System Hacking
Password Cracking
This video is a demo of cracking Windows passwords with the tool Ophcrack. This tool is available for both Windows and Kali Linux.
Sometimes systems use an additional parameter (a salt) when storing passwords in the database:
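As an added example (not from the course notes), how a salt changes the stored record: two users with the same password get different hashes, and verification re-derives the hash from the salt stored beside it. The key-derivation function (PBKDF2-HMAC-SHA256) and the record format are assumptions of this example; the notes do not name them.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not from the notes).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'; a fresh random salt per call unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt from the stored record; constant-time compare."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """What a precomputed (rainbow) table targets: one fixed digest per password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Two users chose the same (constructed) password; compare salted vs unsalted storage."""
    alice = hash_password("Winter2024!")
    bob = hash_password("Winter2024!")
    return {
        "same_unsalted": unsalted_hash("Winter2024!") == unsalted_hash("Winter2024!"),
        "same_salted": alice.split("$")[2] == bob.split("$")[2],
        "alice_ok": verify_password("Winter2024!", alice),
        "alice_wrong": verify_password("winter2024!", alice),
    }


if __name__ == "__main__":
    print(demo())
```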
KeyLoggers and Anti-KeyLoggers
Hardware Keystroke logger
- PC/BIOS
- Keyboard
- External
External keystroke loggers are listed here:
Keylogger Defense (Hardware-based):
Software Keystroke loggers
Types of software on the system able to log keystrokes:
The defense against Software Keystroke loggers:
Anti KeyLoggers tools:
CoDefender, GuardedID, PrivacyKeyboard, KeyScrambler, Anti-KeyLogger, SpyShelter
Microsoft authentication
Credentials are stored in the SAM (Security Accounts Manager) and in the Active Directory database.
Authentication methods:
- NTLM → challenge response protocol
- Kerberos → uses tickets for authentication
Privilege Escalation
2 types of escalation:
- Horizontal: get access to another user’s account
- Vertical: get access to admin (windows) or root (linux)
It is accomplished by inserting malware into DLLs (automatically executed when an application initializes), exploiting software vulnerabilities, or bypassing User Account Control (running programs as administrator → compare sudo on Linux).
Tools:
Escalation defense:
Executing Applications
The execution of applications by a hacker is often accomplished remotely.
Goals:
- Gather more information (spyware: video, audio, USB-launched, GPS)
- Create backdoors
- Launch additional attacks
Execution tools (you get access to the system and then install them to have remote access):
- PsExec
- RemoteExec
- PDQ Deploy
- DameWare
Rootkits & Anti-Rootkits
A rootkit is software that gives the attacker further advantages after the attack is accomplished:
- Gain admin privileges
- Gain additional data
- Monitor network traffic
- Launch attacks on other hosts
Some examples of rootkit actions:
Defense against Rootkits:
- Avoid untrusted downloads
- Use Firewalls
- Verify all software before installing (install only the necessary one)
- Choose an antivirus that protects against rootkits
NTFS stream manipulation
It’s possible to determine if a critical file has been changed thanks to the file metadata. NTFS Alternate Data Streams (NTFS ADS) allow a file’s content to be changed without changing the file metadata.
This allows the injection of malicious code.
Some tools to detect NTFS ADS:
Steganography
It’s the art of hiding a message or information within other data (doc, txt, img, audio, video, …).
It’s used when the attacker accesses information but won’t make use of it right away: he hides it for later use.
Steganography can be applied over several mediums; the respective tools are in the next table:
On the other hand, steganalysis is the art of discovering these hidden messages and is typically done by statistical analysis of files.
Tools for steganalysis:
Covering tracks
The most common techniques for covering tracks are:
- Delete log entries (Windows Event Viewer or /var/log in Linux)
- Change log entries (better than deleting because you don’t leave any “hole” in the entries)
- Disable auditing processes (no logs at all)
- Delete command history (clear the MRU in Windows; shred -zu /root/.bash_history in Linux)
Tools:
- exe
- meterpreter
- CCleaner
- MRU-Blaster
- BleachBit
- ClearProg
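From the defender's side, the "hole" left by deleted entries is exactly what a log review looks for. This added example (not from the course notes) checks a constructed set of Windows Security log records for three signs of tampering: gaps in the sequential EventRecordID, a record whose time is earlier than its predecessor, and the "audit log was cleared" event (Event ID 1102; 104 is the System log equivalent).

```python
from datetime import datetime

# Constructed sample records: (EventRecordID, TimeCreated, EventID). Not real log data.
SAMPLE_RECORDS = [
    (1001, "2024-03-01T10:00:01", 4624),
    (1002, "2024-03-01T10:00:05", 4672),
    (1003, "2024-03-01T10:01:10", 4688),
    (1006, "2024-03-01T10:02:00", 4688),  # 1004 and 1005 are missing: deleted entries
    (1007, "2024-03-01T10:02:30", 4634),
    (1008, "2024-03-01T09:58:00", 4624),  # time earlier than its predecessor: edited entry
    (1009, "2024-03-01T10:03:00", 1102),  # 1102 = "The audit log was cleared"
]

# Event IDs that record a cleared log (1102: Security log, 104: System log).
LOG_CLEARED_EVENT_IDS = (1102, 104)


def find_gaps(records):
    """Return (first_missing, last_missing) ranges in the EventRecordID sequence."""
    ids = sorted(r[0] for r in records)
    return [(prev + 1, cur - 1) for prev, cur in zip(ids, ids[1:]) if cur - prev > 1]


def find_time_reversals(records):
    """Return record IDs whose TimeCreated is earlier than the record just before them."""
    ordered = sorted(records)  # sorts by EventRecordID first
    return [
        cur[0]
        for prev, cur in zip(ordered, ordered[1:])
        if datetime.fromisoformat(cur[1]) < datetime.fromisoformat(prev[1])
    ]


def find_clear_events(records):
    """Return record IDs of events that indicate a log was cleared."""
    return [r[0] for r in records if r[2] in LOG_CLEARED_EVENT_IDS]


def review(records):
    """Summarize all three tampering indicators for a set of records."""
    return {
        "gaps": find_gaps(records),
        "time_reversals": find_time_reversals(records),
        "cleared": find_clear_events(records),
    }


if __name__ == "__main__":
    print(review(SAMPLE_RECORDS))
```

Real deployments read the records from the event log itself (for example via Get-WinEvent) and forward them to a central collector, so that deleting entries on the host leaves the gap visible elsewhere.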
System Hacking
Some steps for hacking a system:
Malware threats
- Trojan (appears to be a normal program but is destructive; may provide unauthorized access to the hacker; does not replicate itself; spreads via social engineering)
Types of Trojans:
- Virus (malicious software code attached to another program; designed to replicate itself; infects data files; spreads via social engineering)
Types of Virus:
- Worm
- Adware (advertising products)
- Backdoor (allows the attacker to regain access in the future by other means)
- Spyware
- Botnet (it’s a network of infected hosts, not a piece of software)
- Crypter (uses encryption technology for malicious purposes)
- Rootkit (provide more access to an already compromised system)
Malware actions:
Indications of infection
Common Ports for Malware
The range of ports (0-65535) is divided into 3 main blocks:
- WELL-KNOWN PORTS (0-1023) → long-established basic services
- REGISTERED PORTS (1024-49151) → assigned to other services, but you could use them for other services
- PRIVATE PORTS (49152-65535) → not assigned to any specific service
Port scanning tools can be used to determine open ports: once infected, a host may open additional ports.
How malware gets into a system
How to detect
Scan for suspicious:
1) Open ports → port scanners: CurrPorts, nmap, TCPView
2) Processes → process scanners: HijackThis, Security Task Manager, Microsoft Process Explorer, Autoruns, OpManager, YAPM
3) Registry entries → registry scanners: Registry Viewer, Alien Registry Viewer, Active Registry Monitor, RegScanner
4) Startup programs → startup program scanners: WinPatrol, Startup Manager, Startup Booster, ActiveStartup
5) Services → Windows service scanners: Process Hacker, Service+, Nagios XI, SMART, ServiWin, SrvMan
6) Drivers → driver scanners: Driver Reviver, My Drivers, DriverView, Driver Easy
7) Folders & files → folder & file scanners: Tripwire, FastSum, FCIV, SIGVERIF, WinMD5
8) Network activity
7.6 Trojan Horse Construction with Metasploit Demo
Malware Analysis
1) Use reverse engineering (break down the code) to determine what the malware is doing
2) Use online tools that examine the code for you and compare it with already known malware samples:
a) Akana
b) Detux
c) Joe Sandbox
d) Binary Guard
e) Threat Expert
Countermeasures
Penetration Testing
Procedure for Backdoors and Trojans:
SCAN → ISOLATE → RESOLVE
Procedure for Virus:
ANTI-VIRUS → SCAN → ISOLATE & RESOLVE
Sniffing
Sniffing is about watching traffic on the network, for both legitimate and illegitimate uses. Wiretapping is also considered a sniffing technique.
Packets can be sniffed for lawful purposes (authorization is needed).
Sniffing Attack types
PASSIVE SNIFFING: the sniffer stays silent. Uses hubs or taps.
With hubs, all hosts in a network see all traffic: a hub replicates each frame to every port except the source one.
Taps are hardware devices that sit in line with communication media and replicate bits on the wire.
ACTIVE SNIFFING: it’s primarily used on networks with Layer 2 switches, where the attacker poisons protocols to redirect traffic to himself. This kind of sniffing is detectable on a network.
Switches differ from hubs because they forward frames intelligently by looking at MAC addresses.
Active sniffing techniques → MAC flooding, MAC duplication, ARP spoofing, DHCP starvation
Sniffing packets is a fundamental skill for a hacker: he can see what’s going on in the network, but he can also steal a lot of sensitive information. Many protocols send usernames and passwords in clear text → Telnet, POP, IMAP, SMTP, HTTP, NNTP, FTP.
Protocol analyzers
Tools able to capture traffic and analyze it: tcpdump, Wireshark, SoftPerfect Network Protocol Analyzer.
MAC Flooding
MAC flooding is an attack on the CAM tables of switches, which can hold a maximum number of entries. A flood occurs when the number of entries exceeds this maximum. An attacker can induce it by sending a lot of frames (for example ARP requests) with random source MAC addresses. When flooded, the switch starts sending traffic to every port, and the attacker can capture the traffic if he is listening on at least one port.
Tools for MAC flooding:
macof, Yersinia
Defense for MAC flooding:
Operate on ports → set a maximum number of MAC addresses for every port (port security)
DHCP attacks
DHCP can be used to make a switch/host send its traffic to us. The method consists of spoofing a DHCP offer by “winning the race” against the DHCP server when a request is sent. If the attacker replies before the server, he can set himself as the default gateway and receive all traffic from that particular switch/host.
DHCP starvation is instead a DoS method: we spoof the source address and ask for many addresses with the goal of exhausting the available IP addresses. This is not a sniffing technique.
ARP spoofing and poisoning
Another sniffing method is to manipulate the ARP cache of a host in the network. When a host sends an ARP request (for example for the default gateway), the attacker sends an unsolicited ARP reply declaring that he is the gateway. If he spoofs the gateway as well, he becomes a perfect man-in-the-middle. From this point he can modify traffic in flight, sniff packets and hijack sessions.
Attack tools: Ettercap
Countermeasure tool: XArp
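Countermeasure tools such as XArp work by watching ARP replies for bindings that contradict what was previously seen. This added example (not from the course notes and not XArp's code) implements that detection over a constructed sequence of replies: an alert when an IP is suddenly claimed by a different MAC than the one in the static or learned table, and another when one MAC answers for more than one IP, which is the pattern of the attacker impersonating both gateway and victim. The addresses and MAC values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings from ARP replies. Static entries are trusted and never overwritten."""
    static: dict = field(default_factory=dict)   # operator-configured bindings (e.g. the gateway)
    learned: dict = field(default_factory=dict)  # first binding seen for other hosts
    claims: dict = field(default_factory=dict)   # mac -> set of IPs it has answered for
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> None:
        self.claims.setdefault(r.sender_mac, set()).add(r.sender_ip)
        expected = self.static.get(r.sender_ip, self.learned.get(r.sender_ip))
        if expected is None:
            self.learned[r.sender_ip] = r.sender_mac   # first sighting: trust on first use
        elif expected != r.sender_mac:
            self.alerts.append(("mismatch", r.ts, r.sender_ip, r.sender_mac, expected))
        # One MAC answering for several IPs: hosts with aliases can do this legitimately,
        # so treat it as a warning to correlate with the mismatch alerts above.
        if len(self.claims[r.sender_mac]) > 1:
            self.alerts.append(("multi_ip", r.ts, r.sender_mac, sorted(self.claims[r.sender_mac])))


# Constructed capture: gateway is statically known; an attacker MAC later claims gateway and victim.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(1.0, "192.168.1.30", "aa:aa:aa:aa:aa:30"),
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(5.1, "192.168.1.20", "de:ad:be:ef:00:99"),
]


def run_demo(replies=SAMPLE_REPLIES) -> list:
    """Feed the sample replies through a monitor that knows the gateway's real MAC."""
    mon = ArpMonitor(static={"192.168.1.1": "aa:aa:aa:aa:aa:01"})
    for r in replies:
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```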
DNS spoofing
A method to get people to send us their traffic.
Three areas of focus:
– Man-in-the-middle → as with DHCP, the goal is to win the race against the DNS server in answering a request. The attacker has to be sure the victim will accept the reply.
– Cache poisoning → manipulate the cache of a resolver that uses recursive DNS queries. If the attacker responds before the authoritative name server, he resolves the domain himself.
– Proxy server → more about manipulating a host’s proxy server settings to get it to send traffic to you.
To protect yourself against DNS spoofing:
– Use iACLs to filter DNS requests/responses
– Use IDS and firewalls
– Use host protection software
– Use DNSSEC → DNS security with authenticated requests and responses
Sniffing tools
– Wireshark (graphical tool) + demo
– Tcpdump (command line tool) + demo
tcpdump -i eth0 → display traffic
tcpdump -i eth0 -nn → display traffic (no name resolution)
tcpdump -i eth0 -nnvv → display traffic (no names + verbose)
tcpdump -i eth0 -nnvvX → display traffic (no names + verbose + packet data in hex/ASCII)
tcpdump -i eth0 -nnvvX tcp port 23 → display only TCP port 23 traffic (no names + verbose + packet data)
– Riverbed SteelCentral (commercial sniffer)
– Omnipeek Network Analyzer (from Savvius, commercial sniffer)
– Capsa Network Analyzer (from Colasoft, commercial sniffer)
– Observer Analyzer (from Viavi Solutions, commercial sniffer)
– Colasoft Packet Builder (free & commercial options)
Sniffing detection and defense
A few techniques can be used to detect active sniffing:
– Ping method: craft an echo request for the suspected sniffer
– DNS method: relies on a common default setting of sniffing applications, reverse DNS IP/name resolution
– ARP method: send a non-broadcast ARP reply to a bogus MAC address; a promiscuous NIC receives it and passes it to the kernel, an ARP cache entry is created, then send an ICMP echo request
Penetration testing
Social Engineering
Goal: Compromise security by tricking people into breaking security policy. Impact of social engineering hack: financial loss, physical damage, loss of property, loss of data, loss of reputation, loss of privacy, lawsuits, business shut down.
Life cycle:
Target: everyone! Common targets:
Techniques
There are 3 primary types:
– Computer-based
– Human-based (NLP = Neuro Linguistic Programming, RSE = Reverse Social Engineering)
– Mobile-based
Social engineering sites
Social sites allow collecting user data.
1) Facebook (fake companies pages, fake group pages, fake profiles)
2) Twitter
3) Linkedin
4) Google+
Identity theft
Identity theft steps:
1) Research info (with social media, web search and dumpster diving)
2) Gather info (with DMV, SSA and other government orgs)
3) Apply (at banks, credit card companies and department stores)
4) Damage (financial damage, reduced ability to borrow, bankruptcy)
Some advice to minimize the risks:
– Keep personal information secure
– Use advanced security techniques offered by bank
– Check credit reports regularly
– Avoid signing up for mailing or phone lists
– Avoid sensitive data storage on remote locations
– Shred documents that contain sensitive info
– Verify all requests for personal/company info
Countermeasures
