
Tutorial 11

Question 01. List down and then briefly elaborate the phases of an ethical hacking
process.

Answer:

• Footprinting
This phase consists of passively and actively gaining information about a target. Footprinting takes advantage of information that is carelessly exposed or disposed of unintentionally.

• Scanning
This phase focuses on active engagement with the target with the intention of obtaining more information. Scanning the target network will ultimately locate active hosts that can then be targeted in a later phase.

• Enumeration
The systematic probing of a target with the goal of obtaining user lists, routing tables and protocols from the system. This process moves us from the outside to the inside of the network to gather system data.

• System Hacking
System hacking cannot be completed in a single step. This process involves a methodical approach that includes cracking passwords, privilege escalation, executing and hiding applications, etc.

• Escalation of Privilege
The goal of privilege escalation is to gain a level where fewer restrictions exist on the account and you have greater access to the system. Horizontal and vertical escalation are the two types of escalation.
Horizontal Privilege Escalation: An attacker attempts to take over the rights and privileges of another user who has the same privileges as the current account.
Vertical Privilege Escalation: The attacker gains access to an account and then tries to elevate the privileges of that account. It is also possible to carry out a vertical escalation by compromising an account and then trying to gain access to a higher-privileged account.

• Covering Tracks
Covering tracks is also known as clearing tracks in penetration testing. This means that the attacker erases all tracks that would lead investigators back to him. Using reverse HTTP shells, ICMP tunnels, clearing event logs, and erasing or shredding command history are some of the methods used to cover tracks.

• Planting Backdoors
Backdoors are designed to compromise the system in such a way as to allow later access to take place. Backdoors can come in many forms, such as Trojans and rootkits (RATs). Key loggers can be either hardware or software applications (generally) which are used to gain information entered via the keyboard.

Question 02. Briefly elaborate the process of foot printing (reconnaissance).

Answer:

Footprinting or reconnaissance is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target. It is the first step of the hacking methodology. If this process is performed in a careless manner, it will produce unnecessary and junk information and can also attract the victim's attention. The main goal of footprinting is to gather almost all information about the target, such as network and OS information, system architecture, network services and blocks, and intrusion detection and prevention systems.

There are three types of footprinting: active, passive and Internet footprinting. Active footprinting is the way of directly engaging with the target through techniques such as social engineering. Passive footprinting is the process of gathering information in the least aggressive manner, such as gathering information from newspapers, websites, discussion groups, blogs, etc. Internet footprinting is the process of gaining information from the internet by using different tools and technologies on the web.

Question 03. What types of data and information can be gathered through the process
of footprinting?

Answer:

The main goal of footprinting is to gather information about the target. Footprinting
involves information gathering about Networks, Operating Systems and the target
organization. Many other aspects such as network services, system architecture,
organizational information can also be gathered with the help of footprinting.

Question 04. List down some important information related to computer networks which
can be gathered, via reconnaissance.

Answer:

Computer networks can reveal precious information about the victim because most communication and information is shared over the network. Information that can be gathered by footprinting includes:

• Domain names the enterprise uses to conduct business.
• Internal domain name information.
• IP addresses of available systems.
• Rogue or unmonitored websites that are used for testing or other purposes.
• TCP/UDP services that are running.
• Access control mechanisms, including firewalls and ACLs.
• VPN information.
• Intrusion detection and prevention information as well as configuration data.
• Telephone numbers, including analog and VoIP.
• Authentication mechanisms and systems.

Question 05. List down some important information related to operating systems which
can be gathered, via reconnaissance.

Answer:

Operating systems are one of the most important areas to gather information about. Some important information related to operating systems which can be gathered via footprinting is as follows:

• User group information and names
• OS versions
• System architecture
• Remote system data
• System names
• Passwords

Question 06. List down some important information related to organization data which
can be gathered, via reconnaissance.

Answer:

Gathering information about an organization means gathering information that provides details about employees, operations, projects, etc. Some vital information related to organization data which can be gathered via footprinting is:

• Employee details.
• Organization's website.
• Company directory.
• Location details.
• Address and phone numbers.
• Comments in HTML source code.
• Security policies implemented.
• Web server links relevant to the organization.
• Background of the organization.
• News articles and press releases.

Question 07. List down the differences between active information gathering and passive
information gathering process.

Answer:

Active:
• Gathering information by engaging with the target.
• It can be done by using techniques like social engineering, nmap scans, etc.
• It is a more aggressive method, hence this process has a higher chance of attracting the defender's attention.

Passive:
• Gathering information without establishing contact between the pen tester and the target.
• Sources like newspapers, websites and blogs can be used to gather information.
• It is the least aggressive method, hence the defender might be unaware of the footprinting.

Question 08. Write down some threats which can be possibly introduced into an
enterprise’s network system through the process of footprinting.

Answer:

A successful footprinting process can provide almost all information about an enterprise's network system. This can pose some serious threats to the enterprise, some of which are:

• Privacy issues.
• IP addresses of available systems can be at risk.
• Internal domain name information can be leaked.
• Network structure and operating system information can be at risk.

Question 09. List down the type of information that can be gathered when we carry out reconnaissance using the following types of dataset:

Answer:

• Search Engines
Search engines such as Google and Bing can easily provide a wealth of information that the client may have wished to keep hidden or may have just plain forgotten about. Using a search engine, you can find a lot of information, some of it completely unexpected or something a defender never considers, such as technology platforms, employee details, login pages, intranet portals, and so on. A search can easily provide even more details such as names of security personnel, brand and type of firewall, and antivirus protection.

• Public and Restricted Websites
Websites that are intended not to be public but to be restricted to a few can provide you with valuable information. Because restricted websites such as technet.microsoft.com and developer.apple.com are not intended for public consumption, they are kept in a subdomain that is either not publicized or that has a login page.

• Location and Geography
Not to be overlooked or underestimated in value is any information pertaining to the physical location of offices and personnel. You should seek this information during the footprinting process because it can yield other key details that you may find useful in later stages, including physical penetrations. Knowing a company's physical location can aid in dumpster diving, social engineering, and other efforts.

• Social Networking
One of the best sources for information is social networking. Social networking has proven not only extremely prolific but also incredibly useful as an information-gathering tool. Armed with personal data learned on social networking sites, an attacker can use social engineering to build a sense of trust.

• Financial Services
Popular financial services such as Yahoo! Finance, Google Finance, and CNBC provide information that may not be available via other means. This data includes company officers, profiles, shares, competitor analysis, and many other pieces of data.

• Job Portals
A valuable method of gathering information about a target is through job sites and job postings. It is not uncommon to find information such as infrastructure data, operating system information, and other useful facts. Job requirements and experience, employer profile, and hardware and software information can be revealed by a vacancy announcement.

• Computer Networks
Information about domain names, ownership and IP addresses can be gathered from a network. The ping command, which uses the ICMP protocol, can be used to determine whether a host is reachable and to check the status of the host. The Tracert tool helps to follow the path of traffic from one point to another, including the points in the middle.

Question 10. In detail, elaborate what the process of Scanning refers to.

Answer:

Scanning is the process of engaging and probing a target network with the intention of revealing useful information such as live hosts, ports and services. The gathered information can be used in later phases of the pen testing process. Scanning is the process of collecting more information using more complex and aggressive footprinting methods. There are three categories of scans: port scan, network scan and vulnerability scan, but the main purpose of each scan is the same.

Question 11. What are the three types of scans? List them down and then elaborate
those scanning techniques in detail.

Answer:

The three types of scan are port, network and vulnerability scan. They are described below:

• Port Scan
This is the process of sending carefully crafted messages or packets to a target. These probes are associated with well-known port numbers (<=1024). This process can reveal the target's mail servers, domain controllers and web servers.

• Network Scan
This process is designed to locate the active hosts on a network. The scan can help identify systems which may be attacked later. Ping sweeps can be used to scan an IP range rapidly.

• Vulnerability Scan
This is used to identify weaknesses or vulnerabilities on a target system. The scan is typically done as a proactive measure. Its main goal is to catch and identify vulnerabilities in a system before an attacker can locate those flaws. The scan can help to discover hosts, access points, open ports and services, and generate reports.

Question 12. Provide differences between penetration testing process and vulnerability
scanning.

Answer:

Penetration Testing:
• Penetration testing is designed not only to find weaknesses but also to exploit them as an actual attacker would.
• This process requires a lot of experience and tools to exploit vulnerabilities in a system.

Vulnerability Scan:
• A vulnerability scan is designed to reveal weaknesses present in a network or host but does not exploit those weaknesses.
• This process requires fewer resources compared to pen testing.

Question 13. How can Ping be used for the process to check for live systems in a
computer network domain? What makes it less useful in a prolonged scanning phase
when it comes to ethical hacking?

Answer:

Ping is a utility that can be used to determine network connectivity by determining whether a remote host is up or down. While a very simple utility, it is perfect for performing the initial scanning process.

Ping is less useful in a prolonged scanning phase of ethical hacking because it has some drawbacks. Some network administrators block ping at the firewall, so pinging hosts from outside the network is useless. An intrusion detection system or intrusion prevention system can be used to shut down ping scans and can even alert the network administrator. The ping command will tell whether the host is up or live; if the host is down, ping will hang for a moment before reporting that the scan cannot reach the targeted host.

Question 14. What are the category of applications that can be used to modify the header
contents of the packets be called as? Provide two examples of such applications.

Answer:

The category of applications that can be used to modify the header contents of packets is called packet crafters, and the process is called packet crafting. Hping3 and Yersinia are packet crafting tools.

Question 15. List down the six types of TCP header flags and then provide short
descriptions of each.

Answer:

The TCP header flags are:

• Urgent Pointer (URG)
This flag is used to identify incoming data as "urgent". Such data is sent and processed immediately.

• Acknowledgement (ACK)
This flag is used to acknowledge the receipt of a packet of information.

• Push (PSH)
This flag tells the sending system to send all buffered data immediately.

• Reset (RST)
This flag is used when a segment arrives that is not intended for the current connection. It is used to reset a connection.

• Synchronization (SYN)
This flag initiates a connection between two hosts to facilitate communication. It is perhaps the most well-known flag used in TCP communication.

• Finished (FIN)
This flag is used to tear down the connections that were created using the previous flags. It appears when the last packets are exchanged on a connection.

Question 16. Write short notes on:

Answer:

• Full Open Scan
This scan refers to a complete three-way handshake. Suppose a client sends a SYN message to the server, the server replies with SYN-ACK, and the client again sends an ACK message to the server. This gives the information that the host is up and the connection is complete. This scan can be noticed by security appliances such as a firewall or IDS/IPS, so it has a greater chance of attracting the victim's attention. This process will complete handshakes, or communicate, with the open ports.

• Half Open Scan
This scan is less noisy than a full-open scan and it is also called a stealth scan. The common name of this scan is SYN scan. A half-open scan works by the same process as the full-open scan but does not complete the final step of the three-way handshake. This means that the half-open scan does not reply with a final ACK message in response to the SYN-ACK message; instead of the final ACK, a RST message is sent. This way it is less likely to trigger detection mechanisms or end up being logged.

• Xmas Tree Scan
The Xmas tree scan sends a TCP frame to a device with the Urgent (URG), Push (PSH) and Finish (FIN) flags set. The benefit of this scan is that it can reveal the specific OS in use on the target system. In this scan, the source sends URG/FIN/PSH frames to the destination. If the destination port is open, it does not respond, and if the port is closed it responds with a Reset (RST) frame.

• FIN Scan
The attacker sends packets to the victim with the FIN flag set. In order to maintain a lower profile while scanning, a packet with only the FIN flag set can be used. It is much like an Xmas tree scan: if a FIN is sent to an open port, there is no response, but a closed port responds with an RST.

• NULL Scan
In this type of scan, the attacker sends frames to the victim with no flags set. This scan gives a similar response to the Xmas tree and FIN scans.
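As an added illustration (not part of the tutorial), the following Python script classifies the flag combinations from Questions 15 and 16 and reports sources that probe several ports with a single scan type, the way a simple defender-side detector would. The log format, the addresses and the traffic are all constructed for this example.

```python
from collections import defaultdict

# Assumed log format (constructed for this example, not any real tool's
# output): "<src> <dst> <dport> <flags>", flags comma-separated, "-" = none.
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_record(line):
    """Split one log line into (src, dst, dport, frozenset_of_flags)."""
    src, dst, dport, flags = line.split()
    flagset = frozenset() if flags == "-" else frozenset(flags.split(","))
    if not flagset <= TCP_FLAGS:
        raise ValueError(f"unknown TCP flag in: {line!r}")
    return src, dst, int(dport), flagset

def classify_probe(flags):
    """Map a flag combination to the scan type it is characteristic of."""
    if not flags:
        return "null"        # NULL scan: no flags set
    if flags == {"URG", "PSH", "FIN"}:
        return "xmas"        # Xmas tree scan
    if flags == {"FIN"}:
        return "fin"         # FIN scan
    if flags == {"SYN"}:
        return "syn"         # first step of a full- or half-open connect
    return "other"           # ordinary traffic: ACK, SYN-ACK, RST, ...

def detect_scans(lines, port_threshold=3):
    """Return {src: {scan_type: distinct_ports}} for sources that probed at
    least port_threshold distinct dst:port pairs with one probe type.  A SYN
    counts only if that src never sent a bare ACK to the same dst:port, i.e.
    never completed the handshake (the half-open / SYN-scan pattern)."""
    probes = defaultdict(lambda: defaultdict(set))
    completed = set()
    for line in lines:
        src, dst, dport, flags = parse_record(line)
        if flags == {"ACK"}:
            completed.add((src, dst, dport))
        kind = classify_probe(flags)
        if kind != "other":
            probes[src][kind].add((dst, dport))
    report = {}
    for src, by_kind in probes.items():
        hits = {}
        for kind, targets in by_kind.items():
            if kind == "syn":   # drop SYNs that became real connections
                targets = {t for t in targets if (src, *t) not in completed}
            if len(targets) >= port_threshold:
                hits[kind] = len(targets)
        if hits:
            report[src] = hits
    return report

# Constructed sample: 10.0.0.5 runs an Xmas scan, 10.0.0.7 a half-open SYN
# scan (SYN then RST), 10.0.0.8 completes ordinary connections.
SAMPLE_LOG = (
    [f"10.0.0.5 10.0.0.9 {p} URG,PSH,FIN" for p in (21, 22, 80, 443)]
    + [f"10.0.0.7 10.0.0.9 {p} {f}" for p in (22, 80, 443) for f in ("SYN", "RST")]
    + [f"10.0.0.8 10.0.0.9 {p} {f}" for p in (80, 443) for f in ("SYN", "ACK")]
    + ["10.0.0.8 10.0.0.9 8080 SYN"]
)
```

Calling detect_scans(SAMPLE_LOG) reports only the two scanners; the client that completes its handshakes is not flagged.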

Question 17. How would the UDP ports respond to a port scan?

Answer:

If a UDP packet is sent to an open port, there is no response, but a closed port responds with an ICMP "Port Unreachable" message.

Question 18. What does the process of Enumeration refer to with respect to ethical
hacking and penetration testing?

Answer:

Enumeration is the process of extracting information from a target system to determine more of its configuration and related vulnerabilities. It is possible to extract information such as usernames and other related services, which may depend on the OS itself.

Question 19. List down the types of information which can be obtained via the process
of Enumeration.

Answer:

The types of information which can be obtained by the process of enumeration are:

• Usernames
• Hostnames
• Network shares and services
• IP tables and routing tables
• SNMP and DNS details

Question 20. What is typically involved in the process of system hacking?

Answer:

The process of system hacking involves a methodical approach that includes cracking passwords, escalating privileges, executing applications, hiding tracks, concealing evidence and pushing on to a more involved attack. System hacking cannot be completed in a single pass; the process is much more complex.

Question 21. In detail, explain the concepts involved in password cracking.

Answer:

Password cracking is used to obtain the credentials of a given account with the intention of using the account to gain unauthorized access to the system under the guise of a legitimate user. Dictionary attacks, brute force attacks, packet sniffing, man-in-the-middle and malware are the concepts involved in password cracking.

Question 22. Elaborate the different password cracking techniques.

Answer:

The different password cracking techniques are:

• Dictionary Attacks
An attack of this type takes the form of a password-cracking application that has a dictionary file loaded into it. The dictionary file is a text file that contains a list of known words, up to and including the entire dictionary. The application uses this list to test different words in an attempt to recover the password.

• Brute Force Attacks
In this type of attack, every possible combination of characters is attempted until the correct one is uncovered.

• Packet Sniffing
A sniffer, or packet analyzer as it is also called, is a mechanism (typically software) designed to capture packets as they flow across the network. Generally, a sniffing attack is most effective if it is performed on a network that employs a hub between the attacker and victim, or if the two parties are on the same segment of the collision domain.

• Man-in-the-middle
During this type of attack, two parties are communicating with one another and a third party inserts itself into the conversation and attempts to alter or eavesdrop on the communications.

• Malware
Malware such as Trojans, spyware, and key loggers can prove very useful during an attack by allowing the attacker to gather information of all types, including passwords.

Question 23. Explain the importance of escalating privilege level during the process of
system hacking.

Answer:

The reality is that the account you’re compromising may end up being a lower-
privileged and less-defended one. The goal should be to gain a level where fewer
restrictions exist on the account and you have greater access to the system. The main
importance of escalating privilege is that it can give you a better position while performing
a penetration test. Vertical and Horizontal are the two types of Privilege escalation.

Question 24. Why are backdoors relevant during the process of system hacking?

Answer:

Backdoors are designed to compromise the system in such a way as to allow later access to take place. Backdoors can come in many forms, such as Trojans and rootkits (RATs). Key loggers can be either hardware or software applications (generally) which are used to gain information entered via the keyboard.
